clang-tools 22.0.0git
UnsafeFunctionsCheck.cpp
Go to the documentation of this file.
1//===----------------------------------------------------------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8
9#include "UnsafeFunctionsCheck.h"
10#include "../utils/OptionsUtils.h"
11#include "clang/AST/ASTContext.h"
12#include "clang/ASTMatchers/ASTMatchFinder.h"
13#include "clang/Lex/PPCallbacks.h"
14#include "clang/Lex/Preprocessor.h"
15#include <cassert>
16
17using namespace clang::ast_matchers;
18using namespace llvm;
19
20namespace clang::tidy::bugprone {
21
22static constexpr StringRef OptionNameCustomFunctions = "CustomFunctions";
23static constexpr StringRef OptionNameReportDefaultFunctions =
24 "ReportDefaultFunctions";
25static constexpr StringRef OptionNameReportMoreUnsafeFunctions =
26 "ReportMoreUnsafeFunctions";
27
28static constexpr StringRef FunctionNamesWithAnnexKReplacementId =
29 "FunctionNamesWithAnnexKReplacement";
30static constexpr StringRef FunctionNamesId = "FunctionsNames";
31static constexpr StringRef AdditionalFunctionNamesId =
32 "AdditionalFunctionsNames";
33static constexpr StringRef CustomFunctionNamesId = "CustomFunctionNames";
34static constexpr StringRef DeclRefId = "DRE";
35
36static std::optional<std::string>
37getAnnexKReplacementFor(StringRef FunctionName) {
38 return StringSwitch<std::string>(FunctionName)
39 .Case("strlen", "strnlen_s")
40 .Case("wcslen", "wcsnlen_s")
41 .Default((Twine{FunctionName} + "_s").str());
42}
43
44static StringRef getReplacementFor(StringRef FunctionName,
45 bool IsAnnexKAvailable) {
46 if (IsAnnexKAvailable) {
47 // Try to find a better replacement from Annex K first.
48 StringRef AnnexKReplacementFunction =
49 StringSwitch<StringRef>(FunctionName)
50 .Cases({"asctime", "asctime_r"}, "asctime_s")
51 .Case("gets", "gets_s")
52 .Default({});
53 if (!AnnexKReplacementFunction.empty())
54 return AnnexKReplacementFunction;
55 }
56
57 // FIXME: Some of these functions are available in C++ under "std::", and
58 // should be matched and suggested.
59 return StringSwitch<StringRef>(FunctionName)
60 .Cases({"asctime", "asctime_r"}, "strftime")
61 .Case("gets", "fgets")
62 .Case("rewind", "fseek")
63 .Case("setbuf", "setvbuf");
64}
65
66static StringRef getReplacementForAdditional(StringRef FunctionName,
67 bool IsAnnexKAvailable) {
68 if (IsAnnexKAvailable) {
69 // Try to find a better replacement from Annex K first.
70 StringRef AnnexKReplacementFunction = StringSwitch<StringRef>(FunctionName)
71 .Case("bcopy", "memcpy_s")
72 .Case("bzero", "memset_s")
73 .Default({});
74
75 if (!AnnexKReplacementFunction.empty())
76 return AnnexKReplacementFunction;
77 }
78
79 return StringSwitch<StringRef>(FunctionName)
80 .Case("bcmp", "memcmp")
81 .Case("bcopy", "memcpy")
82 .Case("bzero", "memset")
83 .Case("getpw", "getpwuid")
84 .Case("vfork", "posix_spawn");
85}
86
87/// \returns The rationale for replacing the function \p FunctionName with the
88/// safer alternative.
89static StringRef getRationaleFor(StringRef FunctionName) {
90 return StringSwitch<StringRef>(FunctionName)
91 .Cases({"asctime", "asctime_r", "ctime"},
92 "is not bounds-checking and non-reentrant")
93 .Cases({"bcmp", "bcopy", "bzero"}, "is deprecated")
94 .Cases({"fopen", "freopen"}, "has no exclusive access to the opened file")
95 .Case("gets", "is insecure, was deprecated and removed in C11 and C++14")
96 .Case("getpw", "is dangerous as it may overflow the provided buffer")
97 .Cases({"rewind", "setbuf"}, "has no error detection")
98 .Case("vfork", "is insecure as it can lead to denial of service "
99 "situations in the parent process")
100 .Default("is not bounds-checking");
101}
102
103/// Calculates whether Annex K is available for the current translation unit
104/// based on the macro definitions and the language options.
