r178371 - Sema: Warn on sizeof on binary ops on decayed arrays.

Benjamin Kramer benny.kra at googlemail.com
Fri Mar 29 14:43:21 PDT 2013 

Author: d0k
Date: Fri Mar 29 16:43:21 2013
New Revision: 178371

URL: http://llvm.org/viewvc/llvm-project?rev=178371&view=rev
Log:
Sema: Warn on sizeof on binary ops on decayed arrays.

The array will decay into a pointer, creating an unexpected result.
sizeof(array + int) is an easy to make typo for sizeof(array) + int.

This was motivated by a NetBSD security bug, used sizeof(key - r) instead of
sizeof(key) - r, reducing entropy in a random number generator.
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/subr_cprng.c.diff?r1=1.14&r2=1.15&only_with_tag=MAIN&f=h

Differential Revision: http://llvm-reviews.chandlerc.com/D571

Added:
    cfe/trunk/test/Sema/warn-sizeof-array-decay.c
Modified:
    cfe/trunk/include/clang/Basic/DiagnosticGroups.td
    cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td
    cfe/trunk/lib/Sema/SemaExpr.cpp
    cfe/trunk/test/Sema/expr-comma-c99.c
    cfe/trunk/test/Sema/expr-comma.c

Modified: cfe/trunk/include/clang/Basic/DiagnosticGroups.td
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Basic/DiagnosticGroups.td?rev=178371&r1=178370&r2=178371&view=diff
==============================================================================
--- cfe/trunk/include/clang/Basic/DiagnosticGroups.td (original)
+++ cfe/trunk/include/clang/Basic/DiagnosticGroups.td Fri Mar 29 16:43:21 2013
@@ -215,6 +215,7 @@ def : DiagGroup<"stack-protector">;
 def : DiagGroup<"switch-default">;
 def : DiagGroup<"synth">;
 def SizeofArrayArgument : DiagGroup<"sizeof-array-argument">;
+def SizeofArrayDecay : DiagGroup<"sizeof-array-decay">;
 def SizeofPointerMemaccess : DiagGroup<"sizeof-pointer-memaccess">;
 def StaticInInline : DiagGroup<"static-in-inline">;
 def GNUStaticFloatInit : DiagGroup<"gnu-static-float-init">;
@@ -421,6 +422,7 @@ def Most : DiagGroup<"most", [
     ReturnType,
     SelfAssignment,
     SizeofArrayArgument,
+    SizeofArrayDecay,
     StringPlusInt,
     Trigraphs,
     Uninitialized,

Modified: cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td?rev=178371&r1=178370&r2=178371&view=diff
==============================================================================
--- cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td (original)
+++ cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td Fri Mar 29 16:43:21 2013
@@ -4033,6 +4033,10 @@ def warn_sizeof_array_param : Warning<
   "sizeof on array function parameter will return size of %0 instead of %1">,
   InGroup<SizeofArrayArgument>;
 
+def warn_sizeof_array_decay : Warning<
+  "sizeof on pointer operation will return size of %0 instead of %1">,
+  InGroup<SizeofArrayDecay>;
+
 def err_sizeof_nonfragile_interface : Error<
   "application of '%select{alignof|sizeof}1' to interface %0 is "
   "not supported on this architecture and platform">;

Modified: cfe/trunk/lib/Sema/SemaExpr.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Sema/SemaExpr.cpp?rev=178371&r1=178370&r2=178371&view=diff
==============================================================================
--- cfe/trunk/lib/Sema/SemaExpr.cpp (original)
+++ cfe/trunk/lib/Sema/SemaExpr.cpp Fri Mar 29 16:43:21 2013
@@ -3089,6 +3089,24 @@ static bool CheckObjCTraitOperandConstra
   return false;
 }
 
