[PATCH] D91055: [clang-tidy] Introduce misc No Integer To Pointer Cast check

Alexander Richardson via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Mon Nov 9 03:45:03 PST 2020


arichardson added a comment.

Nice! I wonder if this could be an off-by-default (maybe enabled by -Wpedantic) warning in clang instead?

Diagnostics like this could be very useful for CHERI since our capabilities are in some way tracking provenance in hardware: we have bounds, permissions and a validity bit for all pointers.
All pointers must be derived from another valid pointer (CHERI capability) otherwise the validity bit is cleared.
Casting from an integer to a pointer always results in a value without provenance (lacking a tag bit in hardware) and will result in traps when dereferenced.
We do however treat uintptr_t as carrying provenance (casts retain the same permissions+bounds+validity bit in hardware as the original pointer).

Our compiler has some diagnostics to flag int -> pointer casts, so we warn about the example code when using long as the intermediate value (since that will cause run-time crashes if the value is dereferenced), but we do not warn for uintptr_t:
CHERI compiler explorer <https://cheri-compiler-explorer.cl.cam.ac.uk/#g:!((g:!((g:!((h:codeEditor,i:(fontScale:14,j:1,lang:___c,selection:(endColumn:2,endLineNumber:23,positionColumn:2,positionLineNumber:23,selectionStartColumn:2,selectionStartLineNumber:23,startColumn:2,startLineNumber:23),source:'%23include+%3Cstdint.h%3E%0A%0Avoid+*explicit(long+long+int+x)+%7B%0A++return+(void+*)x%3B%0A%7D%0A%0Avoid+*implicit(long+long+int+x)+%7B%0A++return+x%3B%0A%7D%0A%0Achar*+src_long(char*+maybe_underbiased_ptr)+%7B%0A++++long+maybe_underbiased_intptr+%3D+(long)maybe_underbiased_ptr%3B%0A++++long+aligned_biased_intptr+%3D+maybe_underbiased_intptr+%2B+15%3B%0A++++long+aligned_intptr+%3D+aligned_biased_intptr+%26+(~15)%3B%0A++++return+(char*)aligned_intptr%3B+//+warning:+avoid+integer+to+pointer+casts+%5Bmisc-no-inttoptr%5D%0A%7D%0A%0Achar*+src_uintptr_t(char*+maybe_underbiased_ptr)+%7B%0A++++uintptr_t+maybe_underbiased_intptr+%3D+(uintptr_t)maybe_underbiased_ptr%3B%0A++++uintptr_t+aligned_biased_intptr+%3D+maybe_underbiased_intptr+%2B+15%3B%0A++++uintptr_t+aligned_intptr+%3D+aligned_biased_intptr+%26+(~15)%3B%0A++++return+(char*)aligned_intptr%3B+//+warning:+avoid+integer+to+pointer+casts+%5Bmisc-no-inttoptr%5D%0A%7D'),l:'5',n:'0',o:'C+source+%231',t:'0')),k:54.870530209617755,l:'4',m:100,n:'0',o:'',s:0,t:'0'),(g:!((h:output,i:(compiler:2,editor:1,fontScale:14,wrap:'1'),l:'5',n:'0',o:'%232+with+Purecap+CHERI-RISCV64',t:'0'),(h:compiler,i:(compiler:cheri-riscv64-purecap,filters:(b:'0',binary:'1',commentOnly:'0',demangle:'0',directives:'0',execute:'1',intel:'0',libraryCode:'1',trim:'1'),fontScale:14,j:2,lang:___c,libs:!(),options:'-Wall+-Wcheri',selection:(endColumn:1,endLineNumber:1,positionColumn:1,positionLineNumber:1,selectionStartColumn:1,selectionStartLineNumber:1,startColumn:1,startLineNumber:1),source:1),l:'5',n:'0',o:'Purecap+CHERI-RISCV64+(Editor+%231,+Compiler+%232)+C',t:'0')),k:45.129469790382245,l:'4',m:100,n:'0',o:'',s:0,t:'0')),l:'2',n:'0',o:'',t:'0')),version:4
>

I just checked whether we emit diagnostics for the test cases here and discovered that we only diagnose explicit casts from (non-uintptr_t) int -> pointer as lacking provenance, but are missing warnings for the -Wint-conversion case. <https://github.com/CTSRD-CHERI/llvm-project/issues/487>


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D91055/new/

https://reviews.llvm.org/D91055
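
Added example, not part of the original message and not code from the LLVM or CHERI projects: the pointer-alignment round trip the comment discusses, written once with long and once with uintptr_t as the intermediate type. The function names are hypothetical, and an LP64 target (long as wide as a pointer) is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: round a pointer up to a 16-byte boundary via `long`.
 * Per the message above, on CHERI the cast back from a plain integer yields
 * a pointer without provenance (no valid tag), which traps when dereferenced.
 * On a conventional LP64 target it merely happens to work. */
char *align16_via_long(char *p) {
    long addr = (long)p;            /* pointer -> integer: only the address is kept */
    addr = (addr + 15) & ~15L;      /* round up to the next multiple of 16 */
    return (char *)addr;            /* integer -> pointer cast */
}

/* Same arithmetic through uintptr_t. Per the message above, CHERI treats
 * uintptr_t as carrying provenance, so bounds, permissions and the validity
 * bit of the original pointer are retained across the round trip. */
char *align16_via_uintptr(char *p) {
    uintptr_t addr = (uintptr_t)p;
    addr = (addr + 15) & ~(uintptr_t)15;
    return (char *)addr;
}

/* Returns 1 when both variants produce the same 16-byte-aligned address
 * located 0..15 bytes after p. This is what a conventional target shows;
 * it cannot reveal the provenance difference, which is why a compile-time
 * diagnostic is useful. The caller must pass a pointer with at least
 * 15 bytes of the same object after it. */
int both_variants_agree(char *p) {
    char *a = align16_via_long(p);
    char *b = align16_via_uintptr(p);
    return a == b && ((uintptr_t)a % 16) == 0 && a >= p && (a - p) < 16;
}

int main(void) {
    static char buf[64];            /* constructed sample buffer */
    for (size_t off = 0; off < 16; off++)
        printf("offset %2zu: agree=%d\n", off, both_variants_agree(buf + off));
    return 0;
}
```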


