This is an archive of the discontinued LLVM Phabricator instance.

Differential D48866

[clang-tidy] Add incorrect-pointer-cast checker
Needs RevisionPublic

Authored by steakhal on Jul 3 2018, 12:24 AM.

Details

Reviewers
aaron.ballman
alexfh
hokein
ilya-biryukov
hgabii
JonasToth
Summary

This checker warns for cases when pointer is cast and the pointed to type is incompatible with allocated memory area type.
This may lead to access memory based on invalid memory layout.

Warn for cases when the pointed to type is wider than the allocated type.
For example char vs integer, long vs char etc.
Also warn for cases when the pointed to type layout is different from the allocated type layout, like different structs, integer vs float/double, different signedness.

Allows pointer casts if the pointed to struct type is "part" of the allocated type.
Which means the allocated type contains the pointed to type member by member.

Diff Detail

Event Timeline

hgabii created this revision.Jul 3 2018, 12:24 AM
Herald added subscribers: cfe-commits, mgorny. · View Herald TranscriptJul 3 2018, 12:24 AM
JonasToth added reviewers: aaron.ballman, alexfh, hokein, ilya-biryukov.Jul 3 2018, 5:34 AM
Eugene.Zelenko added a subscriber: Eugene.Zelenko.Jul 3 2018, 8:16 AM

bugprone seems to be proper category for this check.

clang-tidy/misc/IncorrectPointerCastCheck.cpp
35 ↗(On Diff #153866)

const auto * could be used instead.

clang-tidy/misc/IncorrectPointerCastCheck.h
19 ↗(On Diff #153866)

Please make sentence same as in Release Notes.

docs/clang-tidy/checks/misc-incorrect-pointer-cast.rst
6 ↗(On Diff #153866)

Please make this sentence same as in Release Notes.

alexfh added a comment.Jul 4 2018, 9:53 AM

Some patterns are covered by compiler diagnostics: https://godbolt.org/g/HvsjnP. Is there any benefit in re-implementing them?

alexfh added inline comments.Jul 4 2018, 9:53 AM
clang-tidy/misc/IncorrectPointerCastCheck.cpp
60 ↗(On Diff #153866)

The style of the message differs from that of the other checks (and Clang warnings). Messages are not complete sentences and as such should not use capitalization, trailing periods etc. Also I would avoid imperatives and exclamation marks. The message should use neutral tone and state what exactly is wrong with the code and why.

test/clang-tidy/misc-incorrect-pointer-cast.cpp
109 ↗(On Diff #153866)

"No newline at end of file". Please fix.

Eugene.Zelenko added inline comments.Oct 12 2018, 6:42 PM
clang-tidy/misc/IncorrectPointerCastCheck.cpp
80 ↗(On Diff #153866)

Somehow, misc namespace is closed twice.

docs/ReleaseNotes.rst
60 ↗(On Diff #153866)

Will be good idea to rebase from trunk and use alphabetical order.

63 ↗(On Diff #153866)

Warns. Please also use as much as possible from 80 characters.

docs/clang-tidy/checks/misc-incorrect-pointer-cast.rst
10 ↗(On Diff #153866)

Looks like two paragraphs are almost same. Will be good idea to rephrase. Please make sure that lines are no longer then 80 characters.

JonasToth added a subscriber: JonasToth.Oct 13 2018, 2:14 AM
hgabii updated this revision to Diff 170360.Oct 21 2018, 3:32 PM

Warning messages changed.
Tests updated.
Comments changed based on the recommendations.
Documentation refactored and reformatted.

alexfh added a comment.Oct 24 2018, 8:28 AM
In D48866#1270361, @hgabii wrote:

Warning messages changed.
Tests updated.
Comments changed based on the recommendations.
Documentation refactored and reformatted.

Could you mark comments "done" where appropriate?

hgabii marked 9 inline comments as done.EditedNov 20 2018, 12:25 PM

I resolved all comments.
(Sorry, I did not recognize that the done state is updating only when I submit a new comment)

docs/ReleaseNotes.rst
60 ↗(On Diff #153866)

It is rebased. I could not see what should be in an alphabetical order. This is inserted to the top of the document by the add_new_check.py.

lebedev.ri added a subscriber: lebedev.ri.Nov 20 2018, 12:32 PM

Warn for cases when the pointed to type is wider than the allocated type.
What does that mean? Is this talking about the size of the allocation, or the alignment?

Are you aware of the previous attempts, namely D33826?
Please incorporate the tests from there.

Please add tests with casts (that should normally be diagnosed) from types with explicitly specified alignment, that silence the warning.

Eugene.Zelenko added inline comments.Nov 20 2018, 1:00 PM
docs/ReleaseNotes.rst
60 ↗(On Diff #153866)

List of new check should be sorted alphabetically. Unfortunately add_new_check.py doesn't do this, so manual edit is necessary.

gerazo added a subscriber: gerazo.Nov 26 2018, 7:52 AM
gamesh411 added a subscriber: gamesh411.Dec 10 2018, 2:56 AM

In my opinion, after migrating relevant test cases from D33826, this is ready.

