xref: /llvm-project/clang/lib/StaticAnalyzer/Checkers/CastSizeChecker.cpp (revision d99bd55a5e092774214ba31fc5a871bfc31e711c) 
1 //=== CastSizeChecker.cpp ---------------------------------------*- C++ -*-===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // CastSizeChecker checks when casting a malloc'ed symbolic region to type T,
11 // whether the size of the symbolic region is a multiple of the size of T.
12 //
13 //===----------------------------------------------------------------------===//
14 #include "clang/AST/CharUnits.h"
15 #include "clang/StaticAnalyzer/BugReporter/BugType.h"
16 #include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
17 #include "ExprEngineInternalChecks.h"
18 
19 using namespace clang;
20 using namespace ento;
21 
22 namespace {
23 class CastSizeChecker : public CheckerVisitor<CastSizeChecker> {
24   BuiltinBug *BT;
25 public:
26   CastSizeChecker() : BT(0) {}
27   static void *getTag();
28   void PreVisitCastExpr(CheckerContext &C, const CastExpr *B);
29 };
30 }
31 
32 void *CastSizeChecker::getTag() {
33   static int x;
34   return &x;
35 }
36 
37 void CastSizeChecker::PreVisitCastExpr(CheckerContext &C, const CastExpr *CE) {
38   const Expr *E = CE->getSubExpr();
39   ASTContext &Ctx = C.getASTContext();
40   QualType ToTy = Ctx.getCanonicalType(CE->getType());
41   PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
42 
43   if (!ToPTy)
44     return;
45 
46   QualType ToPointeeTy = ToPTy->getPointeeType();
47 
48   // Only perform the check if 'ToPointeeTy' is a complete type.
49   if (ToPointeeTy->isIncompleteType())
50     return;
51 
52   const GRState *state = C.getState();
53   const MemRegion *R = state->getSVal(E).getAsRegion();
54   if (R == 0)
55     return;
56 
57   const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R);
58   if (SR == 0)
59     return;
60 
61   SValBuilder &svalBuilder = C.getSValBuilder();
62   SVal extent = SR->getExtent(svalBuilder);
63   const llvm::APSInt *extentInt = svalBuilder.getKnownValue(state, extent);
64   if (!extentInt)
65     return;
66 
67   CharUnits regionSize = CharUnits::fromQuantity(extentInt->getSExtValue());
68   CharUnits typeSize = C.getASTContext().getTypeSizeInChars(ToPointeeTy);
69 
70   // Ignore void, and a few other un-sizeable types.
71   if (typeSize.isZero())
72     return;
73 
74   if (regionSize % typeSize != 0) {
75     if (ExplodedNode *errorNode = C.generateSink()) {
76       if (!BT)
77         BT = new BuiltinBug("Cast region with wrong size.",
78                             "Cast a region whose size is not a multiple of the"
79                             " destination type size.");
80       RangedBugReport *R = new RangedBugReport(*BT, BT->getDescription(),
81                                                errorNode);
82       R->addRange(CE->getSourceRange());
83       C.EmitReport(R);
84     }
85   }
86 }
87 
88 
89 void ento::RegisterCastSizeChecker(ExprEngine &Eng) {
90   Eng.registerCheck(new CastSizeChecker());
91 }
92