1//= UnixAPIChecker.h - Checks preconditions for various Unix APIs --*- C++ -*-//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines UnixAPIChecker, which is an assortment of checks on calls
10// to various, widely used UNIX/Posix functions.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/Basic/TargetInfo.h"
15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
18#include "clang/StaticAnalyzer/Core/Checker.h"
19#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
24#include "llvm/ADT/STLExtras.h"
25#include "llvm/ADT/SmallString.h"
26#include "llvm/ADT/StringExtras.h"
27#include "llvm/Support/raw_ostream.h"
28#include <optional>
29
30using namespace clang;
31using namespace ento;
32
33enum class OpenVariant {
34 /// The standard open() call:
35 /// int open(const char *path, int oflag, ...);
36 Open,
37
38 /// The variant taking a directory file descriptor and a relative path:
39 /// int openat(int fd, const char *path, int oflag, ...);
40 OpenAt
41};
42
43namespace {
44
45class UnixAPIMisuseChecker
46 : public Checker<check::PreCall, check::ASTDecl<TranslationUnitDecl>> {
47 const BugType BT_open{this, "Improper use of 'open'", categories::UnixAPI};
48 const BugType BT_getline{this, "Improper use of getdelim",
49 categories::UnixAPI};
50 const BugType BT_pthreadOnce{this, "Improper use of 'pthread_once'",
51 categories::UnixAPI};
52 const BugType BT_ArgumentNull{this, "NULL pointer", categories::UnixAPI};
53 mutable std::optional<uint64_t> Val_O_CREAT;
54
55 ProgramStateRef
56 EnsurePtrNotNull(SVal PtrVal, const Expr *PtrExpr, CheckerContext &C,
57 ProgramStateRef State, const StringRef PtrDescr,
58 std::optional<std::reference_wrapper<const BugType>> BT =
59 std::nullopt) const;
60
61 ProgramStateRef EnsureGetdelimBufferAndSizeCorrect(
62 SVal LinePtrPtrSVal, SVal SizePtrSVal, const Expr *LinePtrPtrExpr,
63 const Expr *SizePtrExpr, CheckerContext &C, ProgramStateRef State) const;
64
65public:
66 void checkASTDecl(const TranslationUnitDecl *TU, AnalysisManager &Mgr,
67 BugReporter &BR) const;
68
69 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
70
71 void CheckOpen(CheckerContext &C, const CallEvent &Call) const;
72 void CheckOpenAt(CheckerContext &C, const CallEvent &Call) const;
73 void CheckGetDelim(CheckerContext &C, const CallEvent &Call) const;
74 void CheckPthreadOnce(CheckerContext &C, const CallEvent &Call) const;
75
76 void CheckOpenVariant(CheckerContext &C, const CallEvent &Call,
77 OpenVariant Variant) const;
78
79 void ReportOpenBug(CheckerContext &C, ProgramStateRef State, const char *Msg,
80 SourceRange SR) const;
81};
82
83class UnixAPIPortabilityChecker : public Checker< check::PreStmt<CallExpr> > {
84public:
85 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
86
87private:
88 const BugType BT_mallocZero{
89 this, "Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)",
90 categories::UnixAPI};
91
92 void CheckCallocZero(CheckerContext &C, const CallExpr *CE) const;
93 void CheckMallocZero(CheckerContext &C, const CallExpr *CE) const;
94 void CheckReallocZero(CheckerContext &C, const CallExpr *CE) const;
95 void CheckReallocfZero(CheckerContext &C, const CallExpr *CE) const;
96 void CheckAllocaZero(CheckerContext &C, const CallExpr *CE) const;
97 void CheckAllocaWithAlignZero(CheckerContext &C, const CallExpr *CE) const;
98 void CheckVallocZero(CheckerContext &C, const CallExpr *CE) const;
99
100 bool ReportZeroByteAllocation(CheckerContext &C,
101 ProgramStateRef falseState,
102 const Expr *arg,
103 const char *fn_name) const;
104 void BasicAllocationCheck(CheckerContext &C,
105 const CallExpr *CE,
106 const unsigned numArgs,
107 const unsigned sizeArg,
108 const char *fn) const;
109};
110
111} // end anonymous namespace
112
113ProgramStateRef UnixAPIMisuseChecker::EnsurePtrNotNull(
114 SVal PtrVal, const Expr *PtrExpr, CheckerContext &C, ProgramStateRef State,
115 const StringRef PtrDescr,
116 std::optional<std::reference_wrapper<const BugType>> BT) const {
117 const auto Ptr = PtrVal.getAs<DefinedSVal>();
118 if (!Ptr)
119 return State;
120
121 const auto [PtrNotNull, PtrNull] = State->assume(Cond: *Ptr);
122 if (!PtrNotNull && PtrNull) {
123 if (ExplodedNode *N = C.generateErrorNode(State: PtrNull)) {
124 auto R = std::make_unique<PathSensitiveBugReport>(
125 args: BT.value_or(u: std::cref(t: BT_ArgumentNull)),
126 args: (PtrDescr + " pointer might be NULL.").str(), args&: N);
127 if (PtrExpr)
128 bugreporter::trackExpressionValue(N, E: PtrExpr, R&: *R);
129 C.emitReport(R: std::move(R));
130 }
131 return nullptr;
132 }
133
134 return PtrNotNull;
135}
136
137void UnixAPIMisuseChecker::checkASTDecl(const TranslationUnitDecl *TU,
138 AnalysisManager &Mgr,
139 BugReporter &) const {
140 // The definition of O_CREAT is platform specific.
