This is an archive of the discontinued LLVM Phabricator instance.

Differential D23508

Improve alpha.core.CastToStruct warn about widening casts of structs also
ClosedPublic

Authored by danielmarjamaki on Aug 15 2016, 6:31 AM.

Details

Reviewers
dcoughlin
zaks.anna
NoQ
Commits
rG13264ebea47b: [analyzer] Improve CastToStruct checker so it can also detect widening casts of…
rC282411: [analyzer] Improve CastToStruct checker so it can also detect widening casts of…
rL282411: [analyzer] Improve CastToStruct checker so it can also detect widening casts…
Summary

The alpha.core.CastToStruct warns when for instance casting a int pointer to a struct pointer. As accessing a field can lead to memory access errors.

This patch improves the checker so it also warns about widening casts of structs.

Diff Detail

Repository
rL LLVM

Event Timeline

danielmarjamaki updated this revision to Diff 68031.Aug 15 2016, 6:31 AM
danielmarjamaki retitled this revision from to Improve alpha.core.CastToStruct warn about widening casts of structs also.
danielmarjamaki updated this object.
danielmarjamaki added reviewers: zaks.anna, NoQ, dcoughlin.
NoQ edited edge metadata.Aug 17 2016, 3:38 AM

Could we re-use some code between the two checks, like obtaining the type of the operands, and throwing the bug report?

P.S. A thing to notice: this checker shouldn't be path-sensitive, it doesn't use any path-sensitive information.

danielmarjamaki added a comment.Aug 18 2016, 4:34 AM

P.S. A thing to notice: this checker shouldn't be path-sensitive, it doesn't use any path-sensitive information.

Yes I do wonder about that.

As the checker is written right now it seems to me it could be moved to clang-tidy.

But I am thinking we could use path-sensitive analysis in this check and see if the cast leads to memory access problems.

NoQ added a comment.Aug 18 2016, 4:46 AM

But I am thinking we could use path-sensitive analysis in this check and see if the cast leads to memory access problems.

Yeah, in particular, we could also see if the suspicious cast is actually a revert of a previous cast. No way it's blocking this review though.

danielmarjamaki updated this revision to Diff 71148.Sep 13 2016, 5:31 AM
danielmarjamaki edited edge metadata.

Reuse code, and use RecursiveASTVisitor.

danielmarjamaki added a comment.Sep 19 2016, 12:29 AM

ping

NoQ added a comment.Sep 19 2016, 1:10 AM

Thanks!! It looks a lot better now.

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
1 ↗(On Diff #71148)

Ouch, just noticed ^

75 ↗(On Diff #71148)

Could you add a test case for other branches of this code (cast without unary operator, cast with non-& unary operator)?

85 ↗(On Diff #71148)

Could you add a test case for this? It might force you to add a C++ test file. Adding a dedicated file of tests for this checker is anyway a good idea, i think.

You may also want to make this more accurate with CXXRecordDecl::isDerivedFrom() etc. if you like.

danielmarjamaki added inline comments.Sep 19 2016, 3:44 AM
lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
1 ↗(On Diff #71148)

I am not sure what problem you see with this line. It looks ok to me.

75 ↗(On Diff #71148)

Ok. Maybe the getOpCode is redundant. The ~, !, - operators does not make much sense on pointers and I believe I get compile errors. However imho it's nice for clarity to show that I only look for &var.

85 ↗(On Diff #71148)

I started writing a testcase. But I am now thinking about removing this code. I could not write a sensible test case.

If there is code like:

struct Derived : public Base { .. };
struct Base B = {1,2};
struct Derived *D = (struct Derived *)&B;

Then writing the warning seems ok. It seems to me this is just as dangerous as if there was no inheritance.

danielmarjamaki updated this revision to Diff 71804.Sep 19 2016, 4:14 AM
danielmarjamaki set the repository for this revision to rL LLVM.

Added testfile. Remove code for derived records.

NoQ added inline comments.Sep 19 2016, 4:29 AM
lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
1 ↗(On Diff #71148)

The description is from another checker.

