[CHERI_CSA] AllocationChecker: suppress for bounded suballocations

eupharina · resistor · commit 264aa7aa39aa · 2025-07-19T22:04:05.000+08:00
diff --git a/clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp
@@ -44,14 +44,20 @@ using EscapePair = std::pair<const MemRegion*, EscapeInfo>;
 namespace {
 class AllocationChecker : public Checker<check::PostStmt<CastExpr>,
                                          check::PreCall,
+                                         check::PostCall,
                                          check::Bind,
                                          check::EndFunction> {
   BugType BT_Default{this, "Allocation partitioning", "CHERI portability"};
   BugType BT_KnownReg{this, "Heap or static allocation partitioning",
                       "CHERI portability"};
 
   const CallDescriptionSet IgnoreFnSet = {
-      {{CDM::SimpleFunc, {"free"}, 1}},
+      {CDM::SimpleFunc, {"free"}, 1},
+  };
+
+  const CallDescriptionSet CheriBoundsFnSet = {
+    {CDM::SimpleFunc, {"cheri_bounds_set"}, 2},
+    {CDM::SimpleFunc, {"cheri_bounds_set_exact"}, 2},
   };
 
 
@@ -81,6 +87,7 @@ class AllocationChecker : public Checker<check::PostStmt<CastExpr>,
 public:
   void checkPostStmt(const CastExpr *CE, CheckerContext &C) const;
   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
+  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
   void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
   void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
 
@@ -96,6 +103,8 @@ class AllocationChecker : public Checker<check::PostStmt<CastExpr>,
 REGISTER_MAP_WITH_PROGRAMSTATE(AllocMap, const MemRegion *, QualType)
 REGISTER_MAP_WITH_PROGRAMSTATE(ShiftMap, const MemRegion *, const MemRegion *)
 REGISTER_SET_WITH_PROGRAMSTATE(SuballocationSet, const MemRegion *)
+REGISTER_SET_WITH_PROGRAMSTATE(BoundedSet, const MemRegion *)
+
 
 namespace {
 std::pair<const MemRegion *, bool> getAllocationStart(const ASTContext &ASTCtx,
@@ -207,21 +216,25 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
   const MemRegion *MR = SrcVal.getAsRegion();
   if (!MR)
     return;
-  const MemSpaceRegion *MemSpace = MR->getMemorySpace();
-  if (!isa<HeapSpaceRegion, GlobalsSpaceRegion, StackSpaceRegion>(MemSpace))
+
+  ProgramStateRef State = C.getState();
+  if (State->contains<BoundedSet>(MR))
     return;
 
   const ASTContext &ASTCtx = C.getASTContext();
-  ProgramStateRef State = C.getState();
   bool Updated = false;
-
   std::pair<const MemRegion *, bool> StartPair =
       getAllocationStart(ASTCtx, MR, State);
+
   const MemRegion *SR = StartPair.first;
   if (!isAllocation(SR))
     return;
   bool ZeroShift = StartPair.second;
 
+  const MemSpaceRegion *MemSpace = SR->getMemorySpace();
+  if (!isa<HeapSpaceRegion, GlobalsSpaceRegion, StackSpaceRegion>(MemSpace))
+    return;
+
   SVal DstVal = C.getSVal(CE);
   const MemRegion *DMR = DstVal.getAsRegion();
   if (MR->getAs<ElementRegion>() && (!DMR || !DMR->getAs<ElementRegion>())) {
@@ -267,9 +280,9 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
 
 void AllocationChecker::checkPreCall(const CallEvent &Call,
                                      CheckerContext &C) const {
-  if (IgnoreFnSet.contains(Call))
+  if (IgnoreFnSet.contains(Call) || CheriBoundsFnSet.contains(Call))
     return;
-  
+
   ProgramStateRef State = C.getState();
   ExplodedNode *N = nullptr;
   bool Updated  = false;
@@ -305,6 +318,25 @@ void AllocationChecker::checkPreCall(const CallEvent &Call,
     C.addTransition(State, N ? N : C.getPredecessor());
 }
 
+void AllocationChecker::checkPostCall(const CallEvent &Call,
+                                      CheckerContext &C) const {
+  if (!CheriBoundsFnSet.contains(Call))
+    return;
+  const MemRegion *MR = C.getSVal(Call.getArgExpr(0)).getAsRegion();
+  const MemRegion *ResMR = C.getSVal(Call.getOriginExpr()).getAsRegion();
+  if (!MR || !ResMR)
+    return;
+
+  ProgramStateRef State = C.getState();
+  if (!State->contains<SuballocationSet>(MR) ||
+      !State->contains<SuballocationSet>(ResMR))
+    return;
+
+  State = State->remove<SuballocationSet>(ResMR);
+  State = State->add<BoundedSet>(ResMR);
+  C.addTransition(State);
+}
+
 void AllocationChecker::checkBind(SVal L, SVal V, const Stmt *S,
                                   CheckerContext &C) const {
   const MemRegion *Dst = L.getAsRegion();
diff --git a/clang/test/Analysis/Checkers/CHERI/allocation.c b/clang/test/Analysis/Checkers/CHERI/allocation.c
@@ -1,5 +1,5 @@
 // RUN: %cheri_purecap_cc1 -analyze -verify %s \
-// RUN:   -analyzer-checker=core,unix,alpha.cheri.Allocation
+// RUN:   -analyzer-checker=core,unix,alpha.cheri.Allocation,cheri.CheriAPIModelling
 
 typedef __typeof__(sizeof(int)) size_t;
 extern void * malloc(size_t);
@@ -81,3 +81,11 @@ void test_6(int n1, int n2) {
   struct S2 **p2 = (struct S2 **)(p1+n1);
   foo(p2); // no warn
 }
+
+void *cheri_bounds_set(void *c, size_t x);
+void test_7(int n1, int n2) {
+  struct S1 *p1 = malloc(sizeof(struct S1)*n1 + sizeof(struct S2)*n2);
+  struct S2 *p2 = (struct S2 *)(p1+n1);
+  struct S2 *p3 = cheri_bounds_set(p2, sizeof(struct S2)*n2);
+  foo(p3); // no-warn
+}
