UnsafeFunctionsCheck.cpp

Go to the documentation of this file.

//===--- UnsafeFunctionsCheck.cpp - clang-tidy ----------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
 
#include "UnsafeFunctionsCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Lex/PPCallbacks.h"
#include "clang/Lex/Preprocessor.h"
#include <cassert>
 
using namespace clang::ast_matchers;
using namespace llvm;
 
namespace clang::tidy::bugprone {
 
static constexpr llvm::StringLiteral OptionNameReportMoreUnsafeFunctions =
    "ReportMoreUnsafeFunctions";
 
static constexpr llvm::StringLiteral FunctionNamesWithAnnexKReplacementId =
    "FunctionNamesWithAnnexKReplacement";
static constexpr llvm::StringLiteral FunctionNamesId = "FunctionsNames";
static constexpr llvm::StringLiteral AdditionalFunctionNamesId =
    "AdditionalFunctionsNames";
static constexpr llvm::StringLiteral DeclRefId = "DRE";
 
static std::optional<std::string>
getAnnexKReplacementFor(StringRef FunctionName) {
  return StringSwitch<std::string>(FunctionName)
      .Case("strlen", "strnlen_s")
      .Case("wcslen", "wcsnlen_s")
      .Default((Twine{FunctionName} + "_s").str());
}
 
static StringRef getReplacementFor(StringRef FunctionName,
                                   bool IsAnnexKAvailable) {
  if (IsAnnexKAvailable) {
    // Try to find a better replacement from Annex K first.
    StringRef AnnexKReplacementFunction =
        StringSwitch<StringRef>(FunctionName)
            .Cases("asctime", "asctime_r", "asctime_s")
            .Case("gets", "gets_s")
            .Default({});
    if (!AnnexKReplacementFunction.empty())
      return AnnexKReplacementFunction;
  }
 
  // FIXME: Some of these functions are available in C++ under "std::", and
  // should be matched and suggested.
  return StringSwitch<StringRef>(FunctionName)
      .Cases("asctime", "asctime_r", "strftime")
      .Case("gets", "fgets")
      .Case("rewind", "fseek")
      .Case("setbuf", "setvbuf");
}
 
static StringRef getReplacementForAdditional(StringRef FunctionName,
                                             bool IsAnnexKAvailable) {
  if (IsAnnexKAvailable) {
    // Try to find a better replacement from Annex K first.
    StringRef AnnexKReplacementFunction = StringSwitch<StringRef>(FunctionName)
                                              .Case("bcopy", "memcpy_s")
                                              .Case("bzero", "memset_s")
                                              .Default({});
 
    if (!AnnexKReplacementFunction.empty())
      return AnnexKReplacementFunction;
  }
 
  return StringSwitch<StringRef>(FunctionName)
      .Case("bcmp", "memcmp")
      .Case("bcopy", "memcpy")
      .Case("bzero", "memset")
      .Case("getpw", "getpwuid")
      .Case("vfork", "posix_spawn");
}
 
/// \returns The rationale for replacing the function \p FunctionName with the
/// safer alternative.
static StringRef getRationaleFor(StringRef FunctionName) {
  return StringSwitch<StringRef>(FunctionName)
      .Cases("asctime", "asctime_r", "ctime",
             "is not bounds-checking and non-reentrant")
      .Cases("bcmp", "bcopy", "bzero", "is deprecated")
      .Cases("fopen", "freopen", "has no exclusive access to the opened file")
      .Case("gets", "is insecure, was deprecated and removed in C11 and C++14")
      .Case("getpw", "is dangerous as it may overflow the provided buffer")
      .Cases("rewind", "setbuf", "has no error detection")
      .Case("vfork", "is insecure as it can lead to denial of service "
                     "situations in the parent process")
      .Default("is not bounds-checking");
}
 
/// Calculates whether Annex K is available for the current translation unit
/// based on the macro definitions and the language options.
///
/// The result is cached and saved in \p CacheVar.
static bool isAnnexKAvailable(std::optional<bool> &CacheVar, Preprocessor *PP,
                              const LangOptions &LO) {
  if (CacheVar.has_value())
    return *CacheVar;
 
  if (!LO.C11)
    // TODO: How is "Annex K" available in C++ mode?
    return (CacheVar = false).value();
 
  assert(PP && "No Preprocessor registered.");
 
  if (!PP->isMacroDefined("__STDC_LIB_EXT1__") ||
      !PP->isMacroDefined("__STDC_WANT_LIB_EXT1__"))
    return (CacheVar = false).value();
 
  const auto *MI =
      PP->getMacroInfo(PP->getIdentifierInfo("__STDC_WANT_LIB_EXT1__"));
  if (!MI || MI->tokens_empty())
    return (CacheVar = false).value();
 
  const Token &T = MI->tokens().back();
  if (!T.isLiteral() || !T.getLiteralData())
    return (CacheVar = false).value();
 
  CacheVar = StringRef(T.getLiteralData(), T.getLength()) == "1";
  return CacheVar.value();
}
 
