xref: /llvm-project/clang/lib/StaticAnalyzer/Checkers/CastSizeChecker.cpp (revision 97d2c9cae777cfc042bae9c4f7d2cc7705778491) 
1 //=== CastSizeChecker.cpp ---------------------------------------*- C++ -*-===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // CastSizeChecker checks when casting a malloc'ed symbolic region to type T,
11 // whether the size of the symbolic region is a multiple of the size of T.
12 //
13 //===----------------------------------------------------------------------===//
14 #include "ClangSACheckers.h"
15 #include "clang/AST/CharUnits.h"
16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17 #include "clang/StaticAnalyzer/Core/Checker.h"
18 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20 
21 using namespace clang;
22 using namespace ento;
23 
24 namespace {
25 class CastSizeChecker : public Checker< check::PreStmt<CastExpr> > {
26   mutable OwningPtr<BuiltinBug> BT;
27 public:
28   void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
29 };
30 }
31 
32 /// Check if we are casting to a struct with a flexible array at the end.
33 /// \code
34 /// struct foo {
35 ///   size_t len;
36 ///   struct bar data[];
37 /// };
38 /// \endcode
39 /// or
40 /// \code
41 /// struct foo {
42 ///   size_t len;
43 ///   struct bar data[0];
44 /// }
45 /// \endcode
46 /// In these cases it is also valid to allocate size of struct foo + a multiple
47 /// of struct bar.
48 static bool evenFlexibleArraySize(ASTContext &Ctx, CharUnits RegionSize,
49                                   CharUnits TypeSize, QualType ToPointeeTy) {
50   const RecordType *RT = ToPointeeTy->getAs<RecordType>();
51   if (!RT)
52     return false;
53 
54   const RecordDecl *RD = RT->getDecl();
55   RecordDecl::field_iterator Iter(RD->field_begin());
56   RecordDecl::field_iterator End(RD->field_end());
57   const FieldDecl *Last = 0;
58   for (; Iter != End; ++Iter)
59     Last = *Iter;
60   assert(Last && "empty structs should already be handled");
61 
62   const Type *ElemType = Last->getType()->getArrayElementTypeNoTypeQual();
63   CharUnits FlexSize;
64   if (const ConstantArrayType *ArrayTy =
65         Ctx.getAsConstantArrayType(Last->getType())) {
66     FlexSize = Ctx.getTypeSizeInChars(ElemType);
67     if (ArrayTy->getSize() == 1 && TypeSize > FlexSize)
68       TypeSize -= FlexSize;
69     else if (ArrayTy->getSize() != 0)
70       return false;
71   } else if (RD->hasFlexibleArrayMember()) {
72     FlexSize = Ctx.getTypeSizeInChars(ElemType);
73   } else {
74     return false;
75   }
76 
77   if (FlexSize.isZero())
78     return false;
79 
80   CharUnits Left = RegionSize - TypeSize;
81   if (Left.isNegative())
82     return false;
83 
84   if (Left % FlexSize == 0)
85     return true;
86 
87   return false;
88 }
89 
90 void CastSizeChecker::checkPreStmt(const CastExpr *CE,CheckerContext &C) const {
91   const Expr *E = CE->getSubExpr();
92   ASTContext &Ctx = C.getASTContext();
93   QualType ToTy = Ctx.getCanonicalType(CE->getType());
94   const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
95 
96   if (!ToPTy)
97     return;
98 
99   QualType ToPointeeTy = ToPTy->getPointeeType();
100 
101   // Only perform the check if 'ToPointeeTy' is a complete type.
102   if (ToPointeeTy->isIncompleteType())
103     return;
104 
105   ProgramStateRef state = C.getState();
106   const MemRegion *R = state->getSVal(E, C.getLocationContext()).getAsRegion();
107   if (R == 0)
108     return;
109 
110   const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R);
111   if (SR == 0)
112     return;
113 
114   SValBuilder &svalBuilder = C.getSValBuilder();
115   SVal extent = SR->getExtent(svalBuilder);
116   const llvm::APSInt *extentInt = svalBuilder.getKnownValue(state, extent);
117   if (!extentInt)
118     return;
119 
120   CharUnits regionSize = CharUnits::fromQuantity(extentInt->getSExtValue());
121   CharUnits typeSize = C.getASTContext().getTypeSizeInChars(ToPointeeTy);
122 
123   // Ignore void, and a few other un-sizeable types.
124   if (typeSize.isZero())
125     return;
126 
127   if (regionSize % typeSize == 0)
128     return;
129 
130   if (evenFlexibleArraySize(Ctx, regionSize, typeSize, ToPointeeTy))
131     return;
132 
133   if (ExplodedNode *errorNode = C.generateSink()) {
134     if (!BT)
135       BT.reset(new BuiltinBug(this, "Cast region with wrong size.",
136                                     "Cast a region whose size is not a multiple"
137                                     " of the destination type size."));
138     BugReport *R = new BugReport(*BT, BT->getDescription(), errorNode);
139     R->addRange(CE->getSourceRange());
140     C.emitReport(R);
141   }
142 }
143 
144 void ento::registerCastSizeChecker(CheckerManager &mgr) {
145   mgr.registerChecker<CastSizeChecker>();
146 }
147