clang 20.0.0git
CastSizeChecker.cpp
Go to the documentation of this file.
1//=== CastSizeChecker.cpp ---------------------------------------*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// CastSizeChecker checks when casting a malloc'ed symbolic region to type T,
10// whether the size of the symbolic region is a multiple of the size of T.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/AST/CharUnits.h"
15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/Checker.h"
18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
21
22using namespace clang;
23using namespace ento;
24
25namespace {
26class CastSizeChecker : public Checker< check::PreStmt<CastExpr> > {
27 const BugType BT{this, "Cast region with wrong size."};
28
29public:
30 void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
31};
32}
33
34/// Check if we are casting to a struct with a flexible array at the end.
35/// \code
36/// struct foo {
37/// size_t len;
38/// struct bar data[];
39/// };
40/// \endcode
41/// or
42/// \code
43/// struct foo {
44/// size_t len;
45/// struct bar data[0];
46/// }
47/// \endcode
48/// In these cases it is also valid to allocate size of struct foo + a multiple
49/// of struct bar.
50static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize,
51 CharUnits TypeSize, QualType ToPointeeTy) {
52 const RecordType *RT = ToPointeeTy->getAs<RecordType>();
53 if (!RT)
54 return false;
55
56 const RecordDecl *RD = RT->getDecl();
57 RecordDecl::field_iterator Iter(RD->field_begin());
58 RecordDecl::field_iterator End(RD->field_end());
59 const FieldDecl *Last = nullptr;
60 for (; Iter != End; ++Iter)
61 Last = *Iter;
62 assert(Last && "empty structs should already be handled");
63
64 const Type *ElemType = Last->getType()->getArrayElementTypeNoTypeQual();
65 CharUnits FlexSize;
66 if (const ConstantArrayType *ArrayTy =
67 Ctx.getAsConstantArrayType(Last->getType())) {
68 FlexSize = Ctx.getTypeSizeInChars(ElemType);
69 if (ArrayTy->getSize() == 1 && TypeSize > FlexSize)
70 TypeSize -= FlexSize;
71 else if (!ArrayTy->isZeroSize())
72 return false;
73 } else if (RD->hasFlexibleArrayMember()) {
74 FlexSize = Ctx.getTypeSizeInChars(ElemType);
75 } else {
76 return false;
77 }
78
79 if (FlexSize.isZero())
80 return false;
81
82 CharUnits Left = RegionSize - TypeSize;
83 if (Left.isNegative())
84 return false;
85
86 return Left % FlexSize == 0;
87}
88
89void CastSizeChecker::checkPreStmt(const CastExpr *CE,CheckerContext &C) const {
90 const Expr *E = CE->getSubExpr();
91 ASTContext &Ctx = C.getASTContext();
92 QualType ToTy = Ctx.getCanonicalType(CE->getType());
93 const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
94
95 if (!ToPTy)
96 return;
97
98 QualType ToPointeeTy = ToPTy->getPointeeType();
99
100 // Only perform the check if 'ToPointeeTy' is a complete type.
101 if (ToPointeeTy->isIncompleteType())
102 return;
103
104 ProgramStateRef state = C.getState();
105 const MemRegion *R = C.getSVal(E).getAsRegion();
106 if (!R)
107 return;
108
109 const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R);
110 if (!SR)
111 return;
112
113 SValBuilder &svalBuilder = C.getSValBuilder();
114
115 DefinedOrUnknownSVal Size = getDynamicExtent(state, SR, svalBuilder);
116 const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size);
117 if (!SizeInt)
118 return;
119
120 CharUnits regionSize = CharUnits::fromQuantity(SizeInt->getZExtValue());
121 CharUnits typeSize = C.getASTContext().getTypeSizeInChars(ToPointeeTy);
122
123 // Ignore void, and a few other un-sizeable types.
124 if (typeSize.isZero())
125 return;
126
127 if (regionSize % typeSize == 0)
128 return;
129
130 if (evenFlexibleArraySize(Ctx, regionSize, typeSize, ToPointeeTy))
131 return;
132
133 if (ExplodedNode *errorNode = C.generateErrorNode()) {
134 constexpr llvm::StringLiteral Msg =
135 "Cast a region whose size is not a multiple of the destination type "
136 "size.";
137 auto R = std::make_unique<PathSensitiveBugReport>(BT, Msg, errorNode);
138 R->addRange(CE->getSourceRange());
139 C.emitReport(std::move(R));
140 }
141}
142
143void ento::registerCastSizeChecker(CheckerManager &mgr) {
144 mgr.registerChecker<CastSizeChecker>();
145}
146
147bool ento::shouldRegisterCastSizeChecker(const CheckerManager &mgr) {
148 // PR31226: C++ is more complicated than what this checker currently supports.
