cppcheck/lib/checkother.cpp

3676 lines
170 KiB
C++

/*
* Cppcheck - A tool for static C/C++ code analysis
* Copyright (C) 2007-2022 Cppcheck team.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
//---------------------------------------------------------------------------
#include "checkother.h"
#include "astutils.h"
#include "library.h"
#include "mathlib.h"
#include "settings.h"
#include "standards.h"
#include "symboldatabase.h"
#include "token.h"
#include "tokenize.h"
#include "valueflow.h"
#include "checkuninitvar.h" // CheckUninitVar::isVariableUsage
#include "checkclass.h" // CheckClass::stl_containers_not_const
#include <algorithm> // find_if()
#include <cctype>
#include <list>
#include <map>
#include <memory>
#include <ostream>
#include <set>
#include <type_traits>
#include <utility>
#include <numeric>
//---------------------------------------------------------------------------
// Register this check class (by creating a static instance of it)
namespace {
CheckOther instance;
}
static const struct CWE CWE128(128U); // Wrap-around Error
static const struct CWE CWE131(131U); // Incorrect Calculation of Buffer Size
static const struct CWE CWE197(197U); // Numeric Truncation Error
static const struct CWE CWE362(362U); // Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
static const struct CWE CWE369(369U); // Divide By Zero
static const struct CWE CWE398(398U); // Indicator of Poor Code Quality
static const struct CWE CWE475(475U); // Undefined Behavior for Input to API
static const struct CWE CWE482(482U); // Comparing instead of Assigning
static const struct CWE CWE561(561U); // Dead Code
static const struct CWE CWE563(563U); // Assignment to Variable without Use ('Unused Variable')
static const struct CWE CWE570(570U); // Expression is Always False
static const struct CWE CWE571(571U); // Expression is Always True
static const struct CWE CWE672(672U); // Operation on a Resource after Expiration or Release
static const struct CWE CWE628(628U); // Function Call with Incorrectly Specified Arguments
static const struct CWE CWE683(683U); // Function Call With Incorrect Order of Arguments
static const struct CWE CWE686(686U); // Function Call With Incorrect Argument Type
static const struct CWE CWE704(704U); // Incorrect Type Conversion or Cast
static const struct CWE CWE758(758U); // Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
static const struct CWE CWE768(768U); // Incorrect Short Circuit Evaluation
static const struct CWE CWE783(783U); // Operator Precedence Logic Error
//----------------------------------------------------------------------------------
// The return value of fgetc(), getc(), ungetc(), getchar() etc. is an integer value.
// If this return value is stored in a character variable and then compared
// to EOF, which is an integer, the comparison maybe be false.
//
// Reference:
// - Ticket #160
// - http://www.cplusplus.com/reference/cstdio/fgetc/
// - http://www.cplusplus.com/reference/cstdio/getc/
// - http://www.cplusplus.com/reference/cstdio/getchar/
// - http://www.cplusplus.com/reference/cstdio/ungetc/ ...
//----------------------------------------------------------------------------------
void CheckOther::checkCastIntToCharAndBack()
{
if (!mSettings->severity.isEnabled(Severity::warning))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
std::map<int, std::string> vars;
for (const Token* tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
// Quick check to see if any of the matches below have any chances
if (!Token::Match(tok, "%var%|EOF %comp%|="))
continue;
if (Token::Match(tok, "%var% = fclose|fflush|fputc|fputs|fscanf|getchar|getc|fgetc|putchar|putc|puts|scanf|sscanf|ungetc (")) {
const Variable *var = tok->variable();
if (var && var->typeEndToken()->str() == "char" && !var->typeEndToken()->isSigned()) {
vars[tok->varId()] = tok->strAt(2);
}
} else if (Token::Match(tok, "EOF %comp% ( %var% = fclose|fflush|fputc|fputs|fscanf|getchar|getc|fgetc|putchar|putc|puts|scanf|sscanf|ungetc (")) {
tok = tok->tokAt(3);
const Variable *var = tok->variable();
if (var && var->typeEndToken()->str() == "char" && !var->typeEndToken()->isSigned()) {
checkCastIntToCharAndBackError(tok, tok->strAt(2));
}
} else if (mTokenizer->isCPP() && (Token::Match(tok, "EOF %comp% ( %var% = std :: cin . get (") || Token::Match(tok, "EOF %comp% ( %var% = cin . get ("))) {
tok = tok->tokAt(3);
const Variable *var = tok->variable();
if (var && var->typeEndToken()->str() == "char" && !var->typeEndToken()->isSigned()) {
checkCastIntToCharAndBackError(tok, "cin.get");
}
} else if (mTokenizer->isCPP() && (Token::Match(tok, "%var% = std :: cin . get (") || Token::Match(tok, "%var% = cin . get ("))) {
const Variable *var = tok->variable();
if (var && var->typeEndToken()->str() == "char" && !var->typeEndToken()->isSigned()) {
vars[tok->varId()] = "cin.get";
}
} else if (Token::Match(tok, "%var% %comp% EOF")) {
if (vars.find(tok->varId()) != vars.end()) {
checkCastIntToCharAndBackError(tok, vars[tok->varId()]);
}
} else if (Token::Match(tok, "EOF %comp% %var%")) {
tok = tok->tokAt(2);
if (vars.find(tok->varId()) != vars.end()) {
checkCastIntToCharAndBackError(tok, vars[tok->varId()]);
}
}
}
}
}
void CheckOther::checkCastIntToCharAndBackError(const Token *tok, const std::string &strFunctionName)
{
reportError(
tok,
Severity::warning,
"checkCastIntToCharAndBack",
"$symbol:" + strFunctionName + "\n"
"Storing $symbol() return value in char variable and then comparing with EOF.\n"
"When saving $symbol() return value in char variable there is loss of precision. "
" When $symbol() returns EOF this value is truncated. Comparing the char "
"variable with EOF can have unexpected results. For instance a loop \"while (EOF != (c = $symbol());\" "
"loops forever on some compilers/platforms and on other compilers/platforms it will stop "
"when the file contains a matching character.", CWE197, Certainty::normal
);
}
//---------------------------------------------------------------------------
// Clarify calculation precedence for ternary operators.
//---------------------------------------------------------------------------
void CheckOther::clarifyCalculation()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
// ? operator where lhs is arithmetical expression
if (tok->str() != "?" || !tok->astOperand1() || !tok->astOperand1()->isCalculation())
continue;
if (!tok->astOperand1()->isArithmeticalOp() && tok->astOperand1()->tokType() != Token::eBitOp)
continue;
// non-pointer calculation in lhs and pointer in rhs => no clarification is needed
if (tok->astOperand1()->isBinaryOp() && Token::Match(tok->astOperand1(), "%or%|&|%|*|/") && tok->astOperand2()->valueType() && tok->astOperand2()->valueType()->pointer > 0)
continue;
// bit operation in lhs and char literals in rhs => probably no mistake
if (tok->astOperand1()->tokType() == Token::eBitOp && Token::Match(tok->astOperand2()->astOperand1(), "%char%") && Token::Match(tok->astOperand2()->astOperand2(), "%char%"))
continue;
// 2nd operand in lhs has known integer value => probably no mistake
if (tok->astOperand1()->isBinaryOp() && tok->astOperand1()->astOperand2()->hasKnownIntValue()) {
const Token *op = tok->astOperand1()->astOperand2();
if (op->isNumber())
continue;
if (op->valueType() && op->valueType()->isEnum())
continue;
}
// Is code clarified by parentheses already?
const Token *tok2 = tok->astOperand1();
for (; tok2; tok2 = tok2->next()) {
if (tok2->str() == "(")
tok2 = tok2->link();
else if (tok2->str() == ")")
break;
else if (tok2->str() == "?") {
clarifyCalculationError(tok, tok->astOperand1()->str());
break;
}
}
}
}
}
void CheckOther::clarifyCalculationError(const Token *tok, const std::string &op)
{
// suspicious calculation
const std::string calc("'a" + op + "b?c:d'");
// recommended calculation #1
const std::string s1("'(a" + op + "b)?c:d'");
// recommended calculation #2
const std::string s2("'a" + op + "(b?c:d)'");
reportError(tok,
Severity::style,
"clarifyCalculation",
"Clarify calculation precedence for '" + op + "' and '?'.\n"
"Suspicious calculation. Please use parentheses to clarify the code. "
"The code '" + calc + "' should be written as either '" + s1 + "' or '" + s2 + "'.", CWE783, Certainty::normal);
}
//---------------------------------------------------------------------------
// Clarify (meaningless) statements like *foo++; with parentheses.
//---------------------------------------------------------------------------
void CheckOther::clarifyStatement()
{
if (!mSettings->severity.isEnabled(Severity::warning))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart; tok && tok != scope->bodyEnd; tok = tok->next()) {
if (Token::Match(tok, "* %name%") && tok->astOperand1()) {
const Token *tok2 = tok->previous();
while (tok2 && tok2->str() == "*")
tok2 = tok2->previous();
if (tok2 && !tok2->astParent() && Token::Match(tok2, "[{};]")) {
tok2 = tok->astOperand1();
if (Token::Match(tok2, "++|-- [;,]"))
clarifyStatementError(tok2);
}
}
}
}
}
void CheckOther::clarifyStatementError(const Token *tok)
{
reportError(tok, Severity::warning, "clarifyStatement", "In expression like '*A++' the result of '*' is unused. Did you intend to write '(*A)++;'?\n"
"A statement like '*A++;' might not do what you intended. Postfix 'operator++' is executed before 'operator*'. "
"Thus, the dereference is meaningless. Did you intend to write '(*A)++;'?", CWE783, Certainty::normal);
}
//---------------------------------------------------------------------------
// Check for suspicious occurrences of 'if(); {}'.
//---------------------------------------------------------------------------
void CheckOther::checkSuspiciousSemicolon()
{
if (!mSettings->certainty.isEnabled(Certainty::inconclusive) || !mSettings->severity.isEnabled(Severity::warning))
return;
const SymbolDatabase* const symbolDatabase = mTokenizer->getSymbolDatabase();
// Look for "if(); {}", "for(); {}" or "while(); {}"
for (const Scope &scope : symbolDatabase->scopeList) {
if (scope.type == Scope::eIf || scope.type == Scope::eElse || scope.type == Scope::eWhile || scope.type == Scope::eFor) {
// Ensure the semicolon is at the same line number as the if/for/while statement
// and the {..} block follows it without an extra empty line.
if (Token::simpleMatch(scope.bodyStart, "{ ; } {") &&
scope.bodyStart->previous()->linenr() == scope.bodyStart->tokAt(2)->linenr() &&
scope.bodyStart->linenr()+1 >= scope.bodyStart->tokAt(3)->linenr() &&
!scope.bodyStart->tokAt(3)->isExpandedMacro()) {
suspiciousSemicolonError(scope.classDef);
}
}
}
}
void CheckOther::suspiciousSemicolonError(const Token* tok)
{
reportError(tok, Severity::warning, "suspiciousSemicolon",
"Suspicious use of ; at the end of '" + (tok ? tok->str() : std::string()) + "' statement.", CWE398, Certainty::normal);
}
//---------------------------------------------------------------------------
// For C++ code, warn if C-style casts are used on pointer types
//---------------------------------------------------------------------------
void CheckOther::warningOldStylePointerCast()
{
// Only valid on C++ code
if (!mSettings->severity.isEnabled(Severity::style) || !mTokenizer->isCPP())
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
const Token* tok;
if (scope->function && scope->function->isConstructor())
tok = scope->classDef;
else
tok = scope->bodyStart;
for (; tok && tok != scope->bodyEnd; tok = tok->next()) {
// Old style pointer casting..
if (!Token::Match(tok, "( const|volatile| const|volatile|class|struct| %type% * const|&| ) (| %name%|%num%|%bool%|%char%|%str%"))
continue;
if (Token::Match(tok->previous(), "%type%"))
continue;
// skip first "const" in "const Type* const"
while (Token::Match(tok->next(), "const|volatile|class|struct"))
tok = tok->next();
const Token* typeTok = tok->next();
// skip second "const" in "const Type* const"
if (tok->strAt(3) == "const")
tok = tok->next();
const Token *p = tok->tokAt(4);
if (p->hasKnownIntValue() && p->values().front().intvalue==0) // Casting nullpointers is safe
continue;
if (typeTok->tokType() == Token::eType || typeTok->tokType() == Token::eName)
cstyleCastError(tok);
}
}
}
void CheckOther::cstyleCastError(const Token *tok)
{
reportError(tok, Severity::style, "cstyleCast",
"C-style pointer casting\n"
"C-style pointer casting detected. C++ offers four different kinds of casts as replacements: "
"static_cast, const_cast, dynamic_cast and reinterpret_cast. A C-style cast could evaluate to "
"any of those automatically, thus it is considered safer if the programmer explicitly states "
"which kind of cast is expected. See also: https://www.securecoding.cert.org/confluence/display/cplusplus/EXP05-CPP.+Do+not+use+C-style+casts.", CWE398, Certainty::normal);
}
//---------------------------------------------------------------------------
// float* f; double* d = (double*)f; <-- Pointer cast to a type with an incompatible binary data representation
//---------------------------------------------------------------------------
void CheckOther::invalidPointerCast()
{
if (!mSettings->severity.isEnabled(Severity::portability))
return;
const bool printInconclusive = mSettings->certainty.isEnabled(Certainty::inconclusive);
const SymbolDatabase* const symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
const Token* toTok = nullptr;
const Token* fromTok = nullptr;
// Find cast
if (Token::Match(tok, "( const|volatile| const|volatile| %type% %type%| const| * )")) {
toTok = tok;
fromTok = tok->astOperand1();
} else if (Token::simpleMatch(tok, "reinterpret_cast <") && tok->linkAt(1)) {
toTok = tok->linkAt(1)->next();
fromTok = toTok->astOperand2();
}
if (!fromTok)
continue;
const ValueType* fromType = fromTok->valueType();
const ValueType* toType = toTok->valueType();
if (!fromType || !toType || !fromType->pointer || !toType->pointer)
continue;
if (fromType->type != toType->type && fromType->type >= ValueType::Type::BOOL && toType->type >= ValueType::Type::BOOL && (toType->type != ValueType::Type::CHAR || printInconclusive)) {
if (toType->isIntegral() && fromType->isIntegral())
continue;
invalidPointerCastError(tok, fromType->str(), toType->str(), toType->type == ValueType::Type::CHAR, toType->isIntegral());
}
}
}
}
void CheckOther::invalidPointerCastError(const Token* tok, const std::string& from, const std::string& to, bool inconclusive, bool toIsInt)
{
if (toIsInt) { // If we cast something to int*, this can be useful to play with its binary data representation
reportError(tok, Severity::portability, "invalidPointerCast", "Casting from " + from + " to " + to + " is not portable due to different binary data representations on different platforms.", CWE704, inconclusive ? Certainty::inconclusive : Certainty::normal);
} else
reportError(tok, Severity::portability, "invalidPointerCast", "Casting between " + from + " and " + to + " which have an incompatible binary data representation.", CWE704, Certainty::normal);
}
//---------------------------------------------------------------------------
// This check detects errors on POSIX systems, when a pipe command called
// with a wrong dimensioned file descriptor array. The pipe command requires
// exactly an integer array of dimension two as parameter.
