If not, see . */ //--------------------------------------------------------------------------- #include "checktype.h" #include "mathlib.h" #include "symboldatabase.h" #include //--------------------------------------------------------------------------- // Register this check class (by creating a static instance of it) namespace { CheckType instance; } //--------------------------------------------------------------------------- // Checking for shift by too many bits //--------------------------------------------------------------------------- // // CWE ids used: static const struct CWE CWE758(758U); static const struct CWE CWE190(190U); void CheckType::checkTooBigBitwiseShift() { const bool printWarnings = _settings->isEnabled("warning"); const bool printInconclusive = _settings->inconclusive; // unknown sizeof(int) => can't run this checker if (_settings->platformType == Settings::Unspecified) return; const SymbolDatabase *symbolDatabase = _tokenizer->getSymbolDatabase(); const std::size_t functions = symbolDatabase->functionScopes.size(); for (std::size_t i = 0; i < functions; ++i) { const Scope * scope = symbolDatabase->functionScopes[i]; for (const Token* tok = scope->classStart; tok != scope->classEnd; tok = tok->next()) { // C++ and macro: OUT(x<isCPP() && Token::Match(tok, "[;{}] %name% (") && Token::simpleMatch(tok->linkAt(2), ") ;") && tok->next()->isUpperCaseName() && !tok->next()->function()) tok = tok->linkAt(2); if (!tok->astOperand1() || !tok->astOperand2()) continue; if (!Token::Match(tok, "<<|>>|<<=|>>=")) continue; // get number of bits of lhs const ValueType *lhstype = tok->astOperand1()->valueType(); if (!lhstype || !lhstype->isIntegral() || lhstype->pointer >= 1U) continue; int lhsbits = 0; if (lhstype->type <= ValueType::Type::INT) lhsbits = _settings->int_bit; else if (lhstype->type == ValueType::Type::LONG) lhsbits = _settings->long_bit; else if (lhstype->type == ValueType::Type::LONGLONG) lhsbits = _settings->long_long_bit; else continue; // Get biggest rhs value. preferably a value which doesn't have 'condition'. const ValueFlow::Value *value = tok->astOperand2()->getValueGE(lhsbits, _settings); if (!value) continue; if (value->condition && !printWarnings) continue; if (value->inconclusive && !printInconclusive) continue; tooBigBitwiseShiftError(tok, lhsbits, *value); } } } void CheckType::tooBigBitwiseShiftError(const Token *tok, int lhsbits, const ValueFlow::Value &rhsbits) { std::list callstack; callstack.push_back(tok); if (rhsbits.condition) callstack.push_back(rhsbits.condition); std::ostringstream errmsg; errmsg << "Shifting " << lhsbits << "-bit value by " << rhsbits.intvalue << " bits is undefined behaviour"; if (rhsbits.condition) errmsg << ". See condition at line " << rhsbits.condition->linenr() << "."; reportError(callstack, rhsbits.condition ? Severity::warning : Severity::error, "shiftTooManyBits", errmsg.str(), CWE758, rhsbits.inconclusive); } //--------------------------------------------------------------------------- // Checking for integer overflow //--------------------------------------------------------------------------- void CheckType::checkIntegerOverflow() { // unknown sizeof(int) => can't run this checker if (_settings->platformType == Settings::Unspecified) return; // max int value according to platform settings. const MathLib::bigint maxint = (1LL << (_settings->int_bit - 1)) - 1; const SymbolDatabase *symbolDatabase = _tokenizer->getSymbolDatabase(); const std::size_t functions = symbolDatabase->functionScopes.size(); for (std::size_t i = 0; i < functions; ++i) { const Scope * scope = symbolDatabase->functionScopes[i]; for (const Token* tok = scope->classStart->next(); tok != scope->classEnd; tok = tok->next()) { if (!tok->isArithmeticalOp()) continue; // is result signed integer? const ValueType *vt = tok->valueType(); if (!vt || vt->type != ValueType::Type::INT || vt->sign != ValueType::Sign::SIGNED) continue; // is there a overflow result value const ValueFlow::Value *value = tok->getValueGE(maxint + 1, _settings); if (!value) value = tok->getValueLE(-maxint - 2, _settings); if (value) integerOverflowError(tok, *value); } } } void CheckType::integerOverflowError(const Token *tok, const ValueFlow::Value &value) { const std::string expr(tok ? tok->expressionString() : ""); std::string msg; if (value.condition) msg = ValueFlow::eitherTheConditionIsRedundant(value.condition) + " or there is signed integer overflow for expression '" + expr + "'."; else msg = "Signed integer overflow for expression '" + expr + "'."; reportError(tok, value.condition ? Severity::warning : Severity::error, "integerOverflow", msg, CWE190, value.inconclusive); } //--------------------------------------------------------------------------- // Checking for sign conversion when operand can be negative //--------------------------------------------------------------------------- void CheckType::checkSignConversion() { if (!_settings->isEnabled("warning")) return; const SymbolDatabase *symbolDatabase = _tokenizer->getSymbolDatabase(); const std::size_t functions = symbolDatabase->functionScopes.size(); for (std::size_t i = 0; i < functions; ++i) { const Scope * scope = symbolDatabase->functionScopes[i]; for (const Token* tok = scope->classStart->next(); tok != scope->classEnd; tok = tok->next()) { if (!tok->isArithmeticalOp() || Token::Match(tok,"+|-")) continue; // Is result unsigned? if (!