clang-tools 23.0.0git
UnsafeFunctionsCheck.cpp
Go to the documentation of this file.
1//===----------------------------------------------------------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8
9#include "UnsafeFunctionsCheck.h"
10#include "../utils/OptionsUtils.h"
11#include "clang/AST/ASTContext.h"
12#include "clang/ASTMatchers/ASTMatchFinder.h"
13#include "clang/Analysis/AnnexKDetection.h"
14#include "clang/Lex/Preprocessor.h"
15#include <cassert>
16
17using namespace clang::ast_matchers;
18using namespace llvm;
19
20namespace clang::tidy::bugprone {
21
22static constexpr StringRef OptionNameCustomFunctions = "CustomFunctions";
23static constexpr StringRef OptionNameReportDefaultFunctions =
24 "ReportDefaultFunctions";
25static constexpr StringRef OptionNameReportMoreUnsafeFunctions =
26 "ReportMoreUnsafeFunctions";
27
28static constexpr StringRef FunctionNamesWithAnnexKReplacementId =
29 "FunctionNamesWithAnnexKReplacement";
30static constexpr StringRef FunctionNamesId = "FunctionsNames";
31static constexpr StringRef AdditionalFunctionNamesId =
32 "AdditionalFunctionsNames";
33static constexpr StringRef CustomFunctionNamesId = "CustomFunctionNames";
34static constexpr StringRef DeclRefId = "DRE";
35
36static std::optional<std::string>
37getAnnexKReplacementFor(StringRef FunctionName) {
38 return StringSwitch<std::string>(FunctionName)
39 .Case("strlen", "strnlen_s")
40 .Case("wcslen", "wcsnlen_s")
41 .Default((Twine{FunctionName} + "_s").str());
42}
43
44static StringRef getReplacementFor(StringRef FunctionName,
45 bool IsAnnexKAvailable) {
46 if (IsAnnexKAvailable) {
47 // Try to find a better replacement from Annex K first.
48 StringRef AnnexKReplacementFunction =
49 StringSwitch<StringRef>(FunctionName)
50 .Cases({"asctime", "asctime_r"}, "asctime_s")
51 .Case("gets", "gets_s")
52 .Default({});
53 if (!AnnexKReplacementFunction.empty())
54 return AnnexKReplacementFunction;
55 }
56
57 // FIXME: Some of these functions are available in C++ under "std::", and
58 // should be matched and suggested.
59 return StringSwitch<StringRef>(FunctionName)
60 .Cases({"asctime", "asctime_r"}, "strftime")
61 .Case("gets", "fgets")
62 .Case("rewind", "fseek")
63 .Case("setbuf", "setvbuf")
64 .Case("get_temporary_buffer", "operator new[]");
65}
66
67static StringRef getReplacementForAdditional(StringRef FunctionName,
68 bool IsAnnexKAvailable) {
69 if (IsAnnexKAvailable) {
70 // Try to find a better replacement from Annex K first.
71 StringRef AnnexKReplacementFunction = StringSwitch<StringRef>(FunctionName)
72 .Case("bcopy", "memcpy_s")
73 .Case("bzero", "memset_s")
74 .Default({});
75
76 if (!AnnexKReplacementFunction.empty())
77 return AnnexKReplacementFunction;
78 }
79
80 return StringSwitch<StringRef>(FunctionName)
81 .Case("bcmp", "memcmp")
82 .Case("bcopy", "memcpy")
83 .Case("bzero", "memset")
84 .Case("getpw", "getpwuid")
85 .Case("vfork", "posix_spawn");
86}
87
88/// \returns The rationale for replacing the function \p FunctionName with the
89/// safer alternative.
90static StringRef getRationaleFor(StringRef FunctionName) {
91 return StringSwitch<StringRef>(FunctionName)
92 .Cases({"asctime", "asctime_r", "ctime"},
93 "is not bounds-checking and non-reentrant")
94 .Cases({"bcmp", "bcopy", "bzero"}, "is deprecated")
95 .Cases({"fopen", "freopen"}, "has no exclusive access to the opened file")
96 .Case("gets", "is insecure, was deprecated and removed in C11 and C++14")
97 .Case("getpw", "is dangerous as it may overflow the provided buffer")
98 .Cases({"rewind", "setbuf"}, "has no error detection")
99 .Case("vfork", "is insecure as it can lead to denial of service "
100 "situations in the parent process")
101 .Case("get_temporary_buffer", "returns uninitialized memory without "
102 "performance advantages, was deprecated in "
103 "C++17 and removed in C++20")
104 .Default("is not bounds-checking");
105}
106
107/// Calculates whether Annex K is available for the current translation unit
108/// based on the macro definitions and the language options.