//
// References:
// - http://linux.die.net/man/2/pipe
// - ticket #3521
//---------------------------------------------------------------------------
void CheckOther::checkPipeParameterSize()
{
if (!mSettings->posix())
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
if (Token::Match(tok, "pipe ( %var% )") ||
Token::Match(tok, "pipe2 ( %var% ,")) {
const Token * const varTok = tok->tokAt(2);
const Variable *var = varTok->variable();
MathLib::bigint dim;
if (var && var->isArray() && !var->isArgument() && ((dim=var->dimension(0U)) < 2)) {
const std::string strDim = MathLib::toString(dim);
checkPipeParameterSizeError(varTok,varTok->str(), strDim);
}
}
}
}
}
void CheckOther::checkPipeParameterSizeError(const Token *tok, const std::string &strVarName, const std::string &strDim)
{
reportError(tok, Severity::error,
"wrongPipeParameterSize",
"$symbol:" + strVarName + "\n"
"Buffer '$symbol' must have size of 2 integers if used as parameter of pipe().\n"
"The pipe()/pipe2() system command takes an argument, which is an array of exactly two integers.\n"
"The variable '$symbol' is an array of size " + strDim + ", which does not match.", CWE686, Certainty::safe);
}
//---------------------------------------------------------------------------
// Detect redundant assignments: x = 0; x = 4;
//---------------------------------------------------------------------------
void CheckOther::checkRedundantAssignment()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
const SymbolDatabase* symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope *scope : symbolDatabase->functionScopes) {
if (!scope->bodyStart)
continue;
for (const Token* tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
if (Token::simpleMatch(tok, "] ("))
// todo: handle lambdas
break;
if (Token::simpleMatch(tok, "try {"))
// todo: check try blocks
tok = tok->linkAt(1);
if ((tok->isAssignmentOp() || Token::Match(tok, "++|--")) && tok->astOperand1()) {
if (tok->astParent())
continue;
// Do not warn about redundant initialization when rhs is trivial
// TODO : do not simplify the variable declarations
bool isInitialization = false;
if (Token::Match(tok->tokAt(-2), "; %var% =") && tok->tokAt(-2)->isSplittedVarDeclEq()) {
isInitialization = true;
bool trivial = true;
visitAstNodes(tok->astOperand2(),
[&](const Token *rhs) {
if (Token::simpleMatch(rhs, "{ 0 }"))
return ChildrenToVisit::none;
if (Token::Match(rhs, "%str%|%num%|%name%") && !rhs->varId())
return ChildrenToVisit::none;
if (Token::Match(rhs, ":: %name%") && rhs->hasKnownIntValue())
return ChildrenToVisit::none;
if (rhs->isCast())
return ChildrenToVisit::op2;
trivial = false;
return ChildrenToVisit::done;
});
if (trivial)
continue;
}
const Token* rhs = tok->astOperand2();
// Do not warn about assignment with 0 / NULL
if ((rhs && MathLib::isNullValue(rhs->str())) || isNullOperand(rhs))
continue;
if (tok->astOperand1()->variable() && tok->astOperand1()->variable()->isReference())
// todo: check references
continue;
if (tok->astOperand1()->variable() && tok->astOperand1()->variable()->isStatic())
// todo: check static variables
continue;
bool inconclusive = false;
if (mTokenizer->isCPP() && tok->astOperand1()->valueType()) {
// If there is a custom assignment operator => this is inconclusive
if (tok->astOperand1()->valueType()->typeScope) {
const std::string op = "operator" + tok->str();
for (const Function& f : tok->astOperand1()->valueType()->typeScope->functionList) {
if (f.name() == op) {
inconclusive = true;
break;
}
}
}
// assigning a smart pointer has side effects
if (tok->astOperand1()->valueType()->type == ValueType::SMART_POINTER)
break;
}
if (inconclusive && !mSettings->certainty.isEnabled(Certainty::inconclusive))
continue;
FwdAnalysis fwdAnalysis(mTokenizer->isCPP(), mSettings->library);
if (fwdAnalysis.hasOperand(tok->astOperand2(), tok->astOperand1()))
continue;
// Is there a redundant assignment?
const Token *start;
if (tok->isAssignmentOp())
start = tok->next();
else
start = tok->findExpressionStartEndTokens().second->next();
// Get next assignment..
const Token *nextAssign = fwdAnalysis.reassign(tok->astOperand1(), start, scope->bodyEnd);
if (!nextAssign)
continue;
// there is redundant assignment. Is there a case between the assignments?
bool hasCase = false;
for (const Token *tok2 = tok; tok2 != nextAssign; tok2 = tok2->next()) {
if (tok2->str() == "break" || tok2->str() == "return")
break;
if (tok2->str() == "case") {
hasCase = true;
break;
}
}
// warn
if (hasCase)
redundantAssignmentInSwitchError(tok, nextAssign, tok->astOperand1()->expressionString());
else if (isInitialization)
redundantInitializationError(tok, nextAssign, tok->astOperand1()->expressionString(), inconclusive);
else
redundantAssignmentError(tok, nextAssign, tok->astOperand1()->expressionString(), inconclusive);
}
}
}
}
void CheckOther::redundantCopyError(const Token *tok1, const Token* tok2, const std::string& var)
{
const std::list<const Token *> callstack = { tok1, tok2 };
reportError(callstack, Severity::performance, "redundantCopy",
"$symbol:" + var + "\n"
"Buffer '$symbol' is being written before its old content has been used.", CWE563, Certainty::normal);
}
void CheckOther::redundantCopyInSwitchError(const Token *tok1, const Token* tok2, const std::string &var)
{
const std::list<const Token *> callstack = { tok1, tok2 };
reportError(callstack, Severity::style, "redundantCopyInSwitch",
"$symbol:" + var + "\n"
"Buffer '$symbol' is being written before its old content has been used. 'break;' missing?", CWE563, Certainty::normal);
}
void CheckOther::redundantAssignmentError(const Token *tok1, const Token* tok2, const std::string& var, bool inconclusive)
{
const ErrorPath errorPath = { ErrorPathItem(tok1, var + " is assigned"), ErrorPathItem(tok2, var + " is overwritten") };
if (inconclusive)
reportError(errorPath, Severity::style, "redundantAssignment",
"$symbol:" + var + "\n"
"Variable '$symbol' is reassigned a value before the old one has been used if variable is no semaphore variable.\n"
"Variable '$symbol' is reassigned a value before the old one has been used. Make sure that this variable is not used like a semaphore in a threading environment before simplifying this code.", CWE563, Certainty::inconclusive);
else
reportError(errorPath, Severity::style, "redundantAssignment",
"$symbol:" + var + "\n"
"Variable '$symbol' is reassigned a value before the old one has been used.", CWE563, Certainty::normal);
}
void CheckOther::redundantInitializationError(const Token *tok1, const Token* tok2, const std::string& var, bool inconclusive)
{
const ErrorPath errorPath = { ErrorPathItem(tok1, var + " is initialized"), ErrorPathItem(tok2, var + " is overwritten") };
reportError(errorPath, Severity::style, "redundantInitialization",
"$symbol:" + var + "\nRedundant initialization for '$symbol'. The initialized value is overwritten before it is read.",
CWE563,
inconclusive ? Certainty::inconclusive : Certainty::normal);
}
void CheckOther::redundantAssignmentInSwitchError(const Token *tok1, const Token* tok2, const std::string &var)
{
const ErrorPath errorPath = { ErrorPathItem(tok1, "$symbol is assigned"), ErrorPathItem(tok2, "$symbol is overwritten") };
reportError(errorPath, Severity::style, "redundantAssignInSwitch",
"$symbol:" + var + "\n"
"Variable '$symbol' is reassigned a value before the old one has been used. 'break;' missing?", CWE563, Certainty::normal);
}
//---------------------------------------------------------------------------
// switch (x)
// {
// case 2:
// y = a; // <- this assignment is redundant
// case 3:
// y = b; // <- case 2 falls through and sets y twice
// }
//---------------------------------------------------------------------------
static inline bool isFunctionOrBreakPattern(const Token *tok)
{
if (Token::Match(tok, "%name% (") || Token::Match(tok, "break|continue|return|exit|goto|throw"))
return true;
return false;
}
void CheckOther::checkRedundantAssignmentInSwitch()
{
if (!mSettings->severity.isEnabled(Severity::warning))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
// Find the beginning of a switch. E.g.:
// switch (var) { ...
for (const Scope &switchScope : symbolDatabase->scopeList) {
if (switchScope.type != Scope::eSwitch || !switchScope.bodyStart)
continue;
// Check the contents of the switch statement
std::map<int, const Token*> varsWithBitsSet;
std::map<int, std::string> bitOperations;
for (const Token *tok2 = switchScope.bodyStart->next(); tok2 != switchScope.bodyEnd; tok2 = tok2->next()) {
if (tok2->str() == "{") {
// Inside a conditional or loop. Don't mark variable accesses as being redundant. E.g.:
// case 3: b = 1;
// case 4: if (a) { b = 2; } // Doesn't make the b=1 redundant because it's conditional
if (Token::Match(tok2->previous(), ")|else {") && tok2->link()) {
const Token* endOfConditional = tok2->link();
for (const Token* tok3 = tok2; tok3 != endOfConditional; tok3 = tok3->next()) {
if (tok3->varId() != 0) {
varsWithBitsSet.erase(tok3->varId());
bitOperations.erase(tok3->varId());
} else if (isFunctionOrBreakPattern(tok3)) {
varsWithBitsSet.clear();
bitOperations.clear();
}
}
tok2 = endOfConditional;
}
}
// Variable assignment. Report an error if it's assigned to twice before a break. E.g.:
// case 3: b = 1; // <== redundant
// case 4: b = 2;
if (Token::Match(tok2->previous(), ";|{|}|: %var% = %any% ;")) {
varsWithBitsSet.erase(tok2->varId());
bitOperations.erase(tok2->varId());
}
// Bitwise operation. Report an error if it's performed twice before a break. E.g.:
// case 3: b |= 1; // <== redundant
// case 4: b |= 1;
else if (Token::Match(tok2->previous(), ";|{|}|: %var% %assign% %num% ;") &&
(tok2->strAt(1) == "|=" || tok2->strAt(1) == "&=") &&
Token::Match(tok2->next()->astOperand2(), "%num%")) {
const std::string bitOp = tok2->strAt(1)[0] + tok2->strAt(2);
const std::map<int, const Token*>::const_iterator i2 = varsWithBitsSet.find(tok2->varId());
// This variable has not had a bit operation performed on it yet, so just make a note of it
if (i2 == varsWithBitsSet.end()) {
varsWithBitsSet[tok2->varId()] = tok2;
bitOperations[tok2->varId()] = bitOp;
}
// The same bit operation has been performed on the same variable twice, so report an error
else if (bitOperations[tok2->varId()] == bitOp)
redundantBitwiseOperationInSwitchError(i2->second, i2->second->str());
// A different bit operation was performed on the variable, so clear it
else {
varsWithBitsSet.erase(tok2->varId());
bitOperations.erase(tok2->varId());
}
}
// Bitwise operation. Report an error if it's performed twice before a break. E.g.:
// case 3: b = b | 1; // <== redundant
// case 4: b = b | 1;
else if (Token::Match(tok2->previous(), ";|{|}|: %var% = %name% %or%|& %num% ;") &&
tok2->varId() == tok2->tokAt(2)->varId()) {
const std::string bitOp = tok2->strAt(3) + tok2->strAt(4);
const std::map<int, const Token*>::const_iterator i2 = varsWithBitsSet.find(tok2->varId());
// This variable has not had a bit operation performed on it yet, so just make a note of it
if (i2 == varsWithBitsSet.end()) {
varsWithBitsSet[tok2->varId()] = tok2;
bitOperations[tok2->varId()] = bitOp;
}
// The same bit operation has been performed on the same variable twice, so report an error
else if (bitOperations[tok2->varId()] == bitOp)
redundantBitwiseOperationInSwitchError(i2->second, i2->second->str());
// A different bit operation was performed on the variable, so clear it
else {
varsWithBitsSet.erase(tok2->varId());
bitOperations.erase(tok2->varId());
}
}
// Not a simple assignment so there may be good reason if this variable is assigned to twice. E.g.:
// case 3: b = 1;
// case 4: b++;
else if (tok2->varId() != 0 && tok2->strAt(1) != "|" && tok2->strAt(1) != "&") {
varsWithBitsSet.erase(tok2->varId());
bitOperations.erase(tok2->varId());
}
// Reset our record of assignments if there is a break or function call. E.g.:
// case 3: b = 1; break;
if (isFunctionOrBreakPattern(tok2)) {
varsWithBitsSet.clear();
bitOperations.clear();
}
}
}
}
void CheckOther::redundantBitwiseOperationInSwitchError(const Token *tok, const std::string &varname)
{
reportError(tok, Severity::style,
"redundantBitwiseOperationInSwitch",
"$symbol:" + varname + "\n"
"Redundant bitwise operation on '$symbol' in 'switch' statement. 'break;' missing?");
}
//---------------------------------------------------------------------------
// Check for statements like case A||B: in switch()
//---------------------------------------------------------------------------
void CheckOther::checkSuspiciousCaseInSwitch()
{
if (!mSettings->certainty.isEnabled(Certainty::inconclusive) || !mSettings->severity.isEnabled(Severity::warning))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope & scope : symbolDatabase->scopeList) {
if (scope.type != Scope::eSwitch)
continue;
for (const Token* tok = scope.bodyStart->next(); tok != scope.bodyEnd; tok = tok->next()) {
if (tok->str() == "case") {
const Token* finding = nullptr;
for (const Token* tok2 = tok->next(); tok2; tok2 = tok2->next()) {
if (tok2->str() == ":")
break;
if (Token::Match(tok2, "[;}{]"))
break;
if (tok2->str() == "?")
finding = nullptr;
else if (Token::Match(tok2, "&&|%oror%"))
finding = tok2;
}
if (finding)
suspiciousCaseInSwitchError(finding, finding->str());
}
}
}
}
void CheckOther::suspiciousCaseInSwitchError(const Token* tok, const std::string& operatorString)
{
reportError(tok, Severity::warning, "suspiciousCase",
"Found suspicious case label in switch(). Operator '" + operatorString + "' probably doesn't work as intended.\n"
"Using an operator like '" + operatorString + "' in a case label is suspicious. Did you intend to use a bitwise operator, multiple case labels or if/else instead?", CWE398, Certainty::inconclusive);
}
//---------------------------------------------------------------------------
// Find consecutive return, break, continue, goto or throw statements. e.g.:
// break; break;
// Detect dead code, that follows such a statement. e.g.:
// return(0); foo();
//---------------------------------------------------------------------------
void CheckOther::checkUnreachableCode()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
const bool printInconclusive = mSettings->certainty.isEnabled(Certainty::inconclusive);
const SymbolDatabase* symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart; tok && tok != scope->bodyEnd; tok = tok->next()) {
const Token* secondBreak = nullptr;
const Token* labelName = nullptr;
if (tok->link() && Token::Match(tok, "(|[|<"))
tok = tok->link();
else if (Token::Match(tok, "break|continue ;"))
secondBreak = tok->tokAt(2);
else if (Token::Match(tok, "[;{}:] return|throw") && tok->next()->isKeyword()) {
if (Token::simpleMatch(tok->astParent(), "?"))
continue;
tok = tok->next(); // tok should point to return or throw
for (const Token *tok2 = tok->next(); tok2; tok2 = tok2->next()) {
if (tok2->str() == "(" || tok2->str() == "{")
tok2 = tok2->link();
if (tok2->str() == ";") {
secondBreak = tok2->next();
break;
}
}
} else if (Token::Match(tok, "goto %any% ;")) {
secondBreak = tok->tokAt(3);
labelName = tok->next();
} else if (Token::Match(tok, "%name% (") && mSettings->library.isnoreturn(tok) && !Token::Match(tok->next()->astParent(), "?|:")) {
if ((!tok->function() || (tok->function()->token != tok && tok->function()->tokenDef != tok)) && tok->linkAt(1)->strAt(1) != "{")
secondBreak = tok->linkAt(1)->tokAt(2);
if (Token::simpleMatch(secondBreak, "return")) {
// clarification for tools that function returns
continue;
}
}
// Statements follow directly, no line between them. (#3383)
// TODO: Try to find a better way to avoid false positives due to preprocessor configurations.
const bool inconclusive = secondBreak && (secondBreak->linenr() - 1 > secondBreak->previous()->linenr());
if (secondBreak && (printInconclusive || !inconclusive)) {
if (Token::Match(secondBreak, "continue|goto|throw|return") && secondBreak->isKeyword()) {
duplicateBreakError(secondBreak, inconclusive);
tok = Token::findmatch(secondBreak, "[}:]");
} else if (secondBreak->str() == "break") { // break inside switch as second break statement should not issue a warning
if (tok->str() == "break") // If the previous was a break, too: Issue warning
duplicateBreakError(secondBreak, inconclusive);
else {
if (tok->scope()->type != Scope::eSwitch) // Check, if the enclosing scope is a switch
duplicateBreakError(secondBreak, inconclusive);
}
tok = Token::findmatch(secondBreak, "[}:]");
} else if (!Token::Match(secondBreak, "return|}|case|default") && secondBreak->strAt(1) != ":") { // TODO: No bailout for unconditional scopes
// If the goto label is followed by a loop construct in which the label is defined it's quite likely
// that the goto jump was intended to skip some code on the first loop iteration.
bool labelInFollowingLoop = false;
if (labelName && Token::Match(secondBreak, "while|do|for")) {
const Token *scope2 = Token::findsimplematch(secondBreak, "{");
if (scope2) {
for (const Token *tokIter = scope2; tokIter != scope2->link() && tokIter; tokIter = tokIter->next()) {
if (Token::Match(tokIter, "[;{}] %any% :") && labelName->str() == tokIter->strAt(1)) {
labelInFollowingLoop = true;
break;
}
}
}
}
// hide FP for statements that just hide compiler warnings about unused function arguments
bool silencedCompilerWarningOnly = false;
const Token *silencedWarning = secondBreak;
for (;;) {
if (Token::Match(silencedWarning, "( void ) %name% ;")) {
silencedWarning = silencedWarning->tokAt(5);
continue;
} else if (silencedWarning && silencedWarning == scope->bodyEnd)
silencedCompilerWarningOnly = true;
break;
}
if (silencedWarning)
secondBreak = silencedWarning;
if (!labelInFollowingLoop && !silencedCompilerWarningOnly)
unreachableCodeError(secondBreak, inconclusive);
tok = Token::findmatch(secondBreak, "[}:]");
} else
tok = secondBreak;
if (!tok)
break;
tok = tok->previous(); // Will be advanced again by for loop
}
}
}
}
void CheckOther::duplicateBreakError(const Token *tok, bool inconclusive)
{
reportError(tok, Severity::style, "duplicateBreak",
"Consecutive return, break, continue, goto or throw statements are unnecessary.\n"
"Consecutive return, break, continue, goto or throw statements are unnecessary. "
"The second statement can never be executed, and so should be removed.", CWE561, inconclusive ? Certainty::inconclusive : Certainty::normal);
}
void CheckOther::unreachableCodeError(const Token *tok, bool inconclusive)
{
reportError(tok, Severity::style, "unreachableCode",
"Statements following return, break, continue, goto or throw will never be executed.", CWE561, inconclusive ? Certainty::inconclusive : Certainty::normal);
}
//---------------------------------------------------------------------------
// Check scope of variables..
