clang-tools 20.0.0git
SuspiciousMemsetUsageCheck.cpp
Go to the documentation of this file.
1//===--- SuspiciousMemsetUsageCheck.cpp - clang-tidy-----------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8
10#include "clang/AST/ASTContext.h"
11#include "clang/ASTMatchers/ASTMatchFinder.h"
12#include "clang/ASTMatchers/ASTMatchers.h"
13#include "clang/Lex/Lexer.h"
14#include "clang/Tooling/FixIt.h"
15
16using namespace clang::ast_matchers;
17
18namespace clang::tidy::bugprone {
19
21 // Match the standard memset:
22 // void *memset(void *buffer, int fill_char, size_t byte_count);
23 auto MemsetDecl =
24 functionDecl(hasName("::memset"),
25 parameterCountIs(3),
26 hasParameter(0, hasType(pointerType(pointee(voidType())))),
27 hasParameter(1, hasType(isInteger())),
28 hasParameter(2, hasType(isInteger())));
29
30 // Look for memset(x, '0', z). Probably memset(x, 0, z) was intended.
31 Finder->addMatcher(
32 callExpr(
33 callee(MemsetDecl), argumentCountIs(3),
34 hasArgument(1, characterLiteral(equals(static_cast<unsigned>('0')))
35 .bind("char-zero-fill")),
36 unless(hasArgument(
37 0, anyOf(hasType(pointsTo(isAnyCharacter())),
38 hasType(arrayType(hasElementType(isAnyCharacter()))))))),
39 this);
40
41 // Look for memset with an integer literal in its fill_char argument.
42 // Will check if it gets truncated.
43 Finder->addMatcher(
44 callExpr(callee(MemsetDecl), argumentCountIs(3),
45 hasArgument(1, integerLiteral().bind("num-fill"))),
46 this);
47
48 // Look for memset(x, y, 0) as that is most likely an argument swap.
49 Finder->addMatcher(
50 callExpr(callee(MemsetDecl), argumentCountIs(3),
51 unless(hasArgument(1, anyOf(characterLiteral(equals(
52 static_cast<unsigned>('0'))),
53 integerLiteral()))))
54 .bind("call"),
55 this);
56}
57
58void SuspiciousMemsetUsageCheck::check(const MatchFinder::MatchResult &Result) {
59 if (const auto *CharZeroFill =
60 Result.Nodes.getNodeAs<CharacterLiteral>("char-zero-fill")) {
61 // Case 1: fill_char of memset() is a character '0'. Probably an
62 // integer zero was intended.
63
64 SourceRange CharRange = CharZeroFill->getSourceRange();
65 auto Diag =
66 diag(CharZeroFill->getBeginLoc(), "memset fill value is char '0', "
67 "potentially mistaken for int 0");
68
69 // Only suggest a fix if no macros are involved.
70 if (CharRange.getBegin().isMacroID())
71 return;
72 Diag << FixItHint::CreateReplacement(
73 CharSourceRange::getTokenRange(CharRange), "0");
74 }
75
76 else if (const auto *NumFill =
77 Result.Nodes.getNodeAs<IntegerLiteral>("num-fill")) {
78 // Case 2: fill_char of memset() is larger in size than an unsigned char
79 // so it gets truncated during conversion.
80
81 const auto UCharMax = (1 << Result.Context->getCharWidth()) - 1;
82 Expr::EvalResult EVResult;
83 if (!NumFill->EvaluateAsInt(EVResult, *Result.Context))
84 return;
85
86 llvm::APSInt NumValue = EVResult.Val.getInt();
87 if (NumValue >= 0 && NumValue <= UCharMax)
88 return;
89
90 diag(NumFill->getBeginLoc(), "memset fill value is out of unsigned "
91 "character range, gets truncated");
92 }
93
94 else if (const auto *Call = Result.Nodes.getNodeAs<CallExpr>("call")) {
95 // Case 3: byte_count of memset() is zero. This is most likely an
96 // argument swap.
97
98 const Expr *FillChar = Call->getArg(1);
99 const Expr *ByteCount = Call->getArg(2);
100
101 // Return if `byte_count` is not zero at compile time.
102 Expr::EvalResult Value2;
103 if (ByteCount->isValueDependent() ||
104 !ByteCount->EvaluateAsInt(Value2, *Result.Context) ||
105 Value2.Val.getInt() != 0)
106 return;
107
108 // Return if `fill_char` is known to be zero or negative at compile
109 // time. In these cases, swapping the args would be a nop, or
110 // introduce a definite bug. The code is likely correct.
111 Expr::EvalResult EVResult;
112 if (!FillChar->isValueDependent() &&
113 FillChar->EvaluateAsInt(EVResult, *Result.Context)) {
114 llvm::APSInt Value1 = EVResult.Val.getInt();
115 if (Value1 == 0 || Value1.isNegative())
116 return;
117 }
118
119 // `byte_count` is known to be zero at compile time, and `fill_char` is
120 // either not known or known to be a positive integer. Emit a warning
121 // and fix-its to swap the arguments.
122 auto D = diag(Call->getBeginLoc(),
123 "memset of size zero, potentially swapped arguments");
124 StringRef RHSString = tooling::fixit::getText(*ByteCount, *Result.Context);
125 StringRef LHSString = tooling::fixit::getText(*FillChar, *Result.Context);
126 if (LHSString.empty() || RHSString.empty())
127 return;
128
129 D << tooling::fixit::createReplacement(*FillChar, RHSString)
130 << tooling::fixit::createReplacement(*ByteCount, LHSString);
131 }
132}
133
134} // namespace clang::tidy::bugprone
DiagnosticBuilder diag(SourceLocation Loc, StringRef Description, DiagnosticIDs::Level Level=DiagnosticIDs::Warning)
Add a diagnostic with the check's name.
void registerMatchers(ast_matchers::MatchFinder *Finder) override
Override this to register AST matchers with Finder.
void check(const ast_matchers::MatchFinder::MatchResult &Result) override
ClangTidyChecks that register ASTMatchers should do the actual work in here.