Add static analysis for unsafe uint casting (prysmaticlabs#10318)

* Add static analysis for unsafe uint casting * Fix violations of uintcast * go mod tidy * Add exclusion to nogo for darwin build * Add test for math.Int * Move some things to const so they are assured not to exceed int64 * Self review * lint * fix tests * fix test * Add init check for non 64 bit OS * Move new deps from WORKSPACE to deps.bzl * fix bazel build for go analysis runs * Update BUILD.bazel Remove TODO * add math.AddInt method * Add new test casts * Add case where builtin functions and declared functions are covered * Fix new findings * cleanup Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com> Co-authored-by: Nishant Das <[email protected]>
moshe-blox · Mar 11, 2022 · c1197d7 · c1197d7
1 parent 693cc79
commit c1197d7
Show file tree

Hide file tree

Showing 99 changed files with 1,073 additions and 212 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -217,3 +217,6 @@ build:remote --remote_local_fallback
 
 # Ignore GoStdLib with remote caching
 build --modify_execution_info='GoStdlib.*=+no-remote-cache'
+
+# Set bazel gotag
+build --define gotags=bazel
diff --git a/BUILD.bazel b/BUILD.bazel
@@ -16,6 +16,8 @@ exports_files([
 # gazelle:map_kind go_library go_library @prysm//tools/go:def.bzl
 # gazelle:map_kind go_test go_test @prysm//tools/go:def.bzl
 # gazelle:map_kind go_repository go_repository @prysm//tools/go:def.bzl
+# gazelle:build_tags bazel
+# gazelle:exclude tools/analyzers/**/testdata/**
 gazelle(
     name = "gazelle",
     prefix = prefix,
@@ -125,6 +127,7 @@ nogo(
         "//tools/analyzers/ineffassign:go_default_library",
         "//tools/analyzers/properpermissions:go_default_library",
         "//tools/analyzers/recursivelock:go_default_library",
+        "//tools/analyzers/uintcast:go_default_library",
     ] + select({
         # nogo checks that fail with coverage enabled.
         ":coverage_enabled": [],

diff --git a/beacon-chain/blockchain/service.go b/beacon-chain/blockchain/service.go
@@ -166,7 +166,7 @@ func (s *Service) Status() error {
 
 func (s *Service) startFromSavedState(saved state.BeaconState) error {
 	log.Info("Blockchain data already exists in DB, initializing...")
-	s.genesisTime = time.Unix(int64(saved.GenesisTime()), 0)
+	s.genesisTime = time.Unix(int64(saved.GenesisTime()), 0) // lint:ignore uintcast -- Genesis time will not exceed int64 in your lifetime.
 	s.cfg.AttService.SetGenesisTime(saved.GenesisTime())
 
 	originRoot, err := s.originRootFromSavedState(s.ctx)

diff --git a/beacon-chain/cache/active_balance.go b/beacon-chain/cache/active_balance.go
@@ -1,3 +1,4 @@
+//go:build !fuzz
 // +build !fuzz
 
 package cache
@@ -17,10 +18,12 @@ import (
 	"github.com/prysmaticlabs/prysm/config/params"
 )
 
-var (
+const (
 	// maxBalanceCacheSize defines the max number of active balances can cache.
-	maxBalanceCacheSize = uint64(4)
+	maxBalanceCacheSize = int(4)
+)
 
+var (
 	// BalanceCacheMiss tracks the number of balance requests that aren't present in the cache.
 	balanceCacheMiss = promauto.NewCounter(prometheus.CounterOpts{
 		Name: "total_effective_balance_cache_miss",
@@ -42,7 +45,7 @@ type BalanceCache struct {
 // NewEffectiveBalanceCache creates a new effective balance cache for storing/accessing total balance by epoch.
 func NewEffectiveBalanceCache() *BalanceCache {
 	return &BalanceCache{
-		cache: lruwrpr.New(int(maxBalanceCacheSize)),
+		cache: lruwrpr.New(maxBalanceCacheSize),
 	}
 }
 

diff --git a/beacon-chain/cache/committee.go b/beacon-chain/cache/committee.go
@@ -1,3 +1,4 @@
+//go:build !fuzz
 // +build !fuzz
 
 package cache
@@ -19,11 +20,13 @@ import (
 	mathutil "github.com/prysmaticlabs/prysm/math"
 )
 
-var (
+const (
 	// maxCommitteesCacheSize defines the max number of shuffled committees on per randao basis can cache.
 	// Due to reorgs and long finality, it's good to keep the old cache around for quickly switch over.
-	maxCommitteesCacheSize = uint64(32)
+	maxCommitteesCacheSize = int(32)
+)
 
