From 266e3dda1746bbb8008c8162df398df9b502561b Mon Sep 17 00:00:00 2001
From: Peter Collingbourne <peter@pcc.me.uk>
Date: Thu, 8 Dec 2011 08:31:14 +0000
Subject: [PATCH] Add an experimental MallocSizeofChecker, which reports
 inconsistencies between the casted type of the return value of a
 malloc/calloc/realloc call and the operand of any sizeof expressions
 contained within its argument(s).

llvm-svn: 146144
---
 .../StaticAnalyzer/Checkers/CMakeLists.txt    |   1 +
 clang/lib/StaticAnalyzer/Checkers/Checkers.td |   4 +
 .../Checkers/MallocSizeofChecker.cpp          | 208 ++++++++++++++++++
 clang/test/Analysis/malloc-sizeof.c           |  27 +++
 4 files changed, 240 insertions(+)
 create mode 100644 clang/lib/StaticAnalyzer/Checkers/MallocSizeofChecker.cpp
 create mode 100644 clang/test/Analysis/malloc-sizeof.c

diff --git a/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt b/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
index 75f57ace888e..0cce86b9358a 100644
--- a/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
+++ b/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
@@ -37,6 +37,7 @@ add_clang_library(clangStaticAnalyzerCheckers
   MacOSXAPIChecker.cpp
   MallocChecker.cpp
   MallocOverflowSecurityChecker.cpp
+  MallocSizeofChecker.cpp
   NSAutoreleasePoolChecker.cpp
   NSErrorChecker.cpp
   NoReturnFunctionChecker.cpp
diff --git a/clang/lib/StaticAnalyzer/Checkers/Checkers.td b/clang/lib/StaticAnalyzer/Checkers/Checkers.td
index 2e763f6032c5..4b8da086d683 100644
--- a/clang/lib/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/lib/StaticAnalyzer/Checkers/Checkers.td
@@ -256,6 +256,10 @@ def MallocChecker : Checker<"Malloc">,
   HelpText<"Check for potential memory leaks, double free, and use-after-free problems">,
   DescFile<"MallocChecker.cpp">;
 
+def MallocSizeofChecker : Checker<"MallocSizeof">,
+  HelpText<"Check for dubious malloc arguments involving sizeof">,
+  DescFile<"MallocSizeofChecker.cpp">;
+
 def PthreadLockChecker : Checker<"PthreadLock">,
   HelpText<"Simple lock -> unlock checker">,
   DescFile<"PthreadLockChecker.cpp">;
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocSizeofChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocSizeofChecker.cpp
new file mode 100644
index 000000000000..0ee0b2ab4cb6
--- /dev/null
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocSizeofChecker.cpp
@@ -0,0 +1,208 @@
+// MallocSizeofChecker.cpp - Check for dubious malloc arguments ---*- C++ -*-=//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Reports inconsistencies between the casted type of the return value of a
+// malloc/calloc/realloc call and the operand of any sizeof expressions
+// contained within its argument(s).
+//
+//===----------------------------------------------------------------------===//
+
+#include "ClangSACheckers.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
+#include "clang/AST/StmtVisitor.h"
+#include "clang/AST/TypeLoc.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+
+typedef std::pair<const TypeSourceInfo *, const CallExpr *> TypeCallPair;
+typedef llvm::PointerUnion<const Stmt *, const VarDecl *> ExprParent;
+
+class CastedAllocFinder
+  : public ConstStmtVisitor<CastedAllocFinder, TypeCallPair> {
+  IdentifierInfo *II_malloc, *II_calloc, *II_realloc;
+
+public:
+  struct CallRecord {
+    ExprParent CastedExprParent;
+    const Expr *CastedExpr;
+    const TypeSourceInfo *ExplicitCastType;
+    const CallExpr *AllocCall;
+
+    CallRecord(ExprParent CastedExprParent, const Expr *CastedExpr,
+               const TypeSourceInfo *ExplicitCastType,
+               const CallExpr *AllocCall)
+      : CastedExprParent(CastedExprParent), CastedExpr(CastedExpr),
