This is an archive of the discontinued LLVM Phabricator instance.

Differential D18783

[clang-tidy] add new checker for string literal with NUL character.
ClosedPublic

Authored by etienneb on Apr 4 2016, 6:27 PM.

Details

Reviewers
hokein
alexfh
Commits
rGa5fd19ba1e6a: [clang-tidy] add new checker for string literal with NUL character.
rCTE265691: [clang-tidy] add new checker for string literal with NUL character.
rL265691: [clang-tidy] add new checker for string literal with NUL character.
Summary

This patch adds the support for detecting suspicious string
literals and their incorrect usage.

The following example shows a incorrect character escaping leading
to an embedded NUL character.

std::string str = "\0x42";   // Should be "\x42".

The patch also add detection of truncated literal when a literal
is passed to a string constructor.

Diff Detail

Event Timeline

etienneb updated this revision to Diff 52652.Apr 4 2016, 6:27 PM
etienneb retitled this revision from to [clang-tidy] add new checker for string literal with NUL character..
etienneb updated this object.
etienneb added a reviewer: alexfh.
etienneb added a subscriber: cfe-commits.
etienneb updated this object.Apr 4 2016, 6:29 PM
etienneb updated this revision to Diff 52653.Apr 4 2016, 6:34 PM

Fix list.rst (bad merge)

bkramer added a subscriber: bkramer.Apr 5 2016, 1:46 AM
bkramer added inline comments.
clang-tidy/misc/StringLiteralWithEmbeddedNulCheck.cpp
22

Isn't this identical to StringLiteral::getCodeUnit? Also returning 0 for unknown sizes is not a good idea imo.

alexfh added a reviewer: hokein.Apr 5 2016, 2:13 AM
etienneb updated this revision to Diff 52707.Apr 5 2016, 9:54 AM
etienneb marked an inline comment as done.

fix comments.

Eugene.Zelenko added a subscriber: Eugene.Zelenko.Apr 5 2016, 10:04 AM

Please mention this check in docs/ReleaseNotes.rst.

etienneb updated this revision to Diff 52708.Apr 5 2016, 10:12 AM

add missing reference in release-notes.

Eugene.Zelenko added inline comments.Apr 5 2016, 10:16 AM
docs/ReleaseNotes.rst
167

I think will be good idea to sort check alphabetically. At least I did so :-)

etienneb updated this revision to Diff 52710.Apr 5 2016, 10:18 AM

alpha ordering

bcraig added a subscriber: bcraig.Apr 5 2016, 10:27 AM

Is this checker able to connect a std::string with a pre-declared string literal (i.e. constant propagation)? For example...

const char *bad_chars = "\0\1\2\3";
std::string bad_str = bad_chars;

I've had real code make that mistake before.

etienneb added a comment.Apr 5 2016, 10:49 AM
In D18783#392486, @bcraig wrote:

Is this checker able to connect a std::string with a pre-declared string literal (i.e. constant propagation)? For example...

const char *bad_chars = "\0\1\2\3";
std::string bad_str = bad_chars;

I've had real code make that mistake before.

Not yet, but I already started working in it.
There is more false-positive to remove first. It will follow this patch soon.

alexfh edited edge metadata.Apr 6 2016, 7:10 AM

A couple of nits for now. Will take a closer look later.

clang-tidy/misc/StringLiteralWithEmbeddedNulCheck.cpp
23

Should this be an assert instead?

39

clang-format -style=LLVM (or -style=file), please.

etienneb updated this revision to Diff 52791.Apr 6 2016, 7:24 AM
etienneb marked 2 inline comments as done.
etienneb edited edge metadata.

alexfh comments.

etienneb updated this revision to Diff 52793.Apr 6 2016, 7:29 AM

nits.

etienneb added a comment.Apr 6 2016, 7:30 AM

I finally get rid of the GetCharAt function.

clang-tidy/misc/StringLiteralWithEmbeddedNulCheck.cpp
23

No, because we are not doing bounds check later:

if (GetCharAt(SL, i) == 0 &&
    GetCharAt(SL, i + 1) == 'x' &&
    isDigit(GetCharAt(SL, i + 2)) &&
    isDigit(GetCharAt(SL, i + 3))) {

We can move this as an assert, and in this case... we can modify the "if" to check the length.

