This is an archive of the discontinued LLVM Phabricator instance.

Differential D45050

[clang-tidy] New checker for not null-terminated result caused by strlen(), size() or equal length
ClosedPublic

Authored by Charusso on Mar 29 2018, 8:46 AM.

Details

Reviewers
alexfh
aaron.ballman
whisperity
JonasToth
Commits
rCTE374707: [clang-tidy] New checker for not null-terminated result caused by strlen()…
rG82f8f8b44cd0: [clang-tidy] New checker for not null-terminated result caused by strlen()…
rL374707: [clang-tidy] New checker for not null-terminated result caused by strlen()…
Summary

New checker called bugprone-not-null-terminated-result. This checker finds
function calls where it is possible to cause a not null-terminated result.
Usually the proper length of a string is strlen(src) + 1 or equal length
of this expression, because the null terminator needs an extra space.
Without the null terminator it can result in undefined behaviour when the
string is read.

The following and their respective wchar_t based functions are checked:

memcpy, memcpy_s, memchr, memmove, memmove_s, strerror_s,
strncmp, strxfrm

The following is a real-world example where the programmer forgot to
increase the passed third argument, which is size_t length.
That is why the length of the allocated memory is not enough to hold the
null terminator.

static char *stringCpy(const std::string &str) {
  char *result = reinterpret_cast<char *>(malloc(str.size()));
  memcpy(result, str.data(), str.size());
  return result;
}

In addition to issuing warnings, fix-it rewrites all the necessary code.
It also tries to adjust the capacity of the destination array:

static char *stringCpy(const std::string &str) {
  char *result = reinterpret_cast<char *>(malloc(str.size() + 1));
  strcpy(result, str.data());
  return result;
}

Note: It cannot guarantee to rewrite every of the path-sensitive memory
allocations.

Diff Detail

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Charusso updated this revision to Diff 143698.Apr 24 2018, 2:52 AM
Charusso marked an inline comment as done.

Changed CXX11 to C11 and made a little refactor.

Charusso marked an inline comment as done.Apr 24 2018, 2:52 AM
Charusso edited the summary of this revision. (Show Details)Apr 24 2018, 2:55 AM
aaron.ballman added inline comments.Apr 24 2018, 4:20 AM
clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
226 ↗(On Diff #140337)

I don't think you should assume the _s versions are available in C++, because they're not available everywhere. In fact, they're not available everywhere in C either (for instance, there is no Annex K implementation in glibc).

My recommendation would be to either gate this on the presence of a definition of the __STDC_LIB_EXT1__ macro and that the __STDC_WANT_LIB_EXT1__ macro is defined but not defined to 0, or to make it a configurable option. I have a slight preference for the config option because not all implementations implement all of Annex K but still have a reasonable _s implementation of the Annex K APIs (like Microsoft's implementation) so I can picture users wanting a way to opt-in even without the macros.

Charusso updated this revision to Diff 143825.EditedApr 24 2018, 3:50 PM
Charusso marked an inline comment as done.

Defined an option to switch off the _s suffixed functions usage.

Charusso edited the summary of this revision. (Show Details)Apr 24 2018, 3:57 PM
Charusso added a comment.Apr 24 2018, 4:28 PM
In D45050#1071897, @xbolva00 wrote:

Shouldn't it catch in curl also this code?

urllen = strlen(url_clone);
....
memcpy(newest, url_clone, urllen);

Edit: if possible, report these bugs to project developers :)

Thanks for your idea @xbolva00, I will implement this feature, but currently I have problems with parens which cause ugly fix-its. After the review I will share the results with the devs.

In D45050#1071926, @xbolva00 wrote:

Another idea if you want to implement it - check fopen.

FILE *f = fopen("file", "r"); read only
fputs("str", f); we are writing -> boom, sigsegv or something like that.

Thanks for your sharing but I think I will move forward to Static Analyzer with my own projects.

xbolva00 resigned from this revision.May 16 2018, 5:56 AM
Charusso updated this revision to Diff 149116.May 30 2018, 8:19 AM

@xbolva00 idea implemented, doubled the checker's power. Now if the given argument is a DeclRefExpr this should handle it as it would be inlined as a simple CallExpr.

Results:
I have found 37 memcpy() and 2 memchr() errors in: curl, FFmpeg, git, memcached, OpenSSL, PostGreSQL, Redis, twin.

Example of this new DRE case:

postgresql-src-common-md5-c.html206 KBDownload

Found memchr() errors:

git-vcs-svn-fast_export-c.html205 KBDownload

twin-clients-dialog-c.html204 KBDownload

All findings:

memcpy_and_memchr_errors.rar2 MBDownload

xbolva00 added a comment.May 30 2018, 8:28 AM

Thanks! Happy to see it is more powerful now :)

xbolva00 added a comment.May 30 2018, 8:40 AM

memcpy(crypt_buf, passwd, passwd_len); <--- warning
memcpy(crypt_buf + passwd_len, salt, salt_len);

This is a false warning since it appends strings using memcpy. But no idea what to do and if it is possible to avoid these false warnings.

Charusso updated this revision to Diff 149129.May 30 2018, 8:41 AM

Clang format.

Charusso added a comment.May 30 2018, 9:08 AM
In D45050#1116361, @xbolva00 wrote:

memcpy(crypt_buf, passwd, passwd_len); <--- warning
memcpy(crypt_buf + passwd_len, salt, salt_len);

This is a false warning since it appends strings using memcpy. But no idea what to do and if it is possible to avoid these false warnings.

I have just tested it because of the malloc() function. I'm using CodeChecker and leaved the default settings, so IsSafeFunctionsAreAvailable = 1. Because of the malloc strncpy_s() cannot handle this case, but if the check would ran with IsSafeFunctionsAreAvailable = 0, it rewrites it to strncpy(crypt_buf, passwd, passwd_len + 1) which is a good transformation, as the official memcpy()'s result not null-terminated.

xbolva00 added a comment.May 30 2018, 9:14 AM
In D45050#1116396, @Charusso wrote:
In D45050#1116361, @xbolva00 wrote:

memcpy(crypt_buf, passwd, passwd_len); <--- warning
memcpy(crypt_buf + passwd_len, salt, salt_len);

This is a false warning since it appends strings using memcpy. But no idea what to do and if it is possible to avoid these false warnings.

I have just tested it because of the malloc() function. I'm using CodeChecker and leaved the default settings, so IsSafeFunctionsAreAvailable = 1. Because of the malloc strncpy_s() cannot handle this case, but if the check would ran with IsSafeFunctionsAreAvailable = 0, it rewrites it to strncpy(crypt_buf, passwd, passwd_len + 1) which is a good transformation, as the official memcpy()'s result not null-terminated.

Yeah, it is a valid recommendation.

lebedev.ri added a comment.May 30 2018, 9:35 AM

I would like to see more negative tests.
What does it do if the len/size is a constant?
Variable that wasn't just assigned with strlen() return?

Charusso added a comment.Jun 2 2018, 9:12 AM
In D45050#1116446, @lebedev.ri wrote:

I would like to see more negative tests.
What does it do if the len/size is a constant?
Variable that wasn't just assigned with strlen() return?

Thanks for the comment! What do you mean by negative test?

lebedev.ri added a comment.Jun 2 2018, 9:15 AM
In D45050#1119973, @Charusso wrote:
In D45050#1116446, @lebedev.ri wrote:

I would like to see more negative tests.
What does it do if the len/size is a constant?
Variable that wasn't just assigned with strlen() return?

Thanks for the comment! What do you mean by negative test?

The tests where the check matches and issues a warning is a positive test.
The tests where the check does not match and/or does not issue a warning is a negative test.

xbolva00 added a comment.Jun 2 2018, 9:15 AM
In D45050#1119973, @Charusso wrote:
In D45050#1116446, @lebedev.ri wrote:

I would like to see more negative tests.
What does it do if the len/size is a constant?
Variable that wasn't just assigned with strlen() return?

Thanks for the comment! What do you mean by negative test?

To prove we have no false warnings.

whisperity requested changes to this revision.Jun 3 2018, 7:43 AM

In general, make sure the documentation page renders well in a browser.

Mostly style and phrasing stuff inline:

clang-tidy/bugprone/NotNullTerminatedResultCheck.h
34–36 ↗(On Diff #149129)

More of a language or phrasing thing, but the singular/plural wording is anything but matched in this case: handler functions which are safer. What is a "target version" in this case? Shouldn't it be something like "target environment" or "target standard" or just simply "target"?

The variable name is also problematic. AreSafeFunctionsAvailable would be better.

docs/clang-tidy/checks/bugprone-not-null-terminated-result.rst
20–21 ↗(On Diff #149129)

badly? Also, perhaps a half sentence of explanation would be nice here:

need an extra space, thus the result is not null-terminated, which can result in undefined behaviour when the string is read.

39 ↗(On Diff #149129)

That existed.

105 ↗(On Diff #149129)

Why is this an integer, rather than a bool?

This revision now requires changes to proceed.Jun 3 2018, 7:43 AM
Charusso updated this revision to Diff 150643.Jun 9 2018, 4:36 PM
Charusso marked 4 inline comments as done.

memchr() revision: it is problematic if the second argument is '\0', there is no other case. Added a new type of matcher, to match function calls. More static functions and test cases and huge refactor.

Charusso added a comment.EditedJun 9 2018, 4:46 PM

@lebedev.ri there is all the false positive results from the last publicated result-dump:

  1. curl-lib-curl_path-c.html201 KBDownload
  2. second result:
    ffmpeg-libavformat-sdp.c.html226 KBDownload
  3. all result:
    openssl-apps-ca-c.html278 KBDownload
  4. postgresql-src-interfaces-ecpg-preproc-pgc-c.html381 KBDownload
  5. redis-src-redis-benchmark-c.html225 KBDownload
  6. may false positive:
    ffmpeg-libavformat-rdt-c.html213 KBDownload

(Note: the two memchr() result were false positive in that post and there is no new result with the new matcher.)

Does the new test cases cover your advice?

docs/clang-tidy/checks/bugprone-not-null-terminated-result.rst
105 ↗(On Diff #149129)

This is how the other Tidy checkers are use their options, I do not know either.

Charusso marked an inline comment as done.Jun 9 2018, 4:46 PM
Charusso updated this revision to Diff 150644.Jun 9 2018, 4:49 PM

Clang format.

Charusso updated this revision to Diff 150645.Jun 9 2018, 5:10 PM

Fix some comment.

lebedev.ri added a comment.Jun 9 2018, 11:28 PM
In D45050#1127449, @Charusso wrote:
In D45050#1119974, @lebedev.ri wrote:
In D45050#1119973, @Charusso wrote:
In D45050#1116446, @lebedev.ri wrote:

I would like to see more negative tests.
What does it do if the len/size is a constant?
Variable that wasn't just assigned with strlen() return?

Thanks for the comment! What do you mean by negative test?

The tests where the check matches and issues a warning is a positive test.
The tests where the check does not match and/or does not issue a warning is a negative test.

@lebedev.ri there is all the false positive results from the last publicated result-dump:

  1. curl-lib-curl_path-c.html201 KBDownload
  2. second result:
    ffmpeg-libavformat-sdp.c.html226 KBDownload
  3. all result:
    openssl-apps-ca-c.html278 KBDownload
  4. postgresql-src-interfaces-ecpg-preproc-pgc-c.html381 KBDownload
  5. redis-src-redis-benchmark-c.html225 KBDownload
  6. may false positive:
    ffmpeg-libavformat-rdt-c.html213 KBDownload

(Note: the two memchr() result were false positive in that post and there is no new result with the new matcher.)

Does the new test cases cover your advice?

Not exactly.
I want to see tests.
I.e. they should be in test/clang-tidy/bugprone-not-null-terminated-result-*.
E.g. i did not find the following tests:

void test1(char* dst, char* src) {
  strcpy(dst, src, 10);
}
void test2(char* dst, char* src, int len) {
  strcpy(dst, src, len);
}
void test3(char* dst, char* src) {
  memcpy(dst, src, 10);
}
void test4(char* dst, char* src, int len) {
  memcpy(dst, src, len);
}
...
clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
377–381 ↗(On Diff #150645)

The fixits are incorrect.
Increment by int(1) can result in overflow, which is then extended to size_t
It should be + 1UL.
https://godbolt.org/g/4nQiek

test/clang-tidy/bugprone-not-null-terminated-result-in-initialization.c
158–180 ↗(On Diff #150645)

??
These look like false-negatives.
How do you make an assumption about dest buffer from src string length?

Charusso updated this revision to Diff 157916.Jul 29 2018, 11:29 PM

Excuse me for the huge patch, but what I can done wrongly, I did, so I have made tons of revision.

I would like to show the current direction of the checker. Currently it has too much overlapping function, so please don't go too deep into the core.

Major fixes in every function:

  • Equal length of strlen(src) is now handled.
  • It can read out the length of the destination buffer.
  • If the length increases in the passed argument, it also increases the destination buffer (if overflow is looks like to possible).

Major fixes in memcpy() and memmove():

  • It can decide which function is the best in performance and safety. (The last implementation was rely on C++11 version, which was a huge mistake.)
  • Handles cases where the destination is unsigned char or signed char, which cannot be passed to any string handler function. (It haven't checked the type so that made wrong fix-its.)

Minor fixes:

  • Removed all memory allocation matchers in general, but the current functions behave the same to increase the buffer length.
  • Now the test files' RUN command working well. (CheckOptions was wrong.)

Problematic:

  1. It allows all custom memory allocation function. Sometimes the read buffer size is not the size parameter.
  2. May it is not a good idea to heuristically read and increase buffer lengths.
  3. If the new function transformed from memcpy() to strncpy(), the checker adds the null terminator expression in the next line, like dest[length] = '\0', which is looks like a quite big injection.
Charusso marked 2 inline comments as done.Jul 29 2018, 11:37 PM
Charusso added inline comments.
clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
377–381 ↗(On Diff #150645)

Could you show me a true example where it causes a problem? I think it is too rare to rewrite all code as you mentioned.

test/clang-tidy/bugprone-not-null-terminated-result-in-initialization.c
158–180 ↗(On Diff #150645)

My idea here is you do not want to set your null terminator to anything else, because then the result is not null-terminated.

Szelethus added a subscriber: Szelethus.Jul 29 2018, 11:38 PM
MTC added a subscriber: MTC.Jul 30 2018, 1:09 AM
whisperity added a subscriber: gsd.Jul 31 2018, 9:22 AM
Charusso updated this revision to Diff 162942.EditedAug 28 2018, 1:49 PM
Charusso marked an inline comment as done.
Charusso retitled this revision from [clang-tidy] New checker for not null-terminated result caused by strlen or wcslen to [clang-tidy] New checker for not null-terminated result caused by strlen(), size() or equal length.
Charusso edited the summary of this revision. (Show Details)
  • The checker by default search for __STDC_WANT_LIB_EXT1__ macro to determine if _s suffixed functions are available. This behaviour could be overridden by specifying AreSafeFunctionsAvailable, which is became a string (it was an integer, but it can be used in the same way).
  • If the destination array length is based on a custom malloc() the current approach only want to rewrite it if it is 100% sure the chosen argument is specifying the length.
  • If the checker works with size() function now it is only match for std::string (e.g. it matched to StringRefs).
  • Now it handles macro defined lengths properly.
  • Added an option to inject UL suffix.
Charusso marked 2 inline comments as done.Aug 28 2018, 1:50 PM
whisperity added a comment.Sep 4 2018, 3:37 AM

Whew, this is a big one. Generally looks good, although I would separate implementation detail functions a bit better, with perhaps more comments to move them apart a bit, it is really harsh to scroll through.

Could you please re-run the findings on the projects? There has been a lot of improvements to the checker.
I think we should review it as it is now, and do further enhancements later on, in subsequent patches, where the enhancement implementations themselves are revealed better in the diff.

whisperity added a comment.Sep 4 2018, 4:40 AM

Generally grammar / phrasing things that have caught my eye.

The rest of the code looks okay, bar my previous comment about better commenting / separating chunks of helper functions.

clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
74 ↗(On Diff #162942)

getLocEnd will be removed, see D50353

294 ↗(On Diff #162942)

getLocEnd and getLocStart used here too.

docs/clang-tidy/checks/bugprone-not-null-terminated-result.rst
42 ↗(On Diff #162942)

with -> of

46 ↗(On Diff #162942)

functions

47 ↗(On Diff #162942)

are, versions

(Perhaps as this is user-facing code a half sentence about what safe version means could also be put here.)