105///
106/// The result is cached and saved in \p CacheVar.
107static bool isAnnexKAvailable(std::optional<bool> &CacheVar, Preprocessor *PP,
108 const LangOptions &LO) {
109 if (CacheVar.has_value())
110 return *CacheVar;
111
112 if (!LO.C11)
113 // TODO: How is "Annex K" available in C++ mode?
114 return (CacheVar = false).value();
115
116 assert(PP && "No Preprocessor registered.");
117
118 if (!PP->isMacroDefined("__STDC_LIB_EXT1__") ||
119 !PP->isMacroDefined("__STDC_WANT_LIB_EXT1__"))
120 return (CacheVar = false).value();
121
122 const auto *MI =
123 PP->getMacroInfo(PP->getIdentifierInfo("__STDC_WANT_LIB_EXT1__"));
124 if (!MI || MI->tokens_empty())
125 return (CacheVar = false).value();
126
127 const Token &T = MI->tokens().back();
128 if (!T.isLiteral() || !T.getLiteralData())
129 return (CacheVar = false).value();
130
131 CacheVar = StringRef(T.getLiteralData(), T.getLength()) == "1";
132 return CacheVar.value();
133}
134
135static std::vector<UnsafeFunctionsCheck::CheckedFunction>
136parseCheckedFunctions(StringRef Option, ClangTidyContext *Context) {
137 const std::vector<StringRef> Functions =
138 utils::options::parseStringList(Option);
139 std::vector<UnsafeFunctionsCheck::CheckedFunction> Result;
140 Result.reserve(Functions.size());
141
142 for (const StringRef Function : Functions) {
143 if (Function.empty())
144 continue;
145
146 const auto [Name, Rest] = Function.split(',');
147 const auto [Replacement, Reason] = Rest.split(',');
148
149 if (Name.trim().empty()) {
150 Context->configurationDiag("invalid configuration value for option '%0'; "
151 "expected the name of an unsafe function")
152 << OptionNameCustomFunctions;
153 continue;
154 }
155
156 Result.push_back(
157 {Name.trim().str(),
158 matchers::MatchesAnyListedNameMatcher::NameMatcher(Name.trim()),
159 Replacement.trim().str(), Reason.trim().str()});
160 }
161
162 return Result;
163}
164
165static std::string serializeCheckedFunctions(
166 const std::vector<UnsafeFunctionsCheck::CheckedFunction> &Functions) {
167 std::vector<std::string> Result;
168 Result.reserve(Functions.size());
169
170 for (const auto &Entry : Functions) {
171 if (Entry.Reason.empty())
172 Result.push_back(Entry.Name + "," + Entry.Replacement);
173 else
174 Result.push_back(Entry.Name + "," + Entry.Replacement + "," +
175 Entry.Reason);
176 }
177
178 return llvm::join(Result, ";");
179}
180
181UnsafeFunctionsCheck::UnsafeFunctionsCheck(StringRef Name,
182 ClangTidyContext *Context)
183 : ClangTidyCheck(Name, Context),
184 CustomFunctions(parseCheckedFunctions(
185 Options.get(OptionNameCustomFunctions, ""), Context)),
186 ReportDefaultFunctions(
187 Options.get(OptionNameReportDefaultFunctions, true)),
188 ReportMoreUnsafeFunctions(
189 Options.get(OptionNameReportMoreUnsafeFunctions, true)) {}
190
191void UnsafeFunctionsCheck::storeOptions(ClangTidyOptions::OptionMap &Opts) {
192 Options.store(Opts, OptionNameCustomFunctions,
193 serializeCheckedFunctions(CustomFunctions));
194 Options.store(Opts, OptionNameReportDefaultFunctions, ReportDefaultFunctions);
195 Options.store(Opts, OptionNameReportMoreUnsafeFunctions,
196 ReportMoreUnsafeFunctions);
197}
198
199void UnsafeFunctionsCheck::registerMatchers(MatchFinder *Finder) {
200 if (ReportDefaultFunctions) {
201 if (getLangOpts().C11) {
202 // Matching functions with safe replacements only in Annex K.