MyDeveloperDay mentioned this in D55508: [clang-tidy] insert release notes for new checkers alphabetically.Dec 10 2018, 6:01 AM
MyDeveloperDay mentioned this in D55523: [clang-tidy] Linting .rst documentation.Dec 10 2018, 10:09 AM
JonasToth mentioned this in rL348793: [clang-tidy] insert release notes for new checkers alphabetically.Dec 10 2018, 11:45 AM
JonasToth mentioned this in rCTE348793: [clang-tidy] insert release notes for new checkers alphabetically.Dec 10 2018, 11:51 AM
hgabii updated this revision to Diff 177810.Dec 11 2018, 6:26 PM
hgabii marked an inline comment as done.
Eugene.Zelenko added inline comments.Dec 11 2018, 6:30 PM
docs/ReleaseNotes.rst
139 ↗(On Diff #177810)

Please wrap up to 80 characters. Same in documentation.

docs/clang-tidy/checks/misc-incorrect-pointer-cast.rst
8 ↗(On Diff #177810)

Integer -> int. Please highlight types with ``.

hgabii added a comment.Dec 11 2018, 6:31 PM

Check for different size and alignment as well.
Tests migrated from D33826.
Warning in case of reinterpret_cast, but options is added to be able to turn it off.

hgabii updated this revision to Diff 177812.Dec 11 2018, 6:38 PM

Highlight type names in documentation.

hgabii marked 4 inline comments as done.Dec 11 2018, 6:40 PM
hgabii added inline comments.
docs/ReleaseNotes.rst
139 ↗(On Diff #177810)

Lines added by me are not longer than 80 characters.
It is also true for the documentation.

docs/clang-tidy/checks/misc-incorrect-pointer-cast.rst
8 ↗(On Diff #177810)

Done.

steakhal added a subscriber: steakhal.Mar 7 2019, 1:52 AM

@hgabii Are you planning on finishing this? If not, I'd happily commandeer if not.

Herald added a project: Restricted Project. · View Herald TranscriptMar 7 2019, 1:52 AM
Herald added a subscriber: jdoerfert. · View Herald Transcript
hgabii marked 2 inline comments as done.Mar 7 2019, 2:31 PM

@steakhal I think it is basically done. If you have any recommendations what needs to be changed, then I welcome your contribution. I can also fix new comments, but I have limited time for this.

Szelethus added a reviewer: JonasToth.Mar 7 2019, 2:35 PM
Szelethus added a subscriber: Szelethus.

Is this patch good to go? :)

alexfh requested changes to this revision.Mar 11 2019, 10:47 AM

As per the very first comment, "bugprone" will be a more suitable category for this check. The rename_check.py script should be able to help here.

This revision now requires changes to proceed.Mar 11 2019, 10:47 AM
alexfh added a comment.Mar 11 2019, 10:51 AM

And one more comment that hasn't yet been addressed: "Some patterns are covered by compiler diagnostics: https://godbolt.org/g/HvsjnP. Is there any benefit in re-implementing them?"

And one more: please update file headers. The license has changed since.

steakhal commandeered this revision.Jun 3 2019, 7:15 AM
steakhal added a reviewer: hgabii.

If you don't mind I will finish the leftover work. This will still be committed under your name.

steakhal updated this revision to Diff 202717.Jun 3 2019, 7:29 AM

Unfortunately the changes that I've made are not available in a diff because I've moved to the monorepo version.
Although, you can see the changes in detail on my llvm-project github fork.

There were only minor changes.

  • Updated the license, as requested
  • Moved the checker to the 'bugprone' category from 'misc'
  • Fixed bug: now using getAsRecordDecl instead of getAsCXXRecordDecl

There is still an open question whether we should relay on the warnings of the -Wcast-align option, but I'm not convinced.

lebedev.ri added a comment.Jun 3 2019, 7:44 AM

Some basic thoughts

clang-tools-extra/clang-tidy/bugprone/IncorrectPointerCastCheck.cpp
64

this reads weirdly, should be
"new type is wider (%2) than the original type (%3)"

70–71

"*more* strictly aligned" perhaps?
Similarly, specify the actual values.

89

`break;'?

96

Would be better to at least point to first two incompatible fields

99–108

What does this mean?
How can signedness affect memory layout?

clang-tools-extra/clang-tidy/bugprone/IncorrectPointerCastCheck.h
19

is cast*ed*
s/pointed to/new/

20

How do you know anything about the actual allocated memory area type.
You probably want to talk about the original type before cast.

lebedev.ri added a comment.Jun 3 2019, 7:56 AM

Also, this kinda feels like this shouldn't be a single check.

  1. I'm very much looking forward the alignment part of this, the reinterpret_cast<>() specifically. It would be good to have a switch to also diagnose casts from void* here. But indeed, if it comes from c-style cast, -Wcast-align will already have diagnosed it.
  2. Then there is 'cast increases type width' check, makes sense i suppose.
  3. 'struct layout mismatch', makes sense.
  4. I don't understand the 'different signdness' part.
steakhal added a comment.Jun 3 2019, 8:08 AM

The problem with the -Wcast-align is that it will only fire for C-style bitcast expressions, not for reinterpret_cast ones. example
Does anyone know why is that behavior?

lebedev.ri added a comment.Jun 3 2019, 8:32 AM
In D48866#1527506, @steakhal wrote:

The problem with the -Wcast-align is that it will only fire for C-style bitcast expressions, not for reinterpret_cast ones. example
Does anyone know why is that behavior?

Because reinterpret_cast is by definition allowed to perform these casts, so it is assumed that no warning should be issued.
This part of the check i look forward to.

steakhal marked 8 inline comments as done.Jun 4 2019, 4:53 AM
steakhal added inline comments.
clang-tools-extra/clang-tidy/bugprone/IncorrectPointerCastCheck.cpp
70–71

Which metrics should I use? Bits or char units? For now I will stick to bits.

99–108

You are right, signess difference is explicitly allowed in bitcasts. It has nothing to do with the actual memory layout. I thought it might be useful for detecting those cases too. It should be in a different checker in the future.
For now I've removed the related code from this checker.

clang-tools-extra/clang-tidy/bugprone/IncorrectPointerCastCheck.h
19

Casted fixed now.

What do you think about destination type and original type instead of new type?

20

You are right, fixed.

steakhal updated this revision to Diff 202913.Jun 4 2019, 5:11 AM
steakhal marked 4 inline comments as done.
  • Removed different signess related parts.
  • Don't warn for the casts which are already covered by '-Wcast-align' check.
  • Improved the diagnostic messages:
    • Now adds notes for the first incompatible members of structs.
    • Added alignment, size and type information to most of the warning messages.
steakhal added a comment.Jun 4 2019, 5:56 AM
In D48866#1527540, @lebedev.ri wrote:
In D48866#1527506, @steakhal wrote:

The problem with the -Wcast-align is that it will only fire for C-style bitcast expressions, not for reinterpret_cast ones. example
Does anyone know why is that behavior?