47 ↗(On Diff #162942)

Analogly -> Respectively, / In a similar fashion,

48 ↗(On Diff #162942)

``-related
handled

52 ↗(On Diff #162942)

What is "just char"? Is unsigned char or signed char not "just char"?

52–53 ↗(On Diff #162942)

"that means it cannot be any string handler function" This sentence doesn't make any sense.

54 ↗(On Diff #162942)

Will be, or can be? Simply allocating more memory won't magically make a null terminator happen, I think. (Although I can be wrong.)

59 ↗(On Diff #162942)

The destination by itself can't overflow as it is a properly allocated memory.

Perhaps you meant "If copy to the destination array cannot overflow"?

59 ↗(On Diff #162942)

... then the simple cpy()-like functions should be used as they are more efficient.

(is should be the)

62 ↗(On Diff #162942)

Same, mention that the copy/move/write overflows, not the array itself.

Also, I'd phrase it as such: and the option AreSafeFunctionsAvailable is 1.

63–64 ↗(On Diff #162942)

read?

could be the safe version, cpy_s().

66–67 ↗(On Diff #162942)

If the new function could be the safe version and C++ files are analysed, the length of the destination array can be omitted.

(the target environment is not C++, but Linux / Apple / PowerPC, etc.)

69 ↗(On Diff #162942)

Start this line with "Rewrite based on" too so the rhythm of the paragraphs are kept.

71 ↗(On Diff #162942)

What is an "equals length"?
Perhaps strlen(source) or source.length()?

72–73 ↗(On Diff #162942)

Same comment about the "is should be".

"because it is" can be rephrased as "as it is", and also mention why the safe version shouldn't be used.

95 ↗(On Diff #162942)

What is this third argument?

100–101 ↗(On Diff #162942)

Too many indirections here. Instead of specifying the position of the argument, name them: "length of the source string", etc.

103 ↗(On Diff #162942)

The third argument (whatever it actually is as opposed to a positional indirection) is incremented accordingly.

105 ↗(On Diff #162942)

same about "incremented" instead of "getting a +1 operation" (that sounds like a surgery).

Also, the function name's codeblock is not terminated, see the syntax highlight.

125 ↗(On Diff #162942)

A string which is can be used as an integer.

Okay, let's just bask in the fact that we are C++ people and not mention subtle type conversions from the user into the parser here...

125–132 ↗(On Diff #162942)

Generally if you can (RST syntax allows) please reformat this block to include individual cases bulleted.

126–127 ↗(On Diff #162942)

or not set empty string (default value), the checker relies on the __STDC_WANT_LIB_EXT1__ macro being defined.

128–130 ↗(On Diff #162942)

value

the target environment is considered to implements

"Character handler" -- did you mean "string transformation" or "string handling"?

131–132 ↗(On Diff #162942)

No, n, or 0 (zero), the ...

134 ↗(On Diff #162942)

If this is a user-facing thing, I would like to find a better name for this. Why and when are unsigned long increments needed?

whisperity requested changes to this revision.Sep 4 2018, 5:05 AM
This revision now requires changes to proceed.Sep 4 2018, 5:05 AM
whisperity added a comment.Sep 7 2018, 2:53 AM

D50353 has landed, so after a rebase this patch will not compile.

Szelethus mentioned this in D51680: [analyzer][UninitializedObjectChecker] New flag to ignore records based on it's fields.Sep 14 2018, 3:07 AM
Charusso updated this revision to Diff 166802.EditedSep 24 2018, 9:08 PM
Charusso marked 28 inline comments as done.
  • Removed InjectUL option so the checker handles the special case if the capacity of a buffer is int.Max()
Charusso added a comment.Sep 24 2018, 9:16 PM

The results are accessible trough the index.html in each folder:

results.rar3 MBDownload

@aaron.ballman a friendly reminder.

whisperity added a comment.Sep 25 2018, 8:35 AM

I have checked the results, thank you for uploading them, they look solid to me, although I'm not exactly a developer for these projects, without full understanding of what and where allocates and true path-sensitive analysis and memory modelling, they look good. (E.g. one thing this check misses I think is when the allocator returns an explicitly zero-filled memory, because that way the write without the good size is still NUL-terminated... but this requires modelling we might just not be capable of, especially not in Clang-Tidy.)

With a bit of focused glancing, the check's code is also understandable, thanks. :)

aaron.ballman added inline comments.Sep 25 2018, 1:31 PM
clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
37 ↗(On Diff #166802)

Please drop the LHK_ prefix -- the enum class name is sufficient as a prefix.

44 ↗(On Diff #166802)

This seems like it should be a parameter threaded through the function calls from check() rather than a static data member.

55 ↗(On Diff #166802)

These functions don't really add much benefit given that they're one-liners where the implementation is shorter than the declaration.

75 ↗(On Diff #166802)

Length is could -> Length could

93 ↗(On Diff #166802)

it denoted as unknown -> it is denoted as unknown.

(Be sure to add the full stop at the end of the sentence.)

101 ↗(On Diff #166802)

prevents to increase -> prevents increasing

106 ↗(On Diff #166802)

Missing the full stop at the end of the sentence.

110 ↗(On Diff #166802)

that is not -> that it is not

Missing the full stop at the end of the sentence.

111 ↗(On Diff #166802)

isNoWrongLength should probably be named isNotWrongLength() or perhaps reverse the logic to isCorrectLength().

118 ↗(On Diff #166802)

EQ -> Equal, but perhaps "lenEquaSrcLen()" is more succinct?

131 ↗(On Diff #166802)

Reorder the words and add a full stop: Increase or decrease an integral expression by one.

137 ↗(On Diff #166802)

Similar: Increase or decrease the passed integral argument by one.

143 ↗(On Diff #166802)

Missing full stop.

196 ↗(On Diff #166802)

You can call IgnoreParenImpCasts() instead.

201 ↗(On Diff #166802)

You can remove the local const qualifications here (we don't typically use that for local unless the qualified type is a pointer or a reference).

Same elsewhere in the patch.

268 ↗(On Diff #166802)

case -> cases

331 ↗(On Diff #166802)

case -> cases

383 ↗(On Diff #166802)

You can use 0U here instead of an explicit cast.

387 ↗(On Diff #166802)

case -> cases

459–460 ↗(On Diff #166802)

This is insufficient. Just because the user *wants* the safe functions doesn't mean they're actually available. You also need to check that __STDC_LIB_EXT1__ is defined, as that tells you the implementation has Annex K functionality. If that's defined and the user also defines __STDC_WANT_LIB_EXT1__ before including C standard library headers, then they can access them.

I am betting our include fixer doesn't properly handle ensuring the correct macros are defined before including the headers, but I think that's acceptable for now.

514 ↗(On Diff #166802)

it is cannot -> it cannot

Also, add a full stop at the end of the sentence.

569–571 ↗(On Diff #166802)

This code is duplicated from above -- it'd be nice to refactor it into one place, perhaps.

595–596 ↗(On Diff #166802)

I think it's just as understandable, but more simple, to say "the length is too short to include the null terminator".

700 ↗(On Diff #166802)

Is there a way we can do this without storing duplicate information? This is already tracked by the Preprocessor instance, I believe, so if we had a way to query that rather than store our own list, that would be better.

715 ↗(On Diff #166802)

const auto *

733 ↗(On Diff #166802)

const auto *

843 ↗(On Diff #166802)

Missing full stop.

871–872 ↗(On Diff #166802)

Do not use auto when the type is not spelled out in the initialization.

879–883 ↗(On Diff #166802)

These should not be declared as auto -- can skip the assignment operator. Same suggestion applies elsewhere.

962 ↗(On Diff #166802)

Do not use auto here either.

983–984 ↗(On Diff #166802)

Don't use auto (elsewhere as well).

1038 ↗(On Diff #166802)

This should be done using a Twine.

clang-tidy/bugprone/NotNullTerminatedResultCheck.h
42–45 ↗(On Diff #166802)

These comments are out of date -- you don't need "Yes", just Y or y (e.g.) as the first character. So "Yolo" will also work. :-P

docs/clang-tidy/checks/bugprone-not-null-terminated-result.rst
9 ↗(On Diff #166802)

Drop "an".

whisperity added a subscriber: baloghadamsoftware.Sep 26 2018, 4:09 AM
whisperity added inline comments.
clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
1038 ↗(On Diff #166802)

Can you please give an example of how to well-approach this? We had issues with using Twines on the stack and then later on running into weird undefined behaviour. The documentation is not clear to a lot of our colleagues on where the Twine's usage barriers are... (Asking this not just for @Charusso but also for a few more colleagues, @baloghadamsoftware e.g.)

JonasToth added a subscriber: JonasToth.Sep 26 2018, 6:45 AM
JonasToth added inline comments.
clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
1038 ↗(On Diff #166802)

naive approach:

std::string New = Twine("\n").concat(SpaceBeforeStmtStr).concat(exprToStr(..))...).str();

I think retrieving a SmallString is not supported. Please note, that Twine does support taking integer and floats directly without prior conversion.
You can use operator+ instead of concat too.

Did this help or did you have more specific issues?

aaron.ballman added inline comments.Sep 26 2018, 8:57 AM
clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
1038 ↗(On Diff #166802)

The important bit is -- don't try to store a Twine (locally or otherwise). It's fine as a parameter in a function, but otherwise you should try to use it only as part of an expression. e.g., (Twine("foo") + "bar" + baz).str() is a good pattern to get used to.

Charusso updated this revision to Diff 167597.Sep 29 2018, 6:38 AM
Charusso marked 37 inline comments as done.
Charusso edited the summary of this revision. (Show Details)

Thanks for the very in-depth review @aaron.ballman!

I have not found a way to obtain the instance of Preprocessor nicely, but it is working well. Changes:

  • Huge refactor .
  • Macro definition checking is rely on Preprocessor.
  • isUnjectUL() is now a function, not a static variable.
  • WantToUseSafeFunctions is the new integer specifying the AreSafeFunctionsAvailable variable without the override feature rely on the necessary macros has been defined.
  • Added a test case in bugprone-not-null-terminated-result-memcpy-before-safe.c if the user wants to use safe functions but it is unavailable.
  • Extra: the LOC is now a round number.
clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
1038 ↗(On Diff #166802)

+1 for @aaron.ballman's example, it is an unspoken standard.

Charusso marked an inline comment as done.Sep 29 2018, 6:39 AM
whisperity accepted this revision.Oct 12 2018, 3:15 AM

Have been looked at this far and wide too many times now. I say we roll this out and fix and improve later on, lest this only going into Clang 72. Results look promising, let's hope users start reporting good findings too.

Considering Tidy has no alpha group the name bugprone seems like a double-edged sword, as what is bugprone, the checker or what it finds? 😜

This revision is now accepted and ready to land.Oct 12 2018, 3:15 AM
aaron.ballman accepted this revision.Oct 12 2018, 7:45 AM

LGTM!

whisperity added a comment.Oct 12 2018, 8:21 AM

@aaron.ballman Neither I nor @Charusso has commit rights, could you please commit this in our stead?

JonasToth added a comment.EditedOct 12 2018, 10:11 AM

The patch does not apply clean, could you please take a look at it?

  • was a non-issue from arc **

Am 12.10.2018 um 17:21 schrieb Whisperity via Phabricator:

whisperity added a comment.

@aaron.ballman Neither I nor @Charusso has commit rights, could you please commit this in our stead?

https://reviews.llvm.org/D45050

JonasToth closed this revision.Oct 12 2018, 10:25 AM
Charusso added a comment.Oct 12 2018, 11:48 AM

Thanks everyone for the contribution!

JonasToth added a comment.Oct 12 2018, 11:51 AM

Committed with https://reviews.llvm.org/rCTE344374

JonasToth added a comment.Oct 13 2018, 2:28 AM

Unfortunatly this check does not compile on some ARM platforms. It seems that a matcher exceeds the recursion limit in template instantations.

http://lab.llvm.org:8011/builders/clang-cmake-armv7-quick/builds/4405/steps/build%20stage%201/logs/stdio

I will revert the check for now as I did not find an easy fix now.

JonasToth reopened this revision.Oct 13 2018, 2:34 AM
This revision is now accepted and ready to land.Oct 13 2018, 2:34 AM
JonasToth requested changes to this revision.Oct 13 2018, 2:34 AM
This revision now requires changes to proceed.Oct 13 2018, 2:34 AM
Charusso added a subscriber: klimek.Oct 13 2018, 5:28 AM
In D45050#1264435, @JonasToth wrote:

Unfortunatly this check does not compile on some ARM platforms. It seems that a matcher exceeds the recursion limit in template instantations.

http://lab.llvm.org:8011/builders/clang-cmake-armv7-quick/builds/4405/steps/build%20stage%201/logs/stdio

Well, I can do nothing, but ask for @klimek's help.

Manuel, could you review this error please?

JonasToth added a comment.Oct 14 2018, 3:44 AM

I am in contact with the guy that actually discovered this breakage. It seems to be a weird and hard to reproduce error, but happens on x86 as well. So it is a compile/header something combination that results in the error. I am pretty sure that will take a while until we figured it out :/

JonasToth added a comment.Oct 30 2018, 11:50 AM

Sorry for responding so late, but i thought i get a shot to look at it. Here is the mail from Douglas Yung who was so kind to isolate the breakage and find a reproducer.
If you have the chance please take a look at it.

Hi Jonas,

I have attached a bzipped preprocessed file that I can confirm will show the failure if built with clang++ version 3.7.1, specifically the version that shipped with ubuntu 14.04.5 LTS. Here is the full version information:

Ubuntu clang version 3.7.1-svn253742-1~exp1 (branches/release_37) (based on LLVM 3.7.1)

Target: x86_64-pc-linux-gnu
Thread model: posix

If you build it with “clang++ -std=c++11 NotNullTerminatedResultCheck.preproc.cpp” you should see the failure.

Hope this helps.
Douglas Yung

The file is in the attachement of this comment.

NotNullTerminatedResultCheck.preproc.cpp.bz2649 KBDownload

whisperity added a reviewer: dyung.Oct 30 2018, 2:11 PM
whisperity added a subscriber: dyung.
In D45050#1280831, @dyung wrote:

I have attached a bzipped preprocessed file that I can confirm will show the failure if built with clang++ version 3.7.1, specifically the version that shipped with ubuntu 14.04.5 LTS. Here is the full version information:

Ubuntu clang version 3.7.1-svn253742-1~exp1 (branches/release_37) (based on LLVM 3.7.1)

Target: x86_64-pc-linux-gnu
Thread model: posix

If you build it with “clang++ -std=c++11 NotNullTerminatedResultCheck.preproc.cpp” you should see the failure.

I have installed said Ubuntu in a virtual machine for testing this, but unfortunately only the following Clangs are available in the package manager for Trusty:

clang - C, C++ and Objective-C compiler (LLVM based)
clang-3.3 - C, C++ and Objective-C compiler (LLVM based)
clang-3.4 - C, C++ and Objective-C compiler (LLVM based)
clang-3.5 - C, C++ and Objective-C compiler (LLVM based)
clang-3.6 - C, C++ and Objective-C compiler (LLVM based)
clang-3.8 - C, C++ and Objective-C compiler (LLVM based)
clang-3.9 - C, C++ and Objective-C compiler (LLVM based)

(Where clang is just a synonym for clang-3.4.) There is no Clang 3.7 in the package upstream, it seems.

However, 16.04 LTS (Xenial) at the time of writing this comment has an clang-3.7 package, specifically this version:

Ubuntu clang version 3.7.1-2ubuntu2 (tags/RELEASE_371/final) (based on LLVM 3.7.1)
Target: x86_64-pc-linux-gnu
Thread model: posix

With this I can confirm I get a huge trace and the template depth overflow failure.

However, from the filename-line mappings of the preprocessed output, I can see that the type_traits header comes from /usr/include/c++/4.8/type_traits, which is a version 4.8 standard library, but installing the clang-3.7 package (through some transitivity in libasan and such) depended on gcc-5-base, upgrading it from the system-default 5.3.1 to 5.4.0.

Isn't this a discrepancy, relying on an older standard library than what is seemingly available on the system?

JonasToth added a comment.Oct 30 2018, 3:01 PM

Interesting, did you try out gcc-4.8 and if it is reproducable with
that one? This version of gcc is still supported and if the problem
occurs with the libstdc++ shipped there, we need to consider it.

