2014-09-11 18:10:19 +02:00
/*
* Cppcheck - A tool for static C / C + + code analysis
2016-01-01 14:34:45 +01:00
* Copyright ( C ) 2007 - 2016 Cppcheck team .
2014-09-11 18:10:19 +02:00
*
* This program is free software : you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation , either version 3 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
//---------------------------------------------------------------------------
# include "checktype.h"
# include "mathlib.h"
# include "symboldatabase.h"
# include <stack>
//---------------------------------------------------------------------------
// Register this check class (by creating a static instance of it)
namespace {
CheckType instance ;
}
//---------------------------------------------------------------------------
// Checking for shift by too many bits
//---------------------------------------------------------------------------
Mapped error ids stlBoundaries, stlcstr, useAutoPointerContainer, useAutoPointerArray, sprintfOverlappingData, strPlusChar, shiftTooManyBits, integerOverflow, uninitstring, uninitdata, uninitvar, uninitStructMember, deadpointer, va_start_referencePassed, va_end_missing, va_list_usedBeforeStarted, va_start_subsequentCalls to their CWEs.
2016-02-03 13:53:23 +01:00
//
// CWE ids used:
2016-07-16 21:21:24 +02:00
static const struct CWE CWE195 ( 195U ) ; // Signed to Unsigned Conversion Error
CWE mapping of useAutoPointerMalloc, uselessCallsCompare, uselessCallsSwap, uselessCallsSubstr, uselessCallsEmpty, uselessCallsRemove, derefInvalidIterator, reademptycontainer, multiplySizeof, divideSizeof, stringLiteralWrite, incorrectStringCompare, literalWithCharPtrCompare, charLiteralWithCharPtrCompare, incorrectStringBooleanError, staticStringCompare, stringCompare, signConversion, truncLongCastAssignment, truncLongCastReturn, unusedFunction, unusedVariable, unusedAllocatedMemory, unreadVariable, unassignedVariable, unusedStructMember, postfixOperator, va_start_wrongParameter (#824)
Add an optional extended description…
2016-09-03 00:31:35 +02:00
static const struct CWE CWE197 ( 197U ) ; // Numeric Truncation Error
2016-07-16 21:21:24 +02:00
static const struct CWE CWE758 ( 758U ) ; // Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
static const struct CWE CWE190 ( 190U ) ; // Integer Overflow or Wraparound
Mapped error ids stlBoundaries, stlcstr, useAutoPointerContainer, useAutoPointerArray, sprintfOverlappingData, strPlusChar, shiftTooManyBits, integerOverflow, uninitstring, uninitdata, uninitvar, uninitStructMember, deadpointer, va_start_referencePassed, va_end_missing, va_list_usedBeforeStarted, va_start_subsequentCalls to their CWEs.
2016-02-03 13:53:23 +01:00
2014-09-11 18:10:19 +02:00
void CheckType : : checkTooBigBitwiseShift ( )
{
// unknown sizeof(int) => can't run this checker
if ( _settings - > platformType = = Settings : : Unspecified )
return ;
const SymbolDatabase * symbolDatabase = _tokenizer - > getSymbolDatabase ( ) ;
const std : : size_t functions = symbolDatabase - > functionScopes . size ( ) ;
for ( std : : size_t i = 0 ; i < functions ; + + i ) {
const Scope * scope = symbolDatabase - > functionScopes [ i ] ;
2016-01-10 20:44:52 +01:00
