clang-tools-extra/clang-tidy/bugprone/SuspiciousMemsetUsageCheck.cpp

   1 //===--- SuspiciousMemsetUsageCheck.cpp - clang-tidy-----------------------===//
   2 //
   3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
   4 // See https://llvm.org/LICENSE.txt for license information.
   5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
   6 //
   7 //===----------------------------------------------------------------------===//
   8
   9 #include "SuspiciousMemsetUsageCheck.h"
  10 #include "clang/AST/ASTContext.h"
  11 #include "clang/ASTMatchers/ASTMatchFinder.h"
  12 #include "clang/ASTMatchers/ASTMatchers.h"
  13 #include "clang/Lex/Lexer.h"
  14 #include "clang/Tooling/FixIt.h"
  15
  16 using namespace clang::ast_matchers;
  17
  18 namespace clang::tidy::bugprone {
  19
  20 void SuspiciousMemsetUsageCheck::registerMatchers(MatchFinder *Finder) {
  21   // Match the standard memset:
  22   // void *memset(void *buffer, int fill_char, size_t byte_count);
  23   auto MemsetDecl =
  24       functionDecl(hasName("::memset"),
  25                    parameterCountIs(3),
  26                    hasParameter(0, hasType(pointerType(pointee(voidType())))),
  27                    hasParameter(1, hasType(isInteger())),
  28                    hasParameter(2, hasType(isInteger())));
  29
  30   // Look for memset(x, '0', z). Probably memset(x, 0, z) was intended.
  31   Finder->addMatcher(
  32       callExpr(
  33           callee(MemsetDecl), argumentCountIs(3),
  34           hasArgument(1, characterLiteral(equals(static_cast<unsigned>('0')))
  35                              .bind("char-zero-fill")),
  36           unless(hasArgument(
  37               0, anyOf(hasType(pointsTo(isAnyCharacter())),
  38                        hasType(arrayType(hasElementType(isAnyCharacter()))))))),
  39       this);
  40
  41   // Look for memset with an integer literal in its fill_char argument.
  42   // Will check if it gets truncated.
  43   Finder->addMatcher(
  44       callExpr(callee(MemsetDecl), argumentCountIs(3),
  45                hasArgument(1, integerLiteral().bind("num-fill"))),
  46       this);
  47
  48   // Look for memset(x, y, 0) as that is most likely an argument swap.
  49   Finder->addMatcher(
  50       callExpr(callee(MemsetDecl), argumentCountIs(3),
  51                unless(hasArgument(1, anyOf(characterLiteral(equals(
  52                                                static_cast<unsigned>('0'))),
  53                                            integerLiteral()))))
  54           .bind("call"),
  55       this);
  56 }
  57
  58 void SuspiciousMemsetUsageCheck::check(const MatchFinder::MatchResult &Result) {
  59   if (const auto *CharZeroFill =
  60           Result.Nodes.getNodeAs<CharacterLiteral>("char-zero-fill")) {
  61     // Case 1: fill_char of memset() is a character '0'. Probably an
  62     // integer zero was intended.
  63
  64     SourceRange CharRange = CharZeroFill->getSourceRange();
  65     auto Diag =
  66         diag(CharZeroFill->getBeginLoc(), "memset fill value is char '0', "
  67                                           "potentially mistaken for int 0");
  68
  69     // Only suggest a fix if no macros are involved.
  70     if (CharRange.getBegin().isMacroID())
  71       return;
  72     Diag << FixItHint::CreateReplacement(
  73         CharSourceRange::getTokenRange(CharRange), "0");
  74   }
  75
  76   else if (const auto *NumFill =
  77                Result.Nodes.getNodeAs<IntegerLiteral>("num-fill")) {
  78     // Case 2: fill_char of memset() is larger in size than an unsigned char
  79     // so it gets truncated during conversion.
  80
  81     const auto UCharMax = (1 << Result.Context->getCharWidth()) - 1;
  82     Expr::EvalResult EVResult;
  83     if (!NumFill->EvaluateAsInt(EVResult, *Result.Context))
  84       return;
  85
  86     llvm::APSInt NumValue = EVResult.Val.getInt();
  87     if (NumValue >= 0 && NumValue <= UCharMax)
  88       return;
  89
  90     diag(NumFill->getBeginLoc(), "memset fill value is out of unsigned "
  91                                  "character range, gets truncated");
  92   }
  93
  94   else if (const auto *Call = Result.Nodes.getNodeAs<CallExpr>("call")) {
  95     // Case 3: byte_count of memset() is zero. This is most likely an
  96     // argument swap.
  97
  98     const Expr *FillChar = Call->getArg(1);
  99     const Expr *ByteCount = Call->getArg(2);
 100
 101     // Return if `byte_count` is not zero at compile time.
 102     Expr::EvalResult Value2;
 103     if (ByteCount->isValueDependent() ||
 104         !ByteCount->EvaluateAsInt(Value2, *Result.Context) ||
 105         Value2.Val.getInt() != 0)
 106       return;
 107
 108     // Return if `fill_char` is known to be zero or negative at compile
 109     // time. In these cases, swapping the args would be a nop, or
 110     // introduce a definite bug. The code is likely correct.
 111     Expr::EvalResult EVResult;
 112     if (!FillChar->isValueDependent() &&
 113         FillChar->EvaluateAsInt(EVResult, *Result.Context)) {
 114       llvm::APSInt Value1 = EVResult.Val.getInt();
 115       if (Value1 == 0 || Value1.isNegative())
 116         return;
 117     }
 118
 119     // `byte_count` is known to be zero at compile time, and `fill_char` is
 120     // either not known or known to be a positive integer. Emit a warning
 121     // and fix-its to swap the arguments.
 122     auto D = diag(Call->getBeginLoc(),
 123                   "memset of size zero, potentially swapped arguments");
 124     StringRef RHSString = tooling::fixit::getText(*ByteCount, *Result.Context);
 125     StringRef LHSString = tooling::fixit::getText(*FillChar, *Result.Context);
 126     if (LHSString.empty() || RHSString.empty())
 127       return;
 128
 129     D << tooling::fixit::createReplacement(*FillChar, RHSString)
 130       << tooling::fixit::createReplacement(*ByteCount, LHSString);
 131   }
 132 }
 133
 134 } // namespace clang::tidy::bugprone