Because reinterpret_cast is by definition allowed to perform these casts, so it is assumed that no warning should be issued.
This part of the check i look forward to.

I still don't understand why should -Wcast-align issue warning only for c-style casts. What is the difference in the given example? What are the related paragraphs in the standard?
I assume in the example we violated the basic.lval/11 paragraph, so neither of those pointers are safely dereferencable.

In case we are casting from char* we don't know what is the dynamic type of the object (same with std::byte, void * etc.). From my point of view the style of the cast is not important in this case, only the fact that both are performing bitcasts.
Have I missed something?

steakhal added a comment.Jul 3 2019, 1:12 AM

What do you think, what should I improve in this checker?
Your remarks, @lebedev.ri, were really valuable.

steakhal added a comment.Aug 2 2019, 1:13 AM

Do you have some time @Szelethus to check this change?
Your experience and comments would help a lot to finish this.

Herald added a subscriber: whisperity. · View Herald TranscriptAug 2 2019, 1:13 AM
aaron.ballman added inline comments.Aug 2 2019, 5:47 AM
clang-tools-extra/clang-tidy/bugprone/IncorrectPointerCastCheck.cpp
41

Should be renamed to meet coding style guidelines (but don't reuse CastExpr please, as that's a type name).

42

Please drop top-level const on non-pointer/reference automatics.

47–50

Can these checks be hoisted into the AST matcher?

56

This one too.

60

Missing full stop at the end of the comment.

65

I'd drop the "lead to" from the diagnostic text.

70–71

I tend to think in terms of bytes rather than bits as that's the allocation unit for storage. Might be worth adding "bytes" into the diagnostic as well, just to be very clear.

74

Missing full stop. This comment suggests that we should not be diagnosing in C mode because it's a duplicate diagnostic, but you're gating it on a config flag rather than then language mode. Is that intentional?

79

Same comments here as above regarding "lead to" and bytes vs bits.

88

Comments should be full sentences with proper capitalization and punctuation.

104

Should this be looking at the canonical types as opposed to whatever types are written? e.g., will this decide that a field of type int and one of type int32_t are different (assuming that int32_t is a typedef to int)?

What if the fields have the same type, but have different bit widths? e.g., int i : 2; vs int i : 4;?

Should this consider qualifiers, like _Atomic() for differences, or is that already covered by the type comparison?

Should structure packing or alignment attributes impact this?

What if the fields are the same but the layout is still different? e.g., struct S { int i; }; vs 'struct S { virtual ~S() = default; int i; };` ?

What if one record is a struct and the other is a union, but their fields are the same? e.g., struct S { int i; double d; }; vs union U { int i; double d; }; ?

111

Do not use auto here as the type is not spelled out in the initialization.

115

Drop "lead to" (same below). I'm not certain "invalid layout" is a good way to phrase it -- I think "incompatible layout" works better.

clang-tools-extra/docs/clang-tidy/checks/bugprone-incorrect-pointer-cast.rst
6

Warns for cases when a pointer is cast

6–11

Can you re-flow this paragraph?

11

I don't think signedness is covered by the check (nor should it be, IMO).

13

I think this could be reworded better in terms of common initial sequence (http://eel.is/c++draft/class.mem#def:common_initial_sequence), WDYT?

17

It is highly recommended

whith -> with

25

to do not warn -> to not warn
(also, remove the extraneous whitespace after warn).

reinterpret cast -> reinterpret_cast (and add backticks)

30

Underlining looks too short here.

JonasToth resigned from this revision.Dec 30 2019, 8:01 AM
alexfh requested changes to this revision.Oct 12 2020, 6:57 AM
This revision now requires changes to proceed.Oct 12 2020, 6:57 AM
Herald added subscribers: martong, Charusso. · View Herald TranscriptOct 12 2020, 6:57 AM

Revision Contents

PathSize
clang-tools-extra/
clang-tidy/
bugprone/
3 lines
1 line
43 lines
142 lines
docs/
7 lines
clang-tidy/
checks/
75 lines
1 line
test/
clang-tidy/
205 lines

