//===--- SuspiciousMemsetUsageCheck.cpp - clang-tidy-----------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//

#include "SuspiciousMemsetUsageCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/Lex/Lexer.h"
#include "clang/Tooling/FixIt.h"

using namespace clang::ast_matchers;

namespace clang::tidy::bugprone {

/// Registers the three call patterns this check diagnoses.
///
/// Every matcher is restricted to the C standard signature
///   void *memset(void *buffer, int fill_char, size_t byte_count);
/// so that same-named user overloads never reach check(). The matchers bind
/// distinct node names ("char-zero-fill", "num-fill", "call"); check()
/// dispatches on whichever name is present in the match result.
void SuspiciousMemsetUsageCheck::registerMatchers(MatchFinder *Finder) {
  // ::memset with a void* destination and two integral parameters.
  const auto StdMemset =
      functionDecl(hasName("::memset"), parameterCountIs(3),
                   hasParameter(0, hasType(pointerType(pointee(voidType())))),
                   hasParameter(1, hasType(isInteger())),
                   hasParameter(2, hasType(isInteger())));

  // The character literal '0' (byte 0x30), as opposed to the integer 0.
  const auto CharZero = characterLiteral(equals(static_cast<unsigned>('0')));

  // A destination of character type; filling such a buffer with '0' is
  // plausible, so it is excluded from the first pattern.
  const auto CharDestination = hasArgument(
      0, anyOf(hasType(pointsTo(isAnyCharacter())),
               hasType(arrayType(hasElementType(isAnyCharacter())))));

  // Pattern 1: memset(x, '0', z) on a non-character buffer. The buffer ends
  // up filled with 0x30 bytes, almost certainly not what was intended.
  Finder->addMatcher(
      callExpr(callee(StdMemset), argumentCountIs(3),
               hasArgument(1, CharZero.bind("char-zero-fill")),
               unless(CharDestination)),
      this);

  // Pattern 2: an integer literal as fill_char. check() decides whether the
  // value survives conversion to unsigned char.
  Finder->addMatcher(
      callExpr(callee(StdMemset), argumentCountIs(3),
               hasArgument(1, integerLiteral().bind("num-fill"))),
      this);

  // Pattern 3: every remaining call; check() looks for a zero byte_count,
  // which usually means the last two arguments were swapped. Calls already
  // covered by the literal patterns above are excluded so that a single
  // call never receives two diagnostics with conflicting fix-its.
  Finder->addMatcher(
      callExpr(callee(StdMemset), argumentCountIs(3),
               unless(hasArgument(1, anyOf(CharZero, integerLiteral()))))
          .bind("call"),
      this);
}

/// Emits a diagnostic for the memset call bound by registerMatchers().
///
/// Exactly one of the three bound node names is expected per match result;
/// the cases are handled in order and each one ends the callback.
///
/// @param Result The match result; Result.Context is used for constant
///               evaluation, source text extraction and the target's char
///               width.
void SuspiciousMemsetUsageCheck::check(const MatchFinder::MatchResult &Result) {
  ASTContext &Ctx = *Result.Context;
  const auto &Nodes = Result.Nodes;

  // Case 1: fill_char is the character '0'. The buffer is filled with the
  // byte 0x30 rather than zeroed; the integer 0 was most likely meant.
  if (const auto *ZeroChar =
          Nodes.getNodeAs<CharacterLiteral>("char-zero-fill")) {
    auto Warn = diag(ZeroChar->getBeginLoc(), "memset fill value is char '0', "
                                              "potentially mistaken for int 0");

    // The warning is always emitted; the fix-it is withheld when the literal
    // comes from a macro, because the replacement range would be unreliable.
    const SourceRange LitRange = ZeroChar->getSourceRange();
    if (!LitRange.getBegin().isMacroID())
      Warn << FixItHint::CreateReplacement(
          CharSourceRange::getTokenRange(LitRange), "0");
    return;
  }

  // Case 2: fill_char is an integer literal. memset converts it to unsigned
  // char, so anything outside [0, UCHAR_MAX] is silently truncated.
  if (const auto *Literal = Nodes.getNodeAs<IntegerLiteral>("num-fill")) {
    Expr::EvalResult Eval;
    if (!Literal->EvaluateAsInt(Eval, Ctx))
      return;

    const llvm::APSInt Fill = Eval.Val.getInt();
    // Largest value representable in one byte on the target.
    const auto MaxByte = (1 << Ctx.getCharWidth()) - 1;
    const bool FitsInByte = Fill >= 0 && Fill <= MaxByte;
    if (!FitsInByte)
      diag(Literal->getBeginLoc(), "memset fill value is out of unsigned "
                                   "character range, gets truncated");
    return;
  }

  // Case 3: byte_count is zero, so the call writes nothing at all. That is
  // usually an argument swap (memset(p, size, 0)), and it leaves the buffer
  // the author meant to clear untouched.
  if (const auto *Call = Nodes.getNodeAs<CallExpr>("call")) {
    const Expr *Fill = Call->getArg(1);
    const Expr *Count = Call->getArg(2);

    // Nothing to say unless byte_count is a compile-time zero.
    Expr::EvalResult CountEval;
    const bool CountIsZero = !Count->isValueDependent() &&
                             Count->EvaluateAsInt(CountEval, Ctx) &&
                             CountEval.Val.getInt() == 0;
    if (!CountIsZero)
      return;

    // A fill_char known to be zero or negative is not a swap candidate:
    // swapping would either be a no-op (memset(p, 0, 0)) or turn a negative
    // value into a bogus size. The code is presumably correct as written.
    Expr::EvalResult FillEval;
    if (!Fill->isValueDependent() && Fill->EvaluateAsInt(FillEval, Ctx)) {
      const llvm::APSInt FillValue = FillEval.Val.getInt();
      if (FillValue == 0 || FillValue.isNegative())
        return;
    }

    // byte_count is zero and fill_char is unknown or positive: warn, and
    // offer to swap the two arguments when both have retrievable source text.
    auto Warn = diag(Call->getBeginLoc(),
                     "memset of size zero, potentially swapped arguments");
    const StringRef FillText = tooling::fixit::getText(*Fill, Ctx);
    const StringRef CountText = tooling::fixit::getText(*Count, Ctx);
    if (FillText.empty() || CountText.empty())
      return;

    Warn << tooling::fixit::createReplacement(*Fill, CountText)
         << tooling::fixit::createReplacement(*Count, FillText);
  }
}

} // namespace clang::tidy::bugprone
