[CHERI_CSA] Refactoring state cleanup for dead symbols & regions

Author: eupharina

clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp

@@ -38,7 +38,7 @@ using EscapePair = std::pair<const MemRegion *, EscapeInfo>;
 namespace {
 class AllocationChecker
     : public Checker<check::PostStmt<CastExpr>, check::PreCall, check::PostCall,
-                     check::Bind, check::EndFunction> {
+                     check::Bind, check::EndFunction, check::DeadSymbols> {
   BugType BT_Default{this, "Allocation partitioning", "CHERI portability"};
   BugType BT_UnknownReg{this, "Unknown allocation partitioning",
                         "CHERI portability"};
@@ -80,6 +80,7 @@ class AllocationChecker
   void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
   void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
   void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
+  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
 
   bool ReportForUnknownAllocations;
 
@@ -409,6 +410,22 @@ void AllocationChecker::checkEndFunction(const ReturnStmt *RS,
   }
 }
 
+void AllocationChecker::checkDeadSymbols(SymbolReaper &SymReaper,
+                                         CheckerContext &C) const {
+  if (!isPureCapMode(C.getASTContext()))
+    return;
+
+  ProgramStateRef State = C.getState();
+  bool Removed = false;
+  State = cleanDead<AllocMap>(State, SymReaper, Removed);
+  State = cleanDead<ShiftMap>(State, SymReaper, Removed);
+  State = cleanDead<SuballocationSet>(State, SymReaper, Removed);
+  State = cleanDead<BoundedSet>(State, SymReaper, Removed);
+
+  if (Removed)
+    C.addTransition(State);
+}
+
 PathDiagnosticPieceRef AllocationChecker::AllocPartitionBugVisitor::VisitNode(
     const ExplodedNode *N, BugReporterContext &BRC,
     PathSensitiveBugReport &BR) {

clang/lib/StaticAnalyzer/Checkers/CHERI/CHERIUtils.cpp

@@ -7,6 +7,9 @@
 //===----------------------------------------------------------------------===//
 
 #include "CHERIUtils.h"
+#include <clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h>
+
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
 
 namespace clang {
 namespace ento {

clang/lib/StaticAnalyzer/Checkers/CHERI/CHERIUtils.h

@@ -10,6 +10,8 @@
 #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_CHERI_CHERIUTILS_H
 
 #include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+#include <clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h>
 
 namespace clang {
 namespace ento {
@@ -33,6 +35,42 @@ void describeCast(raw_ostream &OS, const CastExpr *CE,
 const DeclRegion *getAllocationDecl(const MemRegion *MR);
 
 } // namespace cheri
+
+template <typename C>
+inline typename ProgramStateTrait<C>::key_type
+getKey(const std::pair<typename ProgramStateTrait<C>::key_type,
+                       typename ProgramStateTrait<C>::value_type> &P) {
+  return P.first;
+}
+
+template <typename C>
+inline typename ProgramStateTrait<C>::key_type
+getKey(const typename ProgramStateTrait<C>::key_type &K) {
+  return K;
+}
+
+inline bool isLive(SymbolReaper &SymReaper, const MemRegion *MR) {
+  return SymReaper.isLiveRegion(MR);
+}
+
+inline bool isLive(SymbolReaper &SymReaper, SymbolRef Sym) {
+  return SymReaper.isLive(Sym);
+}
+
+template <typename M>
+ProgramStateRef cleanDead(ProgramStateRef State, SymbolReaper &SymReaper,
+                          bool &Removed) {
+  const typename ProgramStateTrait<M>::data_type &Map = State->get<M>();
+  for (const auto &E : Map) {
+    const typename ProgramStateTrait<M>::key_type &K = getKey<M>(E);
+    if (isLive(SymReaper, K))
+      continue;
+    State = State->remove<M>(K);
+    Removed = true;
+  }
+  return State;
+}
+
 } // namespace ento
 } // namespace clang
 

clang/lib/StaticAnalyzer/Checkers/CHERI/CapabilityCopyChecker.cpp

@@ -49,10 +49,10 @@ struct CHERITagState {
 };
 
 class CapabilityCopyChecker
-    : public Checker<check::Location, check::Bind,
-                     check::PostStmt<BinaryOperator>,
-                     check::PostStmt<ArraySubscriptExpr>,
-                     check::BranchCondition, check::PreCall> {
+    : public Checker<
+          check::Location, check::Bind, check::PostStmt<BinaryOperator>,
+          check::PostStmt<ArraySubscriptExpr>, check::BranchCondition,
+          check::PreCall, check::DeadSymbols> {
 
   BugType UseCapAsNonCap{this,
                          "Part of capability value used in binary operator",
@@ -76,6 +76,7 @@ class CapabilityCopyChecker
   void checkPostStmt(const ArraySubscriptExpr *E, CheckerContext &C) const;
   void checkBranchCondition(const Stmt *Cond, CheckerContext &C) const;
   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
+  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
 
   bool ReportForCharPtr = false;
 