141 // Try to get the macro value from the preprocessor.
142 Val_O_CREAT = tryExpandAsInteger(Macro: "O_CREAT", PP: Mgr.getPreprocessor());
143 // If we failed, fall-back to known values.
144 if (!Val_O_CREAT) {
145 if (TU->getASTContext().getTargetInfo().getTriple().getVendor() ==
146 llvm::Triple::Apple)
147 Val_O_CREAT = 0x0200;
148 }
149}
150
151//===----------------------------------------------------------------------===//
152// "open" (man 2 open)
153//===----------------------------------------------------------------------===/
154
155void UnixAPIMisuseChecker::checkPreCall(const CallEvent &Call,
156 CheckerContext &C) const {
157 const FunctionDecl *FD = dyn_cast_if_present<FunctionDecl>(Val: Call.getDecl());
158 if (!FD || FD->getKind() != Decl::Function)
159 return;
160
161 // Don't treat functions in namespaces with the same name a Unix function
162 // as a call to the Unix function.
163 const DeclContext *NamespaceCtx = FD->getEnclosingNamespaceContext();
164 if (isa_and_nonnull<NamespaceDecl>(Val: NamespaceCtx))
165 return;
166
167 StringRef FName = C.getCalleeName(FunDecl: FD);
168 if (FName.empty())
169 return;
170
171 if (FName == "open")
172 CheckOpen(C, Call);
173
174 else if (FName == "openat")
175 CheckOpenAt(C, Call);
176
177 else if (FName == "pthread_once")
178 CheckPthreadOnce(C, Call);
179
180 else if (is_contained(Set: {"getdelim", "getline"}, Element: FName))
181 CheckGetDelim(C, Call);
182}
183void UnixAPIMisuseChecker::ReportOpenBug(CheckerContext &C,
184 ProgramStateRef State,
185 const char *Msg,
186 SourceRange SR) const {
187 ExplodedNode *N = C.generateErrorNode(State);
188 if (!N)
189 return;
190
191 auto Report = std::make_unique<PathSensitiveBugReport>(args: BT_open, args&: Msg, args&: N);
192 Report->addRange(R: SR);
193 C.emitReport(R: std::move(Report));
194}
195
196void UnixAPIMisuseChecker::CheckOpen(CheckerContext &C,
197 const CallEvent &Call) const {
198 CheckOpenVariant(C, Call, Variant: OpenVariant::Open);
199}
200
201void UnixAPIMisuseChecker::CheckOpenAt(CheckerContext &C,
202 const CallEvent &Call) const {
203 CheckOpenVariant(C, Call, Variant: OpenVariant::OpenAt);
204}
205
206void UnixAPIMisuseChecker::CheckOpenVariant(CheckerContext &C,
207 const CallEvent &Call,
208 OpenVariant Variant) const {
209 // The index of the argument taking the flags open flags (O_RDONLY,
210 // O_WRONLY, O_CREAT, etc.),
211 unsigned int FlagsArgIndex;
212 const char *VariantName;
213 switch (Variant) {
214 case OpenVariant::Open:
215 FlagsArgIndex = 1;
216 VariantName = "open";
217 break;
218 case OpenVariant::OpenAt:
219 FlagsArgIndex = 2;
220 VariantName = "openat";
221 break;
222 };
223
224 // All calls should at least provide arguments up to the 'flags' parameter.