//---------------------------------------------------------------------------
void CheckOther::checkVariableScope()
{
if (mSettings->clang)
return;
if (!mSettings->severity.isEnabled(Severity::style))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
// In C it is common practice to declare local variables at the
// start of functions.
if (mSettings->daca && mTokenizer->isC())
return;
for (const Variable* var : symbolDatabase->variableList()) {
if (!var || !var->isLocal() || (!var->isPointer() && !var->isReference() && !var->typeStartToken()->isStandardType()))
continue;
if (var->isConst())
continue;
if (mTokenizer->hasIfdef(var->nameToken(), var->scope()->bodyEnd))
continue;
// reference of range for loop variable..
if (Token::Match(var->nameToken()->previous(), "& %var% = %var% .")) {
const Token *otherVarToken = var->nameToken()->tokAt(2);
const Variable *otherVar = otherVarToken->variable();
if (otherVar && Token::Match(otherVar->nameToken(), "%var% :") &&
otherVar->nameToken()->next()->astParent() &&
Token::simpleMatch(otherVar->nameToken()->next()->astParent()->previous(), "for ("))
continue;
}
bool forHead = false; // Don't check variables declared in header of a for loop
for (const Token* tok = var->typeStartToken(); tok; tok = tok->previous()) {
if (tok->str() == "(") {
forHead = true;
break;
} else if (Token::Match(tok, "[;{}]"))
break;
}
if (forHead)
continue;
const Token* tok = var->nameToken()->next();
if (Token::Match(tok, "; %varid% = %any% ;", var->declarationId())) {
tok = tok->tokAt(3);
if (!tok->isNumber() && tok->tokType() != Token::eString && tok->tokType() != Token::eChar && !tok->isBoolean())
continue;
}
// bailout if initialized with function call that has possible side effects
if (Token::Match(tok, "[(=]") && Token::simpleMatch(tok->astOperand2(), "("))
continue;
bool reduce = true;
bool used = false; // Don't warn about unused variables
for (; tok && tok != var->scope()->bodyEnd; tok = tok->next()) {
if (tok->str() == "{" && tok->scope() != tok->previous()->scope() && !tok->isExpandedMacro() && tok->scope()->type != Scope::eLambda) {
if (used) {
bool used2 = false;
if (!checkInnerScope(tok, var, used2) || used2) {
reduce = false;
break;
}
} else if (!checkInnerScope(tok, var, used)) {
reduce = false;
break;
}
tok = tok->link();
// parse else if blocks..
} else if (Token::simpleMatch(tok, "else { if (") && Token::simpleMatch(tok->linkAt(3), ") {")) {
const Token *endif = tok->linkAt(3)->linkAt(1);
bool elseif = false;
if (Token::simpleMatch(endif, "} }"))
elseif = true;
else if (Token::simpleMatch(endif, "} else {") && Token::simpleMatch(endif->linkAt(2),"} }"))
elseif = true;
if (elseif && Token::findmatch(tok->next(), "%varid%", tok->linkAt(1), var->declarationId())) {
reduce = false;
break;
}
} else if (tok->varId() == var->declarationId() || tok->str() == "goto") {
reduce = false;
break;
}
}
if (reduce && used)
variableScopeError(var->nameToken(), var->name());
}
}
bool CheckOther::checkInnerScope(const Token *tok, const Variable* var, bool& used)
{
const Scope* scope = tok->next()->scope();
bool loopVariable = scope->isLoopScope();
bool noContinue = true;
const Token* forHeadEnd = nullptr;
const Token* end = tok->link();
if (scope->type == Scope::eUnconditional && (tok->strAt(-1) == ")" || tok->previous()->isName())) // Might be an unknown macro like BOOST_FOREACH
loopVariable = true;
if (scope->type == Scope::eDo) {
end = end->linkAt(2);
} else if (loopVariable && tok->strAt(-1) == ")") {
tok = tok->linkAt(-1); // Jump to opening ( of for/while statement
} else if (scope->type == Scope::eSwitch) {
for (const Scope* innerScope : scope->nestedList) {
if (used) {
bool used2 = false;
if (!checkInnerScope(innerScope->bodyStart, var, used2) || used2) {
return false;
}
} else if (!checkInnerScope(innerScope->bodyStart, var, used)) {
return false;
}
}
}
bool bFirstAssignment=false;
for (; tok && tok != end; tok = tok->next()) {
if (tok->str() == "goto")
return false;
if (tok->str() == "continue")
noContinue = false;
if (Token::simpleMatch(tok, "for ("))
forHeadEnd = tok->linkAt(1);
if (tok == forHeadEnd)
forHeadEnd = nullptr;
if (loopVariable && noContinue && tok->scope() == scope && !forHeadEnd && scope->type != Scope::eSwitch && Token::Match(tok, "%varid% =", var->declarationId())) { // Assigned in outer scope.
loopVariable = false;
int indent = 0;
for (const Token* tok2 = tok->tokAt(2); tok2; tok2 = tok2->next()) { // Ensure that variable isn't used on right side of =, too
if (tok2->str() == "(")
indent++;
else if (tok2->str() == ")") {
if (indent == 0)
break;
indent--;
} else if (tok2->str() == ";")
break;
else if (tok2->varId() == var->declarationId()) {
loopVariable = true;
break;
}
}
}
if (loopVariable && Token::Match(tok, "%varid% !!=", var->declarationId())) // Variable used in loop
return false;
if (Token::Match(tok, "& %varid%", var->declarationId())) // Taking address of variable
return false;
if (Token::Match(tok, "%varid% =", var->declarationId()))
bFirstAssignment = true;
if (!bFirstAssignment && Token::Match(tok, "* %varid%", var->declarationId())) // dereferencing means access to previous content
return false;
if (Token::Match(tok, "= %varid%", var->declarationId()) && (var->isArray() || var->isPointer())) // Create a copy of array/pointer. Bailout, because the memory it points to might be necessary in outer scope
return false;
if (tok->varId() == var->declarationId()) {
used = true;
if (scope == tok->scope()) {
if (scope->type == Scope::eSwitch)
return false; // Used in outer switch scope - unsafe or impossible to reduce scope
if (scope->bodyStart && scope->bodyStart->isSimplifiedScope())
return false; // simplified if/for/switch init statement
}
}
}
return true;
}
void CheckOther::variableScopeError(const Token *tok, const std::string &varname)
{
reportError(tok,
Severity::style,
"variableScope",
"$symbol:" + varname + "\n"
"The scope of the variable '$symbol' can be reduced.\n"
"The scope of the variable '$symbol' can be reduced. Warning: Be careful "
"when fixing this message, especially when there are inner loops. Here is an "
"example where cppcheck will write that the scope for 'i' can be reduced:\n"
"void f(int x)\n"
"{\n"
" int i = 0;\n"
" if (x) {\n"
" // it's safe to move 'int i = 0;' here\n"
" for (int n = 0; n < 10; ++n) {\n"
" // it is possible but not safe to move 'int i = 0;' here\n"
" do_something(&i);\n"
" }\n"
" }\n"
"}\n"
"When you see this message it is always safe to reduce the variable scope 1 level.", CWE398, Certainty::normal);
}
//---------------------------------------------------------------------------
// Comma in return statement: return a+1, b++;. (experimental)
//---------------------------------------------------------------------------
void CheckOther::checkCommaSeparatedReturn()
{
// This is experimental for now. See #5076
if (!mSettings->certainty.isEnabled(Certainty::experimental))
return;
if (!mSettings->severity.isEnabled(Severity::style))
return;
for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
if (tok->str() == "return") {
tok = tok->next();
while (tok && tok->str() != ";") {
if (tok->link() && Token::Match(tok, "[([{<]"))
tok = tok->link();
if (!tok->isExpandedMacro() && tok->str() == "," && tok->linenr() != tok->next()->linenr())
commaSeparatedReturnError(tok);
tok = tok->next();
}
// bailout: missing semicolon (invalid code / bad tokenizer)
if (!tok)
break;
}
}
}
void CheckOther::commaSeparatedReturnError(const Token *tok)
{
reportError(tok,
Severity::style,
"commaSeparatedReturn",
"Comma is used in return statement. The comma can easily be misread as a ';'.\n"
"Comma is used in return statement. When comma is used in a return statement it can "
"easily be misread as a semicolon. For example in the code below the value "
"of 'b' is returned if the condition is true, but it is easy to think that 'a+1' is "
"returned:\n"
" if (x)\n"
" return a + 1,\n"
" b++;\n"
"However it can be useful to use comma in macros. Cppcheck does not warn when such a "
"macro is then used in a return statement, it is less likely such code is misunderstood.", CWE398, Certainty::normal);
}
//---------------------------------------------------------------------------
// Check for function parameters that should be passed by const reference
//---------------------------------------------------------------------------
static int estimateSize(const Type* type, const Settings* settings, const SymbolDatabase* symbolDatabase, int recursionDepth = 0)
{
if (recursionDepth > 20)
return 0;
int cumulatedSize = 0;
const bool isUnion = type->classScope->type == Scope::ScopeType::eUnion;
// cppcheck-suppress varid0
const auto accumulateSize = [](int& cumulatedSize, int size, bool isUnion) -> void {
if (isUnion)
cumulatedSize = std::max(cumulatedSize, size);
else
cumulatedSize += size;
};
for (const Variable&var : type->classScope->varlist) {
int size = 0;
if (var.isStatic())
continue;
if (var.isPointer() || var.isReference())
size = settings->sizeof_pointer;
else if (var.type() && var.type()->classScope)
size = estimateSize(var.type(), settings, symbolDatabase, recursionDepth+1);
else if (var.valueType()->type == ValueType::Type::CONTAINER)
size = 3 * settings->sizeof_pointer; // Just guess
else
size = symbolDatabase->sizeOfType(var.typeStartToken());
if (var.isArray())
size *= std::accumulate(var.dimensions().begin(), var.dimensions().end(), 1, [](int v, const Dimension& d) {
return v *= d.num;
});
accumulateSize(cumulatedSize, size, isUnion);
}
for (const Type::BaseInfo &baseInfo : type->derivedFrom) {
if (baseInfo.type && baseInfo.type->classScope)
cumulatedSize += estimateSize(baseInfo.type, settings, symbolDatabase, recursionDepth+1);
}
return cumulatedSize;
}
static bool canBeConst(const Variable *var, const Settings* settings)
{
{
// check initializer list. If variable is moved from it can't be const.
const Function* func_scope = var->scope()->function;
if (func_scope->type == Function::Type::eConstructor) {
//could be initialized in initializer list
if (func_scope->arg->link()->next()->str() == ":") {
for (const Token* tok2 = func_scope->arg->link()->next()->next(); tok2 != var->scope()->bodyStart; tok2 = tok2->next()) {
if (tok2->varId() != var->declarationId())
continue;
const Token* parent = tok2->astParent();
if (parent && Token::simpleMatch(parent->previous(), "move ("))
return false;
}
}
}
}
for (const Token* tok2 = var->scope()->bodyStart; tok2 != var->scope()->bodyEnd; tok2 = tok2->next()) {
if (tok2->varId() != var->declarationId())
continue;
const Token* parent = tok2->astParent();
if (!parent)
continue;
if (parent->str() == "<<" || isLikelyStreamRead(true, parent)) {
if (parent->str() == "<<" && parent->astOperand1() == tok2)
return false;
if (parent->str() == ">>" && parent->astOperand2() == tok2)
return false;
} else if (parent->str() == "," || parent->str() == "(") { // function argument
const Token* tok3 = tok2->previous();
int argNr = 0;
while (tok3 && tok3->str() != "(") {
if (tok3->link() && Token::Match(tok3, ")|]|}|>"))
tok3 = tok3->link();
else if (tok3->link())
break;
else if (tok3->str() == ";")
break;
else if (tok3->str() == ",")
argNr++;
tok3 = tok3->previous();
}
if (!tok3 || tok3->str() != "(")
return false;
const Token* functionTok = tok3->astOperand1();
if (!functionTok)
return false;
const Function* tokFunction = functionTok->function();
if (!tokFunction && functionTok->str() == "." && (functionTok = functionTok->astOperand2()))
tokFunction = functionTok->function();
if (tokFunction) {
const Variable* argVar = tokFunction->getArgumentVar(argNr);
if (!argVar || (!argVar->isConst() && argVar->isReference()))
return false;
}
else if (!settings->library.isFunctionConst(functionTok))
return false;
} else if (parent->isUnaryOp("&")) {
// TODO: check how pointer is used
return false;
} else if (parent->isConstOp() ||
(parent->astOperand2() && settings->library.isFunctionConst(parent->astOperand2())))
continue;
else if (parent->isAssignmentOp()) {
if (parent->astOperand1() == tok2)
return false;
const Variable* assignedVar = parent->astOperand1() ? parent->astOperand1()->variable() : nullptr;
if (assignedVar &&
!assignedVar->isConst() &&
assignedVar->isReference() &&
assignedVar->nameToken() == parent->astOperand1())
return false;
} else if (Token::Match(tok2, "%var% . %name% (")) {
const Function* func = tok2->tokAt(2)->function();
if (func && (func->isConst() || func->isStatic()))
continue;
else
return false;
} else
return false;
}
return true;
}
void CheckOther::checkPassByReference()
{
if (!mSettings->severity.isEnabled(Severity::performance) || mTokenizer->isC())
return;
const SymbolDatabase * const symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Variable* var : symbolDatabase->variableList()) {
if (!var || !var->isArgument() || !var->isClass() || var->isPointer() || var->isArray() || var->isReference() || var->isEnumType())
continue;
if (var->scope() && var->scope()->function->arg->link()->strAt(-1) == "...")
continue; // references could not be used as va_start parameters (#5824)
if ((var->declEndToken() && var->declEndToken()->isExternC()) ||
(var->scope() && var->scope()->function && var->scope()->function->tokenDef && var->scope()->function->tokenDef->isExternC()))
continue; // references cannot be used in functions in extern "C" blocks
bool inconclusive = false;
const bool isContainer = var->valueType() && var->valueType()->type == ValueType::Type::CONTAINER && var->valueType()->container && !var->valueType()->container->view;
if (!isContainer) {
if (var->type() && !var->type()->isEnumType()) { // Check if type is a struct or class.
// Ensure that it is a large object.
if (!var->type()->classScope)
inconclusive = true;
else if (estimateSize(var->type(), mSettings, symbolDatabase) <= 2 * mSettings->sizeof_pointer)
continue;
}
else
continue;
}
if (inconclusive && !mSettings->certainty.isEnabled(Certainty::inconclusive))
continue;
const bool isConst = var->isConst();
if (isConst) {
passedByValueError(var->nameToken(), var->name(), inconclusive);
continue;
}
// Check if variable could be const
if (!var->scope() || var->scope()->function->hasVirtualSpecifier())
continue;
if (canBeConst(var, mSettings)) {
passedByValueError(var->nameToken(), var->name(), inconclusive);
}
}
}
void CheckOther::passedByValueError(const Token *tok, const std::string &parname, bool inconclusive)
{
reportError(tok, Severity::performance, "passedByValue",
"$symbol:" + parname + "\n"
"Function parameter '$symbol' should be passed by const reference.\n"
"Parameter '$symbol' is passed by value. It could be passed "
"as a const reference which is usually faster and recommended in C++.", CWE398, inconclusive ? Certainty::inconclusive : Certainty::normal);
}
static bool isUnusedVariable(const Variable *var)
{
if (!var)
return false;
if (!var->scope())
return false;
const Token *start = var->declEndToken();
if (!start)
return false;
if (Token::Match(start, "; %varid% =", var->declarationId()))
start = start->tokAt(2);
return !Token::findmatch(start->next(), "%varid%", var->scope()->bodyEnd, var->declarationId());
}
static bool isVariableMutableInInitializer(const Token* start, const Token * end, nonneg int varid)
{
if (!start)
return false;
if (!end)
return false;
for (const Token *tok = start; tok != end; tok = tok->next()) {
if (tok->varId() != varid)
continue;
if (tok->astParent()) {
const Token * memberTok = tok->astParent()->previous();
if (Token::Match(memberTok, "%var% (") && memberTok->variable()) {
const Variable * memberVar = memberTok->variable();
if (memberVar->isClass())
//TODO: check if the called constructor could live with a const variable
// pending that, assume the worst (that it can't)
return true;
if (!memberVar->isReference())
continue;
if (memberVar->isConst())
continue;
}
return true;
} else {
return true;
}
}
return false;
}
void CheckOther::checkConstVariable()
{
if (!mSettings->severity.isEnabled(Severity::style) || mTokenizer->isC())
return;
const SymbolDatabase *const symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Variable *var : symbolDatabase->variableList()) {
if (!var)
continue;
if (!var->isReference())
continue;
if (var->isRValueReference())
continue;
if (var->isPointer())
continue;
if (var->isConst())
continue;
if (!var->scope())
continue;
const Scope *scope = var->scope();
if (!scope->function)
continue;
const Function *function = scope->function;
if (var->isArgument()) {
if (function->isImplicitlyVirtual() || function->templateDef)
continue;
if (isUnusedVariable(var))
continue;
if (function->isConstructor() && isVariableMutableInInitializer(function->constructorMemberInitialization(), scope->bodyStart, var->declarationId()))
continue;
}
if (var->isGlobal())
continue;
if (var->isStatic())
continue;
if (var->isArray())
continue;
if (var->isEnumType())
continue;
if (var->isVolatile())
continue;
if (isAliased(var))
continue;
if (isVariableChanged(var, mSettings, mTokenizer->isCPP()))
continue;
if (Function::returnsReference(function) && !Function::returnsConst(function)) {
std::vector<const Token*> returns = Function::findReturns(function);
if (std::any_of(returns.begin(), returns.end(), [&](const Token* retTok) {
if (retTok->varId() == var->declarationId())
return true;
while (retTok && retTok->isCast())
retTok = retTok->astOperand2();
while (Token::simpleMatch(retTok, "."))
