doxygen/MallocSizeofChecker_8cpp_source.html

// MallocSizeofChecker.cpp - Check for dubious malloc arguments ---*- C++ -*-=//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// Reports inconsistencies between the casted type of the return value of a

// malloc/calloc/realloc call and the operand of any sizeof expressions

// contained within its argument(s).

//

//===----------------------------------------------------------------------===//


#include "clang/AST/StmtVisitor.h"

#include "clang/AST/TypeLoc.h"

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"

#include "llvm/ADT/SmallString.h"

#include "llvm/ADT/iterator_range.h"

#include "llvm/Support/raw_ostream.h"


using namespace clang;

using namespace ento;


namespace {


typedef std::pair<const TypeSourceInfo *, const CallExpr *> TypeCallPair;

typedef llvm::PointerUnion<const Stmt *, const VarDecl *> ExprParent;


class CastedAllocFinder

  : public ConstStmtVisitor<CastedAllocFinder, TypeCallPair> {

  IdentifierInfo *II_malloc, *II_calloc, *II_realloc;


public:

  struct CallRecord {

    ExprParent CastedExprParent;

    const Expr *CastedExpr;

    const TypeSourceInfo *ExplicitCastType;

    const CallExpr *AllocCall;


    CallRecord(ExprParent CastedExprParent, const Expr *CastedExpr,

               const TypeSourceInfo *ExplicitCastType,

               const CallExpr *AllocCall)

      : CastedExprParent(CastedExprParent), CastedExpr(CastedExpr),

        ExplicitCastType(ExplicitCastType), AllocCall(AllocCall) {}

  };


  typedef std::vector<CallRecord> CallVec;

  CallVec Calls;


  CastedAllocFinder(ASTContext *Ctx) :

    II_malloc(&Ctx->Idents.get("malloc")),

    II_calloc(&Ctx->Idents.get("calloc")),

    II_realloc(&Ctx->Idents.get("realloc")) {}


  void VisitChild(ExprParent Parent, const Stmt *S) {

    TypeCallPair AllocCall = Visit(S);

    if (AllocCall.second && AllocCall.second != S)

      Calls.push_back(CallRecord(Parent, cast<Expr>(S), AllocCall.first,

                                 AllocCall.second));

  }


  void VisitChildren(const Stmt *S) {

    for (const Stmt *Child : S->children())

      if (Child)

        VisitChild(S, Child);

  }


  TypeCallPair VisitCastExpr(const CastExpr *E) {

    return Visit(E->getSubExpr());

  }


  TypeCallPair VisitExplicitCastExpr(const ExplicitCastExpr *E) {

    return TypeCallPair(E->getTypeInfoAsWritten(),

                        Visit(E->getSubExpr()).second);

  }


  TypeCallPair VisitParenExpr(const ParenExpr *E) {

    return Visit(E->getSubExpr());

  }


  TypeCallPair VisitStmt(const Stmt *S) {

    VisitChildren(S);

    return TypeCallPair();

  }


  TypeCallPair VisitCallExpr(const CallExpr *E) {

    VisitChildren(E);

    const FunctionDecl *FD = E->getDirectCallee();

    if (FD) {

      IdentifierInfo *II = FD->getIdentifier();

      if (II == II_malloc || II == II_calloc || II == II_realloc)

        return TypeCallPair((const TypeSourceInfo *)nullptr, E);

    }

    return TypeCallPair();

  }


  TypeCallPair VisitDeclStmt(const DeclStmt *S) {

    for (const auto *I : S->decls())

      if (const VarDecl *VD = dyn_cast<VarDecl>(I))

        if (const Expr *Init = VD->getInit())

          VisitChild(VD, Init);

    return TypeCallPair();

  }

};


class SizeofFinder : public ConstStmtVisitor<SizeofFinder> {

public:

  std::vector<const UnaryExprOrTypeTraitExpr *> Sizeofs;


  void VisitBinMul(const BinaryOperator *E) {

    Visit(E->getLHS());

    Visit(E->getRHS());

  }


  void VisitImplicitCastExpr(const ImplicitCastExpr *E) {

    return Visit(E->getSubExpr());

  }


  void VisitParenExpr(const ParenExpr *E) {

    return Visit(E->getSubExpr());

  }


  void VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *E) {

    if (E->getKind() != UETT_SizeOf)

      return;


    Sizeofs.push_back(E);

  }

};


// Determine if the pointee and sizeof types are compatible.  Here

// we ignore constness of pointer types.

static bool typesCompatible(ASTContext &C, QualType A, QualType B) {

  // sizeof(void*) is compatible with any other pointer.

  if (B->isVoidPointerType() && A->getAs<PointerType>())

    return true;


  // sizeof(pointer type) is compatible with void*

  if (A->isVoidPointerType() && B->getAs<PointerType>())

    return true;


  while (true) {

    A = A.getCanonicalType();