+var (
 	// CommitteeCacheMiss tracks the number of committee requests that aren't present in the cache.
 	CommitteeCacheMiss = promauto.NewCounter(prometheus.CounterOpts{
 		Name: "committee_cache_miss",
@@ -55,7 +58,7 @@ func committeeKeyFn(obj interface{}) (string, error) {
 // NewCommitteesCache creates a new committee cache for storing/accessing shuffled indices of a committee.
 func NewCommitteesCache() *CommitteeCache {
 	return &CommitteeCache{
-		CommitteeCache: lruwrpr.New(int(maxCommitteesCacheSize)),
+		CommitteeCache: lruwrpr.New(maxCommitteesCacheSize),
 		inProgress:     make(map[string]bool),
 	}
 }

diff --git a/beacon-chain/cache/committee_fuzz_test.go b/beacon-chain/cache/committee_fuzz_test.go
@@ -33,7 +33,7 @@ func TestCommitteeCache_FuzzCommitteesByEpoch(t *testing.T) {
 		require.NoError(t, err)
 	}
 
-	assert.Equal(t, maxCommitteesCacheSize, uint64(len(cache.CommitteeCache.Keys())), "Incorrect key size")
+	assert.Equal(t, maxCommitteesCacheSize, len(cache.CommitteeCache.Keys()), "Incorrect key size")
 }
 
 func TestCommitteeCache_FuzzActiveIndices(t *testing.T) {
@@ -50,5 +50,5 @@ func TestCommitteeCache_FuzzActiveIndices(t *testing.T) {
 		assert.DeepEqual(t, c.SortedIndices, indices)
 	}
 
-	assert.Equal(t, maxCommitteesCacheSize, uint64(len(cache.CommitteeCache.Keys())), "Incorrect key size")
+	assert.Equal(t, maxCommitteesCacheSize, len(cache.CommitteeCache.Keys()), "Incorrect key size")
 }
diff --git a/beacon-chain/cache/committee_test.go b/beacon-chain/cache/committee_test.go
@@ -102,7 +102,7 @@ func TestCommitteeCache_CanRotate(t *testing.T) {
 	}
 
 	k := cache.CommitteeCache.Keys()
-	assert.Equal(t, maxCommitteesCacheSize, uint64(len(k)))
+	assert.Equal(t, maxCommitteesCacheSize, len(k))
 
 	sort.Slice(k, func(i, j int) bool {
 		return k[i].(string) < k[j].(string)

diff --git a/beacon-chain/cache/subnet_ids.go b/beacon-chain/cache/subnet_ids.go
@@ -27,7 +27,7 @@ var SubnetIDs = newSubnetIDs()
 func newSubnetIDs() *subnetIDs {
 	// Given a node can calculate committee assignments of current epoch and next epoch.
 	// Max size is set to 2 epoch length.
-	cacheSize := int(params.BeaconConfig().SlotsPerEpoch.Mul(params.BeaconConfig().MaxCommitteesPerSlot * 2))
+	cacheSize := int(params.BeaconConfig().SlotsPerEpoch.Mul(params.BeaconConfig().MaxCommitteesPerSlot * 2)) // lint:ignore uintcast -- constant values that would panic on startup if negative.
 	attesterCache := lruwrpr.New(cacheSize)
 	aggregatorCache := lruwrpr.New(cacheSize)
 	epochDuration := time.Duration(params.BeaconConfig().SlotsPerEpoch.Mul(params.BeaconConfig().SecondsPerSlot))

diff --git a/beacon-chain/core/blocks/deposit.go b/beacon-chain/core/blocks/deposit.go
@@ -225,7 +225,7 @@ func verifyDeposit(beaconState state.ReadOnlyBeaconState, deposit *ethpb.Deposit
 	if ok := trie.VerifyMerkleProofWithDepth(
 		receiptRoot,
 		leaf[:],
-		int(beaconState.Eth1DepositIndex()),
+		beaconState.Eth1DepositIndex(),
 		deposit.Proof,
 		params.BeaconConfig().DepositContractTreeDepth,
 	); !ok {

diff --git a/beacon-chain/core/transition/transition.go b/beacon-chain/core/transition/transition.go
@@ -92,7 +92,7 @@ func ExecuteStateTransition(
 func ProcessSlot(ctx context.Context, state state.BeaconState) (state.BeaconState, error) {
 	ctx, span := trace.StartSpan(ctx, "core.state.ProcessSlot")
 	defer span.End()
-	span.AddAttributes(trace.Int64Attribute("slot", int64(state.Slot())))
+	span.AddAttributes(trace.Int64Attribute("slot", int64(state.Slot()))) // lint:ignore uintcast -- This is OK for tracing.
 