85 ↗(On Diff #71148)

Then you should exclude dynamic_cast and probably static_cast as well, because they were created for this particular purpose. Even then, i'm afraid many projects still use C-style casts with combination of kind-of custom RTTI (even in C) and have large switches by kind followed by casts to kind everywhere. You should be able to see this if you run the checker on a large codebase - even though the code you posted is clearly invalid, you cannot prove this without proper path-sensitive analysis, and the cast itself isn't necessarily bad.

danielmarjamaki added inline comments.Sep 19 2016, 4:54 AM
lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
85 ↗(On Diff #71804)

I think you're missing that I am not writing warnings about arbitrary struct pointers.

The dynamic_cast is normally used to cast some kind of pointer variable:

Base *B;
...
Derived *D = dynamic_cast<Derived *>(B);

I do not warn about casting such pointers. Because the check does not know what B points at.

I require that '&' is used, like so:

Base B;
...
Derived *D = dynamic_cast<Derived *>(&Base);

Then the check knows what the pointer points at. It's just a Base. I guess you are telling me that we should not warn here. Well you are right, nothing dangerous happens the cast result will just be 0.

NoQ added a comment.Sep 19 2016, 6:49 AM

Thanks for the tests!

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
85 ↗(On Diff #71804)

Uhm, but the operator-&-heuristic sounds like something extremely restrictive, that should be eventually removed (not even a pair of parentheses is allowed around operator-&).

Some false positives may still appear though, i suspect:

Derived D;
Base &B = D;
Derived *Dptr = (D*)&B; // no-warning

^You can find an example of such code in MallocChecker::checkPreCall, the way they cast CallEvent references. Right now i'm not sure how popular correct and incorrect code patterns of this kind are.

Why i think the heuristic is too restrictive:

Base B;
Base *Bptr = &B;
Derived *Dptr = (D*)B; // expected-warning{{}}
danielmarjamaki updated this revision to Diff 71825.Sep 19 2016, 8:10 AM
danielmarjamaki removed rL LLVM as the repository for this revision.

Handle case between Base/Derived types better.

danielmarjamaki added a comment.Sep 23 2016, 3:59 AM

Ping.

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
85 ↗(On Diff #71804)

thanks!

yes I agree it's extremely restricted. of course a pair of parentheses should not cause false negatives though.

imho , path-sensitive analysis is needed to warn about "pointers" and "references" as the check must know what it points at / references to avoid false positives.

NoQ accepted this revision.Sep 23 2016, 9:29 AM
NoQ edited edge metadata.

This patch seems to be an improvement for the original checker, and i think it should be ok to commit if your evaluation of the new check shows reasonable true positive rate.

However, if i was to choose, based on this discussion and other experiences, i would have wished this checker go in a different direction: make a single checker for violations of the strict aliasing rule. This should be do-able as a classic path-sensitive checker which would warn if the same object (RegionOffset) is accessed assuming incompatible value types. For symbolic void* or char* pointers, such checker would need to catch two accesses (which forces us to register stuff with program state), while for other pointer symbols and for concrete regions perhaps a single access should be enough to detect the problem. Such checker would probably be improved by finding branches that introduce aliases between pointer symbols, eg.

void foo(int *x, struct S *y) {
  if (x == y) {
    ...
  }
}

which we don't handle very well in the path-sensitive engine, but it's a great place to start looking into this. I wish somebody looked into this, because it sounds like a really good task for the analyzer.

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
64 ↗(On Diff #71825)

You can use a single Sr here, the convenient ArrayRef constructor from a single element allows passing a single element instead of a one-element array into EmitBasicReport.

This revision is now accepted and ready to land.Sep 23 2016, 9:29 AM
danielmarjamaki added a comment.Sep 26 2016, 3:35 AM

However, if i was to choose, based on this discussion and other experiences, i would have wished this checker go in a different direction: make a single checker for violations of the strict aliasing rule.

That is reasonable. Ideally everybody would fix all UB.

As far as I know it's common to break the strict aliasing rule. There are users that would rather use -fno-strict-aliasing than fix their code. I want to have a checker that is useful when -fno-strict-aliasing is used and detects access out of bounds.