203 auto FunctionNamesWithAnnexKReplacementMatcher = hasAnyName(
204 "::bsearch", "::ctime", "::fopen", "::fprintf", "::freopen",
205 "::fscanf", "::fwprintf", "::fwscanf", "::getenv", "::gmtime",
206 "::localtime", "::mbsrtowcs", "::mbstowcs", "::memcpy", "::memmove",
207 "::memset", "::printf", "::qsort", "::scanf", "::snprintf",
208 "::sprintf", "::sscanf", "::strcat", "::strcpy", "::strerror",
209 "::strlen", "::strncat", "::strncpy", "::strtok", "::swprintf",
210 "::swscanf", "::vfprintf", "::vfscanf", "::vfwprintf", "::vfwscanf",
211 "::vprintf", "::vscanf", "::vsnprintf", "::vsprintf", "::vsscanf",
212 "::vswprintf", "::vswscanf", "::vwprintf", "::vwscanf", "::wcrtomb",
213 "::wcscat", "::wcscpy", "::wcslen", "::wcsncat", "::wcsncpy",
214 "::wcsrtombs", "::wcstok", "::wcstombs", "::wctomb", "::wmemcpy",
215 "::wmemmove", "::wprintf", "::wscanf");
216 Finder->addMatcher(
217 declRefExpr(to(functionDecl(FunctionNamesWithAnnexKReplacementMatcher)
218 .bind(FunctionNamesWithAnnexKReplacementId)))
219 .bind(DeclRefId),
220 this);
221 }
222
223 // Matching functions with replacements without Annex K.
224 auto FunctionNamesMatcher =
225 hasAnyName("::asctime", "asctime_r", "::gets", "::rewind", "::setbuf");
226 Finder->addMatcher(
227 declRefExpr(
228 to(functionDecl(FunctionNamesMatcher).bind(FunctionNamesId)))
229 .bind(DeclRefId),
230 this);
231
232 if (ReportMoreUnsafeFunctions) {
233 // Matching functions with replacements without Annex K, at user request.
234 auto AdditionalFunctionNamesMatcher =
235 hasAnyName("::bcmp", "::bcopy", "::bzero", "::getpw", "::vfork");
236 Finder->addMatcher(
237 declRefExpr(to(functionDecl(AdditionalFunctionNamesMatcher)
238 .bind(AdditionalFunctionNamesId)))
239 .bind(DeclRefId),
240 this);
241 }
242 }
243
244 if (!CustomFunctions.empty()) {
245 std::vector<llvm::StringRef> FunctionNames;
246 FunctionNames.reserve(CustomFunctions.size());
247
248 for (const auto &Entry : CustomFunctions)
249 FunctionNames.emplace_back(Entry.Name);
250
251 auto CustomFunctionsMatcher = matchers::matchesAnyListedName(FunctionNames);
252
253 Finder->addMatcher(declRefExpr(to(functionDecl(CustomFunctionsMatcher)
254 .bind(CustomFunctionNamesId)))
255 .bind(DeclRefId),
256 this);
257 // C++ member calls do not contain a DeclRefExpr to the function decl.
258 // Instead, they contain a MemberExpr that refers to the decl.
259 Finder->addMatcher(memberExpr(member(functionDecl(CustomFunctionsMatcher)
260 .bind(CustomFunctionNamesId)))
261 .bind(DeclRefId),
262 this);
263 }
264}
265
266void UnsafeFunctionsCheck::check(const MatchFinder::MatchResult &Result) {
267 const Expr *SourceExpr = nullptr;
268 const FunctionDecl *FuncDecl = nullptr;
269
270 if (const auto *DeclRef = Result.Nodes.getNodeAs<DeclRefExpr>(DeclRefId)) {
271 SourceExpr = DeclRef;
272 FuncDecl = cast<FunctionDecl>(DeclRef->getDecl());
273 } else if (const auto *Member =
274 Result.Nodes.getNodeAs<MemberExpr>(DeclRefId)) {
275 SourceExpr = Member;
276 FuncDecl = cast<FunctionDecl>(Member->getMemberDecl());
277 } else {
278 llvm_unreachable("No valid matched node in check()");
279 return;
280 }
281
282 assert(SourceExpr && FuncDecl && "No valid matched node in check()");
283
284 // Only one of these are matched at a time.