+/// \brief Check whether E is a pointer from a decayed array type (the decayed
+/// pointer type is equal to T) and emit a warning if it is.
+static void warnOnSizeofOnArrayDecay(Sema &S, SourceLocation Loc, QualType T,
+                                     Expr *E) {
+  // Don't warn if the operation changed the type.
+  if (T != E->getType())
+    return;
+
+  // Now look for array decays.
+  ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E);
+  if (!ICE || ICE->getCastKind() != CK_ArrayToPointerDecay)
+    return;
+
+  S.Diag(Loc, diag::warn_sizeof_array_decay) << ICE->getSourceRange()
+                                             << ICE->getType()
+                                             << ICE->getSubExpr()->getType();
+}
+
 /// \brief Check the constrains on expression operands to unary type expression
 /// and type traits.
 ///
@@ -3142,6 +3160,16 @@ bool Sema::CheckUnaryExprOrTypeTraitOper
         }
       }
     }
+
+    // Warn on "sizeof(array op x)" and "sizeof(x op array)", where the array
+    // decays into a pointer and returns an unintended result. This is most
+    // likely a typo for "sizeof(array) op x".
+    if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E->IgnoreParens())) {
+      warnOnSizeofOnArrayDecay(*this, BO->getOperatorLoc(), BO->getType(),
+                               BO->getLHS());
+      warnOnSizeofOnArrayDecay(*this, BO->getOperatorLoc(), BO->getType(),
+                               BO->getRHS());
+    }
   }
 
   return false;

Modified: cfe/trunk/test/Sema/expr-comma-c99.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Sema/expr-comma-c99.c?rev=178371&r1=178370&r2=178371&view=diff
==============================================================================
--- cfe/trunk/test/Sema/expr-comma-c99.c (original)
+++ cfe/trunk/test/Sema/expr-comma-c99.c Fri Mar 29 16:43:21 2013
@@ -1,4 +1,4 @@
-// RUN: %clang_cc1 %s -fsyntax-only -verify -std=c99
+// RUN: %clang_cc1 %s -fsyntax-only -verify -std=c99 -Wno-sizeof-array-decay
 // expected-no-diagnostics
 // rdar://6095180
 

Modified: cfe/trunk/test/Sema/expr-comma.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Sema/expr-comma.c?rev=178371&r1=178370&r2=178371&view=diff
==============================================================================
--- cfe/trunk/test/Sema/expr-comma.c (original)
+++ cfe/trunk/test/Sema/expr-comma.c Fri Mar 29 16:43:21 2013
@@ -1,4 +1,4 @@
-// RUN: %clang_cc1 %s -fsyntax-only -verify -std=c89
+// RUN: %clang_cc1 %s -fsyntax-only -verify -std=c89 -Wno-sizeof-array-decay
 // expected-no-diagnostics
 // rdar://6095180
 

Added: cfe/trunk/test/Sema/warn-sizeof-array-decay.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Sema/warn-sizeof-array-decay.c?rev=178371&view=auto
==============================================================================
--- cfe/trunk/test/Sema/warn-sizeof-array-decay.c (added)
+++ cfe/trunk/test/Sema/warn-sizeof-array-decay.c Fri Mar 29 16:43:21 2013
@@ -0,0 +1,18 @@
+// RUN: %clang_cc1 -fsyntax-only -verify %s
+
+void f(int x) {
+  char foo[10];
+  int bar[20];
+  char qux[30];
+
+  (void)sizeof(bar + 10); // expected-warning{{sizeof on pointer operation will return size of 'int *' instead of 'int [20]'}}
+  (void)sizeof(foo - 20); // expected-warning{{sizeof on pointer operation will return size of 'char *' instead of 'char [10]'}}
+  (void)sizeof(bar - x); // expected-warning{{sizeof on pointer operation will return size of 'int *' instead of 'int [20]'}}
+  (void)sizeof(foo + x); // expected-warning{{sizeof on pointer operation will return size of 'char *' instead of 'char [10]'}}
+
+  // This is ptrdiff_t.
+  (void)sizeof(foo - qux); // no-warning
+
+  (void)sizeof(foo, x); // no-warning
+  (void)sizeof(x, foo); // expected-warning{{sizeof on pointer operation will return size of 'char *' instead of 'char [10]'}}
+}

More information about the cfe-commits mailing list