Closed by commit rL282411: [analyzer] Improve CastToStruct checker so it can also detect widening casts… (authored by danielmarjamaki). · Explain WhySep 26 2016, 8:26 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
87 lines
test/
Analysis/
67 lines
2 lines

Diff 72489

cfe/trunk/lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp

//=== CastToStructChecker.cpp - Fixed address usage checker ----*- C++ -*--===// //=== CastToStructChecker.cpp ----------------------------------*- C++ -*--===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This files defines CastToStructChecker, a builtin checker that checks for // This files defines CastToStructChecker, a builtin checker that checks for
// cast from non-struct pointer to struct pointer. // cast from non-struct pointer to struct pointer and widening struct data cast.
// This check corresponds to CWE-588. // This check corresponds to CWE-588.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ClangSACheckers.h" #include "ClangSACheckers.h"
#include "clang/AST/RecursiveASTVisitor.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class CastToStructChecker : public Checker< check::PreStmt<CastExpr> > { class CastToStructVisitor : public RecursiveASTVisitor<CastToStructVisitor> {
mutable std::unique_ptr<BuiltinBug> BT; BugReporter &BR;
const CheckerBase *Checker;
AnalysisDeclContext *AC;
public: public:
void checkPreStmt(const CastExpr *CE, CheckerContext &C) const; explicit CastToStructVisitor(BugReporter &B, const CheckerBase *Checker,
AnalysisDeclContext *A)
: BR(B), Checker(Checker), AC(A) {}
bool VisitCastExpr(const CastExpr *CE);
}; };
} }
void CastToStructChecker::checkPreStmt(const CastExpr *CE, bool CastToStructVisitor::VisitCastExpr(const CastExpr *CE) {
CheckerContext &C) const {
const Expr *E = CE->getSubExpr(); const Expr *E = CE->getSubExpr();
ASTContext &Ctx = C.getASTContext(); ASTContext &Ctx = AC->getASTContext();
QualType OrigTy = Ctx.getCanonicalType(E->getType()); QualType OrigTy = Ctx.getCanonicalType(E->getType());
QualType ToTy = Ctx.getCanonicalType(CE->getType()); QualType ToTy = Ctx.getCanonicalType(CE->getType());
const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr()); const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr()); const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
if (!ToPTy || !OrigPTy) if (!ToPTy || !OrigPTy)
return; return true;
QualType OrigPointeeTy = OrigPTy->getPointeeType(); QualType OrigPointeeTy = OrigPTy->getPointeeType();
QualType ToPointeeTy = ToPTy->getPointeeType(); QualType ToPointeeTy = ToPTy->getPointeeType();
if (!ToPointeeTy->isStructureOrClassType()) if (!ToPointeeTy->isStructureOrClassType())
return; return true;
// We allow cast from void*. // We allow cast from void*.
if (OrigPointeeTy->isVoidType()) if (OrigPointeeTy->isVoidType())
return; return true;
// Now the cast-to-type is struct pointer, the original type is not void*. // Now the cast-to-type is struct pointer, the original type is not void*.
if (!OrigPointeeTy->isRecordType()) { if (!OrigPointeeTy->isRecordType()) {
if (ExplodedNode *N = C.generateNonFatalErrorNode()) { SourceRange Sr[1] = {CE->getSourceRange()};
if (!BT) PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
BT.reset( BR.EmitBasicReport(
new BuiltinBug(this, "Cast from non-struct type to struct type", AC->getDecl(), Checker, "Cast from non-struct type to struct type",
"Casting a non-structure type to a structure type " categories::LogicError, "Casting a non-structure type to a structure "
"and accessing a field can lead to memory access " "type and accessing a field can lead to memory "
"errors or data corruption.")); "access errors or data corruption.",
auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N); Loc, Sr);
R->addRange(CE->getSourceRange()); } else {
C.emitReport(std::move(R)); // Don't warn when size of data is unknown.
const auto *U = dyn_cast<UnaryOperator>(E);
if (!U || U->getOpcode() != UO_AddrOf)
return true;
// Don't warn for references
const ValueDecl *VD = nullptr;
if (const auto *SE = dyn_cast<DeclRefExpr>(U->getSubExpr()))
VD = dyn_cast<ValueDecl>(SE->getDecl());
else if (const auto *SE = dyn_cast<MemberExpr>(U->getSubExpr()))
VD = SE->getMemberDecl();
if (!VD || VD->getType()->isReferenceType())
return true;
// Warn when there is widening cast.
unsigned ToWidth = Ctx.getTypeInfo(ToPointeeTy).Width;
unsigned OrigWidth = Ctx.getTypeInfo(OrigPointeeTy).Width;
if (ToWidth <= OrigWidth)
return true;
PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type",
categories::LogicError,
"Casting data to a larger structure type and accessing "
"a field can lead to memory access errors or data "
"corruption.",
Loc, CE->getSourceRange());
} }
return true;
} }
namespace {
class CastToStructChecker : public Checker<check::ASTCodeBody> {
public:
void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
BugReporter &BR) const {
CastToStructVisitor Visitor(BR, this, Mgr.getAnalysisDeclContext(D));
Visitor.TraverseDecl(const_cast<Decl *>(D));
} }
};
} // end anonymous namespace
void ento::registerCastToStructChecker(CheckerManager &mgr) { void ento::registerCastToStructChecker(CheckerManager &mgr) {
mgr.registerChecker<CastToStructChecker>(); mgr.registerChecker<CastToStructChecker>();
} }