225 unsigned int MinArgCount = FlagsArgIndex + 1;
226
227 // If the flags has O_CREAT set then open/openat() require an additional
228 // argument specifying the file mode (permission bits) for the created file.
229 unsigned int CreateModeArgIndex = FlagsArgIndex + 1;
230
231 // The create mode argument should be the last argument.
232 unsigned int MaxArgCount = CreateModeArgIndex + 1;
233
234 ProgramStateRef state = C.getState();
235
236 if (Call.getNumArgs() < MinArgCount) {
237 // The frontend should issue a warning for this case. Just return.
238 return;
239 } else if (Call.getNumArgs() == MaxArgCount) {
240 const Expr *Arg = Call.getArgExpr(Index: CreateModeArgIndex);
241 QualType QT = Arg->getType();
242 if (!QT->isIntegerType()) {
243 SmallString<256> SBuf;
244 llvm::raw_svector_ostream OS(SBuf);
245 OS << "The " << CreateModeArgIndex + 1
246 << llvm::getOrdinalSuffix(Val: CreateModeArgIndex + 1)
247 << " argument to '" << VariantName << "' is not an integer";
248
249 ReportOpenBug(C, State: state,
250 Msg: SBuf.c_str(),
251 SR: Arg->getSourceRange());
252 return;
253 }
254 } else if (Call.getNumArgs() > MaxArgCount) {
255 SmallString<256> SBuf;
256 llvm::raw_svector_ostream OS(SBuf);
257 OS << "Call to '" << VariantName << "' with more than " << MaxArgCount
258 << " arguments";
259
260 ReportOpenBug(C, State: state, Msg: SBuf.c_str(),
261 SR: Call.getArgExpr(Index: MaxArgCount)->getSourceRange());
262 return;
263 }
264
265 if (!Val_O_CREAT) {
266 return;
267 }
268
269 // Now check if oflags has O_CREAT set.
270 const Expr *oflagsEx = Call.getArgExpr(Index: FlagsArgIndex);
271 const SVal V = Call.getArgSVal(Index: FlagsArgIndex);
272 if (!isa<NonLoc>(Val: V)) {
273 // The case where 'V' can be a location can only be due to a bad header,
274 // so in this case bail out.
275 return;
276 }
277 NonLoc oflags = V.castAs<NonLoc>();
278 NonLoc ocreateFlag = C.getSValBuilder()
279 .makeIntVal(integer: *Val_O_CREAT, type: oflagsEx->getType())
280 .castAs<NonLoc>();
281 SVal maskedFlagsUC = C.getSValBuilder().evalBinOpNN(state, op: BO_And,
282 lhs: oflags, rhs: ocreateFlag,
283 resultTy: oflagsEx->getType());
284 if (maskedFlagsUC.isUnknownOrUndef())
285 return;
286 DefinedSVal maskedFlags = maskedFlagsUC.castAs<DefinedSVal>();
287
288 // Check if maskedFlags is non-zero.
289 ProgramStateRef trueState, falseState;
290 std::tie(args&: trueState, args&: falseState) = state->assume(Cond: maskedFlags);
291
292 // Only emit an error if the value of 'maskedFlags' is properly
293 // constrained;
294 if (!(trueState && !falseState))
295 return;
296
297 if (Call.getNumArgs() < MaxArgCount) {
298 SmallString<256> SBuf;
299 llvm::raw_svector_ostream OS(SBuf);
300 OS << "Call to '" << VariantName << "' requires a "
301 << CreateModeArgIndex + 1
302 << llvm::getOrdinalSuffix(Val: CreateModeArgIndex + 1)
303 << " argument when the 'O_CREAT' flag is set";
304 ReportOpenBug(C, State: trueState,
305 Msg: SBuf.c_str(),
306 SR: oflagsEx->getSourceRange());
307 }
308}
309
310//===----------------------------------------------------------------------===//
311// getdelim and getline
312//===----------------------------------------------------------------------===//
313
314ProgramStateRef UnixAPIMisuseChecker::EnsureGetdelimBufferAndSizeCorrect(
315 SVal LinePtrPtrSVal, SVal SizePtrSVal, const Expr *LinePtrPtrExpr,
316 const Expr *SizePtrExpr, CheckerContext &C, ProgramStateRef State) const {
317 static constexpr llvm::StringLiteral SizeGreaterThanBufferSize =
318 "The buffer from the first argument is smaller than the size "
319 "specified by the second parameter";
320 static constexpr llvm::StringLiteral SizeUndef =
321 "The buffer from the first argument is not NULL, but the size specified "
322 "by the second parameter is undefined.";
323
324 auto EmitBugReport = [this, &C, SizePtrExpr, LinePtrPtrExpr](
325 ProgramStateRef BugState, StringRef ErrMsg) {
326 if (ExplodedNode *N = C.generateErrorNode(State: BugState)) {
327 auto R = std::make_unique<PathSensitiveBugReport>(args: BT_getline, args&: ErrMsg, args&: N);
328 bugreporter::trackExpressionValue(N, E: SizePtrExpr, R&: *R);
329 bugreporter::trackExpressionValue(N, E: LinePtrPtrExpr, R&: *R);
330 C.emitReport(R: std::move(R));
331 }
332 };
333
334 // We have a pointer to a pointer to the buffer, and a pointer to the size.