(tok->valueType() && tok->valueType()->sign == ValueType::Sign::UNSIGNED)) continue; // Check if an operand can be negative.. std::stack tokens; tokens.push(tok->astOperand1()); tokens.push(tok->astOperand2()); while (!tokens.empty()) { const Token *tok1 = tokens.top(); tokens.pop(); if (!tok1) continue; if (!tok1->getValueLE(-1,_settings)) continue; if (tok1->valueType() && tok1->valueType()->sign != ValueType::Sign::UNSIGNED) signConversionError(tok1, tok1->isNumber()); } } } } void CheckType::signConversionError(const Token *tok, const bool constvalue) { const std::string varname(tok ? tok->str() : "var"); reportError(tok, Severity::warning, "signConversion", (constvalue) ? "Suspicious code: sign conversion of " + varname + " in calculation because '" + varname + "' has a negative value" : "Suspicious code: sign conversion of " + varname + " in calculation, even though " + varname + " can have a negative value"); } //--------------------------------------------------------------------------- // Checking for long cast of int result const long x = var1 * var2; //--------------------------------------------------------------------------- void CheckType::checkLongCast() { if (!_settings->isEnabled("style")) return; // Assignments.. for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next()) { if (tok->str() != "=" || !Token::Match(tok->astOperand2(), "*|<<")) continue; const ValueType *lhstype = tok->astOperand1() ? tok->astOperand1()->valueType() : nullptr; const ValueType *rhstype = tok->astOperand2()->valueType(); if (!lhstype || !rhstype) continue; // assign int result to long/longlong const nonpointer? if (rhstype->type == ValueType::Type::INT && rhstype->pointer == 0U && rhstype->originalTypeName.empty() && (lhstype->type == ValueType::Type::LONG || lhstype->type == ValueType::Type::LONGLONG) && lhstype->pointer == 0U && lhstype->constness == 1U && lhstype->originalTypeName.empty()) longCastAssignError(tok); } // Return.. const SymbolDatabase *symbolDatabase = _tokenizer->getSymbolDatabase(); const std::size_t functions = symbolDatabase->functionScopes.size(); for (std::size_t i = 0; i < functions; ++i) { const Scope * scope = symbolDatabase->functionScopes[i]; // function must return long data const Token * def = scope->classDef; bool islong = false; while (Token::Match(def, "%type%|::")) { if (def->str() == "long" && def->originalName().empty()) { islong = true; break; } def = def->previous(); } if (!islong) continue; // return statements const Token *ret = nullptr; for (const Token *tok = scope->classStart; tok != scope->classEnd; tok = tok->next()) { if (tok->str() == "return") { if (Token::Match(tok->astOperand1(), "<<|*")) { const ValueType *type = tok->astOperand1()->valueType(); if (type && type->type == ValueType::Type::INT && type->pointer == 0U && type->originalTypeName.empty()) ret = tok; } // All return statements must have problem otherwise no warning if (ret != tok) { ret = nullptr; break; } } } if (ret) longCastReturnError(ret); } } void CheckType::longCastAssignError(const Token *tok) { reportError(tok, Severity::style, "truncLongCastAssignment", "int result is assigned to long variable. If the variable is long to avoid loss of information, then you have loss of information.\n" "int result is assigned to long variable. If the variable is long to avoid loss of information, then there is loss of information. To avoid loss of information you must cast a calculation operand to long, for example 'l = a * b;' => 'l = (long)a * b;'."); } void CheckType::longCastReturnError(const Token *tok) { reportError(tok, Severity::style, "truncLongCastReturn", "int result is returned as long value. If the return value is long to avoid loss of information, then you have loss of information.\n" "int result is returned as long value. If the return value is long to avoid loss of information, then there is loss of information. To avoid loss of information you must cast a calculation operand to long, for example 'return a*b;' => 'return (long)a*b'."); } static const ValueFlow::Value *mismatchingValue(const ValueType *enumType, const std::list &values) { if (!enumType || !enumType->typeScope || enumType->typeScope->type != Scope::eEnum) return nullptr; const Scope * const enumScope = enumType->typeScope; for (std::list::const_iterator it = values.begin(); it != values.end(); ++it) { if (it->tokvalue) continue; bool found = false; for (unsigned int i = 0; i < enumScope->enumeratorList.size(); ++i) { if (enumScope->enumeratorList[i].value_known && enumScope->enumeratorList[i].value == it->intvalue) { found = true; break; } } if (!found) return &(*it); } return nullptr; } void CheckType::checkEnumMismatch() { if (!_settings->isEnabled("style")) return; for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next()) { // Assigning mismatching value to enum variable if (tok->str() == "=") { if (!tok->astOperand1() || !tok->astOperand2()) continue; const ValueFlow::Value *v = mismatchingValue(tok->astOperand1()->valueType(), tok->astOperand2()->values); if (v) enumMismatchAssignError(tok, *v); } // Comparing enum variable against mismatching value else if (tok->isComparisonOp()) { if (!tok->astOperand1() || !tok->astOperand2()) continue; const ValueFlow::Value * const v1 = mismatchingValue(tok->astOperand1()->valueType(), tok->astOperand2()->values); if (v1) enumMismatchCompareError(tok, *v1); const ValueFlow::Value * const v2 = mismatchingValue(tok->astOperand2()->valueType(), tok->astOperand1()->values); if (v2) enumMismatchCompareError(tok, *v2); } } } void CheckType::enumMismatchAssignError(const Token *tok, const ValueFlow::Value &value) { reportError(tok, Severity::style, "enumMismatch", "Assigning mismatching value " + MathLib::toString(value.intvalue) + " to enum variable."); } void CheckType::enumMismatchCompareError(const Token *tok, const ValueFlow::Value &value) { reportError(tok, Severity::style, "enumMismatch", "Comparing mismatching value " + MathLib::toString(value.intvalue) + " with enum variable."); }