retTok = retTok->astOperand2();
return hasLifetimeToken(getParentLifetime(retTok), var->nameToken());
}))
continue;
}
// Skip if address is taken
if (Token::findmatch(var->nameToken(), "& %varid%", scope->bodyEnd, var->declarationId()))
continue;
// Skip if another non-const variable is initialized with this variable
{
//Is it the right side of an initialization of a non-const reference
bool usedInAssignment = false;
for (const Token* tok = var->nameToken(); tok != scope->bodyEnd && tok != nullptr; tok = tok->next()) {
if (Token::Match(tok, "& %var% = %varid%", var->declarationId())) {
const Variable* refvar = tok->next()->variable();
if (refvar && !refvar->isConst() && refvar->nameToken() == tok->next()) {
usedInAssignment = true;
break;
}
}
}
if (usedInAssignment)
continue;
}
// Skip if we ever cast this variable to a pointer/reference to a non-const type
{
bool castToNonConst = false;
for (const Token* tok = var->nameToken(); tok != scope->bodyEnd && tok != nullptr; tok = tok->next()) {
if (tok->isCast()) {
if (!tok->valueType()) {
castToNonConst = true; // safe guess
break;
}
bool isConst = 0 != (tok->valueType()->constness & (1 << tok->valueType()->pointer));
if (!isConst) {
castToNonConst = true;
break;
}
}
}
if (castToNonConst)
continue;
}
// Do not warn if struct data is changed
{
bool changeStructData = false;
for (const Token* tok = var->nameToken(); tok != scope->bodyEnd && tok != nullptr; tok = tok->next()) {
if (tok->variable() == var && Token::Match(tok, "%var% .")) {
const Token *parent = tok;
while (Token::simpleMatch(parent->astParent(), ".") && parent == parent->astParent()->astOperand1())
parent = parent->astParent();
if (parent->valueType() &&
parent->valueType()->pointer > 0 &&
parent->valueType()->constness == 0 &&
isVariableChanged(parent, 1, mSettings, mTokenizer->isCPP())) {
changeStructData = true;
break;
}
}
}
if (changeStructData)
continue;
}
// Calling non-const method using non-const reference
if (var->isReference()) {
bool callNonConstMethod = false;
for (const Token* tok = var->nameToken(); tok != scope->bodyEnd && tok != nullptr; tok = tok->next()) {
if (tok->variable() == var) {
if (Token::Match(tok, "%var% . * ( & %name% ::")) {
const Token* ftok = tok->linkAt(3)->previous();
if (!ftok->function() || !ftok->function()->isConst())
callNonConstMethod = true;
break;
}
if (var->isStlType() && Token::Match(tok, "%var% [")) { // containers whose operator[] is non-const
const Token* typeTok = var->typeStartToken() ? var->typeStartToken()->tokAt(2) : nullptr;
const auto& notConst = CheckClass::stl_containers_not_const;
if (typeTok && notConst.find(typeTok->str()) != notConst.end()) {
callNonConstMethod = true;
break;
}
}
}
}
if (callNonConstMethod)
continue;
}
constVariableError(var, function);
}
}
void CheckOther::checkConstPointer()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
std::set<const Variable *> pointers;
std::set<const Variable *> nonConstPointers;
for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
if (!tok->variable())
continue;
if (!tok->variable()->isLocal() && !tok->variable()->isArgument())
continue;
if (tok == tok->variable()->nameToken())
continue;
if (!tok->valueType())
continue;
if (tok->valueType()->pointer == 0 || tok->valueType()->constness > 0)
continue;
if (nonConstPointers.find(tok->variable()) != nonConstPointers.end())
continue;
pointers.insert(tok->variable());
const Token *parent = tok->astParent();
bool deref = false;
if (parent && parent->isUnaryOp("*"))
deref = true;
else if (Token::simpleMatch(parent, "[") && parent->astOperand1() == tok)
deref = true;
if (deref) {
if (Token::Match(parent->astParent(), "%cop%") && !parent->astParent()->isUnaryOp("&") && !parent->astParent()->isUnaryOp("*"))
continue;
if (Token::simpleMatch(parent->astParent(), "return"))
continue;
else if (Token::Match(parent->astParent(), "%assign%") && parent == parent->astParent()->astOperand2()) {
bool takingRef = false;
const Token *lhs = parent->astParent()->astOperand1();
if (lhs && lhs->variable() && lhs->variable()->isReference() && lhs->variable()->nameToken() == lhs)
takingRef = true;
if (!takingRef)
continue;
} else if (Token::simpleMatch(parent->astParent(), "[") && parent->astParent()->astOperand2() == parent)
continue;
} else {
if (Token::Match(parent, "%oror%|%comp%|&&|?|!|-"))
continue;
else if (Token::simpleMatch(parent, "(") && Token::Match(parent->astOperand1(), "if|while"))
continue;
}
nonConstPointers.insert(tok->variable());
}
for (const Variable *p: pointers) {
if (p->isArgument()) {
if (!p->scope() || !p->scope()->function || p->scope()->function->isImplicitlyVirtual(true) || p->scope()->function->hasVirtualSpecifier())
continue;
}
if (nonConstPointers.find(p) == nonConstPointers.end()) {
const Token *start = (p->isArgument()) ? p->scope()->bodyStart : p->nameToken()->next();
const int indirect = p->isArray() ? p->dimensions().size() : 1;
if (isVariableChanged(start, p->scope()->bodyEnd, indirect, p->declarationId(), false, mSettings, mTokenizer->isCPP()))
continue;
constVariableError(p, nullptr);
}
}
}
void CheckOther::constVariableError(const Variable *var, const Function *function)
{
if (!var) {
reportError(nullptr, Severity::style, "constParameter", "Parameter 'x' can be declared with const");
reportError(nullptr, Severity::style, "constVariable", "Variable 'x' can be declared with const");
reportError(nullptr, Severity::style, "constParameterCallback", "Parameter 'x' can be declared with const, however it seems that 'f' is a callback function.");
return;
}
const std::string vartype(var->isArgument() ? "Parameter" : "Variable");
const std::string varname(var->name());
ErrorPath errorPath;
std::string id = "const" + vartype;
std::string message = "$symbol:" + varname + "\n" + vartype + " '$symbol' can be declared with const";
errorPath.push_back(ErrorPathItem(var ? var->nameToken() : nullptr, message));
if (var && var->isArgument() && function && function->functionPointerUsage) {
errorPath.push_front(ErrorPathItem(function->functionPointerUsage, "You might need to cast the function pointer here"));
id += "Callback";
message += ". However it seems that '" + function->name() + "' is a callback function, if '$symbol' is declared with const you might also need to cast function pointer(s).";
}
reportError(errorPath, Severity::style, id.c_str(), message, CWE398, Certainty::normal);
}
//---------------------------------------------------------------------------
// Check usage of char variables..
//---------------------------------------------------------------------------
void CheckOther::checkCharVariable()
{
const bool warning = mSettings->severity.isEnabled(Severity::warning);
const bool portability = mSettings->severity.isEnabled(Severity::portability);
if (!warning && !portability)
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart; tok != scope->bodyEnd; tok = tok->next()) {
if (Token::Match(tok, "%var% [")) {
if (!tok->variable())
continue;
if (!tok->variable()->isArray() && !tok->variable()->isPointer())
continue;
const Token *index = tok->next()->astOperand2();
if (warning && tok->variable()->isArray() && astIsSignedChar(index) && index->getValueGE(0x80, mSettings))
signedCharArrayIndexError(tok);
if (portability && astIsUnknownSignChar(index) && index->getValueGE(0x80, mSettings))
unknownSignCharArrayIndexError(tok);
} else if (warning && Token::Match(tok, "[&|^]") && tok->isBinaryOp()) {
bool warn = false;
if (astIsSignedChar(tok->astOperand1())) {
const ValueFlow::Value *v1 = tok->astOperand1()->getValueLE(-1, mSettings);
const ValueFlow::Value *v2 = tok->astOperand2()->getMaxValue(false);
if (!v1)
v1 = tok->astOperand1()->getValueGE(0x80, mSettings);
if (v1 && !(tok->str() == "&" && v2 && v2->isKnown() && v2->intvalue >= 0 && v2->intvalue < 0x100))
warn = true;
} else if (astIsSignedChar(tok->astOperand2())) {
const ValueFlow::Value *v1 = tok->astOperand2()->getValueLE(-1, mSettings);
const ValueFlow::Value *v2 = tok->astOperand1()->getMaxValue(false);
if (!v1)
v1 = tok->astOperand2()->getValueGE(0x80, mSettings);
if (v1 && !(tok->str() == "&" && v2 && v2->isKnown() && v2->intvalue >= 0 && v2->intvalue < 0x100))
warn = true;
}
// is the result stored in a short|int|long?
if (warn && Token::simpleMatch(tok->astParent(), "=")) {
const Token *lhs = tok->astParent()->astOperand1();
if (lhs && lhs->valueType() && lhs->valueType()->type >= ValueType::Type::SHORT)
charBitOpError(tok); // This is an error..
}
}
}
}
}
void CheckOther::signedCharArrayIndexError(const Token *tok)
{
reportError(tok,
Severity::warning,
"signedCharArrayIndex",
"Signed 'char' type used as array index.\n"
"Signed 'char' type used as array index. If the value "
"can be greater than 127 there will be a buffer underflow "
"because of sign extension.", CWE128, Certainty::normal);
}
void CheckOther::unknownSignCharArrayIndexError(const Token *tok)
{
reportError(tok,
Severity::portability,
"unknownSignCharArrayIndex",
"'char' type used as array index.\n"
"'char' type used as array index. Values greater than 127 will be "
"treated depending on whether 'char' is signed or unsigned on target platform.", CWE758, Certainty::normal);
}
void CheckOther::charBitOpError(const Token *tok)
{
reportError(tok,
Severity::warning,
"charBitOp",
"When using 'char' variables in bit operations, sign extension can generate unexpected results.\n"
"When using 'char' variables in bit operations, sign extension can generate unexpected results. For example:\n"
" char c = 0x80;\n"
" int i = 0 | c;\n"
" if (i & 0x8000)\n"
" printf(\"not expected\");\n"
"The \"not expected\" will be printed on the screen.", CWE398, Certainty::normal);
}
//---------------------------------------------------------------------------
// Incomplete statement..
//---------------------------------------------------------------------------
static bool isType(const Token * tok, bool unknown)
{
if (Token::Match(tok, "%type%"))
return true;
if (Token::simpleMatch(tok, "::"))
return isType(tok->astOperand2(), unknown);
if (Token::simpleMatch(tok, "<") && tok->link())
return true;
if (unknown && Token::Match(tok, "%name% !!("))
return true;
return false;
}
static bool isVarDeclOp(const Token* tok)
{
if (!tok)
return false;
const Token * vartok = tok->astOperand2();
if (vartok && vartok->variable() && vartok->variable()->nameToken() == vartok)
return true;
const Token * typetok = tok->astOperand1();
return isType(typetok, Token::Match(vartok, "%var%"));
}
static bool isConstStatement(const Token *tok, bool cpp)
{
if (!tok)
return false;
if (tok->isExpandedMacro())
return false;
if (Token::Match(tok, "%bool%|%num%|%str%|%char%|nullptr|NULL"))
return true;
if (Token::Match(tok, "%var%"))
return true;
if (Token::Match(tok, "*|&|&&") &&
(Token::Match(tok->previous(), "::|.|const|volatile|restrict") || isVarDeclOp(tok)))
return false;
if (Token::Match(tok, "<<|>>") && !astIsIntegral(tok, false))
return false;
if (Token::Match(tok, "!|~|%cop%") && (tok->astOperand1() || tok->astOperand2()))
return true;
if (Token::simpleMatch(tok->previous(), "sizeof ("))
return true;
if (isCPPCast(tok))
return isWithoutSideEffects(cpp, tok) && isConstStatement(tok->astOperand2(), cpp);
else if (tok->isCast())
return isWithoutSideEffects(cpp, tok->astOperand1()) && isConstStatement(tok->astOperand1(), cpp);
if (Token::Match(tok, "( %type%"))
return isConstStatement(tok->astOperand1(), cpp);
if (Token::simpleMatch(tok, ","))
return isConstStatement(tok->astOperand2(), cpp);
return false;
}
static bool isVoidStmt(const Token *tok)
{
if (Token::simpleMatch(tok, "( void"))
return true;
if (isCPPCast(tok) && tok->astOperand1() && Token::Match(tok->astOperand1()->next(), "< void *| >"))
return true;
const Token *tok2 = tok;
while (tok2->astOperand1())
tok2 = tok2->astOperand1();
if (Token::simpleMatch(tok2->previous(), ")") && Token::simpleMatch(tok2->previous()->link(), "( void"))
return true;
if (Token::simpleMatch(tok2, "( void"))
return true;
return Token::Match(tok2->previous(), "delete|throw|return");
}
static bool isConstTop(const Token *tok)
{
if (!tok)
return false;
if (!tok->astParent())
return true;
if (Token::simpleMatch(tok->astParent(), ";") &&
Token::Match(tok->astTop()->previous(), "for|if (") && Token::simpleMatch(tok->astTop()->astOperand2(), ";")) {
if (Token::simpleMatch(tok->astParent()->astParent(), ";"))
return tok->astParent()->astOperand2() == tok;
else
return tok->astParent()->astOperand1() == tok;
}
return false;
}
void CheckOther::checkIncompleteStatement()
{
if (!mSettings->severity.isEnabled(Severity::warning))
return;
for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
const Scope *scope = tok->scope();
if (scope && !scope->isExecutable())
continue;
if (!isConstTop(tok))
continue;
if (tok->str() == "," && Token::simpleMatch(tok->astTop()->previous(), "for ("))
continue;
// Do not warn for statement when both lhs and rhs has side effects:
// dostuff() || x=213;
if (Token::Match(tok, "%oror%|&&")) {
bool warn = false;
visitAstNodes(tok, [&warn](const Token *child) {
if (Token::Match(child, "%oror%|&&"))
return ChildrenToVisit::op1_and_op2;
if (child->isAssignmentOp())
return ChildrenToVisit::none;
if (child->tokType() == Token::Type::eIncDecOp)
return ChildrenToVisit::none;
if (Token::Match(child->previous(), "%name% ("))
return ChildrenToVisit::none;
warn = true;
return ChildrenToVisit::done;
});
if (!warn)
continue;
}
const Token *rtok = nextAfterAstRightmostLeaf(tok);
if (!Token::simpleMatch(tok->astParent(), ";") && !Token::simpleMatch(rtok, ";") &&
!Token::Match(tok->previous(), ";|}|{ %any% ;") && !(mTokenizer->isCPP() && tok->isCast() && !tok->astParent()))
continue;
// Skip statement expressions
if (Token::simpleMatch(rtok, "; } )"))
continue;
if (!isConstStatement(tok, mTokenizer->isCPP()))
continue;
if (isVoidStmt(tok))
continue;
if (mTokenizer->isCPP() && tok->str() == "&" && !(tok->astOperand1()->valueType() && tok->astOperand1()->valueType()->isIntegral()))
// Possible archive
continue;
bool inconclusive = Token::Match(tok, "%cop%");
if (mSettings->certainty.isEnabled(Certainty::inconclusive) || !inconclusive)
constStatementError(tok, tok->isNumber() ? "numeric" : "string", inconclusive);
}
}
void CheckOther::constStatementError(const Token *tok, const std::string &type, bool inconclusive)
{
const Token *valueTok = tok;
while (valueTok && valueTok->isCast())
valueTok = valueTok->astOperand2() ? valueTok->astOperand2() : valueTok->astOperand1();
std::string msg;
if (Token::simpleMatch(tok, "=="))
msg = "Found suspicious equality comparison. Did you intend to assign a value instead?";
else if (Token::Match(tok, ",|!|~|%cop%"))
msg = "Found suspicious operator '" + tok->str() + "'";
else if (Token::Match(tok, "%var%"))
msg = "Unused variable value '" + tok->str() + "'";
else if (Token::Match(valueTok, "%str%|%num%|%bool%")) {
std::string typeStr("string");
if (valueTok->isNumber())
typeStr = "numeric";
else if (valueTok->isBoolean())
typeStr = "bool";
msg = "Redundant code: Found a statement that begins with " + typeStr + " constant.";
}
else if (!tok)
msg = "Redundant code: Found a statement that begins with " + type + " constant.";
else if (tok->isCast() && tok->tokType() == Token::Type::eExtendedOp) {
msg = "Found unused cast ";
msg += valueTok ? "of expression '" + valueTok->expressionString() + "'." : "expression.";
}
else {
reportError(tok, Severity::debug, "debug", "constStatementError not handled.");
return;
}
reportError(tok, Severity::warning, "constStatement", msg, CWE398, inconclusive ? Certainty::inconclusive : Certainty::normal);
}
//---------------------------------------------------------------------------
// Detect division by zero.