+        ExplicitCastType(ExplicitCastType), AllocCall(AllocCall) {}
+  };
+
+  typedef std::vector<CallRecord> CallVec;
+  CallVec Calls;
+
+  CastedAllocFinder(ASTContext *Ctx) :
+    II_malloc(&Ctx->Idents.get("malloc")),
+    II_calloc(&Ctx->Idents.get("calloc")),
+    II_realloc(&Ctx->Idents.get("realloc")) {}
+
+  void VisitChild(ExprParent Parent, const Stmt *S) {
+    TypeCallPair AllocCall = Visit(S);
+    if (AllocCall.second && AllocCall.second != S)
+      Calls.push_back(CallRecord(Parent, cast<Expr>(S), AllocCall.first,
+                                 AllocCall.second));
+  }
+
+  void VisitChildren(const Stmt *S) {
+    for (Stmt::const_child_iterator I = S->child_begin(), E = S->child_end();
+         I!=E; ++I)
+      if (const Stmt *child = *I)
+        VisitChild(S, child);
+  }
+
+  TypeCallPair VisitCastExpr(const CastExpr *E) {
+    return Visit(E->getSubExpr());
+  }
+
+  TypeCallPair VisitExplicitCastExpr(const ExplicitCastExpr *E) {
+    return TypeCallPair(E->getTypeInfoAsWritten(),
+                        Visit(E->getSubExpr()).second);
+  }
+
+  TypeCallPair VisitParenExpr(const ParenExpr *E) {
+    return Visit(E->getSubExpr());
+  }
+
+  TypeCallPair VisitStmt(const Stmt *S) {
+    VisitChildren(S);
+    return TypeCallPair();
+  }
+
+  TypeCallPair VisitCallExpr(const CallExpr *E) {
+    VisitChildren(E);
+    const FunctionDecl *FD = E->getDirectCallee();
+    if (FD) {
+      IdentifierInfo *II = FD->getIdentifier();
+      if (II == II_malloc || II == II_calloc || II == II_realloc)
+        return TypeCallPair(0, E);
+    }
+    return TypeCallPair();
+  }
+
+  TypeCallPair VisitDeclStmt(const DeclStmt *S) {
+    for (DeclStmt::const_decl_iterator I = S->decl_begin(), E = S->decl_end();
+         I!=E; ++I)
+      if (const VarDecl *VD = dyn_cast<VarDecl>(*I))
+        if (const Expr *Init = VD->getInit())
+          VisitChild(VD, Init);
+    return TypeCallPair();
+  }
+};
+
+class SizeofFinder : public ConstStmtVisitor<SizeofFinder> {
+public:
+  std::vector<const UnaryExprOrTypeTraitExpr *> Sizeofs;
+
+  void VisitBinMul(const BinaryOperator *E) {
+    Visit(E->getLHS());
+    Visit(E->getRHS());
+  }
+
+  void VisitBinAdd(const BinaryOperator *E) {
+    Visit(E->getLHS());
+    Visit(E->getRHS());
+  }
+
+  void VisitImplicitCastExpr(const ImplicitCastExpr *E) {
+    return Visit(E->getSubExpr());
+  }
+
+  void VisitParenExpr(const ParenExpr *E) {
+    return Visit(E->getSubExpr());
+  }
+
+  void VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *E) {
+    if (E->getKind() != UETT_SizeOf)
+      return;
+
+    Sizeofs.push_back(E);
+  }
+};
+
+class MallocSizeofChecker : public Checker<check::ASTCodeBody> {
+public:
+  void checkASTCodeBody(const Decl *D, AnalysisManager& mgr,
+                        BugReporter &BR) const {
+    AnalysisDeclContext *ADC = mgr.getAnalysisDeclContext(D);
+    CastedAllocFinder Finder(&BR.getContext());
+    Finder.Visit(D->getBody());
+    for (CastedAllocFinder::CallVec::iterator i = Finder.Calls.begin(),
+         e = Finder.Calls.end(); i != e; ++i) {
+      QualType CastedType = i->CastedExpr->getType();
+      if (!CastedType->isPointerType())
+        continue;
+      QualType PointeeType = CastedType->getAs<PointerType>()->getPointeeType();
+      if (PointeeType->isVoidType())
+        continue;
+
+      for (CallExpr::const_arg_iterator ai = i->AllocCall->arg_begin(),
+           ae = i->AllocCall->arg_end(); ai != ae; ++ai) {
+        if (!(*ai)->getType()->isIntegerType())
+          continue;
+
+        SizeofFinder SFinder;
+        SFinder.Visit(*ai);
+        if (SFinder.Sizeofs.size() != 1)
+          continue;
+
+        QualType SizeofType = SFinder.Sizeofs[0]->getTypeOfArgument();