However, 16.04 LTS (Xenial) at the time of writing this comment has an clang-3.7 package, specifically this version:

Ubuntu clang version 3.7.1-2ubuntu2 (tags/RELEASE_371/final) (based on LLVM 3.7.1)
Target: x86_64-pc-linux-gnu
Thread model: posix

With this I can confirm I get a huge trace and the template depth overflow failure.

However, from the filename-line mappings of the preprocessed output, I can see that the type_traits header comes from /usr/include/c++/4.8/type_traits, which is a version 4.8 standard library, but installing the clang-3.7 package (through some transitivity in libasan and such) depended on gcc-5-base, upgrading it from the system-default 5.3.1 to 5.4.0.

Isn't this a discrepancy, relying on an older standard library than what is seemingly available on the system?

https://reviews.llvm.org/D45050

dyung added a comment.Oct 30 2018, 3:12 PM
In D45050#1281178, @whisperity wrote:

I have installed said Ubuntu in a virtual machine for testing this, but unfortunately only the following Clangs are available in the package manager for Trusty:

clang - C, C++ and Objective-C compiler (LLVM based)
clang-3.3 - C, C++ and Objective-C compiler (LLVM based)
clang-3.4 - C, C++ and Objective-C compiler (LLVM based)
clang-3.5 - C, C++ and Objective-C compiler (LLVM based)
clang-3.6 - C, C++ and Objective-C compiler (LLVM based)
clang-3.8 - C, C++ and Objective-C compiler (LLVM based)
clang-3.9 - C, C++ and Objective-C compiler (LLVM based)

(Where clang is just a synonym for clang-3.4.) There is no Clang 3.7 in the package upstream, it seems.

Hi, I did not initially setup the machine that hit the failure, so I cannot say for certain where it got clang. I did notice though that the llvm.org releases page does seem to include a download link for clang 3.7.1 for ubuntu 14.04 (http://releases.llvm.org/3.7.1/clang+llvm-3.7.1-x86_64-linux-gnu-ubuntu-14.04.tar.xz).

However, 16.04 LTS (Xenial) at the time of writing this comment has an clang-3.7 package, specifically this version:

Ubuntu clang version 3.7.1-2ubuntu2 (tags/RELEASE_371/final) (based on LLVM 3.7.1)
Target: x86_64-pc-linux-gnu
Thread model: posix

With this I can confirm I get a huge trace and the template depth overflow failure.

However, from the filename-line mappings of the preprocessed output, I can see that the type_traits header comes from /usr/include/c++/4.8/type_traits, which is a version 4.8 standard library, but installing the clang-3.7 package (through some transitivity in libasan and such) depended on gcc-5-base, upgrading it from the system-default 5.3.1 to 5.4.0.

Isn't this a discrepancy, relying on an older standard library than what is seemingly available on the system?

Again, I'm not sure how the toolchain was installed on the system, and if it was installed by simply unzipping the tarball above (or similar) then I could see how dependencies could go unmet. Offhand I do not even know if gcc 5+ is installed on the machine, but I can check if you think it is important.

gerazo added a subscriber: gerazo.Nov 26 2018, 7:20 AM
Charusso updated this revision to Diff 220215.Sep 14 2019, 8:23 AM
Charusso edited the summary of this revision. (Show Details)
Charusso removed reviewers: hokein, ilya-biryukov, xbolva00, dyung.
Charusso set the repository for this revision to rCTE Clang Tools Extra.

After a while I try to make this patch arrive. I wanted to split it up to multiple patches, but everything tied together so I decided to fix false positives instead with improving the existing APIs. Please visit the diff of the test cases and the documentation to see the changes.

Here are some interesting findings:

bitcoin/src/leveldb/db/c.cc:
- char* result = reinterpret_cast<char*>(malloc(sizeof(char) * str.size()));
- memcpy(result, str.data(), sizeof(char) * str.size());
+ char* result = reinterpret_cast<char*>(malloc((sizeof(char) * str.size()) + 1));
+ strcpy(result, str.data());

ffmpeg/libavformat/avio.c:
- memmove(start, key+1, strlen(key));
+ memmove(start, key+1, strlen(key) + 1);

ffmpeg/libavformat/mpeg.c:
- memcpy(ext, !strncmp(ext, "IDX", 3) ? "SUB" : "sub", 3);
+ strcpy(ext, !strncmp(ext, "IDX", 3) ? "SUB" : "sub");

ffmpeg/libavformat/oggparseskeleton.c:
- strncmp(buf, "fishead", 8)
+ strncmp(buf, "fishead", 7)

sqlite/shell.c:
#define APND_MARK_PREFIX     "Start-Of-SQLite3-"
#define APND_MARK_PREFIX_SZ  17
unsigned char a[APND_MARK_SIZE];
- memcpy(a, APND_MARK_PREFIX, APND_MARK_PREFIX_SZ);
+ strcpy((char *)a, APND_MARK_PREFIX);
Herald added a project: Restricted Project. · View Herald TranscriptSep 14 2019, 8:23 AM
Charusso added a comment.Sep 14 2019, 8:28 AM

Hm, I wanted to upload the new patch here to see the changes with the diff-mode, but it does not work, sorry.

alexfh added a comment.Sep 17 2019, 6:40 AM

A couple of drive-by comments.

clang-tools-extra/clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
23–34

Binding names are copied/read a lot (for memoization purposes, see BoundNodesMap) during matching. It makes sense to make them shorter. Ideally they should fit into the inline std::string buffer (15 characters in libc++ on x86-64, https://gcc.godbolt.org/z/oNBghM).

277–278

This conditional statement never affects the result of the function. Either there's a typo somewhere or this statement can be removed.

Charusso updated this revision to Diff 221096.EditedSep 20 2019, 12:58 PM
  • Fix.
  • Tiny refactor.
Charusso marked 3 inline comments as done.Sep 20 2019, 12:59 PM

Thanks!

clang-tools-extra/clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp
23–34

Great explanation, thanks you!

Charusso marked an inline comment as done.Sep 20 2019, 12:59 PM
JonasToth resigned from this revision.Oct 11 2019, 3:47 AM
This revision is now accepted and ready to land.Oct 11 2019, 3:47 AM
Closed by commit rG82f8f8b44cd0: [clang-tidy] New checker for not null-terminated result caused by strlen()… (authored by Charusso). · Explain WhyOct 13 2019, 1:33 AM
This revision was automatically updated to reflect the committed changes.
thakis added a subscriber: thakis.Oct 13 2019, 3:49 AM

This fails on Windows: http://45.33.8.238/win/386/step_7.txt

Please take a look, and if it's not immediately clear how to fix, b please revert while you investigate.

Charusso added a comment.Oct 13 2019, 4:00 AM
In D45050#1707483, @thakis wrote:

This fails on Windows: http://45.33.8.238/win/386/step_7.txt

Please take a look, and if it's not immediately clear how to fix, b please revert while you investigate.

Oh, thanks! We define it like typedef __typeof(sizeof(int)) size_t;, so by rL374715 it needs to work.

xbolva00 added a comment.EditedOct 13 2019, 4:09 AM

typedef __SIZE_TYPE__ size_t;

Charusso added a comment.Oct 13 2019, 4:26 AM
In D45050#1707489, @xbolva00 wrote:

typedef __SIZE_TYPE__ size_t;

Hm, yes, I have overestimated the uploaded solution:

$ clang/test grep -rn 'typedef __SIZE_TYPE__ size_t;' | wc -l
60
$ clang/test grep -rn 'typedef __typeof(sizeof(int)) size_t;' | wc -l
45

Thanks!

Charusso added a comment.Oct 13 2019, 5:03 AM

I think everything is working fine on the build-bot side. One tiny issue on Windows left where the getLength() could not obtain the length properly: rL374713, I will look into that.

In D45050#1071898, @xbolva00 wrote:

Shouldn't it catch in curl also this code?

urllen = strlen(url_clone);
....
memcpy(newest, url_clone, urllen);

Edit: if possible, report these bugs to project developers :)

@xbolva00, now I answer it: it is out of the scope of the Tidy, sadly. I really wanted to make this work with tons of heuristics, which made that patch so enormous. I have not forgotten it, I will report the found issues some months later. Now I want to do the same patch with the help of the Analyzer, and research that, whether this type of matching is could be done more appropriately. I have already started that idea by D68725. Thanks again!

Thanks @JonasToth, you really wanted to see my first patch upstreamed, and also thanks everyone, your support really helped me to understand how to do reviews and how to Clang. I apologize for the size, I felt that the larger the better.

NoQ mentioned this in D69813: [analyzer] CERTStrChecker: Model gets().Nov 13 2019, 3:27 PM

Revision Contents

Diff 224773

clang-tools-extra/clang-tidy/bugprone/BugproneTidyModule.cpp

Show All 26 Lines
#include "IntegerDivisionCheck.h" #include "IntegerDivisionCheck.h"
#include "LambdaFunctionNameCheck.h" #include "LambdaFunctionNameCheck.h"
#include "MacroParenthesesCheck.h" #include "MacroParenthesesCheck.h"
#include "MacroRepeatedSideEffectsCheck.h" #include "MacroRepeatedSideEffectsCheck.h"
#include "MisplacedOperatorInStrlenInAllocCheck.h" #include "MisplacedOperatorInStrlenInAllocCheck.h"
#include "MisplacedWideningCastCheck.h" #include "MisplacedWideningCastCheck.h"
#include "MoveForwardingReferenceCheck.h" #include "MoveForwardingReferenceCheck.h"
#include "MultipleStatementMacroCheck.h" #include "MultipleStatementMacroCheck.h"
#include "NotNullTerminatedResultCheck.h"
#include "ParentVirtualCallCheck.h" #include "ParentVirtualCallCheck.h"
#include "PosixReturnCheck.h" #include "PosixReturnCheck.h"
#include "SizeofContainerCheck.h" #include "SizeofContainerCheck.h"
#include "SizeofExpressionCheck.h" #include "SizeofExpressionCheck.h"
#include "StringConstructorCheck.h" #include "StringConstructorCheck.h"
#include "StringIntegerAssignmentCheck.h" #include "StringIntegerAssignmentCheck.h"
#include "StringLiteralWithEmbeddedNulCheck.h" #include "StringLiteralWithEmbeddedNulCheck.h"
#include "SuspiciousEnumUsageCheck.h" #include "SuspiciousEnumUsageCheck.h"
▲ Show 20 LinesShow All 61 Lines▼ Show 20 Lines void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
CheckFactories.registerCheck<MisplacedWideningCastCheck>( CheckFactories.registerCheck<MisplacedWideningCastCheck>(
"bugprone-misplaced-widening-cast"); "bugprone-misplaced-widening-cast");
CheckFactories.registerCheck<MoveForwardingReferenceCheck>( CheckFactories.registerCheck<MoveForwardingReferenceCheck>(
"bugprone-move-forwarding-reference"); "bugprone-move-forwarding-reference");
CheckFactories.registerCheck<MultipleStatementMacroCheck>( CheckFactories.registerCheck<MultipleStatementMacroCheck>(
"bugprone-multiple-statement-macro"); "bugprone-multiple-statement-macro");
CheckFactories.registerCheck<cppcoreguidelines::NarrowingConversionsCheck>( CheckFactories.registerCheck<cppcoreguidelines::NarrowingConversionsCheck>(
"bugprone-narrowing-conversions"); "bugprone-narrowing-conversions");
CheckFactories.registerCheck<NotNullTerminatedResultCheck>(
"bugprone-not-null-terminated-result");
CheckFactories.registerCheck<ParentVirtualCallCheck>( CheckFactories.registerCheck<ParentVirtualCallCheck>(
"bugprone-parent-virtual-call"); "bugprone-parent-virtual-call");
CheckFactories.registerCheck<PosixReturnCheck>( CheckFactories.registerCheck<PosixReturnCheck>(
"bugprone-posix-return"); "bugprone-posix-return");
CheckFactories.registerCheck<SizeofContainerCheck>( CheckFactories.registerCheck<SizeofContainerCheck>(
"bugprone-sizeof-container"); "bugprone-sizeof-container");
CheckFactories.registerCheck<SizeofExpressionCheck>( CheckFactories.registerCheck<SizeofExpressionCheck>(
"bugprone-sizeof-expression"); "bugprone-sizeof-expression");
▲ Show 20 LinesShow All 53 LinesShow Last 20 Lines

clang-tools-extra/clang-tidy/bugprone/CMakeLists.txt

Show All 18 Linesadd_clang_library(clangTidyBugproneModule
IntegerDivisionCheck.cpp IntegerDivisionCheck.cpp
LambdaFunctionNameCheck.cpp LambdaFunctionNameCheck.cpp
MacroParenthesesCheck.cpp MacroParenthesesCheck.cpp
MacroRepeatedSideEffectsCheck.cpp MacroRepeatedSideEffectsCheck.cpp
MisplacedOperatorInStrlenInAllocCheck.cpp MisplacedOperatorInStrlenInAllocCheck.cpp
MisplacedWideningCastCheck.cpp MisplacedWideningCastCheck.cpp
MoveForwardingReferenceCheck.cpp MoveForwardingReferenceCheck.cpp
MultipleStatementMacroCheck.cpp MultipleStatementMacroCheck.cpp
NotNullTerminatedResultCheck.cpp
ParentVirtualCallCheck.cpp ParentVirtualCallCheck.cpp
PosixReturnCheck.cpp PosixReturnCheck.cpp
SizeofContainerCheck.cpp SizeofContainerCheck.cpp
SizeofExpressionCheck.cpp SizeofExpressionCheck.cpp
StringConstructorCheck.cpp StringConstructorCheck.cpp
StringIntegerAssignmentCheck.cpp StringIntegerAssignmentCheck.cpp
StringLiteralWithEmbeddedNulCheck.cpp StringLiteralWithEmbeddedNulCheck.cpp
SuspiciousEnumUsageCheck.cpp SuspiciousEnumUsageCheck.cpp
Show All 27 Lines

clang-tools-extra/clang-tidy/bugprone/NotNullTerminatedResultCheck.h

  • This file was added.
//===--- NotNullTerminatedResultCheck.h - clang-tidy ------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_NOT_NULL_TERMINATED_RESULT_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_NOT_NULL_TERMINATED_RESULT_H
#include "../ClangTidy.h"
namespace clang {
namespace tidy {
namespace bugprone {
/// Finds function calls where it is possible to cause a not null-terminated
/// result. Usually the proper length of a string is 'strlen(src) + 1' or
/// equal length of this expression, because the null terminator needs an extra
/// space. Without the null terminator it can result in undefined behaviour
/// when the string is read.
///
/// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/bugprone-not-null-terminated-result.html
class NotNullTerminatedResultCheck : public ClangTidyCheck {
public:
NotNullTerminatedResultCheck(StringRef Name, ClangTidyContext *Context);
void storeOptions(ClangTidyOptions::OptionMap &Opts) override;
void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
void registerPPCallbacks(const SourceManager &SM, Preprocessor *PP,
Preprocessor *ModuleExpanderPP) override;
private:
// If non-zero it is specifying if the target environment is considered to
// implement '_s' suffixed memory and string handler functions which are safer
// than older version (e.g. 'memcpy_s()'). The default value is '1'.
const int WantToUseSafeFunctions;
bool UseSafeFunctions = false;
void memoryHandlerFunctionFix(
StringRef Name, const ast_matchers::MatchFinder::MatchResult &Result);
void memcpyFix(StringRef Name,
const ast_matchers::MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag);
void memcpy_sFix(StringRef Name,
const ast_matchers::MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag);
void memchrFix(StringRef Name,
const ast_matchers::MatchFinder::MatchResult &Result);
void memmoveFix(StringRef Name,
const ast_matchers::MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag);
void strerror_sFix(const ast_matchers::MatchFinder::MatchResult &Result);
void ncmpFix(StringRef Name,
const ast_matchers::MatchFinder::MatchResult &Result);
void xfrmFix(StringRef Name,
const ast_matchers::MatchFinder::MatchResult &Result);
};
} // namespace bugprone
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_NOT_NULL_TERMINATED_RESULT_H

clang-tools-extra/clang-tidy/bugprone/NotNullTerminatedResultCheck.cpp

  • This file was added.
//===--- NotNullTerminatedResultCheck.cpp - clang-tidy ----------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "NotNullTerminatedResultCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Frontend/CompilerInstance.h"
#include "clang/Lex/Lexer.h"
#include "clang/Lex/PPCallbacks.h"
using namespace clang::ast_matchers;
namespace clang {
namespace tidy {
namespace bugprone {
constexpr llvm::StringLiteral FunctionExprName = "FunctionExpr";
constexpr llvm::StringLiteral CastExprName = "CastExpr";
constexpr llvm::StringLiteral UnknownDestName = "UnknownDest";
constexpr llvm::StringLiteral DestArrayTyName = "DestArrayTy";
constexpr llvm::StringLiteral DestVarDeclName = "DestVarDecl";
constexpr llvm::StringLiteral DestMallocExprName = "DestMalloc";
constexpr llvm::StringLiteral DestExprName = "DestExpr";
constexpr llvm::StringLiteral SrcVarDeclName = "SrcVarDecl";
constexpr llvm::StringLiteral SrcExprName = "SrcExpr";
constexpr llvm::StringLiteral LengthExprName = "LengthExpr";
constexpr llvm::StringLiteral WrongLengthExprName = "WrongLength";
constexpr llvm::StringLiteral UnknownLengthName = "UnknownLength";
alexfhUnsubmitted
Done
ReplyInline Actions

Binding names are copied/read a lot (for memoization purposes, see BoundNodesMap) during matching. It makes sense to make them shorter. Ideally they should fit into the inline std::string buffer (15 characters in libc++ on x86-64, https://gcc.godbolt.org/z/oNBghM).

alexfh: Binding names are copied/read a lot (for memoization purposes, see BoundNodesMap) during…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Great explanation, thanks you!