Diff 202913

clang-tools-extra/clang-tidy/bugprone/BugproneTidyModule.cpp

Show All 15 Lines
#include "BranchCloneCheck.h" #include "BranchCloneCheck.h"
#include "CopyConstructorInitCheck.h" #include "CopyConstructorInitCheck.h"
#include "DanglingHandleCheck.h" #include "DanglingHandleCheck.h"
#include "ExceptionEscapeCheck.h" #include "ExceptionEscapeCheck.h"
#include "FoldInitTypeCheck.h" #include "FoldInitTypeCheck.h"
#include "ForwardDeclarationNamespaceCheck.h" #include "ForwardDeclarationNamespaceCheck.h"
#include "ForwardingReferenceOverloadCheck.h" #include "ForwardingReferenceOverloadCheck.h"
#include "InaccurateEraseCheck.h" #include "InaccurateEraseCheck.h"
#include "IncorrectPointerCastCheck.h"
#include "IncorrectRoundingsCheck.h" #include "IncorrectRoundingsCheck.h"
#include "IntegerDivisionCheck.h" #include "IntegerDivisionCheck.h"
#include "LambdaFunctionNameCheck.h" #include "LambdaFunctionNameCheck.h"
#include "MacroParenthesesCheck.h" #include "MacroParenthesesCheck.h"
#include "MacroRepeatedSideEffectsCheck.h" #include "MacroRepeatedSideEffectsCheck.h"
#include "MisplacedOperatorInStrlenInAllocCheck.h" #include "MisplacedOperatorInStrlenInAllocCheck.h"
#include "MisplacedWideningCastCheck.h" #include "MisplacedWideningCastCheck.h"
#include "MoveForwardingReferenceCheck.h" #include "MoveForwardingReferenceCheck.h"
▲ Show 20 LinesShow All 45 Lines▼ Show 20 Lines void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
CheckFactories.registerCheck<FoldInitTypeCheck>( CheckFactories.registerCheck<FoldInitTypeCheck>(
"bugprone-fold-init-type"); "bugprone-fold-init-type");
CheckFactories.registerCheck<ForwardDeclarationNamespaceCheck>( CheckFactories.registerCheck<ForwardDeclarationNamespaceCheck>(
"bugprone-forward-declaration-namespace"); "bugprone-forward-declaration-namespace");
CheckFactories.registerCheck<ForwardingReferenceOverloadCheck>( CheckFactories.registerCheck<ForwardingReferenceOverloadCheck>(
"bugprone-forwarding-reference-overload"); "bugprone-forwarding-reference-overload");
CheckFactories.registerCheck<InaccurateEraseCheck>( CheckFactories.registerCheck<InaccurateEraseCheck>(
"bugprone-inaccurate-erase"); "bugprone-inaccurate-erase");
CheckFactories.registerCheck<IncorrectPointerCastCheck>(
"bugprone-incorrect-pointer-cast");
CheckFactories.registerCheck<IncorrectRoundingsCheck>( CheckFactories.registerCheck<IncorrectRoundingsCheck>(
"bugprone-incorrect-roundings"); "bugprone-incorrect-roundings");
CheckFactories.registerCheck<IntegerDivisionCheck>( CheckFactories.registerCheck<IntegerDivisionCheck>(
"bugprone-integer-division"); "bugprone-integer-division");
CheckFactories.registerCheck<LambdaFunctionNameCheck>( CheckFactories.registerCheck<LambdaFunctionNameCheck>(
"bugprone-lambda-function-name"); "bugprone-lambda-function-name");
CheckFactories.registerCheck<MacroParenthesesCheck>( CheckFactories.registerCheck<MacroParenthesesCheck>(
"bugprone-macro-parentheses"); "bugprone-macro-parentheses");
▲ Show 20 LinesShow All 71 LinesShow Last 20 Lines

clang-tools-extra/clang-tidy/bugprone/CMakeLists.txt

set(LLVM_LINK_COMPONENTS support) set(LLVM_LINK_COMPONENTS support)
add_clang_library(clangTidyBugproneModule add_clang_library(clangTidyBugproneModule
ArgumentCommentCheck.cpp ArgumentCommentCheck.cpp
AssertSideEffectCheck.cpp AssertSideEffectCheck.cpp
BoolPointerImplicitConversionCheck.cpp BoolPointerImplicitConversionCheck.cpp
BranchCloneCheck.cpp BranchCloneCheck.cpp
BugproneTidyModule.cpp BugproneTidyModule.cpp
CopyConstructorInitCheck.cpp CopyConstructorInitCheck.cpp
DanglingHandleCheck.cpp DanglingHandleCheck.cpp
ExceptionEscapeCheck.cpp ExceptionEscapeCheck.cpp
FoldInitTypeCheck.cpp FoldInitTypeCheck.cpp
ForwardDeclarationNamespaceCheck.cpp ForwardDeclarationNamespaceCheck.cpp
ForwardingReferenceOverloadCheck.cpp ForwardingReferenceOverloadCheck.cpp
InaccurateEraseCheck.cpp InaccurateEraseCheck.cpp
IncorrectPointerCastCheck.cpp
IncorrectRoundingsCheck.cpp IncorrectRoundingsCheck.cpp
IntegerDivisionCheck.cpp IntegerDivisionCheck.cpp
LambdaFunctionNameCheck.cpp LambdaFunctionNameCheck.cpp
MacroParenthesesCheck.cpp MacroParenthesesCheck.cpp
MacroRepeatedSideEffectsCheck.cpp MacroRepeatedSideEffectsCheck.cpp
MisplacedOperatorInStrlenInAllocCheck.cpp MisplacedOperatorInStrlenInAllocCheck.cpp
MisplacedWideningCastCheck.cpp MisplacedWideningCastCheck.cpp
MoveForwardingReferenceCheck.cpp MoveForwardingReferenceCheck.cpp
Show All 35 Lines

clang-tools-extra/clang-tidy/bugprone/IncorrectPointerCastCheck.h

  • This file was added.
//===--- IncorrectPointerCastCheck.h - clang-tidy ---------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_INCORRECTPOINTERCASTCHECK_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_INCORRECTPOINTERCASTCHECK_H
#include "../ClangTidy.h"
namespace clang {
namespace tidy {
namespace bugprone {
/// Warns for cases when pointer is casted and the destination type is
/// incompatible with the original type. This may lead to access memory based on
lebedev.riUnsubmitted
Done
ReplyInline Actions

is cast*ed*
s/pointed to/new/

lebedev.ri: is cast*ed* s/pointed to/new/
steakhalAuthorUnsubmitted
Not Done
ReplyInline Actions

Casted fixed now.