LegalizeAdulthood added a subscriber: LegalizeAdulthood.Apr 6 2016, 9:46 AM

There are some APIs where a series of strings are passed as a single char * with NUL separators between the strings and the last string is indicated by two NUL characters in a row. For instance, see the MSDN documentation for the lpDependencies argument to [[ https://msdn.microsoft.com/en-us/library/windows/desktop/ms682450(v=vs.85).aspx | CreateService ]]. Such strings literals in the code look like:

LPCTSTR dependencies = _T("one\0two\0three\0four\0");

I don't see any annotation on this argument in <winsvc.h> where this function is declared, so there's no hint from the header about this argument. In this case, the biggest mistake people make is omitting the final NUL character, thinking that the \0 acts as a string separator and not a terminator:

LPCTSTR dependencies = _T("one\0two\0three\0four");

If you're lucky this results in a crash right away. If you're unlucky the compiler placed this constant in an area of memory with zero padding and it works by accident on your machine until it ships to a customer and then breaks on their machine mysteriously.

I was never a fan of these magic string array arguments and they mostly appear in the older portions of the Win32 API, but they are there nonetheless. I would hate for this check to signal a bunch of false positives on such strings.

etienneb added a comment.Apr 6 2016, 9:49 AM
In D18783#393367, @LegalizeAdulthood wrote:

There are some APIs where a series of strings are passed as a single char * with NUL separators between the strings and the last string is indicated by two NUL characters in a row. For instance, see the MSDN documentation for the lpDependencies argument to [[ https://msdn.microsoft.com/en-us/library/windows/desktop/ms682450(v=vs.85).aspx | CreateService ]]. Such strings literals in the code look like:

LPCTSTR dependencies = _T("one\0two\0three\0four\0");

I don't see any annotation on this argument in <winsvc.h> where this function is declared, so there's no hint from the header about this argument. In this case, the biggest mistake people make is omitting the final NUL character, thinking that the \0 acts as a string separator and not a terminator:

LPCTSTR dependencies = _T("one\0two\0three\0four");

If you're lucky this results in a crash right away. If you're unlucky the compiler placed this constant in an area of memory with zero padding and it works by accident on your machine until it ships to a customer and then breaks on their machine mysteriously.

I was never a fan of these magic string array arguments and they mostly appear in the older portions of the Win32 API, but they are there nonetheless. I would hate for this check to signal a bunch of false positives on such strings.

I know about these kind functions, and they are not covered by the current state of this check.
The current check only apply if there is a conversion from char* -> std::string (implicit constructor).
For now, I want to keep the false-positive ratio low.

I made a prototype to detect instances passed to 'func(char*)' but there are too many false-positives.

etienneb updated this revision to Diff 52856.Apr 6 2016, 3:09 PM

rebased.

alexfh added a comment.Apr 7 2016, 2:20 AM

A couple of nits.

clang-tidy/misc/MisplacedWideningCastCheck.cpp
64 ↗(On Diff #52856)

If clang-format did this, it used an incorrect style. In LLVM style it should put return on the next line. It should do the right thing, if you run it with -style=file and your clang-tools-extra working copy is checked out inside the cfe working copy (the important part here is that there's clang's or llvm's .clang-format file in a parent directory of the files you're running clang-format on).

95 ↗(On Diff #52856)

s/RelativeIntSizes/relativeIntSize/ (singular, first character should be lower-case).

223 ↗(On Diff #52856)

Two spaces before comments are common for Google style, so your clang-format most certainly uses a wrong style.

alexfh added a comment.Apr 7 2016, 2:22 AM

Wait, it looks like you've updated the patch from an incorrect branch: I see only clang-tidy/misc/MisplacedWideningCastCheck.cpp file here.

alexfh requested changes to this revision.Apr 7 2016, 4:56 AM
alexfh edited edge metadata.
This revision now requires changes to proceed.Apr 7 2016, 4:56 AM
etienneb updated this revision to Diff 52926.Apr 7 2016, 8:31 AM
etienneb edited edge metadata.
etienneb marked 2 inline comments as done.