 	prevStateRoot, err := state.HashTreeRoot(ctx)
 	if err != nil {
@@ -190,7 +190,7 @@ func ProcessSlots(ctx context.Context, state state.BeaconState, slot types.Slot)
 	if state == nil || state.IsNil() {
 		return nil, errors.New("nil state")
 	}
-	span.AddAttributes(trace.Int64Attribute("slots", int64(slot)-int64(state.Slot())))
+	span.AddAttributes(trace.Int64Attribute("slots", int64(slot)-int64(state.Slot()))) // lint:ignore uintcast -- This is OK for tracing.
 
 	// The block must have a higher slot than parent state.
 	if state.Slot() >= slot {
@@ -354,7 +354,7 @@ func VerifyOperationLengths(_ context.Context, state state.BeaconState, b block.
 func ProcessEpochPrecompute(ctx context.Context, state state.BeaconState) (state.BeaconState, error) {
 	ctx, span := trace.StartSpan(ctx, "core.state.ProcessEpochPrecompute")
 	defer span.End()
-	span.AddAttributes(trace.Int64Attribute("epoch", int64(time.CurrentEpoch(state))))
+	span.AddAttributes(trace.Int64Attribute("epoch", int64(time.CurrentEpoch(state)))) // lint:ignore uintcast -- This is OK for tracing.
 
 	if state == nil || state.IsNil() {
 		return nil, errors.New("nil state")

diff --git a/beacon-chain/forkchoice/protoarray/BUILD.bazel b/beacon-chain/forkchoice/protoarray/BUILD.bazel
@@ -21,6 +21,7 @@ go_library(
     deps = [
         "//config/fieldparams:go_default_library",
         "//config/params:go_default_library",
+        "//math:go_default_library",
         "//proto/prysm/v1alpha1:go_default_library",
         "//time/slots:go_default_library",
         "@com_github_pkg_errors//:go_default_library",

diff --git a/beacon-chain/forkchoice/protoarray/helpers.go b/beacon-chain/forkchoice/protoarray/helpers.go
@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/prysmaticlabs/prysm/config/params"
+	pmath "github.com/prysmaticlabs/prysm/math"
 	"go.opencensus.io/trace"
 )
 
@@ -46,19 +47,27 @@ func computeDeltas(
 			if ok {
 				// Protection against out of bound, the `nextDeltaIndex` which defines
 				// the block location in the dag can not exceed the total `delta` length.
-				if int(nextDeltaIndex) >= len(deltas) {
+				if nextDeltaIndex >= uint64(len(deltas)) {
 					return nil, nil, errInvalidNodeDelta
 				}
-				deltas[nextDeltaIndex] += int(newBalance)
+				delta, err := pmath.Int(newBalance)
+				if err != nil {
+					return nil, nil, err
+				}
+				deltas[nextDeltaIndex] += delta
 			}
 
 			currentDeltaIndex, ok := blockIndices[vote.currentRoot]
 			if ok {
 				// Protection against out of bound (same as above)
-				if int(currentDeltaIndex) >= len(deltas) {
+				if currentDeltaIndex >= uint64(len(deltas)) {
 					return nil, nil, errInvalidNodeDelta
 				}
-				deltas[currentDeltaIndex] -= int(oldBalance)
+				delta, err := pmath.Int(oldBalance)
+				if err != nil {
+					return nil, nil, err
+				}
+				deltas[currentDeltaIndex] -= delta
 			}
 		}
 

diff --git a/beacon-chain/forkchoice/protoarray/store.go b/beacon-chain/forkchoice/protoarray/store.go
@@ -9,6 +9,7 @@ import (
 	types "github.com/prysmaticlabs/eth2-types"
 	fieldparams "github.com/prysmaticlabs/prysm/config/fieldparams"
 	"github.com/prysmaticlabs/prysm/config/params"
+	pmath "github.com/prysmaticlabs/prysm/math"
 	pbrpc "github.com/prysmaticlabs/prysm/proto/prysm/v1alpha1"
 	"go.opencensus.io/trace"
 )
@@ -446,7 +447,11 @@ func (s *Store) applyWeightChanges(
 				s.proposerBoostLock.Unlock()
 				return err
 			}
-			nodeDelta = nodeDelta + int(proposerScore)
+			iProposerScore, err := pmath.Int(proposerScore)
+			if err != nil {
+				return err
+			}
+			nodeDelta = nodeDelta + iProposerScore
 		}
 		s.proposerBoostLock.Unlock()
 