335 // We want what they point at.
336 auto LinePtrSVal = getPointeeVal(PtrSVal: LinePtrPtrSVal, State)->getAs<DefinedSVal>();
337 auto NSVal = getPointeeVal(PtrSVal: SizePtrSVal, State);
338 if (!LinePtrSVal || !NSVal || NSVal->isUnknown())
339 return nullptr;
340
341 assert(LinePtrPtrExpr && SizePtrExpr);
342
343 const auto [LinePtrNotNull, LinePtrNull] = State->assume(Cond: *LinePtrSVal);
344 if (LinePtrNotNull && !LinePtrNull) {
345 // If `*lineptr` is not null, but `*n` is undefined, there is UB.
346 if (NSVal->isUndef()) {
347 EmitBugReport(LinePtrNotNull, SizeUndef);
348 return nullptr;
349 }
350
351 // If it is defined, and known, its size must be less than or equal to
352 // the buffer size.
353 auto NDefSVal = NSVal->getAs<DefinedSVal>();
354 auto &SVB = C.getSValBuilder();
355 auto LineBufSize =
356 getDynamicExtent(State: LinePtrNotNull, MR: LinePtrSVal->getAsRegion(), SVB);
357 auto LineBufSizeGtN = SVB.evalBinOp(state: LinePtrNotNull, op: BO_GE, lhs: LineBufSize,
358 rhs: *NDefSVal, type: SVB.getConditionType())
359 .getAs<DefinedOrUnknownSVal>();
360 if (!LineBufSizeGtN)
361 return LinePtrNotNull;
362 if (auto LineBufSizeOk = LinePtrNotNull->assume(Cond: *LineBufSizeGtN, Assumption: true))
363 return LineBufSizeOk;
364
365 EmitBugReport(LinePtrNotNull, SizeGreaterThanBufferSize);
366 return nullptr;
367 }
368 return State;
369}
370
371void UnixAPIMisuseChecker::CheckGetDelim(CheckerContext &C,
372 const CallEvent &Call) const {
373 ProgramStateRef State = C.getState();
374
375 // The parameter `n` must not be NULL.
376 SVal SizePtrSval = Call.getArgSVal(Index: 1);
377 State = EnsurePtrNotNull(PtrVal: SizePtrSval, PtrExpr: Call.getArgExpr(Index: 1), C, State, PtrDescr: "Size");
378 if (!State)
379 return;
380
381 // The parameter `lineptr` must not be NULL.
382 SVal LinePtrPtrSVal = Call.getArgSVal(Index: 0);
383 State =
384 EnsurePtrNotNull(PtrVal: LinePtrPtrSVal, PtrExpr: Call.getArgExpr(Index: 0), C, State, PtrDescr: "Line");
385 if (!State)
386 return;
387
388 State = EnsureGetdelimBufferAndSizeCorrect(LinePtrPtrSVal, SizePtrSVal: SizePtrSval,
389 LinePtrPtrExpr: Call.getArgExpr(Index: 0),
390 SizePtrExpr: Call.getArgExpr(Index: 1), C, State);
391 if (!State)
392 return;
393
394 C.addTransition(State);
395}
396
397//===----------------------------------------------------------------------===//
398// pthread_once
399//===----------------------------------------------------------------------===//
400
401void UnixAPIMisuseChecker::CheckPthreadOnce(CheckerContext &C,
402 const CallEvent &Call) const {
403
404 // This is similar to 'CheckDispatchOnce' in the MacOSXAPIChecker.
405 // They can possibly be refactored.
406
407 if (Call.getNumArgs() < 1)
408 return;
409
410 // Check if the first argument is stack allocated. If so, issue a warning
411 // because that's likely to be bad news.