Charusso: Great explanation, thanks you!
enum class LengthHandleKind { Increase, Decrease };
namespace {
static Preprocessor *PP;
} // namespace
// Returns the expression of destination's capacity which is part of a
// 'VariableArrayType', 'ConstantArrayTypeLoc' or an argument of a 'malloc()'
// family function call.
static const Expr *getDestCapacityExpr(const MatchFinder::MatchResult &Result) {
if (const auto *DestMalloc = Result.Nodes.getNodeAs<Expr>(DestMallocExprName))
return DestMalloc;
if (const auto *DestVAT =
Result.Nodes.getNodeAs<VariableArrayType>(DestArrayTyName))
return DestVAT->getSizeExpr();
if (const auto *DestVD = Result.Nodes.getNodeAs<VarDecl>(DestVarDeclName))
if (const TypeLoc DestTL = DestVD->getTypeSourceInfo()->getTypeLoc())
if (const auto DestCTL = DestTL.getAs<ConstantArrayTypeLoc>())
return DestCTL.getSizeExpr();
return nullptr;
}
// Returns the length of \p E as an 'IntegerLiteral' or a 'StringLiteral'
// without the null-terminator.
static int getLength(const Expr *E, const MatchFinder::MatchResult &Result) {
if (!E)
return 0;
Expr::EvalResult Length;
E = E->IgnoreImpCasts();
if (const auto *LengthDRE = dyn_cast<DeclRefExpr>(E))
if (const auto *LengthVD = dyn_cast<VarDecl>(LengthDRE->getDecl()))
if (!isa<ParmVarDecl>(LengthVD))
if (const Expr *LengthInit = LengthVD->getInit())
if (LengthInit->EvaluateAsInt(Length, *Result.Context))
return Length.Val.getInt().getZExtValue();
if (const auto *LengthIL = dyn_cast<IntegerLiteral>(E))
return LengthIL->getValue().getZExtValue();
if (const auto *StrDRE = dyn_cast<DeclRefExpr>(E))
if (const auto *StrVD = dyn_cast<VarDecl>(StrDRE->getDecl()))
if (const Expr *StrInit = StrVD->getInit())
if (const auto *StrSL =
dyn_cast<StringLiteral>(StrInit->IgnoreImpCasts()))
return StrSL->getLength();
if (const auto *SrcSL = dyn_cast<StringLiteral>(E))
return SrcSL->getLength();
return 0;
}
// Returns the capacity of the destination array.
// For example in 'char dest[13]; memcpy(dest, ...)' it returns 13.
static int getDestCapacity(const MatchFinder::MatchResult &Result) {
if (const auto *DestCapacityExpr = getDestCapacityExpr(Result))
return getLength(DestCapacityExpr, Result);
return 0;
}
// Returns the 'strlen()' if it is the given length.
static const CallExpr *getStrlenExpr(const MatchFinder::MatchResult &Result) {
if (const auto *StrlenExpr =
Result.Nodes.getNodeAs<CallExpr>(WrongLengthExprName))
if (const Decl *D = StrlenExpr->getCalleeDecl())
if (const FunctionDecl *FD = D->getAsFunction())
if (const IdentifierInfo *II = FD->getIdentifier())
if (II->isStr("strlen") || II->isStr("wcslen"))
return StrlenExpr;
return nullptr;
}
// Returns the length which is given in the memory/string handler function.
// For example in 'memcpy(dest, "foobar", 3)' it returns 3.
static int getGivenLength(const MatchFinder::MatchResult &Result) {
if (Result.Nodes.getNodeAs<Expr>(UnknownLengthName))
return 0;
if (int Length =
getLength(Result.Nodes.getNodeAs<Expr>(WrongLengthExprName), Result))
return Length;
if (int Length =
getLength(Result.Nodes.getNodeAs<Expr>(LengthExprName), Result))
return Length;
// Special case, for example 'strlen("foo")'.
if (const CallExpr *StrlenCE = getStrlenExpr(Result))
if (const Expr *Arg = StrlenCE->getArg(0)->IgnoreImpCasts())
if (int ArgLength = getLength(Arg, Result))
return ArgLength;
return 0;
}
// Returns a string representation of \p E.
static StringRef exprToStr(const Expr *E,
const MatchFinder::MatchResult &Result) {
if (!E)
return "";
return Lexer::getSourceText(
CharSourceRange::getTokenRange(E->getSourceRange()),
*Result.SourceManager, Result.Context->getLangOpts(), 0);
}
// Returns the proper token based end location of \p E.
static SourceLocation exprLocEnd(const Expr *E,
const MatchFinder::MatchResult &Result) {
return Lexer::getLocForEndOfToken(E->getEndLoc(), 0, *Result.SourceManager,
Result.Context->getLangOpts());
}
//===----------------------------------------------------------------------===//
// Rewrite decision helper functions.
//===----------------------------------------------------------------------===//
// Increment by integer '1' can result in overflow if it is the maximal value.
// After that it would be extended to 'size_t' and its value would be wrong,
// therefore we have to inject '+ 1UL' instead.
static bool isInjectUL(const MatchFinder::MatchResult &Result) {
return getGivenLength(Result) == std::numeric_limits<int>::max();
}
// If the capacity of the destination array is unknown it is denoted as unknown.
static bool isKnownDest(const MatchFinder::MatchResult &Result) {
return !Result.Nodes.getNodeAs<Expr>(UnknownDestName);
}
// True if the capacity of the destination array is based on the given length,
// therefore we assume that it cannot overflow (e.g. 'malloc(given_length + 1)'
static bool isDestBasedOnGivenLength(const MatchFinder::MatchResult &Result) {
StringRef DestCapacityExprStr =
exprToStr(getDestCapacityExpr(Result), Result).trim();
StringRef LengthExprStr =
exprToStr(Result.Nodes.getNodeAs<Expr>(LengthExprName), Result).trim();
return DestCapacityExprStr != "" && LengthExprStr != "" &&
DestCapacityExprStr.contains(LengthExprStr);
}
// Writing and reading from the same memory cannot remove the null-terminator.
static bool isDestAndSrcEquals(const MatchFinder::MatchResult &Result) {
if (const auto *DestDRE = Result.Nodes.getNodeAs<DeclRefExpr>(DestExprName))
if (const auto *SrcDRE = Result.Nodes.getNodeAs<DeclRefExpr>(SrcExprName))
return DestDRE->getDecl()->getCanonicalDecl() ==
SrcDRE->getDecl()->getCanonicalDecl();
return false;
}
// For example 'std::string str = "foo"; memcpy(dst, str.data(), str.length())'.
static bool isStringDataAndLength(const MatchFinder::MatchResult &Result) {
const auto *DestExpr =
Result.Nodes.getNodeAs<CXXMemberCallExpr>(DestExprName);
const auto *SrcExpr = Result.Nodes.getNodeAs<CXXMemberCallExpr>(SrcExprName);
const auto *LengthExpr =
Result.Nodes.getNodeAs<CXXMemberCallExpr>(WrongLengthExprName);
StringRef DestStr = "", SrcStr = "", LengthStr = "";
if (DestExpr)
if (const CXXMethodDecl *DestMD = DestExpr->getMethodDecl())
DestStr = DestMD->getName();
if (SrcExpr)
if (const CXXMethodDecl *SrcMD = SrcExpr->getMethodDecl())
SrcStr = SrcMD->getName();
if (LengthExpr)
if (const CXXMethodDecl *LengthMD = LengthExpr->getMethodDecl())
LengthStr = LengthMD->getName();
return (LengthStr == "length" || LengthStr == "size") &&
(SrcStr == "data" || DestStr == "data");
}
static bool
isGivenLengthEqualToSrcLength(const MatchFinder::MatchResult &Result) {
if (Result.Nodes.getNodeAs<Expr>(UnknownLengthName))
return false;
if (isStringDataAndLength(Result))
return true;
int GivenLength = getGivenLength(Result);
int SrcLength = getLength(Result.Nodes.getNodeAs<Expr>(SrcExprName), Result);
if (GivenLength != 0 && SrcLength != 0 && GivenLength == SrcLength)
return true;
if (const auto *LengthExpr = Result.Nodes.getNodeAs<Expr>(LengthExprName))
if (dyn_cast<BinaryOperator>(LengthExpr->IgnoreParenImpCasts()))
return false;
// Check the strlen()'s argument's 'VarDecl' is equal to the source 'VarDecl'.
if (const CallExpr *StrlenCE = getStrlenExpr(Result))
if (const auto *ArgDRE =
dyn_cast<DeclRefExpr>(StrlenCE->getArg(0)->IgnoreImpCasts()))
if (const auto *SrcVD = Result.Nodes.getNodeAs<VarDecl>(SrcVarDeclName))
return dyn_cast<VarDecl>(ArgDRE->getDecl()) == SrcVD;
return false;
}
static bool isCorrectGivenLength(const MatchFinder::MatchResult &Result) {
if (Result.Nodes.getNodeAs<Expr>(UnknownLengthName))
return false;
return !isGivenLengthEqualToSrcLength(Result);
}
// If we rewrite the function call we need to create extra space to hold the
// null terminator. The new necessary capacity overflows without that '+ 1'
// size and we need to correct the given capacity.
static bool isDestCapacityOverflows(const MatchFinder::MatchResult &Result) {
if (!isKnownDest(Result))
return true;
const Expr *DestCapacityExpr = getDestCapacityExpr(Result);
int DestCapacity = getLength(DestCapacityExpr, Result);
int GivenLength = getGivenLength(Result);
if (GivenLength != 0 && DestCapacity != 0)
return isGivenLengthEqualToSrcLength(Result) && DestCapacity == GivenLength;
// Assume that the destination array's capacity cannot overflow if the
// expression of the memory allocation contains '+ 1'.
StringRef DestCapacityExprStr = exprToStr(DestCapacityExpr, Result);
if (DestCapacityExprStr.contains("+1") || DestCapacityExprStr.contains("+ 1"))
return false;
return true;
}
static bool
isFixedGivenLengthAndUnknownSrc(const MatchFinder::MatchResult &Result) {
if (Result.Nodes.getNodeAs<IntegerLiteral>(WrongLengthExprName))
alexfhUnsubmitted
Done
ReplyInline Actions

This conditional statement never affects the result of the function. Either there's a typo somewhere or this statement can be removed.