109///
110/// The result is cached and saved in \p CacheVar.
111static bool isAnnexKAvailable(std::optional<bool> &CacheVar, Preprocessor *PP,
112 const LangOptions &LO) {
113 if (CacheVar.has_value())
114 return *CacheVar;
115
116 CacheVar = analysis::isAnnexKAvailable(PP, LO);
117 return CacheVar.value();
118}
119
120static std::vector<UnsafeFunctionsCheck::CheckedFunction>
121parseCheckedFunctions(StringRef Option, ClangTidyContext *Context) {
122 const std::vector<StringRef> Functions =
123 utils::options::parseStringList(Option);
124 std::vector<UnsafeFunctionsCheck::CheckedFunction> Result;
125 Result.reserve(Functions.size());
126
127 for (const StringRef Function : Functions) {
128 if (Function.empty())
129 continue;
130
131 const auto [Name, Rest] = Function.split(',');
132 const auto [Replacement, Reason] = Rest.split(',');
133
134 if (Name.trim().empty()) {
135 Context->configurationDiag("invalid configuration value for option '%0'; "
136 "expected the name of an unsafe function")
137 << OptionNameCustomFunctions;
138 continue;
139 }
140
141 Result.push_back(
142 {Name.trim().str(),
143 matchers::MatchesAnyListedRegexNameMatcher::NameMatcher(Name.trim()),
144 Replacement.trim().str(), Reason.trim().str()});
145 }
146
147 return Result;
148}
149
150static std::string serializeCheckedFunctions(
151 const std::vector<UnsafeFunctionsCheck::CheckedFunction> &Functions) {
152 std::vector<std::string> Result;
153 Result.reserve(Functions.size());
154
155 for (const auto &Entry : Functions)
156 if (Entry.Reason.empty())
157 Result.push_back(Entry.Name + "," + Entry.Replacement);
158 else
159 Result.push_back(Entry.Name + "," + Entry.Replacement + "," +
160 Entry.Reason);
161
162 return llvm::join(Result, ";");
163}
164
165UnsafeFunctionsCheck::UnsafeFunctionsCheck(StringRef Name,
166 ClangTidyContext *Context)
167 : ClangTidyCheck(Name, Context),
168 CustomFunctions(parseCheckedFunctions(
169 Options.get(OptionNameCustomFunctions, ""), Context)),
170 ReportDefaultFunctions(
171 Options.get(OptionNameReportDefaultFunctions, true)),
172 ReportMoreUnsafeFunctions(
173 Options.get(OptionNameReportMoreUnsafeFunctions, true)) {}
174
175void UnsafeFunctionsCheck::storeOptions(ClangTidyOptions::OptionMap &Opts) {
176 Options.store(Opts, OptionNameCustomFunctions,
177 serializeCheckedFunctions(CustomFunctions));
178 Options.store(Opts, OptionNameReportDefaultFunctions, ReportDefaultFunctions);
179 Options.store(Opts, OptionNameReportMoreUnsafeFunctions,
180 ReportMoreUnsafeFunctions);
181}
182
183void UnsafeFunctionsCheck::registerMatchers(MatchFinder *Finder) {
184 if (ReportDefaultFunctions) {
185 if (getLangOpts().C11) {
186 // Matching functions with safe replacements only in Annex K.
187 auto FunctionNamesWithAnnexKReplacementMatcher = hasAnyName(
188 "::bsearch", "::ctime", "::fopen", "::fprintf", "::freopen",
189 "::fscanf", "::fwprintf", "::fwscanf", "::getenv", "::gmtime",
190 "::localtime", "::mbsrtowcs", "::mbstowcs", "::memcpy", "::memmove",
191 "::memset", "::printf", "::qsort", "::scanf", "::snprintf",
192 "::sprintf", "::sscanf", "::strcat", "::strcpy", "::strerror",
193 "::strlen", "::strncat", "::strncpy", "::strtok", "::swprintf",
194 "::swscanf", "::vfprintf", "::vfscanf", "::vfwprintf", "::vfwscanf",
195 "::vprintf", "::vscanf", "::vsnprintf", "::vsprintf", "::vsscanf",
196 "::vswprintf", "::vswscanf", "::vwprintf", "::vwscanf", "::wcrtomb",
197 "::wcscat", "::wcscpy", "::wcslen", "::wcsncat", "::wcsncpy",
198 "::wcsrtombs", "::wcstok", "::wcstombs", "::wctomb", "::wmemcpy",
199 "::wmemmove", "::wprintf", "::wscanf");
200 Finder->addMatcher(
201 declRefExpr(to(functionDecl(FunctionNamesWithAnnexKReplacementMatcher)
202 .bind(FunctionNamesWithAnnexKReplacementId)))
203 .bind(DeclRefId),
204 this);
205 }
206
207 // Matching functions with replacements without Annex K.