285 const auto *AnnexK = Result.Nodes.getNodeAs<FunctionDecl>(
286 FunctionNamesWithAnnexKReplacementId);
287 const auto *Normal = Result.Nodes.getNodeAs<FunctionDecl>(FunctionNamesId);
288 const auto *Additional =
289 Result.Nodes.getNodeAs<FunctionDecl>(AdditionalFunctionNamesId);
290 const auto *Custom =
291 Result.Nodes.getNodeAs<FunctionDecl>(CustomFunctionNamesId);
292 assert((AnnexK || Normal || Additional || Custom) &&
293 "No valid match category.");
294
295 bool AnnexKIsAvailable =
296 isAnnexKAvailable(IsAnnexKAvailable, PP, getLangOpts());
297 StringRef FunctionName = FuncDecl->getName();
298
299 if (Custom) {
300 for (const auto &Entry : CustomFunctions) {
301 if (Entry.Pattern.match(*FuncDecl)) {
302 StringRef Reason =
303 Entry.Reason.empty() ? "is marked as unsafe" : Entry.Reason.c_str();
304
305 // Omit the replacement, when a fully-custom reason is given.
306 if (Reason.consume_front(">")) {
307 diag(SourceExpr->getExprLoc(), "function %0 %1")
308 << FuncDecl << Reason.trim() << SourceExpr->getSourceRange();
309 // Do not recommend a replacement when it is not present.
310 } else if (Entry.Replacement.empty()) {
311 diag(SourceExpr->getExprLoc(),
312 "function %0 %1; it should not be used")
313 << FuncDecl << Reason << Entry.Replacement
314 << SourceExpr->getSourceRange();
315 // Otherwise, emit the replacement.
316 } else {
317 diag(SourceExpr->getExprLoc(),
318 "function %0 %1; '%2' should be used instead")
319 << FuncDecl << Reason << Entry.Replacement
320 << SourceExpr->getSourceRange();
321 }
322
323 return;
324 }
325 }
326
327 llvm_unreachable("No custom function was matched.");
328 return;
329 }
330
331 const std::optional<std::string> ReplacementFunctionName =
332 [&]() -> std::optional<std::string> {
333 if (AnnexK) {
334 if (AnnexKIsAvailable)
335 return getAnnexKReplacementFor(FunctionName);
336 return std::nullopt;
337 }
338
339 if (Normal)
340 return getReplacementFor(FunctionName, AnnexKIsAvailable).str();
341
342 if (Additional)
343 return getReplacementForAdditional(FunctionName, AnnexKIsAvailable).str();
344
345 llvm_unreachable("Unhandled match category");
346 }();
347 if (!ReplacementFunctionName)
348 return;
349
350 diag(SourceExpr->getExprLoc(), "function %0 %1; '%2' should be used instead")
351 << FuncDecl << getRationaleFor(FunctionName)
352 << ReplacementFunctionName.value() << SourceExpr->getSourceRange();
353}
354
355void UnsafeFunctionsCheck::registerPPCallbacks(
356 const SourceManager &SM, Preprocessor *PP,
357 Preprocessor * /*ModuleExpanderPP*/) {
358 this->PP = PP;
359}
360
361void UnsafeFunctionsCheck::onEndOfTranslationUnit() {
362 this->PP = nullptr;
363 IsAnnexKAvailable.reset();
364}
365
366} // namespace clang::tidy::bugprone
clang::tidy::ClangTidyContext
Every ClangTidyCheck reports errors through a DiagnosticsEngine provided by this context.
Definition ClangTidyDiagnosticConsumer.h:70
clang::tidy::ClangTidyContext::configurationDiag
DiagnosticBuilder configurationDiag(StringRef Message, DiagnosticIDs::Level Level=DiagnosticIDs::Warning)
Report any errors to do with reading the configuration using this method.
