restore cstyleCast, write dangerousOldStyleTypeCast for dangerous type casts

Author: danmar

lib/checkother.cpp

@@ -290,6 +290,44 @@ void CheckOther::suspiciousSemicolonError(const Token* tok)
                 "Suspicious use of ; at the end of '" + (tok ? tok->str() : std::string()) + "' statement.", CWE398, Certainty::normal);
 }
 
+/** @brief would it make sense to use dynamic_cast instead of C style cast? */
+static bool isDangerousTypeConversion(const Token* const tok)
+{
+    const Token* from = tok->astOperand1();
+    if (!from)
+        return false;
+    if (!tok->valueType() || !from->valueType())
+        return false;
+    if (tok->valueType()->typeScope != nullptr &&
+        tok->valueType()->typeScope == from->valueType()->typeScope)
+        return false;
+    if (tok->valueType()->type == from->valueType()->type &&
+        tok->valueType()->isPrimitive())
+        return false;
+    // cast from derived object to base object is safe..
+    if (tok->valueType()->typeScope && from->valueType()->typeScope) {
+        const Type* fromType = from->valueType()->typeScope->definedType;
+        const Type* toType = tok->valueType()->typeScope->definedType;
+        if (fromType && toType && fromType->isDerivedFrom(toType->name()))
+            return false;
+    }
+    const bool refcast = (tok->valueType()->reference != Reference::None);
+    if (!refcast && tok->valueType()->pointer == 0)
+        return false;
+    if (!refcast && from->valueType()->pointer == 0)
+        return false;
+
+    if (tok->valueType()->type == ValueType::Type::VOID || from->valueType()->type == ValueType::Type::VOID)
+        return false;
+    if (tok->valueType()->pointer == 0 && tok->valueType()->isIntegral())
+        // ok: (uintptr_t)ptr;
+        return false;
+    if (from->valueType()->pointer == 0 && from->valueType()->isIntegral())
+        // ok: (int *)addr;
+        return false;
+
+    return true;
+}
 
 //---------------------------------------------------------------------------
 // For C++ code, warn if C-style casts are used on pointer types
@@ -316,40 +354,45 @@ void CheckOther::warningOldStylePointerCast()
             // Old style pointer casting..
             if (!tok->isCast() || tok->isBinaryOp())
                 continue;
-            const Token* from = tok->astOperand1();
-            if (!from)
-                continue;
-            if (!tok->valueType() || !from->valueType())
-                continue;
-            if (tok->valueType()->typeScope != nullptr &&
-                tok->valueType()->typeScope == from->valueType()->typeScope)
+            if (isDangerousTypeConversion(tok))
                 continue;
-            if (tok->valueType()->type == from->valueType()->type &&
-                tok->valueType()->isPrimitive())
-                continue;
-            // cast from derived object to base object is safe..
-            if (tok->valueType()->typeScope && from->valueType()->typeScope) {
-                const Type* fromType = from->valueType()->typeScope->definedType;
-                const Type* toType = tok->valueType()->typeScope->definedType;
-                if (fromType && toType && fromType->isDerivedFrom(toType->name()))
-                    continue;
+            const Token* const errtok = tok;
+            const Token* castTok = tok->next();
+            while (Token::Match(castTok, "const|volatile|class|struct|union|%type%|::")) {
+                castTok = castTok->next();
+                if (Token::simpleMatch(castTok, "<") && castTok->link())
+                    castTok = castTok->link()->next();
             }
-            const bool refcast = (tok->valueType()->reference != Reference::None);
-            if (!refcast && tok->valueType()->pointer == 0)
+            if (castTok == tok->next())
                 continue;
-            if (!refcast && from->valueType()->pointer == 0)
+            bool isPtr = false, isRef = false;
+            while (Token::Match(castTok, "*|const|&")) {
+                if (castTok->str() == "*")
+                    isPtr = true;
+                else if (castTok->str() == "&")
+                    isRef = true;
+                castTok = castTok->next();
+            }
+            if ((!isPtr && !isRef) || !Token::Match(castTok, ") (| %name%|%bool%|%char%|%str%|&"))
                 continue;
 
-            if (tok->valueType()->type == ValueType::Type::VOID || from->valueType()->type == ValueType::Type::VOID)
+            if (Token::Match(tok->previous(), "%type%"))
                 continue;
-            if (tok->valueType()->pointer == 0 && tok->valueType()->isIntegral())
-                // ok: (uintptr_t)ptr;
-                continue;
-            if (from->valueType()->pointer == 0 && from->valueType()->isIntegral())
-                // ok: (int *)addr;
+
+            // skip first "const" in "const Type* const"
+            while (Token::Match(tok->next(), "const|volatile|class|struct|union"))
+                tok = tok->next();
+            const Token* typeTok = tok->next();
+            // skip second "const" in "const Type* const"
+            if (tok->strAt(3) == "const")
+                tok = tok->next();
+
+            const Token *p = tok->tokAt(4);
+            if (p->hasKnownIntValue() && p->getKnownIntValue()==0) // Casting nullpointers is safe
                 continue;
 
