doxygen/CastSizeChecker_8cpp_source.html

 //=== CastSizeChecker.cpp ---------------------------------------*- C++ -*-===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 //
 // CastSizeChecker checks when casting a malloc'ed symbolic region to type T,
 // whether the size of the symbolic region is a multiple of the size of T.
 //
 //===----------------------------------------------------------------------===//

 #include "clang/AST/CharUnits.h"
 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"

 using namespace clang;
 using namespace ento;

 namespace {
 class CastSizeChecker : public Checker< check::PreStmt<CastExpr> > {
   mutable std::unique_ptr<BuiltinBug> BT;

 public:
   void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
 };
 }

 /// Check if we are casting to a struct with a flexible array at the end.
 /// \code
 /// struct foo {
 ///   size_t len;
 ///   struct bar data[];
 /// };
 /// \endcode
 /// or
 /// \code
 /// struct foo {
 ///   size_t len;
 ///   struct bar data[0];
 /// }
 /// \endcode
 /// In these cases it is also valid to allocate size of struct foo + a multiple
 /// of struct bar.
 static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize,
                                   CharUnits TypeSize, QualType ToPointeeTy) {
   const RecordType *RT = ToPointeeTy->getAs<RecordType>();
   if (!RT)
     return false;

   const RecordDecl *RD = RT->getDecl();
   RecordDecl::field_iterator Iter(RD->field_begin());
   RecordDecl::field_iterator End(RD->field_end());
   const FieldDecl *Last = nullptr;
   for (; Iter != End; ++Iter)
     Last = *Iter;
   assert(Last && "empty structs should already be handled");

   const Type *ElemType = Last->getType()->getArrayElementTypeNoTypeQual();
   CharUnits FlexSize;
   if (const ConstantArrayType *ArrayTy =
         Ctx.getAsConstantArrayType(Last->getType())) {
     FlexSize = Ctx.getTypeSizeInChars(ElemType);
     if (ArrayTy->getSize() == 1 && TypeSize > FlexSize)
       TypeSize -= FlexSize;
     else if (ArrayTy->getSize() != 0)
       return false;
   } else if (RD->hasFlexibleArrayMember()) {
     FlexSize = Ctx.getTypeSizeInChars(ElemType);
   } else {
     return false;
   }

   if (FlexSize.isZero())
     return false;

   CharUnits Left = RegionSize - TypeSize;
   if (Left.isNegative())
     return false;

   return Left % FlexSize == 0;
 }

 void CastSizeChecker::checkPreStmt(const CastExpr *CE,CheckerContext &C) const {
   const Expr *E = CE->getSubExpr();
   ASTContext &Ctx = C.getASTContext();
   QualType ToTy = Ctx.getCanonicalType(CE->getType());
   const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());

   if (!ToPTy)
     return;

   QualType ToPointeeTy = ToPTy->getPointeeType();

   // Only perform the check if 'ToPointeeTy' is a complete type.
   if (ToPointeeTy->isIncompleteType())
     return;

   ProgramStateRef state = C.getState();
   const MemRegion *R = C.getSVal(E).getAsRegion();
   if (!R)
     return;

   const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R);
   if (!SR)
     return;

   SValBuilder &svalBuilder = C.getSValBuilder();

   DefinedOrUnknownSVal Size = getDynamicSize(state, SR, svalBuilder);
   const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size);
   if (!SizeInt)
     return;

   CharUnits regionSize = CharUnits::fromQuantity(SizeInt->getZExtValue());
   CharUnits typeSize = C.getASTContext().getTypeSizeInChars(ToPointeeTy);

   // Ignore void, and a few other un-sizeable types.
   if (typeSize.isZero())
     return;

   if (regionSize % typeSize == 0)
     return;

   if (evenFlexibleArraySize(Ctx, regionSize, typeSize, ToPointeeTy))
     return;

   if (ExplodedNode *errorNode = C.generateErrorNode()) {
     if (!BT)
       BT.reset(new BuiltinBug(this, "Cast region with wrong size.",
                                     "Cast a region whose size is not a multiple"
                                     " of the destination type size."));
     auto R = std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(),
                                                       errorNode);
     R->addRange(CE->getSourceRange());
     C.emitReport(std::move(R));
   }
 }

 void ento::registerCastSizeChecker(CheckerManager &mgr) {
   mgr.registerChecker<CastSizeChecker>();
 }

 bool ento::shouldRegisterCastSizeChecker(const CheckerManager &mgr) {
   // PR31226: C++ is more complicated than what this checker currently supports.
   // There are derived-to-base casts, there are different rules for 0-size
   // structures, no flexible arrays, etc.
   // FIXME: Disabled on C++ for now.
   const LangOptions &LO = mgr.getLangOpts();
   return !LO.CPlusPlus;
 }
ento

clang::PointerType
PointerType - C99 6.7.5.1 - Pointer Declarators.
Definition: Type.h:2645

clang::PointerType::getPointeeType
QualType getPointeeType() const
Definition: Type.h:2655

