1 //===--- SuspiciousMemsetUsageCheck.cpp - clang-tidy-----------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8
9 #include "SuspiciousMemsetUsageCheck.h"
10 #include "clang/AST/ASTContext.h"
11 #include "clang/ASTMatchers/ASTMatchFinder.h"
12 #include "clang/ASTMatchers/ASTMatchers.h"
13 #include "clang/Lex/Lexer.h"
14 #include "clang/Tooling/FixIt.h"
15
16 using namespace clang::ast_matchers;
17
18 namespace clang {
19 namespace tidy {
20 namespace bugprone {
21
// Registers the three memset patterns this check reports on. Each matcher
// binds the node that check() later inspects: the '0' character literal
// ("char-zero-fill"), the integer literal fill value ("num-fill"), or the
// whole call ("call") for the zero-length / swapped-argument case.
void SuspiciousMemsetUsageCheck::registerMatchers(MatchFinder *Finder) {
  // The target is the standard signature only:
  //   void *memset(void *buffer, int fill_char, size_t byte_count);
  // Matching on the declaration keeps other functions named memset (different
  // arity or parameter types) out of the check.
  const auto StdMemset =
      functionDecl(hasName("::memset"), parameterCountIs(3),
                   hasParameter(0, hasType(pointerType(pointee(voidType())))),
                   hasParameter(1, hasType(isInteger())),
                   hasParameter(2, hasType(isInteger())));

  // The character literal '0', as opposed to the integer 0.
  const auto CharZero = characterLiteral(equals(static_cast<unsigned>('0')));

  // A destination that is itself a character buffer: filling it with '0' is
  // plausible there, so such calls are excluded from case 1.
  const auto CharBufferDest = hasArgument(
      0, anyOf(hasType(pointsTo(isAnyCharacter())),
               hasType(arrayType(hasElementType(isAnyCharacter())))));

  // Case 1: memset(x, '0', z). An integer 0 was most likely intended.
  Finder->addMatcher(
      callExpr(callee(StdMemset),
               hasArgument(1, CharZero.bind("char-zero-fill")),
               unless(eachOf(CharBufferDest, isInTemplateInstantiation()))),
      this);

  // Case 2: an integer literal as fill_char. check() decides whether the
  // value survives the conversion to unsigned char.
  Finder->addMatcher(callExpr(callee(StdMemset),
                              hasArgument(1, integerLiteral().bind("num-fill")),
                              unless(isInTemplateInstantiation())),
                     this);

  // Case 3: every remaining memset call. check() flags those whose byte_count
  // evaluates to zero, which usually means the last two arguments are swapped.
  Finder->addMatcher(
      callExpr(callee(StdMemset),
               unless(hasArgument(1, anyOf(CharZero, integerLiteral()))),
               unless(isInTemplateInstantiation()))
          .bind("call"),
      this);
}
62
// Emits the diagnostic (and, where the source allows it, a fix-it) for one
// matched memset call. Exactly one of the three bound nodes registered in
// registerMatchers() is present per match; the cases are handled in turn and
// each returns on its own.
void SuspiciousMemsetUsageCheck::check(const MatchFinder::MatchResult &Result) {
  ASTContext &Ctx = *Result.Context;
  const BoundNodes &Nodes = Result.Nodes;

  // Case 1: fill_char is the character '0'; an integer zero was probably
  // intended.
  if (const auto *CharZeroFill =
          Nodes.getNodeAs<CharacterLiteral>("char-zero-fill")) {
    const SourceRange LiteralRange = CharZeroFill->getSourceRange();
    auto D = diag(CharZeroFill->getBeginLoc(), "memset fill value is char '0', "
                                               "potentially mistaken for int 0");
    // A '0' spelled inside a macro expansion gets the warning but no fix-it;
    // rewriting macro-expanded tokens is too fragile.
    if (!LiteralRange.getBegin().isMacroID())
      D << FixItHint::CreateReplacement(
          CharSourceRange::getTokenRange(LiteralRange), "0");
    return;
  }

  // Case 2: fill_char is an integer literal that does not fit in one target
  // character, so the conversion to unsigned char drops bits.
  if (const auto *NumFill = Nodes.getNodeAs<IntegerLiteral>("num-fill")) {
    Expr::EvalResult FillEval;
    if (!NumFill->EvaluateAsInt(FillEval, Ctx))
      return;
    const llvm::APSInt FillValue = FillEval.Val.getInt();
    // Largest value representable in one target char (char width comes from
    // the target, not from the host).
    const auto MaxByte = (1 << Ctx.getCharWidth()) - 1;
    if (FillValue >= 0 && FillValue <= MaxByte)
      return;
    diag(NumFill->getBeginLoc(), "memset fill value is out of unsigned "
                                 "character range, gets truncated");
    return;
  }

  // Case 3: byte_count is zero, which most likely means the last two
  // arguments were swapped (the call then writes nothing at all).
  const auto *Call = Nodes.getNodeAs<CallExpr>("call");
  if (!Call)
    return;

  const Expr *FillChar = Call->getArg(1);
  const Expr *ByteCount = Call->getArg(2);

  // Only a byte_count that is provably zero at compile time is reported.
  Expr::EvalResult CountEval;
  const bool CountIsZero = !ByteCount->isValueDependent() &&
                           ByteCount->EvaluateAsInt(CountEval, Ctx) &&
                           CountEval.Val.getInt() == 0;
  if (!CountIsZero)
    return;

  // A fill_char known to be zero or negative is left alone: swapping the
  // arguments would be a no-op or would introduce a definite bug, so the
  // call is presumably intentional.
  Expr::EvalResult FillEval;
  if (!FillChar->isValueDependent() &&
      FillChar->EvaluateAsInt(FillEval, Ctx)) {
    const llvm::APSInt &FillValue = FillEval.Val.getInt();
    if (FillValue == 0 || FillValue.isNegative())
      return;
  }

  // byte_count is zero and fill_char is unknown or positive: warn, and swap
  // the two arguments via fix-its when both have retrievable source text.
  const StringRef CountText = tooling::fixit::getText(*ByteCount, Ctx);
  const StringRef FillText = tooling::fixit::getText(*FillChar, Ctx);
  auto D = diag(Call->getBeginLoc(),
                "memset of size zero, potentially swapped arguments");
  if (FillText.empty() || CountText.empty())
    return;
  D << tooling::fixit::createReplacement(*FillChar, CountText)
    << tooling::fixit::createReplacement(*ByteCount, FillText);
}
138
139 } // namespace bugprone
140 } // namespace tidy
141 } // namespace clang
142