[CHERI_CSA] SubObjectRepresentability: support other CHERI targets

eupharina · resistor · commit 11ff3c007cfc · 2025-07-20T21:57:03.000+08:00
diff --git a/clang/lib/StaticAnalyzer/Checkers/CHERI/SubObjectRepresentabilityChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CHERI/SubObjectRepresentabilityChecker.cpp
@@ -30,6 +30,12 @@ using namespace clang;
 using namespace ento;
 
 namespace {
+
+template <llvm::CompressedCapability::CapabilityFormat>
+std::unique_ptr<BugReport> checkFieldImpl(const FieldDecl *D,
+                                          BugReporter &BR,
+                                          const BugType &BT);
+
 class SubObjectRepresentabilityChecker
     : public Checker<check::ASTDecl<RecordDecl>, check::ASTCodeBody> {
   BugType BT_1{this, "Field with imprecise subobject bounds",
@@ -42,6 +48,21 @@ class SubObjectRepresentabilityChecker
                     BugReporter &BR) const;
   void checkASTCodeBody(const Decl *D, AnalysisManager &mgr,
                         BugReporter &BR) const;
+
+private:
+
+  using CheckFieldFn = std::function<std::unique_ptr<BugReport>(
+      const FieldDecl *D, BugReporter &BR, const BugType &BT)>;
+
+  const std::map<llvm::Triple::ArchType, CheckFieldFn> CheckFieldFnMap = {
+      //{llvm::Triple::aarch64, &checkFieldImpl<CompressedCap128m>},
+      {llvm::Triple::mips, &checkFieldImpl<llvm::CompressedCapability::Cheri64>},
+      {llvm::Triple::mips64, &checkFieldImpl<llvm::CompressedCapability::Cheri128>},
+      {llvm::Triple::riscv32, &checkFieldImpl<llvm::CompressedCapability::Cheri64>},
+      {llvm::Triple::riscv64, &checkFieldImpl<llvm::CompressedCapability::Cheri128>}
+  };
+
+  CheckFieldFn getCheckFieldFn(ASTContext &ASTCtx) const;
 };
 
 } //namespace
@@ -116,8 +137,8 @@ std::unique_ptr<BugReport> checkFieldImpl(const FieldDecl *D,
   uint64_t Offset = ASTCtx.getFieldOffset(D) / 8;
   if (Offset > 0) {
     uint64_t Size = ASTCtx.getTypeSize(T) / 8;
-    uint64_t ReqAlign = llvm::CompressedCapability::GetRequiredAlignment(
-        Size, llvm::CompressedCapability::Cheri128).value();
+    uint64_t ReqAlign =
+        llvm::CompressedCapability::GetRequiredAlignment(Size, Handler).value();
     uint64_t CurAlign = 1 << llvm::countr_zero(Offset);
     if (CurAlign < ReqAlign) {
       /* Emit warning */
@@ -132,15 +153,14 @@ std::unique_ptr<BugReport> checkFieldImpl(const FieldDecl *D,
       OS << " field offset is " << Offset;
       OS << " (aligned to " << CurAlign << ");";
 
-#if 0
-      const RecordDecl *Parent = D->getParent();
-      uint64_t ParentSize = ASTCtx.getTypeSize(Parent->getTypeForDecl()) / 8;
-      typename Handler::cap_t MockCap =
-          getBoundedCap<Handler>(ParentSize, Offset, Size);
-      uint64_t Base = MockCap.base();
-      uint64_t Top = MockCap.top();
+      uint64_t OffsetToAlign = Offset % ReqAlign;
+      uint64_t Base = Offset - OffsetToAlign;
+      uint64_t AlignedSize = Size + OffsetToAlign;
+      uint64_t TailPadding = static_cast<uint64_t>(
+          llvm::CompressedCapability::GetRequiredTailPadding(AlignedSize,
+                                                             Handler));
+      uint64_t Top = Base + AlignedSize + TailPadding;
       OS << " Current bounds: " << Base << "-" << Top;
-#endif
 
       // Note that this will fire for every translation unit that uses this
       // class.  This is suboptimal, but at least scan-build will merge
@@ -151,53 +171,41 @@ std::unique_ptr<BugReport> checkFieldImpl(const FieldDecl *D,
       Report->setDeclWithIssue(D);
       Report->addRange(D->getSourceRange());
 
