This is an archive of the discontinued LLVM Phabricator instance.

Differential D23508

Improve alpha.core.CastToStruct warn about widening casts of structs also
ClosedPublic

Authored by danielmarjamaki on Aug 15 2016, 6:31 AM.

Details

Reviewers
dcoughlin
zaks.anna
NoQ
Commits
rG13264ebea47b: [analyzer] Improve CastToStruct checker so it can also detect widening casts of…
rC282411: [analyzer] Improve CastToStruct checker so it can also detect widening casts of…
rL282411: [analyzer] Improve CastToStruct checker so it can also detect widening casts…
Summary

The alpha.core.CastToStruct warns when for instance casting a int pointer to a struct pointer. As accessing a field can lead to memory access errors.

This patch improves the checker so it also warns about widening casts of structs.

Diff Detail

Repository
rL LLVM

Event Timeline

danielmarjamaki updated this revision to Diff 68031.Aug 15 2016, 6:31 AM
danielmarjamaki retitled this revision from to Improve alpha.core.CastToStruct warn about widening casts of structs also.
danielmarjamaki updated this object.
danielmarjamaki added reviewers: zaks.anna, NoQ, dcoughlin.
NoQ edited edge metadata.Aug 17 2016, 3:38 AM

Could we re-use some code between the two checks, like obtaining the type of the operands, and throwing the bug report?

P.S. A thing to notice: this checker shouldn't be path-sensitive, it doesn't use any path-sensitive information.

danielmarjamaki added a comment.Aug 18 2016, 4:34 AM

P.S. A thing to notice: this checker shouldn't be path-sensitive, it doesn't use any path-sensitive information.

Yes I do wonder about that.

As the checker is written right now it seems to me it could be moved to clang-tidy.

But I am thinking we could use path-sensitive analysis in this check and see if the cast leads to memory access problems.

NoQ added a comment.Aug 18 2016, 4:46 AM

But I am thinking we could use path-sensitive analysis in this check and see if the cast leads to memory access problems.

Yeah, in particular, we could also see if the suspicious cast is actually a revert of a previous cast. No way it's blocking this review though.

danielmarjamaki updated this revision to Diff 71148.Sep 13 2016, 5:31 AM
danielmarjamaki edited edge metadata.

Reuse code, and use RecursiveASTVisitor.

danielmarjamaki added a comment.Sep 19 2016, 12:29 AM

ping

NoQ added a comment.Sep 19 2016, 1:10 AM

Thanks!! It looks a lot better now.

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
1

Ouch, just noticed ^

75

Could you add a test case for other branches of this code (cast without unary operator, cast with non-& unary operator)?

85

Could you add a test case for this? It might force you to add a C++ test file. Adding a dedicated file of tests for this checker is anyway a good idea, i think.

You may also want to make this more accurate with CXXRecordDecl::isDerivedFrom() etc. if you like.

danielmarjamaki added inline comments.Sep 19 2016, 3:44 AM
lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
1

I am not sure what problem you see with this line. It looks ok to me.

75

Ok. Maybe the getOpCode is redundant. The ~, !, - operators does not make much sense on pointers and I believe I get compile errors. However imho it's nice for clarity to show that I only look for &var.

85

I started writing a testcase. But I am now thinking about removing this code. I could not write a sensible test case.

If there is code like:

struct Derived : public Base { .. };
struct Base B = {1,2};
struct Derived *D = (struct Derived *)&B;

Then writing the warning seems ok. It seems to me this is just as dangerous as if there was no inheritance.

danielmarjamaki updated this revision to Diff 71804.Sep 19 2016, 4:14 AM
danielmarjamaki set the repository for this revision to rL LLVM.

Added testfile. Remove code for derived records.

NoQ added inline comments.Sep 19 2016, 4:29 AM
lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
1

The description is from another checker.

