clang  19.0.0git
CastSizeChecker.cpp
Go to the documentation of this file.
1 //=== CastSizeChecker.cpp ---------------------------------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // CastSizeChecker checks when casting a malloc'ed symbolic region to type T,
10 // whether the size of the symbolic region is a multiple of the size of T.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "clang/AST/CharUnits.h"
15 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17 #include "clang/StaticAnalyzer/Core/Checker.h"
18 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
21 
22 using namespace clang;
23 using namespace ento;
24 
25 namespace {
26 class CastSizeChecker : public Checker< check::PreStmt<CastExpr> > {
27  const BugType BT{this, "Cast region with wrong size."};
28 
29 public:
30  void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
31 };
32 }
33 
34 /// Check if we are casting to a struct with a flexible array at the end.
35 /// \code
36 /// struct foo {
37 /// size_t len;
38 /// struct bar data[];
39 /// };
40 /// \endcode
41 /// or
42 /// \code
43 /// struct foo {
44 /// size_t len;
45 /// struct bar data[0];
46 /// }
47 /// \endcode
48 /// In these cases it is also valid to allocate size of struct foo + a multiple
49 /// of struct bar.
50 static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize,
51  CharUnits TypeSize, QualType ToPointeeTy) {
52  const RecordType *RT = ToPointeeTy->getAs<RecordType>();
53  if (!RT)
54  return false;
55 
56  const RecordDecl *RD = RT->getDecl();
57  RecordDecl::field_iterator Iter(RD->field_begin());
58  RecordDecl::field_iterator End(RD->field_end());
59  const FieldDecl *Last = nullptr;
60  for (; Iter != End; ++Iter)
61  Last = *Iter;
62  assert(Last && "empty structs should already be handled");
63 
64  const Type *ElemType = Last->getType()->getArrayElementTypeNoTypeQual();
65  CharUnits FlexSize;
66  if (const ConstantArrayType *ArrayTy =
67  Ctx.getAsConstantArrayType(Last->getType())) {
68  FlexSize = Ctx.getTypeSizeInChars(ElemType);
69  if (ArrayTy->getSize() == 1 && TypeSize > FlexSize)
70  TypeSize -= FlexSize;
71  else if (!ArrayTy->isZeroSize())
72  return false;
73  } else if (RD->hasFlexibleArrayMember()) {
74  FlexSize = Ctx.getTypeSizeInChars(ElemType);
75  } else {
76  return false;
77  }
78 
79  if (FlexSize.isZero())
80  return false;
81 
82  CharUnits Left = RegionSize - TypeSize;
83  if (Left.isNegative())
84  return false;
85 
86  return Left % FlexSize == 0;
87 }
88 
89 void CastSizeChecker::checkPreStmt(const CastExpr *CE,CheckerContext &C) const {
90  const Expr *E = CE->getSubExpr();
91  ASTContext &Ctx = C.getASTContext();
92  QualType ToTy = Ctx.getCanonicalType(CE->getType());
93  const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
94 
95  if (!ToPTy)
96  return;
97 
98  QualType ToPointeeTy = ToPTy->getPointeeType();
99 
100  // Only perform the check if 'ToPointeeTy' is a complete type.
101  if (ToPointeeTy->isIncompleteType())
102  return;
103 
104  ProgramStateRef state = C.getState();
105  const MemRegion *R = C.getSVal(E).getAsRegion();
106  if (!R)
107  return;
108 
109  const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R);
110  if (!SR)
111  return;
112 
113  SValBuilder &svalBuilder = C.getSValBuilder();
114 
115  DefinedOrUnknownSVal Size = getDynamicExtent(state, SR, svalBuilder);
116  const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size);
117  if (!SizeInt)
118  return;
119 
120  CharUnits regionSize = CharUnits::fromQuantity(SizeInt->getZExtValue());
121  CharUnits typeSize = C.getASTContext().getTypeSizeInChars(ToPointeeTy);
122 
123  // Ignore void, and a few other un-sizeable types.
124  if (typeSize.isZero())
125  return;
126 
127  if (regionSize % typeSize == 0)
128  return;
129 
130  if (evenFlexibleArraySize(Ctx, regionSize, typeSize, ToPointeeTy))
131  return;
132 
133  if (ExplodedNode *errorNode = C.generateErrorNode()) {
134  constexpr llvm::StringLiteral Msg =
135  "Cast a region whose size is not a multiple of the destination type "
136  "size.";
137  auto R = std::make_unique<PathSensitiveBugReport>(BT, Msg, errorNode);
138  R->addRange(CE->getSourceRange());
139  C.emitReport(std::move(R));
140  }
141 }
142 
143 void ento::registerCastSizeChecker(CheckerManager &mgr) {
144  mgr.registerChecker<CastSizeChecker>();
145 }
146 
147 bool ento::shouldRegisterCastSizeChecker(const CheckerManager &mgr) {
148  // PR31226: C++ is more complicated than what this checker currently supports.
