1 //===--- SuspiciousMemsetUsageCheck.cpp - clang-tidy-----------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 
10 #include "clang/AST/ASTContext.h"
11 #include "clang/ASTMatchers/ASTMatchFinder.h"
12 #include "clang/ASTMatchers/ASTMatchers.h"
13 #include "clang/Lex/Lexer.h"
14 #include "clang/Tooling/FixIt.h"
15 
16 using namespace clang::ast_matchers;
17 
18 namespace clang {
19 namespace tidy {
20 namespace bugprone {
21 
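void SuspiciousMemsetUsageCheck::registerMatchers(MatchFinder *Finder) {
  // Note: void *memset(void *buffer, int fill_char, size_t byte_count);
  // All three matchers look at calls to the global ::memset; the callee and
  // the character literal '0' are shared between them.
  const auto MemsetCallee = callee(functionDecl(hasName("::memset")));
  const auto CharZero = characterLiteral(equals(static_cast<unsigned>('0')));

  // Case 1: memset(x, '0', z). Probably memset(x, 0, z) was intended, unless
  // the buffer holds characters, in which case filling with '0' is plausible.
  Finder->addMatcher(
      callExpr(MemsetCallee,
               hasArgument(1, CharZero.bind("char-zero-fill")),
               unless(eachOf(
                   hasArgument(0, anyOf(hasType(pointsTo(isAnyCharacter())),
                                        hasType(arrayType(hasElementType(
                                            isAnyCharacter()))))),
                   isInTemplateInstantiation()))),
      this);

  // Case 2: an integer literal as fill_char. check() reports it when the
  // value does not fit in an unsigned char and would be truncated.
  Finder->addMatcher(callExpr(MemsetCallee,
                              hasArgument(1, integerLiteral().bind("num-fill")),
                              unless(isInTemplateInstantiation())),
                     this);

  // Case 3: memset(x, y, 0), most likely an argument swap. hasName() matches
  // any declaration called ::memset regardless of its signature, and check()
  // reads getArg(1) and getArg(2) of this binding unconditionally, so pin the
  // three-argument form here.
  Finder->addMatcher(
      callExpr(MemsetCallee, argumentCountIs(3),
               unless(hasArgument(1, anyOf(CharZero, integerLiteral()))),
               unless(isInTemplateInstantiation()))
          .bind("call"),
      this);
}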
54 
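void SuspiciousMemsetUsageCheck::check(const MatchFinder::MatchResult &Result) {
  // Each matcher registered in registerMatchers() binds exactly one of the
  // three node ids below, so at most one branch applies per match.
  if (const auto *CharZeroFill =
          Result.Nodes.getNodeAs<CharacterLiteral>("char-zero-fill")) {
    // Case 1: fill_char of memset() is the character '0'. Probably an
    // integer zero was intended.
    const SourceRange CharRange = CharZeroFill->getSourceRange();
    auto Diag =
        diag(CharZeroFill->getBeginLoc(), "memset fill value is char '0', "
                                          "potentially mistaken for int 0");

    // Only suggest a fix if no macros are involved. The warning itself is
    // still emitted on early return: the diagnostic builder flushes when
    // `Diag` goes out of scope.
    if (CharRange.getBegin().isMacroID())
      return;
    Diag << FixItHint::CreateReplacement(
        CharSourceRange::getTokenRange(CharRange), "0");
  }

  else if (const auto *NumFill =
               Result.Nodes.getNodeAs<IntegerLiteral>("num-fill")) {
    // Case 2: fill_char of memset() is larger in size than an unsigned char
    // so it gets truncated during conversion.
    const auto UCharMax = (1 << Result.Context->getCharWidth()) - 1;
    Expr::EvalResult EVResult;
    if (!NumFill->EvaluateAsInt(EVResult, *Result.Context))
      return;

    // Values representable as an unsigned char survive the conversion intact.
    const llvm::APSInt NumValue = EVResult.Val.getInt();
    if (NumValue >= 0 && NumValue <= UCharMax)
      return;

    diag(NumFill->getBeginLoc(), "memset fill value is out of unsigned "
                                 "character range, gets truncated");
  }

  else if (const auto *Call = Result.Nodes.getNodeAs<CallExpr>("call")) {
    // Case 3: byte_count of memset() is zero. This is most likely an
    // argument swap.

    // The matcher selects the callee by name only, so a `::memset` declared
    // with fewer parameters would put the positional accesses below out of
    // range. Bail out instead of reading past the argument list.
    if (Call->getNumArgs() < 3)
      return;

    const Expr *FillChar = Call->getArg(1);
    const Expr *ByteCount = Call->getArg(2);

    // Return if `byte_count` is not zero at compile time.
    Expr::EvalResult CountResult;
    if (ByteCount->isValueDependent() ||
        !ByteCount->EvaluateAsInt(CountResult, *Result.Context) ||
        CountResult.Val.getInt() != 0)
      return;

    // Return if `fill_char` is known to be zero or negative at compile
    // time. In these cases, swapping the args would be a nop, or
    // introduce a definite bug. The code is likely correct.
    Expr::EvalResult FillResult;
    if (!FillChar->isValueDependent() &&
        FillChar->EvaluateAsInt(FillResult, *Result.Context)) {
      const llvm::APSInt FillValue = FillResult.Val.getInt();
      if (FillValue == 0 || FillValue.isNegative())
        return;
    }

    // `byte_count` is known to be zero at compile time, and `fill_char` is
    // either not known or known to be a positive integer. Emit a warning
    // and fix-its to swap the arguments.
    auto D = diag(Call->getBeginLoc(),
                  "memset of size zero, potentially swapped arguments");
    const StringRef CountText =
        tooling::fixit::getText(*ByteCount, *Result.Context);
    const StringRef FillText =
        tooling::fixit::getText(*FillChar, *Result.Context);
    // No source text (e.g. macro-generated arguments) means no usable fix-it;
    // the warning is still emitted when `D` is destroyed.
    if (FillText.empty() || CountText.empty())
      return;

    D << tooling::fixit::createReplacement(*FillChar, CountText)
      << tooling::fixit::createReplacement(*ByteCount, FillText);
  }
}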
130 
131 } // namespace bugprone
132 } // namespace tidy
133 } // namespace clang