[CHERI_CSA] New cheri.Allocation checker

Author: eupharina

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

@@ -1837,4 +1837,8 @@ def SubObjectRepresentabilityChecker : Checker<"SubObjectRepresentability">,
 
 let ParentPackage = CHERIAlpha in {
 
+def AllocationChecker : Checker<"Allocation">,
+  HelpText<"Suggest narrowing bounds for escaping suballocation capabilities">,
+  Documentation<NotDocumented>;
+
 } // end alpha.cheri

clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp

@@ -0,0 +1,230 @@
+//===-- AllocationChecker.cpp - Allocation Checker -*- C++ -*--------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+// This file defines checker that detects unrelated objects being allocated as
+// adjacent suballocations of the bigger memory allocation. It reports
+// situations when an address of such object escapes the function and
+// suggests narrowing the bounds of the escaping capability, so it covers only
+// the current suballocation, following the principle of least privilege.
+//
+//===----------------------------------------------------------------------===//
+#include "CHERIUtils.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+
+
+using namespace clang;
+using namespace ento;
+using namespace cheri;
+
+namespace {
+
+class AllocationChecker : public Checker<check::PostStmt<CastExpr>> {
+  BugType BT_1{this, "Allocation partitioning", "CHERI portability"};
+
+  class AllocPartitionBugVisitor : public BugReporterVisitor {
+  public:
+    AllocPartitionBugVisitor(const MemRegion *R) : Reg(R) {}
+
+    void Profile(llvm::FoldingSetNodeID &ID) const override {
+      static int X = 0;
+      ID.AddPointer(&X);
+      ID.AddPointer(Reg);
+    }
+
+    PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
+                                     BugReporterContext &BRC,
+                                     PathSensitiveBugReport &BR) override;
+
+  private:
+    const MemRegion *Reg;
+  };
+
+public:
+  void checkPostStmt(const CastExpr *CE, CheckerContext &C) const;
+
+private:
+  ExplodedNode *emitAllocationPartitionWarning(const CastExpr *CE,
+                                               CheckerContext &C,
+                                               const MemRegion *R) const;
+};
+
+} // namespace
+
+REGISTER_MAP_WITH_PROGRAMSTATE(AllocMap, const MemRegion *, QualType)
+REGISTER_MAP_WITH_PROGRAMSTATE(ShiftMap, const MemRegion *, const MemRegion *)
+
+namespace {
+std::pair<const MemRegion *, bool> getAllocationStart(const MemRegion *R,
+                                                      CheckerContext &C,
+                                                      bool ZeroShift = true) {
+  if (const ElementRegion *ER = R->getAs<ElementRegion>()) {
+    const MemRegion *Base = ER->getSuperRegion();
+    return getAllocationStart(Base, C, ER->getIndex().isZeroConstant());
+  }
+  if (auto OrigR = C.getState()->get<ShiftMap>(R)) {
+    return std::make_pair(*OrigR, false);
+  }
+  return std::make_pair(R, ZeroShift);
+}
+
+bool isAllocation(const MemRegion *R) {
+  if (R->getAs<SymbolicRegion>())
+    return true;
+  if (const TypedValueRegion *TR = R->getAs<TypedValueRegion>()) {
+    return TR->getValueType()->isArrayType();
+  }
+  return false;
+}
+
+bool relatedTypes(const Type *Ty1, const Type *Ty2) {
+  if (Ty1 == Ty2)
+    return true;
+  if (Ty1->isArrayType())