for ( const Token * tok = scope - > classStart ; tok ! = scope - > classEnd ; tok = tok - > next ( ) ) {
2016-01-10 21:00:42 +01:00
// C++ and macro: OUT(x<<y)
if ( _tokenizer - > isCPP ( ) & & Token : : Match ( tok , " [;{}] %name% ( " ) & & Token : : simpleMatch ( tok - > linkAt ( 2 ) , " ) ; " ) & & tok - > next ( ) - > isUpperCaseName ( ) & & ! tok - > next ( ) - > function ( ) )
2016-01-10 20:44:52 +01:00
tok = tok - > linkAt ( 2 ) ;
2016-02-05 19:48:30 +01:00
if ( ! tok - > astOperand1 ( ) | | ! tok - > astOperand2 ( ) )
2014-09-11 18:10:19 +02:00
continue ;
2016-02-05 19:48:30 +01:00
if ( ! Token : : Match ( tok , " <<|>>|<<=|>>= " ) )
2014-09-11 18:10:19 +02:00
continue ;
// get number of bits of lhs
2015-12-31 01:51:21 +01:00
const ValueType * lhstype = tok - > astOperand1 ( ) - > valueType ( ) ;
if ( ! lhstype | | ! lhstype - > isIntegral ( ) | | lhstype - > pointer > = 1U )
2014-09-11 18:10:19 +02:00
continue ;
int lhsbits = 0 ;
2015-12-31 01:51:21 +01:00
if ( lhstype - > type < = ValueType : : Type : : INT )
2016-01-05 13:16:00 +01:00
lhsbits = _settings - > int_bit ;
2015-12-31 01:51:21 +01:00
else if ( lhstype - > type = = ValueType : : Type : : LONG )
2016-01-05 13:16:00 +01:00
lhsbits = _settings - > long_bit ;
2015-12-31 01:51:21 +01:00
else if ( lhstype - > type = = ValueType : : Type : : LONGLONG )
2016-01-05 13:16:00 +01:00
lhsbits = _settings - > long_long_bit ;
2015-12-31 01:51:21 +01:00
else
2014-09-11 18:10:19 +02:00
continue ;
// Get biggest rhs value. preferably a value which doesn't have 'condition'.
const ValueFlow : : Value * value = tok - > astOperand2 ( ) - > getValueGE ( lhsbits , _settings ) ;
2017-05-22 07:58:56 +02:00
if ( value & & _settings - > isEnabled ( value , false ) )
tooBigBitwiseShiftError ( tok , lhsbits , * value ) ;
2014-09-11 18:10:19 +02:00
}
}
}
void CheckType : : tooBigBitwiseShiftError ( const Token * tok , int lhsbits , const ValueFlow : : Value & rhsbits )
{
2017-05-22 07:58:56 +02:00
if ( ! tok ) {
reportError ( tok , Severity : : error , " shiftTooManyBits " , " Shifting 32-bit value by 40 bits is undefined behaviour " , CWE758 , false ) ;
return ;
}
const ErrorPath errorPath = getErrorPath ( tok , & rhsbits , " Shift " ) ;
2014-09-11 18:10:19 +02:00
std : : ostringstream errmsg ;
errmsg < < " Shifting " < < lhsbits < < " -bit value by " < < rhsbits . intvalue < < " bits is undefined behaviour " ;
if ( rhsbits . condition )
errmsg < < " . See condition at line " < < rhsbits . condition - > linenr ( ) < < " . " ;
2017-05-22 07:58:56 +02:00
reportError ( errorPath , rhsbits . condition ? Severity : : warning : Severity : : error , " shiftTooManyBits " , errmsg . str ( ) , CWE758 , rhsbits . inconclusive ) ;
2014-09-11 18:10:19 +02:00
}
//---------------------------------------------------------------------------
// Checking for integer overflow
//---------------------------------------------------------------------------
void CheckType : : checkIntegerOverflow ( )
{
// unknown sizeof(int) => can't run this checker
2016-12-21 18:19:59 +01:00
if ( _settings - > platformType = = Settings : : Unspecified | | _settings - > int_bit > = 64 )
2014-09-11 18:10:19 +02:00
return ;
// max int value according to platform settings.