alexfh: This conditional statement never affects the result of the function. Either there's a typo…
return !getLength(Result.Nodes.getNodeAs<Expr>(SrcExprName), Result);
return false;
}
//===----------------------------------------------------------------------===//
// Code injection functions.
//===----------------------------------------------------------------------===//
// Increase or decrease \p LengthExpr by one.
static void lengthExprHandle(const Expr *LengthExpr,
LengthHandleKind LengthHandle,
const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
LengthExpr = LengthExpr->IgnoreParenImpCasts();
// See whether we work with a macro.
bool IsMacroDefinition = false;
StringRef LengthExprStr = exprToStr(LengthExpr, Result);
Preprocessor::macro_iterator It = PP->macro_begin();
while (It != PP->macro_end() && !IsMacroDefinition) {
if (It->first->getName() == LengthExprStr)
IsMacroDefinition = true;
++It;
}
// Try to obtain an 'IntegerLiteral' and adjust it.
if (!IsMacroDefinition) {
if (const auto *LengthIL = dyn_cast<IntegerLiteral>(LengthExpr)) {
size_t NewLength = LengthIL->getValue().getZExtValue() +
(LengthHandle == LengthHandleKind::Increase
? (isInjectUL(Result) ? 1UL : 1)
: -1);
const auto NewLengthFix = FixItHint::CreateReplacement(
LengthIL->getSourceRange(),
(Twine(NewLength) + (isInjectUL(Result) ? "UL" : "")).str());
Diag << NewLengthFix;
return;
}
}
// Try to obtain and remove the '+ 1' string as a decrement fix.
const auto *BO = dyn_cast<BinaryOperator>(LengthExpr);
if (BO && BO->getOpcode() == BO_Add &&
LengthHandle == LengthHandleKind::Decrease) {
const Expr *LhsExpr = BO->getLHS()->IgnoreImpCasts();
const Expr *RhsExpr = BO->getRHS()->IgnoreImpCasts();
if (const auto *LhsIL = dyn_cast<IntegerLiteral>(LhsExpr)) {
if (LhsIL->getValue().getZExtValue() == 1) {
Diag << FixItHint::CreateRemoval(
{LhsIL->getBeginLoc(),
RhsExpr->getBeginLoc().getLocWithOffset(-1)});
return;
}
}
if (const auto *RhsIL = dyn_cast<IntegerLiteral>(RhsExpr)) {
if (RhsIL->getValue().getZExtValue() == 1) {
Diag << FixItHint::CreateRemoval(
{LhsExpr->getEndLoc().getLocWithOffset(1), RhsIL->getEndLoc()});
return;
}
}
}
// Try to inject the '+ 1'/'- 1' string.
bool NeedInnerParen = BO && BO->getOpcode() != BO_Add;
if (NeedInnerParen)
Diag << FixItHint::CreateInsertion(LengthExpr->getBeginLoc(), "(");
SmallString<8> Injection;
if (NeedInnerParen)
Injection += ')';
Injection += LengthHandle == LengthHandleKind::Increase ? " + 1" : " - 1";
if (isInjectUL(Result))
Injection += "UL";
Diag << FixItHint::CreateInsertion(exprLocEnd(LengthExpr, Result), Injection);
}
static void lengthArgHandle(LengthHandleKind LengthHandle,
const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
const auto *LengthExpr = Result.Nodes.getNodeAs<Expr>(LengthExprName);
lengthExprHandle(LengthExpr, LengthHandle, Result, Diag);
}
static void lengthArgPosHandle(unsigned ArgPos, LengthHandleKind LengthHandle,
const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
const auto *FunctionExpr = Result.Nodes.getNodeAs<CallExpr>(FunctionExprName);
lengthExprHandle(FunctionExpr->getArg(ArgPos), LengthHandle, Result, Diag);
}
// The string handler functions are only operates with plain 'char'/'wchar_t'
// without 'unsigned/signed', therefore we need to cast it.
static bool isDestExprFix(const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
const auto *Dest = Result.Nodes.getNodeAs<Expr>(DestExprName);
if (!Dest)
return false;
std::string TempTyStr = Dest->getType().getAsString();
StringRef TyStr = TempTyStr;
if (TyStr.startswith("char") || TyStr.startswith("wchar_t"))
return false;
Diag << FixItHint::CreateInsertion(Dest->getBeginLoc(), "(char *)");
return true;
}
// If the destination array is the same length as the given length we have to
// increase the capacity by one to create space for the the null terminator.
static bool isDestCapacityFix(const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
bool IsOverflows = isDestCapacityOverflows(Result);
if (IsOverflows)
if (const Expr *CapacityExpr = getDestCapacityExpr(Result))
lengthExprHandle(CapacityExpr, LengthHandleKind::Increase, Result, Diag);
return IsOverflows;
}
static void removeArg(int ArgPos, const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
// This is the following structure: (src, '\0', strlen(src))
// ArgToRemove: ~~~~~~~~~~~
// LHSArg: ~~~~
// RemoveArgFix: ~~~~~~~~~~~~~
const auto *FunctionExpr = Result.Nodes.getNodeAs<CallExpr>(FunctionExprName);
const Expr *ArgToRemove = FunctionExpr->getArg(ArgPos);
const Expr *LHSArg = FunctionExpr->getArg(ArgPos - 1);
const auto RemoveArgFix = FixItHint::CreateRemoval(
SourceRange(exprLocEnd(LHSArg, Result),
exprLocEnd(ArgToRemove, Result).getLocWithOffset(-1)));
Diag << RemoveArgFix;
}
static void renameFunc(StringRef NewFuncName,
const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
const auto *FunctionExpr = Result.Nodes.getNodeAs<CallExpr>(FunctionExprName);
int FuncNameLength =
FunctionExpr->getDirectCallee()->getIdentifier()->getLength();
SourceRange FuncNameRange(
FunctionExpr->getBeginLoc(),
FunctionExpr->getBeginLoc().getLocWithOffset(FuncNameLength - 1));
const auto FuncNameFix =
FixItHint::CreateReplacement(FuncNameRange, NewFuncName);
Diag << FuncNameFix;
}
static void renameMemcpy(StringRef Name, bool IsCopy, bool IsSafe,
const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
SmallString<10> NewFuncName;
NewFuncName = (Name[0] != 'w') ? "str" : "wcs";
NewFuncName += IsCopy ? "cpy" : "ncpy";
NewFuncName += IsSafe ? "_s" : "";
renameFunc(NewFuncName, Result, Diag);
}
static void insertDestCapacityArg(bool IsOverflows, StringRef Name,
const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
const auto *FunctionExpr = Result.Nodes.getNodeAs<CallExpr>(FunctionExprName);
SmallString<64> NewSecondArg;
if (int DestLength = getDestCapacity(Result)) {
NewSecondArg = Twine(IsOverflows ? DestLength + 1 : DestLength).str();
} else {
NewSecondArg =
(Twine(exprToStr(getDestCapacityExpr(Result), Result)) +
(IsOverflows ? (!isInjectUL(Result) ? " + 1" : " + 1UL") : ""))
.str();
}
NewSecondArg += ", ";
const auto InsertNewArgFix = FixItHint::CreateInsertion(
FunctionExpr->getArg(1)->getBeginLoc(), NewSecondArg);
Diag << InsertNewArgFix;
}
static void insertNullTerminatorExpr(StringRef Name,
const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
const auto *FunctionExpr = Result.Nodes.getNodeAs<CallExpr>(FunctionExprName);
int FuncLocStartColumn = Result.SourceManager->getPresumedColumnNumber(
FunctionExpr->getBeginLoc());
SourceRange SpaceRange(
FunctionExpr->getBeginLoc().getLocWithOffset(-FuncLocStartColumn + 1),
FunctionExpr->getBeginLoc());
StringRef SpaceBeforeStmtStr = Lexer::getSourceText(
CharSourceRange::getCharRange(SpaceRange), *Result.SourceManager,
Result.Context->getLangOpts(), 0);
SmallString<128> NewAddNullTermExprStr;
NewAddNullTermExprStr =
(Twine('\n') + SpaceBeforeStmtStr +
exprToStr(Result.Nodes.getNodeAs<Expr>(DestExprName), Result) + "[" +
exprToStr(Result.Nodes.getNodeAs<Expr>(LengthExprName), Result) +
"] = " + ((Name[0] != 'w') ? "\'\\0\';" : "L\'\\0\';"))
.str();
const auto AddNullTerminatorExprFix = FixItHint::CreateInsertion(
exprLocEnd(FunctionExpr, Result).getLocWithOffset(1),
NewAddNullTermExprStr);
Diag << AddNullTerminatorExprFix;
}
//===----------------------------------------------------------------------===//
// Checker logic with the matchers.
//===----------------------------------------------------------------------===//
NotNullTerminatedResultCheck::NotNullTerminatedResultCheck(
StringRef Name, ClangTidyContext *Context)
: ClangTidyCheck(Name, Context),
WantToUseSafeFunctions(Options.get("WantToUseSafeFunctions", 1)) {}
void NotNullTerminatedResultCheck::storeOptions(
ClangTidyOptions::OptionMap &Opts) {
Options.store(Opts, "WantToUseSafeFunctions", WantToUseSafeFunctions);
}
void NotNullTerminatedResultCheck::registerPPCallbacks(
const SourceManager &SM, Preprocessor *pp, Preprocessor *ModuleExpanderPP) {
PP = pp;
}
namespace {
AST_MATCHER_P(Expr, hasDefinition, ast_matchers::internal::Matcher<Expr>,
InnerMatcher) {
const Expr *SimpleNode = &Node;
SimpleNode = SimpleNode->IgnoreParenImpCasts();
if (InnerMatcher.matches(*SimpleNode, Finder, Builder))
return true;
auto DREHasInit = ignoringImpCasts(
declRefExpr(to(varDecl(hasInitializer(ignoringImpCasts(InnerMatcher))))));
if (DREHasInit.matches(*SimpleNode, Finder, Builder))
return true;
const char *const VarDeclName = "variable-declaration";
auto DREHasDefinition = ignoringImpCasts(declRefExpr(
allOf(to(varDecl().bind(VarDeclName)),
hasAncestor(compoundStmt(hasDescendant(binaryOperator(
hasLHS(declRefExpr(to(varDecl(equalsBoundNode(VarDeclName))))),
hasRHS(ignoringImpCasts(InnerMatcher)))))))));
if (DREHasDefinition.matches(*SimpleNode, Finder, Builder))
return true;
return false;
}
} // namespace
void NotNullTerminatedResultCheck::registerMatchers(MatchFinder *Finder) {
auto IncOp =
binaryOperator(hasOperatorName("+"),
hasEitherOperand(ignoringParenImpCasts(integerLiteral())));
auto DecOp =
binaryOperator(hasOperatorName("-"),
hasEitherOperand(ignoringParenImpCasts(integerLiteral())));
auto HasIncOp = anyOf(ignoringImpCasts(IncOp), hasDescendant(IncOp));
auto HasDecOp = anyOf(ignoringImpCasts(DecOp), hasDescendant(DecOp));
auto Container = ignoringImpCasts(cxxMemberCallExpr(hasDescendant(declRefExpr(
hasType(hasUnqualifiedDesugaredType(recordType(hasDeclaration(recordDecl(
hasAnyName("::std::vector", "::std::list", "::std::deque"))))))))));
auto StringTy = type(hasUnqualifiedDesugaredType(recordType(
hasDeclaration(cxxRecordDecl(hasName("::std::basic_string"))))));
auto AnyOfStringTy =
anyOf(hasType(StringTy), hasType(qualType(pointsTo(StringTy))));
auto CharTyArray = hasType(qualType(hasCanonicalType(
arrayType(hasElementType(isAnyCharacter())).bind(DestArrayTyName))));
auto CharTyPointer = hasType(
qualType(hasCanonicalType(pointerType(pointee(isAnyCharacter())))));
auto AnyOfCharTy = anyOf(CharTyArray, CharTyPointer);
//===--------------------------------------------------------------------===//
// The following six cases match problematic length expressions.
//===--------------------------------------------------------------------===//
// - Example: char src[] = "foo"; strlen(src);
auto Strlen =
callExpr(callee(functionDecl(hasAnyName("::strlen", "::wcslen"))))
.bind(WrongLengthExprName);
// - Example: std::string str = "foo"; str.size();
auto SizeOrLength =
cxxMemberCallExpr(
allOf(on(expr(AnyOfStringTy).bind("Foo")),
has(memberExpr(member(hasAnyName("size", "length"))))))
.bind(WrongLengthExprName);
// - Example: char src[] = "foo"; sizeof(src);
auto SizeOfCharExpr = unaryExprOrTypeTraitExpr(has(expr(AnyOfCharTy)));
auto WrongLength =
ignoringImpCasts(anyOf(Strlen, SizeOrLength, hasDescendant(Strlen),
hasDescendant(SizeOrLength)));
// - Example: length = strlen(src);
auto DREWithoutInc =
ignoringImpCasts(declRefExpr(to(varDecl(hasInitializer(WrongLength)))));
auto AnyOfCallOrDREWithoutInc = anyOf(DREWithoutInc, WrongLength);
// - Example: int getLength(const char *str) { return strlen(str); }
auto CallExprReturnWithoutInc = ignoringImpCasts(callExpr(callee(functionDecl(
hasBody(has(returnStmt(hasReturnValue(AnyOfCallOrDREWithoutInc))))))));
// - Example: int length = getLength(src);
auto DREHasReturnWithoutInc = ignoringImpCasts(
declRefExpr(to(varDecl(hasInitializer(CallExprReturnWithoutInc)))));
auto AnyOfWrongLengthInit =
anyOf(WrongLength, AnyOfCallOrDREWithoutInc, CallExprReturnWithoutInc,
DREHasReturnWithoutInc);
//===--------------------------------------------------------------------===//
// The following five cases match the 'destination' array length's
// expression which is used in 'memcpy()' and 'memmove()' matchers.
//===--------------------------------------------------------------------===//
// Note: Sometimes the size of char is explicitly written out.
auto SizeExpr = anyOf(SizeOfCharExpr, integerLiteral(equals(1)));
auto MallocLengthExpr = allOf(
callee(functionDecl(
hasAnyName("::alloca", "::calloc", "malloc", "realloc"))),
hasAnyArgument(allOf(unless(SizeExpr), expr().bind(DestMallocExprName))));
// - Example: (char *)malloc(length);
auto DestMalloc = anyOf(callExpr(MallocLengthExpr),
hasDescendant(callExpr(MallocLengthExpr)));
// - Example: new char[length];
auto DestCXXNewExpr = ignoringImpCasts(
cxxNewExpr(hasArraySize(expr().bind(DestMallocExprName))));
auto AnyOfDestInit = anyOf(DestMalloc, DestCXXNewExpr);
// - Example: char dest[13]; or char dest[length];
auto DestArrayTyDecl = declRefExpr(
to(anyOf(varDecl(CharTyArray).bind(DestVarDeclName),
varDecl(hasInitializer(AnyOfDestInit)).bind(DestVarDeclName))));
// - Example: foo[bar[baz]].qux; (or just ParmVarDecl)
auto DestUnknownDecl =
declRefExpr(allOf(to(varDecl(AnyOfCharTy).bind(DestVarDeclName)),
expr().bind(UnknownDestName)))
.bind(DestExprName);
auto AnyOfDestDecl = ignoringImpCasts(
anyOf(allOf(hasDefinition(anyOf(AnyOfDestInit, DestArrayTyDecl,
hasDescendant(DestArrayTyDecl))),
expr().bind(DestExprName)),
anyOf(DestUnknownDecl, hasDescendant(DestUnknownDecl))));
auto NullTerminatorExpr = binaryOperator(
hasLHS(anyOf(hasDescendant(declRefExpr(
to(varDecl(equalsBoundNode(DestVarDeclName))))),
hasDescendant(declRefExpr(equalsBoundNode(DestExprName))))),
hasRHS(ignoringImpCasts(
anyOf(characterLiteral(equals(0U)), integerLiteral(equals(0))))));
auto SrcDecl = declRefExpr(
allOf(to(decl().bind(SrcVarDeclName)),
anyOf(hasAncestor(cxxMemberCallExpr().bind(SrcExprName)),
expr().bind(SrcExprName))));
auto AnyOfSrcDecl =
ignoringImpCasts(anyOf(stringLiteral().bind(SrcExprName),
hasDescendant(stringLiteral().bind(SrcExprName)),
SrcDecl, hasDescendant(SrcDecl)));
//===--------------------------------------------------------------------===//
// Match the problematic function calls.
//===--------------------------------------------------------------------===//
struct CallContext {
CallContext(StringRef Name, Optional<unsigned> DestinationPos,
Optional<unsigned> SourcePos, unsigned LengthPos,
bool WithIncrease)
: Name(Name), DestinationPos(DestinationPos), SourcePos(SourcePos),
LengthPos(LengthPos), WithIncrease(WithIncrease){};
StringRef Name;
Optional<unsigned> DestinationPos;
Optional<unsigned> SourcePos;
unsigned LengthPos;
bool WithIncrease;
};
auto MatchDestination = [=](CallContext CC) {
return hasArgument(*CC.DestinationPos,
allOf(AnyOfDestDecl,
unless(hasAncestor(compoundStmt(
hasDescendant(NullTerminatorExpr)))),
unless(Container)));
};
auto MatchSource = [=](CallContext CC) {
return hasArgument(*CC.SourcePos, AnyOfSrcDecl);
};
auto MatchGivenLength = [=](CallContext CC) {
return hasArgument(
CC.LengthPos,
allOf(
anyOf(
ignoringImpCasts(integerLiteral().bind(WrongLengthExprName)),
allOf(unless(hasDefinition(SizeOfCharExpr)),
allOf(CC.WithIncrease
? ignoringImpCasts(hasDefinition(HasIncOp))
: ignoringImpCasts(allOf(
unless(hasDefinition(HasIncOp)),
anyOf(hasDefinition(binaryOperator().bind(
UnknownLengthName)),
hasDefinition(anything())))),
AnyOfWrongLengthInit))),
expr().bind(LengthExprName)));
};
auto MatchCall = [=](CallContext CC) {
std::string CharHandlerFuncName = "::" + CC.Name.str();
// Try to match with 'wchar_t' based function calls.
std::string WcharHandlerFuncName =
"::" + (CC.Name.startswith("mem") ? "w" + CC.Name.str()
: "wcs" + CC.Name.substr(3).str());
return allOf(callee(functionDecl(
hasAnyName(CharHandlerFuncName, WcharHandlerFuncName))),
MatchGivenLength(CC));
};
auto Match = [=](CallContext CC) {
if (CC.DestinationPos && CC.SourcePos)
return allOf(MatchCall(CC), MatchDestination(CC), MatchSource(CC));
if (CC.DestinationPos && !CC.SourcePos)
return allOf(MatchCall(CC), MatchDestination(CC),
hasArgument(*CC.DestinationPos, anything()));
if (!CC.DestinationPos && CC.SourcePos)
return allOf(MatchCall(CC), MatchSource(CC),
hasArgument(*CC.SourcePos, anything()));
llvm_unreachable("Unhandled match");
};
// void *memcpy(void *dest, const void *src, size_t count)
auto Memcpy = Match({"memcpy", 0, 1, 2, false});
// errno_t memcpy_s(void *dest, size_t ds, const void *src, size_t count)
auto Memcpy_s = Match({"memcpy_s", 0, 2, 3, false});
// void *memchr(const void *src, int c, size_t count)
auto Memchr = Match({"memchr", None, 0, 2, false});
// void *memmove(void *dest, const void *src, size_t count)
auto Memmove = Match({"memmove", 0, 1, 2, false});
// errno_t memmove_s(void *dest, size_t ds, const void *src, size_t count)
auto Memmove_s = Match({"memmove_s", 0, 2, 3, false});
// int strncmp(const char *str1, const char *str2, size_t count);
auto StrncmpRHS = Match({"strncmp", None, 1, 2, true});
auto StrncmpLHS = Match({"strncmp", None, 0, 2, true});
// size_t strxfrm(char *dest, const char *src, size_t count);
auto Strxfrm = Match({"strxfrm", 0, 1, 2, false});
// errno_t strerror_s(char *buffer, size_t bufferSize, int errnum);
auto Strerror_s = Match({"strerror_s", 0, None, 1, false});
auto AnyOfMatchers = anyOf(Memcpy, Memcpy_s, Memmove, Memmove_s, StrncmpRHS,
StrncmpLHS, Strxfrm, Strerror_s);
Finder->addMatcher(callExpr(AnyOfMatchers).bind(FunctionExprName), this);
// Need to remove the CastExpr from 'memchr()' as 'strchr()' returns 'char *'.
Finder->addMatcher(
callExpr(Memchr,
unless(hasAncestor(castExpr(unless(implicitCastExpr())))))
.bind(FunctionExprName),
this);
Finder->addMatcher(
castExpr(allOf(unless(implicitCastExpr()),
has(callExpr(Memchr).bind(FunctionExprName))))
.bind(CastExprName),
this);
}
void NotNullTerminatedResultCheck::check(
const MatchFinder::MatchResult &Result) {
const auto *FunctionExpr = Result.Nodes.getNodeAs<CallExpr>(FunctionExprName);
if (FunctionExpr->getBeginLoc().isMacroID())
return;
if (WantToUseSafeFunctions && PP->isMacroDefined("__STDC_LIB_EXT1__")) {
Optional<bool> AreSafeFunctionsWanted;
Preprocessor::macro_iterator It = PP->macro_begin();
while (It != PP->macro_end() && !AreSafeFunctionsWanted.hasValue()) {
if (It->first->getName() == "__STDC_WANT_LIB_EXT1__") {
const auto *MI = PP->getMacroInfo(It->first);
const auto &T = MI->tokens().back();
StringRef ValueStr = StringRef(T.getLiteralData(), T.getLength());
llvm::APInt IntValue;
ValueStr.getAsInteger(10, IntValue);
AreSafeFunctionsWanted = IntValue.getZExtValue();
}
++It;
}
if (AreSafeFunctionsWanted.hasValue())
UseSafeFunctions = AreSafeFunctionsWanted.getValue();
}
StringRef Name = FunctionExpr->getDirectCallee()->getName();
if (Name.startswith("mem") || Name.startswith("wmem"))
memoryHandlerFunctionFix(Name, Result);
else if (Name == "strerror_s")
strerror_sFix(Result);
else if (Name.endswith("ncmp"))
ncmpFix(Name, Result);
else if (Name.endswith("xfrm"))
xfrmFix(Name, Result);
}
void NotNullTerminatedResultCheck::memoryHandlerFunctionFix(
StringRef Name, const MatchFinder::MatchResult &Result) {
if (isCorrectGivenLength(Result))
return;
if (Name.endswith("chr")) {
memchrFix(Name, Result);
return;
}
if ((Name.contains("cpy") || Name.contains("move")) &&
(isDestAndSrcEquals(Result) || isFixedGivenLengthAndUnknownSrc(Result)))
return;
auto Diag =
diag(Result.Nodes.getNodeAs<CallExpr>(FunctionExprName)->getBeginLoc(),
"the result from calling '%0' is not null-terminated")
<< Name;
if (Name.endswith("cpy")) {
memcpyFix(Name, Result, Diag);
} else if (Name.endswith("cpy_s")) {
memcpy_sFix(Name, Result, Diag);
} else if (Name.endswith("move")) {
memmoveFix(Name, Result, Diag);
} else if (Name.endswith("move_s")) {
isDestCapacityFix(Result, Diag);
lengthArgHandle(LengthHandleKind::Increase, Result, Diag);
}
}
void NotNullTerminatedResultCheck::memcpyFix(
StringRef Name, const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
bool IsOverflows = isDestCapacityFix(Result, Diag);
bool IsDestFixed = isDestExprFix(Result, Diag);
bool IsCopy =
isGivenLengthEqualToSrcLength(Result) || isDestBasedOnGivenLength(Result);
bool IsSafe = UseSafeFunctions && IsOverflows && isKnownDest(Result) &&
!isDestBasedOnGivenLength(Result);
bool IsDestLengthNotRequired =
IsSafe && getLangOpts().CPlusPlus &&
Result.Nodes.getNodeAs<ArrayType>(DestArrayTyName) && !IsDestFixed;
renameMemcpy(Name, IsCopy, IsSafe, Result, Diag);
if (IsSafe && !IsDestLengthNotRequired)
insertDestCapacityArg(IsOverflows, Name, Result, Diag);
if (IsCopy)
removeArg(2, Result, Diag);
if (!IsCopy && !IsSafe)
insertNullTerminatorExpr(Name, Result, Diag);
}
void NotNullTerminatedResultCheck::memcpy_sFix(
StringRef Name, const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
bool IsOverflows = isDestCapacityFix(Result, Diag);
bool IsDestFixed = isDestExprFix(Result, Diag);
bool RemoveDestLength = getLangOpts().CPlusPlus &&
Result.Nodes.getNodeAs<ArrayType>(DestArrayTyName) &&
!IsDestFixed;
bool IsCopy = isGivenLengthEqualToSrcLength(Result);
bool IsSafe = IsOverflows;
renameMemcpy(Name, IsCopy, IsSafe, Result, Diag);
if (!IsSafe || (IsSafe && RemoveDestLength))
removeArg(1, Result, Diag);
else if (IsOverflows && isKnownDest(Result))
lengthArgPosHandle(1, LengthHandleKind::Increase, Result, Diag);
if (IsCopy)
removeArg(3, Result, Diag);
if (!IsCopy && !IsSafe)
insertNullTerminatorExpr(Name, Result, Diag);
}
void NotNullTerminatedResultCheck::memchrFix(
StringRef Name, const MatchFinder::MatchResult &Result) {
const auto *FunctionExpr = Result.Nodes.getNodeAs<CallExpr>(FunctionExprName);
if (const auto GivenCL = dyn_cast<CharacterLiteral>(FunctionExpr->getArg(1)))
if (GivenCL->getValue() != 0)
return;
auto Diag = diag(FunctionExpr->getArg(2)->IgnoreParenCasts()->getBeginLoc(),
"the length is too short to include the null terminator");
if (const auto *CastExpr = Result.Nodes.getNodeAs<Expr>(CastExprName)) {
const auto CastRemoveFix = FixItHint::CreateRemoval(
SourceRange(CastExpr->getBeginLoc(),
FunctionExpr->getBeginLoc().getLocWithOffset(-1)));
Diag << CastRemoveFix;
}
StringRef NewFuncName = (Name[0] != 'w') ? "strchr" : "wcschr";
renameFunc(NewFuncName, Result, Diag);
removeArg(2, Result, Diag);
}
void NotNullTerminatedResultCheck::memmoveFix(
StringRef Name, const MatchFinder::MatchResult &Result,
DiagnosticBuilder &Diag) {
bool IsOverflows = isDestCapacityFix(Result, Diag);
if (UseSafeFunctions && isKnownDest(Result)) {
renameFunc((Name[0] != 'w') ? "memmove_s" : "wmemmove_s", Result, Diag);
insertDestCapacityArg(IsOverflows, Name, Result, Diag);
}
lengthArgHandle(LengthHandleKind::Increase, Result, Diag);
}
void NotNullTerminatedResultCheck::strerror_sFix(
const MatchFinder::MatchResult &Result) {
auto Diag =
diag(Result.Nodes.getNodeAs<CallExpr>(FunctionExprName)->getBeginLoc(),
"the result from calling 'strerror_s' is not null-terminated and "
"missing the last character of the error message");
isDestCapacityFix(Result, Diag);
lengthArgHandle(LengthHandleKind::Increase, Result, Diag);
}
void NotNullTerminatedResultCheck::ncmpFix(
StringRef Name, const MatchFinder::MatchResult &Result) {
const auto *FunctionExpr = Result.Nodes.getNodeAs<CallExpr>(FunctionExprName);
const Expr *FirstArgExpr = FunctionExpr->getArg(0)->IgnoreImpCasts();
const Expr *SecondArgExpr = FunctionExpr->getArg(1)->IgnoreImpCasts();
bool IsLengthTooLong = false;
if (const CallExpr *StrlenExpr = getStrlenExpr(Result)) {
const Expr *LengthExprArg = StrlenExpr->getArg(0);
StringRef FirstExprStr = exprToStr(FirstArgExpr, Result).trim();
StringRef SecondExprStr = exprToStr(SecondArgExpr, Result).trim();
StringRef LengthArgStr = exprToStr(LengthExprArg, Result).trim();
IsLengthTooLong =
LengthArgStr == FirstExprStr || LengthArgStr == SecondExprStr;
} else {
int SrcLength =
getLength(Result.Nodes.getNodeAs<Expr>(SrcExprName), Result);
int GivenLength = getGivenLength(Result);
if (SrcLength != 0 && GivenLength != 0)
IsLengthTooLong = GivenLength > SrcLength;
}
if (!IsLengthTooLong && !isStringDataAndLength(Result))
return;
auto Diag = diag(FunctionExpr->getArg(2)->IgnoreParenCasts()->getBeginLoc(),
"comparison length is too long and might lead to a "
"buffer overflow");
lengthArgHandle(LengthHandleKind::Decrease, Result, Diag);
}
void NotNullTerminatedResultCheck::xfrmFix(
StringRef Name, const MatchFinder::MatchResult &Result) {
if (!isDestCapacityOverflows(Result))
return;
auto Diag =
diag(Result.Nodes.getNodeAs<CallExpr>(FunctionExprName)->getBeginLoc(),
"the result from calling '%0' is not null-terminated")
<< Name;
isDestCapacityFix(Result, Diag);
lengthArgHandle(LengthHandleKind::Increase, Result, Diag);
}
} // namespace bugprone
} // namespace tidy
} // namespace clang