//---------------------------------------------------------------------------
void CheckOther::checkZeroDivision()
{
for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
if (!tok->astOperand2() || !tok->astOperand1())
continue;
if (tok->str() != "%" && tok->str() != "/" && tok->str() != "%=" && tok->str() != "/=")
continue;
if (!tok->valueType() || !tok->valueType()->isIntegral())
continue;
// Value flow..
const ValueFlow::Value *value = tok->astOperand2()->getValue(0LL);
if (value && mSettings->isEnabled(value, false))
zerodivError(tok, value);
}
}
void CheckOther::zerodivError(const Token *tok, const ValueFlow::Value *value)
{
if (!tok && !value) {
reportError(tok, Severity::error, "zerodiv", "Division by zero.", CWE369, Certainty::normal);
reportError(tok, Severity::error, "zerodivcond", ValueFlow::eitherTheConditionIsRedundant(nullptr) + " or there is division by zero.", CWE369, Certainty::normal);
return;
}
const ErrorPath errorPath = getErrorPath(tok, value, "Division by zero");
std::ostringstream errmsg;
if (value->condition) {
const int line = tok ? tok->linenr() : 0;
errmsg << ValueFlow::eitherTheConditionIsRedundant(value->condition)
<< " or there is division by zero at line " << line << ".";
} else
errmsg << "Division by zero.";
reportError(errorPath,
value->errorSeverity() ? Severity::error : Severity::warning,
value->condition ? "zerodivcond" : "zerodiv",
errmsg.str(), CWE369, value->isInconclusive() ? Certainty::inconclusive : Certainty::normal);
}
//---------------------------------------------------------------------------
// Check for NaN (not-a-number) in an arithmetic expression, e.g.
// double d = 1.0 / 0.0 + 100.0;
//---------------------------------------------------------------------------
void CheckOther::checkNanInArithmeticExpression()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
if (tok->str() != "/")
continue;
if (!Token::Match(tok->astParent(), "[+-]"))
continue;
if (Token::simpleMatch(tok->astOperand2(), "0.0"))
nanInArithmeticExpressionError(tok);
}
}
void CheckOther::nanInArithmeticExpressionError(const Token *tok)
{
reportError(tok, Severity::style, "nanInArithmeticExpression",
"Using NaN/Inf in a computation.\n"
"Using NaN/Inf in a computation. "
"Although nothing bad really happens, it is suspicious.", CWE369, Certainty::normal);
}
//---------------------------------------------------------------------------
// Creating instance of classes which are destroyed immediately
//---------------------------------------------------------------------------
void CheckOther::checkMisusedScopedObject()
{
// Skip this check for .c files
if (mTokenizer->isC())
return;
if (!mSettings->severity.isEnabled(Severity::style))
return;
const SymbolDatabase * const symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token *tok = scope->bodyStart; tok && tok != scope->bodyEnd; tok = tok->next()) {
if ((tok->next()->type() || (tok->next()->function() && tok->next()->function()->isConstructor())) // TODO: The rhs of || should be removed; It is a workaround for a symboldatabase bug
&& Token::Match(tok, "[;{}] %name% (")
&& Token::Match(tok->linkAt(2), ") ; !!}")
&& (!tok->next()->function() || // is not a function on this scope
tok->next()->function()->isConstructor())) { // or is function in this scope and it's a ctor
tok = tok->next();
misusedScopeObjectError(tok, tok->str());
tok = tok->next();
}
}
}
}
void CheckOther::misusedScopeObjectError(const Token *tok, const std::string& varname)
{
reportError(tok, Severity::style,
"unusedScopedObject",
"$symbol:" + varname + "\n"
"Instance of '$symbol' object is destroyed immediately.", CWE563, Certainty::normal);
}
static const Token * getSingleExpressionInBlock(const Token * tok)
{
if (!tok)
return nullptr;
const Token * top = tok->astTop();
if (!top)
return nullptr;
const Token * nextExpression = nextAfterAstRightmostLeaf(top);
if (!Token::simpleMatch(nextExpression, "; }"))
return nullptr;
return top;
}
//-----------------------------------------------------------------------------
// check for duplicate code in if and else branches
// if (a) { b = true; } else { b = true; }
//-----------------------------------------------------------------------------
void CheckOther::checkDuplicateBranch()
{
// This is inconclusive since in practice most warnings are noise:
// * There can be unfixed low-priority todos. The code is fine as it
// is but it could be possible to enhance it. Writing a warning
// here is noise since the code is fine (see cppcheck, abiword, ..)
// * There can be overspecified code so some conditions can't be true
// and their conditional code is a duplicate of the condition that
// is always true just in case it would be false. See for instance
// abiword.
if (!mSettings->severity.isEnabled(Severity::style) || !mSettings->certainty.isEnabled(Certainty::inconclusive))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope & scope : symbolDatabase->scopeList) {
if (scope.type != Scope::eIf)
continue;
// check all the code in the function for if (..) else
if (Token::simpleMatch(scope.bodyEnd, "} else {")) {
// Make sure there are no macros (different macros might be expanded
// to the same code)
bool macro = false;
for (const Token *tok = scope.bodyStart; tok != scope.bodyEnd->linkAt(2); tok = tok->next()) {
if (tok->isExpandedMacro()) {
macro = true;
break;
}
}
if (macro)
continue;
// save if branch code
const std::string branch1 = scope.bodyStart->next()->stringifyList(scope.bodyEnd);
if (branch1.empty())
continue;
// save else branch code
const std::string branch2 = scope.bodyEnd->tokAt(3)->stringifyList(scope.bodyEnd->linkAt(2));
ErrorPath errorPath;
// check for duplicates
if (branch1 == branch2) {
duplicateBranchError(scope.classDef, scope.bodyEnd->next(), errorPath);
continue;
}
// check for duplicates using isSameExpression
const Token * branchTop1 = getSingleExpressionInBlock(scope.bodyStart->next());
const Token * branchTop2 = getSingleExpressionInBlock(scope.bodyEnd->tokAt(3));
if (!branchTop1 || !branchTop2)
continue;
if (branchTop1->str() != branchTop2->str())
continue;
if (isSameExpression(mTokenizer->isCPP(), false, branchTop1->astOperand1(), branchTop2->astOperand1(), mSettings->library, true, true, &errorPath) &&
isSameExpression(mTokenizer->isCPP(), false, branchTop1->astOperand2(), branchTop2->astOperand2(), mSettings->library, true, true, &errorPath))
duplicateBranchError(scope.classDef, scope.bodyEnd->next(), errorPath);
}
}
}
void CheckOther::duplicateBranchError(const Token *tok1, const Token *tok2, ErrorPath errors)
{
errors.emplace_back(tok2, "");
errors.emplace_back(tok1, "");
reportError(errors, Severity::style, "duplicateBranch", "Found duplicate branches for 'if' and 'else'.\n"
"Finding the same code in an 'if' and related 'else' branch is suspicious and "
"might indicate a cut and paste or logic error. Please examine this code "
"carefully to determine if it is correct.", CWE398, Certainty::inconclusive);
}
//-----------------------------------------------------------------------------
// Check for a free() of an invalid address
// char* p = malloc(100);
// free(p + 10);
//-----------------------------------------------------------------------------
void CheckOther::checkInvalidFree()
{
std::map<int, bool> inconclusive;
std::map<int, std::string> allocation;
const bool printInconclusive = mSettings->certainty.isEnabled(Certainty::inconclusive);
const SymbolDatabase* symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
// Keep track of which variables were assigned addresses to newly-allocated memory
if (Token::Match(tok, "%var% = malloc|g_malloc|new")) {
allocation.insert(std::make_pair(tok->varId(), tok->strAt(2)));
inconclusive.insert(std::make_pair(tok->varId(), false));
}
// If a previously-allocated pointer is incremented or decremented, any subsequent
// free involving pointer arithmetic may or may not be invalid, so we should only
// report an inconclusive result.
else if (Token::Match(tok, "%var% = %name% +|-") &&
tok->varId() == tok->tokAt(2)->varId() &&
allocation.find(tok->varId()) != allocation.end()) {
if (printInconclusive)
inconclusive[tok->varId()] = true;
else {
allocation.erase(tok->varId());
inconclusive.erase(tok->varId());
}
}
// If a previously-allocated pointer is assigned a completely new value,
// we can't know if any subsequent free() on that pointer is valid or not.
else if (Token::Match(tok, "%var% =")) {
allocation.erase(tok->varId());
inconclusive.erase(tok->varId());
}
// If a variable that was previously assigned a newly-allocated memory location is
// added or subtracted from when used to free the memory, report an error.
else if (Token::Match(tok, "free|g_free|delete ( %any% +|-") ||
Token::Match(tok, "delete [ ] ( %any% +|-") ||
Token::Match(tok, "delete %any% +|- %any%")) {
const int varIndex = tok->strAt(1) == "(" ? 2 :
tok->strAt(3) == "(" ? 4 : 1;
const int var1 = tok->tokAt(varIndex)->varId();
const int var2 = tok->tokAt(varIndex + 2)->varId();
const std::map<int, bool>::const_iterator alloc1 = inconclusive.find(var1);
const std::map<int, bool>::const_iterator alloc2 = inconclusive.find(var2);
if (alloc1 != inconclusive.end()) {
invalidFreeError(tok, allocation[var1], alloc1->second);
} else if (alloc2 != inconclusive.end()) {
invalidFreeError(tok, allocation[var2], alloc2->second);
}
}
// If the previously-allocated variable is passed in to another function
// as a parameter, it might be modified, so we shouldn't report an error
// if it is later used to free memory
else if (Token::Match(tok, "%name% (") && !mSettings->library.isFunctionConst(tok->str(), true)) {
const Token* tok2 = Token::findmatch(tok->next(), "%var%", tok->linkAt(1));
while (tok2 != nullptr) {
allocation.erase(tok->varId());
inconclusive.erase(tok2->varId());
tok2 = Token::findmatch(tok2->next(), "%var%", tok->linkAt(1));
}
}
}
}
}
void CheckOther::invalidFreeError(const Token *tok, const std::string &allocation, bool inconclusive)
{
std::string alloc = allocation;
if (alloc != "new")
alloc += "()";
std::string deallocated = (alloc == "new") ? "deleted" : "freed";
reportError(tok, Severity::error, "invalidFree", "Mismatching address is " + deallocated + ". The address you get from " + alloc + " must be " + deallocated + " without offset.", CWE(0U), inconclusive ? Certainty::inconclusive : Certainty::normal);
}
//---------------------------------------------------------------------------
// check for the same expression on both sides of an operator
// (x == x), (x && x), (x || x)
// (x.y == x.y), (x.y && x.y), (x.y || x.y)
//---------------------------------------------------------------------------
namespace {
bool notconst(const Function* func)
{
return !func->isConst();
}
void getConstFunctions(const SymbolDatabase *symbolDatabase, std::list<const Function*> &constFunctions)
{
for (const Scope &scope : symbolDatabase->scopeList) {
// only add const functions that do not have a non-const overloaded version
// since it is pretty much impossible to tell which is being called.
using StringFunctionMap = std::map<std::string, std::list<const Function*>>;
StringFunctionMap functionsByName;
for (const Function &func : scope.functionList) {
functionsByName[func.tokenDef->str()].push_back(&func);
}
for (std::pair<const std::string, std::list<const Function*>>& it : functionsByName) {
const std::list<const Function*>::const_iterator nc = std::find_if(it.second.begin(), it.second.end(), notconst);
if (nc == it.second.end()) {
// ok to add all of them
constFunctions.splice(constFunctions.end(), it.second);
}
}
}
}
}
void CheckOther::checkDuplicateExpression()
{
const bool styleEnabled = mSettings->severity.isEnabled(Severity::style);
const bool warningEnabled = mSettings->severity.isEnabled(Severity::warning);
if (!styleEnabled && !warningEnabled)
return;
// Parse all executing scopes..
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
std::list<const Function*> constFunctions;
getConstFunctions(symbolDatabase, constFunctions);
for (const Scope *scope : symbolDatabase->functionScopes) {
for (const Token *tok = scope->bodyStart; tok != scope->bodyEnd; tok = tok->next()) {
if (tok->str() == "=" && Token::Match(tok->astOperand1(), "%var%")) {
const Token * endStatement = Token::findsimplematch(tok, ";");
if (Token::Match(endStatement, "; %type% %var% ;")) {
endStatement = endStatement->tokAt(4);
}
if (Token::Match(endStatement, "%var% %assign%")) {
const Token * nextAssign = endStatement->tokAt(1);
const Token * var1 = tok->astOperand1();
const Token * var2 = nextAssign->astOperand1();
if (var1 && var2 &&
Token::Match(var1->previous(), ";|{|} %var%") &&
Token::Match(var2->previous(), ";|{|} %var%") &&
var2->valueType() && var1->valueType() &&
var2->valueType()->originalTypeName == var1->valueType()->originalTypeName &&
var2->valueType()->pointer == var1->valueType()->pointer &&
var2->valueType()->constness == var1->valueType()->constness &&
var2->varId() != var1->varId() && (
tok->astOperand2()->isArithmeticalOp() ||
tok->astOperand2()->str() == "." ||
Token::Match(tok->astOperand2()->previous(), "%name% (")
) &&
tok->next()->tokType() != Token::eType &&
isSameExpression(mTokenizer->isCPP(), true, tok->next(), nextAssign->next(), mSettings->library, true, false) &&
isSameExpression(mTokenizer->isCPP(), true, tok->astOperand2(), nextAssign->astOperand2(), mSettings->library, true, false) &&
tok->astOperand2()->expressionString() == nextAssign->astOperand2()->expressionString()) {
bool differentDomain = false;
const Scope * varScope = var1->scope() ? var1->scope() : scope;
for (const Token *assignTok = Token::findsimplematch(var2, ";"); assignTok && assignTok != varScope->bodyEnd; assignTok = assignTok->next()) {
if (!Token::Match(assignTok, "%assign%|%comp%"))
continue;
if (!assignTok->astOperand1())
continue;
if (!assignTok->astOperand2())
continue;
if (assignTok->astOperand1()->varId() != var1->varId() &&
assignTok->astOperand1()->varId() != var2->varId() &&
!isSameExpression(mTokenizer->isCPP(),
true,
tok->astOperand2(),
assignTok->astOperand1(),
mSettings->library,
true,
true))
continue;
if (assignTok->astOperand2()->varId() != var1->varId() &&
assignTok->astOperand2()->varId() != var2->varId() &&
!isSameExpression(mTokenizer->isCPP(),
true,
tok->astOperand2(),
assignTok->astOperand2(),
mSettings->library,
true,
true))
continue;
differentDomain = true;
break;
}
if (!differentDomain && !isUniqueExpression(tok->astOperand2()))
duplicateAssignExpressionError(var1, var2, false);
else if (mSettings->certainty.isEnabled(Certainty::inconclusive))
duplicateAssignExpressionError(var1, var2, true);
}
}
}
ErrorPath errorPath;
if (tok->isOp() && tok->astOperand1() && !Token::Match(tok, "+|*|<<|>>|+=|*=|<<=|>>=")) {
if (Token::Match(tok, "==|!=|-") && astIsFloat(tok->astOperand1(), true))
continue;
const bool pointerDereference = (tok->astOperand1() && tok->astOperand1()->isUnaryOp("*")) ||
(tok->astOperand2() && tok->astOperand2()->isUnaryOp("*"));
const bool followVar = (!isConstVarExpression(tok) || Token::Match(tok, "%comp%|%oror%|&&")) && !pointerDereference;
if (isSameExpression(mTokenizer->isCPP(),
true,
tok->astOperand1(),
tok->astOperand2(),
mSettings->library,
true,
followVar,
&errorPath)) {
if (isWithoutSideEffects(mTokenizer->isCPP(), tok->astOperand1())) {
const bool assignment = tok->str() == "=";
if (assignment && warningEnabled)
selfAssignmentError(tok, tok->astOperand1()->expressionString());
else if (styleEnabled) {
if (mTokenizer->isCPP() && mSettings->standards.cpp >= Standards::CPP11 && tok->str() == "==") {
const Token* parent = tok->astParent();
while (parent && parent->astParent()) {
parent = parent->astParent();
}
if (parent && parent->previous() && parent->previous()->str() == "static_assert") {
continue;
}
}
duplicateExpressionError(tok->astOperand1(), tok->astOperand2(), tok, errorPath);
}
}
} else if (tok->str() == "=" && Token::simpleMatch(tok->astOperand2(), "=") &&
isSameExpression(mTokenizer->isCPP(),
false,
tok->astOperand1(),
tok->astOperand2()->astOperand1(),
mSettings->library,
true,
false)) {
if (warningEnabled && isWithoutSideEffects(mTokenizer->isCPP(), tok->astOperand1())) {
selfAssignmentError(tok, tok->astOperand1()->expressionString());
}
} else if (styleEnabled &&
isOppositeExpression(mTokenizer->isCPP(),
tok->astOperand1(),
tok->astOperand2(),
mSettings->library,
false,
true,
&errorPath) &&
!Token::Match(tok, "=|-|-=|/|/=") &&
isWithoutSideEffects(mTokenizer->isCPP(), tok->astOperand1())) {
oppositeExpressionError(tok, errorPath);
} else if (!Token::Match(tok, "[-/%]")) { // These operators are not associative
if (styleEnabled && tok->astOperand2() && tok->str() == tok->astOperand1()->str() &&
isSameExpression(mTokenizer->isCPP(),
true,
tok->astOperand2(),
tok->astOperand1()->astOperand2(),
mSettings->library,
true,
followVar,
&errorPath) &&
isWithoutSideEffects(mTokenizer->isCPP(), tok->astOperand2()))
duplicateExpressionError(tok->astOperand2(), tok->astOperand1()->astOperand2(), tok, errorPath);
else if (tok->astOperand2() && isConstExpression(tok->astOperand1(), mSettings->library, true, mTokenizer->isCPP())) {
const Token *ast1 = tok->astOperand1();
while (ast1 && tok->str() == ast1->str()) {
if (isSameExpression(mTokenizer->isCPP(), true, ast1->astOperand1(), tok->astOperand2(), mSettings->library, true, true, &errorPath) &&
isWithoutSideEffects(mTokenizer->isCPP(), ast1->astOperand1()) &&
isWithoutSideEffects(mTokenizer->isCPP(), ast1->astOperand2()))
// Probably the message should be changed to 'duplicate expressions X in condition or something like that'.
