1//===- UnsafeBufferUsage.h - Replace pointers with modern C++ ---*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines an analysis that aids replacing buffer accesses through
10// raw pointers with safer C++ abstractions such as containers and views/spans.
11//
12//===----------------------------------------------------------------------===//
13
14#ifndef LLVM_CLANG_ANALYSIS_ANALYSES_UNSAFEBUFFERUSAGE_H
15#define LLVM_CLANG_ANALYSIS_ANALYSES_UNSAFEBUFFERUSAGE_H
16
17#include "clang/AST/ASTTypeTraits.h"
18#include "clang/AST/Decl.h"
19#include "clang/AST/Expr.h"
20#include "clang/AST/Stmt.h"
21#include "clang/Basic/SourceLocation.h"
22#include "llvm/Support/Debug.h"
23#include <set>
24
25namespace clang {
26
27using VarGrpTy = std::vector<const VarDecl *>;
28using VarGrpRef = ArrayRef<const VarDecl *>;
29
30class VariableGroupsManager {
31public:
32 VariableGroupsManager() = default;
33 virtual ~VariableGroupsManager() = default;
34 /// Returns the set of variables (including `Var`) that need to be fixed
35 /// together in one step.
36 ///
37 /// `Var` must be a variable that needs fix (so it must be in a group).
38 /// `HasParm` is an optional argument that will be set to true if the set of
39 /// variables, where `Var` is in, contains parameters.
40 virtual VarGrpRef getGroupOfVar(const VarDecl *Var,
41 bool *HasParm = nullptr) const =0;
42
43 /// Returns the non-empty group of variables that include parameters of the
44 /// analyzing function, if such a group exists. An empty group, otherwise.
45 virtual VarGrpRef getGroupOfParms() const =0;
46};
47
48// FixitStrategy is a map from variables to the way we plan to emit fixes for
49// these variables. It is figured out gradually by trying different fixes
50// for different variables depending on gadgets in which these variables
51// participate.
52class FixitStrategy {
53public:
54 enum class Kind {
55 Wontfix, // We don't plan to emit a fixit for this variable.
56 Span, // We recommend replacing the variable with std::span.
57 Iterator, // We recommend replacing the variable with std::span::iterator.
58 Array, // We recommend replacing the variable with std::array.
59 Vector // We recommend replacing the variable with std::vector.
60 };
61
62private:
63 using MapTy = llvm::DenseMap<const VarDecl *, Kind>;
64
65 MapTy Map;
66
67public:
68 FixitStrategy() = default;
69 FixitStrategy(const FixitStrategy &) = delete; // Let's avoid copies.
70 FixitStrategy &operator=(const FixitStrategy &) = delete;
71 FixitStrategy(FixitStrategy &&) = default;
72 FixitStrategy &operator=(FixitStrategy &&) = default;
73
74 void set(const VarDecl *VD, Kind K) { Map[VD] = K; }
75
76 Kind lookup(const VarDecl *VD) const {
77 auto I = Map.find(Val: VD);
78 if (I == Map.end())
79 return Kind::Wontfix;
80
81 return I->second;
82 }
83};
84
85/// The interface that lets the caller handle unsafe buffer usage analysis
86/// results by overriding this class's handle... methods.
87class UnsafeBufferUsageHandler {
88#ifndef NDEBUG
89public:
90 // A self-debugging facility that you can use to notify the user when
91 // suggestions or fixits are incomplete.
92 // Uses std::function to avoid computing the message when it won't
93 // actually be displayed.
94 using DebugNote = std::pair<SourceLocation, std::string>;
95 using DebugNoteList = std::vector<DebugNote>;
96 using DebugNoteByVar = std::map<const VarDecl *, DebugNoteList>;
97 DebugNoteByVar DebugNotesByVar;
98#endif
99
100public:
101 UnsafeBufferUsageHandler() = default;
102 virtual ~UnsafeBufferUsageHandler() = default;
103
104 /// This analyses produces large fixits that are organized into lists
105 /// of primitive fixits (individual insertions/removals/replacements).
106 using FixItList = llvm::SmallVectorImpl<FixItHint>;
107
108 /// Invoked when an unsafe operation over raw pointers is found.
109 virtual void handleUnsafeOperation(const Stmt *Operation,
110 bool IsRelatedToDecl, ASTContext &Ctx) = 0;
111
112 /// Invoked when a call to an unsafe libc function is found.
