[PATCH] Sema: Warn on sizeof on binary ops on decayed arrays.

Benjamin Kramer benny.kra at gmail.com
Sat Mar 23 05:37:32 PDT 2013 

The array will decay into a pointer, creating an unexpected result.
sizeof(array + int) is an easy to make typo for sizeof(array) + int.

This was motivated by a NetBSD security bug.
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/subr_cprng.c.diff?r1=1.14&r2=1.15&only_with_tag=MAIN&f=h

http://llvm-reviews.chandlerc.com/D571

Files:
  include/clang/Basic/DiagnosticGroups.td
  include/clang/Basic/DiagnosticSemaKinds.td
  lib/Sema/SemaExpr.cpp
  test/Sema/expr-comma-c99.c
  test/Sema/expr-comma.c
  test/Sema/warn-sizeof-array-decay.c

Index: include/clang/Basic/DiagnosticGroups.td
===================================================================
--- include/clang/Basic/DiagnosticGroups.td
+++ include/clang/Basic/DiagnosticGroups.td
@@ -214,6 +214,7 @@
 def : DiagGroup<"switch-default">;
 def : DiagGroup<"synth">;
 def SizeofArrayArgument : DiagGroup<"sizeof-array-argument">;
+def SizeofArrayDecay : DiagGroup<"sizeof-array-decay">;
 def SizeofPointerMemaccess : DiagGroup<"sizeof-pointer-memaccess">;
 def StaticInInline : DiagGroup<"static-in-inline">;
 def GNUStaticFloatInit : DiagGroup<"gnu-static-float-init">;
@@ -420,6 +421,7 @@
     ReturnType,
     SelfAssignment,
     SizeofArrayArgument,
+    SizeofArrayDecay,
     StringPlusInt,
     Trigraphs,
     Uninitialized,
Index: include/clang/Basic/DiagnosticSemaKinds.td
===================================================================
--- include/clang/Basic/DiagnosticSemaKinds.td
+++ include/clang/Basic/DiagnosticSemaKinds.td
@@ -4033,6 +4033,10 @@
   "sizeof on array function parameter will return size of %0 instead of %1">,
   InGroup<SizeofArrayArgument>;
 
+def warn_sizeof_array_decay : Warning<
+  "sizeof on pointer operation will return size of %0 instead of %1">,
+  InGroup<SizeofArrayDecay>;
+
 def err_sizeof_nonfragile_interface : Error<
   "application of '%select{alignof|sizeof}1' to interface %0 is "
   "not supported on this architecture and platform">;
Index: lib/Sema/SemaExpr.cpp
===================================================================
--- lib/Sema/SemaExpr.cpp
+++ lib/Sema/SemaExpr.cpp
@@ -3098,6 +3098,25 @@
         }
       }
     }
+
+    // Warn on "sizeof(array op x)", where the array decays into a pointer and
+    // returns an unintended result. This is most likely a typo for
+    // "sizeof(array) op x"
+    if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E->IgnoreParens())) {
+      ImplicitCastExpr *LHSICE = dyn_cast<ImplicitCastExpr>(BO->getLHS());
+      ImplicitCastExpr *RHSICE = dyn_cast<ImplicitCastExpr>(BO->getRHS());
+      bool LHSDecay = LHSICE && LHSICE->getCastKind() == CK_ArrayToPointerDecay;
+      bool RHSDecay = RHSICE && RHSICE->getCastKind() == CK_ArrayToPointerDecay;
+
+      if (LHSDecay && !RHSDecay)
+        Diag(BO->getOperatorLoc(), diag::warn_sizeof_array_decay)
+          << BO->getLHS()->getSourceRange()
+          << BO->getLHS()->getType() << LHSICE->getSubExpr()->getType();
+      else if (!LHSDecay && RHSDecay)
+        Diag(BO->getOperatorLoc(), diag::warn_sizeof_array_decay)
+          << BO->getRHS()->getSourceRange()
+          << BO->getRHS()->getType() << RHSICE->getSubExpr()->getType();
+    }
   }
 
   return false;
Index: test/Sema/expr-comma-c99.c
===================================================================
--- test/Sema/expr-comma-c99.c
+++ test/Sema/expr-comma-c99.c
@@ -1,4 +1,4 @@
-// RUN: %clang_cc1 %s -fsyntax-only -verify -std=c99
+// RUN: %clang_cc1 %s -fsyntax-only -verify -std=c99 -Wno-sizeof-array-decay
 // expected-no-diagnostics
 // rdar://6095180
 
Index: test/Sema/expr-comma.c
===================================================================
--- test/Sema/expr-comma.c
+++ test/Sema/expr-comma.c
@@ -1,4 +1,4 @@
-// RUN: %clang_cc1 %s -fsyntax-only -verify -std=c89
+// RUN: %clang_cc1 %s -fsyntax-only -verify -std=c89 -Wno-sizeof-array-decay
 // expected-no-diagnostics
 // rdar://6095180
 
Index: test/Sema/warn-sizeof-array-decay.c
===================================================================
--- /dev/null
+++ test/Sema/warn-sizeof-array-decay.c
@@ -0,0 +1,15 @@
+// RUN: %clang_cc1 -fsyntax-only -verify %s
+
+void f(int x) {
+  char foo[10];
+  int bar[20];
+  char qux[30];
+
+  (void)sizeof(bar + 10); // expected-warning{{sizeof on pointer operation will return size of 'int *' instead of 'int [20]'}}
+  (void)sizeof(foo - 20); // expected-warning{{sizeof on pointer operation will return size of 'char *' instead of 'char [10]'}}
+  (void)sizeof(bar - x); // expected-warning{{sizeof on pointer operation will return size of 'int *' instead of 'int [20]'}}
+  (void)sizeof(foo + x); // expected-warning{{sizeof on pointer operation will return size of 'char *' instead of 'char [10]'}}
+
+  // This is ptrdiff_t.
+  (void)sizeof(foo - qux); // no-warning
+}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D571.1.patch
Type: text/x-patch
Size: 4258 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20130323/e9440144/attachment.bin>

More information about the cfe-commits mailing list