/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | //===- EnumCastOutOfRangeChecker.cpp ---------------------------*- C++ -*--===// |
2 | | // |
3 | | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
4 | | // See https://llvm.org/LICENSE.txt for license information. |
5 | | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
6 | | // |
7 | | //===----------------------------------------------------------------------===// |
8 | | // |
9 | | // The EnumCastOutOfRangeChecker is responsible for checking integer to |
10 | | // enumeration casts that could result in undefined values. This could happen |
11 | | // if the value that we cast from is out of the value range of the enumeration. |
12 | | // Reference: |
13 | | // [ISO/IEC 14882-2014] ISO/IEC 14882-2014. |
14 | | // Programming Languages — C++, Fourth Edition. 2014. |
15 | | // C++ Standard, [dcl.enum], in paragraph 8, which defines the range of an enum |
16 | | // C++ Standard, [expr.static.cast], paragraph 10, which defines the behaviour |
17 | | // of casting an integer value that is out of range |
18 | | // SEI CERT C++ Coding Standard, INT50-CPP. Do not cast to an out-of-range |
19 | | // enumeration value |
20 | | //===----------------------------------------------------------------------===// |
21 | | |
22 | | #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" |
23 | | #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" |
24 | | #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" |
25 | | #include <optional> |
26 | | |
27 | | using namespace clang; |
28 | | using namespace ento; |
29 | | |
30 | | namespace { |
31 | | // This evaluator checks two SVals for equality. The first SVal is provided via |
32 | | // the constructor, the second is the parameter of the overloaded () operator. |
33 | | // It uses the in-built ConstraintManager to resolve the equlity to possible or |
34 | | // not possible ProgramStates. |
35 | | class ConstraintBasedEQEvaluator { |
36 | | const DefinedOrUnknownSVal CompareValue; |
37 | | const ProgramStateRef PS; |
38 | | SValBuilder &SVB; |
39 | | |
40 | | public: |
41 | | ConstraintBasedEQEvaluator(CheckerContext &C, |
42 | | const DefinedOrUnknownSVal CompareValue) |
43 | 110 | : CompareValue(CompareValue), PS(C.getState()), SVB(C.getSValBuilder()) {} |
44 | | |
45 | 447 | bool operator()(const llvm::APSInt &EnumDeclInitValue) { |
46 | 447 | DefinedOrUnknownSVal EnumDeclValue = SVB.makeIntVal(EnumDeclInitValue); |
47 | 447 | DefinedOrUnknownSVal ElemEqualsValueToCast = |
48 | 447 | SVB.evalEQ(PS, EnumDeclValue, CompareValue); |
49 | | |
50 | 447 | return static_cast<bool>(PS->assume(ElemEqualsValueToCast, true)); |
51 | 447 | } |
52 | | }; |
53 | | |
54 | | // This checker checks CastExpr statements. |
55 | | // If the value provided to the cast is one of the values the enumeration can |
56 | | // represent, the said value matches the enumeration. If the checker can |
57 | | // establish the impossibility of matching it gives a warning. |
58 | | // Being conservative, it does not warn if there is slight possibility the |
59 | | // value can be matching. |
60 | | class EnumCastOutOfRangeChecker : public Checker<check::PreStmt<CastExpr>> { |
61 | | mutable std::unique_ptr<BugType> EnumValueCastOutOfRange; |
62 | | void reportWarning(CheckerContext &C, const CastExpr *CE, |
63 | | const EnumDecl *E) const; |
64 | | |
65 | | public: |
66 | | void checkPreStmt(const CastExpr *CE, CheckerContext &C) const; |
67 | | }; |
68 | | |
69 | | using EnumValueVector = llvm::SmallVector<llvm::APSInt, 6>; |
70 | | |
71 | | // Collects all of the values an enum can represent (as SVals). |
72 | 113 | EnumValueVector getDeclValuesForEnum(const EnumDecl *ED) { |
73 | 113 | EnumValueVector DeclValues( |
74 | 113 | std::distance(ED->enumerator_begin(), ED->enumerator_end())); |
75 | 113 | llvm::transform(ED->enumerators(), DeclValues.begin(), |
76 | 546 | [](const EnumConstantDecl *D) { return D->getInitVal(); }); |
77 | 113 | return DeclValues; |
78 | 113 | } |
79 | | } // namespace |
80 | | |