duplicateExpressionError(ast1->astOperand1(), tok->astOperand2(), tok, errorPath);
ast1 = ast1->astOperand1();
}
}
}
} else if (styleEnabled && tok->astOperand1() && tok->astOperand2() && tok->str() == ":" && tok->astParent() && tok->astParent()->str() == "?") {
if (!isVariableChanged(tok->astParent(), /*indirect*/ 0, mSettings, mTokenizer->isCPP()) && !tok->astOperand1()->values().empty() && !tok->astOperand2()->values().empty() && isEqualKnownValue(tok->astOperand1(), tok->astOperand2()))
duplicateValueTernaryError(tok);
else if (isSameExpression(mTokenizer->isCPP(), true, tok->astOperand1(), tok->astOperand2(), mSettings->library, false, true, &errorPath))
duplicateExpressionTernaryError(tok, errorPath);
}
}
}
}
void CheckOther::oppositeExpressionError(const Token *opTok, ErrorPath errors)
{
errors.emplace_back(opTok, "");
const std::string& op = opTok ? opTok->str() : "&&";
reportError(errors, Severity::style, "oppositeExpression", "Opposite expression on both sides of \'" + op + "\'.\n"
"Finding the opposite expression on both sides of an operator is suspicious and might "
"indicate a cut and paste or logic error. Please examine this code carefully to "
"determine if it is correct.", CWE398, Certainty::normal);
}
void CheckOther::duplicateExpressionError(const Token *tok1, const Token *tok2, const Token *opTok, ErrorPath errors)
{
errors.emplace_back(opTok, "");
const std::string& expr1 = tok1 ? tok1->expressionString() : "x";
const std::string& expr2 = tok2 ? tok2->expressionString() : "x";
const std::string& op = opTok ? opTok->str() : "&&";
std::string msg = "Same expression on both sides of \'" + op + "\'";
const char *id = "duplicateExpression";
if (expr1 != expr2 && (!opTok || !opTok->isArithmeticalOp())) {
id = "knownConditionTrueFalse";
std::string exprMsg = "The comparison \'" + expr1 + " " + op + " " + expr2 + "\' is always ";
if (Token::Match(opTok, "==|>=|<="))
msg = exprMsg + "true";
else if (Token::Match(opTok, "!=|>|<"))
msg = exprMsg + "false";
if (!Token::Match(tok1, "%num%|NULL|nullptr") && !Token::Match(tok2, "%num%|NULL|nullptr"))
msg += " because '" + expr1 + "' and '" + expr2 + "' represent the same value";
}
reportError(errors, Severity::style, id, msg + ".\n"
"Finding the same expression on both sides of an operator is suspicious and might "
"indicate a cut and paste or logic error. Please examine this code carefully to "
"determine if it is correct.", CWE398, Certainty::normal);
}
void CheckOther::duplicateAssignExpressionError(const Token *tok1, const Token *tok2, bool inconclusive)
{
const std::list<const Token *> toks = { tok2, tok1 };
const std::string& var1 = tok1 ? tok1->str() : "x";
const std::string& var2 = tok2 ? tok2->str() : "x";
reportError(toks, Severity::style, "duplicateAssignExpression",
"Same expression used in consecutive assignments of '" + var1 + "' and '" + var2 + "'.\n"
"Finding variables '" + var1 + "' and '" + var2 + "' that are assigned the same expression "
"is suspicious and might indicate a cut and paste or logic error. Please examine this code carefully to "
"determine if it is correct.", CWE398, inconclusive ? Certainty::inconclusive : Certainty::normal);
}
void CheckOther::duplicateExpressionTernaryError(const Token *tok, ErrorPath errors)
{
errors.emplace_back(tok, "");
reportError(errors, Severity::style, "duplicateExpressionTernary", "Same expression in both branches of ternary operator.\n"
"Finding the same expression in both branches of ternary operator is suspicious as "
"the same code is executed regardless of the condition.", CWE398, Certainty::normal);
}
void CheckOther::duplicateValueTernaryError(const Token *tok)
{
reportError(tok, Severity::style, "duplicateValueTernary", "Same value in both branches of ternary operator.\n"
"Finding the same value in both branches of ternary operator is suspicious as "
"the same code is executed regardless of the condition.", CWE398, Certainty::normal);
}
void CheckOther::selfAssignmentError(const Token *tok, const std::string &varname)
{
reportError(tok, Severity::warning,
"selfAssignment",
"$symbol:" + varname + "\n"
"Redundant assignment of '$symbol' to itself.", CWE398, Certainty::normal);
}
//-----------------------------------------------------------------------------
// Check is a comparison of two variables leads to condition, which is
// always true or false.
// For instance: int a = 1; if(isless(a,a)){...}
// In this case isless(a,a) always evaluates to false.
//
// Reference:
// - http://www.cplusplus.com/reference/cmath/
//-----------------------------------------------------------------------------
void CheckOther::checkComparisonFunctionIsAlwaysTrueOrFalse()
{
if (!mSettings->severity.isEnabled(Severity::warning))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
if (tok->isName() && Token::Match(tok, "isgreater|isless|islessgreater|isgreaterequal|islessequal ( %var% , %var% )")) {
const int varidLeft = tok->tokAt(2)->varId();// get the left varid
const int varidRight = tok->tokAt(4)->varId();// get the right varid
// compare varids: if they are not zero but equal
// --> the comparison function is called with the same variables
if (varidLeft == varidRight) {
const std::string& functionName = tok->str(); // store function name
const std::string& varNameLeft = tok->strAt(2); // get the left variable name
if (functionName == "isgreater" || functionName == "isless" || functionName == "islessgreater") {
// e.g.: isgreater(x,x) --> (x)>(x) --> false
checkComparisonFunctionIsAlwaysTrueOrFalseError(tok, functionName, varNameLeft, false);
} else { // functionName == "isgreaterequal" || functionName == "islessequal"
// e.g.: isgreaterequal(x,x) --> (x)>=(x) --> true
checkComparisonFunctionIsAlwaysTrueOrFalseError(tok, functionName, varNameLeft, true);
}
}
}
}
}
}
void CheckOther::checkComparisonFunctionIsAlwaysTrueOrFalseError(const Token* tok, const std::string &functionName, const std::string &varName, const bool result)
{
const std::string strResult = result ? "true" : "false";
const struct CWE cweResult = result ? CWE571 : CWE570;
reportError(tok, Severity::warning, "comparisonFunctionIsAlwaysTrueOrFalse",
"$symbol:" + functionName + "\n"
"Comparison of two identical variables with $symbol(" + varName + "," + varName + ") always evaluates to " + strResult + ".\n"
"The function $symbol is designed to compare two variables. Calling this function with one variable (" + varName + ") "
"for both parameters leads to a statement which is always " + strResult + ".", cweResult, Certainty::normal);
}
//---------------------------------------------------------------------------
// Check testing sign of unsigned variables and pointers.
//---------------------------------------------------------------------------
void CheckOther::checkSignOfUnsignedVariable()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
// check all the code in the function
for (const Token *tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
const ValueFlow::Value *zeroValue = nullptr;
const Token *nonZeroExpr = nullptr;
if (comparisonNonZeroExpressionLessThanZero(tok, &zeroValue, &nonZeroExpr)) {
const ValueType* vt = nonZeroExpr->valueType();
if (vt->pointer)
pointerLessThanZeroError(tok, zeroValue);
else
unsignedLessThanZeroError(tok, zeroValue, nonZeroExpr->expressionString());
} else if (testIfNonZeroExpressionIsPositive(tok, &zeroValue, &nonZeroExpr)) {
const ValueType* vt = nonZeroExpr->valueType();
if (vt->pointer)
pointerPositiveError(tok, zeroValue);
else
unsignedPositiveError(tok, zeroValue, nonZeroExpr->expressionString());
}
}
}
}
bool CheckOther::comparisonNonZeroExpressionLessThanZero(const Token *tok, const ValueFlow::Value **zeroValue, const Token **nonZeroExpr)
{
if (!tok->isComparisonOp() || !tok->astOperand1() || !tok->astOperand2())
return false;
const ValueFlow::Value *v1 = tok->astOperand1()->getValue(0);
const ValueFlow::Value *v2 = tok->astOperand2()->getValue(0);
if (Token::Match(tok, "<|<=") && v2 && v2->isKnown()) {
*zeroValue = v2;
*nonZeroExpr = tok->astOperand1();
} else if (Token::Match(tok, ">|>=") && v1 && v1->isKnown()) {
*zeroValue = v1;
*nonZeroExpr = tok->astOperand2();
} else {
return false;
}
const ValueType* vt = (*nonZeroExpr)->valueType();
return vt && (vt->pointer || vt->sign == ValueType::UNSIGNED);
}
bool CheckOther::testIfNonZeroExpressionIsPositive(const Token *tok, const ValueFlow::Value **zeroValue, const Token **nonZeroExpr)
{
if (!tok->isComparisonOp() || !tok->astOperand1() || !tok->astOperand2())
return false;
const ValueFlow::Value *v1 = tok->astOperand1()->getValue(0);
const ValueFlow::Value *v2 = tok->astOperand2()->getValue(0);
if (Token::simpleMatch(tok, ">=") && v2 && v2->isKnown()) {
*zeroValue = v2;
*nonZeroExpr = tok->astOperand1();
} else if (Token::simpleMatch(tok, "<=") && v1 && v1->isKnown()) {
*zeroValue = v1;
*nonZeroExpr = tok->astOperand2();
} else {
return false;
}
const ValueType* vt = (*nonZeroExpr)->valueType();
return vt && (vt->pointer || vt->sign == ValueType::UNSIGNED);
}
void CheckOther::unsignedLessThanZeroError(const Token *tok, const ValueFlow::Value * v, const std::string &varname)
{
reportError(getErrorPath(tok, v, "Unsigned less than zero"), Severity::style, "unsignedLessThanZero",
"$symbol:" + varname + "\n"
"Checking if unsigned expression '$symbol' is less than zero.\n"
"The unsigned expression '$symbol' will never be negative so it "
"is either pointless or an error to check if it is.", CWE570, Certainty::normal);
}
void CheckOther::pointerLessThanZeroError(const Token *tok, const ValueFlow::Value *v)
{
reportError(getErrorPath(tok, v, "Pointer less than zero"), Severity::style, "pointerLessThanZero",
"A pointer can not be negative so it is either pointless or an error to check if it is.", CWE570, Certainty::normal);
}
void CheckOther::unsignedPositiveError(const Token *tok, const ValueFlow::Value * v, const std::string &varname)
{
reportError(getErrorPath(tok, v, "Unsigned positive"), Severity::style, "unsignedPositive",
"$symbol:" + varname + "\n"
"Unsigned expression '$symbol' can't be negative so it is unnecessary to test it.", CWE570, Certainty::normal);
}
void CheckOther::pointerPositiveError(const Token *tok, const ValueFlow::Value * v)
{
reportError(getErrorPath(tok, v, "Pointer positive"), Severity::style, "pointerPositive",
"A pointer can not be negative so it is either pointless or an error to check if it is not.", CWE570, Certainty::normal);
}
/* check if a constructor in given class scope takes a reference */
static bool constructorTakesReference(const Scope * const classScope)
{
for (const Function &constructor : classScope->functionList) {
if (constructor.isConstructor()) {
for (int argnr = 0U; argnr < constructor.argCount(); argnr++) {
const Variable * const argVar = constructor.getArgumentVar(argnr);
if (argVar && argVar->isReference()) {
return true;
}
}
}
}
return false;
}
//---------------------------------------------------------------------------
// This check rule works for checking the "const A a = getA()" usage when getA() returns "const A &" or "A &".
// In most scenarios, "const A & a = getA()" will be more efficient.
//---------------------------------------------------------------------------
void CheckOther::checkRedundantCopy()
{
if (!mSettings->severity.isEnabled(Severity::performance) || mTokenizer->isC() || !mSettings->certainty.isEnabled(Certainty::inconclusive))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Variable* var : symbolDatabase->variableList()) {
if (!var || var->isReference() || !var->isConst() || var->isPointer() || (!var->type() && !var->isStlType())) // bailout if var is of standard type, if it is a pointer or non-const
continue;
const Token* startTok = var->nameToken();
if (startTok->strAt(1) == "=") // %type% %name% = ... ;
;
else if (startTok->strAt(1) == "(" && var->isClass() && var->typeScope()) {
// Object is instantiated. Warn if constructor takes arguments by value.
if (constructorTakesReference(var->typeScope()))
continue;
} else
continue;
const Token* tok = startTok->next()->astOperand2();
if (!tok)
continue;
if (!Token::Match(tok->previous(), "%name% ("))
continue;
if (!Token::Match(tok->link(), ") )| ;")) // bailout for usage like "const A a = getA()+3"
continue;
const Function* func = tok->previous()->function();
if (func && func->tokenDef->strAt(-1) == "&") {
redundantCopyError(startTok, startTok->str());
}
}
}
void CheckOther::redundantCopyError(const Token *tok,const std::string& varname)
{
reportError(tok, Severity::performance, "redundantCopyLocalConst",
"$symbol:" + varname + "\n"
"Use const reference for '$symbol' to avoid unnecessary data copying.\n"
"The const variable '$symbol' is assigned a copy of the data. You can avoid "
"the unnecessary data copying by converting '$symbol' to const reference.",
CWE398,
Certainty::inconclusive); // since #5618 that check became inconclusive
}
//---------------------------------------------------------------------------
// Checking for shift by negative values
//---------------------------------------------------------------------------
static bool isNegative(const Token *tok, const Settings *settings)
{
return tok->valueType() && tok->valueType()->sign == ValueType::SIGNED && tok->getValueLE(-1LL, settings);
}
void CheckOther::checkNegativeBitwiseShift()
{
const bool portability = mSettings->severity.isEnabled(Severity::portability);
for (const Token* tok = mTokenizer->tokens(); tok; tok = tok->next()) {
if (!tok->astOperand1() || !tok->astOperand2())
continue;
if (!Token::Match(tok, "<<|>>|<<=|>>="))
continue;
// don't warn if lhs is a class. this is an overloaded operator then
if (mTokenizer->isCPP()) {
const ValueType * lhsType = tok->astOperand1()->valueType();
if (!lhsType || !lhsType->isIntegral())
continue;
}
// bailout if operation is protected by ?:
bool ternary = false;
for (const Token *parent = tok; parent; parent = parent->astParent()) {
if (Token::Match(parent, "?|:")) {
ternary = true;
break;
}
}
if (ternary)
continue;
// Get negative rhs value. preferably a value which doesn't have 'condition'.
if (portability && isNegative(tok->astOperand1(), mSettings))
negativeBitwiseShiftError(tok, 1);
else if (isNegative(tok->astOperand2(), mSettings))
negativeBitwiseShiftError(tok, 2);
}
}
void CheckOther::negativeBitwiseShiftError(const Token *tok, int op)
{
if (op == 1)
// LHS - this is used by intention in various software, if it
// is used often in a project and works as expected then this is
// a portability issue
reportError(tok, Severity::portability, "shiftNegativeLHS", "Shifting a negative value is technically undefined behaviour", CWE758, Certainty::normal);
else // RHS
reportError(tok, Severity::error, "shiftNegative", "Shifting by a negative value is undefined behaviour", CWE758, Certainty::normal);
}
//---------------------------------------------------------------------------
// Check for incompletely filled buffers.
//---------------------------------------------------------------------------
void CheckOther::checkIncompleteArrayFill()
{
if (!mSettings->certainty.isEnabled(Certainty::inconclusive))
return;
const bool printWarning = mSettings->severity.isEnabled(Severity::warning);
const bool printPortability = mSettings->severity.isEnabled(Severity::portability);
if (!printPortability && !printWarning)
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
if (Token::Match(tok, "memset|memcpy|memmove ( %var% ,") && Token::Match(tok->linkAt(1)->tokAt(-2), ", %num% )")) {
const Variable *var = tok->tokAt(2)->variable();
if (!var || !var->isArray() || var->dimensions().empty() || !var->dimension(0))
continue;
if (MathLib::toLongNumber(tok->linkAt(1)->strAt(-1)) == var->dimension(0)) {
int size = mTokenizer->sizeOfType(var->typeStartToken());
if (size == 0 && var->valueType()->pointer)
size = mSettings->sizeof_pointer;
else if (size == 0 && var->type())
size = estimateSize(var->type(), mSettings, symbolDatabase);
if ((size != 1 && size != 100 && size != 0) || var->isPointer()) {
if (printWarning)
incompleteArrayFillError(tok, var->name(), tok->str(), false);
} else if (var->valueType()->type == ValueType::Type::BOOL && printPortability) // sizeof(bool) is not 1 on all platforms
incompleteArrayFillError(tok, var->name(), tok->str(), true);
}
}
}
}
}
void CheckOther::incompleteArrayFillError(const Token* tok, const std::string& buffer, const std::string& function, bool boolean)
{
if (boolean)
reportError(tok, Severity::portability, "incompleteArrayFill",
"$symbol:" + buffer + "\n"
"$symbol:" + function + "\n"
"Array '" + buffer + "' might be filled incompletely. Did you forget to multiply the size given to '" + function + "()' with 'sizeof(*" + buffer + ")'?\n"
"The array '" + buffer + "' is filled incompletely. The function '" + function + "()' needs the size given in bytes, but the type 'bool' is larger than 1 on some platforms. Did you forget to multiply the size with 'sizeof(*" + buffer + ")'?", CWE131, Certainty::inconclusive);
else
reportError(tok, Severity::warning, "incompleteArrayFill",
"$symbol:" + buffer + "\n"
"$symbol:" + function + "\n"
"Array '" + buffer + "' is filled incompletely. Did you forget to multiply the size given to '" + function + "()' with 'sizeof(*" + buffer + ")'?\n"
"The array '" + buffer + "' is filled incompletely. The function '" + function + "()' needs the size given in bytes, but an element of the given array is larger than one byte. Did you forget to multiply the size with 'sizeof(*" + buffer + ")'?", CWE131, Certainty::inconclusive);
}
//---------------------------------------------------------------------------
// Detect NULL being passed to variadic function.
