clang-tools-extra/clang-tidy/misc/ThrowByValueCatchByReferenceCheck.cpp

   1 //===--- ThrowByValueCatchByReferenceCheck.cpp - clang-tidy----------------===//
   2 //
   3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
   4 // See https://llvm.org/LICENSE.txt for license information.
   5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
   6 //
   7 //===----------------------------------------------------------------------===//
   8
   9 #include "ThrowByValueCatchByReferenceCheck.h"
  10 #include "clang/AST/ASTContext.h"
  11 #include "clang/AST/OperationKinds.h"
  12 #include "clang/ASTMatchers/ASTMatchFinder.h"
  13
  14 using namespace clang::ast_matchers;
  15
  16 namespace clang::tidy::misc {
  17
  18 ThrowByValueCatchByReferenceCheck::ThrowByValueCatchByReferenceCheck(
  19     StringRef Name, ClangTidyContext *Context)
  20     : ClangTidyCheck(Name, Context),
  21       CheckAnonymousTemporaries(Options.get("CheckThrowTemporaries", true)),
  22       WarnOnLargeObject(Options.get("WarnOnLargeObject", false)),
  23       // Cannot access `ASTContext` from here so set it to an extremal value.
  24       MaxSizeOptions(
  25           Options.get("MaxSize", std::numeric_limits<uint64_t>::max())),
  26       MaxSize(MaxSizeOptions) {}
  27
  28 void ThrowByValueCatchByReferenceCheck::registerMatchers(MatchFinder *Finder) {
  29   Finder->addMatcher(cxxThrowExpr().bind("throw"), this);
  30   Finder->addMatcher(cxxCatchStmt().bind("catch"), this);
  31 }
  32
  33 void ThrowByValueCatchByReferenceCheck::storeOptions(
  34     ClangTidyOptions::OptionMap &Opts) {
  35   Options.store(Opts, "CheckThrowTemporaries", true);
  36   Options.store(Opts, "WarnOnLargeObjects", WarnOnLargeObject);
  37   Options.store(Opts, "MaxSize", MaxSizeOptions);
  38 }
  39
  40 void ThrowByValueCatchByReferenceCheck::check(
  41     const MatchFinder::MatchResult &Result) {
  42   diagnoseThrowLocations(Result.Nodes.getNodeAs<CXXThrowExpr>("throw"));
  43   diagnoseCatchLocations(Result.Nodes.getNodeAs<CXXCatchStmt>("catch"),
  44                          *Result.Context);
  45 }
  46
  47 bool ThrowByValueCatchByReferenceCheck::isFunctionParameter(
  48     const DeclRefExpr *DeclRefExpr) {
  49   return isa<ParmVarDecl>(DeclRefExpr->getDecl());
  50 }
  51
  52 bool ThrowByValueCatchByReferenceCheck::isCatchVariable(
  53     const DeclRefExpr *DeclRefExpr) {
  54   auto *ValueDecl = DeclRefExpr->getDecl();
  55   if (auto *VarDecl = dyn_cast<clang::VarDecl>(ValueDecl))
  56     return VarDecl->isExceptionVariable();
  57   return false;
  58 }
  59
  60 bool ThrowByValueCatchByReferenceCheck::isFunctionOrCatchVar(
  61     const DeclRefExpr *DeclRefExpr) {
  62   return isFunctionParameter(DeclRefExpr) || isCatchVariable(DeclRefExpr);
  63 }
  64
  65 void ThrowByValueCatchByReferenceCheck::diagnoseThrowLocations(
  66     const CXXThrowExpr *ThrowExpr) {
  67   if (!ThrowExpr)
  68     return;
  69   auto *SubExpr = ThrowExpr->getSubExpr();
  70   if (!SubExpr)
  71     return;
  72   auto QualType = SubExpr->getType();
  73   if (QualType->isPointerType()) {
  74     // The code is throwing a pointer.
  75     // In case it is string literal, it is safe and we return.
  76     auto *Inner = SubExpr->IgnoreParenImpCasts();
  77     if (isa<StringLiteral>(Inner))
  78       return;
  79     // If it's a variable from a catch statement, we return as well.
  80     auto *DeclRef = dyn_cast<DeclRefExpr>(Inner);
  81     if (DeclRef && isCatchVariable(DeclRef)) {
  82       return;
  83     }
  84     diag(SubExpr->getBeginLoc(), "throw expression throws a pointer; it should "
  85                                  "throw a non-pointer value instead");
  86   }
  87   // If the throw statement does not throw by pointer then it throws by value
  88   // which is ok.