208 auto FunctionNamesMatcher =
209 hasAnyName("::asctime", "asctime_r", "::gets", "::rewind", "::setbuf",
210 "::std::get_temporary_buffer");
211 Finder->addMatcher(
212 declRefExpr(
213 to(functionDecl(FunctionNamesMatcher).bind(FunctionNamesId)))
214 .bind(DeclRefId),
215 this);
216
217 if (ReportMoreUnsafeFunctions) {
218 // Matching functions with replacements without Annex K, at user request.
219 auto AdditionalFunctionNamesMatcher =
220 hasAnyName("::bcmp", "::bcopy", "::bzero", "::getpw", "::vfork");
221 Finder->addMatcher(
222 declRefExpr(to(functionDecl(AdditionalFunctionNamesMatcher)
223 .bind(AdditionalFunctionNamesId)))
224 .bind(DeclRefId),
225 this);
226 }
227 }
228
229 if (!CustomFunctions.empty()) {
230 std::vector<StringRef> FunctionNames;
231 FunctionNames.reserve(CustomFunctions.size());
232
233 for (const auto &Entry : CustomFunctions)
234 FunctionNames.emplace_back(Entry.Name);
235
236 auto CustomFunctionsMatcher =
237 matchers::matchesAnyListedRegexName(FunctionNames);
238
239 Finder->addMatcher(declRefExpr(to(functionDecl(CustomFunctionsMatcher)
240 .bind(CustomFunctionNamesId)))
241 .bind(DeclRefId),
242 this);
243 // C++ member calls do not contain a DeclRefExpr to the function decl.
244 // Instead, they contain a MemberExpr that refers to the decl.
245 Finder->addMatcher(memberExpr(member(functionDecl(CustomFunctionsMatcher)
246 .bind(CustomFunctionNamesId)))
247 .bind(DeclRefId),
248 this);
249 }
250}
251
252/// A ``Reason`` prefixed with ``>`` produces a fully-custom message and
253/// suppresses the ``Replacement`` suffix; an empty ``Replacement`` yields
254/// the "it should not be used" form; otherwise the standard suggestion
255/// form is used.
256static void emitDiag(ClangTidyCheck &Check, const Expr *SourceExpr,
257 const FunctionDecl *FuncDecl, StringRef Replacement,
258 StringRef Reason) {
259 if (Reason.consume_front(">")) {
260 Check.diag(SourceExpr->getExprLoc(), "function %0 %1")
261 << FuncDecl << Reason.trim() << SourceExpr->getSourceRange();
262 return;
263 }
264 if (Replacement.empty()) {
265 Check.diag(SourceExpr->getExprLoc(),
266 "function %0 %1; it should not be used")
267 << FuncDecl << Reason << SourceExpr->getSourceRange();
268 return;
269 }
270 Check.diag(SourceExpr->getExprLoc(),
271 "function %0 %1; '%2' should be used instead")
272 << FuncDecl << Reason << Replacement << SourceExpr->getSourceRange();
273}
274
275void UnsafeFunctionsCheck::check(const MatchFinder::MatchResult &Result) {
276 const Expr *SourceExpr = nullptr;
277 const FunctionDecl *FuncDecl = nullptr;
278
279 if (const auto *DeclRef = Result.Nodes.getNodeAs<DeclRefExpr>(DeclRefId)) {
280 SourceExpr = DeclRef;
281 FuncDecl = cast<FunctionDecl>(DeclRef->getDecl());
282 } else if (const auto *Member =
283 Result.Nodes.getNodeAs<MemberExpr>(DeclRefId)) {
284 SourceExpr = Member;
285 FuncDecl = cast<FunctionDecl>(Member->getMemberDecl());
286 } else {
287 llvm_unreachable("No valid matched node in check()");
288 return;
289 }
290
291 assert(SourceExpr && FuncDecl && "No valid matched node in check()");
292
293 // Only one of these are matched at a time.