What do you think about destination type and original type instead of new type?

steakhal: Casted fixed now. What do you think about **destination type** and **original type** instead…
/// invalid memory layout.
lebedev.riUnsubmitted
Done
ReplyInline Actions

How do you know anything about the actual allocated memory area type.
You probably want to talk about the original type before cast.

lebedev.ri: How do you know anything about the actual `allocated memory area type`. You probably want to…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

You are right, fixed.

steakhal: You are right, fixed.
///
/// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/bugprone-incorrect-pointer-cast.html
class IncorrectPointerCastCheck : public ClangTidyCheck {
public:
IncorrectPointerCastCheck(StringRef Name, ClangTidyContext *Context)
: ClangTidyCheck(Name, Context),
IgnoreReinterpretCast(Options.get("IgnoreReinterpretCast", false)) {}
void storeOptions(ClangTidyOptions::OptionMap &Opts) override;
void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
private:
/// This option can be configured to do not warn when reinterpret cast is
/// used. The default is false.
const bool IgnoreReinterpretCast;
};
} // namespace bugprone
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_INCORRECTPOINTERCASTCHECK_H

clang-tools-extra/clang-tidy/bugprone/IncorrectPointerCastCheck.cpp

  • This file was added.
//===--- IncorrectPointerCastCheck.cpp - clang-tidy -------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "IncorrectPointerCastCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/AST/RecordLayout.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
using namespace clang::ast_matchers;
namespace clang {
namespace tidy {
namespace bugprone {
void IncorrectPointerCastCheck::storeOptions(
ClangTidyOptions::OptionMap &Opts) {
Options.store(Opts, "IgnoreReinterpretCast", IgnoreReinterpretCast);
}
void IncorrectPointerCastCheck::registerMatchers(MatchFinder *Finder) {
Finder->addMatcher(cStyleCastExpr(hasCastKind(CK_BitCast),
unless(isInTemplateInstantiation()))
.bind("cast"),
this);
if (!IgnoreReinterpretCast) {
Finder->addMatcher(
cxxReinterpretCastExpr(hasCastKind(CK_BitCast),
unless(isInTemplateInstantiation()))
.bind("cast"),
this);
}
}
void IncorrectPointerCastCheck::check(const MatchFinder::MatchResult &Result) {
const ASTContext &Context = *Result.Context;
const auto *castExpr = Result.Nodes.getNodeAs<CastExpr>("cast");
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Should be renamed to meet coding style guidelines (but don't reuse CastExpr please, as that's a type name).

aaron.ballman: Should be renamed to meet coding style guidelines (but don't reuse `CastExpr` please, as that's…
const bool HasCXXStyle = isa<CXXReinterpretCastExpr>(castExpr);
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Please drop top-level const on non-pointer/reference automatics.

aaron.ballman: Please drop top-level `const` on non-pointer/reference automatics.
const QualType SrcType = castExpr->getSubExpr()->getType();
const QualType DestType = castExpr->getType();
if (!SrcType->isPointerType() || !DestType->isPointerType())
return;
if (SrcType->isDependentType() || DestType->isDependentType())
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Can these checks be hoisted into the AST matcher?

aaron.ballman: Can these checks be hoisted into the AST matcher?
return;
const QualType SrcPointedType = SrcType->getPointeeType();
const QualType DestPointedType = DestType->getPointeeType();
if (SrcPointedType->isIncompleteType() || DestPointedType->isIncompleteType())
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

This one too.

aaron.ballman: This one too.
return;
// -Wcast-align already warns for C-style casts increasing alignment
// requirements
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Missing full stop at the end of the comment.

aaron.ballman: Missing full stop at the end of the comment.
const CharUnits SrcWidth = Context.getTypeSizeInChars(SrcPointedType);
const CharUnits DestWidth = Context.getTypeSizeInChars(DestPointedType);
if (SrcWidth < DestWidth && HasCXXStyle) {
diag(castExpr->getBeginLoc(),
lebedev.riUnsubmitted
Done
ReplyInline Actions

this reads weirdly, should be
"new type is wider (%2) than the original type (%3)"

lebedev.ri: this reads weirdly, should be "new type is wider (%2) than the original type (%3)"
"cast from %0 to %1 may lead to access memory based on invalid memory "
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I'd drop the "lead to" from the diagnostic text.

aaron.ballman: I'd drop the "lead to" from the diagnostic text.
"layout; new type is wider (%2) than the original type (%3)")
<< SrcPointedType << DestPointedType
<< static_cast<unsigned>(SrcWidth.getQuantity())
<< static_cast<unsigned>(DestWidth.getQuantity());
return;
}
lebedev.riUnsubmitted
Done
ReplyInline Actions

"*more* strictly aligned" perhaps?
Similarly, specify the actual values.

lebedev.ri: "*more* strictly aligned" perhaps? Similarly, specify the actual values.
steakhalAuthorUnsubmitted
Not Done
ReplyInline Actions

Which metrics should I use? Bits or char units? For now I will stick to bits.

steakhal: Which metrics should I use? Bits or char units? For now I will stick to bits.
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I tend to think in terms of bytes rather than bits as that's the allocation unit for storage. Might be worth adding "bytes" into the diagnostic as well, just to be very clear.

aaron.ballman: I tend to think in terms of bytes rather than bits as that's the allocation unit for storage.
// -Wcast-align already warns for C-style casts increasing alignment
// requirements
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Missing full stop. This comment suggests that we should not be diagnosing in C mode because it's a duplicate diagnostic, but you're gating it on a config flag rather than then language mode. Is that intentional?

aaron.ballman: Missing full stop. This comment suggests that we should not be diagnosing in C mode because…
const CharUnits SrcAlign = Context.getTypeAlignInChars(SrcPointedType);
const CharUnits DestAlign = Context.getTypeAlignInChars(DestPointedType);
if (SrcAlign < DestAlign && HasCXXStyle) {
diag(castExpr->getBeginLoc(),
"cast from %0 to %1 may lead to access memory based on invalid "
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Same comments here as above regarding "lead to" and bytes vs bits.

aaron.ballman: Same comments here as above regarding "lead to" and bytes vs bits.
"memory layout; new type is more strictly aligned (%2) than the "
"original type (%3)")
<< SrcPointedType << DestPointedType
<< static_cast<unsigned>(SrcAlign.getQuantity())
<< static_cast<unsigned>(DestAlign.getQuantity());
return;
}
// make sure both pointee are structs
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Comments should be full sentences with proper capitalization and punctuation.

aaron.ballman: Comments should be full sentences with proper capitalization and punctuation.
if (!SrcPointedType->isStructureType() || !DestPointedType->isStructureType())
lebedev.riUnsubmitted
Done
ReplyInline Actions