  89   // There are addition checks that emit diagnosis messages if the thrown value
  90   // is not an RValue. See:
  91   // https://www.securecoding.cert.org/confluence/display/cplusplus/ERR09-CPP.+Throw+anonymous+temporaries
  92   // This behavior can be influenced by an option.
  93
  94   // If we encounter a CXXThrowExpr, we move through all casts until you either
  95   // encounter a DeclRefExpr or a CXXConstructExpr.
  96   // If it's a DeclRefExpr, we emit a message if the referenced variable is not
  97   // a catch variable or function parameter.
  98   // When encountering a CopyOrMoveConstructor: emit message if after casts,
  99   // the expression is a LValue
 100   if (CheckAnonymousTemporaries) {
 101     bool Emit = false;
 102     auto *CurrentSubExpr = SubExpr->IgnoreImpCasts();
 103     const auto *VariableReference = dyn_cast<DeclRefExpr>(CurrentSubExpr);
 104     const auto *ConstructorCall = dyn_cast<CXXConstructExpr>(CurrentSubExpr);
 105     // If we have a DeclRefExpr, we flag for emitting a diagnosis message in
 106     // case the referenced variable is neither a function parameter nor a
 107     // variable declared in the catch statement.
 108     if (VariableReference)
 109       Emit = !isFunctionOrCatchVar(VariableReference);
 110     else if (ConstructorCall &&
 111              ConstructorCall->getConstructor()->isCopyOrMoveConstructor()) {
 112       // If we have a copy / move construction, we emit a diagnosis message if
 113       // the object that we copy construct from is neither a function parameter
 114       // nor a variable declared in a catch statement
 115       auto ArgIter =
 116           ConstructorCall
 117               ->arg_begin(); // there's only one for copy constructors
 118       auto *CurrentSubExpr = (*ArgIter)->IgnoreImpCasts();
 119       if (CurrentSubExpr->isLValue()) {
 120         if (auto *Tmp = dyn_cast<DeclRefExpr>(CurrentSubExpr))
 121           Emit = !isFunctionOrCatchVar(Tmp);
 122         else if (isa<CallExpr>(CurrentSubExpr))
 123           Emit = true;
 124       }
 125     }
 126     if (Emit)
 127       diag(SubExpr->getBeginLoc(),
 128            "throw expression should throw anonymous temporary values instead");
 129   }
 130 }
 131
 132 void ThrowByValueCatchByReferenceCheck::diagnoseCatchLocations(
 133     const CXXCatchStmt *CatchStmt, ASTContext &Context) {
 134   if (!CatchStmt)
 135     return;
 136   auto CaughtType = CatchStmt->getCaughtType();
 137   if (CaughtType.isNull())
 138     return;
 139   auto *VarDecl = CatchStmt->getExceptionDecl();
 140   if (const auto *PT = CaughtType.getCanonicalType()->getAs<PointerType>()) {
 141     const char *DiagMsgCatchReference =
 142         "catch handler catches a pointer value; "
 143         "should throw a non-pointer value and "
 144         "catch by reference instead";
 145     // We do not diagnose when catching pointer to strings since we also allow
 146     // throwing string literals.
 147     if (!PT->getPointeeType()->isAnyCharacterType())
 148       diag(VarDecl->getBeginLoc(), DiagMsgCatchReference);
 149   } else if (!CaughtType->isReferenceType()) {
 150     const char *DiagMsgCatchReference = "catch handler catches by value; "
 151                                         "should catch by reference instead";
 152     // If it's not a pointer and not a reference then it must be caught "by
 153     // value". In this case we should emit a diagnosis message unless the type
 154     // is trivial.
 155     if (!CaughtType.isTrivialType(Context)) {
 156       diag(VarDecl->getBeginLoc(), DiagMsgCatchReference);
 157     } else if (WarnOnLargeObject) {
 158       // If the type is trivial, then catching it by reference is not dangerous.
 159       // However, catching large objects by value decreases the performance.
 160
 161       // We can now access `ASTContext` so if `MaxSize` is an extremal value
 162       // then set it to the size of `size_t`.
 163       if (MaxSize == std::numeric_limits<uint64_t>::max())
 164         MaxSize = Context.getTypeSize(Context.getSizeType());
 165       if (Context.getTypeSize(CaughtType) > MaxSize)
 166         diag(VarDecl->getBeginLoc(), DiagMsgCatchReference);
 167     }
 168   }
 169 }
 170
 171 } // namespace clang::tidy::misc