-            cstyleCastError(tok, tok->valueType()->pointer > 0);
+            if (typeTok->tokType() == Token::eType || typeTok->tokType() == Token::eName)
+                cstyleCastError(errtok, isPtr);
         }
     }
 }
@@ -365,14 +408,49 @@ void CheckOther::cstyleCastError(const Token *tok, bool isPtr)
                 "which kind of cast is expected.", CWE398, Certainty::normal);
 }
 
+void CheckOther::warningDangerousOldStyleTypeCast()
+{
+    // Only valid on C++ code
+    if (!mTokenizer->isCPP())
+        return;
+    if (!mSettings->severity.isEnabled(Severity::warning) && !mSettings->isPremiumEnabled("cstyleCast"))
+        return;
+
+    logChecker("CheckOther::warningDangerousOldStyleTypeCast"); // warning,c++
+
+    const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
+    for (const Scope * scope : symbolDatabase->functionScopes) {
+        const Token* tok;
+        if (scope->function && scope->function->isConstructor())
+            tok = scope->classDef;
+        else
+            tok = scope->bodyStart;
+        for (; tok && tok != scope->bodyEnd; tok = tok->next()) {
+            // Old style pointer casting..
+            if (!tok->isCast() || tok->isBinaryOp())
+                continue;
+
+            if (isDangerousTypeConversion(tok))
+                dangerousOldStyleTypeCastError(tok, tok->valueType()->pointer > 0);
+        }
+    }
+}
+
+void CheckOther::dangerousOldStyleTypeCastError(const Token *tok, bool isPtr)
+{
+    const std::string type = isPtr ? "pointer" : "reference";
+    reportError(tok, Severity::warning, "dangerousOldStyleTypeCast",
+                "Potentially dangerous C style type cast of " + type + " to object, use dynamic_cast or static_cast",
+                CWE398, Certainty::normal);
+}
+
 void CheckOther::warningIntToPointerCast()
 {
-    if (!mSettings->severity.isEnabled(Severity::portability))
+    if (!mSettings->severity.isEnabled(Severity::portability) && !mSettings->isPremiumEnabled("cstyleCast"))
         return;
 
     logChecker("CheckOther::warningIntToPointerCast"); // portability
 
-    const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
     for (const Token* tok = mTokenizer->tokens(); tok; tok = tok->next()) {
         // pointer casting..
         if (!tok->isCast())
@@ -4487,6 +4565,7 @@ void CheckOther::getErrorMessages(ErrorLogger *errorLogger, const Settings *sett
     c.checkComparisonFunctionIsAlwaysTrueOrFalseError(nullptr, "isless","varName",false);
     c.checkCastIntToCharAndBackError(nullptr, "func_name");
     c.cstyleCastError(nullptr);
+    c.dangerousOldStyleTypeCastError(nullptr, true);
     c.intToPointerCastError(nullptr);
     c.suspiciousFloatingPointCastError(nullptr);
     c.passedByValueError(nullptr, false);

lib/checkother.h

@@ -80,6 +80,9 @@ class CPPCHECKLIB CheckOther : public Check {
     /** @brief Are there C-style pointer casts in a c++ file? */
     void warningOldStylePointerCast();
 
+    /** @brief Dangerous type cast */
+    void warningDangerousOldStyleTypeCast();
+
     /** @brief Casting non-hexadecimal integer literal to pointer */
     void warningIntToPointerCast();
 
@@ -201,6 +204,7 @@ class CPPCHECKLIB CheckOther : public Check {
     void clarifyCalculationError(const Token *tok, const std::string &op);
     void clarifyStatementError(const Token* tok);
     void cstyleCastError(const Token *tok, bool isPtr = true);
+    void dangerousOldStyleTypeCastError(const Token *tok, bool isPtr);
     void intToPointerCastError(const Token *tok);
     void suspiciousFloatingPointCastError(const Token *tok);
     void invalidPointerCastError(const Token* tok, const std::string& from, const std::string& to, bool inconclusive, bool toIsInt);
@@ -277,6 +281,7 @@ class CPPCHECKLIB CheckOther : public Check {
                // warning
                "- either division by zero or useless condition\n"
                "- access of moved or forwarded variable.\n"
+               "- potentially dangerous C style type cast of pointer/reference to object.\n"
 
                // performance
                "- redundant data copying for const variable\n"

test/cfg/googletest.cpp

@@ -44,7 +44,7 @@ namespace ExampleNamespace {
 
 TEST(ASSERT, ASSERT)
 {
-    int *a = (int*)calloc(10,sizeof(int));
+    int *a = (int*)calloc(10,sizeof(int)); // cppcheck-suppress cstyleCast
     ASSERT_TRUE(a != nullptr);
 
     a[0] = 10;

test/cfg/opencv2.cpp

@@ -30,7 +30,7 @@ void validCode(const char* argStr)
     cvStr += " World";
     std::cout << cvStr;
 
