DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "SprintfLiteralChecker.h"
#include "CustomMatchers.h"

void SprintfLiteralChecker::registerMatchers(MatchFinder *AstMatcher) {
  AstMatcher->addMatcher(
      callExpr(
          isSnprintfLikeFunc(),
          allOf(hasArgument(
                    0, ignoringParenImpCasts(declRefExpr().bind("buffer"))),
                anyOf(hasArgument(1, sizeOfExpr(has(ignoringParenImpCasts(
                                         declRefExpr().bind("size"))))),
                      hasArgument(1, integerLiteral().bind("immediate")),
                      hasArgument(1, declRefExpr(to(varDecl(
                                         hasType(isConstQualified()),
                                         hasInitializer(integerLiteral().bind(
                                             "constant")))))))))
          .bind("funcCall"),
      this);
}

void SprintfLiteralChecker::check(const MatchFinder::MatchResult &Result) {
  if (!Result.Context->getLangOpts().CPlusPlus) {
    // SprintfLiteral is not usable in C, so there is no point in issuing these
    // warnings.
    return;
  }

  const char *Error =
      "Use %1 instead of %0 when writing into a character array.";
  const char *Note =
      "This will prevent passing in the wrong size to %0 accidentally.";

  const CallExpr *D = Result.Nodes.getNodeAs<CallExpr>("funcCall");

  StringRef Name = D->getDirectCallee()->getName();
  const char *Replacement;
  if (Name == "snprintf") {
    Replacement = "SprintfLiteral";
  } else {
    assert(Name == "vsnprintf");
    Replacement = "VsprintfLiteral";
  }

  const DeclRefExpr *Buffer = Result.Nodes.getNodeAs<DeclRefExpr>("buffer");
  const DeclRefExpr *Size = Result.Nodes.getNodeAs<DeclRefExpr>("size");
  if (Size) {
    // Match calls like snprintf(x, sizeof(x), ...).
    if (Buffer->getFoundDecl() != Size->getFoundDecl()) {
      return;
    }

    diag(D->getBeginLoc(), Error, DiagnosticIDs::Error) << Name << Replacement;
    diag(D->getBeginLoc(), Note, DiagnosticIDs::Note) << Name;
    return;
  }

  const QualType QType = Buffer->getType();
  const ConstantArrayType *Type =
      dyn_cast<ConstantArrayType>(QType.getTypePtrOrNull());
  if (Type) {
    // Match calls like snprintf(x, 100, ...), where x is int[100];
    const IntegerLiteral *Literal =
        Result.Nodes.getNodeAs<IntegerLiteral>("immediate");
    if (!Literal) {
      // Match calls like: const int y = 100; snprintf(x, y, ...);
      Literal = Result.Nodes.getNodeAs<IntegerLiteral>("constant");
    }

    // We're going to assume here that the bitwidth of both of these values fits
    // within 64 bits. and zero-extend both values to 64-bits before comparing
    // them.
    uint64_t Size = Type->getSize().getZExtValue();
    uint64_t Lit = Literal->getValue().getZExtValue();
    if (Size <= Lit) {
      diag(D->getBeginLoc(), Error, DiagnosticIDs::Error)
          << Name << Replacement;
      diag(D->getBeginLoc(), Note, DiagnosticIDs::Note) << Name;
    }
  }
}