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:655

clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37

clang::Type
The base class of the type hierarchy.
Definition: Type.h:1472

clang::CharUnits::isZero
bool isZero() const
isZero - Test whether the quantity equals zero.
Definition: CharUnits.h:116

BugType.h

clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>&#39;.
Definition: Type.h:7153

clang::RecordDecl
Represents a struct/union/class.
Definition: Decl.h:3770

clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:174

clang::FieldDecl
Represents a member of a struct/union/class.
Definition: Decl.h:2746

Checker.h

CheckerManager.h

clang::CastExpr::getSubExpr
Expr * getSubExpr()
Definition: Expr.h:3400

clang::LangOptions
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:54

clang::CodeGen::state
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
Definition: CGOpenMPRuntime.h:840

CharUnits.h

clang::CharUnits
CharUnits - This is an opaque type for sizes expressed in character units.
Definition: CharUnits.h:38

clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:6402

clang::RecordDecl::field_begin
field_iterator field_begin() const
Definition: Decl.cpp:4457

clang::CastExpr
CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...
Definition: Expr.h:3361

clang::CharUnits::isNegative
bool isNegative() const
isNegative - Test whether the quantity is less than zero.
Definition: CharUnits.h:125

clang::Expr
This represents one expression.
Definition: Expr.h:110

End
SourceLocation End
Definition: USRLocFinder.cpp:167

evenFlexibleArraySize
static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize, CharUnits TypeSize, QualType ToPointeeTy)
Check if we are casting to a struct with a flexible array at the end.
Definition: CastSizeChecker.cpp:50

clang::RecordDecl::field_end
field_iterator field_end() const
Definition: Decl.h:3993

clang::CharUnits::fromQuantity
static CharUnits fromQuantity(QuantityType Quantity)
fromQuantity - Construct a CharUnits quantity from a raw integer type.
Definition: CharUnits.h:63

clang::Expr::getType
QualType getType() const
Definition: Expr.h:142

clang::ComparisonCategoryType::Last

BuiltinCheckerRegistration.h

clang::RecordType::getDecl
RecordDecl * getDecl() const
Definition: Type.h:4627

clang::ento::getDynamicSize
DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB)
Get the stored dynamic size for the region MR.
Definition: DynamicSize.cpp:25

APSInt
llvm::APSInt APSInt
Definition: ByteCodeEmitter.cpp:18

clang::ASTContext::getAsConstantArrayType
const ConstantArrayType * getAsConstantArrayType(QualType T) const
Definition: ASTContext.h:2420

DynamicSize.h

clang::RecordDecl::hasFlexibleArrayMember
bool hasFlexibleArrayMember() const
Definition: Decl.h:3824

clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:21

clang::Type::getArrayElementTypeNoTypeQual
const Type * getArrayElementTypeNoTypeQual() const
If this is an array type, return the element type of the array, potentially with type qualifiers miss...
Definition: Type.cpp:371

clang::DeclContext::specific_decl_iterator
specific_decl_iterator - Iterates over a subrange of declarations stored in a DeclContext, providing only those that are of type SpecificDecl (or a class derived from it).
Definition: DeclBase.h:2085

clang::RecordType
A helper class that allows the use of isa/cast/dyncast to detect TagType objects of structs/unions/cl...
Definition: Type.h:4617

clang::Type::isIncompleteType
bool isIncompleteType(NamedDecl **Def=nullptr) const
Types are partitioned into 3 broad categories (C99 6.2.5p1): object types, function types...
Definition: Type.cpp:2211

clang::ASTContext::getCanonicalType
CanQualType getCanonicalType(QualType T) const
Return the canonical (structural) type corresponding to the specified potentially non-canonical type ...
Definition: ASTContext.h:2259

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:263

clang::ASTContext::getTypeSizeInChars
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
Definition: ASTContext.cpp:2367

clang::ConstantArrayType
Represents the canonical version of C arrays with a specified constant size.
Definition: Type.h:2934

CheckerContext.h