[CHERI_CSA] AllocationChecker: suppress for ptr to first field

eupharina · resistor · commit 403db5a6ed2b · 2025-07-20T23:58:19.000+08:00
diff --git a/clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp
@@ -92,21 +92,32 @@ bool relatedTypes(const Type *Ty1, const Type *Ty2) {
     return true;
   if (Ty1->isArrayType())
     return relatedTypes(Ty1->getArrayElementTypeNoTypeQual(), Ty2);
+  if (Ty1->isRecordType()) {
+    if (RecordDecl *RD = Ty1->getAs<RecordType>()->getAsRecordDecl()) {
+      const RecordDecl::field_iterator &FirstField = RD->field_begin();
+      if (FirstField != RD->field_end()) {
+        const Type *FFTy = FirstField->getType()->getUnqualifiedDesugaredType();
+        return relatedTypes(FFTy, Ty2);
+      }
+    }
+  }
   return false;
 }
 
-bool isGenPtrType(QualType Ty) {
-  return Ty->isVoidPointerType() ||
-         ((Ty->isPointerType() || Ty->isArrayType()) &&
-          Ty->getPointeeOrArrayElementType()->isCharType());
+bool reportForType(QualType Ty) {
+  if (Ty->isVoidPointerType())
+    return false;
+  if (Ty->isPointerType() || Ty->isArrayType())
+    return !Ty->getPointeeOrArrayElementType()->isCharType();
+  return false;
 }
 
 std::optional<QualType> getPrevType(ProgramStateRef State, const MemRegion *R) {
   if (const QualType *PrevTy = State->get<AllocMap>(R))
     return *PrevTy;
   if (const TypedValueRegion *TR = R->getAs<TypedValueRegion>()) {
     QualType Ty = TR->getValueType();
-    if ((Ty->isPointerType() || Ty->isArrayType()) && !isGenPtrType(Ty))
+    if (reportForType(Ty))
       return Ty;
   }
   return std::nullopt;
@@ -169,9 +180,7 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
   }
 
   QualType DstTy = CE->getType().getUnqualifiedType();
-  if (!DstTy->isPointerType())
-    return;
-  if (DstTy->isVoidPointerType() || DstTy->getPointeeType()->isCharType())
+  if (!reportForType(DstTy))
     return;
 
   std::optional<QualType> PrevTy = getPrevType(State, SR);
diff --git a/clang/test/Analysis/Checkers/CHERI/allocation.c b/clang/test/Analysis/Checkers/CHERI/allocation.c
@@ -28,11 +28,10 @@ struct S2 * test_2(int n1) {
   return p2;
 }
 
-int * test_3(int n1, int n2) {
-  void *p1 = malloc(sizeof(struct S1)*n1 + sizeof(struct S2)*n2);
-  struct S2 *p2 = (struct S2 *)(p1+n1);
-  int *p3 = (int*)(p2 + n2); // expected-warning{{Allocation partition}}
-  return p3;
+struct S2 * test_3(int n1, int n2) {
+  struct S1 *p1 = malloc(sizeof(struct S1)*n1 + sizeof(struct S2)*n2);
+  struct S2 *p2 = (struct S2 *)(p1+n1); // expected-warning{{Allocation partition}}
+  return p2;
 }
 
 void array(int i, int j) {
@@ -41,3 +40,14 @@ void array(int i, int j) {
   int *p2 = p1[j]; // no warn
   *p2 = 42;
 }
+
+struct S3 {
+  struct S2 s2;
+  int y;
+};
+
+struct S2 * first_field(void *p, int n1) {
+  struct S3 *p3 = p;
+  struct S2 *p2 = (struct S2 *)(p3+n1); // no warn
+  return p2;
+}