81 | | void EnumCastOutOfRangeChecker::reportWarning(CheckerContext &C, |
82 | | const CastExpr *CE, |
83 | 60 | const EnumDecl *E) const { |
84 | 60 | assert(E && "valid EnumDecl* is expected"); |
85 | 60 | if (const ExplodedNode *N = C.generateNonFatalErrorNode()) { |
86 | 60 | if (!EnumValueCastOutOfRange) |
87 | 2 | EnumValueCastOutOfRange.reset( |
88 | 2 | new BugType(this, "Enum cast out of range")); |
89 | | |
90 | 60 | llvm::SmallString<128> Msg{"The value provided to the cast expression is " |
91 | 60 | "not in the valid range of values for "}; |
92 | 60 | StringRef EnumName{E->getName()}; |
93 | 60 | if (EnumName.empty()) { |
94 | 1 | Msg += "the enum"; |
95 | 59 | } else { |
96 | 59 | Msg += '\''; |
97 | 59 | Msg += EnumName; |
98 | 59 | Msg += '\''; |
99 | 59 | } |
100 | | |
101 | 60 | auto BR = std::make_unique<PathSensitiveBugReport>(*EnumValueCastOutOfRange, |
102 | 60 | Msg, N); |
103 | 60 | bugreporter::trackExpressionValue(N, CE->getSubExpr(), *BR); |
104 | 60 | BR->addNote("enum declared here", |
105 | 60 | PathDiagnosticLocation::create(E, C.getSourceManager()), |
106 | 60 | {E->getSourceRange()}); |
107 | 60 | C.emitReport(std::move(BR)); |
108 | 60 | } |
109 | 60 | } |
110 | | |
111 | | void EnumCastOutOfRangeChecker::checkPreStmt(const CastExpr *CE, |
112 | 144 | CheckerContext &C) const { |
113 | | |
114 | | // Only perform enum range check on casts where such checks are valid. For |
115 | | // all other cast kinds (where enum range checks are unnecessary or invalid), |
116 | | // just return immediately. TODO: The set of casts allowed for enum range |
117 | | // checking may be incomplete. Better to add a missing cast kind to enable a |
118 | | // missing check than to generate false negatives and have to remove those |
119 | | // later. |
120 | 144 | switch (CE->getCastKind()) { |
121 | 113 | case CK_IntegralCast: |
122 | 113 | break; |
123 | | |
124 | 31 | default: |
125 | 31 | return; |
126 | 31 | break0 ; |
127 | 144 | } |
128 | | |
129 | | // Get the value of the expression to cast. |
130 | 113 | const std::optional<DefinedOrUnknownSVal> ValueToCast = |
131 | 113 | C.getSVal(CE->getSubExpr()).getAs<DefinedOrUnknownSVal>(); |
132 | | |
133 | | // If the value cannot be reasoned about (not even a DefinedOrUnknownSVal), |
134 | | // don't analyze further. |
135 | 113 | if (!ValueToCast) |
136 | 0 | return; |
137 | | |
138 | 113 | const QualType T = CE->getType(); |
139 | | // Check whether the cast type is an enum. |
140 | 113 | if (!T->isEnumeralType()) |
141 | 0 | return; |
142 | | |
143 | | // If the cast is an enum, get its declaration. |
144 | | // If the isEnumeralType() returned true, then the declaration must exist |
145 | | // even if it is a stub declaration. It is up to the getDeclValuesForEnum() |
146 | | // function to handle this. |
147 | 113 | const EnumDecl *ED = T->castAs<EnumType>()->getDecl(); |
148 | | |
149 | 113 | EnumValueVector DeclValues = getDeclValuesForEnum(ED); |
150 | | |
151 | | // If the declarator list is empty, bail out. |
152 | | // Every initialization an enum with a fixed underlying type but without any |
153 | | // enumerators would produce a warning if we were to continue at this point. |
154 | | // The most notable example is std::byte in the C++17 standard library. |
155 | 113 | if (DeclValues.size() == 0) |
156 | 3 | return; |
157 | | |
158 | | // Check if any of the enum values possibly match. |
159 | 110 | bool PossibleValueMatch = |
160 | 110 | llvm::any_of(DeclValues, ConstraintBasedEQEvaluator(C, *ValueToCast)); |
161 | | |
162 | | // If there is no value that can possibly match any of the enum values, then |
163 | | // warn. |
164 | 110 | if (!PossibleValueMatch) |
165 | 60 | reportWarning(C, CE, ED); |
166 | 110 | } |
167 | | |
168 | 2 | void ento::registerEnumCastOutOfRangeChecker(CheckerManager &mgr) { |
169 | 2 | mgr.registerChecker<EnumCastOutOfRangeChecker>(); |
170 | 2 | } |
171 | | |
172 | 4 | bool ento::shouldRegisterEnumCastOutOfRangeChecker(const CheckerManager &mgr) { |
173 | 4 | return true; |
174 | 4 | } |