Revert last diff (invalid patchset).

etienneb updated this revision to Diff 52927.Apr 7 2016, 8:33 AM
etienneb edited edge metadata.

nit

alexfh requested changes to this revision.Apr 7 2016, 8:45 AM
alexfh edited edge metadata.
alexfh added inline comments.
docs/clang-tidy/checks/misc-string-literal-with-embedded-nul.rst
7

Please use third-person form (Finds, validates, etc.).

28

s/an/a/

31

There doesn't seem to be anything bad with NUL-terminated. Did you mean with embedded NUL character?

This revision now requires changes to proceed.Apr 7 2016, 8:45 AM
etienneb updated this revision to Diff 52930.Apr 7 2016, 8:51 AM
etienneb edited edge metadata.
etienneb marked 3 inline comments as done.

fix doc.

alexfh accepted this revision.Apr 7 2016, 9:04 AM
alexfh edited edge metadata.

LG with one nit.

clang-tidy/misc/StringLiteralWithEmbeddedNulCheck.cpp
71

nit: Should this be return instead?

This revision is now accepted and ready to land.Apr 7 2016, 9:04 AM
etienneb updated this revision to Diff 52935.Apr 7 2016, 9:21 AM
etienneb edited edge metadata.

nit

etienneb closed this revision.Apr 7 2016, 9:21 AM

Revision Contents

Diff 52935

clang-tidy/misc/CMakeLists.txt

Show All 17 Linesadd_clang_library(clangTidyMiscModule
MoveConstantArgumentCheck.cpp MoveConstantArgumentCheck.cpp
MoveConstructorInitCheck.cpp MoveConstructorInitCheck.cpp
NewDeleteOverloadsCheck.cpp NewDeleteOverloadsCheck.cpp
NoexceptMoveConstructorCheck.cpp NoexceptMoveConstructorCheck.cpp
NonCopyableObjects.cpp NonCopyableObjects.cpp
SizeofContainerCheck.cpp SizeofContainerCheck.cpp
StaticAssertCheck.cpp StaticAssertCheck.cpp
StringIntegerAssignmentCheck.cpp StringIntegerAssignmentCheck.cpp
StringLiteralWithEmbeddedNulCheck.cpp
SuspiciousMissingCommaCheck.cpp SuspiciousMissingCommaCheck.cpp
SuspiciousSemicolonCheck.cpp SuspiciousSemicolonCheck.cpp
SwappedArgumentsCheck.cpp SwappedArgumentsCheck.cpp
ThrowByValueCatchByReferenceCheck.cpp ThrowByValueCatchByReferenceCheck.cpp
UndelegatedConstructor.cpp UndelegatedConstructor.cpp
UnusedAliasDeclsCheck.cpp UnusedAliasDeclsCheck.cpp
UnusedParametersCheck.cpp UnusedParametersCheck.cpp
UnusedRAIICheck.cpp UnusedRAIICheck.cpp
Show All 11 Lines

