[CHERI_CSA] SubObjectRepresentability: enable notes with updated cheri-compressed-cap

eupharina · resistor · commit 46c91d7dea58 · 2025-07-19T21:42:40.000+08:00
diff --git a/clang/lib/StaticAnalyzer/Checkers/CHERI/SubObjectRepresentabilityChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CHERI/SubObjectRepresentabilityChecker.cpp
@@ -15,9 +15,9 @@
 //===----------------------------------------------------------------------===//
 
 #include "CHERIUtils.h"
-#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
 #include "clang/AST/StmtVisitor.h"
 #include "clang/ASTMatchers/ASTMatchFinder.h"
+#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
@@ -44,12 +44,14 @@ class SubObjectRepresentabilityChecker
                         BugReporter &BR) const;
 };
 
-}
+} //namespace
 
 namespace {
 
-std::unique_ptr<BasicBugReport> reportExposedFields(const FieldDecl *D, ASTContext &ASTCtx, BugReporter &BR,
-                         uint64_t Base, uint64_t Top, std::unique_ptr<BasicBugReport> Report) {
+std::unique_ptr<BasicBugReport>
+reportExposedFields(const FieldDecl *D, ASTContext &ASTCtx, BugReporter &BR,
+                    uint64_t Base, uint64_t Top,
+                    std::unique_ptr<BasicBugReport> Report) {
   const RecordDecl *Parent = D->getParent();
   auto FI = Parent->field_begin();
   while (FI != Parent->field_end() &&
@@ -86,23 +88,28 @@ std::unique_ptr<BasicBugReport> reportExposedFields(const FieldDecl *D, ASTConte
 }
 
 #if 0
-// FIXME: CC_MORELLO is not set in cheri_compressed_cap
-// FIXME: other targets
-using Handler = CompressedCap128;
-Handler::cap_t getBoundedCap(uint64_t ParentSize, uint64_t Offset,
-                             uint64_t Size) {
-  Handler::addr_t InitLength = Handler ::representable_length(ParentSize);
-  Handler::cap_t MockCap = Handler::make_max_perms_cap(0, 0, InitLength);
-  bool exact = Handler::setbounds(&MockCap, Offset, Offset + Size);
+template <typename Handler>
+typename Handler::cap_t getBoundedCap(uint64_t ParentSize, uint64_t Offset,
+                                      uint64_t Size) {
+  typename Handler::addr_t InitLength =
+      Handler::representable_length(ParentSize);
+  typename Handler::cap_t MockCap =
+      Handler::make_max_perms_cap(0, Offset, InitLength);
+  bool exact = Handler::setbounds(&MockCap, Size);
   assert(!exact);
   return MockCap;
 }
 #endif
 
-} // namespace
+template<typename Handler>
+uint64_t getRepresentableAlignment(uint64_t Size) {
+  return ~Handler::representable_mask(Size) + 1;
+}
 
-std::unique_ptr<BugReport> checkField(const FieldDecl *D, AnalysisManager &mgr,
-                                      BugReporter &BR, const BugType &BT) {
+template <llvm::CompressedCapability::CapabilityFormat Handler>
+std::unique_ptr<BugReport> checkFieldImpl(const FieldDecl *D,
+                                          BugReporter &BR,
+                                          const BugType &BT) {
   QualType T = D->getType();
 
   ASTContext &ASTCtx = BR.getContext();
@@ -125,17 +132,15 @@ std::unique_ptr<BugReport> checkField(const FieldDecl *D, AnalysisManager &mgr,
       OS << " field offset is " << Offset;
       OS << " (aligned to " << CurAlign << ");";
 
-      /*
-       * Print current bounds
-       * TODO: use cheri_compressed_cap correctly
-       *
+#if 0
       const RecordDecl *Parent = D->getParent();
       uint64_t ParentSize = ASTCtx.getTypeSize(Parent->getTypeForDecl()) / 8;
-      auto MockCap = getBoundedCap(ParentSize, Offset, Size);
+      typename Handler::cap_t MockCap =
+          getBoundedCap<Handler>(ParentSize, Offset, Size);
       uint64_t Base = MockCap.base();
       uint64_t Top = MockCap.top();
       OS << " Current bounds: " << Base << "-" << Top;
-       */
+#endif
 
       // Note that this will fire for every translation unit that uses this
       // class.  This is suboptimal, but at least scan-build will merge
@@ -146,11 +151,9 @@ std::unique_ptr<BugReport> checkField(const FieldDecl *D, AnalysisManager &mgr,
       Report->setDeclWithIssue(D);
       Report->addRange(D->getSourceRange());
 
-      /*
-       * Add exposed fields as notes
-       * TODO: use cheri_compressed_cap correctly
+#if 0
       Report = reportExposedFields(D, ASTCtx, BR, Base, Top, std::move(Report));
-       */
+#endif
 
       return Report;
     }
@@ -159,10 +162,29 @@ std::unique_ptr<BugReport> checkField(const FieldDecl *D, AnalysisManager &mgr,
   return nullptr;
 }
 