412 ProgramStateRef state = C.getState();
413 const MemRegion *R = Call.getArgSVal(Index: 0).getAsRegion();
414 if (!R || !isa<StackSpaceRegion>(Val: R->getMemorySpace()))
415 return;
416
417 ExplodedNode *N = C.generateErrorNode(State: state);
418 if (!N)
419 return;
420
421 SmallString<256> S;
422 llvm::raw_svector_ostream os(S);
423 os << "Call to 'pthread_once' uses";
424 if (const VarRegion *VR = dyn_cast<VarRegion>(Val: R))
425 os << " the local variable '" << VR->getDecl()->getName() << '\'';
426 else
427 os << " stack allocated memory";
428 os << " for the \"control\" value. Using such transient memory for "
429 "the control value is potentially dangerous.";
430 if (isa<VarRegion>(Val: R) && isa<StackLocalsSpaceRegion>(Val: R->getMemorySpace()))
431 os << " Perhaps you intended to declare the variable as 'static'?";
432
433 auto report =
434 std::make_unique<PathSensitiveBugReport>(args: BT_pthreadOnce, args: os.str(), args&: N);
435 report->addRange(R: Call.getArgExpr(Index: 0)->getSourceRange());
436 C.emitReport(R: std::move(report));
437}
438
439//===----------------------------------------------------------------------===//
440// "calloc", "malloc", "realloc", "reallocf", "alloca" and "valloc"
441// with allocation size 0
442//===----------------------------------------------------------------------===//
443
444// FIXME: Eventually these should be rolled into the MallocChecker, but right now
445// they're more basic and valuable for widespread use.
446
447// Returns true if we try to do a zero byte allocation, false otherwise.
448// Fills in trueState and falseState.
449static bool IsZeroByteAllocation(ProgramStateRef state,
450 const SVal argVal,
451 ProgramStateRef *trueState,
452 ProgramStateRef *falseState) {
453 std::tie(args&: *trueState, args&: *falseState) =
454 state->assume(Cond: argVal.castAs<DefinedSVal>());
455
456 return (*falseState && !*trueState);
457}
458
459// Generates an error report, indicating that the function whose name is given
460// will perform a zero byte allocation.
461// Returns false if an error occurred, true otherwise.
462bool UnixAPIPortabilityChecker::ReportZeroByteAllocation(
463 CheckerContext &C,
464 ProgramStateRef falseState,
465 const Expr *arg,
466 const char *fn_name) const {
467 ExplodedNode *N = C.generateErrorNode(State: falseState);
468 if (!N)
469 return false;
470
471 SmallString<256> S;
472 llvm::raw_svector_ostream os(S);
473 os << "Call to '" << fn_name << "' has an allocation size of 0 bytes";
474 auto report =
475 std::make_unique<PathSensitiveBugReport>(args: BT_mallocZero, args: os.str(), args&: N);
476
477 report->addRange(R: arg->getSourceRange());
478 bugreporter::trackExpressionValue(N, E: arg, R&: *report);
479 C.emitReport(R: std::move(report));
480
481 return true;
482}
483
484// Does a basic check for 0-sized allocations suitable for most of the below
485// functions (modulo "calloc")
486void UnixAPIPortabilityChecker::BasicAllocationCheck(CheckerContext &C,
487 const CallExpr *CE,
488 const unsigned numArgs,
489 const unsigned sizeArg,
490 const char *fn) const {
491 // Check for the correct number of arguments.
492 if (CE->getNumArgs() != numArgs)
493 return;
494
495 // Check if the allocation size is 0.
496 ProgramStateRef state = C.getState();
497 ProgramStateRef trueState = nullptr, falseState = nullptr;
498 const Expr *arg = CE->getArg(Arg: sizeArg);
499 SVal argVal = C.getSVal(arg);
500
501 if (argVal.isUnknownOrUndef())
502 return;
503
504 // Is the value perfectly constrained to zero?
505 if (IsZeroByteAllocation(state, argVal, trueState: &trueState, falseState: &falseState)) {
506 (void) ReportZeroByteAllocation(C, falseState, arg, fn_name: fn);
507 return;
508 }
509 // Assume the value is non-zero going forward.