+        if (!BR.getContext().hasSameUnqualifiedType(PointeeType, SizeofType)) {
+          const TypeSourceInfo *TSI = 0;
+          if (i->CastedExprParent.is<const VarDecl *>()) {
+            TSI =
+              i->CastedExprParent.get<const VarDecl *>()->getTypeSourceInfo();
+          } else {
+            TSI = i->ExplicitCastType;
+          }
+
+          llvm::SmallString<64> buf;
+          llvm::raw_svector_ostream OS(buf);
+
+          OS << "Result of '"
+             << i->AllocCall->getDirectCallee()->getIdentifier()->getName()
+             << "' is converted to type '"
+             << CastedType.getAsString() << "', whose pointee type '"
+             << PointeeType.getAsString() << "' is incompatible with "
+             << "sizeof operand type '" << SizeofType.getAsString() << "'";
+          llvm::SmallVector<SourceRange, 4> Ranges;
+          Ranges.push_back(i->AllocCall->getCallee()->getSourceRange());
+          Ranges.push_back(SFinder.Sizeofs[0]->getSourceRange());
+          if (TSI)
+            Ranges.push_back(TSI->getTypeLoc().getSourceRange());
+
+          PathDiagnosticLocation L =
+            PathDiagnosticLocation::createBegin(i->AllocCall->getCallee(),
+                                                BR.getSourceManager(), ADC);
+
+          BR.EmitBasicReport("allocator sizeof operand mismatch", OS.str(), L,
+                             Ranges.data(), Ranges.size());
+        }
+      }
+    }
+  }
+};
+
+}
+
+void ento::registerMallocSizeofChecker(CheckerManager &mgr) {
+  mgr.registerChecker<MallocSizeofChecker>();
+}
diff --git a/clang/test/Analysis/malloc-sizeof.c b/clang/test/Analysis/malloc-sizeof.c
new file mode 100644
index 000000000000..d2b3bcf3c84d
--- /dev/null
+++ b/clang/test/Analysis/malloc-sizeof.c
@@ -0,0 +1,27 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.unix.MallocSizeof -verify %s
+
+#include <stddef.h>
+
+void *malloc(size_t size);
+void *calloc(size_t nmemb, size_t size);
+void *realloc(void *ptr, size_t size);
+
+struct A {};
+struct B {};
+
+void foo() {
+  int *ip1 = malloc(sizeof(1));
+  int *ip2 = malloc(4 * sizeof(int));
+
+  long *lp1 = malloc(sizeof(short)); // expected-warning {{Result of 'malloc' is converted to type 'long *', whose pointee type 'long' is incompatible with sizeof operand type 'short'}}
+  long *lp2 = malloc(5 * sizeof(double)); // expected-warning {{Result of 'malloc' is converted to type 'long *', whose pointee type 'long' is incompatible with sizeof operand type 'double'}}
+  long *lp3 = malloc(5 * sizeof(char) + 2); // expected-warning {{Result of 'malloc' is converted to type 'long *', whose pointee type 'long' is incompatible with sizeof operand type 'char'}}
+
+  struct A *ap1 = calloc(1, sizeof(struct A));
+  struct A *ap2 = calloc(2, sizeof(*ap1));
+  struct A *ap3 = calloc(2, sizeof(ap1)); // expected-warning {{Result of 'calloc' is converted to type 'struct A *', whose pointee type 'struct A' is incompatible with sizeof operand type 'struct A *'}}
+  struct A *ap4 = calloc(3, sizeof(struct A*)); // expected-warning {{Result of 'calloc' is converted to type 'struct A *', whose pointee type 'struct A' is incompatible with sizeof operand type 'struct A *'}}
+  struct A *ap5 = calloc(4, sizeof(struct B)); // expected-warning {{Result of 'calloc' is converted to type 'struct A *', whose pointee type 'struct A' is incompatible with sizeof operand type 'struct B'}}
+  struct A *ap6 = realloc(ap5, sizeof(struct A));
+  struct A *ap7 = realloc(ap5, sizeof(struct B)); // expected-warning {{Result of 'realloc' is converted to type 'struct A *', whose pointee type 'struct A' is incompatible with sizeof operand type 'struct B'}}
+}
-- 
GitLab