    B = B.getCanonicalType();


    if (A.getTypePtr() == B.getTypePtr())

      return true;


    if (const PointerType *ptrA = A->getAs<PointerType>())

      if (const PointerType *ptrB = B->getAs<PointerType>()) {

        A = ptrA->getPointeeType();

        B = ptrB->getPointeeType();

        continue;

      }


    break;

  }


  return false;

}


static bool compatibleWithArrayType(ASTContext &C, QualType PT, QualType T) {

  // Ex: 'int a[10][2]' is compatible with 'int', 'int[2]', 'int[10][2]'.

  while (const ArrayType *AT = T->getAsArrayTypeUnsafe()) {

    QualType ElemType = AT->getElementType();

    if (typesCompatible(C, PT, AT->getElementType()))

      return true;

    T = ElemType;

  }


  return false;

}


class MallocSizeofChecker : public Checker<check::ASTCodeBody> {

public:

  void checkASTCodeBody(const Decl *D, AnalysisManager& mgr,

                        BugReporter &BR) const {

    AnalysisDeclContext *ADC = mgr.getAnalysisDeclContext(D);

    CastedAllocFinder Finder(&BR.getContext());

    Finder.Visit(D->getBody());

    for (const auto &CallRec : Finder.Calls) {

      QualType CastedType = CallRec.CastedExpr->getType();

      if (!CastedType->isPointerType())

        continue;

      QualType PointeeType = CastedType->getPointeeType();

      if (PointeeType->isVoidType())

        continue;


      for (const Expr *Arg : CallRec.AllocCall->arguments()) {

        if (!Arg->getType()->isIntegralOrUnscopedEnumerationType())

          continue;


        SizeofFinder SFinder;

        SFinder.Visit(Arg);

        if (SFinder.Sizeofs.size() != 1)

          continue;


        QualType SizeofType = SFinder.Sizeofs[0]->getTypeOfArgument();


        if (typesCompatible(BR.getContext(), PointeeType, SizeofType))

          continue;


        // If the argument to sizeof is an array, the result could be a

        // pointer to any array element.

        if (compatibleWithArrayType(BR.getContext(), PointeeType, SizeofType))

          continue;


        const TypeSourceInfo *TSI = nullptr;

        if (CallRec.CastedExprParent.is<const VarDecl *>()) {

          TSI = CallRec.CastedExprParent.get<const VarDecl *>()

                    ->getTypeSourceInfo();

        } else {

          TSI = CallRec.ExplicitCastType;

        }


        SmallString<64> buf;

        llvm::raw_svector_ostream OS(buf);


        OS << "Result of ";

        const FunctionDecl *Callee = CallRec.AllocCall->getDirectCallee();

        if (Callee && Callee->getIdentifier())

          OS << '\'' << Callee->getIdentifier()->getName() << '\'';

        else

          OS << "call";

        OS << " is converted to a pointer of type '" << PointeeType

           << "', which is incompatible with "

           << "sizeof operand type '" << SizeofType << "'";

        SmallVector<SourceRange, 4> Ranges;

        Ranges.push_back(CallRec.AllocCall->getCallee()->getSourceRange());

        Ranges.push_back(SFinder.Sizeofs[0]->getSourceRange());

        if (TSI)

          Ranges.push_back(TSI->getTypeLoc().getSourceRange());


        PathDiagnosticLocation L = PathDiagnosticLocation::createBegin(

            CallRec.AllocCall->getCallee(), BR.getSourceManager(), ADC);


        BR.EmitBasicReport(D, this, "Allocator sizeof operand mismatch",

                           categories::UnixAPI, OS.str(), L, Ranges);

      }

    }

  }

};


}


void ento::registerMallocSizeofChecker(CheckerManager &mgr) {

  mgr.registerChecker<MallocSizeofChecker>();

}


bool ento::shouldRegisterMallocSizeofChecker(const CheckerManager &mgr) {

  return true;

}

Parent
NodeId Parent
Definition: ASTDiff.cpp:191

AnalysisManager.h

BugReporter.h

BuiltinCheckerRegistration.h

CheckerManager.h

Checker.h

StmtVisitor.h

TypeLoc.h
Defines the clang::TypeLoc interface and its subclasses.

clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182

clang::AnalysisDeclContext
AnalysisDeclContext contains the context data for the function, method or block under analysis.
Definition: AnalysisDeclContext.h:72

clang::ArrayType
Represents an array type, per C99 6.7.5.2 - Array Declarators.
Definition: Type.h:3145

clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3862

clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3911

clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3913

clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2847

clang::CallExpr::getDirectCallee
FunctionDecl * getDirectCallee()
If the callee is a FunctionDecl, return it. Otherwise return null.
Definition: Expr.h:3017

clang::CastExpr
CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...
Definition: Expr.h:3517

clang::CastExpr::getSubExpr
Expr * getSubExpr()
Definition: Expr.h:3567

clang::ConstStmtVisitor
ConstStmtVisitor - This class implements a simple visitor for Stmt subclasses.
Definition: StmtVisitor.h:194

clang::DeclStmt
DeclStmt - Adaptor class for mixing declarations with statements and expressions.
Definition: Stmt.h:1493

clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:85

clang::Decl::getBody
virtual Stmt * getBody() const
getBody - If this Decl represents a declaration for a body of code, such as a function or method defi...
Definition: DeclBase.h:1076

clang::ExplicitCastExpr
ExplicitCastExpr - An explicit cast written in the source code.
Definition: Expr.h:3752

clang::ExplicitCastExpr::getTypeInfoAsWritten
TypeSourceInfo * getTypeInfoAsWritten() const
getTypeInfoAsWritten - Returns the type source info for the type that this expression is casting to.
Definition: Expr.h:3774

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1957

clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:109

clang::ImplicitCastExpr
ImplicitCastExpr - Allows us to explicitly represent implicit type conversions, which have no direct ...
Definition: Expr.h:3677

clang::NamedDecl::getIdentifier
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269

clang::ParenExpr
ParenExpr - This represents a parethesized expression, e.g.
Definition: Expr.h:2157

clang::ParenExpr::getSubExpr
const Expr * getSubExpr() const
Definition: Expr.h:2172

clang::PointerType
PointerType - C99 6.7.5.1 - Pointer Declarators.
Definition: Type.h:2896

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736

clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:6781

clang::QualType::getCanonicalType
QualType getCanonicalType() const
Definition: Type.h:6833

clang::StmtVisitorBase::Visit
RetTy Visit(PTR(Stmt) S, ParamTys... P)
Definition: StmtVisitor.h:43

clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84

clang::TypeLoc::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
Get the full source range.
Definition: TypeLoc.h:153

clang::TypeSourceInfo
A container of type source information.
Definition: Type.h:6752

clang::TypeSourceInfo::getTypeLoc
TypeLoc getTypeLoc() const
Return the TypeLoc wrapper for the type source info.
Definition: TypeLoc.h:250

clang::Type::isVoidType
bool isVoidType() const
Definition: Type.h:7352

clang::Type::isVoidPointerType
bool isVoidPointerType() const
Definition: Type.cpp:615

clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:7033

clang::Type::getPointeeType
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition: Type.cpp:651

clang::Type::getAsArrayTypeUnsafe
const ArrayType * getAsArrayTypeUnsafe() const
A variant of getAs<> for array types which silently discards qualifiers from the outermost type.
Definition: Type.h:7611

clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>'.
Definition: Type.h:7558

clang::UnaryExprOrTypeTraitExpr
UnaryExprOrTypeTraitExpr - expression with either a type or (unevaluated) expression operand.
Definition: Expr.h:2595

clang::UnaryExprOrTypeTraitExpr::getKind
UnaryExprOrTypeTrait getKind() const
Definition: Expr.h:2627

clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:916

clang::ento::AnalysisManager
Definition: AnalysisManager.h:31

clang::ento::AnalysisManager::getAnalysisDeclContext
AnalysisDeclContext * getAnalysisDeclContext(const Decl *D)
Definition: AnalysisManager.h:121

clang::ento::BugReporter
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition: BugReporter.h:584

clang::ento::BugReporter::getSourceManager
const SourceManager & getSourceManager()
Definition: BugReporter.h:616

clang::ento::BugReporter::EmitBasicReport
void EmitBasicReport(const Decl *DeclWithIssue, const CheckerBase *Checker, StringRef BugName, StringRef BugCategory, StringRef BugStr, PathDiagnosticLocation Loc, ArrayRef< SourceRange > Ranges=std::nullopt, ArrayRef< FixItHint > Fixits=std::nullopt)
Definition: BugReporter.cpp:3309

clang::ento::BugReporter::getContext
ASTContext & getContext()
Definition: BugReporter.h:614

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:516

clang::ento::PathDiagnosticLocation
Definition: PathDiagnostic.h:195

clang::ento::PathDiagnosticLocation::createBegin
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Definition: PathDiagnostic.cpp:581

llvm::SmallString
Definition: LLVM.h:34

llvm::SmallVector
Definition: LLVM.h:35

clang::ento::categories::UnixAPI
const char *const UnixAPI
Definition: CommonBugCategories.cpp:21

clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...

clang::syntax::NodeRole::Callee
@ Callee

clang
Definition: CalledOnceCheck.h:17

clang::LinkageSpecLanguageIDs::C
@ C

clang::OpenACCDirectiveKind::Init
@ Init