85

Then you should exclude dynamic_cast and probably static_cast as well, because they were created for this particular purpose. Even then, i'm afraid many projects still use C-style casts with combination of kind-of custom RTTI (even in C) and have large switches by kind followed by casts to kind everywhere. You should be able to see this if you run the checker on a large codebase - even though the code you posted is clearly invalid, you cannot prove this without proper path-sensitive analysis, and the cast itself isn't necessarily bad.

danielmarjamaki added inline comments.Sep 19 2016, 4:54 AM
lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
85

I think you're missing that I am not writing warnings about arbitrary struct pointers.

The dynamic_cast is normally used to cast some kind of pointer variable:

Base *B;
...
Derived *D = dynamic_cast<Derived *>(B);

I do not warn about casting such pointers. Because the check does not know what B points at.

I require that '&' is used, like so:

Base B;
...
Derived *D = dynamic_cast<Derived *>(&Base);

Then the check knows what the pointer points at. It's just a Base. I guess you are telling me that we should not warn here. Well you are right, nothing dangerous happens the cast result will just be 0.

NoQ added a comment.Sep 19 2016, 6:49 AM

Thanks for the tests!

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
85

Uhm, but the operator-&-heuristic sounds like something extremely restrictive, that should be eventually removed (not even a pair of parentheses is allowed around operator-&).

Some false positives may still appear though, i suspect:

Derived D;
Base &B = D;
Derived *Dptr = (D*)&B; // no-warning

^You can find an example of such code in MallocChecker::checkPreCall, the way they cast CallEvent references. Right now i'm not sure how popular correct and incorrect code patterns of this kind are.

Why i think the heuristic is too restrictive:

Base B;
Base *Bptr = &B;
Derived *Dptr = (D*)B; // expected-warning{{}}
danielmarjamaki updated this revision to Diff 71825.Sep 19 2016, 8:10 AM
danielmarjamaki removed rL LLVM as the repository for this revision.

Handle case between Base/Derived types better.

danielmarjamaki added a comment.Sep 23 2016, 3:59 AM

Ping.

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
85

thanks!

yes I agree it's extremely restricted. of course a pair of parentheses should not cause false negatives though.

imho , path-sensitive analysis is needed to warn about "pointers" and "references" as the check must know what it points at / references to avoid false positives.

NoQ accepted this revision.Sep 23 2016, 9:29 AM
NoQ edited edge metadata.

This patch seems to be an improvement for the original checker, and i think it should be ok to commit if your evaluation of the new check shows reasonable true positive rate.

However, if i was to choose, based on this discussion and other experiences, i would have wished this checker go in a different direction: make a single checker for violations of the strict aliasing rule. This should be do-able as a classic path-sensitive checker which would warn if the same object (RegionOffset) is accessed assuming incompatible value types. For symbolic void* or char* pointers, such checker would need to catch two accesses (which forces us to register stuff with program state), while for other pointer symbols and for concrete regions perhaps a single access should be enough to detect the problem. Such checker would probably be improved by finding branches that introduce aliases between pointer symbols, eg.

void foo(int *x, struct S *y) {
  if (x == y) {
    ...
  }
}

which we don't handle very well in the path-sensitive engine, but it's a great place to start looking into this. I wish somebody looked into this, because it sounds like a really good task for the analyzer.

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
64–91

You can use a single Sr here, the convenient ArrayRef constructor from a single element allows passing a single element instead of a one-element array into EmitBasicReport.

This revision is now accepted and ready to land.Sep 23 2016, 9:29 AM
danielmarjamaki added a comment.Sep 26 2016, 3:35 AM

However, if i was to choose, based on this discussion and other experiences, i would have wished this checker go in a different direction: make a single checker for violations of the strict aliasing rule.

That is reasonable. Ideally everybody would fix all UB.

As far as I know it's common to break the strict aliasing rule. There are users that would rather use -fno-strict-aliasing than fix their code. I want to have a checker that is useful when -fno-strict-aliasing is used and detects access out of bounds.