cfe/trunk/test/Analysis/cast-to-struct.cpp

// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.core.CastToStruct,core -verify %s
struct AB {
int A;
int B;
};
struct ABC {
int A;
int B;
int C;
};
struct Base {
Base() : A(0), B(0) {}
virtual ~Base() {}
int A;
int B;
};
struct Derived : public Base {
Derived() : Base(), C(0) {}
int C;
};
void structToStruct(struct AB *P) {
struct AB Ab;
struct ABC *Abc;
Abc = (struct ABC *)&Ab; // expected-warning {{Casting data to a larger structure type and accessing a field can lead to memory access errors or data corruption}}
Abc = (struct ABC *)P; // No warning; It is not known what data P points at.
Abc = (struct ABC *)&*P;
// Don't warn when the cast is not widening.
P = (struct AB *)&Ab; // struct AB * => struct AB *
struct ABC Abc2;
P = (struct AB *)&Abc2; // struct ABC * => struct AB *
// True negatives when casting from Base to Derived.
Derived D1, *D2;
Base &B1 = D1;
D2 = (Derived *)&B1;
D2 = dynamic_cast<Derived *>(&B1);
D2 = static_cast<Derived *>(&B1);
// True positives when casting from Base to Derived.
Base B2;
D2 = (Derived *)&B2;// expected-warning {{Casting data to a larger structure type and accessing a field can lead to memory access errors or data corruption}}
D2 = dynamic_cast<Derived *>(&B2);// expected-warning {{Casting data to a larger structure type and accessing a field can lead to memory access errors or data corruption}}
D2 = static_cast<Derived *>(&B2);// expected-warning {{Casting data to a larger structure type and accessing a field can lead to memory access errors or data corruption}}
// False negatives, cast from Base to Derived. With path sensitive analysis
// these false negatives could be fixed.
Base *B3 = &B2;
D2 = (Derived *)B3;
D2 = dynamic_cast<Derived *>(B3);
D2 = static_cast<Derived *>(B3);
}
void intToStruct(int *P) {
struct ABC *Abc;
Abc = (struct ABC *)P; // expected-warning {{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
// Cast from void *.
void *VP = P;
Abc = (struct ABC *)VP;
}

cfe/trunk/test/Analysis/casts.c

Show All 12 Lines
typedef __darwin_socklen_t socklen_t; typedef __darwin_socklen_t socklen_t;
struct sockaddr { sa_family_t sa_family; }; struct sockaddr { sa_family_t sa_family; };
struct sockaddr_storage {}; struct sockaddr_storage {};
void getsockname(); void getsockname();
void f(int sock) { void f(int sock) {
struct sockaddr_storage storage; struct sockaddr_storage storage;
struct sockaddr* sockaddr = (struct sockaddr*)&storage; struct sockaddr* sockaddr = (struct sockaddr*)&storage; // expected-warning{{Casting data to a larger structure type and accessing a field can lead to memory access errors or data corruption}}
socklen_t addrlen = sizeof(storage); socklen_t addrlen = sizeof(storage);
getsockname(sock, sockaddr, &addrlen); getsockname(sock, sockaddr, &addrlen);
switch (sockaddr->sa_family) { // no-warning switch (sockaddr->sa_family) { // no-warning
default: default:
; ;
} }
} }
▲ Show 20 LinesShow All 91 LinesShow Last 20 Lines