Feature: G602 Slice Bound Checking

[morgenm]

This PR addresses this issue: #954

This adds a new rule which checks slice bounds access (reslicing and indexing) to ensure that slices are not accessed out of bounds. This only works for slice bounds defined by a make([]..., len) or make([]..., len, capacity) where len/capacity is defined as a literal integer. For example it works for:

s := make([]float, 10, 20)

But not for:

s := make([]float, 10*3)

Since we don't evaluate expressions. It also will calculate and validate slice capacities for new slices made by reslicing when possible, such as:

s := make([]float, 10)
x := s[5:]

The capacity for the new slice, x, will be validated in any subsequent usage. In addition, slices passed to functions are validated when possible by storing function-call-specific capacities. For example:

func main() {
	s := make([]int, 0, 30)
	doStuff(s)
	x := make([]int, 20)
	y := x[10:]
	doStuff(y)
	z := y[5:]
	doStuff(z)
}

func doStuff(x []int) {
	newSlice := x[:10]
	fmt.Println(newSlice)
	newSlice2 := x[:6]
	fmt.Println(newSlice2)
}`

will cause an error on creation of newSlice and newSlice2, since when z is passed to it, it is accessed out of bounds.

[houndci-bot]

comment on exported function NewSliceBoundCheck should be of the form "NewSliceBoundCheck ..."

[ccojocar]

Could you please fix the function name in the comment?

[codecov-commenter]

Codecov Report

Patch coverage: 73.60% and project coverage change: +0.24 🎉

Comparison is base (abeab10) 71.84% compared to head (a7356c2) 72.08%.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #973      +/-   ##
==========================================
+ Coverage   71.84%   72.08%   +0.24%     
==========================================
  Files          50       51       +1     
  Lines        3317     3586     +269     
==========================================
+ Hits         2383     2585     +202     
- Misses        868      911      +43     
- Partials       66       90      +24     

Impacted Files	Coverage Δ
issue/issue.go	0.00% <ø> (ø)
rules/slice_bounds.go	73.50% <73.50%> (ø)
rules/rulelist.go	100.00% <100.00%> (ø)

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[morgenm]

Note: This solution is complex since it stores the constant capacities of all the slices made with make(). I am thinking of adding in a simple check for non-constant capacities (or capacities evaluated from expressions such as make([]int, 5*5)) by making sure the user adds in a bounds check such as if index < cap(slice). If it is better to simplify the whole check by only validating that the user has checked bounds, without storing the actual constant capacities in the map as I did in this PR, I can change the code.

Let me know your thoughts.

[ccojocar]

Thank you for this great contribution. I left a few comments. It would be great if you could fix them before we merge this rule. Thanks again!

[ccojocar]

I would check Name[0] that is not nil before accessing the Name filed.

[morgenm]

Okay, I added that check.

[ccojocar]

method name prefix in the comment

[ccojocar]

function name prefix missing in the comment

[ccojocar]

I would wrap the err with some more context before returning.

[morgenm]

Okay I wrapped it using fmt.Errorf.

[ccojocar]

Could you please fix the function name in the comment?

[ccojocar]

Note: This solution is complex since it stores the constant capacities of all the slices made with make(). I am thinking of adding in a simple check for non-constant capacities (or capacities evaluated from expressions such as make([]int, 5*5)) by making sure the user adds in a bounds check such as if index < cap(slice). If it is better to simplify the whole check by only validating that the user has checked bounds, without storing the actual constant capacities in the map as I did in this PR, I can change the code.

I think the current solution which checks the constant bounds looks fine to me. It is non intrusive comparing with a bound check which is more enforced on user.

My impression is, that one will really check the bounds at runtime if she wants to be defensive but most of people won't do it. This will cause a lot of warnings which most likely will get ignored.

[morgenm]

I believe I addressed all the reviews.

I think the current solution which checks the constant bounds looks fine to me. It is non intrusive comparing with a bound check which is more enforced on user.

My impression is, that one will really check the bounds at runtime if she wants to be defensive but most of people won't do it. This will cause a lot of warnings which most likely will get ignored.

Yes, thinking on it some more I agree with you.

[razor-1]

It would be nice if this didn't fire when it was protected by something like if len(slice) >= x

[franchb]

Yes, this rule fires a lot of false positives on code protected with something like if len(slice) >= x