Closed by commit rL282411: [analyzer] Improve CastToStruct checker so it can also detect widening casts… (authored by danielmarjamaki). · Explain WhySep 26 2016, 8:26 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
77 lines
test/
Analysis/
33 lines
2 lines

Diff 71804

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp

//=== CastToStructChecker.cpp - Fixed address usage checker ----*- C++ -*--===// //=== CastToStructChecker.cpp - Fixed address usage checker ----*- C++ -*--===//
NoQUnsubmitted
Not Done
ReplyInline Actions

Ouch, just noticed ^

NoQ: Ouch, just noticed ^
danielmarjamakiAuthorUnsubmitted
Not Done
ReplyInline Actions

I am not sure what problem you see with this line. It looks ok to me.

danielmarjamaki: I am not sure what problem you see with this line. It looks ok to me.
NoQUnsubmitted
Not Done
ReplyInline Actions

The description is from another checker.

NoQ: The description is from another checker.
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This files defines CastToStructChecker, a builtin checker that checks for // This files defines CastToStructChecker, a builtin checker that checks for
// cast from non-struct pointer to struct pointer. // cast from non-struct pointer to struct pointer and widening struct data cast.
// This check corresponds to CWE-588. // This check corresponds to CWE-588.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ClangSACheckers.h" #include "ClangSACheckers.h"
#include "clang/AST/RecursiveASTVisitor.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class CastToStructChecker : public Checker< check::PreStmt<CastExpr> > { class CastToStructVisitor : public RecursiveASTVisitor<CastToStructVisitor> {
mutable std::unique_ptr<BuiltinBug> BT; BugReporter &BR;
const CheckerBase *Checker;
AnalysisDeclContext *AC;
public: public:
void checkPreStmt(const CastExpr *CE, CheckerContext &C) const; explicit CastToStructVisitor(BugReporter &B, const CheckerBase *Checker,
AnalysisDeclContext *A)
: BR(B), Checker(Checker), AC(A) {}
bool VisitCastExpr(const CastExpr *CE);
}; };
} }
void CastToStructChecker::checkPreStmt(const CastExpr *CE, bool CastToStructVisitor::VisitCastExpr(const CastExpr *CE) {
CheckerContext &C) const {
const Expr *E = CE->getSubExpr(); const Expr *E = CE->getSubExpr();
ASTContext &Ctx = C.getASTContext(); ASTContext &Ctx = AC->getASTContext();
QualType OrigTy = Ctx.getCanonicalType(E->getType()); QualType OrigTy = Ctx.getCanonicalType(E->getType());
QualType ToTy = Ctx.getCanonicalType(CE->getType()); QualType ToTy = Ctx.getCanonicalType(CE->getType());
const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr()); const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr()); const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
if (!ToPTy || !OrigPTy) if (!ToPTy || !OrigPTy)
return; return true;
QualType OrigPointeeTy = OrigPTy->getPointeeType(); QualType OrigPointeeTy = OrigPTy->getPointeeType();
QualType ToPointeeTy = ToPTy->getPointeeType(); QualType ToPointeeTy = ToPTy->getPointeeType();
if (!ToPointeeTy->isStructureOrClassType()) if (!ToPointeeTy->isStructureOrClassType())
return; return true;
// We allow cast from void*. // We allow cast from void*.
if (OrigPointeeTy->isVoidType()) if (OrigPointeeTy->isVoidType())
return; return true;
// Now the cast-to-type is struct pointer, the original type is not void*. // Now the cast-to-type is struct pointer, the original type is not void*.
if (!OrigPointeeTy->isRecordType()) { if (!OrigPointeeTy->isRecordType()) {
if (ExplodedNode *N = C.generateNonFatalErrorNode()) { SourceRange Sr[1] = {CE->getSourceRange()};
if (!BT) PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
BT.reset( BR.EmitBasicReport(
new BuiltinBug(this, "Cast from non-struct type to struct type", AC->getDecl(), Checker, "Cast from non-struct type to struct type",
"Casting a non-structure type to a structure type " categories::LogicError, "Casting a non-structure type to a structure "
"and accessing a field can lead to memory access " "type and accessing a field can lead to memory "
"errors or data corruption.")); "access errors or data corruption.",
auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N); Loc, Sr);
R->addRange(CE->getSourceRange()); } else {
C.emitReport(std::move(R)); // Don't warn when size of data is unknown.
const auto *U = dyn_cast<UnaryOperator>(E);
if (!U || U->getOpcode() != UO_AddrOf)
NoQUnsubmitted
Not Done
ReplyInline Actions

Could you add a test case for other branches of this code (cast without unary operator, cast with non-& unary operator)?

