public inbox for gcc-bugs@sourceware.org
* [Bug debug/20229] New: -Wcast-qual option is easily evaded
@ 2005-02-27 16:01 kmk at ssl dot org
  2005-02-27 16:08 ` [Bug c/20229] " pinskia at gcc dot gnu dot org
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: kmk at ssl dot org @ 2005-02-27 16:01 UTC (permalink / raw)
  To: gcc-bugs

The -Wcast-qual option in GCC can easily be evaded by "clever" hacks, which
seriously reduces the utility of this feature in catching dangerous behavior
intentionally hidden by programmers from unit testers.

Here is code for a test case (which is extremely simple, and includes no
headers, so I am sending the source rather than the virtually-identical
intermediate file, which lacks comments):
-------------------

void evil_string_modifier(char *s) { s[0] = 0; }

int main(void) {

// This warns, as expected:
  evil_string_modifier("Test string one.");

// This also warns, as expected:
  evil_string_modifier((char *)"Test string two.");

// This, however, does not warn...but should:
  evil_string_modifier((char *)(int)"Test string three.");

}

---------------------------
The compiler output for the code given above:

Using built-in specs.
Configured with: ./configure --prefix=/usr --host=i386-just-dragonflybsd
Thread model: posix
gcc version 3.4.3 [DragonFly] (propolice, visibility)
 /usr/libexec/gcc34/cc1 -E -quiet -v -iprefix
/usr/libexec/gcc34/../gcc34//3.4.1/ bug.c -march=pentium3 -W -Wall
-Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized
-Wall -W -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type
-Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wchar-subscripts
-Winline -Wnested-externs -Wredundant-decls -O -o bug.i
ignoring nonexistent directory "/usr/libexec/gcc34/../gcc34//3.4.1/include"
ignoring nonexistent directory "/usr/libexec/gcc34/../gcc34//3.4.1/libdata/gcc34"
#include "..." search starts here:
#include <...> search starts here:
 /usr/include
 /usr/libdata/gcc34
End of search list.
 /usr/libexec/gcc34/cc1 -fpreprocessed bug.i -quiet -dumpbase bug.c
-march=pentium3 -auxbase bug -O -W -Wall -Wstrict-prototypes
-Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -Wall -W
-Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type
-Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wchar-subscripts
-Winline -Wnested-externs -Wredundant-decls -version -o bug.s
GNU C version 3.4.3 (i386-just-dragonflybsd)
        compiled by GNU C version 2.95.4 20020320 [DragonFly].
GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
bug.c:2: warning: no previous prototype for 'evil_string_modifier'
bug.c: In function `main':
bug.c:7: warning: passing arg 1 of `evil_string_modifier' discards qualifiers
from pointer target type
bug.c:10: warning: cast discards qualifiers from pointer target type
bug.c:15: warning: control reaches end of non-void function
 as -o bug.o bug.s
 ld -V -dynamic-linker /usr/libexec/ld-elf.so.1 -o bug /usr/lib/crt1.o
/usr/lib/crti.o /usr/lib/crtbegin.o -L/usr/lib/gcc34 bug.o -lgcc -lc -lgcc
/usr/lib/crtend.o /usr/lib/crtn.o
GNU ld version 2.15 [DragonFly] 2004-05-17
  Supported emulations:
   elf_i386

-- 
           Summary: -Wcast-qual option is easily evaded
           Product: gcc
           Version: 3.4.3
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: debug
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: kmk at ssl dot org
                CC: gcc-bugs at gcc dot gnu dot org


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20229



* [Bug c/20229] -Wcast-qual option is easily evaded
  2005-02-27 16:01 [Bug debug/20229] New: -Wcast-qual option is easily evaded kmk at ssl dot org
@ 2005-02-27 16:08 ` pinskia at gcc dot gnu dot org
  2005-02-27 16:33 ` kmk at ssl dot org
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: pinskia at gcc dot gnu dot org @ 2005-02-27 16:08 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From pinskia at gcc dot gnu dot org  2005-02-27 05:02 -------
Nope, the following cannot be warned about, because you first change the pointer to an integer and then
cast it to a char pointer, which is only defined iff int is the same size as the pointer (which is warned
about on 64-bit targets):
// This, however, does not warn...but should:
  evil_string_modifier((char *)(int)"Test string three.");

Not warning is correct, as there is a cast in between.
The docs are clear:
Warn whenever a pointer is cast so as to remove a type qualifier from the target type. For example, 
warn if a const char * is cast to an ordinary char *. 

Since the cast to int is in between there, the warning does not make sense any more.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
          Component|debug                       |c
         Resolution|                            |INVALID


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20229



* [Bug c/20229] -Wcast-qual option is easily evaded
  2005-02-27 16:01 [Bug debug/20229] New: -Wcast-qual option is easily evaded kmk at ssl dot org
  2005-02-27 16:08 ` [Bug c/20229] " pinskia at gcc dot gnu dot org
@ 2005-02-27 16:33 ` kmk at ssl dot org
  2005-02-27 19:49 ` schwab at suse dot de
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: kmk at ssl dot org @ 2005-02-27 16:33 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From kmk at ssl dot org  2005-02-27 05:40 -------
Actually, the documentation clearly claims:

"Warn WHENEVER a pointer is cast so as to remove a type qualifier from the
target type."

It does not say:

"Warn whenever a pointer is cast to ANOTHER POINTER in such a way that it
removes a type qualifier from the target type."

Casting a const pointer to any non-pointer object will remove the const
qualifier from the pointer, no matter how you look at it. To not flag this abuse
is not only in obvious contradiction with the documentation, it makes the option
utterly useless for detecting intentionally dangerous behavior by programmers.


-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
         Resolution|INVALID                     |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20229



* [Bug c/20229] -Wcast-qual option is easily evaded
  2005-02-27 16:01 [Bug debug/20229] New: -Wcast-qual option is easily evaded kmk at ssl dot org
  2005-02-27 16:08 ` [Bug c/20229] " pinskia at gcc dot gnu dot org
  2005-02-27 16:33 ` kmk at ssl dot org
@ 2005-02-27 19:49 ` schwab at suse dot de
  2005-02-27 20:45 ` joseph at codesourcery dot com
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: schwab at suse dot de @ 2005-02-27 19:49 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From schwab at suse dot de  2005-02-27 14:54 -------
Casting to an integer does not remove the qualifier from the target type, it 
removes the target type completely.  Since an integer is not a pointer, there 
cannot be a target type any more.  So the documentation is correct. 

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |INVALID


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20229



* [Bug c/20229] -Wcast-qual option is easily evaded
  2005-02-27 16:01 [Bug debug/20229] New: -Wcast-qual option is easily evaded kmk at ssl dot org
                   ` (2 preceding siblings ...)
  2005-02-27 19:49 ` schwab at suse dot de
@ 2005-02-27 20:45 ` joseph at codesourcery dot com
  2005-02-28  8:28 ` kmk at ssl dot org
  2005-02-28  8:39 ` kmk at ssl dot org
  5 siblings, 0 replies; 7+ messages in thread
From: joseph at codesourcery dot com @ 2005-02-27 20:45 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From joseph at codesourcery dot com  2005-02-27 14:59 -------
Subject: Re:  -Wcast-qual option is easily evaded

On Sun, 27 Feb 2005, schwab at suse dot de wrote:

> Casting to an integer does not remove the qualifier from the target type, it 
> removes the target type completely.  Since an integer is not a pointer, there 
> cannot be a target type any more.  So the documentation is correct. 

I would add that it is *useful* for programmers to be able to avoid the 
warning in cases where they know what they are doing.  That is, it's a 
*feature* that one can define

#define remove_const(x, type) ((type)(size_t)(x))

and so avoid the warnings.



-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20229


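The following is an added illustration, not code from the bug report or from any of its participants. It puts the laundering macro from the previous comment next to the alternative a maintainer would rather see: taking a writable copy instead of stripping the qualifier. The macro is reproduced with uintptr_t in place of size_t (an assumption on my part: uintptr_t is the integer type guaranteed to round-trip a pointer, which is the 64-bit hazard pinskia mentions; int_cast_preserves_pointers() reports whether a plain int would have sufficed on the build target). The function names writable_copy, modifier and demo are made up for this example; the string is the one from the report's test case. Nothing here writes through the laundered pointer, since a write to a string literal is undefined behaviour whether or not the compiler warned.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The laundering macro quoted in the thread (hypothetical name kept from the
 * comment). The intermediate integer cast hides the qualifier removal from
 * -Wcast-qual. Shown only for what it yields: a non-const alias of memory
 * that is still const (or read-only) underneath. */
#define remove_const(x, type) ((type)(uintptr_t)(x))

/* Does a pointer -> int -> pointer round trip even preserve the address on
 * this target? With a 32-bit int and 64-bit pointers it cannot, which is the
 * second hazard of the trick beyond the silenced warning. */
int int_cast_preserves_pointers(void) {
    return sizeof(int) >= sizeof(void *);
}

/* The safe alternative: never strip const, copy into memory we own. */
char *writable_copy(const char *s) {
    size_t n = strlen(s) + 1;          /* include the terminator */
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;                        /* caller frees */
}

/* The report's evil_string_modifier, applied only to writable memory. */
void modifier(char *s) { s[0] = 0; }

/* Returns 1 when the laundered alias still points at the literal (the cast
 * changed nothing about where the bytes live), the copy was modified, and
 * the original literal is untouched; 0 or -1 otherwise. */
int demo(void) {
    const char *lit = "Test string three.";
    char *alias = remove_const(lit, char *);  /* compiles silently */
    char *copy = writable_copy(lit);
    if (copy == NULL)
        return -1;
    modifier(copy);                            /* write goes to the copy */
    int ok = (alias == lit) && copy[0] == 0 && lit[0] == 'T';
    free(copy);
    return ok;
}

int main(void) {
    printf("demo: %d, int round-trips pointers here: %d\n",
           demo(), int_cast_preserves_pointers());
    return 0;
}
```

Compiled with -Wcast-qual, the macro line produces no diagnostic, which is the point of the thread; a reviewer who wants such sites flagged has to look for the intermediate integer cast by other means, since the compiler has stopped tracking a target type at that point.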

* [Bug c/20229] -Wcast-qual option is easily evaded
  2005-02-27 16:01 [Bug debug/20229] New: -Wcast-qual option is easily evaded kmk at ssl dot org
                   ` (3 preceding siblings ...)
  2005-02-27 20:45 ` joseph at codesourcery dot com
@ 2005-02-28  8:28 ` kmk at ssl dot org
  2005-02-28  8:39 ` kmk at ssl dot org
  5 siblings, 0 replies; 7+ messages in thread
From: kmk at ssl dot org @ 2005-02-28  8:28 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From kmk at ssl dot org  2005-02-27 21:55 -------
It is precisely because it is "useful" to programmers in the manner described
that a check is needed on it so that persons charged with the task of code
validation or modification do not have to read 250,000 lines of code to find
"clever" little hacks that have been inserted to "fix" otherwise "inconvenient"
problems.

If you want to pick nits about casting to a pointer removing the target type
completely: fine. That is a perfectly reasonable technicality. However, in that
event, I would suggest that a separate option be added that exhibits the
behavior I describe by flagging ALL cases where a qualifier is discarded. Such
an option would be significantly more useful to code maintainers (as opposed to
the original authors of the code) in uncovering places where things go "boom"
when code is extended or modified.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20229



* [Bug c/20229] -Wcast-qual option is easily evaded
  2005-02-27 16:01 [Bug debug/20229] New: -Wcast-qual option is easily evaded kmk at ssl dot org
                   ` (4 preceding siblings ...)
  2005-02-28  8:28 ` kmk at ssl dot org
@ 2005-02-28  8:39 ` kmk at ssl dot org
  5 siblings, 0 replies; 7+ messages in thread
From: kmk at ssl dot org @ 2005-02-28  8:39 UTC (permalink / raw)
  To: gcc-bugs


------- Additional Comments From kmk at ssl dot org  2005-02-27 22:03 -------
And furthermore, if it is so "useful" to be able to hide this behavior, why have
this option at all? Why force programmers to undertake the two-step bomb-arming
instead of just letting them do it in one step by casting away the const
directly? What is the purpose of this option if you can evade it with "a little
extra effort"?

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20229