clang-tidy/misc/MiscTidyModule.cpp

Show All 25 Lines
#include "MoveConstantArgumentCheck.h" #include "MoveConstantArgumentCheck.h"
#include "MoveConstructorInitCheck.h" #include "MoveConstructorInitCheck.h"
#include "NewDeleteOverloadsCheck.h" #include "NewDeleteOverloadsCheck.h"
#include "NoexceptMoveConstructorCheck.h" #include "NoexceptMoveConstructorCheck.h"
#include "NonCopyableObjects.h" #include "NonCopyableObjects.h"
#include "SizeofContainerCheck.h" #include "SizeofContainerCheck.h"
#include "StaticAssertCheck.h" #include "StaticAssertCheck.h"
#include "StringIntegerAssignmentCheck.h" #include "StringIntegerAssignmentCheck.h"
#include "StringLiteralWithEmbeddedNulCheck.h"
#include "SuspiciousMissingCommaCheck.h" #include "SuspiciousMissingCommaCheck.h"
#include "SuspiciousSemicolonCheck.h" #include "SuspiciousSemicolonCheck.h"
#include "SwappedArgumentsCheck.h" #include "SwappedArgumentsCheck.h"
#include "ThrowByValueCatchByReferenceCheck.h" #include "ThrowByValueCatchByReferenceCheck.h"
#include "UndelegatedConstructor.h" #include "UndelegatedConstructor.h"
#include "UniqueptrResetReleaseCheck.h" #include "UniqueptrResetReleaseCheck.h"
#include "UnusedAliasDeclsCheck.h" #include "UnusedAliasDeclsCheck.h"
#include "UnusedParametersCheck.h" #include "UnusedParametersCheck.h"
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines CheckFactories.registerCheck<NoexceptMoveConstructorCheck>(
"misc-noexcept-move-constructor"); "misc-noexcept-move-constructor");
CheckFactories.registerCheck<NonCopyableObjectsCheck>( CheckFactories.registerCheck<NonCopyableObjectsCheck>(
"misc-non-copyable-objects"); "misc-non-copyable-objects");
CheckFactories.registerCheck<SizeofContainerCheck>("misc-sizeof-container"); CheckFactories.registerCheck<SizeofContainerCheck>("misc-sizeof-container");
CheckFactories.registerCheck<StaticAssertCheck>( CheckFactories.registerCheck<StaticAssertCheck>(
"misc-static-assert"); "misc-static-assert");
CheckFactories.registerCheck<StringIntegerAssignmentCheck>( CheckFactories.registerCheck<StringIntegerAssignmentCheck>(
"misc-string-integer-assignment"); "misc-string-integer-assignment");
CheckFactories.registerCheck<StringLiteralWithEmbeddedNulCheck>(
"misc-string-literal-with-embedded-nul");
CheckFactories.registerCheck<SuspiciousMissingCommaCheck>( CheckFactories.registerCheck<SuspiciousMissingCommaCheck>(
"misc-suspicious-missing-comma"); "misc-suspicious-missing-comma");
CheckFactories.registerCheck<SuspiciousSemicolonCheck>( CheckFactories.registerCheck<SuspiciousSemicolonCheck>(
"misc-suspicious-semicolon"); "misc-suspicious-semicolon");
CheckFactories.registerCheck<SwappedArgumentsCheck>( CheckFactories.registerCheck<SwappedArgumentsCheck>(
"misc-swapped-arguments"); "misc-swapped-arguments");
CheckFactories.registerCheck<ThrowByValueCatchByReferenceCheck>( CheckFactories.registerCheck<ThrowByValueCatchByReferenceCheck>(
"misc-throw-by-value-catch-by-reference"); "misc-throw-by-value-catch-by-reference");
Show All 26 Lines

clang-tidy/misc/StringLiteralWithEmbeddedNulCheck.h

  • This file was added.
//===--- StringLiteralWithEmbeddedNulCheck.h - clang-tidy--------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_MISC_STRING_LITERAL_WITH_EMBEDDED_NUL_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_MISC_STRING_LITERAL_WITH_EMBEDDED_NUL_H
#include "../ClangTidy.h"
namespace clang {
namespace tidy {
namespace misc {
/// Find suspicious string literals with embedded NUL characters.
///
/// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/misc-string-literal-with-embedded-nul.html
class StringLiteralWithEmbeddedNulCheck : public ClangTidyCheck {
public:
StringLiteralWithEmbeddedNulCheck(StringRef Name, ClangTidyContext *Context)
: ClangTidyCheck(Name, Context) {}
void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
};
} // namespace misc
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_MISC_STRING_LITERAL_WITH_EMBEDDED_NUL_H

clang-tidy/misc/StringLiteralWithEmbeddedNulCheck.cpp

  • This file was added.
//===--- StringLiteralWithEmbeddedNulCheck.cpp - clang-tidy----------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "StringLiteralWithEmbeddedNulCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
using namespace clang::ast_matchers;
namespace clang {
namespace tidy {
namespace misc {
AST_MATCHER(StringLiteral, containsNul) {
for (size_t i = 0; i < Node.getLength(); ++i)
if (Node.getCodeUnit(i) == '\0')
bkramerUnsubmitted
Done
ReplyInline Actions

Isn't this identical to StringLiteral::getCodeUnit? Also returning 0 for unknown sizes is not a good idea imo.

bkramer: Isn't this identical to StringLiteral::getCodeUnit? Also returning 0 for unknown sizes is not a…
return true;
alexfhUnsubmitted
Done
ReplyInline Actions

Should this be an assert instead?

alexfh: Should this be an assert instead?
etiennebAuthorUnsubmitted
Not Done
ReplyInline Actions