NoQ: Could you add a test case for other branches of this code (cast without unary operator, cast…
danielmarjamakiAuthorUnsubmitted
Not Done
ReplyInline Actions

Ok. Maybe the getOpCode is redundant. The ~, !, - operators does not make much sense on pointers and I believe I get compile errors. However imho it's nice for clarity to show that I only look for &var.

danielmarjamaki: Ok. Maybe the getOpCode is redundant. The ~, !, - operators does not make much sense on…
return true;
// Warn when there is widening cast.
unsigned ToWidth = Ctx.getTypeInfo(ToPointeeTy).Width;
unsigned OrigWidth = Ctx.getTypeInfo(OrigPointeeTy).Width;
if (ToWidth <= OrigWidth)
return true;
SourceRange Sr[1] = {CE->getSourceRange()};
PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
NoQUnsubmitted
Not Done
ReplyInline Actions

Could you add a test case for this? It might force you to add a C++ test file. Adding a dedicated file of tests for this checker is anyway a good idea, i think.

You may also want to make this more accurate with CXXRecordDecl::isDerivedFrom() etc. if you like.

NoQ: Could you add a test case for this? It might force you to add a C++ test file. Adding a…
danielmarjamakiAuthorUnsubmitted
Not Done
ReplyInline Actions

I started writing a testcase. But I am now thinking about removing this code. I could not write a sensible test case.

If there is code like:

struct Derived : public Base { .. };
struct Base B = {1,2};
struct Derived *D = (struct Derived *)&B;

Then writing the warning seems ok. It seems to me this is just as dangerous as if there was no inheritance.

danielmarjamaki: I started writing a testcase. But I am now thinking about removing this code. I could not write…
NoQUnsubmitted
Not Done
ReplyInline Actions

Then you should exclude dynamic_cast and probably static_cast as well, because they were created for this particular purpose. Even then, i'm afraid many projects still use C-style casts with combination of kind-of custom RTTI (even in C) and have large switches by kind followed by casts to kind everywhere. You should be able to see this if you run the checker on a large codebase - even though the code you posted is clearly invalid, you cannot prove this without proper path-sensitive analysis, and the cast itself isn't necessarily bad.

NoQ: Then you should exclude `dynamic_cast` and probably `static_cast` as well, because they were…
danielmarjamakiAuthorUnsubmitted
Not Done
ReplyInline Actions

I think you're missing that I am not writing warnings about arbitrary struct pointers.

The dynamic_cast is normally used to cast some kind of pointer variable:

Base *B;
...
Derived *D = dynamic_cast<Derived *>(B);

I do not warn about casting such pointers. Because the check does not know what B points at.

I require that '&' is used, like so:

Base B;
...
Derived *D = dynamic_cast<Derived *>(&Base);

Then the check knows what the pointer points at. It's just a Base. I guess you are telling me that we should not warn here. Well you are right, nothing dangerous happens the cast result will just be 0.

danielmarjamaki: I think you're missing that I am not writing warnings about arbitrary struct pointers. The…
NoQUnsubmitted
Not Done
ReplyInline Actions

Uhm, but the operator-&-heuristic sounds like something extremely restrictive, that should be eventually removed (not even a pair of parentheses is allowed around operator-&).

Some false positives may still appear though, i suspect:

Derived D;
Base &B = D;
Derived *Dptr = (D*)&B; // no-warning

^You can find an example of such code in MallocChecker::checkPreCall, the way they cast CallEvent references. Right now i'm not sure how popular correct and incorrect code patterns of this kind are.