294 const auto *AnnexK = Result.Nodes.getNodeAs<FunctionDecl>(
295 FunctionNamesWithAnnexKReplacementId);
296 const auto *Normal = Result.Nodes.getNodeAs<FunctionDecl>(FunctionNamesId);
297 const auto *Additional =
298 Result.Nodes.getNodeAs<FunctionDecl>(AdditionalFunctionNamesId);
299 const auto *Custom =
300 Result.Nodes.getNodeAs<FunctionDecl>(CustomFunctionNamesId);
301 assert((AnnexK || Normal || Additional || Custom) &&
302 "No valid match category.");
303
304 bool AnnexKIsAvailable =
305 isAnnexKAvailable(IsAnnexKAvailable, PP, getLangOpts());
306 StringRef FunctionName = FuncDecl->getName();
307
308 std::string Replacement;
309 std::string Reason;
310
311 if (Custom) {
312 const CheckedFunction *MatchedEntry = nullptr;
313 for (const auto &Entry : CustomFunctions) {
314 if (Entry.Pattern.match(*FuncDecl)) {
315 MatchedEntry = &Entry;
316 break;
317 }
318 }
319 if (!MatchedEntry) {
320 llvm_unreachable("No custom function was matched.");
321 return;
322 }
323 Replacement = MatchedEntry->Replacement;
324 Reason = MatchedEntry->Reason.empty() ? "is marked as unsafe"
325 : MatchedEntry->Reason;
326 } else {
327 const std::optional<std::string> ReplacementFunctionName =
328 [&]() -> std::optional<std::string> {
329 if (AnnexK) {
330 if (AnnexKIsAvailable)
331 return getAnnexKReplacementFor(FunctionName);
332 return std::nullopt;
333 }
334
335 if (Normal)
336 return getReplacementFor(FunctionName, AnnexKIsAvailable).str();
337
338 if (Additional)
339 return getReplacementForAdditional(FunctionName, AnnexKIsAvailable)
340 .str();
341
342 llvm_unreachable("Unhandled match category");
343 }();
344 if (!ReplacementFunctionName)
345 return;
346
347 Replacement = *ReplacementFunctionName;
348 Reason = getRationaleFor(FunctionName).str();
349 }
350
351 emitDiag(*this, SourceExpr, FuncDecl, Replacement, Reason);
352}
353
354void UnsafeFunctionsCheck::registerPPCallbacks(
355 const SourceManager &SM, Preprocessor *PP,
356 Preprocessor * /*ModuleExpanderPP*/) {
357 this->PP = PP;
358}
359
360void UnsafeFunctionsCheck::onEndOfTranslationUnit() {
361 this->PP = nullptr;
362 IsAnnexKAvailable.reset();
363}
364
365} // namespace clang::tidy::bugprone
clang::tidy::ClangTidyContext
Every ClangTidyCheck reports errors through a DiagnosticsEngine provided by this context.
Definition ClangTidyDiagnosticConsumer.h:70
clang::tidy::ClangTidyContext::configurationDiag
DiagnosticBuilder configurationDiag(StringRef Message, DiagnosticIDs::Level Level=DiagnosticIDs::Warning)
Report any errors to do with reading the configuration using this method.