113 /// \param PrintfInfo
114 /// is 0 if the callee function is not a member of the printf family;
115 /// is 1 if the callee is `sprintf`;
116 /// is 2 if arguments of the call have `__size_by` relation but are not in a
117 /// safe pattern;
118 /// is 3 if string arguments do not guarantee null-termination
119 /// is 4 if the callee takes va_list
120 /// has bit 3 (0x8) set if the callee is a function with the format attribute
121 /// \param UnsafeArg one of the actual arguments that is unsafe, non-null
122 /// only when `2 <= PrintfInfo <= 3 (ignoring the "format attribute" bit)`
123 virtual void handleUnsafeLibcCall(const CallExpr *Call, unsigned PrintfInfo,
124 ASTContext &Ctx,
125 const Expr *UnsafeArg = nullptr) = 0;
126
127 /// Invoked when an unsafe operation with a std container is found.
128 virtual void handleUnsafeOperationInContainer(const Stmt *Operation,
129 bool IsRelatedToDecl,
130 ASTContext &Ctx) = 0;
131
132 /// Invoked when a fix is suggested against a variable. This function groups
133 /// all variables that must be fixed together (i.e their types must be changed
134 /// to the same target type to prevent type mismatches) into a single fixit.
135 ///
136 /// `D` is the declaration of the callable under analysis that owns `Variable`
137 /// and all of its group mates.
138 virtual void
139 handleUnsafeVariableGroup(const VarDecl *Variable,
140 const VariableGroupsManager &VarGrpMgr,
141 FixItList &&Fixes, const Decl *D,
142 const FixitStrategy &VarTargetTypes) = 0;
143
144 // Invoked when an array subscript operator[] is used on a
145 // std::unique_ptr<T[]>.
146 virtual void handleUnsafeUniquePtrArrayAccess(const DynTypedNode &Node,
147 bool IsRelatedToDecl,
148 ASTContext &Ctx) = 0;
149
150#ifndef NDEBUG
151public:
152 bool areDebugNotesRequested() {
153 DEBUG_WITH_TYPE("SafeBuffers", return true);
154 return false;
155 }
156
157 void addDebugNoteForVar(const VarDecl *VD, SourceLocation Loc,
158 std::string Text) {
159 if (areDebugNotesRequested())
160 DebugNotesByVar[VD].push_back(std::make_pair(Loc, Text));
161 }
162
163 void clearDebugNotes() {
164 if (areDebugNotesRequested())
165 DebugNotesByVar.clear();
166 }
167#endif
168
169public:
170 /// \return true iff buffer safety is opt-out at `Loc`; false otherwise.
171 virtual bool isSafeBufferOptOut(const SourceLocation &Loc) const = 0;
172
173 /// \return true iff unsafe uses in containers should NOT be reported at
174 /// `Loc`; false otherwise.
175 virtual bool
176 ignoreUnsafeBufferInContainer(const SourceLocation &Loc) const = 0;
177
178 /// \return true iff unsafe libc call should NOT be reported at `Loc`
179 virtual bool
180 ignoreUnsafeBufferInLibcCall(const SourceLocation &Loc) const = 0;
181
182 /// \return true iff array subscript accesses on fixed size arrays should NOT
183 /// be reported at `Loc`
184 virtual bool
185 ignoreUnsafeBufferInStaticSizedArray(const SourceLocation &Loc) const = 0;
186
187 virtual std::string
188 getUnsafeBufferUsageAttributeTextAt(SourceLocation Loc,
189 StringRef WSSuffix = "") const = 0;
190};
191
192// This function invokes the analysis and allows the caller to react to it
193// through the handler class.
194void checkUnsafeBufferUsage(const Decl *D, UnsafeBufferUsageHandler &Handler,
195 bool EmitSuggestions);
196
197namespace internal {
198// Tests if any two `FixItHint`s in `FixIts` conflict. Two `FixItHint`s
199// conflict if they have overlapping source ranges.
200bool anyConflict(const llvm::SmallVectorImpl<FixItHint> &FixIts,
201 const SourceManager &SM);
202} // namespace internal
203
204std::set<const Expr *> findUnsafePointers(const FunctionDecl *FD);
205} // end namespace clang
206
207#endif /* LLVM_CLANG_ANALYSIS_ANALYSES_UNSAFEBUFFERUSAGE_H */
208