Why i think the heuristic is too restrictive:

Base B;
Base *Bptr = &B;
Derived *Dptr = (D*)B; // expected-warning{{}}
NoQ: Uhm, but the operator-&-heuristic sounds like something extremely restrictive, that should be…
danielmarjamakiAuthorUnsubmitted
Not Done
ReplyInline Actions

thanks!

yes I agree it's extremely restricted. of course a pair of parentheses should not cause false negatives though.

imho , path-sensitive analysis is needed to warn about "pointers" and "references" as the check must know what it points at / references to avoid false positives.

danielmarjamaki: thanks! yes I agree it's extremely restricted. of course a pair of parentheses should not…
BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type",
categories::LogicError,
"Casting data to a larger structure type and accessing "
"a field can lead to memory access errors or data "
"corruption.",
Loc, Sr);
NoQUnsubmitted
Not Done
ReplyInline Actions

You can use a single Sr here, the convenient ArrayRef constructor from a single element allows passing a single element instead of a one-element array into EmitBasicReport.

NoQ: You can use a single `Sr` here, the convenient `ArrayRef` constructor from a single element…
} }
return true;
} }
namespace {
class CastToStructChecker : public Checker<check::ASTCodeBody> {
public:
void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
BugReporter &BR) const {
CastToStructVisitor Visitor(BR, this, Mgr.getAnalysisDeclContext(D));
Visitor.TraverseDecl(const_cast<Decl *>(D));
} }
};
} // end anonymous namespace
void ento::registerCastToStructChecker(CheckerManager &mgr) { void ento::registerCastToStructChecker(CheckerManager &mgr) {
mgr.registerChecker<CastToStructChecker>(); mgr.registerChecker<CastToStructChecker>();
} }

test/Analysis/cast-to-struct.c

// RUN: %clang_cc1 -analyze -analyzer-checker=alpha,core -verify %s
struct AB {
int A;
int B;
};
struct ABC {
int A;
int B;
int C;
};
void structToStruct(struct AB *P) {
struct AB Ab;
struct ABC *Abc;
Abc = (struct ABC *)&Ab; // expected-warning {{Casting data to a larger structure type and accessing a field can lead to memory access errors or data corruption}}
Abc = (struct ABC *)P; // No warning; It is not known what data P points at.
// Don't warn when the cast is not widening.
P = (struct AB *)&Ab; // struct AB * => struct AB *
struct ABC Abc2;
P = (struct AB *)&Abc2; // struct ABC * => struct AB *
}
void intToStruct(int *P) {
struct ABC *Abc;
Abc = (struct ABC *)P; // expected-warning {{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
// Cast from void *.
void *VP = P;
Abc = (struct ABC *)VP;
}

test/Analysis/casts.c

Show All 12 Lines
typedef __darwin_socklen_t socklen_t; typedef __darwin_socklen_t socklen_t;
struct sockaddr { sa_family_t sa_family; }; struct sockaddr { sa_family_t sa_family; };
struct sockaddr_storage {}; struct sockaddr_storage {};
void getsockname(); void getsockname();
void f(int sock) { void f(int sock) {
struct sockaddr_storage storage; struct sockaddr_storage storage;
struct sockaddr* sockaddr = (struct sockaddr*)&storage; struct sockaddr* sockaddr = (struct sockaddr*)&storage; // expected-warning{{Casting data to a larger structure type and accessing a field can lead to memory access errors or data corruption}}
socklen_t addrlen = sizeof(storage); socklen_t addrlen = sizeof(storage);
getsockname(sock, sockaddr, &addrlen); getsockname(sock, sockaddr, &addrlen);
switch (sockaddr->sa_family) { // no-warning switch (sockaddr->sa_family) { // no-warning
default: default:
; ;
} }
} }
▲ Show 20 LinesShow All 91 LinesShow Last 20 Lines