149  // There are derived-to-base casts, there are different rules for 0-size
150  // structures, no flexible arrays, etc.
151  // FIXME: Disabled on C++ for now.
152  const LangOptions &LO = mgr.getLangOpts();
153  return !LO.CPlusPlus;
154 }
APSInt
llvm::APSInt APSInt
Definition: ByteCodeExprGen.cpp:23
evenFlexibleArraySize
static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize, CharUnits TypeSize, QualType ToPointeeTy)
Check if we are casting to a struct with a flexible array at the end.
Definition: CastSizeChecker.cpp:50
Iter
unsigned Iter
Definition: HTMLLogger.cpp:154
End
SourceLocation End
Definition: USRLocFinder.cpp:167
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:185
clang::ASTContext::getCanonicalType
CanQualType getCanonicalType(QualType T) const
Return the canonical (structural) type corresponding to the specified potentially non-canonical type ...
Definition: ASTContext.h:2589
clang::ASTContext::getAsConstantArrayType
const ConstantArrayType * getAsConstantArrayType(QualType T) const
Definition: ASTContext.h:2782
clang::ASTContext::getTypeSizeInChars
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
Definition: ASTContext.cpp:2439
clang::CastExpr
CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...
Definition: Expr.h:3535
clang::CastExpr::getSubExpr
Expr * getSubExpr()
Definition: Expr.h:3585
clang::CharUnits
CharUnits - This is an opaque type for sizes expressed in character units.
Definition: CharUnits.h:38
clang::CharUnits::isZero
bool isZero() const
isZero - Test whether the quantity equals zero.
Definition: CharUnits.h:122
clang::CharUnits::fromQuantity
static CharUnits fromQuantity(QuantityType Quantity)
fromQuantity - Construct a CharUnits quantity from a raw integer type.
Definition: CharUnits.h:63
clang::ConstantArrayType
Represents the canonical version of C arrays with a specified constant size.
Definition: Type.h:3568
clang::DeclContext::specific_decl_iterator
specific_decl_iterator - Iterates over a subrange of declarations stored in a DeclContext,...
Definition: DeclBase.h:2342
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::FieldDecl
Represents a member of a struct/union/class.
Definition: Decl.h:3060
clang::LangOptions
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:482
clang::PointerType
PointerType - C99 6.7.5.1 - Pointer Declarators.
Definition: Type.h:3151
clang::PointerType::getPointeeType
QualType getPointeeType() const
Definition: Type.h:3161
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:940
clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:7371
clang::RecordDecl
Represents a struct/union/class.
Definition: Decl.h:4171
clang::RecordDecl::hasFlexibleArrayMember
bool hasFlexibleArrayMember() const
Definition: Decl.h:4204
clang::RecordDecl::field_end
field_iterator field_end() const
Definition: Decl.h:4380
clang::RecordDecl::field_begin
field_iterator field_begin() const
Definition: Decl.cpp:5073
clang::RecordType
A helper class that allows the use of isa/cast/dyncast to detect TagType objects of structs/unions/cl...
Definition: Type.h:5561
clang::RecordType::getDecl
RecordDecl * getDecl() const
Definition: Type.h:5571
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:326
clang::Type
The base class of the type hierarchy.
Definition: Type.h:1813
clang::Type::isIncompleteType
bool isIncompleteType(NamedDecl **Def=nullptr) const
Types are partitioned into 3 broad categories (C99 6.2.5p1): object types, function types,...
Definition: Type.cpp:2361
clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>'.
Definition: Type.h:8160
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::CheckerManager::getLangOpts
const LangOptions & getLangOpts() const
Definition: CheckerManager.h:169
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96
clang::ento::SValBuilder::getKnownValue
virtual const llvm::APSInt * getKnownValue(ProgramStateRef state, SVal val)=0
Evaluates a given SVal.
clang::ento::SymbolicRegion
SymbolicRegion - A special, "non-concrete" region.
Definition: MemRegion.h:775
clang::ento::getDynamicExtent
DefinedOrUnknownSVal getDynamicExtent(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB)
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
Generated on Fri Jun 28 2024 01:37:08 for clang by doxygen 1.9.1