Definition ClangTidyDiagnosticConsumer.cpp:208
clang::tidy::bugprone::UnsafeFunctionsCheck::registerPPCallbacks
void registerPPCallbacks(const SourceManager &SM, Preprocessor *PP, Preprocessor *ModuleExpanderPP) override
Definition UnsafeFunctionsCheck.cpp:354
clang::tidy::bugprone::UnsafeFunctionsCheck::check
void check(const ast_matchers::MatchFinder::MatchResult &Result) override
Definition UnsafeFunctionsCheck.cpp:275
clang::tidy::bugprone::UnsafeFunctionsCheck::storeOptions
void storeOptions(ClangTidyOptions::OptionMap &Opts) override
Definition UnsafeFunctionsCheck.cpp:175
clang::tidy::bugprone::UnsafeFunctionsCheck::UnsafeFunctionsCheck
UnsafeFunctionsCheck(StringRef Name, ClangTidyContext *Context)
Definition UnsafeFunctionsCheck.cpp:165
clang::tidy::bugprone::UnsafeFunctionsCheck::registerMatchers
void registerMatchers(ast_matchers::MatchFinder *Finder) override
Definition UnsafeFunctionsCheck.cpp:183
clang::ast_matchers
Definition AbseilMatcher.h:16
clang::tidy::bugprone::OptionNameReportMoreUnsafeFunctions
static constexpr StringRef OptionNameReportMoreUnsafeFunctions
Definition UnsafeFunctionsCheck.cpp:25
clang::tidy::bugprone::getReplacementForAdditional
static StringRef getReplacementForAdditional(StringRef FunctionName, bool IsAnnexKAvailable)
Definition UnsafeFunctionsCheck.cpp:67
clang::tidy::bugprone::FunctionNamesId
static constexpr StringRef FunctionNamesId
Definition UnsafeFunctionsCheck.cpp:30
clang::tidy::bugprone::getRationaleFor
static StringRef getRationaleFor(StringRef FunctionName)
Definition UnsafeFunctionsCheck.cpp:90
clang::tidy::bugprone::OptionNameCustomFunctions
static constexpr StringRef OptionNameCustomFunctions
Definition UnsafeFunctionsCheck.cpp:22
clang::tidy::bugprone::isAnnexKAvailable
static bool isAnnexKAvailable(std::optional< bool > &CacheVar, Preprocessor *PP, const LangOptions &LO)
Calculates whether Annex K is available for the current translation unit based on the macro definitio...
Definition UnsafeFunctionsCheck.cpp:111
clang::tidy::bugprone::getAnnexKReplacementFor
static std::optional< std::string > getAnnexKReplacementFor(StringRef FunctionName)
Definition UnsafeFunctionsCheck.cpp:37
clang::tidy::bugprone::getReplacementFor
static StringRef getReplacementFor(StringRef FunctionName, bool IsAnnexKAvailable)
Definition UnsafeFunctionsCheck.cpp:44
clang::tidy::bugprone::emitDiag
static void emitDiag(ClangTidyCheck &Check, const Expr *SourceExpr, const FunctionDecl *FuncDecl, StringRef Replacement, StringRef Reason)
A Reason prefixed with > produces a fully-custom message and / suppresses the Replacement suffix; an ...
Definition UnsafeFunctionsCheck.cpp:256
clang::tidy::bugprone::AdditionalFunctionNamesId
static constexpr StringRef AdditionalFunctionNamesId
Definition UnsafeFunctionsCheck.cpp:31
clang::tidy::bugprone::parseCheckedFunctions
static std::vector< UnsafeFunctionsCheck::CheckedFunction > parseCheckedFunctions(StringRef Option, ClangTidyContext *Context)
Definition UnsafeFunctionsCheck.cpp:121
clang::tidy::bugprone::CustomFunctionNamesId
static constexpr StringRef CustomFunctionNamesId
Definition UnsafeFunctionsCheck.cpp:33
clang::tidy::bugprone::DeclRefId
static constexpr StringRef DeclRefId
Definition UnsafeFunctionsCheck.cpp:34
clang::tidy::bugprone::FunctionNamesWithAnnexKReplacementId
static constexpr StringRef FunctionNamesWithAnnexKReplacementId
Definition UnsafeFunctionsCheck.cpp:28
clang::tidy::bugprone::OptionNameReportDefaultFunctions
static constexpr StringRef OptionNameReportDefaultFunctions
Definition UnsafeFunctionsCheck.cpp:23
clang::tidy::bugprone::serializeCheckedFunctions
static std::string serializeCheckedFunctions(const std::vector< UnsafeFunctionsCheck::CheckedFunction > &Functions)
Definition UnsafeFunctionsCheck.cpp:150
clang::tidy::matchers::matchesAnyListedRegexName
inline ::clang::ast_matchers::internal::Matcher< NamedDecl > matchesAnyListedRegexName(llvm::ArrayRef< StringRef > NameList)
Definition clang-tidy/utils/Matchers.h:146
clang::tidy::utils::options::parseStringList
std::vector< StringRef > parseStringList(StringRef Option)
Parse a semicolon separated list of strings.
Definition OptionsUtils.cpp:16
llvm
Some operations such as code completion produce a set of candidates.
Definition Generators.h:152
clang::tidy::ClangTidyOptions::OptionMap
llvm::StringMap< ClangTidyValue > OptionMap
Definition ClangTidyOptions.h:128
FuncDecl
static constexpr const char FuncDecl[]
Definition utils/UseRangesCheck.cpp:36
Generated on for clang-tools by doxygen 1.14.0