Details
- Type: New Feature
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: Rules to specify, Subject: Symbolic execution, Importance: Relevant, Level: Medium
- Component/s: C, C++, Objective-C, Rules, Symbolic Execution
- Labels:
Description
Define which cases of function-pointer type casting are safe, and report any cast function pointer that is later invoked with an incompatible signature. The signature may be incompatible in its arguments (arguments of different types, or a different number of them) as well as in the return type, exception specification, or {{const}}ness.
This rule is a special case of type-cast abuse, with a narrower focus and deeper analysis: it aims to discover not only the cast itself but also the later use that defies language semantics.
Inspiration cases from the ITC Toyota benchmark:
{code}
long func_pointer_003_func_001 (long a, int b)
{
    return (a + (long)b);
}

void func_pointer_003 ()
{
    float ret;
    if(1)
    {
        float (*func)(long , int);
        func = (float (*)(long , int ))func_pointer_003_func_001;
        ret = func(1, 2);/*Tool should detect this line as error*/ /*ERROR:Bad function pointer casting*/
    }
}
{code}
{code}
int wrong_arguments_func_pointer_002_func_001(int a)
{
    int i=20;
    return (i);
}

void wrong_arguments_func_pointer_002()
{
    char buf[10] = "string";
    int (*fptr)(char *);
    int a;
    fptr = (int (*)(char *))wrong_arguments_func_pointer_002_func_001;
    a =fptr(buf);/*Tool should detect this line as error*//*ERROR:Wrong arguments passed to a function pointer*/
}
{code}
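One cast pattern the rule would need to treat as safe, shown as an added example that is not part of the original ticket or the benchmark: C allows a function pointer to be converted to another function-pointer type and back (C11 6.3.2.3p8), so the cast is harmless when every call goes through the original type again. The names `generic_fn`, `fn_kind`, `invoke_checked` and `call_tagged` are hypothetical.

```c
#include <stddef.h>

/* Storage-only type: pointers of this type are never called directly. */
typedef void (*generic_fn)(void);

/* Hypothetical tag recording the real signature behind each stored pointer. */
enum fn_kind { FN_LONG_OF_LONG_INT, FN_INT_OF_INT };

struct callback { enum fn_kind kind; generic_fn fn; };

static long add_long_int(long a, int b) { return a + (long)b; }
static int  always_twenty(int a)        { (void)a; return 20; }

/* Converts back to the original type before calling, so every call goes
 * through a pointer type compatible with the function's definition. */
long invoke_checked(const struct callback *cb, long a, int b, int *ok)
{
    *ok = 1;
    switch (cb->kind) {
    case FN_LONG_OF_LONG_INT:
        return ((long (*)(long, int))cb->fn)(a, b);
    case FN_INT_OF_INT:
        return ((int (*)(int))cb->fn)(b);
    }
    *ok = 0;            /* unknown tag: refuse to call at all */
    return 0;
}

/* Builds a tagged callback, invokes it, and returns -1 if the call was refused. */
long call_tagged(enum fn_kind kind, generic_fn fn, long a, int b)
{
    struct callback cb = { kind, fn };
    int ok;
    long r = invoke_checked(&cb, a, b, &ok);
    return ok ? r : -1;
}

int main(void)
{
    int pass = call_tagged(FN_LONG_OF_LONG_INT, (generic_fn)add_long_int, 1, 2) == 3
            && call_tagged(FN_INT_OF_INT, (generic_fn)always_twenty, 0, 7) == 20
            && call_tagged((enum fn_kind)99, NULL, 0, 0) == -1;
    return pass ? 0 : 1;
}
```

Unlike the two benchmark cases, no call here is made through a pointer type that differs from the callee's definition, so an analysis that tracks the cast through to the call site should stay silent on it.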