510 assert(trueState);
511 if (trueState != state)
512 C.addTransition(State: trueState);
513}
514
515void UnixAPIPortabilityChecker::CheckCallocZero(CheckerContext &C,
516 const CallExpr *CE) const {
517 unsigned int nArgs = CE->getNumArgs();
518 if (nArgs != 2)
519 return;
520
521 ProgramStateRef state = C.getState();
522 ProgramStateRef trueState = nullptr, falseState = nullptr;
523
524 unsigned int i;
525 for (i = 0; i < nArgs; i++) {
526 const Expr *arg = CE->getArg(Arg: i);
527 SVal argVal = C.getSVal(arg);
528 if (argVal.isUnknownOrUndef()) {
529 if (i == 0)
530 continue;
531 else
532 return;
533 }
534
535 if (IsZeroByteAllocation(state, argVal, trueState: &trueState, falseState: &falseState)) {
536 if (ReportZeroByteAllocation(C, falseState, arg, fn_name: "calloc"))
537 return;
538 else if (i == 0)
539 continue;
540 else
541 return;
542 }
543 }
544
545 // Assume the value is non-zero going forward.
546 assert(trueState);
547 if (trueState != state)
548 C.addTransition(State: trueState);
549}
550
551void UnixAPIPortabilityChecker::CheckMallocZero(CheckerContext &C,
552 const CallExpr *CE) const {
553 BasicAllocationCheck(C, CE, numArgs: 1, sizeArg: 0, fn: "malloc");
554}
555
556void UnixAPIPortabilityChecker::CheckReallocZero(CheckerContext &C,
557 const CallExpr *CE) const {
558 BasicAllocationCheck(C, CE, numArgs: 2, sizeArg: 1, fn: "realloc");
559}
560
561void UnixAPIPortabilityChecker::CheckReallocfZero(CheckerContext &C,
562 const CallExpr *CE) const {
563 BasicAllocationCheck(C, CE, numArgs: 2, sizeArg: 1, fn: "reallocf");
564}
565
566void UnixAPIPortabilityChecker::CheckAllocaZero(CheckerContext &C,
567 const CallExpr *CE) const {
568 BasicAllocationCheck(C, CE, numArgs: 1, sizeArg: 0, fn: "alloca");
569}
570
571void UnixAPIPortabilityChecker::CheckAllocaWithAlignZero(
572 CheckerContext &C,
573 const CallExpr *CE) const {
574 BasicAllocationCheck(C, CE, numArgs: 2, sizeArg: 0, fn: "__builtin_alloca_with_align");
575}
576
577void UnixAPIPortabilityChecker::CheckVallocZero(CheckerContext &C,
578 const CallExpr *CE) const {
579 BasicAllocationCheck(C, CE, numArgs: 1, sizeArg: 0, fn: "valloc");
580}
581
582void UnixAPIPortabilityChecker::checkPreStmt(const CallExpr *CE,
583 CheckerContext &C) const {
584 const FunctionDecl *FD = C.getCalleeDecl(CE);
585 if (!FD || FD->getKind() != Decl::Function)
586 return;
587
588 // Don't treat functions in namespaces with the same name a Unix function
589 // as a call to the Unix function.
590 const DeclContext *NamespaceCtx = FD->getEnclosingNamespaceContext();
591 if (isa_and_nonnull<NamespaceDecl>(Val: NamespaceCtx))
592 return;
593
594 StringRef FName = C.getCalleeName(FunDecl: FD);
595 if (FName.empty())
596 return;
597
598 if (FName == "calloc")
599 CheckCallocZero(C, CE);
600
601 else if (FName == "malloc")
602 CheckMallocZero(C, CE);
603
604 else if (FName == "realloc")
605 CheckReallocZero(C, CE);
606
607 else if (FName == "reallocf")
608 CheckReallocfZero(C, CE);
609
610 else if (FName == "alloca" || FName == "__builtin_alloca")
611 CheckAllocaZero(C, CE);
612
613 else if (FName == "__builtin_alloca_with_align")
614 CheckAllocaWithAlignZero(C, CE);
615
616 else if (FName == "valloc")
617 CheckVallocZero(C, CE);
618}
619
620//===----------------------------------------------------------------------===//
621// Registration.
622//===----------------------------------------------------------------------===//
623
624#define REGISTER_CHECKER(CHECKERNAME) \
625 void ento::register##CHECKERNAME(CheckerManager &mgr) { \
626 mgr.registerChecker<CHECKERNAME>(); \
627 } \
628 \
629 bool ento::shouldRegister##CHECKERNAME(const CheckerManager &mgr) { \
630 return true; \
631 }
632
633REGISTER_CHECKER(UnixAPIMisuseChecker)
634REGISTER_CHECKER(UnixAPIPortabilityChecker)
635

source code of clang/lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp