1 //===--- SuspiciousMemsetUsageCheck.cpp - clang-tidy-----------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 
10 #include "clang/AST/ASTContext.h"
11 #include "clang/ASTMatchers/ASTMatchFinder.h"
12 #include "clang/ASTMatchers/ASTMatchers.h"
13 #include "clang/Lex/Lexer.h"
14 #include "clang/Tooling/FixIt.h"
15 
16 using namespace clang::ast_matchers;
17 
18 namespace clang {
19 namespace tidy {
20 namespace bugprone {
21 
void SuspiciousMemsetUsageCheck::registerMatchers(MatchFinder *Finder) {
  // Only the standard C memset is of interest:
  //   void *memset(void *buffer, int fill_char, size_t byte_count);
  // Same-named functions with a different shape are left alone.
  const auto MemsetDecl =
      functionDecl(hasName("::memset"), parameterCountIs(3),
                   hasParameter(0, hasType(pointerType(pointee(voidType())))),
                   hasParameter(1, hasType(isInteger())),
                   hasParameter(2, hasType(isInteger())));

  // The character literal '0' (as opposed to the integer 0); shared by the
  // first and third matcher below.
  const auto CharZeroLiteral =
      characterLiteral(equals(static_cast<unsigned>('0')));

  // A pointer to, or array of, characters: filling such a buffer with '0' is
  // plausibly intentional, so it is excluded from the first matcher.
  const auto CharBufferArg =
      anyOf(hasType(pointsTo(isAnyCharacter())),
            hasType(arrayType(hasElementType(isAnyCharacter()))));

  // Case 1: memset(x, '0', z) on a non-character buffer. The integer 0 was
  // probably intended.
  Finder->addMatcher(
      callExpr(callee(MemsetDecl), argumentCountIs(3),
               hasArgument(1, CharZeroLiteral.bind("char-zero-fill")),
               unless(hasArgument(0, CharBufferArg))),
      this);

  // Case 2: an integer literal as fill_char. check() decides whether the
  // value survives conversion to unsigned char.
  Finder->addMatcher(
      callExpr(callee(MemsetDecl), argumentCountIs(3),
               hasArgument(1, integerLiteral().bind("num-fill"))),
      this);

  // Case 3: memset calls whose fill_char is neither the '0' literal nor an
  // integer literal. check() looks for a zero byte_count, which usually means
  // fill_char and byte_count were swapped.
  Finder->addMatcher(
      callExpr(callee(MemsetDecl), argumentCountIs(3),
               unless(hasArgument(1, anyOf(CharZeroLiteral, integerLiteral()))))
          .bind("call"),
      this);
}
59 
void SuspiciousMemsetUsageCheck::check(const MatchFinder::MatchResult &Result) {
  ASTContext &Ctx = *Result.Context;

  // Case 1: fill_char is the character literal '0'. The integer 0 was
  // probably intended.
  if (const auto *CharZeroFill =
          Result.Nodes.getNodeAs<CharacterLiteral>("char-zero-fill")) {
    const SourceRange CharRange = CharZeroFill->getSourceRange();
    auto Diag = diag(CharZeroFill->getBeginLoc(),
                     "memset fill value is char '0', "
                     "potentially mistaken for int 0");
    // The warning is always emitted; a fix-it is only attached when no
    // macro is involved.
    if (!CharRange.getBegin().isMacroID())
      Diag << FixItHint::CreateReplacement(
          CharSourceRange::getTokenRange(CharRange), "0");
    return;
  }

  // Case 2: fill_char is an integer literal that does not fit in an unsigned
  // char, so it is truncated by the implicit conversion.
  if (const auto *NumFill =
          Result.Nodes.getNodeAs<IntegerLiteral>("num-fill")) {
    // Largest value representable in one (target-width) char.
    const auto UCharMax = (1 << Ctx.getCharWidth()) - 1;
    Expr::EvalResult Eval;
    if (!NumFill->EvaluateAsInt(Eval, Ctx))
      return;
    const llvm::APSInt FillValue = Eval.Val.getInt();
    const bool FitsInChar = FillValue >= 0 && FillValue <= UCharMax;
    if (!FitsInChar)
      diag(NumFill->getBeginLoc(), "memset fill value is out of unsigned "
                                   "character range, gets truncated");
    return;
  }

  // Case 3: byte_count is zero at compile time, which most likely means
  // fill_char and byte_count were swapped.
  if (const auto *Call = Result.Nodes.getNodeAs<CallExpr>("call")) {
    const Expr *FillChar = Call->getArg(1);
    const Expr *ByteCount = Call->getArg(2);

    // Nothing to report unless byte_count is a known constant zero.
    Expr::EvalResult CountEval;
    const bool CountIsZero = !ByteCount->isValueDependent() &&
                             ByteCount->EvaluateAsInt(CountEval, Ctx) &&
                             CountEval.Val.getInt() == 0;
    if (!CountIsZero)
      return;

    // A fill_char known to be zero or negative means swapping the arguments
    // would be a nop or introduce a definite bug; the code is likely correct
    // as written.
    Expr::EvalResult FillEval;
    if (!FillChar->isValueDependent() &&
        FillChar->EvaluateAsInt(FillEval, Ctx)) {
      const llvm::APSInt FillValue = FillEval.Val.getInt();
      if (FillValue == 0 || FillValue.isNegative())
        return;
    }

    // byte_count is zero and fill_char is unknown or positive: warn and, when
    // both argument texts are available, offer fix-its that swap them.
    auto D = diag(Call->getBeginLoc(),
                  "memset of size zero, potentially swapped arguments");
    const StringRef ByteCountText = tooling::fixit::getText(*ByteCount, Ctx);
    const StringRef FillCharText = tooling::fixit::getText(*FillChar, Ctx);
    // Without source text for both arguments no safe replacement exists; the
    // warning alone is emitted.
    if (FillCharText.empty() || ByteCountText.empty())
      return;

    D << tooling::fixit::createReplacement(*FillChar, ByteCountText)
      << tooling::fixit::createReplacement(*ByteCount, FillCharText);
  }
}
135 
136 } // namespace bugprone
137 } // namespace tidy
138 } // namespace clang