//---------------------------------------------------------------------------
void CheckOther::checkVarFuncNullUB()
{
if (!mSettings->severity.isEnabled(Severity::portability))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
for (const Token* tok = scope->bodyStart; tok != scope->bodyEnd; tok = tok->next()) {
// Is NULL passed to a function?
if (Token::Match(tok,"[(,] NULL [,)]")) {
// Locate function name in this function call.
const Token *ftok = tok;
int argnr = 1;
while (ftok && ftok->str() != "(") {
if (ftok->str() == ")")
ftok = ftok->link();
else if (ftok->str() == ",")
++argnr;
ftok = ftok->previous();
}
ftok = ftok ? ftok->previous() : nullptr;
if (ftok && ftok->isName()) {
// If this is a variadic function then report error
const Function *f = ftok->function();
if (f && f->argCount() <= argnr) {
const Token *tok2 = f->argDef;
tok2 = tok2 ? tok2->link() : nullptr; // goto ')'
if (tok2 && Token::simpleMatch(tok2->tokAt(-1), "..."))
varFuncNullUBError(tok);
}
}
}
}
}
}
void CheckOther::varFuncNullUBError(const Token *tok)
{
reportError(tok,
Severity::portability,
"varFuncNullUB",
"Passing NULL after the last typed argument to a variadic function leads to undefined behaviour.\n"
"Passing NULL after the last typed argument to a variadic function leads to undefined behaviour.\n"
"The C99 standard, in section 7.15.1.1, states that if the type used by va_arg() is not compatible with the type of the actual next argument (as promoted according to the default argument promotions), the behavior is undefined.\n"
"The value of the NULL macro is an implementation-defined null pointer constant (7.17), which can be any integer constant expression with the value 0, or such an expression casted to (void*) (6.3.2.3). This includes values like 0, 0L, or even 0LL.\n"
"In practice on common architectures, this will cause real crashes if sizeof(int) != sizeof(void*), and NULL is defined to 0 or any other null pointer constant that promotes to int.\n"
"To reproduce you might be able to use this little code example on 64bit platforms. If the output includes \"ERROR\", the sentinel had only 4 out of 8 bytes initialized to zero and was not detected as the final argument to stop argument processing via va_arg(). Changing the 0 to (void*)0 or 0L will make the \"ERROR\" output go away.\n"
"#include <stdarg.h>\n"
"#include <stdio.h>\n"
"\n"
"void f(char *s, ...) {\n"
" va_list ap;\n"
" va_start(ap,s);\n"
" for (;;) {\n"
" char *p = va_arg(ap,char*);\n"
" printf(\"%018p, %s\\n\", p, (long)p & 255 ? p : \"\");\n"
" if(!p) break;\n"
" }\n"
" va_end(ap);\n"
"}\n"
"\n"
"void g() {\n"
" char *s2 = \"x\";\n"
" char *s3 = \"ERROR\";\n"
"\n"
" // changing 0 to 0L for the 7th argument (which is intended to act as sentinel) makes the error go away on x86_64\n"
" f(\"first\", s2, s2, s2, s2, s2, 0, s3, (char*)0);\n"
"}\n"
"\n"
"void h() {\n"
" int i;\n"
" volatile unsigned char a[1000];\n"
" for (i = 0; i<sizeof(a); i++)\n"
" a[i] = -1;\n"
"}\n"
"\n"
"int main() {\n"
" h();\n"
" g();\n"
" return 0;\n"
"}", CWE475, Certainty::normal);
}
void CheckOther::checkRedundantPointerOp()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
if (tok->isExpandedMacro() && tok->str() == "(")
tok = tok->link();
if (!tok->isUnaryOp("&") || !tok->astOperand1()->isUnaryOp("*"))
continue;
// variable
const Token *varTok = tok->astOperand1()->astOperand1();
if (!varTok || varTok->isExpandedMacro())
continue;
const Variable *var = varTok->variable();
if (!var || !var->isPointer())
continue;
redundantPointerOpError(tok, var->name(), false);
}
}
void CheckOther::redundantPointerOpError(const Token* tok, const std::string &varname, bool inconclusive)
{
reportError(tok, Severity::style, "redundantPointerOp",
"$symbol:" + varname + "\n"
"Redundant pointer operation on '$symbol' - it's already a pointer.", CWE398, inconclusive ? Certainty::inconclusive : Certainty::normal);
}
void CheckOther::checkInterlockedDecrement()
{
if (!mSettings->isWindowsPlatform()) {
return;
}
for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
if (tok->isName() && Token::Match(tok, "InterlockedDecrement ( & %name% ) ; if ( %name%|!|0")) {
const Token* interlockedVarTok = tok->tokAt(3);
const Token* checkStartTok = interlockedVarTok->tokAt(5);
if ((Token::Match(checkStartTok, "0 %comp% %name% )") && checkStartTok->strAt(2) == interlockedVarTok->str()) ||
(Token::Match(checkStartTok, "! %name% )") && checkStartTok->strAt(1) == interlockedVarTok->str()) ||
(Token::Match(checkStartTok, "%name% )") && checkStartTok->str() == interlockedVarTok->str()) ||
(Token::Match(checkStartTok, "%name% %comp% 0 )") && checkStartTok->str() == interlockedVarTok->str())) {
raceAfterInterlockedDecrementError(checkStartTok);
}
} else if (Token::Match(tok, "if ( ::| InterlockedDecrement ( & %name%")) {
const Token* condEnd = tok->next()->link();
const Token* funcTok = tok->tokAt(2);
const Token* firstAccessTok = funcTok->str() == "::" ? funcTok->tokAt(4) : funcTok->tokAt(3);
if (condEnd && condEnd->next() && condEnd->next()->link()) {
const Token* ifEndTok = condEnd->next()->link();
if (Token::Match(ifEndTok, "} return %name%")) {
const Token* secondAccessTok = ifEndTok->tokAt(2);
if (secondAccessTok->str() == firstAccessTok->str()) {
raceAfterInterlockedDecrementError(secondAccessTok);
}
} else if (Token::Match(ifEndTok, "} else { return %name%")) {
const Token* secondAccessTok = ifEndTok->tokAt(4);
if (secondAccessTok->str() == firstAccessTok->str()) {
raceAfterInterlockedDecrementError(secondAccessTok);
}
}
}
}
}
}
void CheckOther::raceAfterInterlockedDecrementError(const Token* tok)
{
reportError(tok, Severity::error, "raceAfterInterlockedDecrement",
"Race condition: non-interlocked access after InterlockedDecrement(). Use InterlockedDecrement() return value instead.", CWE362, Certainty::normal);
}
void CheckOther::checkUnusedLabel()
{
if (!mSettings->severity.isEnabled(Severity::style) && !mSettings->severity.isEnabled(Severity::warning))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
const bool hasIfdef = mTokenizer->hasIfdef(scope->bodyStart, scope->bodyEnd);
for (const Token* tok = scope->bodyStart; tok != scope->bodyEnd; tok = tok->next()) {
if (!tok->scope()->isExecutable())
tok = tok->scope()->bodyEnd;
if (Token::Match(tok, "{|}|; %name% :") && tok->strAt(1) != "default") {
const std::string tmp("goto " + tok->strAt(1));
if (!Token::findsimplematch(scope->bodyStart->next(), tmp.c_str(), tmp.size(), scope->bodyEnd->previous()))
unusedLabelError(tok->next(), tok->next()->scope()->type == Scope::eSwitch, hasIfdef);
}
}
}
}
void CheckOther::unusedLabelError(const Token* tok, bool inSwitch, bool hasIfdef)
{
if (tok && !mSettings->severity.isEnabled(inSwitch ? Severity::warning : Severity::style))
return;
std::string id = "unusedLabel";
if (inSwitch)
id += "Switch";
if (hasIfdef)
id += "Configuration";
std::string msg = "$symbol:" + (tok ? tok->str() : emptyString) + "\nLabel '$symbol' is not used.";
if (hasIfdef)
msg += " There is #if in function body so the label might be used in code that is removed by the preprocessor.";
if (inSwitch)
msg += " Should this be a 'case' of the enclosing switch()?";
reportError(tok,
inSwitch ? Severity::warning : Severity::style,
id,
msg,
CWE398,
Certainty::normal);
}
void CheckOther::checkEvaluationOrder()
{
// This checker is not written according to C++11 sequencing rules
if (mTokenizer->isCPP() && mSettings->standards.cpp >= Standards::CPP11)
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * functionScope : symbolDatabase->functionScopes) {
for (const Token* tok = functionScope->bodyStart; tok != functionScope->bodyEnd; tok = tok->next()) {
if (!Token::Match(tok, "++|--") && !tok->isAssignmentOp())
continue;
if (!tok->astOperand1())
continue;
for (const Token *tok2 = tok;; tok2 = tok2->astParent()) {
// If ast parent is a sequence point then break
const Token * const parent = tok2->astParent();
if (!parent)
break;
if (Token::Match(parent, "%oror%|&&|?|:|;"))
break;
if (parent->str() == ",") {
const Token *par = parent;
while (Token::simpleMatch(par,","))
par = par->astParent();
// not function or in a while clause => break
if (!(par && par->str() == "(" && par->astOperand2() && par->strAt(-1) != "while"))
break;
// control flow (if|while|etc) => break
if (Token::simpleMatch(par->link(),") {"))
break;
// sequence point in function argument: dostuff((1,2),3) => break
par = par->next();
while (par && (par->previous() != parent))
par = par->nextArgument();
if (!par)
break;
}
if (parent->str() == "(" && parent->astOperand2())
break;
// self assignment..
if (tok2 == tok &&
tok->str() == "=" &&
parent->str() == "=" &&
isSameExpression(mTokenizer->isCPP(), false, tok->astOperand1(), parent->astOperand1(), mSettings->library, true, false)) {
if (mSettings->severity.isEnabled(Severity::warning) &&
isSameExpression(mTokenizer->isCPP(), true, tok->astOperand1(), parent->astOperand1(), mSettings->library, true, false))
selfAssignmentError(parent, tok->astOperand1()->expressionString());
break;
}
// Is expression used?
bool foundError = false;
visitAstNodes((parent->astOperand1() != tok2) ? parent->astOperand1() : parent->astOperand2(),
[&](const Token *tok3) {
if (tok3->str() == "&" && !tok3->astOperand2())
return ChildrenToVisit::none; // don't handle address-of for now
if (tok3->str() == "(" && Token::simpleMatch(tok3->previous(), "sizeof"))
return ChildrenToVisit::none; // don't care about sizeof usage
if (isSameExpression(mTokenizer->isCPP(), false, tok->astOperand1(), tok3, mSettings->library, true, false))
foundError = true;
return foundError ? ChildrenToVisit::done : ChildrenToVisit::op1_and_op2;
});
if (foundError) {
unknownEvaluationOrder(parent);
break;
}
}
}
}
}
void CheckOther::unknownEvaluationOrder(const Token* tok)
{
reportError(tok, Severity::error, "unknownEvaluationOrder",
"Expression '" + (tok ? tok->expressionString() : std::string("x = x++;")) + "' depends on order of evaluation of side effects", CWE768, Certainty::normal);
}
void CheckOther::checkAccessOfMovedVariable()
{
if (!mTokenizer->isCPP() || mSettings->standards.cpp < Standards::CPP11 || !mSettings->severity.isEnabled(Severity::warning))
return;
CheckUninitVar checkUninitVar(mTokenizer, mSettings, mErrorLogger);
const bool reportInconclusive = mSettings->certainty.isEnabled(Certainty::inconclusive);
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope * scope : symbolDatabase->functionScopes) {
const Token * scopeStart = scope->bodyStart;
if (scope->function) {
const Token * memberInitializationStart = scope->function->constructorMemberInitialization();
if (memberInitializationStart)
scopeStart = memberInitializationStart;
}
for (const Token* tok = scopeStart->next(); tok != scope->bodyEnd; tok = tok->next()) {
const ValueFlow::Value * movedValue = tok->getMovedValue();
if (!movedValue || movedValue->moveKind == ValueFlow::Value::MoveKind::NonMovedVariable)
continue;
if (movedValue->isInconclusive() && !reportInconclusive)
continue;
bool inconclusive = false;
bool accessOfMoved = false;
if (tok->strAt(1) == ".") {
if (tok->next()->originalName() == "->")
accessOfMoved = true;
else
inconclusive = true;
} else {
const bool variableChanged = isVariableChangedByFunctionCall(tok, 0, mSettings, &inconclusive);
accessOfMoved = !variableChanged && checkUninitVar.isVariableUsage(tok, false, CheckUninitVar::NO_ALLOC);
if (inconclusive) {
accessOfMoved = !isMovedParameterAllowedForInconclusiveFunction(tok);
if (accessOfMoved)
inconclusive = false;
}
}
if (accessOfMoved || (inconclusive && reportInconclusive))
accessMovedError(tok, tok->str(), movedValue, inconclusive || movedValue->isInconclusive());
}
}
}
bool CheckOther::isMovedParameterAllowedForInconclusiveFunction(const Token * tok)
{
if (Token::simpleMatch(tok->tokAt(-4), "std :: move ("))
return false;
const Token * tokAtM2 = tok->tokAt(-2);
if (Token::simpleMatch(tokAtM2, "> (") && tokAtM2->link()) {
const Token * leftAngle = tokAtM2->link();
if (Token::simpleMatch(leftAngle->tokAt(-3), "std :: forward <"))
return false;
}
return true;
}
void CheckOther::accessMovedError(const Token *tok, const std::string &varname, const ValueFlow::Value *value, bool inconclusive)
{
if (!tok) {
reportError(tok, Severity::warning, "accessMoved", "Access of moved variable 'v'.", CWE672, Certainty::normal);
reportError(tok, Severity::warning, "accessForwarded", "Access of forwarded variable 'v'.", CWE672, Certainty::normal);
return;
}
const char * errorId = nullptr;
std::string kindString;
switch (value->moveKind) {
case ValueFlow::Value::MoveKind::MovedVariable:
errorId = "accessMoved";
kindString = "moved";
break;
case ValueFlow::Value::MoveKind::ForwardedVariable:
errorId = "accessForwarded";
kindString = "forwarded";
break;
default:
return;
}
const std::string errmsg("$symbol:" + varname + "\nAccess of " + kindString + " variable '$symbol'.");
const ErrorPath errorPath = getErrorPath(tok, value, errmsg);
reportError(errorPath, Severity::warning, errorId, errmsg, CWE672, inconclusive ? Certainty::inconclusive : Certainty::normal);
}
void CheckOther::checkFuncArgNamesDifferent()
{
const bool style = mSettings->severity.isEnabled(Severity::style);
const bool inconclusive = mSettings->certainty.isEnabled(Certainty::inconclusive);
const bool warning = mSettings->severity.isEnabled(Severity::warning);
if (!(warning || (style && inconclusive)))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
// check every function
for (const Scope *scope : symbolDatabase->functionScopes) {
const Function * function = scope->function;
// only check functions with arguments
if (!function || function->argCount() == 0)
continue;
// only check functions with separate declarations and definitions
if (function->argDef == function->arg)
continue;
// get the function argument name tokens
std::vector<const Token *> declarations(function->argCount());
std::vector<const Token *> definitions(function->argCount());
const Token * decl = function->argDef->next();
for (int j = 0; j < function->argCount(); ++j) {
declarations[j] = nullptr;
definitions[j] = nullptr;
// get the definition
const Variable * variable = function->getArgumentVar(j);
if (variable) {
definitions[j] = variable->nameToken();
}
// get the declaration (search for first token with varId)
while (decl && !Token::Match(decl, ",|)|;")) {
// skip everything after the assignment because
// it could also have a varId or be the first
// token with a varId if there is no name token
if (decl->str() == "=") {
decl = decl->nextArgument();
break;
}
// skip over template
if (decl->link())
decl = decl->link();
else if (decl->varId())
declarations[j] = decl;
decl = decl->next();
}
if (Token::simpleMatch(decl, ","))
decl = decl->next();
}
// check for different argument order
if (warning) {
bool order_different = false;
for (int j = 0; j < function->argCount(); ++j) {
if (!declarations[j] || !definitions[j] || declarations[j]->str() == definitions[j]->str())
continue;
for (int k = 0; k < function->argCount(); ++k) {
if (j != k && definitions[k] && declarations[j]->str() == definitions[k]->str()) {
order_different = true;
break;
}
}
}
if (order_different) {
funcArgOrderDifferent(function->name(), function->argDef->next(), function->arg->next(), declarations, definitions);
continue;
}
}
// check for different argument names
if (style && inconclusive) {
for (int j = 0; j < function->argCount(); ++j) {
if (declarations[j] && definitions[j] && declarations[j]->str() != definitions[j]->str())
funcArgNamesDifferent(function->name(), j, declarations[j], definitions[j]);
}
}
}
}
void CheckOther::funcArgNamesDifferent(const std::string & functionName, nonneg int index,
const Token* declaration, const Token* definition)
{
std::list<const Token *> tokens = { declaration,definition };
reportError(tokens, Severity::style, "funcArgNamesDifferent",
"$symbol:" + functionName + "\n"
"Function '$symbol' argument " + MathLib::toString(index + 1) + " names different: declaration '" +
(declaration ? declaration->str() : std::string("A")) + "' definition '" +
(definition ? definition->str() : std::string("B")) + "'.", CWE628, Certainty::inconclusive);
}
void CheckOther::funcArgOrderDifferent(const std::string & functionName,
const Token* declaration, const Token* definition,
const std::vector<const Token *> & declarations,
const std::vector<const Token *> & definitions)
{
std::list<const Token *> tokens = {
declarations.size() ? declarations[0] ? declarations[0] : declaration : nullptr,
definitions.size() ? definitions[0] ? definitions[0] : definition : nullptr
};
std::string msg = "$symbol:" + functionName + "\nFunction '$symbol' argument order different: declaration '";
for (int i = 0; i < declarations.size(); ++i) {
if (i != 0)
msg += ", ";
if (declarations[i])
msg += declarations[i]->str();
}
msg += "' definition '";
for (int i = 0; i < definitions.size(); ++i) {
if (i != 0)
msg += ", ";
if (definitions[i])
msg += definitions[i]->str();
}
msg += "'";
reportError(tokens, Severity::warning, "funcArgOrderDifferent", msg, CWE683, Certainty::normal);
}
static const Token *findShadowed(const Scope *scope, const std::string &varname, int linenr)
{
if (!scope)
return nullptr;
for (const Variable &var : scope->varlist) {
if (scope->isExecutable() && var.nameToken()->linenr() > linenr)
continue;
if (var.name() == varname)
return var.nameToken();
}
for (const Function &f : scope->functionList) {
if (f.type == Function::Type::eFunction && f.name() == varname)
return f.tokenDef;
}
if (scope->type == Scope::eLambda)
return nullptr;
const Token* shadowed = findShadowed(scope->nestedIn, varname, linenr);
if (!shadowed)
shadowed = findShadowed(scope->functionOf, varname, linenr);
return shadowed;
}
void CheckOther::checkShadowVariables()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope & scope : symbolDatabase->scopeList) {
if (!scope.isExecutable() || scope.type == Scope::eLambda)
continue;
const Scope *functionScope = &scope;
while (functionScope && functionScope->type != Scope::ScopeType::eFunction && functionScope->type != Scope::ScopeType::eLambda)
functionScope = functionScope->nestedIn;
for (const Variable &var : scope.varlist) {
if (var.nameToken() && var.nameToken()->isExpandedMacro()) // #8903
continue;
if (functionScope && functionScope->type == Scope::ScopeType::eFunction && functionScope->function) {
bool shadowArg = false;
for (const Variable &arg : functionScope->function->argumentList) {
if (arg.nameToken() && var.name() == arg.name()) {
shadowError(var.nameToken(), arg.nameToken(), "argument");
shadowArg = true;
break;
}
}
if (shadowArg)
continue;
}
const Token *shadowed = findShadowed(scope.nestedIn, var.name(), var.nameToken()->linenr());
if (!shadowed)
shadowed = findShadowed(scope.functionOf, var.name(), var.nameToken()->linenr());
if (!shadowed)
continue;
if (scope.type == Scope::eFunction && scope.className == var.name())
continue;
if (functionScope->function && functionScope->function->isStatic() && shadowed->variable() && !shadowed->variable()->isLocal())
continue;
shadowError(var.nameToken(), shadowed, (shadowed->varId() != 0) ? "variable" : "function");
}
}
}
void CheckOther::shadowError(const Token *var, const Token *shadowed, std::string type)
{
ErrorPath errorPath;
errorPath.push_back(ErrorPathItem(shadowed, "Shadowed declaration"));
errorPath.push_back(ErrorPathItem(var, "Shadow variable"));
const std::string &varname = var ? var->str() : type;
const std::string Type = char(std::toupper(type[0])) + type.substr(1);
const std::string id = "shadow" + Type;
const std::string message = "$symbol:" + varname + "\nLocal variable \'$symbol\' shadows outer " + type;
reportError(errorPath, Severity::style, id.c_str(), message, CWE398, Certainty::normal);
}
static bool isVariableExpression(const Token* tok)
{
if (Token::Match(tok, "%var%"))
return true;
if (Token::simpleMatch(tok, "."))