clang-tools-extra/docs/ReleaseNotes.rst

Show First 20 LinesShow All 73 Lines▼ Show 20 Lines- New :doc:`bugprone-dynamic-static-initializers
dynamically in header files. dynamically in header files.
- New :doc:`bugprone-infinite-loop - New :doc:`bugprone-infinite-loop
<clang-tidy/checks/bugprone-infinite-loop>` check. <clang-tidy/checks/bugprone-infinite-loop>` check.
Finds obvious infinite loops (loops where the condition variable is not Finds obvious infinite loops (loops where the condition variable is not
changed at all). changed at all).
- New :doc:`bugprone-not-null-terminated-result
<clang-tidy/checks/bugprone-not-null-terminated-result>` check
Finds function calls where it is possible to cause a not null-terminated
result. Usually the proper length of a string is ``strlen(str) + 1`` or equal
length of this expression, because the null terminator needs an extra space.
Without the null terminator it can result in undefined behaviour when the
string is read.
- New :doc:`cppcoreguidelines-init-variables - New :doc:`cppcoreguidelines-init-variables
<clang-tidy/checks/cppcoreguidelines-init-variables>` check. <clang-tidy/checks/cppcoreguidelines-init-variables>` check.
- New :doc:`darwin-dispatch-once-nonstatic - New :doc:`darwin-dispatch-once-nonstatic
<clang-tidy/checks/darwin-dispatch-once-nonstatic>` check. <clang-tidy/checks/darwin-dispatch-once-nonstatic>` check.
Finds declarations of ``dispatch_once_t`` variables without static or global Finds declarations of ``dispatch_once_t`` variables without static or global
storage. storage.
▲ Show 20 LinesShow All 61 LinesShow Last 20 Lines

clang-tools-extra/docs/clang-tidy/checks/bugprone-not-null-terminated-result.rst

  • This file was added.
.. title:: clang-tidy - bugprone-not-null-terminated-result
bugprone-not-null-terminated-result
===================================
Finds function calls where it is possible to cause a not null-terminated result.
Usually the proper length of a string is ``strlen(src) + 1`` or equal length of
this expression, because the null terminator needs an extra space. Without the
null terminator it can result in undefined behaviour when the string is read.
The following and their respective ``wchar_t`` based functions are checked:
``memcpy``, ``memcpy_s``, ``memchr``, ``memmove``, ``memmove_s``,
``strerror_s``, ``strncmp``, ``strxfrm``
The following is a real-world example where the programmer forgot to increase
the passed third argument, which is ``size_t length``. That is why the length
of the allocated memory is not enough to hold the null terminator.
.. code-block:: c
static char *stringCpy(const std::string &str) {
char *result = reinterpret_cast<char *>(malloc(str.size()));
memcpy(result, str.data(), str.size());
return result;
}
In addition to issuing warnings, fix-it rewrites all the necessary code. It also
tries to adjust the capacity of the destination array:
.. code-block:: c
static char *stringCpy(const std::string &str) {
char *result = reinterpret_cast<char *>(malloc(str.size() + 1));
strcpy(result, str.data());
return result;
}
Note: It cannot guarantee to rewrite every of the path-sensitive memory
allocations.
.. _MemcpyTransformation:
Transformation rules of 'memcpy()'
----------------------------------
It is possible to rewrite the ``memcpy()`` and ``memcpy_s()`` calls as the
following four functions: ``strcpy()``, ``strncpy()``, ``strcpy_s()``,
``strncpy_s()``, where the latter two are the safer versions of the former two.
It rewrites the ``wchar_t`` based memory handler functions respectively.
Rewrite based on the destination array
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- If copy to the destination array cannot overflow [1] the new function should
be the older copy function (ending with ``cpy``), because it is more
efficient than the safe version.
- If copy to the destination array can overflow [1] and
``AreSafeFunctionsAvailable`` is set to ``Yes``, ``y`` or non-zero and it is
possible to obtain the capacity of the destination array then the new function
could be the safe version (ending with ``cpy_s``).
- If the new function is could be safe version and C++ files are analysed and
the destination array is plain ``char``/``wchar_t`` without ``un/signed`` then
the length of the destination array can be omitted.
- If the new function is could be safe version and the destination array is
``un/signed`` it needs to be casted to plain ``char *``/``wchar_t *``.
[1] It is possible to overflow:
- If the capacity of the destination array is unknown.
- If the given length is equal to the destination array's capacity.
Rewrite based on the length of the source string
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- If the given length is ``strlen(source)`` or equal length of this expression
then the new function should be the older copy function (ending with ``cpy``),
as it is more efficient than the safe version (ending with ``cpy_s``).
- Otherwise we assume that the programmer wanted to copy 'N' characters, so the
new function is ``ncpy``-like which copies 'N' characters.
Transformations with 'strlen()' or equal length of this expression
------------------------------------------------------------------
It transforms the ``wchar_t`` based memory and string handler functions
respectively (where only ``strerror_s`` does not have ``wchar_t`` based alias).
Memory handler functions
^^^^^^^^^^^^^^^^^^^^^^^^
- ``memcpy``: Visit the
:ref:`Transformation rules of 'memcpy()'<MemcpyTransformation>` section.
- ``memchr``:
- Usually there is a C-style cast and it is needed to be removed, because the
new function ``strchr``'s return type is correct.
- The given length is going to be removed.
- ``memmove``:
- If safe functions are available the new function is ``memmove_s``, which has
a new second argument which is the length of the destination array, it is
adjusted, and the length of the source string is incremented by one.
- If safe functions are not available the given length is incremented by one.
- ``memmove_s``: given length is incremented by one.
String handler functions
^^^^^^^^^^^^^^^^^^^^^^^^
- ``strerror_s``: given length is incremented by one.
- ``strncmp``: If the third argument is the first or the second argument's
``length + 1`` it has to be truncated without the ``+ 1`` operation.
- ``strxfrm``: given length is incremented by one.
Options
-------
.. option:: WantToUseSafeFunctions
An integer non-zero value specifying if the target environment is considered
to implement '_s' suffixed memory and string handler functions which are
safer than older versions (e.g. 'memcpy_s()'). The default value is ``1``.

clang-tools-extra/docs/clang-tidy/checks/list.rst

Show First 20 LinesShow All 54 Lines▼ Show 20 Lines.. toctree::
bugprone-integer-division bugprone-integer-division
bugprone-lambda-function-name bugprone-lambda-function-name
bugprone-macro-parentheses bugprone-macro-parentheses
bugprone-macro-repeated-side-effects bugprone-macro-repeated-side-effects
bugprone-misplaced-operator-in-strlen-in-alloc bugprone-misplaced-operator-in-strlen-in-alloc
bugprone-misplaced-widening-cast bugprone-misplaced-widening-cast
bugprone-move-forwarding-reference bugprone-move-forwarding-reference
bugprone-multiple-statement-macro bugprone-multiple-statement-macro
bugprone-not-null-terminated-result
bugprone-parent-virtual-call bugprone-parent-virtual-call
bugprone-posix-return bugprone-posix-return
bugprone-sizeof-container bugprone-sizeof-container
bugprone-sizeof-expression bugprone-sizeof-expression
bugprone-string-constructor bugprone-string-constructor
bugprone-string-integer-assignment bugprone-string-integer-assignment
bugprone-string-literal-with-embedded-nul bugprone-string-literal-with-embedded-nul
bugprone-suspicious-enum-usage bugprone-suspicious-enum-usage
▲ Show 20 LinesShow All 312 LinesShow Last 20 Lines

clang-tools-extra/test/clang-tidy/Inputs/bugprone-not-null-terminated-result/not-null-terminated-result-c.h