-#if 0
       Report = reportExposedFields(D, ASTCtx, BR, Base, Top, std::move(Report));
-#endif
-
       return Report;
     }
   }
 
   return nullptr;
 }
 
-std::unique_ptr<BugReport> checkField(const FieldDecl *D,
-                                      BugReporter &BR,
-                                      const BugType &BT) {
-  // TODO: other targets
-  return checkFieldImpl<llvm::CompressedCapability::Cheri128>(D, BR, BT);
-}
-
-bool supportedTarget(const ASTContext &C) {
-  const TargetInfo &TI = C.getTargetInfo();
-  return TI.areAllPointersCapabilities()
-         && TI.getTriple().isAArch64(); // morello
-}
-
 } // namespace
 
+SubObjectRepresentabilityChecker::CheckFieldFn
+SubObjectRepresentabilityChecker::getCheckFieldFn(ASTContext &ASTCtx) const {
+  const TargetInfo &TI = ASTCtx.getTargetInfo();
+  if (!TI.areAllPointersCapabilities())
+    return nullptr;
+
+  auto It = CheckFieldFnMap.find(TI.getTriple().getArch());
+  if (It == CheckFieldFnMap.end())
+    return nullptr;
+  return It->second;
+}
 
 void SubObjectRepresentabilityChecker::checkASTDecl(const RecordDecl *R,
                                                     AnalysisManager &mgr,
                                                     BugReporter &BR) const {
-  if (!supportedTarget(mgr.getASTContext()))
-    return;
+  CheckFieldFn checkField = getCheckFieldFn(mgr.getASTContext());
+  if (!checkField)
+    return; // skip this target
 
   if (!R->isCompleteDefinition() || R->isDependentType())
     return;
 
   if (!R->getLocation().isValid())
     return;
-
-  /*
-  SrcMgr::CharacteristicKind Kind =
-      BR.getSourceManager().getFileCharacteristic(Location);
-  // Ignore records in system headers
-  if (Kind != SrcMgr::C_User)
-    return;
-  */
-
+  
   for (FieldDecl *D : R->fields()) {
     auto Report = checkField(D, BR, BT_1);
     if (Report)
@@ -208,8 +216,9 @@ void SubObjectRepresentabilityChecker::checkASTDecl(const RecordDecl *R,
 void SubObjectRepresentabilityChecker::checkASTCodeBody(const Decl *D,
                                                         AnalysisManager &mgr,
                                                         BugReporter &BR) const {
-  if (!supportedTarget(mgr.getASTContext()))
-    return;
+  CheckFieldFn checkField = getCheckFieldFn(mgr.getASTContext());
+  if (!checkField)
+    return; // skip this target
 
   using namespace ast_matchers;
   auto Member = memberExpr().bind("member");
diff --git a/clang/test/Analysis/Checkers/CHERI/subobject-representability-mips64.c b/clang/test/Analysis/Checkers/CHERI/subobject-representability-mips64.c
@@ -0,0 +1,32 @@
+// RUN: %cheri_purecap_cc1 -analyze -verify %s \
+// RUN:   -analyzer-checker=core,cheri.SubObjectRepresentability
+
+struct R1 {
+  struct {
+    struct {
+      char c;
+      char a[0x9FF]; // no warn
+    } f1good;
+    struct {
+      char c; // expected-note{{}}
+      char a[0x1000]; // expected-warning{{Field 'a' of type 'char[4096]' (size 4096) requires 8 byte alignment for precise bounds; field offset is 1}}
+    } f2bad;
+    struct {
+      int c[2];
+      char a[0x1000]; // no warn
+    } f3good __attribute__((aligned(8)));
+  } s2;
+} s1;
+
+struct S2 {
+  int x[3];
+  int *px;
+};
+
+struct R2 {
+  char x[0x50]; // expected-note{{16/80}}
+  struct S2 s2; // expected-note{{32/32 bytes exposed (may expose capability!)}}
+  char c; // expected-note{{1}}
+  char a[0x8000]; // expected-warning{{Field 'a' of type 'char[32768]' (size 32768) requires 64 byte alignment for precise bounds; field offset is 113 (aligned to 1); Current bounds: 64-32896}}
+  char y[32]; // expected-note{{15/32}}
+};
