[CHERI_CSA] AllocationChecker: add ReportForUnknownAllocations option

Author: eupharina

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

@@ -1844,6 +1844,9 @@ let ParentPackage = CHERIAlpha in {
       : Checker<"Allocation">,
         HelpText<
             "Suggest narrowing bounds for escaping suballocation capabilities">,
+        CheckerOptions<[CmdLineOption<
+            Boolean, "ReportForUnknownAllocations",
+            "Report for pointers with untracked origin", "true", Released>]>,
         Documentation<NotDocumented>;
 
 } // end alpha.cheri

clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp

@@ -40,8 +40,8 @@ class AllocationChecker
     : public Checker<check::PostStmt<CastExpr>, check::PreCall, check::PostCall,
                      check::Bind, check::EndFunction> {
   BugType BT_Default{this, "Allocation partitioning", "CHERI portability"};
-  BugType BT_KnownReg{this, "Heap or static allocation partitioning",
-                      "CHERI portability"};
+  BugType BT_UnknownReg{this, "Unknown allocation partitioning",
+                        "CHERI portability"};
 
   const CallDescriptionSet IgnoreFnSet = {
       {CDM::SimpleFunc, {"free"}, 1},
@@ -81,6 +81,8 @@ class AllocationChecker
   void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
   void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
 
+  bool ReportForUnknownAllocations;
+
 private:
   ExplodedNode *emitAllocationPartitionWarning(CheckerContext &C,
                                                const MemRegion *MR,
@@ -111,7 +113,13 @@ std::pair<const MemRegion *, bool> getAllocationStart(const ASTContext &ASTCtx,
   return std::make_pair(R, ZeroShift);
 }
 
-bool isAllocation(const MemRegion *R) {
+bool isAllocation(const MemRegion *R, const AllocationChecker *Chk) {
+  if (!Chk->ReportForUnknownAllocations) {
+    const MemSpaceRegion *MemSpace = R->getMemorySpace();
+    if (!isa<HeapSpaceRegion, GlobalsSpaceRegion, StackSpaceRegion>(MemSpace))
+      return false;
+  }
+
   if (R->getAs<SymbolicRegion>())
     return true;
   if (const TypedValueRegion *TR = R->getAs<TypedValueRegion>()) {
@@ -176,12 +184,19 @@ ExplodedNode *AllocationChecker::emitAllocationPartitionWarning(
     CheckerContext &C, const MemRegion *MR, SourceRange SR,
     StringRef Msg = "") const {
   if (ExplodedNode *ErrNode = C.generateNonFatalErrorNode()) {
-    auto R = std::make_unique<PathSensitiveBugReport>(BT_Default, Msg, ErrNode);
-    R->addRange(SR);
-    R->markInteresting(MR);
 
     const MemRegion *PrevAlloc =
         getAllocationStart(C.getASTContext(), MR, C.getState()).first;
+    const MemSpaceRegion *MS =
+        PrevAlloc ? PrevAlloc->getMemorySpace() : MR->getMemorySpace();
+    const BugType &BT =
+        isa<HeapSpaceRegion, GlobalsSpaceRegion, StackSpaceRegion>(MS)
+            ? BT_Default
+            : BT_UnknownReg;
+    auto R = std::make_unique<PathSensitiveBugReport>(BT, Msg, ErrNode);
+    R->addRange(SR);
+    R->markInteresting(MR);
+
     R->addVisitor(std::make_unique<AllocPartitionBugVisitor>(
         PrevAlloc == MR ? nullptr : PrevAlloc, MR));
 
@@ -216,14 +231,10 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
       getAllocationStart(ASTCtx, MR, State);
 
   const MemRegion *SR = StartPair.first;
-  if (!isAllocation(SR))
+  if (!isAllocation(SR, this))
     return;
   bool ZeroShift = StartPair.second;
 
-  const MemSpaceRegion *MemSpace = SR->getMemorySpace();
-  if (!isa<HeapSpaceRegion, GlobalsSpaceRegion, StackSpaceRegion>(MemSpace))
-    return;
-
   SVal DstVal = C.getSVal(CE);
   const MemRegion *DMR = DstVal.getAsRegion();
   if (MR->getAs<ElementRegion>() && (!DMR || !DMR->getAs<ElementRegion>())) {
@@ -252,10 +263,14 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
                             ->getUnqualifiedDesugaredType();
       const Type *Ty2 = DstTy->getPointeeType()->getUnqualifiedDesugaredType();
       if (!relatedTypes(ASTCtx, Ty1, Ty2)) {
-        State = State->add<SuballocationSet>(SR);
-        if (DMR)
+        if (!State->contains<SuballocationSet>(SR)) {
+          State = State->add<SuballocationSet>(SR);
+          Updated = true;
+        }
+        if (DMR && !State->contains<SuballocationSet>(DMR)) {
           State = State->add<SuballocationSet>(DMR);
-        Updated = true;
+          Updated = true;
+        }
       } // else OK
     } // else ??? (ignore for now)
   } else {
@@ -419,7 +434,10 @@ PathDiagnosticPieceRef AllocationChecker::AllocPartitionBugVisitor::VisitNode(
 //===----------------------------------------------------------------------===//
 
 void ento::registerAllocationChecker(CheckerManager &Mgr) {
-  Mgr.registerChecker<AllocationChecker>();
+  auto *Checker = Mgr.registerChecker<AllocationChecker>();
+  Checker->ReportForUnknownAllocations =
+      Mgr.getAnalyzerOptions().getCheckerBooleanOption(
+          Checker, "ReportForUnknownAllocations");
 }
 
 bool ento::shouldRegisterAllocationChecker(const CheckerManager &Mgr) {

clang/test/Analysis/analyzer-config.c

@@ -4,6 +4,7 @@
 // CHECK:      [config]
 // CHECK-NEXT: add-pop-up-notes = true
 // CHECK-NEXT: aggressive-binary-operation-simplification = false
+// CHECK-NEXT: alpha.cheri.Allocation:ReportForUnknownAllocations = true
 // CHECK-NEXT: alpha.clone.CloneChecker:IgnoredFilesPattern = ""
 // CHECK-NEXT: alpha.clone.CloneChecker:MinimumCloneComplexity = 50
 // CHECK-NEXT: alpha.clone.CloneChecker:ReportNormalClones = true