  • This file was added.
//===- not-null-terminated-result-c.h - Helper header -------------*- C -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This header helps to maintain every function call checked by the
// NotNullTerminatedResult checker.
//
//===----------------------------------------------------------------------===//
#pragma clang system_header
typedef unsigned int size_t;
typedef int errno_t;
size_t strlen(const char *str);
void *malloc(size_t size);
char *strerror(int errnum);
errno_t strerror_s(char *buffer, size_t bufferSize, int errnum);
char *strcpy(char *dest, const char *src);
errno_t strcpy_s(char *dest, size_t destSize, const char *src);
char *strncpy(char *dest, const char *src, size_t count);
errno_t strncpy_s(char *dest, size_t destSize, const char *src, size_t count);
void *memcpy(void *dest, const void *src, size_t count);
errno_t memcpy_s(void *dest, size_t destSize, const void *src, size_t count);
char *strchr(char *str, int c);
int strncmp(const char *str1, const char *str2, size_t count);
size_t strxfrm(char *dest, const char *src, size_t count);
void *memchr(const void *buffer, int c, size_t count);
void *memmove(void *dest, const void *src, size_t count);
errno_t memmove_s(void *dest, size_t destSize, const void *src, size_t count);
void *memset(void *dest, int c, size_t count);

clang-tools-extra/test/clang-tidy/Inputs/bugprone-not-null-terminated-result/not-null-terminated-result-cxx.h

  • This file was added.
//===- not-null-terminated-result-cxx.h - Helper header ---------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This header helps to maintain every function call checked by the
// NotNullTerminatedResult checker.
//
//===----------------------------------------------------------------------===//
#pragma clang system_header
#include "not-null-terminated-result-c.h"
namespace std {
template <typename T>
struct basic_string {
basic_string();
const T *data() const;
unsigned long size() const;
unsigned long length() const;
};
typedef basic_string<char> string;
} // namespace std
size_t wcslen(const wchar_t *str);
template <size_t size>
char *strcpy(char (&dest)[size], const char *src);
template <size_t size>
wchar_t *wcscpy(wchar_t (&dest)[size], const wchar_t *src);
wchar_t *wcscpy(wchar_t *dest, const wchar_t *src);
template <size_t size>
errno_t strcpy_s(char (&dest)[size], const char *src);
template <size_t size>
errno_t wcscpy_s(wchar_t (&dest)[size], const wchar_t *src);
errno_t wcscpy_s(wchar_t *dest, size_t destSize, const wchar_t *src);
template <size_t size>
char *strncpy(char (&dest)[size], const char *src, size_t count);
template <size_t size>
wchar_t *wcsncpy(wchar_t (&dest)[size], const wchar_t *src, size_t count);
wchar_t *wcsncpy(wchar_t *dest, const wchar_t *src, size_t count);
template <size_t size>
errno_t strncpy_s(char (&dest)[size], const char *src, size_t count);
template <size_t size>
errno_t wcsncpy_s(wchar_t (&dest)[size], const wchar_t *src, size_t length);
errno_t wcsncpy_s(wchar_t *dest, size_t destSize, const wchar_t *src, size_t c);
wchar_t *wmemcpy(wchar_t *dest, const wchar_t *src, size_t count);
errno_t wmemcpy_s(wchar_t *dest, size_t destSize, const wchar_t *src, size_t c);
wchar_t *wcschr(const wchar_t *str, int c);
int wcsncmp(const wchar_t *str1, const wchar_t *str2, size_t count);
size_t wcsxfrm(wchar_t *dest, const wchar_t *src, size_t count);
void *wmemchr(const void *buffer, int c, size_t count);
void *wmemmove(void *dest, const void *src, size_t count);
errno_t wmemmove_s(void *dest, size_t destSize, const void *src, size_t count);
void *wmemset(void *dest, int c, size_t count);

clang-tools-extra/test/clang-tidy/bugprone-not-null-terminated-result-in-initialization-strlen.c

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-not-null-terminated-result %t -- \
// RUN: -- -std=c11 -I %S/Inputs/bugprone-not-null-terminated-result
#include "not-null-terminated-result-c.h"
void path_sensitive_unknown_length(char *position, const char *src) {
int length;
length = strlen(src);
position = (char *)memchr(src, '\0', length);
}
void bad_memchr(char *position, const char *src) {
int length = strlen(src);
position = (char *)memchr(src, '\0', length);
// CHECK-MESSAGES: :[[@LINE-1]]:40: warning: the length is too short to include the null terminator [bugprone-not-null-terminated-result]
// CHECK-FIXES: position = strchr(src, '\0');
}
void good_memchr(char *pos, const char *src) {
pos = strchr(src, '\0');
}
void bad_strerror_s(int errno) {
char dest[13];
int length = strlen(strerror(errno));
strerror_s(dest, length, errno);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'strerror_s' is not null-terminated and missing the last character of the error message [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest[14];
// CHECK-FIXES-NEXT: int length = strlen(strerror(errno));
// CHECK-FIXES-NEXT: strerror_s(dest, length + 1, errno);
}
void good_strerror_s(int errno) {
char dst[14];
int length = strlen(strerror(errno));
strerror_s(dst, length + 1, errno);
}
int bad_strncmp_1(char *str1, const char *str2) {
int length = strlen(str1) + 1;
return strncmp(str1, str2, length);
// CHECK-MESSAGES: :[[@LINE-1]]:30: warning: comparison length is too long and might lead to a buffer overflow [bugprone-not-null-terminated-result]
// CHECK-FIXES: strncmp(str1, str2, length - 1);
}
int good_strncmp_1(char *str1, const char *str2) {
int length = strlen(str1) + 1;
return strncmp(str1, str2, length - 1);
}
int bad_strncmp_2(char *str2) {
return strncmp(str2, "foobar", (strlen("foobar") + 1));
// CHECK-MESSAGES: :[[@LINE-1]]:35: warning: comparison length is too long and might lead to a buffer overflow [bugprone-not-null-terminated-result]
// CHECK-FIXES: strncmp(str2, "foobar", (strlen("foobar")));
}
int bad_strncmp_3(char *str3) {
return strncmp(str3, "foobar", 1 + strlen("foobar"));
// CHECK-MESSAGES: :[[@LINE-1]]:34: warning: comparison length is too long and might lead to a buffer overflow [bugprone-not-null-terminated-result]
// CHECK-FIXES: strncmp(str3, "foobar", strlen("foobar"));
}
int good_strncmp_2_3(char *str) {
return strncmp(str, "foobar", strlen("foobar"));
}
void bad_strxfrm(const char *long_source_name) {
char long_destination_name[13];
int very_long_length_definition_name = strlen(long_source_name);
strxfrm(long_destination_name, long_source_name,
very_long_length_definition_name);
// CHECK-MESSAGES: :[[@LINE-2]]:3: warning: the result from calling 'strxfrm' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char long_destination_name[14];
// CHECK-FIXES-NEXT: int very_long_length_definition_name = strlen(long_source_name);
// CHECK-FIXES-NEXT: strxfrm(long_destination_name, long_source_name,
// CHECK-FIXES-NEXT: very_long_length_definition_name + 1);
}
void good_strxfrm(const char *long_source_name) {
char long_destination_name[14];
int very_long_length_definition_name = strlen(long_source_name);
strxfrm(long_destination_name, long_source_name,
very_long_length_definition_name + 1);
}

clang-tools-extra/test/clang-tidy/bugprone-not-null-terminated-result-memcpy-before-safe.c

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-not-null-terminated-result %t -- \
// RUN: -config="{CheckOptions: \
// RUN: [{key: bugprone-not-null-terminated-result.WantToUseSafeFunctions, \
// RUN: value: 1}]}" \
// RUN: -- -std=c11 -I %S/Inputs/bugprone-not-null-terminated-result
#include "not-null-terminated-result-c.h"
// The following is not defined therefore the safe functions are unavailable.
// #define __STDC_LIB_EXT1__ 1
#define __STDC_WANT_LIB_EXT1__ 1
//===----------------------------------------------------------------------===//
// memcpy() - destination array tests
//===----------------------------------------------------------------------===//
void bad_memcpy_not_just_char_dest(const char *src) {
unsigned char dest00[13];
memcpy(dest00, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: unsigned char dest00[14];
// CHECK-FIXES-NEXT: strcpy((char *)dest00, src);
}
void good_memcpy_not_just_char_dest(const char *src) {
unsigned char dst00[14];
strcpy((char *)dst00, src);
}
void bad_memcpy_known_dest(const char *src) {
char dest01[13];
memcpy(dest01, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: strcpy(dest01, src);
}
void good_memcpy_known_dest(const char *src) {
char dst01[13];
strcpy(dst01, src);
}
//===----------------------------------------------------------------------===//
// memcpy() - length tests
//===----------------------------------------------------------------------===//
void bad_memcpy_full_source_length(const char *src) {
char dest20[13];
memcpy(dest20, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: strcpy(dest20, src);
}
void good_memcpy_full_source_length(const char *src) {
char dst20[13];
strcpy(dst20, src);
}
void bad_memcpy_partial_source_length(const char *src) {
char dest21[13];
memcpy(dest21, src, strlen(src) - 1);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: strncpy(dest21, src, strlen(src) - 1);
// CHECK-FIXES-NEXT: dest21[strlen(src) - 1] = '\0';
}
void good_memcpy_partial_source_length(const char *src) {
char dst21[13];
strncpy(dst21, src, strlen(src) - 1);
dst21[strlen(src) - 1] = '\0';
}

clang-tools-extra/test/clang-tidy/bugprone-not-null-terminated-result-memcpy-safe-cxx.cpp

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-not-null-terminated-result %t -- \
// RUN: -- -std=c++11 -I %S/Inputs/bugprone-not-null-terminated-result
#include "not-null-terminated-result-cxx.h"
#define __STDC_LIB_EXT1__ 1
#define __STDC_WANT_LIB_EXT1__ 1
//===----------------------------------------------------------------------===//
// memcpy() - destination array tests
//===----------------------------------------------------------------------===//
void bad_memcpy_not_just_char_dest(const char *src) {
unsigned char dest00[13];
memcpy(dest00, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: unsigned char dest00[14];
// CHECK-FIXES-NEXT: strcpy_s((char *)dest00, 14, src);
}
void good_memcpy_not_just_char_dest(const char *src) {
unsigned char dst00[14];
strcpy_s((char *)dst00, 14, src);
}
void bad_memcpy_known_dest(const char *src) {
char dest01[13];
memcpy(dest01, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: dest01[14];
// CHECK-FIXES-NEXT: strcpy_s(dest01, src);
}
void good_memcpy_known_dest(const char *src) {
char dst01[14];
strcpy_s(dst01, src);
}
//===----------------------------------------------------------------------===//
// memcpy() - length tests
//===----------------------------------------------------------------------===//
void bad_memcpy_full_source_length(std::string src) {
char *dest20 = reinterpret_cast<char *>(malloc(src.size()));
memcpy(dest20, src.data(), src.size());
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: dest20 = reinterpret_cast<char *>(malloc(src.size() + 1));
// CHECK-FIXES-NEXT: strcpy(dest20, src.data());
}
void good_memcpy_full_source_length(std::string src) {
char dst20[14];
strcpy_s(dst20, src.data());
}
void bad_memcpy_partial_source_length(const char *src) {
char dest21[13];
memcpy(dest21, src, strlen(src) - 1);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest21[14];
// CHECK-FIXES-NEXT: strncpy_s(dest21, src, strlen(src) - 1);
}
void good_memcpy_partial_source_length(const char *src) {
char dst21[14];
strncpy_s(dst21, src, strlen(src) - 1);
}
//===----------------------------------------------------------------------===//
// memcpy_s() - destination array tests
//===----------------------------------------------------------------------===//
void bad_memcpy_s_unknown_dest(char *dest40, const char *src) {
memcpy_s(dest40, 13, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: strcpy_s(dest40, 13, src);
}
void good_memcpy_s_unknown_dest(char *dst40, const char *src) {
strcpy_s(dst40, 13, src);
}
void bad_memcpy_s_known_dest(const char *src) {
char dest41[13];
memcpy_s(dest41, 13, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest41[14];
// CHECK-FIXES: strcpy_s(dest41, src);
}
void good_memcpy_s_known_dest(const char *src) {
char dst41[14];
strcpy_s(dst41, src);
}
//===----------------------------------------------------------------------===//
// memcpy_s() - length tests
//===----------------------------------------------------------------------===//
void bad_memcpy_s_full_source_length(const char *src) {
char dest60[13];
memcpy_s(dest60, 13, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest60[14];
// CHECK-FIXES-NEXT: strcpy_s(dest60, src);
}
void good_memcpy_s_full_source_length(const char *src) {
char dst60[14];
strcpy_s(dst60, src);
}
void bad_memcpy_s_partial_source_length(const char *src) {
char dest61[13];
memcpy_s(dest61, 13, src, strlen(src) - 1);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest61[14];
// CHECK-FIXES-NEXT: strncpy_s(dest61, src, strlen(src) - 1);
}
void good_memcpy_s_partial_source_length(const char *src) {
char dst61[14];
strncpy_s(dst61, src, strlen(src) - 1);
}

clang-tools-extra/test/clang-tidy/bugprone-not-null-terminated-result-memcpy-safe-other.c

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-not-null-terminated-result %t -- \
// RUN: -- -std=c11 -I %S/Inputs/bugprone-not-null-terminated-result
#include "not-null-terminated-result-c.h"
#define __STDC_LIB_EXT1__ 1
#define __STDC_WANT_LIB_EXT1__ 1
#define SRC_LENGTH 3
#define SRC "foo"
//===----------------------------------------------------------------------===//
// False positive suppression.
//===----------------------------------------------------------------------===//
void good_memcpy_known_src() {
char dest[13];
char src[] = "foobar";
memcpy(dest, src, sizeof(src));
}
void good_memcpy_null_terminated(const char *src) {
char dest[13];
const int length = strlen(src);
memcpy(dest, src, length);
dest[length] = '\0';
}
void good_memcpy_proper_length(const char *src) {
char *dest = 0;
int length = strlen(src) + 1;
dest = (char *)malloc(length);
memcpy(dest, src, length);
}
void may_bad_memcpy_unknown_length(const char *src, int length) {
char dest[13];
memcpy(dest, src, length);
}
void may_bad_memcpy_const_length(const char *src) {
char dest[13];
memcpy(dest, src, 12);
}
//===----------------------------------------------------------------------===//
// Special cases.
//===----------------------------------------------------------------------===//
void bad_memcpy_unknown_dest(char *dest01, const char *src) {
memcpy(dest01, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: strcpy(dest01, src);
}
void good_memcpy_unknown_dest(char *dst01, const char *src) {
strcpy(dst01, src);
}
void bad_memcpy_variable_array(int dest_length) {
char dest02[dest_length + 1];
memcpy(dest02, "foobarbazqux", strlen("foobarbazqux"));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: strcpy(dest02, "foobarbazqux");
}
void good_memcpy_variable_array(int dest_length) {
char dst02[dest_length + 1];
strcpy(dst02, "foobarbazqux");
}
void bad_memcpy_equal_src_length_and_length() {
char dest03[13];
const char *src = "foobarbazqux";
memcpy(dest03, src, 12);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: strcpy(dest03, src);
}
void good_memcpy_equal_src_length_and_length() {
char dst03[13];
const char *src = "foobarbazqux";
strcpy(dst03, src);
}
void bad_memcpy_dest_size_overflows(const char *src) {
const int length = strlen(src);
char *dest04 = (char *)malloc(length);
memcpy(dest04, src, length);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char *dest04 = (char *)malloc(length + 1);
// CHECK-FIXES-NEXT: strcpy(dest04, src);
}
void good_memcpy_dest_size_overflows(const char *src) {
const int length = strlen(src);
char *dst04 = (char *)malloc(length + 1);
strcpy(dst04, src);
}
void bad_memcpy_macro() {
char dest05[SRC_LENGTH];
memcpy(dest05, SRC, SRC_LENGTH);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest05[SRC_LENGTH + 1];
// CHECK-FIXES-NEXT: strcpy(dest05, SRC);
}
void good_memcpy_macro() {
char dst05[SRC_LENGTH + 1];
strcpy(dst05, SRC);
}

clang-tools-extra/test/clang-tidy/bugprone-not-null-terminated-result-memcpy-safe.c