2016-11-07 22:29:40 +01:00
const MathLib : : bigint maxint = ( 1LL < < ( _settings - > int_bit - 1 ) ) - 1 ;
2014-09-11 18:10:19 +02:00
const SymbolDatabase * symbolDatabase = _tokenizer - > getSymbolDatabase ( ) ;
const std : : size_t functions = symbolDatabase - > functionScopes . size ( ) ;
for ( std : : size_t i = 0 ; i < functions ; + + i ) {
const Scope * scope = symbolDatabase - > functionScopes [ i ] ;
for ( const Token * tok = scope - > classStart - > next ( ) ; tok ! = scope - > classEnd ; tok = tok - > next ( ) ) {
if ( ! tok - > isArithmeticalOp ( ) )
continue ;
2016-02-05 19:48:30 +01:00
// is result signed integer?
const ValueType * vt = tok - > valueType ( ) ;
if ( ! vt | | vt - > type ! = ValueType : : Type : : INT | | vt - > sign ! = ValueType : : Sign : : SIGNED )
continue ;
2014-09-11 18:10:19 +02:00
// is there a overflow result value
const ValueFlow : : Value * value = tok - > getValueGE ( maxint + 1 , _settings ) ;
if ( ! value )
value = tok - > getValueLE ( - maxint - 2 , _settings ) ;
2017-05-22 10:10:56 +02:00
if ( ! value | | ! _settings - > isEnabled ( value , false ) )
2016-12-21 18:19:59 +01:00
continue ;
// For left shift, it's common practice to shift into the sign bit
if ( tok - > str ( ) = = " << " & & value - > intvalue > 0 & & value - > intvalue < ( 1LL < < _settings - > int_bit ) )
continue ;
integerOverflowError ( tok , * value ) ;
2014-09-11 18:10:19 +02:00
}
}
}
void CheckType : : integerOverflowError ( const Token * tok , const ValueFlow : : Value & value )
{
const std : : string expr ( tok ? tok - > expressionString ( ) : " " ) ;
2015-12-31 12:05:23 +01:00
std : : string msg ;
if ( value . condition )
msg = ValueFlow : : eitherTheConditionIsRedundant ( value . condition ) +
" or there is signed integer overflow for expression ' " + expr + " '. " ;
else
msg = " Signed integer overflow for expression ' " + expr + " '. " ;
2014-09-11 18:10:19 +02:00
2017-05-22 10:10:56 +02:00
reportError ( getErrorPath ( tok , & value , " Integer overflow " ) ,
2014-09-11 18:10:19 +02:00
value . condition ? Severity : : warning : Severity : : error ,
" integerOverflow " ,
2015-12-31 12:05:23 +01:00
msg ,
Mapped error ids stlBoundaries, stlcstr, useAutoPointerContainer, useAutoPointerArray, sprintfOverlappingData, strPlusChar, shiftTooManyBits, integerOverflow, uninitstring, uninitdata, uninitvar, uninitStructMember, deadpointer, va_start_referencePassed, va_end_missing, va_list_usedBeforeStarted, va_start_subsequentCalls to their CWEs.
2016-02-03 13:53:23 +01:00
CWE190 ,
2014-09-11 18:10:19 +02:00
value . inconclusive ) ;
}
//---------------------------------------------------------------------------
// Checking for sign conversion when operand can be negative
//---------------------------------------------------------------------------
void CheckType : : checkSignConversion ( )
{
2017-04-11 11:49:09 +02:00
if ( ! _settings - > isEnabled ( Settings : : WARNING ) )
2014-09-11 18:10:19 +02:00
return ;
2014-09-11 19:45:52 +02:00
2014-09-11 18:10:19 +02:00
const SymbolDatabase * symbolDatabase = _tokenizer - > getSymbolDatabase ( ) ;
const std : : size_t functions = symbolDatabase - > functionScopes . size ( ) ;
for ( std : : size_t i = 0 ; i < functions ; + + i ) {
const Scope * scope = symbolDatabase - > functionScopes [ i ] ;
for ( const Token * tok = scope - > classStart - > next ( ) ; tok ! = scope - > classEnd ; tok = tok - > next ( ) ) {
2014-09-12 18:58:31 +02:00
if ( ! tok - > isArithmeticalOp ( ) | | Token : : Match ( tok , " +|- " ) )
2014-09-11 18:10:19 +02:00
continue ;
2015-12-31 12:05:23 +01:00
// Is result unsigned?
if ( ! ( tok - > valueType ( ) & & tok - > valueType ( ) - > sign = = ValueType : : Sign : : UNSIGNED ) )
2014-09-11 18:10:19 +02:00
continue ;
2014-09-11 19:45:52 +02:00
2015-12-31 12:05:23 +01:00
// Check if an operand can be negative..