diff --git a/beacon-chain/node/config.go b/beacon-chain/node/config.go
@@ -35,7 +35,7 @@ func configureHistoricalSlasher(cliCtx *cli.Context) {
 		params.OverrideBeaconConfig(c)
 		cmdConfig := cmd.Get()
 		// Allow up to 4096 attestations at a time to be requested from the beacon nde.
-		cmdConfig.MaxRPCPageSize = int(params.BeaconConfig().SlotsPerEpoch.Mul(params.BeaconConfig().MaxAttestations))
+		cmdConfig.MaxRPCPageSize = int(params.BeaconConfig().SlotsPerEpoch.Mul(params.BeaconConfig().MaxAttestations)) // lint:ignore uintcast -- Page size should not exceed int64 with these constants.
 		cmd.Init(cmdConfig)
 		log.Warnf(
 			"Setting %d slots per archive point and %d max RPC page size for historical slasher usage. This requires additional storage",

diff --git a/beacon-chain/p2p/broadcaster.go b/beacon-chain/p2p/broadcaster.go
@@ -104,8 +104,8 @@ func (s *Service) broadcastAttestation(ctx context.Context, subnet uint64, att *
 
 	span.AddAttributes(
 		trace.BoolAttribute("hasPeer", hasPeer),
-		trace.Int64Attribute("slot", int64(att.Data.Slot)),
-		trace.Int64Attribute("subnet", int64(subnet)),
+		trace.Int64Attribute("slot", int64(att.Data.Slot)), // lint:ignore uintcast -- It's safe to do this for tracing.
+		trace.Int64Attribute("subnet", int64(subnet)),      // lint:ignore uintcast -- It's safe to do this for tracing.
 	)
 
 	if !hasPeer {
@@ -160,8 +160,8 @@ func (s *Service) broadcastSyncCommittee(ctx context.Context, subnet uint64, sMs
 
 	span.AddAttributes(
 		trace.BoolAttribute("hasPeer", hasPeer),
-		trace.Int64Attribute("slot", int64(sMsg.Slot)),
-		trace.Int64Attribute("subnet", int64(subnet)),
+		trace.Int64Attribute("slot", int64(sMsg.Slot)), // lint:ignore uintcast -- It's safe to do this for tracing.
+		trace.Int64Attribute("subnet", int64(subnet)),  // lint:ignore uintcast -- It's safe to do this for tracing.
 	)
 
 	if !hasPeer {
@@ -213,7 +213,9 @@ func (s *Service) broadcastObject(ctx context.Context, obj ssz.Marshaler, topic
 	if span.IsRecordingEvents() {
 		id := hash.FastSum64(buf.Bytes())
 		messageLen := int64(buf.Len())
-		span.AddMessageSendEvent(int64(id), messageLen /*uncompressed*/, messageLen /*compressed*/)
+		// lint:ignore uintcast -- It's safe to do this for tracing.
+		iid := int64(id)
+		span.AddMessageSendEvent(iid, messageLen /*uncompressed*/, messageLen /*compressed*/)
 	}
 	if err := s.PublishToTopic(ctx, topic+s.Encoding().ProtocolSuffix(), buf.Bytes()); err != nil {
 		err := errors.Wrap(err, "could not publish message")

diff --git a/beacon-chain/p2p/encoder/BUILD.bazel b/beacon-chain/p2p/encoder/BUILD.bazel
@@ -14,6 +14,7 @@ go_library(
     ],
     deps = [
         "//config/params:go_default_library",
+        "//math:go_default_library",
         "@com_github_ferranbt_fastssz//:go_default_library",
         "@com_github_gogo_protobuf//proto:go_default_library",
         "@com_github_golang_snappy//:go_default_library",

diff --git a/beacon-chain/p2p/encoder/ssz.go b/beacon-chain/p2p/encoder/ssz.go
@@ -3,14 +3,14 @@ package encoder
 import (
 	"fmt"
 	"io"
-	"math"
 	"sync"
 
 	fastssz "github.com/ferranbt/fastssz"
 	"github.com/gogo/protobuf/proto"
 	"github.com/golang/snappy"
 	"github.com/pkg/errors"
 	"github.com/prysmaticlabs/prysm/config/params"
+	"github.com/prysmaticlabs/prysm/math"
 )
 