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-not-null-terminated-result %t -- \
// RUN: -- -std=c11 -I %S/Inputs/bugprone-not-null-terminated-result
#include "not-null-terminated-result-c.h"
#define __STDC_LIB_EXT1__ 1
#define __STDC_WANT_LIB_EXT1__ 1
//===----------------------------------------------------------------------===//
// memcpy() - destination array tests
//===----------------------------------------------------------------------===//
void bad_memcpy_not_just_char_dest(const char *src) {
unsigned char dest00[13];
memcpy(dest00, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: unsigned char dest00[14];
// CHECK-FIXES-NEXT: strcpy_s((char *)dest00, 14, src);
}
void good_memcpy_not_just_char_dest(const char *src) {
unsigned char dst00[14];
strcpy_s((char *)dst00, 14, src);
}
void bad_memcpy_known_dest(const char *src) {
char dest01[13];
memcpy(dest01, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest01[14];
// CHECK-FIXES: strcpy_s(dest01, 14, src);
}
void good_memcpy_known_dest(const char *src) {
char dst01[14];
strcpy_s(dst01, 14, src);
}
//===----------------------------------------------------------------------===//
// memcpy() - length tests
//===----------------------------------------------------------------------===//
void bad_memcpy_full_source_length(const char *src) {
char dest20[13];
memcpy(dest20, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest20[14];
// CHECK-FIXES-NEXT: strcpy_s(dest20, 14, src);
}
void good_memcpy_full_source_length(const char *src) {
char dst20[14];
strcpy_s(dst20, 14, src);
}
void bad_memcpy_partial_source_length(const char *src) {
char dest21[13];
memcpy(dest21, src, strlen(src) - 1);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest21[14];
// CHECK-FIXES-NEXT: strncpy_s(dest21, 14, src, strlen(src) - 1);
}
void good__memcpy_partial_source_length(const char *src) {
char dst21[14];
strncpy_s(dst21, 14, src, strlen(src) - 1);
}
//===----------------------------------------------------------------------===//
// memcpy_s() - destination array tests
//===----------------------------------------------------------------------===//
void bad_memcpy_s_unknown_dest(char *dest40, const char *src) {
memcpy_s(dest40, 13, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: strcpy_s(dest40, 13, src);
}
void good_memcpy_s_unknown_dest(char *dst40, const char *src) {
strcpy_s(dst40, 13, src);
}
void bad_memcpy_s_known_dest(const char *src) {
char dest41[13];
memcpy_s(dest41, 13, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest41[14];
// CHECK-FIXES-NEXT: strcpy_s(dest41, 14, src);
}
void good_memcpy_s_known_dest(const char *src) {
char dst41[14];
strcpy_s(dst41, 14, src);
}
//===----------------------------------------------------------------------===//
// memcpy_s() - length tests
//===----------------------------------------------------------------------===//
void bad_memcpy_s_full_source_length(const char *src) {
char dest60[13];
memcpy_s(dest60, 13, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest60[14];
// CHECK-FIXES-NEXT: strcpy_s(dest60, 14, src);
}
void good_memcpy_s_full_source_length(const char *src) {
char dst60[14];
strcpy_s(dst60, 14, src);
}
void bad_memcpy_s_partial_source_length(const char *src) {
char dest61[13];
memcpy_s(dest61, 13, src, strlen(src) - 1);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest61[14];
// CHECK-FIXES-NEXT: strncpy_s(dest61, 14, src, strlen(src) - 1);
}
void good_memcpy_s_partial_source_length(const char *src) {
char dst61[14];
strncpy_s(dst61, 14, src, strlen(src) - 1);
}

clang-tools-extra/test/clang-tidy/bugprone-not-null-terminated-result-strlen.c

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-not-null-terminated-result %t -- \
// RUN: -- -std=c11 -I %S/Inputs/bugprone-not-null-terminated-result
#include "not-null-terminated-result-c.h"
#define __STDC_LIB_EXT1__ 1
#define __STDC_WANT_LIB_EXT1__ 1
void bad_memchr_1(char *position, const char *src) {
position = (char *)memchr(src, '\0', strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:40: warning: the length is too short to include the null terminator [bugprone-not-null-terminated-result]
// CHECK-FIXES: position = strchr(src, '\0');
}
void good_memchr_1(char *pos, const char *src) {
pos = strchr(src, '\0');
}
void bad_memchr_2(char *position) {
position = (char *)memchr("foobar", '\0', 6);
// CHECK-MESSAGES: :[[@LINE-1]]:45: warning: the length is too short to include the null terminator [bugprone-not-null-terminated-result]
// CHECK-FIXES: position = strchr("foobar", '\0');
}
void good_memchr_2(char *pos) {
pos = strchr("foobar", '\0');
}
void bad_memmove(const char *src) {
char dest[13];
memmove(dest, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memmove' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest[14];
// CHECK-FIXES-NEXT: memmove_s(dest, 14, src, strlen(src) + 1);
}
void good_memmove(const char *src) {
char dst[14];
memmove_s(dst, 13, src, strlen(src) + 1);
}
void bad_memmove_s(char *dest, const char *src) {
memmove_s(dest, 13, src, strlen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'memmove_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: memmove_s(dest, 13, src, strlen(src) + 1);
}
void good_memmove_s_1(char *dest, const char *src) {
memmove_s(dest, 13, src, strlen(src) + 1);
}
void bad_strerror_s(int errno) {
char dest[13];
strerror_s(dest, strlen(strerror(errno)), errno);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'strerror_s' is not null-terminated and missing the last character of the error message [bugprone-not-null-terminated-result]
// CHECK-FIXES: char dest[14];
// CHECK-FIXES-NEXT: strerror_s(dest, strlen(strerror(errno)) + 1, errno);
}
void good_strerror_s(int errno) {
char dst[14];
strerror_s(dst, strlen(strerror(errno)) + 1, errno);
}
int bad_strncmp_1(char *str0, const char *str1) {
return strncmp(str0, str1, (strlen(str0) + 1));
// CHECK-MESSAGES: :[[@LINE-1]]:31: warning: comparison length is too long and might lead to a buffer overflow [bugprone-not-null-terminated-result]
// CHECK-FIXES: strncmp(str0, str1, (strlen(str0)));
}
int bad_strncmp_2(char *str2, const char *str3) {
return strncmp(str2, str3, 1 + strlen(str2));
// CHECK-MESSAGES: :[[@LINE-1]]:30: warning: comparison length is too long and might lead to a buffer overflow [bugprone-not-null-terminated-result]
// CHECK-FIXES: strncmp(str2, str3, strlen(str2));
}
int good_strncmp_1_2(char *str4, const char *str5) {
return strncmp(str4, str5, strlen(str4));
}
int bad_strncmp_3(char *str6) {
return strncmp(str6, "string", 7);
// CHECK-MESSAGES: :[[@LINE-1]]:34: warning: comparison length is too long and might lead to a buffer overflow [bugprone-not-null-terminated-result]
// CHECK-FIXES: strncmp(str6, "string", 6);
}
int good_strncmp_3(char *str7) {
return strncmp(str7, "string", 6);
}
void bad_strxfrm_1(const char *long_source_name) {
char long_destination_array_name[13];
strxfrm(long_destination_array_name, long_source_name,
strlen(long_source_name));
// CHECK-MESSAGES: :[[@LINE-2]]:3: warning: the result from calling 'strxfrm' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char long_destination_array_name[14];
// CHECK-FIXES-NEXT: strxfrm(long_destination_array_name, long_source_name,
// CHECK-FIXES-NEXT: strlen(long_source_name) + 1);
}
void good_strxfrm_1(const char *long_source_name) {
char long_destination_array_name[14];
strxfrm(long_destination_array_name, long_source_name,
strlen(long_source_name) + 1);
}
void bad_strxfrm_2() {
char long_destination_array_name1[16];
strxfrm(long_destination_array_name1, "long_source_name", 16);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'strxfrm' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: char long_destination_array_name1[17];
// CHECK-FIXES: strxfrm(long_destination_array_name1, "long_source_name", 17);
}
void good_strxfrm_2() {
char long_destination_array_name2[17];
strxfrm(long_destination_array_name2, "long_source_name", 17);
}

clang-tools-extra/test/clang-tidy/bugprone-not-null-terminated-result-wcslen.cpp

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-not-null-terminated-result %t -- \
// RUN: -- -std=c++11 -I %S/Inputs/bugprone-not-null-terminated-result
#include "not-null-terminated-result-cxx.h"
#define __STDC_LIB_EXT1__ 1
#define __STDC_WANT_LIB_EXT1__ 1
void bad_wmemchr_1(wchar_t *position, const wchar_t *src) {
position = (wchar_t *)wmemchr(src, L'\0', wcslen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:45: warning: the length is too short to include the null terminator [bugprone-not-null-terminated-result]
// CHECK-FIXES: position = wcschr(src, L'\0');
}
void good_wmemchr_1(wchar_t *pos, const wchar_t *src) {
pos = wcschr(src, L'\0');
}
void bad_wmemchr_2(wchar_t *position) {
position = (wchar_t *)wmemchr(L"foobar", L'\0', 6);
// CHECK-MESSAGES: :[[@LINE-1]]:51: warning: the length is too short to include the null terminator [bugprone-not-null-terminated-result]
// CHECK-FIXES: position = wcschr(L"foobar", L'\0');
}
void good_wmemchr_2(wchar_t *pos) {
pos = wcschr(L"foobar", L'\0');
}
void bad_wmemmove(const wchar_t *src) {
wchar_t dest[13];
wmemmove(dest, src, wcslen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wmemmove' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wchar_t dest[14];
// CHECK-FIXES-NEXT: wmemmove_s(dest, 14, src, wcslen(src) + 1);
}
void good_wmemmove(const wchar_t *src) {
wchar_t dst[14];
wmemmove_s(dst, 13, src, wcslen(src) + 1);
}
void bad_wmemmove_s(wchar_t *dest, const wchar_t *src) {
wmemmove_s(dest, 13, src, wcslen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wmemmove_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wmemmove_s(dest, 13, src, wcslen(src) + 1);
}
void good_wmemmove_s_1(wchar_t *dest, const wchar_t *src) {
wmemmove_s(dest, 13, src, wcslen(src) + 1);
}
int bad_wcsncmp_1(wchar_t *wcs0, const wchar_t *wcs1) {
return wcsncmp(wcs0, wcs1, (wcslen(wcs0) + 1));
// CHECK-MESSAGES: :[[@LINE-1]]:31: warning: comparison length is too long and might lead to a buffer overflow [bugprone-not-null-terminated-result]
// CHECK-FIXES: wcsncmp(wcs0, wcs1, (wcslen(wcs0)));
}
int bad_wcsncmp_2(wchar_t *wcs2, const wchar_t *wcs3) {
return wcsncmp(wcs2, wcs3, 1 + wcslen(wcs2));
// CHECK-MESSAGES: :[[@LINE-1]]:30: warning: comparison length is too long and might lead to a buffer overflow [bugprone-not-null-terminated-result]
// CHECK-FIXES: wcsncmp(wcs2, wcs3, wcslen(wcs2));
}
int good_wcsncmp_1_2(wchar_t *wcs4, const wchar_t *wcs5) {
return wcsncmp(wcs4, wcs5, wcslen(wcs4));
}
int bad_wcsncmp_3(wchar_t *wcs6) {
return wcsncmp(wcs6, L"string", 7);
// CHECK-MESSAGES: :[[@LINE-1]]:35: warning: comparison length is too long and might lead to a buffer overflow [bugprone-not-null-terminated-result]
// CHECK-FIXES: wcsncmp(wcs6, L"string", 6);
}
int good_wcsncmp_3(wchar_t *wcs7) {
return wcsncmp(wcs7, L"string", 6);
}
void bad_wcsxfrm_1(const wchar_t *long_source_name) {
wchar_t long_destination_array_name[13];
wcsxfrm(long_destination_array_name, long_source_name,
wcslen(long_source_name));
// CHECK-MESSAGES: :[[@LINE-2]]:3: warning: the result from calling 'wcsxfrm' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wchar_t long_destination_array_name[14];
// CHECK-FIXES-NEXT: wcsxfrm(long_destination_array_name, long_source_name,
// CHECK-FIXES-NEXT: wcslen(long_source_name) + 1);
}
void good_wcsxfrm_1(const wchar_t *long_source_name) {
wchar_t long_destination_array_name[14];
wcsxfrm(long_destination_array_name, long_source_name,
wcslen(long_source_name) + 1);
}
void bad_wcsxfrm_2() {
wchar_t long_destination_array_name1[16];
wcsxfrm(long_destination_array_name1, L"long_source_name", 16);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wcsxfrm' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wchar_t long_destination_array_name1[17];
// CHECK-FIXES: wcsxfrm(long_destination_array_name1, L"long_source_name", 17);
}
void good_wcsxfrm_2() {
wchar_t long_destination_array_name2[17];
wcsxfrm(long_destination_array_name2, L"long_source_name", 17);
}

clang-tools-extra/test/clang-tidy/bugprone-not-null-terminated-result-wmemcpy-safe-cxx.cpp

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-not-null-terminated-result %t -- \
// RUN: -- -std=c++11 -I %S/Inputs/bugprone-not-null-terminated-result
#include "not-null-terminated-result-cxx.h"
#define __STDC_LIB_EXT1__ 1
#define __STDC_WANT_LIB_EXT1__ 1
//===----------------------------------------------------------------------===//
// wmemcpy() - destination array tests
//===----------------------------------------------------------------------===//
void bad_wmemcpy_known_dest(const wchar_t *src) {
wchar_t dest01[13];
wmemcpy(dest01, src, wcslen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wmemcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wchar_t dest01[14];
// CHECK-FIXES-NEXT: wcscpy_s(dest01, src);
}
void good_wmemcpy_known_dest(const wchar_t *src) {
wchar_t dst01[14];
wcscpy_s(dst01, src);
}
//===----------------------------------------------------------------------===//
// wmemcpy() - length tests
//===----------------------------------------------------------------------===//
void bad_wmemcpy_full_source_length(const wchar_t *src) {
wchar_t dest20[13];
wmemcpy(dest20, src, wcslen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wmemcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wchar_t dest20[14];
// CHECK-FIXES-NEXT: wcscpy_s(dest20, src);
}
void good_wmemcpy_full_source_length(const wchar_t *src) {
wchar_t dst20[14];
wcscpy_s(dst20, src);
}
void bad_wmemcpy_partial_source_length(const wchar_t *src) {
wchar_t dest21[13];
wmemcpy(dest21, src, wcslen(src) - 1);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wmemcpy' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wchar_t dest21[14];
// CHECK-FIXES-NEXT: wcsncpy_s(dest21, src, wcslen(src) - 1);
}
void good_wmemcpy_partial_source_length(const wchar_t *src) {
wchar_t dst21[14];
wcsncpy_s(dst21, src, wcslen(src) - 1);
}
//===----------------------------------------------------------------------===//
// wmemcpy_s() - destination array tests
//===----------------------------------------------------------------------===//
void bad_wmemcpy_s_unknown_dest(wchar_t *dest40, const wchar_t *src) {
wmemcpy_s(dest40, 13, src, wcslen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wmemcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wcscpy_s(dest40, 13, src);
}
void good_wmemcpy_s_unknown_dest(wchar_t *dst40, const wchar_t *src) {
wcscpy_s(dst40, 13, src);
}
void bad_wmemcpy_s_known_dest(const wchar_t *src) {
wchar_t dest41[13];
wmemcpy_s(dest41, 13, src, wcslen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wmemcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wchar_t dest41[14];
// CHECK-FIXES-NEXT: wcscpy_s(dest41, src);
}
void good_wmemcpy_s_known_dest(const wchar_t *src) {
wchar_t dst41[13];
wcscpy_s(dst41, src);
}
//===----------------------------------------------------------------------===//
// wmemcpy_s() - length tests
//===----------------------------------------------------------------------===//
void bad_wmemcpy_s_full_source_length(const wchar_t *src) {
wchar_t dest60[13];
wmemcpy_s(dest60, 13, src, wcslen(src));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wmemcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wchar_t dest60[14];
// CHECK-FIXES-NEXT: wcscpy_s(dest60, src);
}
void good_wmemcpy_s_full_source_length(const wchar_t *src) {
wchar_t dst60[13];
wcscpy_s(dst60, src);
}
void bad_wmemcpy_s_partial_source_length(const wchar_t *src) {
wchar_t dest61[13];
wmemcpy_s(dest61, 13, src, wcslen(src) - 1);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: the result from calling 'wmemcpy_s' is not null-terminated [bugprone-not-null-terminated-result]
// CHECK-FIXES: wchar_t dest61[14];
// CHECK-FIXES-NEXT: wcsncpy_s(dest61, src, wcslen(src) - 1);
}
void good_wmemcpy_s_partial_source_length(const wchar_t *src) {
wchar_t dst61[13];
wcsncpy_s(dst61, src, wcslen(src) - 1);
}