-    // cppcheck-suppress unusedAllocatedMemory
+    // cppcheck-suppress [cstyleCast, unusedAllocatedMemory]
     char * pBuf = (char *)cv::fastMalloc(20);
     cv::fastFree(pBuf);
 }
@@ -43,6 +43,7 @@ void ignoredReturnValue()
 
 void memleak()
 {
+    // cppcheck-suppress cstyleCast
     const char * pBuf = (char *)cv::fastMalloc(1000);
     // cppcheck-suppress [uninitdata, valueFlowBailoutIncompleteVar, nullPointerOutOfMemory]
     std::cout << pBuf;

test/cfg/std.cpp

@@ -3027,7 +3027,7 @@ void uninitvar_longjmp(void)
 void uninitvar_malloc(void)
 {
     size_t size;
-    // cppcheck-suppress [uninitvar, unusedAllocatedMemory]
+    // cppcheck-suppress [uninitvar, cstyleCast, unusedAllocatedMemory]
     int *p = (int*)std::malloc(size);
     free(p);
 }
@@ -3259,7 +3259,7 @@ void uninivar_bsearch(void)
     const void* base;
     size_t num;
     size_t size;
-    // cppcheck-suppress uninitvar
+    // cppcheck-suppress [uninitvar, cstyleCast]
     (void)std::bsearch(key,base,num,size,(int (*)(const void*,const void*))strcmp);
 }
 
@@ -3269,11 +3269,11 @@ void minsize_bsearch(const void* key, const void* base,
 {
     const int Base[3] = {42, 43, 44};
 
-    (void)std::bsearch(key,Base,2,size,(int (*)(const void*,const void*))strcmp);
-    (void)std::bsearch(key,Base,3,size,(int (*)(const void*,const void*))strcmp);
-    (void)std::bsearch(key,Base,4,size,(int (*)(const void*,const void*))strcmp);
+    (void)std::bsearch(key,Base,2,size,(int (*)(const void*,const void*))strcmp); // cppcheck-suppress cstyleCast
+    (void)std::bsearch(key,Base,3,size,(int (*)(const void*,const void*))strcmp); // cppcheck-suppress cstyleCast
+    (void)std::bsearch(key,Base,4,size,(int (*)(const void*,const void*))strcmp); // cppcheck-suppress cstyleCast
 
-    (void)std::bsearch(key,base,2,size,(int (*)(const void*,const void*))strcmp);
+    (void)std::bsearch(key,base,2,size,(int (*)(const void*,const void*))strcmp); // cppcheck-suppress cstyleCast
 }
 
 void uninitvar_qsort(void)
@@ -3282,7 +3282,7 @@ void uninitvar_qsort(void)
     size_t n;
     size_t size;
     // cppcheck-suppress uninitvar
-    (void)std::qsort(base,n,size, (int (*)(const void*,const void*))strcmp);
+    (void)std::qsort(base,n,size, (int (*)(const void*,const void*))strcmp); // cppcheck-suppress cstyleCast
 }
 
 void uninitvar_stable_sort(std::vector<int>& v)

test/cfg/windows.cpp

@@ -624,7 +624,7 @@ void memleak_HeapAlloc()
 void memleak_LocalAlloc()
 {
     LPTSTR pszBuf;
-    // cppcheck-suppress [LocalAllocCalled, valueFlowBailoutIncompleteVar]
+    // cppcheck-suppress [LocalAllocCalled, cstyleCast, valueFlowBailoutIncompleteVar]
     pszBuf = (LPTSTR)LocalAlloc(LPTR, MAX_PATH*sizeof(TCHAR));
     (void)LocalSize(pszBuf);
     (void)LocalFlags(pszBuf);
@@ -700,7 +700,7 @@ void resourceLeak_LoadLibrary()
     HINSTANCE hInstLib;
     hInstLib = ::LoadLibrary(L"My.dll");
     typedef BOOL (WINAPI *fpFunc)();
-    // cppcheck-suppress unreadVariable
+    // cppcheck-suppress [unreadVariable, cstyleCast]
     fpFunc pFunc = (fpFunc)GetProcAddress(hInstLib, "name");
     // cppcheck-suppress resourceLeak
 }
@@ -825,7 +825,7 @@ void invalidFunctionArg()
     CloseHandle(hMutex);
 
     //Incorrect: 2. parameter to LoadLibraryEx() must be NULL
-    // cppcheck-suppress [invalidFunctionArg, intToPointerCast]
+    // cppcheck-suppress [invalidFunctionArg, cstyleCast]
     HINSTANCE hInstLib = LoadLibraryEx(L"My.dll", HANDLE(1), 0);
     FreeLibrary(hInstLib);