No, because we are not doing bounds check later:

if (GetCharAt(SL, i) == 0 &&
    GetCharAt(SL, i + 1) == 'x' &&
    isDigit(GetCharAt(SL, i + 2)) &&
    isDigit(GetCharAt(SL, i + 3))) {

We can move this as an assert, and in this case... we can modify the "if" to check the length.

etienneb: No, because we are not doing bounds check later: if (GetCharAt(SL, i) == 0 &&…
return false;
}
void StringLiteralWithEmbeddedNulCheck::registerMatchers(MatchFinder *Finder) {
// Match a string that contains embedded NUL character. Extra-checks are
// applied in |check| to find incorectly escaped characters.
Finder->addMatcher(stringLiteral(containsNul()).bind("strlit"), this);
// The remaining checks only apply to C++.
if (!getLangOpts().CPlusPlus)
return;
const auto StrLitWithNul =
ignoringParenImpCasts(stringLiteral(containsNul()).bind("truncated"));
// Match string constructor.
alexfhUnsubmitted
Done
ReplyInline Actions

clang-format -style=LLVM (or -style=file), please.

alexfh: clang-format -style=LLVM (or -style=file), please.
const auto StringConstructorExpr = expr(anyOf(
cxxConstructExpr(argumentCountIs(1),
hasDeclaration(cxxMethodDecl(hasName("basic_string")))),
// If present, the second argument is the alloc object which must not
// be present explicitly.
cxxConstructExpr(argumentCountIs(2),
hasDeclaration(cxxMethodDecl(hasName("basic_string"))),
hasArgument(1, cxxDefaultArgExpr()))));
// Detect passing a suspicious string literal to a string constructor.
// example: std::string str = "abc\0def";
Finder->addMatcher(
cxxConstructExpr(StringConstructorExpr, hasArgument(0, StrLitWithNul)),
this);
// Detect passing a suspicious string literal through an overloaded operator.
Finder->addMatcher(cxxOperatorCallExpr(hasAnyArgument(StrLitWithNul)), this);
}
void StringLiteralWithEmbeddedNulCheck::check(
const MatchFinder::MatchResult &Result) {
if (const auto *SL = Result.Nodes.getNodeAs<StringLiteral>("strlit")) {
for (size_t Offset = 0, Length = SL->getLength(); Offset < Length;
++Offset) {
// Find a sequence of character like "\0x12".
if (Offset + 3 < Length && SL->getCodeUnit(Offset) == '\0' &&
SL->getCodeUnit(Offset + 1) == 'x' &&
isDigit(SL->getCodeUnit(Offset + 2)) &&
isDigit(SL->getCodeUnit(Offset + 3))) {
diag(SL->getLocStart(), "suspicious embedded NUL character");
return;
}
alexfhUnsubmitted
Not Done
ReplyInline Actions

nit: Should this be return instead?

alexfh: nit: Should this be `return` instead?
}
}
if (const auto *SL = Result.Nodes.getNodeAs<StringLiteral>("truncated")) {
diag(SL->getLocStart(),
"truncated string literal with embedded NUL character");
}
}
} // namespace misc
} // namespace tidy
} // namespace clang

