doxygen/CastSizeChecker_8cpp_source.html

 //=== CastSizeChecker.cpp ---------------------------------------*- C++ -*-===//
 //
 //                     The LLVM Compiler Infrastructure
 //
 // This file is distributed under the University of Illinois Open Source
 // License. See LICENSE.TXT for details.
 //
 //===----------------------------------------------------------------------===//
 //
 // CastSizeChecker checks when casting a malloc'ed symbolic region to type T,
 // whether the size of the symbolic region is a multiple of the size of T.
 //
 //===----------------------------------------------------------------------===//
 #include "ClangSACheckers.h"
 #include "clang/AST/CharUnits.h"
 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

 using namespace clang;
 using namespace ento;

 namespace {
 class CastSizeChecker : public Checker< check::PreStmt<CastExpr> > {
   mutable std::unique_ptr<BuiltinBug> BT;

 public:
   void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
 };
 }

 /// Check if we are casting to a struct with a flexible array at the end.
 /// \code
 /// struct foo {
 ///   size_t len;
 ///   struct bar data[];
 /// };
 /// \endcode
 /// or
 /// \code
 /// struct foo {
 ///   size_t len;
 ///   struct bar data[0];
 /// }
 /// \endcode
 /// In these cases it is also valid to allocate size of struct foo + a multiple
 /// of struct bar.
 static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize,
                                   CharUnits TypeSize, QualType ToPointeeTy) {
   const RecordType *RT = ToPointeeTy->getAs<RecordType>();
   if (!RT)
     return false;

   const RecordDecl *RD = RT->getDecl();
   RecordDecl::field_iterator Iter(RD->field_begin());
   RecordDecl::field_iterator End(RD->field_end());
   const FieldDecl *Last = nullptr;
   for (; Iter != End; ++Iter)
     Last = *Iter;
   assert(Last && "empty structs should already be handled");

   const Type *ElemType = Last->getType()->getArrayElementTypeNoTypeQual();
   CharUnits FlexSize;
   if (const ConstantArrayType *ArrayTy =
         Ctx.getAsConstantArrayType(Last->getType())) {
     FlexSize = Ctx.getTypeSizeInChars(ElemType);
     if (ArrayTy->getSize() == 1 && TypeSize > FlexSize)
       TypeSize -= FlexSize;
     else if (ArrayTy->getSize() != 0)
       return false;
   } else if (RD->hasFlexibleArrayMember()) {
     FlexSize = Ctx.getTypeSizeInChars(ElemType);
   } else {
     return false;
   }

   if (FlexSize.isZero())
     return false;

   CharUnits Left = RegionSize - TypeSize;
   if (Left.isNegative())
     return false;

   return Left % FlexSize == 0;
 }

 void CastSizeChecker::checkPreStmt(const CastExpr *CE,CheckerContext &C) const {
   const Expr *E = CE->getSubExpr();
   ASTContext &Ctx = C.getASTContext();
   QualType ToTy = Ctx.getCanonicalType(CE->getType());
   const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());

   if (!ToPTy)
     return;

   QualType ToPointeeTy = ToPTy->getPointeeType();

   // Only perform the check if 'ToPointeeTy' is a complete type.
   if (ToPointeeTy->isIncompleteType())
     return;

   ProgramStateRef state = C.getState();
   const MemRegion *R = C.getSVal(E).getAsRegion();
   if (!R)
     return;

   const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R);
   if (!SR)
     return;

   SValBuilder &svalBuilder = C.getSValBuilder();
   SVal extent = SR->getExtent(svalBuilder);
   const llvm::APSInt *extentInt = svalBuilder.getKnownValue(state, extent);
   if (!extentInt)
     return;

   CharUnits regionSize = CharUnits::fromQuantity(extentInt->getSExtValue());
   CharUnits typeSize = C.getASTContext().getTypeSizeInChars(ToPointeeTy);

   // Ignore void, and a few other un-sizeable types.
   if (typeSize.isZero())
     return;

   if (regionSize % typeSize == 0)
     return;

   if (evenFlexibleArraySize(Ctx, regionSize, typeSize, ToPointeeTy))
     return;

   if (ExplodedNode *errorNode = C.generateErrorNode()) {
     if (!BT)
       BT.reset(new BuiltinBug(this, "Cast region with wrong size.",
                                     "Cast a region whose size is not a multiple"
                                     " of the destination type size."));
     auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), errorNode);
     R->addRange(CE->getSourceRange());
     C.emitReport(std::move(R));
   }
 }

 void ento::registerCastSizeChecker(CheckerManager &mgr) {
   // PR31226: C++ is more complicated than what this checker currently supports.
   // There are derived-to-base casts, there are different rules for 0-size
   // structures, no flexible arrays, etc.
   // FIXME: Disabled on C++ for now.
   if (!mgr.getLangOpts().CPlusPlus)
     mgr.registerChecker<CastSizeChecker>();
 }
clang::PointerType
PointerType - C99 6.7.5.1 - Pointer Declarators.
Definition: Type.h:2497

clang::PointerType::getPointeeType
QualType getPointeeType() const
Definition: Type.h:2510