 var _ NetworkEncoding = (*SszNetworkEncoder)(nil)
@@ -145,11 +145,11 @@ func (_ SszNetworkEncoder) ProtocolSuffix() string {
 // MaxLength specifies the maximum possible length of an encoded
 // chunk of data.
 func (_ SszNetworkEncoder) MaxLength(length uint64) (int, error) {
-	// Defensive check to prevent potential issues when casting to int64.
-	if length > math.MaxInt64 {
-		return 0, errors.Errorf("invalid length provided: %d", length)
+	il, err := math.Int(length)
+	if err != nil {
+		return 0, errors.Wrap(err, "invalid length provided")
 	}
-	maxLen := snappy.MaxEncodedLen(int(length))
+	maxLen := snappy.MaxEncodedLen(il)
 	if maxLen < 0 {
 		return 0, errors.Errorf("max encoded length is negative: %d", maxLen)
 	}

diff --git a/beacon-chain/p2p/message_id.go b/beacon-chain/p2p/message_id.go
@@ -7,6 +7,7 @@ import (
 	"github.com/prysmaticlabs/prysm/config/params"
 	"github.com/prysmaticlabs/prysm/crypto/hash"
 	"github.com/prysmaticlabs/prysm/encoding/bytesutil"
+	"github.com/prysmaticlabs/prysm/math"
 	"github.com/prysmaticlabs/prysm/network/forks"
 )
 
@@ -72,8 +73,8 @@ func MsgID(genesisValidatorsRoot []byte, pmsg *pubsub_pb.Message) string {
 // the topic byte string, and the raw message data: i.e. SHA256(MESSAGE_DOMAIN_INVALID_SNAPPY + uint_to_bytes(uint64(len(message.topic))) + message.topic + message.data)[:20].
 func postAltairMsgID(pmsg *pubsub_pb.Message, fEpoch types.Epoch) string {
 	topic := *pmsg.Topic
-	topicLen := uint64(len(topic))
-	topicLenBytes := bytesutil.Uint64ToBytesLittleEndian(topicLen)
+	topicLen := len(topic)
+	topicLenBytes := bytesutil.Uint64ToBytesLittleEndian(uint64(topicLen)) // topicLen cannot be negative
 
 	// beyond Bellatrix epoch, allow 10 Mib gossip data size
 	gossipPubSubSize := params.BeaconNetworkConfig().GossipMaxSize
@@ -83,7 +84,25 @@ func postAltairMsgID(pmsg *pubsub_pb.Message, fEpoch types.Epoch) string {
 
 	decodedData, err := encoder.DecodeSnappy(pmsg.Data, gossipPubSubSize)
 	if err != nil {
-		totalLength := len(params.BeaconNetworkConfig().MessageDomainInvalidSnappy) + len(topicLenBytes) + int(topicLen) + len(pmsg.Data)
+		totalLength, err := math.AddInt(
+			len(params.BeaconNetworkConfig().MessageDomainValidSnappy),
+			len(topicLenBytes),
+			topicLen,
+			len(pmsg.Data),
+		)
+		if err != nil {
+			log.WithError(err).Error("Failed to sum lengths of message domain and topic")
+			// should never happen
+			msg := make([]byte, 20)
+			copy(msg, "invalid")
+			return string(msg)
+		}
+		if uint64(totalLength) > gossipPubSubSize {
+			// this should never happen
+			msg := make([]byte, 20)
+			copy(msg, "invalid")
+			return string(msg)
+		}
 		combinedData := make([]byte, 0, totalLength)
 		combinedData = append(combinedData, params.BeaconNetworkConfig().MessageDomainInvalidSnappy[:]...)
 		combinedData = append(combinedData, topicLenBytes...)
@@ -92,7 +111,19 @@ func postAltairMsgID(pmsg *pubsub_pb.Message, fEpoch types.Epoch) string {
 		h := hash.Hash(combinedData)
 		return string(h[:20])
 	}
-	totalLength := len(params.BeaconNetworkConfig().MessageDomainValidSnappy) + len(topicLenBytes) + int(topicLen) + len(decodedData)
+	totalLength, err := math.AddInt(
+		len(params.BeaconNetworkConfig().MessageDomainValidSnappy),
+		len(topicLenBytes),
+		topicLen,
+		len(decodedData),
+	)
+	if err != nil {
+		log.WithError(err).Error("Failed to sum lengths of message domain and topic")
+		// should never happen
+		msg := make([]byte, 20)
+		copy(msg, "invalid")
+		return string(msg)
+	}
 	combinedData := make([]byte, 0, totalLength)
 	combinedData = append(combinedData, params.BeaconNetworkConfig().MessageDomainValidSnappy[:]...)
 	combinedData = append(combinedData, topicLenBytes...)