1 //=======- UncountedCallArgsChecker.cpp --------------------------*- C++ -*-==// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 9 #include "ASTUtils.h" 10 #include "DiagOutputUtils.h" 11 #include "PtrTypesSemantics.h" 12 #include "clang/AST/CXXInheritance.h" 13 #include "clang/AST/Decl.h" 14 #include "clang/AST/DeclCXX.h" 15 #include "clang/AST/RecursiveASTVisitor.h" 16 #include "clang/Basic/SourceLocation.h" 17 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 18 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20 #include "clang/StaticAnalyzer/Core/Checker.h" 21 #include "llvm/ADT/DenseSet.h" 22 23 using namespace clang; 24 using namespace ento; 25 26 namespace { 27 28 class UncountedCallArgsChecker 29 : public Checker<check::ASTDecl<TranslationUnitDecl>> { 30 BugType Bug{this, 31 "Uncounted call argument for a raw pointer/reference parameter", 32 "WebKit coding guidelines"}; 33 mutable BugReporter *BR; 34 35 public: 36 37 void checkASTDecl(const TranslationUnitDecl *TUD, AnalysisManager &MGR, 38 BugReporter &BRArg) const { 39 BR = &BRArg; 40 41 // The calls to checkAST* from AnalysisConsumer don't 42 // visit template instantiations or lambda classes. We 43 // want to visit those, so we make our own RecursiveASTVisitor. 44 struct LocalVisitor : public RecursiveASTVisitor<LocalVisitor> { 45 const UncountedCallArgsChecker *Checker; 46 explicit LocalVisitor(const UncountedCallArgsChecker *Checker) 47 : Checker(Checker) { 48 assert(Checker); 49 } 50 51 bool shouldVisitTemplateInstantiations() const { return true; } 52 bool shouldVisitImplicitCode() const { return false; } 53 54 bool VisitCallExpr(const CallExpr *CE) { 55 Checker->visitCallExpr(CE); 56 return true; 57 } 58 }; 59 60 LocalVisitor visitor(this); 61 visitor.TraverseDecl(const_cast<TranslationUnitDecl *>(TUD)); 62 } 63 64 void visitCallExpr(const CallExpr *CE) const { 65 if (shouldSkipCall(CE)) 66 return; 67 68 if (auto *F = CE->getDirectCallee()) { 69 // Skip the first argument for overloaded member operators (e. g. lambda 70 // or std::function call operator). 71 unsigned ArgIdx = 72 isa<CXXOperatorCallExpr>(CE) && dyn_cast_or_null<CXXMethodDecl>(F); 73 74 for (auto P = F->param_begin(); 75 // FIXME: Also check variadic function parameters. 76 // FIXME: Also check default function arguments. Probably a different 77 // checker. In case there are default arguments the call can have 78 // fewer arguments than the callee has parameters. 79 P < F->param_end() && ArgIdx < CE->getNumArgs(); ++P, ++ArgIdx) { 80 // TODO: attributes. 81 // if ((*P)->hasAttr<SafeRefCntblRawPtrAttr>()) 82 // continue; 83 84 const auto *ArgType = (*P)->getType().getTypePtrOrNull(); 85 if (!ArgType) 86 continue; // FIXME? Should we bail? 87 88 // FIXME: more complex types (arrays, references to raw pointers, etc) 89 Optional<bool> IsUncounted = isUncountedPtr(ArgType); 90 if (!IsUncounted || !(*IsUncounted)) 91 continue; 92 93 const auto *Arg = CE->getArg(ArgIdx); 94 95 std::pair<const clang::Expr *, bool> ArgOrigin = 96 tryToFindPtrOrigin(Arg, true); 97 98 // Temporary ref-counted object created as part of the call argument 99 // would outlive the call. 100 if (ArgOrigin.second) 101 continue; 102 103 if (isa<CXXNullPtrLiteralExpr>(ArgOrigin.first)) { 104 // foo(nullptr) 105 continue; 106 } 107 if (isa<IntegerLiteral>(ArgOrigin.first)) { 108 // FIXME: Check the value. 109 // foo(NULL) 110 continue; 111 } 112 113 if (isASafeCallArg(ArgOrigin.first)) 114 continue; 115 116 reportBug(Arg, *P); 117 } 118 } 119 } 120 121 bool shouldSkipCall(const CallExpr *CE) const { 122 if (CE->getNumArgs() == 0) 123 return false; 124 125 // If an assignment is problematic we should warn about the sole existence 126 // of object on LHS. 127 if (auto *MemberOp = dyn_cast<CXXOperatorCallExpr>(CE)) { 128 // Note: assignemnt to built-in type isn't derived from CallExpr. 129 if (MemberOp->isAssignmentOp()) 130 return false; 131 } 132 133 const auto *Callee = CE->getDirectCallee(); 134 if (!Callee) 135 return false; 136 137 auto overloadedOperatorType = Callee->getOverloadedOperator(); 138 if (overloadedOperatorType == OO_EqualEqual || 139 overloadedOperatorType == OO_ExclaimEqual || 140 overloadedOperatorType == OO_LessEqual || 141 overloadedOperatorType == OO_GreaterEqual || 142 overloadedOperatorType == OO_Spaceship || 143 overloadedOperatorType == OO_AmpAmp || 144 overloadedOperatorType == OO_PipePipe) 145 return true; 146 147 if (isCtorOfRefCounted(Callee)) 148 return true; 149 150 auto name = safeGetName(Callee); 151 if (name == "adoptRef" || name == "getPtr" || name == "WeakPtr" || 152 name == "makeWeakPtr" || name == "downcast" || name == "bitwise_cast" || 153 name == "is" || name == "equal" || name == "hash" || 154 name == "isType" 155 // FIXME: Most/all of these should be implemented via attributes. 156 || name == "equalIgnoringASCIICase" || 157 name == "equalIgnoringASCIICaseCommon" || 158 name == "equalIgnoringNullity") 159 return true; 160 161 return false; 162 } 163 164 void reportBug(const Expr *CallArg, const ParmVarDecl *Param) const { 165 assert(CallArg); 166 167 SmallString<100> Buf; 168 llvm::raw_svector_ostream Os(Buf); 169 170 const std::string paramName = safeGetName(Param); 171 Os << "Call argument"; 172 if (!paramName.empty()) { 173 Os << " for parameter "; 174 printQuotedQualifiedName(Os, Param); 175 } 176 Os << " is uncounted and unsafe."; 177 178 const SourceLocation SrcLocToReport = 179 isa<CXXDefaultArgExpr>(CallArg) ? Param->getDefaultArg()->getExprLoc() 180 : CallArg->getSourceRange().getBegin(); 181 182 PathDiagnosticLocation BSLoc(SrcLocToReport, BR->getSourceManager()); 183 auto Report = std::make_unique<BasicBugReport>(Bug, Os.str(), BSLoc); 184 Report->addRange(CallArg->getSourceRange()); 185 BR->emitReport(std::move(Report)); 186 } 187 }; 188 } // namespace 189 190 void ento::registerUncountedCallArgsChecker(CheckerManager &Mgr) { 191 Mgr.registerChecker<UncountedCallArgsChecker>(); 192 } 193 194 bool ento::shouldRegisterUncountedCallArgsChecker(const CheckerManager &) { 195 return true; 196 } 197