Index: lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp =================================================================== --- lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp +++ lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp @@ -23,8 +23,13 @@ using namespace ento; namespace { -class CastToStructChecker : public Checker< check::PreStmt > { - mutable std::unique_ptr BT; +class CastToStructChecker : public Checker> { + mutable std::unique_ptr BTNonStruct; + mutable std::unique_ptr BTWidening; + + bool nonStructPointerToStructPointerCast(const CastExpr *CE, + CheckerContext &C) const; + bool wideningStructPointerCast(const CastExpr *CE, CheckerContext &C) const; public: void checkPreStmt(const CastExpr *CE, CheckerContext &C) const; @@ -33,6 +38,12 @@ void CastToStructChecker::checkPreStmt(const CastExpr *CE, CheckerContext &C) const { + if (!nonStructPointerToStructPointerCast(CE, C)) + wideningStructPointerCast(CE, C); +} + +bool CastToStructChecker::nonStructPointerToStructPointerCast( + const CastExpr *CE, CheckerContext &C) const { const Expr *E = CE->getSubExpr(); ASTContext &Ctx = C.getASTContext(); QualType OrigTy = Ctx.getCanonicalType(E->getType()); @@ -42,32 +53,85 @@ const PointerType *ToPTy = dyn_cast(ToTy.getTypePtr()); if (!ToPTy || !OrigPTy) - return; + return false; QualType OrigPointeeTy = OrigPTy->getPointeeType(); QualType ToPointeeTy = ToPTy->getPointeeType(); if (!ToPointeeTy->isStructureOrClassType()) - return; + return false; // We allow cast from void*. if (OrigPointeeTy->isVoidType()) - return; + return false; // Now the cast-to-type is struct pointer, the original type is not void*. - if (!OrigPointeeTy->isRecordType()) { - if (ExplodedNode *N = C.generateNonFatalErrorNode()) { - if (!BT) - BT.reset( - new BuiltinBug(this, "Cast from non-struct type to struct type", - "Casting a non-structure type to a structure type " - "and accessing a field can lead to memory access " - "errors or data corruption.")); - auto R = llvm::make_unique(*BT, BT->getDescription(), N); - R->addRange(CE->getSourceRange()); - C.emitReport(std::move(R)); - } + if (OrigPointeeTy->isRecordType()) + return false; + + if (ExplodedNode *N = C.generateNonFatalErrorNode()) { + if (!BTNonStruct) + BTNonStruct.reset( + new BuiltinBug(this, "Cast from non-struct type to struct type", + "Casting a non-structure type to a structure type " + "and accessing a field can lead to memory access " + "errors or data corruption.")); + auto R = llvm::make_unique(*BTNonStruct, + BTNonStruct->getDescription(), N); + R->addRange(CE->getSourceRange()); + C.emitReport(std::move(R)); + } + return true; +} + +bool CastToStructChecker::wideningStructPointerCast(const CastExpr *Cast, + CheckerContext &C) const { + const UnaryOperator *SourceExpr = + dyn_cast(Cast->IgnoreParenCasts()); + if (!SourceExpr || SourceExpr->getOpcode() != UO_AddrOf) + return false; + + QualType CastType = Cast->getType(); + if (!CastType->isPointerType() || !CastType->getPointeeType()->isRecordType()) + return false; + QualType SourceExprType = Cast->IgnoreParenCasts()->getType(); + if (!SourceExprType->isPointerType() || + !SourceExprType->getPointeeType()->isRecordType()) + return false; + + ASTContext &Context = C.getASTContext(); + + unsigned CastTypeWidth = + Context.getTypeInfo(CastType->getPointeeType()).Width; + unsigned SubTypeWidth = + Context.getTypeInfo(SourceExprType->getPointeeType()).Width; + + if (CastTypeWidth <= SubTypeWidth) + return false; + + const RecordType *R = CastType->getPointeeType()->getAsStructureType(); + if (!R) + return false; + + // Don't warn when resulting struct type has base class. + if (const auto *D = dyn_cast(R->getDecl())) { + if (D->bases_begin() != D->bases_end()) + return false; + } + + if (ExplodedNode *N = C.generateNonFatalErrorNode()) { + if (!BTWidening) + BTWidening.reset( + new BuiltinBug(this, "Cast to struct type", + "Casting data to a larger structure type " + "and accessing a field can lead to memory access " + "errors or data corruption.")); + auto R = llvm::make_unique(*BTWidening, + BTWidening->getDescription(), N); + R->addRange(Cast->getSourceRange()); + C.emitReport(std::move(R)); } + return true; } void ento::registerCastToStructChecker(CheckerManager &mgr) { Index: test/Analysis/casts.c =================================================================== --- test/Analysis/casts.c +++ test/Analysis/casts.c @@ -18,7 +18,7 @@ void f(int sock) { struct sockaddr_storage storage; - struct sockaddr* sockaddr = (struct sockaddr*)&storage; + struct sockaddr* sockaddr = (struct sockaddr*)&storage; // expected-warning{{Casting data to a larger structure type and accessing a field can lead to memory access errors or data corruption}} socklen_t addrlen = sizeof(storage); getsockname(sock, sockaddr, &addrlen); switch (sockaddr->sa_family) { // no-warning Index: test/Analysis/struct-struct.c =================================================================== --- test/Analysis/struct-struct.c +++ test/Analysis/struct-struct.c @@ -0,0 +1,21 @@ +// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.core -verify %s + +struct A { + int a; +}; + +struct AB { + int a; + int b; +}; + +void f() { + struct A a; + struct AB *ab = (struct AB *)&a; // expected-warning{{Casting data to a larger structure type and accessing a field can lead to memory access errors or data corruption}} +} + +// Do not warn about casting a pointer variable. The data it points at might +// be large enough. +void dontwarn(struct A *a) { + struct AB *ab = (struct AB *)a; +}