Definition ClangTidyDiagnosticConsumer.cpp:208
clang::tidy::bugprone::UnsafeFunctionsCheck::registerPPCallbacks
void registerPPCallbacks(const SourceManager &SM, Preprocessor *PP, Preprocessor *ModuleExpanderPP) override
Definition UnsafeFunctionsCheck.cpp:355
clang::tidy::bugprone::UnsafeFunctionsCheck::check
void check(const ast_matchers::MatchFinder::MatchResult &Result) override
Definition UnsafeFunctionsCheck.cpp:266
clang::tidy::bugprone::UnsafeFunctionsCheck::storeOptions
void storeOptions(ClangTidyOptions::OptionMap &Opts) override
Definition UnsafeFunctionsCheck.cpp:191
clang::tidy::bugprone::UnsafeFunctionsCheck::UnsafeFunctionsCheck
UnsafeFunctionsCheck(StringRef Name, ClangTidyContext *Context)
Definition UnsafeFunctionsCheck.cpp:181
clang::tidy::bugprone::UnsafeFunctionsCheck::registerMatchers
void registerMatchers(ast_matchers::MatchFinder *Finder) override
Definition UnsafeFunctionsCheck.cpp:199
clang::ast_matchers
Definition AbseilMatcher.h:16
clang::tidy::bugprone::OptionNameReportMoreUnsafeFunctions
static constexpr StringRef OptionNameReportMoreUnsafeFunctions
Definition UnsafeFunctionsCheck.cpp:25
clang::tidy::bugprone::getReplacementForAdditional
static StringRef getReplacementForAdditional(StringRef FunctionName, bool IsAnnexKAvailable)
Definition UnsafeFunctionsCheck.cpp:66
clang::tidy::bugprone::FunctionNamesId
static constexpr StringRef FunctionNamesId
Definition UnsafeFunctionsCheck.cpp:30
clang::tidy::bugprone::getRationaleFor
static StringRef getRationaleFor(StringRef FunctionName)
Definition UnsafeFunctionsCheck.cpp:89
clang::tidy::bugprone::OptionNameCustomFunctions
static constexpr StringRef OptionNameCustomFunctions
Definition UnsafeFunctionsCheck.cpp:22
clang::tidy::bugprone::isAnnexKAvailable
static bool isAnnexKAvailable(std::optional< bool > &CacheVar, Preprocessor *PP, const LangOptions &LO)
Calculates whether Annex K is available for the current translation unit based on the macro definitio...
Definition UnsafeFunctionsCheck.cpp:107
clang::tidy::bugprone::getAnnexKReplacementFor
static std::optional< std::string > getAnnexKReplacementFor(StringRef FunctionName)
Definition UnsafeFunctionsCheck.cpp:37
clang::tidy::bugprone::getReplacementFor
static StringRef getReplacementFor(StringRef FunctionName, bool IsAnnexKAvailable)
Definition UnsafeFunctionsCheck.cpp:44
clang::tidy::bugprone::AdditionalFunctionNamesId
static constexpr StringRef AdditionalFunctionNamesId
Definition UnsafeFunctionsCheck.cpp:31
clang::tidy::bugprone::parseCheckedFunctions
static std::vector< UnsafeFunctionsCheck::CheckedFunction > parseCheckedFunctions(StringRef Option, ClangTidyContext *Context)
Definition UnsafeFunctionsCheck.cpp:136
clang::tidy::bugprone::CustomFunctionNamesId
static constexpr StringRef CustomFunctionNamesId
Definition UnsafeFunctionsCheck.cpp:33
clang::tidy::bugprone::DeclRefId
static constexpr StringRef DeclRefId
Definition UnsafeFunctionsCheck.cpp:34
clang::tidy::bugprone::FunctionNamesWithAnnexKReplacementId
static constexpr StringRef FunctionNamesWithAnnexKReplacementId
Definition UnsafeFunctionsCheck.cpp:28
clang::tidy::bugprone::OptionNameReportDefaultFunctions
static constexpr StringRef OptionNameReportDefaultFunctions
Definition UnsafeFunctionsCheck.cpp:23
clang::tidy::bugprone::serializeCheckedFunctions
static std::string serializeCheckedFunctions(const std::vector< UnsafeFunctionsCheck::CheckedFunction > &Functions)
Definition UnsafeFunctionsCheck.cpp:165
clang::tidy::matchers::matchesAnyListedName
inline ::clang::ast_matchers::internal::Matcher< NamedDecl > matchesAnyListedName(llvm::ArrayRef< StringRef > NameList)
Definition clang-tidy/utils/Matchers.h:147
clang::tidy::utils::options::parseStringList
std::vector< StringRef > parseStringList(StringRef Option)
Parse a semicolon separated list of strings.
Definition OptionsUtils.cpp:16
llvm
Some operations such as code completion produce a set of candidates.
Definition Generators.h:145
clang::tidy::ClangTidyOptions::OptionMap
llvm::StringMap< ClangTidyValue > OptionMap
Definition ClangTidyOptions.h:128
FuncDecl
static constexpr const char FuncDecl[]
Definition utils/UseRangesCheck.cpp:36
Generated on for clang-tools by doxygen 1.14.0