This is an archive of the discontinued LLVM Phabricator instance.

[PATCH] Add checker discouraging use of setjmp/longjmp in C++
ClosedPublic

Authored by aaron.ballman on Oct 8 2015, 11:13 AM.

Download Raw Diff

Details

Reviewers

alexfh
sbenza

Summary

setjmp and longjmp facilities in C++ are unsafe due to the likelihood of triggering undefined behavior with nontrivial type destruction, etc. Instead, exception handling facilities are a better choice. This patch adds a checker that discourages the use of setjmp and longjmp in C++.

This patch corresponds to CERT C++ Coding Standard rule: https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=1834

Diff Detail

Event Timeline

aaron.ballman updated this revision to Diff 36879.Oct 8 2015, 11:13 AM

aaron.ballman retitled this revision from to [PATCH] Add checker discouraging use of setjmp/longjmp in C++.

aaron.ballman updated this object.

aaron.ballman added reviewers: alexfh, sbenza.

aaron.ballman added a subscriber: cfe-commits.

sbenza added inline comments.Oct 8 2015, 12:47 PM

clang-tidy/cert/SetLongJmpCheck.cpp
31	Why do you pass one as a pointer and one as a reference?

Corrected a simple copy-paste error.

sbenza accepted this revision.Oct 8 2015, 12:54 PM

sbenza edited edge metadata.

This revision is now accepted and ready to land.Oct 8 2015, 12:54 PM

Thank you for the fast turn-around! I've commit in r249727.

~Aaron

Revision Contents

Path

Size

clang-tidy/

cert/

	CERTTidyModule.cpp
	CERTTidyModule.cpp (revision 249689)

4 lines

	CMakeLists.txt
	CMakeLists.txt (revision 249689)

1 line

	SetLongJmpCheck.h
	SetLongJmpCheck.h (revision 0)

37 lines

	SetLongJmpCheck.cpp
	SetLongJmpCheck.cpp (revision 0)

80 lines

docs/

clang-tidy/

checks/

	cert-setlongjmp.rst
	cert-setlongjmp.rst (revision 0)

11 lines

	list.rst
	list.rst (revision 249689)

1 line

test/

clang-tidy/

	cert-setlongjmp.cpp
	cert-setlongjmp.cpp (revision 0)

26 lines

Diff 36879

clang-tidy/cert/CERTTidyModule.cpp

Context not available.
	#include "../misc/NewDeleteOverloadsCheck.h"	#include "../misc/NewDeleteOverloadsCheck.h"
	#include "../misc/NonCopyableObjects.h"	#include "../misc/NonCopyableObjects.h"
	#include "../misc/StaticAssertCheck.h"	#include "../misc/StaticAssertCheck.h"
		#include "SetLongJmpCheck.h"
	#include "VariadicFunctionDefCheck.h"	#include "VariadicFunctionDefCheck.h"

	namespace clang {	namespace clang {
Context not available.
	// OOP	// OOP
	CheckFactories.registerCheck<MoveConstructorInitCheck>(	CheckFactories.registerCheck<MoveConstructorInitCheck>(
	"cert-oop11-cpp");	"cert-oop11-cpp");
		// ERR
		CheckFactories.registerCheck<SetLongJmpCheck>(
		"cert-err52-cpp");

	// C checkers	// C checkers
	// DCL	// DCL
Context not available.

clang-tidy/cert/CMakeLists.txt

Context not available.

	add_clang_library(clangTidyCERTModule	add_clang_library(clangTidyCERTModule
	CERTTidyModule.cpp	CERTTidyModule.cpp
		SetLongJmpCheck.cpp
	VariadicFunctionDefCheck.cpp	VariadicFunctionDefCheck.cpp

	LINK_LIBS	LINK_LIBS
Context not available.

clang-tidy/cert/SetLongJmpCheck.h

				//===--- SetLongJmpCheck.h - clang-tidy--------------------------- C++ --===//
				//
				// The LLVM Compiler Infrastructure
				//
				// This file is distributed under the University of Illinois Open Source
				// License. See LICENSE.TXT for details.
				//
				//===----------------------------------------------------------------------===//

				#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_SETLONGJMPCHECK_H
				#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_SETLONGJMPCHECK_H

				#include "../ClangTidy.h"

				namespace clang {
				namespace tidy {

				/// Guards against use of setjmp/longjmp in C++ code
				///
				/// For the user-facing documentation see:
				/// http://clang.llvm.org/extra/clang-tidy/checks/cert-setlongjmp.html
				class SetLongJmpCheck : public ClangTidyCheck {
				public:
				SetLongJmpCheck(StringRef Name, ClangTidyContext *Context)
				: ClangTidyCheck(Name, Context) {}
				void registerMatchers(ast_matchers::MatchFinder *Finder) override;
				void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
				void registerPPCallbacks(CompilerInstance &Compiler) override;

				static const char DiagWording[];
				};

				} // namespace tidy
				} // namespace clang

				#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_SETLONGJMPCHECK_H

clang-tidy/cert/SetLongJmpCheck.cpp

				//===--- SetLongJmpCheck.cpp - clang-tidy----------------------------------===//
				//
				// The LLVM Compiler Infrastructure
				//
				// This file is distributed under the University of Illinois Open Source
				// License. See LICENSE.TXT for details.
				//
				//===----------------------------------------------------------------------===//