`break;'?

lebedev.ri: `break;'?
return;
bool FieldsAreSame = true;
const auto *SrcTypeRecordDecl = SrcPointedType->getAsRecordDecl();
const auto *DestTypeRecordDecl = DestPointedType->getAsRecordDecl();
auto SrcIterator = SrcTypeRecordDecl->field_begin();
auto DestIterator = DestTypeRecordDecl->field_begin();
lebedev.riUnsubmitted
Done
ReplyInline Actions

Would be better to at least point to first two incompatible fields

lebedev.ri: Would be better to at least point to first two incompatible fields
for (RecordDecl::field_iterator SrcEnd = SrcTypeRecordDecl->field_end(),
DestEnd = DestTypeRecordDecl->field_end();
SrcIterator != SrcEnd && DestIterator != DestEnd;
++SrcIterator, ++DestIterator) {
const FieldDecl &SrcField = **SrcIterator;
const FieldDecl &DestField = **DestIterator;
if (SrcField.getType() != DestField.getType()) {
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Should this be looking at the canonical types as opposed to whatever types are written? e.g., will this decide that a field of type int and one of type int32_t are different (assuming that int32_t is a typedef to int)?

What if the fields have the same type, but have different bit widths? e.g., int i : 2; vs int i : 4;?

Should this consider qualifiers, like _Atomic() for differences, or is that already covered by the type comparison?

Should structure packing or alignment attributes impact this?

What if the fields are the same but the layout is still different? e.g., struct S { int i; }; vs 'struct S { virtual ~S() = default; int i; };` ?

What if one record is a struct and the other is a union, but their fields are the same? e.g., struct S { int i; double d; }; vs union U { int i; double d; }; ?

aaron.ballman: Should this be looking at the canonical types as opposed to whatever types are written? e.g.
FieldsAreSame = false;
break;
}
}
lebedev.riUnsubmitted
Done
ReplyInline Actions

What does this mean?
How can signedness affect memory layout?

lebedev.ri: What does this mean? How can signedness affect memory layout?
steakhalAuthorUnsubmitted
Not Done
ReplyInline Actions

You are right, signess difference is explicitly allowed in bitcasts. It has nothing to do with the actual memory layout. I thought it might be useful for detecting those cases too. It should be in a different checker in the future.
For now I've removed the related code from this checker.

steakhal: You are right, signess difference is **explicitly** allowed in bitcasts. It has nothing to do…
if (!FieldsAreSame) {
const auto *SrcRecDecl = (*SrcIterator)->getParent();
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Do not use auto here as the type is not spelled out in the initialization.

aaron.ballman: Do not use `auto` here as the type is not spelled out in the initialization.
const auto *DestRecDecl = (*DestIterator)->getParent();
diag(castExpr->getBeginLoc(),
"cast from %0 to %1 may lead to access memory based on invalid "
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Drop "lead to" (same below). I'm not certain "invalid layout" is a good way to phrase it -- I think "incompatible layout" works better.

aaron.ballman: Drop "lead to" (same below). I'm not certain "invalid layout" is a good way to phrase it -- I…
"memory layout; struct members are incompatible")
<< SrcPointedType << DestPointedType;
diag((*SrcIterator)->getBeginLoc(),
"first incompatible member of %0 is declared here; at %1 bit offset "
"with %2 bit width",
DiagnosticIDs::Note)
<< SrcRecDecl->getName()
<< static_cast<unsigned>(
Context.getASTRecordLayout(SrcRecDecl)
.getFieldOffset(SrcIterator->getFieldIndex()))
<< static_cast<unsigned>(SrcWidth.getQuantity());
diag((*DestIterator)->getBeginLoc(),
"first incompatible member of %0 is declared here; at %1 bit offset "
"with %2 bit width",
DiagnosticIDs::Note)
<< DestRecDecl->getName()
<< static_cast<unsigned>(
Context.getASTRecordLayout(DestRecDecl)
.getFieldOffset(DestIterator->getFieldIndex()))
<< static_cast<unsigned>(DestWidth.getQuantity());
return;
}
}
} // namespace bugprone
} // namespace tidy
} // namespace clang

clang-tools-extra/docs/ReleaseNotes.rst

Show First 20 LinesShow All 71 Lines▼ Show 20 Lines- New OpenMP module.
For checks specific to `OpenMP <https://www.openmp.org/>`_ API. For checks specific to `OpenMP <https://www.openmp.org/>`_ API.
- New :doc:`abseil-duration-addition - New :doc:`abseil-duration-addition
<clang-tidy/checks/abseil-duration-addition>` check. <clang-tidy/checks/abseil-duration-addition>` check.
Checks for cases where addition should be performed in the ``absl::Time`` Checks for cases where addition should be performed in the ``absl::Time``
domain. domain.
- New :doc:`bugprone-incorrect-pointer-cast
<clang-tidy/checks/bugprone-incorrect-pointer-cast>` check
Warns for cases when pointer is casted and the destination type is
incompatible with the original type. This may lead to access memory
based on invalid memory layout.
- New :doc:`abseil-duration-conversion-cast - New :doc:`abseil-duration-conversion-cast
<clang-tidy/checks/abseil-duration-conversion-cast>` check. <clang-tidy/checks/abseil-duration-conversion-cast>` check.
Checks for casts of ``absl::Duration`` conversion functions, and recommends Checks for casts of ``absl::Duration`` conversion functions, and recommends
the right conversion function instead. the right conversion function instead.
- New :doc:`abseil-duration-unnecessary-conversion - New :doc:`abseil-duration-unnecessary-conversion
<clang-tidy/checks/abseil-duration-unnecessary-conversion>` check. <clang-tidy/checks/abseil-duration-unnecessary-conversion>` check.
▲ Show 20 LinesShow All 137 LinesShow Last 20 Lines

clang-tools-extra/docs/clang-tidy/checks/bugprone-incorrect-pointer-cast.rst

  • This file was added.
.. title:: clang-tidy - bugprone-incorrect-pointer-cast
bugprone-incorrect-pointer-cast
===============================
Warns for cases when pointer is casted and the destination type is wider than the
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Warns for cases when a pointer is cast

aaron.ballman: Warns for cases when a pointer is cast
original type.
For example `char` vs `int`, `long` vs `char` etc.
Also warns for cases when the layout of the destination type is different from the
original one, like different structs, `int` vs `float`/`double`,
different signedness.
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Can you re-flow this paragraph?

