[clang] [Webkit Checkers][SaferCpp] Detect base-to-derived downcasts laundered through void* in MemoryUnsafeCastChecker (PR #200294)

Balázs Benics via cfe-commits cfe-commits at lists.llvm.org
Tue Jun 2 06:23:23 PDT 2026


steakhal wrote:

> > I wonder why we don't use the `castExpr` matcher instead of the more specific `cxxStaticCastExpr`. There is no semantic difference of C or C++ style casts, so I wonder, why is one handled but not the other?
> 
> To build on what @steakhal said, the new matchers only fire when the relevant cast is written as a C++ `static_cast<>` expression (`CXXStaticCastExpr`), but not as a C-style cast.
> 
> The following equivalents use a C-style cast in a position that the matcher checks, but they are not currently flagged by this PR (resulting in false negatives):
> 
> ```
>   - (Derived*)(void*)base               — both casts are C-style
>   - static_cast<Derived*>((void*)base)  — the inner void* cast is C-style
>   - (Derived*)static_cast<void*>(base)  — the outer downcast is C-style
>   - (Derived*)returnCast(base)          — outer C-style cast of a void*-returning call
>   - fnArgCast((void*)base)              — C-style cast in the call-argument form
> ```
> 
> Note that I used AI to help me to review this PR in order to identify these test cases, and to verify these test cases are all missed by building llvm locally with the current PR applied.

This is exactly what I had in mind - but I didn't use AI, and I was lazy xD

https://github.com/llvm/llvm-project/pull/200294
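To make the point of the thread concrete, the following is an added example (not code from the PR or from the checker's test suite) showing that the downcast laundered through `void*` is the same pointer conversion whether it is written with `static_cast<>` or with C-style casts, alongside the type-checked alternative. The `Base`/`Derived` types and the function names are constructed for the demo.

```cpp
// Added example (not part of the PR under review): the base-to-derived downcast
// laundered through void* has the same semantics whether it is spelled with
// static_cast<> or with C-style casts, so a matcher keyed on CXXStaticCastExpr
// alone misses the C-style spellings. Type names are constructed for this demo.

struct Base { virtual ~Base() = default; int tag = 1; };
struct Derived : Base { int extra = 42; };

// The form the checker already flags: Base* -> void* -> Derived*, both hops
// written as static_cast<>.
Derived* launderStatic(Base* base) {
    return static_cast<Derived*>(static_cast<void*>(base));
}

// Same operation with C-style casts (one of the false-negative forms listed
// in the review comment). The compiler performs the same pointer conversion.
Derived* launderCStyle(Base* base) {
    return (Derived*)(void*)base;
}

// The "fnArgCast((void*)base)" form: the void* arrives as a call argument and
// is downcast inside the callee, away from the cast at the call site.
Derived* fnArgCast(void* p) {
    return static_cast<Derived*>(p);
}

// Type-checked alternative for a polymorphic hierarchy: dynamic_cast inspects
// the dynamic type and yields nullptr instead of a mistyped pointer.
Derived* checkedDowncast(Base* base) {
    return dynamic_cast<Derived*>(base);
}

// All three laundering spellings produce the identical pointer value when the
// object really is a Derived.
bool spellingsAgreeOnDerived() {
    Derived d;
    Base* base = &d;
    return launderStatic(base) == launderCStyle(base) &&
           launderCStyle(base) == fnArgCast((void*)base) &&
           launderCStyle(base)->extra == 42;
}

// dynamic_cast accepts a real Derived and rejects a plain Base, which the
// laundered casts above would silently mistype.
bool checkedCastAcceptsDerived() { Derived d; return checkedDowncast(&d) == &d; }
bool checkedCastRejectsBase()    { Base b;    return checkedDowncast(&b) == nullptr; }
```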