+std::unique_ptr<BugReport> checkField(const FieldDecl *D,
+                                      BugReporter &BR,
+                                      const BugType &BT) {
+  // TODO: other targets
+  return checkFieldImpl<llvm::CompressedCapability::Cheri128>(D, BR, BT);
+}
+
+bool supportedTarget(const ASTContext &C) {
+  const TargetInfo &TI = C.getTargetInfo();
+  return TI.areAllPointersCapabilities()
+         && TI.getTriple().isAArch64(); // morello
+}
+
+} // namespace
+
+
 void SubObjectRepresentabilityChecker::checkASTDecl(const RecordDecl *R,
                                                     AnalysisManager &mgr,
                                                     BugReporter &BR) const {
-  if (!R->isCompleteDefinition())
+  if (!supportedTarget(mgr.getASTContext()))
+    return;
+
+  if (!R->isCompleteDefinition() || R->isDependentType())
     return;
 
   if (!R->getLocation().isValid())
@@ -177,16 +199,19 @@ void SubObjectRepresentabilityChecker::checkASTDecl(const RecordDecl *R,
   */
 
   for (FieldDecl *D : R->fields()) {
-    auto Report = checkField(D, mgr, BR, BT_1);
+    auto Report = checkField(D, BR, BT_1);
     if (Report)
       BR.emitReport(std::move(Report));
   }
 }
 
-void SubObjectRepresentabilityChecker::checkASTCodeBody(const Decl *D, AnalysisManager &mgr,
-                      BugReporter &BR) const {
-  using namespace ast_matchers;
+void SubObjectRepresentabilityChecker::checkASTCodeBody(const Decl *D,
+                                                        AnalysisManager &mgr,
+                                                        BugReporter &BR) const {
+  if (!supportedTarget(mgr.getASTContext()))
+    return;
 
+  using namespace ast_matchers;
   auto Member = memberExpr().bind("member");
   auto Decay =
       castExpr(hasCastKind(CK_ArrayToPointerDecay), has(Member)).bind("decay");
@@ -202,7 +227,7 @@ void SubObjectRepresentabilityChecker::checkASTCodeBody(const Decl *D, AnalysisM
       if (const MemberExpr *ME = Match.getNodeAs<MemberExpr>("member")) {
         ValueDecl *VD = ME->getMemberDecl();
         if (FieldDecl *FD = dyn_cast<FieldDecl>(VD)) {
-          auto Report = checkField(FD, mgr, BR, BT_2);
+          auto Report = checkField(FD, BR, BT_2);
           if (Report) {
             PathDiagnosticLocation LN = PathDiagnosticLocation::createBegin(
                 CE, BR.getSourceManager(), mgr.getAnalysisDeclContext(D));
@@ -216,7 +241,7 @@ void SubObjectRepresentabilityChecker::checkASTCodeBody(const Decl *D, AnalysisM
       if (const MemberExpr *ME = Match.getNodeAs<MemberExpr>("member")) {
         ValueDecl *VD = ME->getMemberDecl();
         if (FieldDecl *FD = dyn_cast<FieldDecl>(VD)) {
-          auto Report = checkField(FD, mgr, BR, BT_2);
+          auto Report = checkField(FD, BR, BT_2);
           if (Report) {
             PathDiagnosticLocation LN = PathDiagnosticLocation::createBegin(
                 UO, BR.getSourceManager(), mgr.getAnalysisDeclContext(D));
diff --git a/clang/test/Analysis/Checkers/CHERI/subobject-representability-morello.c b/clang/test/Analysis/Checkers/CHERI/subobject-representability-morello.c
@@ -11,7 +11,7 @@ struct R1 {
       char a[0x3FFF]; // no warn
     } f1good;
     struct {
-      char c;
+      char c; // expected-note{{}}
       char a[0x4000]; // expected-warning{{Field 'a' of type 'char[16384]' (size 16384) requires 8 byte alignment for precise bounds; field offset is 1}}
     } f2bad;
     struct {
@@ -27,9 +27,9 @@ struct S2 {
 };
 
 struct R2 {
-  char x[0x50];
-  struct S2 s2;
-  char c;
-  char a[0x8000]; // expected-warning{{Field 'a' of type 'char[32768]'}}
-  char y[32];
-};
+  char x[0x50]; // expected-note{{16/80}}
+  struct S2 s2; // expected-note{{32/32 bytes exposed (may expose capability!)}}
+  char c; // expected-note{{1}}
+  char a[0x20000]; // expected-warning{{Field 'a' of type 'char[131072]' (size 131072) requires 64 byte alignment for precise bounds; field offset is 113 (aligned to 1); Current bounds: 64-131200}}
+  char y[32]; // expected-note{{15/32}}
+};