2014-09-11 18:10:19 +02:00
std : : stack < const Token * > tokens ;
2014-09-14 10:29:58 +02:00
tokens . push ( tok - > astOperand1 ( ) ) ;
tokens . push ( tok - > astOperand2 ( ) ) ;
2014-09-11 18:10:19 +02:00
while ( ! tokens . empty ( ) ) {
const Token * tok1 = tokens . top ( ) ;
tokens . pop ( ) ;
if ( ! tok1 )
continue ;
2015-12-31 12:05:23 +01:00
if ( ! tok1 - > getValueLE ( - 1 , _settings ) )
continue ;
if ( tok1 - > valueType ( ) & & tok1 - > valueType ( ) - > sign ! = ValueType : : Sign : : UNSIGNED )
2016-01-02 22:56:15 +01:00
signConversionError ( tok1 , tok1 - > isNumber ( ) ) ;
2014-09-11 18:10:19 +02:00
}
}
}
}
2016-01-02 22:56:15 +01:00
void CheckType : : signConversionError ( const Token * tok , const bool constvalue )
2014-09-11 18:10:19 +02:00
{
const std : : string varname ( tok ? tok - > str ( ) : " var " ) ;
2014-09-11 19:45:52 +02:00
2014-09-11 18:10:19 +02:00
reportError ( tok ,
Severity : : warning ,
" signConversion " ,
2016-01-02 22:56:15 +01:00
( constvalue ) ?
" Suspicious code: sign conversion of " + varname + " in calculation because ' " + varname + " ' has a negative value " :
2016-07-15 15:49:21 +02:00
" Suspicious code: sign conversion of " + varname + " in calculation, even though " + varname + " can have a negative value " , CWE195 , false ) ;
2014-09-11 18:10:19 +02:00
}
2015-05-25 10:02:17 +02:00
//---------------------------------------------------------------------------
// Checking for long cast of int result const long x = var1 * var2;
//---------------------------------------------------------------------------
void CheckType : : checkLongCast ( )
{
2017-04-11 11:49:09 +02:00
if ( ! _settings - > isEnabled ( Settings : : STYLE ) )
2015-05-25 10:02:17 +02:00
return ;
// Assignments..
for ( const Token * tok = _tokenizer - > tokens ( ) ; tok ; tok = tok - > next ( ) ) {
2015-12-31 12:05:23 +01:00
if ( tok - > str ( ) ! = " = " | | ! Token : : Match ( tok - > astOperand2 ( ) , " *|<< " ) )
2015-05-25 18:19:40 +02:00
continue ;
2015-12-31 12:05:23 +01:00
const ValueType * lhstype = tok - > astOperand1 ( ) ? tok - > astOperand1 ( ) - > valueType ( ) : nullptr ;
const ValueType * rhstype = tok - > astOperand2 ( ) - > valueType ( ) ;
if ( ! lhstype | | ! rhstype )
2015-05-25 10:02:17 +02:00
continue ;
2015-12-31 12:05:23 +01:00
// assign int result to long/longlong const nonpointer?
if ( rhstype - > type = = ValueType : : Type : : INT & &
rhstype - > pointer = = 0U & &
rhstype - > originalTypeName . empty ( ) & &
( lhstype - > type = = ValueType : : Type : : LONG | | lhstype - > type = = ValueType : : Type : : LONGLONG ) & &
lhstype - > pointer = = 0U & &
lhstype - > constness = = 1U & &
lhstype - > originalTypeName . empty ( ) )
2015-05-25 10:02:17 +02:00
longCastAssignError ( tok ) ;
}
// Return..