149 // There are derived-to-base casts, there are different rules for 0-size
150 // structures, no flexible arrays, etc.
151 // FIXME: Disabled on C++ for now.
152 const LangOptions &LO = mgr.getLangOpts();
153 return !LO.CPlusPlus;
154}
evenFlexibleArraySize
static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize, CharUnits TypeSize, QualType ToPointeeTy)
Check if we are casting to a struct with a flexible array at the end.
Definition: CastSizeChecker.cpp:50
E
Expr * E
Definition: CheckExprLifetime.cpp:210
Iter
unsigned Iter
Definition: HTMLLogger.cpp:153
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:188
clang::ASTContext::getAsConstantArrayType
const ConstantArrayType * getAsConstantArrayType(QualType T) const
Definition: ASTContext.h:2922
clang::ASTContext::getCanonicalType
CanQualType getCanonicalType(QualType T) const
Return the canonical (structural) type corresponding to the specified potentially non-canonical type ...
Definition: ASTContext.h:2723
clang::ASTContext::getTypeSizeInChars
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
Definition: ASTContext.cpp:2541
clang::CastExpr
CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...
Definition: Expr.h:3547
clang::CastExpr::getSubExpr
Expr * getSubExpr()
Definition: Expr.h:3597
clang::CharUnits
CharUnits - This is an opaque type for sizes expressed in character units.
Definition: CharUnits.h:38
clang::CharUnits::isZero
bool isZero() const
isZero - Test whether the quantity equals zero.
Definition: CharUnits.h:122
clang::CharUnits::fromQuantity
static CharUnits fromQuantity(QuantityType Quantity)
fromQuantity - Construct a CharUnits quantity from a raw integer type.
Definition: CharUnits.h:63
clang::ConstantArrayType
Represents the canonical version of C arrays with a specified constant size.
Definition: Type.h:3616
clang::DeclContext::specific_decl_iterator
specific_decl_iterator - Iterates over a subrange of declarations stored in a DeclContext,...
Definition: DeclBase.h:2384
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::FieldDecl
Represents a member of a struct/union/class.
Definition: Decl.h:3033
clang::LangOptions
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:500
clang::PointerType
PointerType - C99 6.7.5.1 - Pointer Declarators.
Definition: Type.h:3199
clang::PointerType::getPointeeType
QualType getPointeeType() const
Definition: Type.h:3209
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:929
clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:7937
clang::RecordDecl
Represents a struct/union/class.
Definition: Decl.h:4162
clang::RecordDecl::hasFlexibleArrayMember
bool hasFlexibleArrayMember() const
Definition: Decl.h:4195
clang::RecordDecl::field_end
field_iterator field_end() const
Definition: Decl.h:4379
clang::RecordDecl::field_begin
field_iterator field_begin() const
Definition: Decl.cpp:5114
clang::RecordType
A helper class that allows the use of isa/cast/dyncast to detect TagType objects of structs/unions/cl...
Definition: Type.h:6078
clang::RecordType::getDecl
RecordDecl * getDecl() const
Definition: Type.h:6088
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:334
clang::Type
The base class of the type hierarchy.
Definition: Type.h:1828
clang::Type::isIncompleteType
bool isIncompleteType(NamedDecl **Def=nullptr) const
Types are partitioned into 3 broad categories (C99 6.2.5p1): object types, function types,...
Definition: Type.cpp:2396
clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>'.
Definition: Type.h:8741
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:202
clang::ento::CheckerManager::getLangOpts
const LangOptions & getLangOpts() const
Definition: CheckerManager.h:167
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:97
clang::ento::SValBuilder::getKnownValue
virtual const llvm::APSInt * getKnownValue(ProgramStateRef state, SVal val)=0
Evaluates a given SVal.
clang::ento::SymbolicRegion
SymbolicRegion - A special, "non-concrete" region.
Definition: MemRegion.h:780
clang::ento::getDynamicExtent
DefinedOrUnknownSVal getDynamicExtent(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB)
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
Generated on Wed Jul 9 2025 12:43:28 for clang by doxygen 1.9.6