SuspiciousMemsetUsageCheck.cpp source code [clang-tools-extra/clang-tidy/bugprone/SuspiciousMemsetUsageCheck.cpp]

1	//===--- SuspiciousMemsetUsageCheck.cpp - clang-tidy-----------------------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8
9	#include "SuspiciousMemsetUsageCheck.h"
10	#include "clang/AST/ASTContext.h"
11	#include "clang/ASTMatchers/ASTMatchFinder.h"
12	#include "clang/ASTMatchers/ASTMatchers.h"
13	#include "clang/Lex/Lexer.h"
14	#include "clang/Tooling/FixIt.h"
15
16	using namespace clang::ast_matchers;
17
18	namespace clang::tidy::bugprone {
19
20	void SuspiciousMemsetUsageCheck::registerMatchers(MatchFinder *Finder) {
21	// Match the standard memset:
22	// void memset(void buffer, int fill_char, size_t byte_count);
23	auto MemsetDecl =
24	functionDecl (hasName(Name: "::memset"), parameterCountIs(N: `3`),
25	hasParameter(N: `0`, InnerMatcher: hasType(InnerMatcher: pointerType (pointee (voidType())))),
26	hasParameter(N: `1`, InnerMatcher: hasType(InnerMatcher: isInteger())),
27	hasParameter(N: `2`, InnerMatcher: hasType(InnerMatcher: isInteger())));
28
29	// Look for memset(x, '0', z). Probably memset(x, 0, z) was intended.
30	Finder->addMatcher(
31	NodeMatch: callExpr (
32	callee(InnerMatcher: MemsetDecl), argumentCountIs(N: `3`),
33	hasArgument(N: `1`, InnerMatcher: characterLiteral (equals(Value: static_cast<unsigned>(`'0'`)))
34	.bind(ID: "char-zero-fill")),
35	unless (hasArgument(
36	N: `0`, InnerMatcher: anyOf (hasType(InnerMatcher: pointsTo(InnerMatcher: isAnyCharacter())),
37	hasType(InnerMatcher: arrayType (hasElementType (isAnyCharacter()))))))),
38	Action: this);
39
40	// Look for memset with an integer literal in its fill_char argument.
41	// Will check if it gets truncated.
42	Finder->addMatcher(
43	NodeMatch: callExpr (callee(InnerMatcher: MemsetDecl), argumentCountIs(N: `3`),
44	hasArgument(N: `1`, InnerMatcher: integerLiteral ().bind(ID: "num-fill"))),
45	Action: this);
46
47	// Look for memset(x, y, 0) as that is most likely an argument swap.
48	Finder->addMatcher(
49	NodeMatch: callExpr (callee(InnerMatcher: MemsetDecl), argumentCountIs(N: `3`),
50	unless (hasArgument(N: `1`, InnerMatcher: anyOf (characterLiteral (equals(
51	Value: static_cast<unsigned>(`'0'`))),
52	integerLiteral ()))))
53	.bind(ID: "call"),
54	Action: this);
55	}
56
57	void SuspiciousMemsetUsageCheck::check(const MatchFinder::MatchResult &Result) {
58	if (const auto *CharZeroFill =
59	Result.Nodes.getNodeAs<CharacterLiteral>(ID: "char-zero-fill")) {
60	// Case 1: fill_char of memset() is a character '0'. Probably an
61	// integer zero was intended.
62
63	SourceRange CharRange = CharZeroFill->getSourceRange();
64	auto Diag =
65	diag(Loc: CharZeroFill->getBeginLoc(), Description: "memset fill value is char '0', "
66	"potentially mistaken for int 0");
67
68	// Only suggest a fix if no macros are involved.
69	if (CharRange.getBegin().isMacroID())
70	return;
71	Diag << FixItHint::CreateReplacement(
72	RemoveRange: CharSourceRange::getTokenRange(R: CharRange), Code: "0");
73	}
74
75	else if (const auto *NumFill =
76	Result.Nodes.getNodeAs<IntegerLiteral>(ID: "num-fill")) {
77	// Case 2: fill_char of memset() is larger in size than an unsigned char
78	// so it gets truncated during conversion.
79
80	const auto UCharMax = (`1` << Result.Context->getCharWidth()) - `1`;
81	Expr::EvalResult EVResult;
82	if (!NumFill->EvaluateAsInt(EVResult, *Result.Context))
83	return;
84
85	llvm::APSInt NumValue = EVResult.Val.getInt();
86	if (NumValue >= `0` && NumValue <= UCharMax)
87	return;
88
89	diag(Loc: NumFill->getBeginLoc(), Description: "memset fill value is out of unsigned "
90	"character range, gets truncated");
91	}
92
93	else if (const auto *Call = Result.Nodes.getNodeAs<CallExpr>(ID: "call")) {
94	// Case 3: byte_count of memset() is zero. This is most likely an
95	// argument swap.
96
97	const Expr *FillChar = Call->getArg(Arg: `1`);
98	const Expr *ByteCount = Call->getArg(Arg: `2`);
99
100	// Return if `byte_count` is not zero at compile time.
101	Expr::EvalResult Value2;
102	if (ByteCount->isValueDependent() \|\|
103	!ByteCount->EvaluateAsInt(Result&: Value2, Ctx: *Result.Context) \|\|
104	Value2.Val.getInt() != `0`)
105	return;
106
107	// Return if `fill_char` is known to be zero or negative at compile
108	// time. In these cases, swapping the args would be a nop, or
109	// introduce a definite bug. The code is likely correct.
110	Expr::EvalResult EVResult;
111	if (!FillChar->isValueDependent() &&
112	FillChar->EvaluateAsInt(Result&: EVResult, Ctx: *Result.Context)) {
113	llvm::APSInt Value1 = EVResult.Val.getInt();
114	if (Value1 == `0` \|\| Value1.isNegative())
115	return;
116	}
117
118	// `byte_count` is known to be zero at compile time, and `fill_char` is
119	// either not known or known to be a positive integer. Emit a warning
120	// and fix-its to swap the arguments.
121	auto D = diag(Loc: Call->getBeginLoc(),
122	Description: "memset of size zero, potentially swapped arguments");
123	StringRef RHSString = tooling::fixit::getText(Node: ByteCount, Context: Result.Context);
124	StringRef LHSString = tooling::fixit::getText(Node: FillChar, Context: Result.Context);
125	if (LHSString.empty() \|\| RHSString.empty())
126	return;
127
128	D << tooling::fixit::createReplacement(Destination: *FillChar, Source: RHSString)
129	<< tooling::fixit::createReplacement(Destination: *ByteCount, Source: LHSString);
130	}
131	}
132
133	} // namespace clang::tidy::bugprone
134

source code of clang-tools-extra/clang-tidy/bugprone/SuspiciousMemsetUsageCheck.cpp