@@ -87,7 +88,7 @@ class CapabilityCopyChecker
 REGISTER_SET_WITH_PROGRAMSTATE(VoidPtrArgDeref, const MemRegion *)
 REGISTER_SET_WITH_PROGRAMSTATE(UnalignedPtr, const MemRegion *)
 REGISTER_SET_WITH_PROGRAMSTATE(CString, const MemRegion *)
-REGISTER_LIST_WITH_PROGRAMSTATE(WhileBoundVar, SymbolRef)
+REGISTER_SET_WITH_PROGRAMSTATE(WhileBoundVar, SymbolRef)
 
 namespace {
 
@@ -251,8 +252,8 @@ bool isInsideSmallConstantBoundLoop(const Stmt *S, CheckerContext &C, long N) {
   SValBuilder &SVB = C.getSValBuilder();
   const NonLoc &ItVal = SVB.makeIntVal(N, true);
 
-  auto BoundVarList = C.getState()->get<WhileBoundVar>();
-  for (auto &&V : BoundVarList) {
+  auto BoundVarSet = C.getState()->get<WhileBoundVar>();
+  for (auto &&V : BoundVarSet) {
     auto SmallLoop =
         SVB.evalBinOpNN(C.getState(), clang::BO_GE, nonloc::SymbolVal(V), ItVal,
                         SVB.getConditionType());
@@ -473,8 +474,6 @@ bool checkForWhileBoundVar(const Stmt *Condition, CheckerContext &C,
     if (SymbolRef ISym = C.getSVal(L).getAsSymbol()) {
       if (ThenSt)
         ThenSt = ThenSt->add<WhileBoundVar>(ISym);
-      if (ElseSt)
-        ElseSt = ElseSt->set<WhileBoundVar>(llvm::ImmutableList<SymbolRef>());
     } else
       return false;
   }
@@ -616,6 +615,23 @@ void CapabilityCopyChecker::checkPreCall(const CallEvent &Call,
   C.addTransition(State);
 }
 
+void CapabilityCopyChecker::checkDeadSymbols(SymbolReaper &SymReaper,
+                                             CheckerContext &C) const {
+  if (!isPureCapMode(C.getASTContext()))
+    return;
+
+  ProgramStateRef State = C.getState();
+  bool Removed = false;
+
+  State = cleanDead<VoidPtrArgDeref>(State, SymReaper, Removed);
+  State = cleanDead<UnalignedPtr>(State, SymReaper, Removed);
+  State = cleanDead<CString>(State, SymReaper, Removed);
+  State = cleanDead<WhileBoundVar>(State, SymReaper, Removed);
+
+  if (Removed)
+    C.addTransition(State);
+}
+
 void ento::registerCapabilityCopyChecker(CheckerManager &mgr) {
   auto *Checker = mgr.registerChecker<CapabilityCopyChecker>();
   Checker->ReportForCharPtr = mgr.getAnalyzerOptions().getCheckerBooleanOption(

clang/lib/StaticAnalyzer/Checkers/CHERI/ProvenanceSourceChecker.cpp

@@ -510,23 +510,10 @@ void ProvenanceSourceChecker::checkDeadSymbols(SymbolReaper &SymReaper,
     return;
 
   ProgramStateRef State = C.getState();
-
   bool Removed = false;
-  const InvalidCapTy &Set = State->get<InvalidCap>();
-  for (const auto &Sym : Set) {
-    if (!SymReaper.isDead(Sym))
-      continue;
-    State = State->remove<InvalidCap>(Sym);
-    Removed = true;
-  }
-
-  const AmbiguousProvenanceSymTy &Set2 = State->get<AmbiguousProvenanceSym>();
-  for (const auto &Sym : Set2) {
-    if (!SymReaper.isDead(Sym))
-      continue;
-    State = State->remove<AmbiguousProvenanceSym>(Sym);
-    Removed = true;
-  }
+  State = cleanDead<InvalidCap>(State, SymReaper, Removed);
+  State = cleanDead<AmbiguousProvenanceSym>(State, SymReaper, Removed);
+  State = cleanDead<AmbiguousProvenanceReg>(State, SymReaper, Removed);
 
   if (Removed)
     C.addTransition(State);

clang/lib/StaticAnalyzer/Checkers/PointerAlignmentChecker.cpp

@@ -918,17 +918,11 @@ void PointerAlignmentChecker::checkPostStmt(const BinaryOperator *BO,
 
 void PointerAlignmentChecker::checkDeadSymbols(SymbolReaper &SymReaper,
                                                CheckerContext &C) const {
-  bool Updated = false;
   ProgramStateRef State = C.getState();
+  bool Updated = false;
 
-  TrailingZerosMapTy TZMap = State->get<TrailingZerosMap>();
-  for (TrailingZerosMapTy::iterator I = TZMap.begin(), E = TZMap.end(); I != E;
-       ++I) {
-    if (SymReaper.isDead(I->first)) {
-      State = State->remove<TrailingZerosMap>(I->first);
-      Updated = true;
-    }
-  }
+  State = cleanDead<TrailingZerosMap>(State, SymReaper, Updated);
+  State = cleanDead<CapStorageSet>(State, SymReaper, Updated);
 
   if (Updated)
     C.addTransition(State);