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:641

clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:94

clang::ento::CheckerContext::generateErrorNode
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Definition: CheckerContext.h:248

clang::Type
The base class of the type hierarchy.
Definition: Type.h:1414

clang::CharUnits::isZero
bool isZero() const
isZero - Test whether the quantity equals zero.
Definition: CharUnits.h:116

BugType.h

clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>&#39;.
Definition: Type.h:6625

clang::ento::CheckerManager
Definition: CheckerManager.h:117

clang::ento::CheckerContext::getSVal
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
Definition: CheckerContext.h:195

clang::RecordDecl
Represents a struct/union/class.
Definition: Decl.h:3572

clang::ento::BuiltinBug
Definition: BugType.h:72

clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:153

clang::FieldDecl
Represents a member of a struct/union/class.
Definition: Decl.h:2554

Checker.h

CheckerManager.h

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:66

clang::CastExpr::getSubExpr
Expr * getSubExpr()
Definition: Expr.h:3000

clang::CodeGen::state
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
Definition: CGOpenMPRuntime.h:725

CharUnits.h

clang::CharUnits
CharUnits - This is an opaque type for sizes expressed in character units.
Definition: CharUnits.h:38

clang::ento::CheckerContext
Definition: CheckerContext.h:70

clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:5988

clang::RecordDecl::field_begin
field_iterator field_begin() const
Definition: Decl.cpp:4107

clang::CastExpr
CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...
Definition: Expr.h:2935

clang::CharUnits::isNegative
bool isNegative() const
isNegative - Test whether the quantity is less than zero.
Definition: CharUnits.h:125

clang::ento::Checker
Definition: Checker.h:516

clang::ento::SymbolicRegion
SymbolicRegion - A special, "non-concrete" region.
Definition: MemRegion.h:759

clang::Expr
Expr - This represents one expression.
Definition: Expr.h:106

End
SourceLocation End
Definition: USRLocFinder.cpp:167

clang::ento::SymbolicRegion::getExtent
DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const override
getExtent - Returns the size of the region in bytes.
Definition: MemRegion.cpp:204

evenFlexibleArraySize
static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize, CharUnits TypeSize, QualType ToPointeeTy)
Check if we are casting to a struct with a flexible array at the end.
Definition: CastSizeChecker.cpp:49

clang::RecordDecl::field_end
field_iterator field_end() const
Definition: Decl.h:3766

clang::CharUnits::fromQuantity
static CharUnits fromQuantity(QuantityType Quantity)
fromQuantity - Construct a CharUnits quantity from a raw integer type.
Definition: CharUnits.h:63

clang::Expr::getType
QualType getType() const
Definition: Expr.h:128

clang::ComparisonCategoryType::Last

clang::RecordType::getDecl
RecordDecl * getDecl() const
Definition: Type.h:4249

clang::ento::CheckerContext::emitReport
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
Definition: CheckerContext.h:268

llvm::IntrusiveRefCntPtr
Definition: LLVM.h:45

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:154

clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:151

clang::ASTContext::getAsConstantArrayType
const ConstantArrayType * getAsConstantArrayType(QualType T) const
Definition: ASTContext.h:2417

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:76

clang::RecordDecl::hasFlexibleArrayMember
bool hasFlexibleArrayMember() const
Definition: Decl.h:3626

clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:22

clang::ento::CheckerContext::getASTContext
ASTContext & getASTContext()
Definition: CheckerContext.h:130

ClangSACheckers.h

clang::Type::getArrayElementTypeNoTypeQual
const Type * getArrayElementTypeNoTypeQual() const
If this is an array type, return the element type of the array, potentially with type qualifiers miss...
Definition: Type.cpp:261

clang::ento::SValBuilder
Definition: SValBuilder.h:53

clang::DeclContext::specific_decl_iterator
specific_decl_iterator - Iterates over a subrange of declarations stored in a DeclContext, providing only those that are of type SpecificDecl (or a class derived from it).
Definition: DeclBase.h:2034

clang::RecordType
A helper class that allows the use of isa/cast/dyncast to detect TagType objects of structs/unions/cl...
Definition: Type.h:4239

clang::ento::CheckerContext::getState
const ProgramStateRef & getState() const
Definition: CheckerContext.h:118

clang::Type::isIncompleteType
bool isIncompleteType(NamedDecl **Def=nullptr) const
Types are partitioned into 3 broad categories (C99 6.2.5p1): object types, function types...
Definition: Type.cpp:2034

clang::ASTContext::getCanonicalType
CanQualType getCanonicalType(QualType T) const
Return the canonical (structural) type corresponding to the specified potentially non-canonical type ...
Definition: ASTContext.h:2257

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:268

clang::ento::CheckerContext::getSValBuilder
SValBuilder & getSValBuilder()
Definition: CheckerContext.h:157

clang::ento::SValBuilder::getKnownValue
virtual const llvm::APSInt * getKnownValue(ProgramStateRef state, SVal val)=0
Evaluates a given SVal.

clang::ASTContext::getTypeSizeInChars
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
Definition: ASTContext.cpp:2106

clang::ento::CheckerManager::getLangOpts
const LangOptions & getLangOpts() const
Definition: CheckerManager.h:136

clang::ConstantArrayType
Represents the canonical version of C arrays with a specified constant size.
Definition: Type.h:2832

CheckerContext.h