				#include "SetLongJmpCheck.h"
				#include "clang/AST/ASTContext.h"
				#include "clang/ASTMatchers/ASTMatchFinder.h"
				#include "clang/Frontend/CompilerInstance.h"
				#include "clang/Lex/PPCallbacks.h"
				#include "clang/Lex/Preprocessor.h"

				using namespace clang::ast_matchers;

				namespace clang {
				namespace tidy {

				const char SetLongJmpCheck::DiagWording[] =
				"do not call %0; consider using exception handling instead";

				namespace {
				class SetJmpMacroCallbacks : public PPCallbacks {
				Preprocessor *PP;
				SetLongJmpCheck &Check;

				public:
				explicit SetJmpMacroCallbacks(Preprocessor *PP, SetLongJmpCheck &Check)
				sbenzaUnsubmitted Done Reply Inline Actions Why do you pass one as a pointer and one as a reference? sbenza: Why do you pass one as a pointer and one as a reference?
				: PP(PP), Check(Check) {}

				void MacroExpands(const Token &MacroNameTok, const MacroDefinition &MD,
				SourceRange Range, const MacroArgs *Args) override {
				const auto *II = MacroNameTok.getIdentifierInfo();
				if (!II)
				return;

				if (II->getName() == "setjmp")
				Check.diag(Range.getBegin(), Check.DiagWording) << II;
				}
				};
				} // namespace

				void SetLongJmpCheck::registerPPCallbacks(CompilerInstance &Compiler) {
				// This checker only applies to C++, where exception handling is a superior
				// solution to setjmp/longjmp calls.
				if (!getLangOpts().CPlusPlus)
				return;

				// Per [headers]p5, setjmp must be exposed as a macro instead of a function,
				// despite the allowance in C for setjmp to also be an extern function.
				Compiler.getPreprocessor().addPPCallbacks(
				llvm::make_unique<SetJmpMacroCallbacks>(&Compiler.getPreprocessor(),
				*this));
				}

				void SetLongJmpCheck::registerMatchers(MatchFinder *Finder) {
				// This checker only applies to C++, where exception handling is a superior
				// solution to setjmp/longjmp calls.
				if (!getLangOpts().CPlusPlus)
				return;

				// In case there is an implementation that happens to define setjmp as a
				// function instead of a macro, this will also catch use of it. However, we
				// are primarily searching for uses of longjmp.
				Finder->addMatcher(callExpr(callee(functionDecl(anyOf(hasName("setjmp"),
				hasName("longjmp")))))
				.bind("expr"),
				this);
				}

				void SetLongJmpCheck::check(const MatchFinder::MatchResult &Result) {
				const auto *E = Result.Nodes.getNodeAs<CallExpr>("expr");
				diag(E->getExprLoc(), DiagWording) << cast<NamedDecl>(E->getCalleeDecl());
				}

				} // namespace tidy
				} // namespace clang

docs/clang-tidy/checks/cert-setlongjmp.rst

				cert-err52-cpp
				==============

				The C standard library facilities setjmp() and longjmp() can be used to
				simulate throwing and catching exceptions. However, these facilities bypass
				automatic resource management and can result in undefined behavior, commonly
				including resource leaks, and denial-of-service attacks.

				This check corresponds to the CERT C++ Coding Standard rule
				`ERR52-CPP. Do not use setjmp() or longjmp()
				<https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=1834>`_.

docs/clang-tidy/checks/list.rst

Context not available.
	=========================	=========================

	.. toctree::	.. toctree::
		cert-setlongjmp
	cert-variadic-function-def	cert-variadic-function-def
	cppcoreguidelines-pro-type-const-cast	cppcoreguidelines-pro-type-const-cast
	cppcoreguidelines-pro-type-reinterpret-cast	cppcoreguidelines-pro-type-reinterpret-cast
Context not available.

test/clang-tidy/cert-setlongjmp.cpp

				// RUN: %python %S/check_clang_tidy.py %s cert-err52-cpp %t -- -std=c++11

				typedef void *jmp_buf;
				extern int __setjmpimpl(jmp_buf);
				#define setjmp(x) __setjmpimpl(x)
				[[noreturn]] extern void longjmp(jmp_buf, int);

				namespace std {
				using ::jmp_buf;
				using ::longjmp;
				}

				static jmp_buf env;
				void g() {
				std::longjmp(env, 1);
				// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: do not call 'longjmp'; consider using exception handling instead [cert-err52-cpp]
				::longjmp(env, 1);
				// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: do not call 'longjmp'; consider using exception handling instead
				longjmp(env, 1);
				// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: do not call 'longjmp'; consider using exception handling instead
				}

				void f() {
				(void)setjmp(env);
				// CHECK-MESSAGES: :[[@LINE-1]]:9: warning: do not call 'setjmp'; consider using exception handling instead
				}

This is an archive of the discontinued LLVM Phabricator instance.

[PATCH] Add checker discouraging use of setjmp/longjmp in C++ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 36879

clang-tidy/cert/CERTTidyModule.cpp

clang-tidy/cert/CMakeLists.txt

clang-tidy/cert/SetLongJmpCheck.h

clang-tidy/cert/SetLongJmpCheck.cpp

docs/clang-tidy/checks/cert-setlongjmp.rst

docs/clang-tidy/checks/list.rst

test/clang-tidy/cert-setlongjmp.cpp

[PATCH] Add checker discouraging use of setjmp/longjmp in C++
ClosedPublic