docs/ReleaseNotes.rst

Show First 20 LinesShow All 91 Lines▼ Show 20 Lines- New `misc-forward-declaration-namespace
Checks if an unused forward declaration is in a wrong namespace. Checks if an unused forward declaration is in a wrong namespace.
- New `misc-misplaced-widening-cast - New `misc-misplaced-widening-cast
<http://clang.llvm.org/extra/clang-tidy/checks/misc-misplaced-widening-cast.html>`_ check <http://clang.llvm.org/extra/clang-tidy/checks/misc-misplaced-widening-cast.html>`_ check
Warns when there is a explicit redundant cast of a calculation result to a Warns when there is a explicit redundant cast of a calculation result to a
bigger type. bigger type.
- New `misc-string-literal-with-embedded-nul
<http://clang.llvm.org/extra/clang-tidy/checks/misc-string-literal-with-embedded-nul.html>`_ check
Warns about suspicious NUL character in string literals which may lead to
truncation or invalid character escaping.
- New `misc-suspicious-missing-comma - New `misc-suspicious-missing-comma
<http://clang.llvm.org/extra/clang-tidy/checks/misc-suspicious-missing-comma.html>`_ check <http://clang.llvm.org/extra/clang-tidy/checks/misc-suspicious-missing-comma.html>`_ check
Warns about 'probably' missing comma in string literals initializer list. Warns about 'probably' missing comma in string literals initializer list.
- New `misc-suspicious-semicolon - New `misc-suspicious-semicolon
<http://clang.llvm.org/extra/clang-tidy/checks/misc-suspicious-semicolon.html>`_ check <http://clang.llvm.org/extra/clang-tidy/checks/misc-suspicious-semicolon.html>`_ check
▲ Show 20 LinesShow All 45 Lines▼ Show 20 Lines- New `readability-redundant-string-init
Finds unnecessary string initializations. Finds unnecessary string initializations.
Fixed bugs: Fixed bugs:
- Crash when running on compile database with relative source files paths. - Crash when running on compile database with relative source files paths.
- Crash when running with the `-fdelayed-template-parsing` flag. - Crash when running with the `-fdelayed-template-parsing` flag.
Eugene.ZelenkoUnsubmitted
Not Done
ReplyInline Actions

I think will be good idea to sort check alphabetically. At least I did so :-)

Eugene.Zelenko: I think will be good idea to sort check alphabetically. At least I did so :-)
- The ``modernize-use-override`` check: incorrect fix-its placement around - The ``modernize-use-override`` check: incorrect fix-its placement around
``__declspec`` and other attributes. ``__declspec`` and other attributes.
Clang-tidy changes from 3.7 to 3.8 Clang-tidy changes from 3.7 to 3.8
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The 3.8 release didn't include release notes for :program:`clang-tidy`. In the The 3.8 release didn't include release notes for :program:`clang-tidy`. In the
3.8 release many new checks have been added to :program:`clang-tidy`: 3.8 release many new checks have been added to :program:`clang-tidy`:
▲ Show 20 LinesShow All 91 LinesShow Last 20 Lines

docs/clang-tidy/checks/list.rst

Show First 20 LinesShow All 60 Lines▼ Show 20 Lines.. toctree::
misc-misplaced-widening-cast misc-misplaced-widening-cast
misc-move-constructor-init misc-move-constructor-init
misc-new-delete-overloads misc-new-delete-overloads
misc-noexcept-move-constructor misc-noexcept-move-constructor
misc-non-copyable-objects misc-non-copyable-objects
misc-sizeof-container misc-sizeof-container
misc-static-assert misc-static-assert
misc-string-integer-assignment misc-string-integer-assignment
misc-string-literal-with-embedded-nul
misc-suspicious-missing-comma misc-suspicious-missing-comma
misc-suspicious-semicolon misc-suspicious-semicolon
misc-swapped-arguments misc-swapped-arguments
misc-throw-by-value-catch-by-reference misc-throw-by-value-catch-by-reference
misc-undelegated-constructor misc-undelegated-constructor
misc-uniqueptr-reset-release misc-uniqueptr-reset-release
misc-unused-alias-decls misc-unused-alias-decls
misc-unused-parameters misc-unused-parameters
Show All 35 Lines

docs/clang-tidy/checks/misc-string-literal-with-embedded-nul.rst

  • This file was added.
.. title:: clang-tidy - misc-string-literal-with-embedded-nul
misc-string-literal-with-embedded-nul
=====================================
Finds occurences of string literal with embedded NUL character and validates
their usage.
alexfhUnsubmitted
Done
ReplyInline Actions

Please use third-person form (Finds, validates, etc.).

alexfh: Please use third-person form (Finds, validates, etc.).
Invalid escaping
^^^^^^^^^^^^^^^^
Special characters can be escaped within a string literal by using their
hexadecimal encoding like ``\x42``. A common mistake is to escape them
like this ``\0x42`` where the ``\0`` stands for the NUL character.
.. code:: c++
const char* Example[] = "Invalid character: \0x12 should be \x12";
const char* Bytes[] = "\x03\0x02\0x01\0x00\0xFF\0xFF\0xFF";
Truncated literal
^^^^^^^^^^^^^^^^^
String-like classes can manipulate strings with embedded NUL as they are
keeping track of the bytes and the length. This is not the case for a
``char*`` (NUL-terminated) string.
alexfhUnsubmitted
Done
ReplyInline Actions

s/an/a/

alexfh: s/an/a/
A common mistake is to pass a string-literal with embedded NUL to a string
constructor expecting a NUL-terminated string. The bytes after the first NUL
alexfhUnsubmitted
Done
ReplyInline Actions