aaron.ballman: Can you re-flow this paragraph?
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I don't think signedness is covered by the check (nor should it be, IMO).

aaron.ballman: I don't think signedness is covered by the check (nor should it be, IMO).
Allows pointer casts if the destination type is "part" of the original type.
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I think this could be reworded better in terms of common initial sequence (http://eel.is/c++draft/class.mem#def:common_initial_sequence), WDYT?

aaron.ballman: I think this could be reworded better in terms of common initial sequence (http://eel.
Which means the original type contains the members of the destination type
strictly in order.
Highly recommended to use `-Wcast-align` whith this check which will cover some
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

It is highly recommended

whith -> with

aaron.ballman: It is highly recommended whith -> with
other cases of alignment requirement violations via casts.
Options
-------
.. option:: IgnoreReinterpretCast
This option can be configured to do not warn when reinterpret cast is used.
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

to do not warn -> to not warn
(also, remove the extraneous whitespace after warn).

reinterpret cast -> reinterpret_cast (and add backticks)

aaron.ballman: to do not warn -> to not warn (also, remove the extraneous whitespace after `warn`).
Disabled by default but this option might be useful on code bases where
`reinterpret_cast` is used carefully.
Examples
-------
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Underlining looks too short here.

aaron.ballman: Underlining looks too short here.
Cast char pointer to integer pointer.
Check will warn because of cast to a wider type.
.. code-block:: c++
char c = 'a';
int *i = reinterpret_cast<int *>(&c);
i = (int *)&c; // It won't warn becouse '-Wcast-align' warns instead.
Cast between structs.
Check will allow to cast to a narrower struct if it is part of the source struct
member by member.
.. code-block:: c++
struct S1 {
int a;
};
struct S2 {
int a;
double b;
};
struct S3 {
double y;
long x;
};
struct S2 s2;
struct S1 *s1 = (struct S1 *)&s2; // Won't warn. Struct "S2" contains struct
// "S2" member by member.
struct S3 *s3 = (struct S3 *)&s2; // Warning because of different type
// layout.
Cast with `reinterpret_cast`.
If the `IgnoreReinterpretCast` option is `0`, check will warn for these
kind of casts.
.. code-block:: c++
char c = 'x';
int *i = reinterpret_cast<int *>(&c);

clang-tools-extra/docs/clang-tidy/checks/list.rst

Show All 40 Lines.. toctree::
bugprone-branch-clone bugprone-branch-clone
bugprone-copy-constructor-init bugprone-copy-constructor-init
bugprone-dangling-handle bugprone-dangling-handle
bugprone-exception-escape bugprone-exception-escape
bugprone-fold-init-type bugprone-fold-init-type
bugprone-forward-declaration-namespace bugprone-forward-declaration-namespace
bugprone-forwarding-reference-overload bugprone-forwarding-reference-overload
bugprone-inaccurate-erase bugprone-inaccurate-erase
bugprone-incorrect-pointer-cast
bugprone-incorrect-roundings bugprone-incorrect-roundings
bugprone-integer-division bugprone-integer-division
bugprone-lambda-function-name bugprone-lambda-function-name
bugprone-macro-parentheses bugprone-macro-parentheses
bugprone-macro-repeated-side-effects bugprone-macro-repeated-side-effects
bugprone-misplaced-operator-in-strlen-in-alloc bugprone-misplaced-operator-in-strlen-in-alloc
bugprone-misplaced-widening-cast bugprone-misplaced-widening-cast
bugprone-move-forwarding-reference bugprone-move-forwarding-reference
▲ Show 20 LinesShow All 228 LinesShow Last 20 Lines