return isVariableExpression(tok->astOperand1()) &&
isVariableExpression(tok->astOperand2());
if (Token::simpleMatch(tok, "["))
return isVariableExpression(tok->astOperand1()) &&
tok->astOperand2() && tok->astOperand2()->hasKnownIntValue();
return false;
}
void CheckOther::checkKnownArgument()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope *functionScope : symbolDatabase->functionScopes) {
for (const Token *tok = functionScope->bodyStart; tok != functionScope->bodyEnd; tok = tok->next()) {
if (!Token::simpleMatch(tok->astParent(), "("))
continue;
if (!Token::Match(tok->astParent()->previous(), "%name%"))
continue;
if (Token::Match(tok->astParent()->previous(), "if|while|switch|sizeof"))
continue;
if (tok == tok->astParent()->previous())
continue;
if (!tok->hasKnownIntValue())
continue;
if (Token::Match(tok, "++|--"))
continue;
if (isConstVarExpression(tok))
continue;
const Token * tok2 = tok;
if (isCPPCast(tok2))
tok2 = tok2->astOperand2();
if (isVariableExpression(tok2))
continue;
// ensure that there is a integer variable in expression with unknown value
std::string varexpr;
bool isVariableExprHidden = false; // Is variable expression explicitly hidden
auto setVarExpr = [&varexpr, &isVariableExprHidden](const Token *child) {
if (Token::Match(child, "%var%|.|[")) {
if (child->valueType() && child->valueType()->pointer == 0 && child->valueType()->isIntegral() && child->values().empty()) {
varexpr = child->expressionString();
return ChildrenToVisit::done;
}
return ChildrenToVisit::none;
}
if (Token::simpleMatch(child->previous(), "sizeof ("))
return ChildrenToVisit::none;
// hide variable explicitly with 'x * 0' etc
if (!isVariableExprHidden) {
if (Token::simpleMatch(child, "*") && (Token::simpleMatch(child->astOperand1(), "0") || Token::simpleMatch(child->astOperand2(), "0")))
return ChildrenToVisit::none;
if (Token::simpleMatch(child, "&&") && (Token::simpleMatch(child->astOperand1(), "false") || Token::simpleMatch(child->astOperand2(), "false")))
return ChildrenToVisit::none;
if (Token::simpleMatch(child, "||") && (Token::simpleMatch(child->astOperand1(), "true") || Token::simpleMatch(child->astOperand2(), "true")))
return ChildrenToVisit::none;
}
return ChildrenToVisit::op1_and_op2;
};
visitAstNodes(tok, setVarExpr);
if (varexpr.empty()) {
isVariableExprHidden = true;
visitAstNodes(tok, setVarExpr);
}
if (varexpr.empty())
continue;
// ensure that function name does not contain "assert"
std::string funcname = tok->astParent()->previous()->str();
std::transform(funcname.begin(), funcname.end(), funcname.begin(), [](int c) {
return std::tolower(c);
});
if (funcname.find("assert") != std::string::npos)
continue;
knownArgumentError(tok, tok->astParent()->previous(), &tok->values().front(), varexpr, isVariableExprHidden);
}
}
}
void CheckOther::knownArgumentError(const Token *tok, const Token *ftok, const ValueFlow::Value *value, const std::string &varexpr, bool isVariableExpressionHidden)
{
if (!tok) {
reportError(tok, Severity::style, "knownArgument", "Argument 'x-x' to function 'func' is always 0. It does not matter what value 'x' has.");
reportError(tok, Severity::style, "knownArgumentHiddenVariableExpression", "Argument 'x*0' to function 'func' is always 0. Constant literal calculation disable/hide variable expression 'x'.");
return;
}
const MathLib::bigint intvalue = value->intvalue;
const std::string &expr = tok->expressionString();
const std::string &fun = ftok->str();
const char *id;
std::string errmsg = "Argument '" + expr + "' to function " + fun + " is always " + std::to_string(intvalue) + ". ";
if (!isVariableExpressionHidden) {
id = "knownArgument";
errmsg += "It does not matter what value '" + varexpr + "' has.";
} else {
id = "knownArgumentHiddenVariableExpression";
errmsg += "Constant literal calculation disable/hide variable expression '" + varexpr + "'.";
}
const ErrorPath errorPath = getErrorPath(tok, value, errmsg);
reportError(errorPath, Severity::style, id, errmsg, CWE570, Certainty::normal);
}
void CheckOther::checkComparePointers()
{
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope *functionScope : symbolDatabase->functionScopes) {
for (const Token *tok = functionScope->bodyStart; tok != functionScope->bodyEnd; tok = tok->next()) {
if (!Token::Match(tok, "<|>|<=|>=|-"))
continue;
const Token *tok1 = tok->astOperand1();
const Token *tok2 = tok->astOperand2();
if (!astIsPointer(tok1) || !astIsPointer(tok2))
continue;
ValueFlow::Value v1 = getLifetimeObjValue(tok1);
ValueFlow::Value v2 = getLifetimeObjValue(tok2);
if (!v1.isLocalLifetimeValue() || !v2.isLocalLifetimeValue())
continue;
const Variable *var1 = v1.tokvalue->variable();
const Variable *var2 = v2.tokvalue->variable();
if (!var1 || !var2)
continue;
if (v1.tokvalue->varId() == v2.tokvalue->varId())
continue;
if (var1->isReference() || var2->isReference())
continue;
if (var1->isRValueReference() || var2->isRValueReference())
continue;
comparePointersError(tok, &v1, &v2);
}
}
}
void CheckOther::comparePointersError(const Token *tok, const ValueFlow::Value *v1, const ValueFlow::Value *v2)
{
ErrorPath errorPath;
std::string verb = "Comparing";
if (Token::simpleMatch(tok, "-"))
verb = "Subtracting";
if (v1) {
errorPath.emplace_back(v1->tokvalue->variable()->nameToken(), "Variable declared here.");
errorPath.insert(errorPath.end(), v1->errorPath.begin(), v1->errorPath.end());
}
if (v2) {
errorPath.emplace_back(v2->tokvalue->variable()->nameToken(), "Variable declared here.");
errorPath.insert(errorPath.end(), v2->errorPath.begin(), v2->errorPath.end());
}
errorPath.emplace_back(tok, "");
reportError(
errorPath, Severity::error, "comparePointers", verb + " pointers that point to different objects", CWE570, Certainty::normal);
}
void CheckOther::checkModuloOfOne()
{
if (!mSettings->severity.isEnabled(Severity::style))
return;
for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
if (!tok->astOperand2() || !tok->astOperand1())
continue;
if (tok->str() != "%")
continue;
if (!tok->valueType() || !tok->valueType()->isIntegral())
continue;
// Value flow..
const ValueFlow::Value *value = tok->astOperand2()->getValue(1LL);
if (value && value->isKnown())
checkModuloOfOneError(tok);
}
}
void CheckOther::checkModuloOfOneError(const Token *tok)
{
reportError(tok, Severity::style, "moduloofone", "Modulo of one is always equal to zero");
}
//-----------------------------------------------------------------------------
// Overlapping write (undefined behavior)
//-----------------------------------------------------------------------------
static bool getBufAndOffset(const Token *expr, const Token **buf, MathLib::bigint *offset)
{
if (!expr)
return false;
const Token *bufToken, *offsetToken;
if (expr->isUnaryOp("&") && Token::simpleMatch(expr->astOperand1(), "[")) {
bufToken = expr->astOperand1()->astOperand1();
offsetToken = expr->astOperand1()->astOperand2();
} else if (Token::Match(expr, "+|-") && expr->isBinaryOp()) {
const bool pointer1 = (expr->astOperand1()->valueType() && expr->astOperand1()->valueType()->pointer > 0);
const bool pointer2 = (expr->astOperand2()->valueType() && expr->astOperand2()->valueType()->pointer > 0);
if (pointer1 && !pointer2) {
bufToken = expr->astOperand1();
offsetToken = expr->astOperand2();
} else if (!pointer1 && pointer2) {
bufToken = expr->astOperand2();
offsetToken = expr->astOperand1();
} else {
return false;
}
} else if (expr->valueType() && expr->valueType()->pointer > 0) {
*buf = expr;
*offset = 0;
return true;
} else {
return false;
}
if (!bufToken->valueType() || !bufToken->valueType()->pointer)
return false;
if (!offsetToken->hasKnownIntValue())
return false;
*buf = bufToken;
*offset = offsetToken->getKnownIntValue();
return true;
}
void CheckOther::checkOverlappingWrite()
{
const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
for (const Scope *functionScope : symbolDatabase->functionScopes) {
for (const Token *tok = functionScope->bodyStart; tok != functionScope->bodyEnd; tok = tok->next()) {
if (tok->isAssignmentOp()) {
// check if LHS is a union member..
const Token * const lhs = tok->astOperand1();
if (!Token::simpleMatch(lhs, ".") || !lhs->isBinaryOp())
continue;
const Variable * const lhsvar = lhs->astOperand1()->variable();
if (!lhsvar || !lhsvar->typeScope() || lhsvar->typeScope()->type != Scope::ScopeType::eUnion)
continue;
const Token* const lhsmember = lhs->astOperand2();
if (!lhsmember)
continue;
// Is other union member used in RHS?
const Token *errorToken = nullptr;
visitAstNodes(tok->astOperand2(), [lhsvar, lhsmember, &errorToken](const Token *rhs) {
if (!Token::simpleMatch(rhs, "."))
return ChildrenToVisit::op1_and_op2;
if (!rhs->isBinaryOp() || rhs->astOperand1()->variable() != lhsvar)
return ChildrenToVisit::none;
if (lhsmember->str() == rhs->astOperand2()->str())
return ChildrenToVisit::none;
errorToken = rhs->astOperand2();
return ChildrenToVisit::done;
});
if (errorToken)
overlappingWriteUnion(tok);
} else if (Token::Match(tok, "%name% (")) {
const Library::NonOverlappingData *nonOverlappingData = mSettings->library.getNonOverlappingData(tok);
if (!nonOverlappingData)
continue;
const std::vector<const Token *> args = getArguments(tok);
if (nonOverlappingData->ptr1Arg <= 0 || nonOverlappingData->ptr1Arg > args.size())
continue;
if (nonOverlappingData->ptr2Arg <= 0 || nonOverlappingData->ptr2Arg > args.size())
continue;
const Token *ptr1 = args[nonOverlappingData->ptr1Arg - 1];
if (ptr1->hasKnownIntValue() && ptr1->getKnownIntValue() == 0)
continue;
const Token *ptr2 = args[nonOverlappingData->ptr2Arg - 1];
if (ptr2->hasKnownIntValue() && ptr2->getKnownIntValue() == 0)
continue;
// TODO: nonOverlappingData->strlenArg
if (nonOverlappingData->sizeArg <= 0 || nonOverlappingData->sizeArg > args.size()) {
if (nonOverlappingData->sizeArg == -1) {
ErrorPath errorPath;
const bool macro = true;
const bool pure = true;
const bool follow = true;
if (!isSameExpression(mTokenizer->isCPP(), macro, ptr1, ptr2, mSettings->library, pure, follow, &errorPath))
continue;
overlappingWriteFunction(tok);
}
continue;
}
if (!args[nonOverlappingData->sizeArg-1]->hasKnownIntValue())
continue;
const MathLib::bigint sizeValue = args[nonOverlappingData->sizeArg-1]->getKnownIntValue();
const Token *buf1, *buf2;
MathLib::bigint offset1, offset2;
if (!getBufAndOffset(ptr1, &buf1, &offset1))
continue;
if (!getBufAndOffset(ptr2, &buf2, &offset2))
continue;
if (offset1 < offset2 && offset1 + sizeValue <= offset2)
continue;
if (offset2 < offset1 && offset2 + sizeValue <= offset1)
continue;
ErrorPath errorPath;
const bool macro = true;
const bool pure = true;
const bool follow = true;
if (!isSameExpression(mTokenizer->isCPP(), macro, buf1, buf2, mSettings->library, pure, follow, &errorPath))
continue;
overlappingWriteFunction(tok);
}
}
}
}
void CheckOther::overlappingWriteUnion(const Token *tok)
{
reportError(tok, Severity::error, "overlappingWriteUnion", "Overlapping read/write of union is undefined behavior");
}
void CheckOther::overlappingWriteFunction(const Token *tok)
{
const std::string funcname = tok ? tok->str() : "";
reportError(tok, Severity::error, "overlappingWriteFunction", "Overlapping read/write in " + funcname + "() is undefined behavior");
}