There doesn't seem to be anything bad with NUL-terminated. Did you mean with embedded NUL character?

alexfh: There doesn't seem to be anything bad with `NUL-terminated`. Did you mean `with embedded NUL…
character are truncated.
.. code:: c++
std::string str("abc\0def"); // "def" is truncated
str += "\0"; // This statement is doing nothing
if (str == "\0abc") return; // This expression is always true

test/clang-tidy/misc-string-literal-with-embedded-nul.cpp

  • This file was added.
// RUN: %check_clang_tidy %s misc-string-literal-with-embedded-nul %t
namespace std {
template <typename T>
class allocator {};
template <typename T>
class char_traits {};
template <typename C, typename T, typename A>
struct basic_string {
typedef basic_string<C, T, A> _Type;
basic_string();
basic_string(const C *p, const A &a = A());
_Type& operator+=(const C* s);
_Type& operator=(const C* s);
};
typedef basic_string<char, std::char_traits<char>, std::allocator<char>> string;
typedef basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t>> wstring;
}
bool operator==(const std::string&, const char*);
bool operator==(const char*, const std::string&);
const char Valid[] = "This is valid \x12.";
const char Strange[] = "This is strange \0x12 and must be fixed";
// CHECK-MESSAGES: :[[@LINE-1]]:24: warning: suspicious embedded NUL character [misc-string-literal-with-embedded-nul]
const char textA[] = "\0x01\0x02\0x03\0x04";
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: suspicious embedded NUL character
const wchar_t textW[] = L"\0x01\0x02\0x03\0x04";
// CHECK-MESSAGES: :[[@LINE-1]]:25: warning: suspicious embedded NUL character
const char A[] = "\0";
const char B[] = "\0x";
const char C[] = "\0x1";
const char D[] = "\0x11";
// CHECK-MESSAGES: :[[@LINE-1]]:18: warning: suspicious embedded NUL character
const wchar_t E[] = L"\0";
const wchar_t F[] = L"\0x";
const wchar_t G[] = L"\0x1";
const wchar_t H[] = L"\0x11";
// CHECK-MESSAGES: :[[@LINE-1]]:21: warning: suspicious embedded NUL character
const char I[] = "\000\000\000\000";
const char J[] = "\0\0\0\0\0\0";
const char K[] = "";
const char L[] = "\0x12" "\0x12" "\0x12" "\0x12";
// CHECK-MESSAGES: :[[@LINE-1]]:18: warning: suspicious embedded NUL character
void TestA() {
std::string str1 = "abc\0def";
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: truncated string literal
std::string str2 = "\0";
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: truncated string literal
std::string str3("\0");
// CHECK-MESSAGES: :[[@LINE-1]]:20: warning: truncated string literal
std::string str4{"\x00\x01\x02\x03"};
// CHECK-MESSAGES: :[[@LINE-1]]:20: warning: truncated string literal
std::string str;
str += "abc\0def";
// CHECK-MESSAGES: :[[@LINE-1]]:10: warning: truncated string literal
str = "abc\0def";
// CHECK-MESSAGES: :[[@LINE-1]]:9: warning: truncated string literal
if (str == "abc\0def") return;
// CHECK-MESSAGES: :[[@LINE-1]]:14: warning: truncated string literal
if ("abc\0def" == str) return;
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: truncated string literal
}
void TestW() {
std::wstring str1 = L"abc\0def";
// CHECK-MESSAGES: :[[@LINE-1]]:23: warning: truncated string literal
std::wstring str2 = L"\0";
// CHECK-MESSAGES: :[[@LINE-1]]:23: warning: truncated string literal
std::wstring str3(L"\0");
// CHECK-MESSAGES: :[[@LINE-1]]:21: warning: truncated string literal
std::wstring str4{L"\x00\x01\x02\x03"};
// CHECK-MESSAGES: :[[@LINE-1]]:21: warning: truncated string literal
}