clang-tools-extra/test/clang-tidy/bugprone-incorrect-pointer-cast.cpp

  • This file was added.
// RUN: %check_clang_tidy %s bugprone-incorrect-pointer-cast %t -- \
// RUN: -config="{CheckOptions: [{key: bugprone-incorrect-pointer-cast.WarnForDifferentSignedness, value: 1}]}" --
bool b;
char __attribute__((aligned(4))) a[16];
struct S0 {
char a[16];
};
struct S01 {
char __attribute__((aligned(4))) a[16];
struct S0 __attribute__((aligned(4))) s0;
};
struct S1 {
int a;
int b;
};
struct S2 {
int a;
};
struct S3 {
int a;
double b;
};
struct S4 {
int x;
double y;
};
struct S5 {
double y;
int x;
};
struct __attribute__((aligned(16))) SAligned {
char buffer[16];
};
void initDouble(double *d) {
*d = 0.5;
}
void castCharToInt(void) {
char c = 'x';
b = (int *)&c; // -Wcast-align already warns for this
b = reinterpret_cast<int *>(&c); // -Wcast-align does NOT warn for this
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'char' to 'int' may lead to access memory based on invalid memory layout; new type is wider (1) than the original type (4) [bugprone-incorrect-pointer-cast]
}
void castCharToSort(char c) {
b = (short *)&c; // -Wcast-align already warns for this
b = reinterpret_cast<short *>(&c); // -Wcast-align does NOT warn for this
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'char' to 'short' may lead to access memory based on invalid memory layout; new type is wider (1) than the original type (2) [bugprone-incorrect-pointer-cast]
}
void castShortToInt(short s) {
b = (int *)&s; // -Wcast-align already warns for this
b = reinterpret_cast<int *>(&s); // -Wcast-align does NOT warn for this
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'short' to 'int' may lead to access memory based on invalid memory layout; new type is wider (2) than the original type (4) [bugprone-incorrect-pointer-cast]
}
void castWideCharToLong(wchar_t wc) {
b = (long *)&wc; // -Wcast-align already warns for this
b = reinterpret_cast<long *>(&wc); // -Wcast-align does NOT warn for this
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'wchar_t' to 'long' may lead to access memory based on invalid memory layout; new type is wider (4) than the original type (8) [bugprone-incorrect-pointer-cast]
}
void castFloatToDouble(float f) {
initDouble((double *)&f); // -Wcast-align already warns for this
initDouble(reinterpret_cast<double *>(&f)); // -Wcast-align does NOT warn for this
// CHECK-MESSAGES: :[[@LINE-1]]:14: warning: cast from 'float' to 'double' may lead to access memory based on invalid memory layout; new type is wider (4) than the original type (8) [bugprone-incorrect-pointer-cast]
}
void castToS2(char *data, unsigned offset) {
b = (struct S2 *)(data + offset); // -Wcast-align already warns for this
b = reinterpret_cast<struct S2 *>(data + offset); // -Wcast-align does NOT warn for this
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'char' to 'struct S2' may lead to access memory based on invalid memory layout; new type is wider (1) than the original type (4) [bugprone-incorrect-pointer-cast]
}
void castS3ToS1(struct S3 s3) {
b = (struct S1 *)&s3;
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'struct S3' to 'struct S1' may lead to access memory based on invalid memory layout; struct members are incompatible [bugprone-incorrect-pointer-cast]
// CHECK-MESSAGES: :27:3: note: first incompatible member of S3 is declared here; at 64 bit offset with 16 bit width
// CHECK-MESSAGES: :18:3: note: first incompatible member of S1 is declared here; at 32 bit offset with 8 bit width
b = reinterpret_cast<struct S1 *>(&s3);
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'struct S3' to 'struct S1' may lead to access memory based on invalid memory layout; struct members are incompatible [bugprone-incorrect-pointer-cast]
// CHECK-MESSAGES: :27:3: note: first incompatible member of S3 is declared here; at 64 bit offset with 16 bit width
// CHECK-MESSAGES: :18:3: note: first incompatible member of S1 is declared here; at 32 bit offset with 8 bit width
}
void castS4ToS5(struct S4 s4) {
b = (struct S5 *)&s4;
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'struct S4' to 'struct S5' may lead to access memory based on invalid memory layout; struct members are incompatible [bugprone-incorrect-pointer-cast]
// CHECK-MESSAGES: :31:3: note: first incompatible member of S4 is declared here; at 0 bit offset with 16 bit width
// CHECK-MESSAGES: :36:3: note: first incompatible member of S5 is declared here; at 0 bit offset with 16 bit width
b = reinterpret_cast<struct S5 *>(&s4);
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'struct S4' to 'struct S5' may lead to access memory based on invalid memory layout; struct members are incompatible [bugprone-incorrect-pointer-cast]
// CHECK-MESSAGES: :31:3: note: first incompatible member of S4 is declared here; at 0 bit offset with 16 bit width
// CHECK-MESSAGES: :36:3: note: first incompatible member of S5 is declared here; at 0 bit offset with 16 bit width
}
void castULongToLong(unsigned long ul) {
b = (long *)&ul;
b = reinterpret_cast<long *>(&ul);
}
void castIntToUInt(int i) {
b = (unsigned int *)&i;
b = reinterpret_cast<unsigned int *>(&i);
}
void castToAlignedStruct(char *P) {
b = (struct SAligned *)P; // -Wcast-align already warns for this
b = reinterpret_cast<struct SAligned *>(P); // -Wcast-align does NOT warn for this
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'char' to 'struct SAligned' may lead to access memory based on invalid memory layout; new type is wider (1) than the original type (16) [bugprone-incorrect-pointer-cast]
}
void castCharToIntWithReinterpretCast(void) {
char c = 'x';
b = reinterpret_cast<int *>(&c);
// CHECK-MESSAGES: :[[@LINE-1]]:7: warning: cast from 'char' to 'int' may lead to access memory based on invalid memory layout; new type is wider (1) than the original type (4) [bugprone-incorrect-pointer-cast]
}
void TestDifferentAlignment() {
struct S01 s;
int *i = (int *)s.a; // ok, s.a is aligned to 4 bytes just like and 'int *'
i = (int *)&s.s0; // same
i = (int *)a; // same
}
// negatives
void castIntToFloat(int i) {
float *f = (float *)&i;
}
void castCharToChar(char *p) {
char *c = (char *)p;
}
void castShortToChar(short s) {
char *c = (char *)&s;
}
void initInt(int *i) {
*i = 1;
}
void castIntToInt() {
int i;
initInt(&i);
}
void castS1ToS2() {
struct S1 s1;
struct S2 *s2 = (struct S2 *)&s1;
}
void castS4ToS3() {
struct S4 s4;
struct S3 *s3 = (struct S3 *)&s4;
}
void IncompleteType(char *P) {
struct B *b = (struct B *)P;
}
// Casts from void* are a special case.
void CastFromVoidPointer(void *P) {
char *a = (char *)P;
short *b = (short *)P;
int *c = (int *)P;
const volatile void *P2 = P;
char *d = (char *)P2;
short *e = (short *)P2;
int *f = (int *)P2;
const char *g = (const char *)P2;
const short *h = (const short *)P2;
const int *i = (const int *)P2;
const volatile char *j = (const volatile char *)P2;
const volatile short *k = (const volatile short *)P2;
const volatile int *l = (const volatile int *)P2;
}
typedef int (*FnTy)(void);
unsigned int func(void);
FnTy testFunc(void) {
return (FnTy)&func;
}
struct W;
void function3(struct W *v) {
int *i = (int *)v;
struct W *u = (struct W *)i;
}