const SymbolDatabase * symbolDatabase = _tokenizer - > getSymbolDatabase ( ) ;
const std : : size_t functions = symbolDatabase - > functionScopes . size ( ) ;
for ( std : : size_t i = 0 ; i < functions ; + + i ) {
const Scope * scope = symbolDatabase - > functionScopes [ i ] ;
// function must return long data
const Token * def = scope - > classDef ;
bool islong = false ;
while ( Token : : Match ( def , " %type%|:: " ) ) {
2015-05-25 18:19:40 +02:00
if ( def - > str ( ) = = " long " & & def - > originalName ( ) . empty ( ) ) {
2015-05-25 10:02:17 +02:00
islong = true ;
break ;
}
def = def - > previous ( ) ;
}
if ( ! islong )
continue ;
2015-12-31 12:05:23 +01:00
// return statements
2015-05-25 10:02:17 +02:00
const Token * ret = nullptr ;
for ( const Token * tok = scope - > classStart ; tok ! = scope - > classEnd ; tok = tok - > next ( ) ) {
if ( tok - > str ( ) = = " return " ) {
2015-12-31 12:05:23 +01:00
if ( Token : : Match ( tok - > astOperand1 ( ) , " <<|* " ) ) {
const ValueType * type = tok - > astOperand1 ( ) - > valueType ( ) ;
2015-12-31 14:07:38 +01:00
if ( type & & type - > type = = ValueType : : Type : : INT & & type - > pointer = = 0U & & type - > originalTypeName . empty ( ) )
2015-12-31 12:05:23 +01:00
ret = tok ;
}
// All return statements must have problem otherwise no warning
if ( ret ! = tok ) {
ret = nullptr ;
2015-05-25 10:02:17 +02:00
break ;
}
}
}
2015-12-31 12:05:23 +01:00
if ( ret )
2015-05-25 10:02:17 +02:00
longCastReturnError ( ret ) ;
}
}
void CheckType : : longCastAssignError ( const Token * tok )
{
reportError ( tok ,
Severity : : style ,
" truncLongCastAssignment " ,
2015-06-01 21:22:47 +02:00
" int result is assigned to long variable. If the variable is long to avoid loss of information, then you have loss of information. \n "
CWE mapping of useAutoPointerMalloc, uselessCallsCompare, uselessCallsSwap, uselessCallsSubstr, uselessCallsEmpty, uselessCallsRemove, derefInvalidIterator, reademptycontainer, multiplySizeof, divideSizeof, stringLiteralWrite, incorrectStringCompare, literalWithCharPtrCompare, charLiteralWithCharPtrCompare, incorrectStringBooleanError, staticStringCompare, stringCompare, signConversion, truncLongCastAssignment, truncLongCastReturn, unusedFunction, unusedVariable, unusedAllocatedMemory, unreadVariable, unassignedVariable, unusedStructMember, postfixOperator, va_start_wrongParameter (#824)
Add an optional extended description…
2016-09-03 00:31:35 +02:00
" int result is assigned to long variable. If the variable is long to avoid loss of information, then there is loss of information. To avoid loss of information you must cast a calculation operand to long, for example 'l = a * b;' => 'l = (long)a * b;'. " , CWE197 , false ) ;
2015-05-25 10:02:17 +02:00
}
void CheckType : : longCastReturnError ( const Token * tok )
{
reportError ( tok ,
Severity : : style ,
" truncLongCastReturn " ,
2015-06-01 21:22:47 +02:00
" int result is returned as long value. If the return value is long to avoid loss of information, then you have loss of information. \n "
CWE mapping of useAutoPointerMalloc, uselessCallsCompare, uselessCallsSwap, uselessCallsSubstr, uselessCallsEmpty, uselessCallsRemove, derefInvalidIterator, reademptycontainer, multiplySizeof, divideSizeof, stringLiteralWrite, incorrectStringCompare, literalWithCharPtrCompare, charLiteralWithCharPtrCompare, incorrectStringBooleanError, staticStringCompare, stringCompare, signConversion, truncLongCastAssignment, truncLongCastReturn, unusedFunction, unusedVariable, unusedAllocatedMemory, unreadVariable, unassignedVariable, unusedStructMember, postfixOperator, va_start_wrongParameter (#824)