UnsafeFunctionsCheck::UnsafeFunctionsCheck(StringRef Name,
                                           ClangTidyContext *Context)
    : ClangTidyCheck(Name, Context),
      ReportMoreUnsafeFunctions(
          Options.get(OptionNameReportMoreUnsafeFunctions, true)) {}
 
void UnsafeFunctionsCheck::storeOptions(ClangTidyOptions::OptionMap &Opts) {
  Options.store(Opts, OptionNameReportMoreUnsafeFunctions,
                ReportMoreUnsafeFunctions);
}
 
void UnsafeFunctionsCheck::registerMatchers(MatchFinder *Finder) {
  if (getLangOpts().C11) {
    // Matching functions with safe replacements only in Annex K.
    auto FunctionNamesWithAnnexKReplacementMatcher = hasAnyName(
        "::bsearch", "::ctime", "::fopen", "::fprintf", "::freopen", "::fscanf",
        "::fwprintf", "::fwscanf", "::getenv", "::gmtime", "::localtime",
        "::mbsrtowcs", "::mbstowcs", "::memcpy", "::memmove", "::memset",
        "::printf", "::qsort", "::scanf", "::snprintf", "::sprintf", "::sscanf",
        "::strcat", "::strcpy", "::strerror", "::strlen", "::strncat",
        "::strncpy", "::strtok", "::swprintf", "::swscanf", "::vfprintf",
        "::vfscanf", "::vfwprintf", "::vfwscanf", "::vprintf", "::vscanf",
        "::vsnprintf", "::vsprintf", "::vsscanf", "::vswprintf", "::vswscanf",
        "::vwprintf", "::vwscanf", "::wcrtomb", "::wcscat", "::wcscpy",
        "::wcslen", "::wcsncat", "::wcsncpy", "::wcsrtombs", "::wcstok",
        "::wcstombs", "::wctomb", "::wmemcpy", "::wmemmove", "::wprintf",
        "::wscanf");
    Finder->addMatcher(
        declRefExpr(to(functionDecl(FunctionNamesWithAnnexKReplacementMatcher)
                           .bind(FunctionNamesWithAnnexKReplacementId)))
            .bind(DeclRefId),
        this);
  }
 
  // Matching functions with replacements without Annex K.
  auto FunctionNamesMatcher =
      hasAnyName("::asctime", "asctime_r", "::gets", "::rewind", "::setbuf");
  Finder->addMatcher(
      declRefExpr(to(functionDecl(FunctionNamesMatcher).bind(FunctionNamesId)))
          .bind(DeclRefId),
      this);
 
  if (ReportMoreUnsafeFunctions) {
    // Matching functions with replacements without Annex K, at user request.
    auto AdditionalFunctionNamesMatcher =
        hasAnyName("::bcmp", "::bcopy", "::bzero", "::getpw", "::vfork");
    Finder->addMatcher(
        declRefExpr(to(functionDecl(AdditionalFunctionNamesMatcher)
                           .bind(AdditionalFunctionNamesId)))
            .bind(DeclRefId),
        this);
  }
}
 
void UnsafeFunctionsCheck::check(const MatchFinder::MatchResult &Result) {
  const auto *DeclRef = Result.Nodes.getNodeAs<DeclRefExpr>(DeclRefId);
  const auto *FuncDecl = cast<FunctionDecl>(DeclRef->getDecl());
  assert(DeclRef && FuncDecl && "No valid matched node in check()");
 
  const auto *AnnexK = Result.Nodes.getNodeAs<FunctionDecl>(
      FunctionNamesWithAnnexKReplacementId);
  const auto *Normal = Result.Nodes.getNodeAs<FunctionDecl>(FunctionNamesId);
  const auto *Additional =
      Result.Nodes.getNodeAs<FunctionDecl>(AdditionalFunctionNamesId);
  assert((AnnexK || Normal || Additional) && "No valid match category.");
 
  bool AnnexKIsAvailable =
      isAnnexKAvailable(IsAnnexKAvailable, PP, getLangOpts());
  StringRef FunctionName = FuncDecl->getName();
  const std::optional<std::string> ReplacementFunctionName =
      [&]() -> std::optional<std::string> {
    if (AnnexK) {
      if (AnnexKIsAvailable)
        return getAnnexKReplacementFor(FunctionName);
      return std::nullopt;
    }
 
    if (Normal)
      return getReplacementFor(FunctionName, AnnexKIsAvailable).str();
 
    if (Additional)
      return getReplacementForAdditional(FunctionName, AnnexKIsAvailable).str();
 
    llvm_unreachable("Unhandled match category");
  }();
  if (!ReplacementFunctionName)
    return;
 
  diag(DeclRef->getExprLoc(), "function %0 %1; '%2' should be used instead")
      << FuncDecl << getRationaleFor(FunctionName)
      << ReplacementFunctionName.value() << DeclRef->getSourceRange();
}
 
void UnsafeFunctionsCheck::registerPPCallbacks(
    const SourceManager &SM, Preprocessor *PP,
    Preprocessor * /*ModuleExpanderPP*/) {
  this->PP = PP;
}
 
void UnsafeFunctionsCheck::onEndOfTranslationUnit() {
  this->PP = nullptr;
  IsAnnexKAvailable.reset();
}
 
} // namespace clang::tidy::bugprone