Add an optional extended description…
2016-09-03 00:31:35 +02:00
" int result is returned as long value. If the return value is long to avoid loss of information, then there is loss of information. To avoid loss of information you must cast a calculation operand to long, for example 'return a*b;' => 'return (long)a*b'. " , CWE197 , false ) ;
2015-05-25 10:02:17 +02:00
}
2016-11-22 22:37:13 +01:00
//---------------------------------------------------------------------------
// Checking for float to integer overflow
//---------------------------------------------------------------------------
void CheckType : : checkFloatToIntegerOverflow ( )
{
const SymbolDatabase * symbolDatabase = _tokenizer - > getSymbolDatabase ( ) ;
const std : : size_t functions = symbolDatabase - > functionScopes . size ( ) ;
for ( std : : size_t i = 0 ; i < functions ; + + i ) {
const Scope * scope = symbolDatabase - > functionScopes [ i ] ;
for ( const Token * tok = scope - > classStart - > next ( ) ; tok ! = scope - > classEnd ; tok = tok - > next ( ) ) {
if ( tok - > str ( ) ! = " ( " )
continue ;
if ( ! tok - > astOperand1 ( ) | | tok - > astOperand2 ( ) )
continue ;
// is result integer?
const ValueType * vt = tok - > valueType ( ) ;
if ( ! vt | | ! vt - > isIntegral ( ) )
continue ;
// is value float?
const ValueType * vt1 = tok - > astOperand1 ( ) - > valueType ( ) ;
if ( ! vt1 | | ! vt1 - > isFloat ( ) )
continue ;
const Token * op1 = tok - > astOperand1 ( ) ;
2017-03-27 18:48:34 +02:00
for ( std : : list < ValueFlow : : Value > : : const_iterator it = op1 - > values ( ) . begin ( ) ; it ! = op1 - > values ( ) . end ( ) ; + + it ) {
2016-11-22 22:37:13 +01:00
if ( it - > valueType ! = ValueFlow : : Value : : FLOAT )
continue ;
2017-05-22 11:04:24 +02:00
if ( ! _settings - > isEnabled ( & ( * it ) , false ) )
2016-11-22 22:37:13 +01:00
continue ;
if ( it - > floatValue > ~ 0ULL )
floatToIntegerOverflowError ( tok , * it ) ;
else if ( ( - it - > floatValue ) > ( 1ULL < < 62 ) )
floatToIntegerOverflowError ( tok , * it ) ;
else if ( _settings - > platformType ! = Settings : : Unspecified ) {
int bits = 0 ;
if ( vt - > type = = ValueType : : Type : : CHAR )
bits = _settings - > char_bit ;
else if ( vt - > type = = ValueType : : Type : : SHORT )
bits = _settings - > short_bit ;
else if ( vt - > type = = ValueType : : Type : : INT )
bits = _settings - > int_bit ;
else if ( vt - > type = = ValueType : : Type : : LONG )
bits = _settings - > long_bit ;
else if ( vt - > type = = ValueType : : Type : : LONGLONG )
bits = _settings - > long_long_bit ;
else
continue ;
2016-12-10 23:14:40 +01:00
if ( bits < 64 & & it - > floatValue > = ( 1ULL < < bits ) )
2016-11-22 22:37:13 +01:00
floatToIntegerOverflowError ( tok , * it ) ;
}
}
}
}
}
void CheckType : : floatToIntegerOverflowError ( const Token * tok , const ValueFlow : : Value & value )
{
std : : ostringstream errmsg ;
2017-05-22 11:04:24 +02:00
errmsg < < " Undefined behaviour: float ( " < < value . floatValue < < " ) to integer conversion overflow. " ;
reportError ( getErrorPath ( tok , & value , " float to integer conversion " ) ,
value . condition ? Severity : : warning : Severity : : error ,
2016-11-22 22:37:13 +01:00
" floatConversionOverflow " ,
errmsg . str ( ) , CWE190 , value . inconclusive ) ;
}