+    return relatedTypes(Ty1->getArrayElementTypeNoTypeQual(), Ty2);
+  return false;
+}
+
+bool isGenPtrType(QualType Ty) {
+  return Ty->isVoidPointerType() ||
+         ((Ty->isPointerType() || Ty->isArrayType()) &&
+          Ty->getPointeeOrArrayElementType()->isCharType());
+}
+
+std::optional<QualType> getPrevType(ProgramStateRef State, const MemRegion *R) {
+  if (const QualType *PrevTy = State->get<AllocMap>(R))
+    return *PrevTy;
+  if (const TypedValueRegion *TR = R->getAs<TypedValueRegion>()) {
+    QualType Ty = TR->getValueType();
+    if ((Ty->isPointerType() || Ty->isArrayType()) && !isGenPtrType(Ty))
+      return Ty;
+  }
+  return std::nullopt;
+}
+
+} // namespace
+
+ExplodedNode *AllocationChecker::emitAllocationPartitionWarning(
+    const CastExpr *CE, CheckerContext &C, const MemRegion *MR) const {
+  if (ExplodedNode *ErrNode = C.generateNonFatalErrorNode()) {
+    SmallString<256> Buf;
+    llvm::raw_svector_ostream OS(Buf);
+    OS << "Allocation partition: ";
+    describeCast(OS, CE, C.getASTContext().getLangOpts());
+    auto R = std::make_unique<PathSensitiveBugReport>(
+        BT_1, OS.str(), ErrNode);
+    R->addVisitor(std::make_unique<AllocPartitionBugVisitor>(MR));
+    C.emitReport(std::move(R));
+    return ErrNode;
+  }
+  return nullptr;
+}
+
+void AllocationChecker::checkPostStmt(const CastExpr *CE,
+                                      CheckerContext &C) const {
+  if (CE->getCastKind() != CK_BitCast)
+    return;
+  SVal SrcVal = C.getSVal(CE->getSubExpr());
+  const MemRegion *MR = SrcVal.getAsRegion();
+  if (!MR)
+    return;
+  if (MR->getMemorySpace()->getKind() == MemSpaceRegion::CodeSpaceRegionKind)
+    return;
+
+  ProgramStateRef State = C.getState();
+  bool Updated = false;
+
+  std::pair<const MemRegion *, bool> StartPair = getAllocationStart(MR, C);
+  const MemRegion *SR = StartPair.first;
+  if (!isAllocation(SR))
+    return;
+  bool ZeroShift = StartPair.second;
+
+  SVal DstVal = C.getSVal(CE);
+  const MemRegion *DMR = DstVal.getAsRegion();
+  if (MR->getAs<ElementRegion>() && (!DMR || !DMR->getAs<ElementRegion>())) {
+    if (DstVal.isUnknown()) {
+      const LocationContext *LCtx = C.getLocationContext();
+      DstVal = C.getSValBuilder().conjureSymbolVal(
+          nullptr, CE, LCtx, CE->getType(), C.blockCount());
+      State = State->BindExpr(CE, LCtx, DstVal);
+      DMR = DstVal.getAsRegion();
+    }
+    if (DMR) {
+      State = State->set<ShiftMap>(DMR, SR);
+      Updated = true;
+    }
+  }
+
+  QualType DstTy = CE->getType().getUnqualifiedType();
+  if (!DstTy->isPointerType())
+    return;
+  if (DstTy->isVoidPointerType() || DstTy->getPointeeType()->isCharType())
+    return;
+
+  std::optional<QualType> PrevTy = getPrevType(State, SR);
+  if (PrevTy) {
+    if (SR != MR && !ZeroShift) {
+      const Type *Ty1 = PrevTy->getTypePtr()
+                            ->getPointeeOrArrayElementType()
+                            ->getUnqualifiedDesugaredType();
+      const Type *Ty2 = DstTy->getPointeeType()->getUnqualifiedDesugaredType();
+      if (!relatedTypes(Ty1, Ty2)) {
+        emitAllocationPartitionWarning(CE, C, SR);
+        return;
+      } // else OK
+    } // else ??? (ignore for now)
+  } else {
+    State = State->set<AllocMap>(SR, DstTy);
+    Updated = true;
+  }
+
+  if (Updated)
+    C.addTransition(State);
+}
+
+PathDiagnosticPieceRef AllocationChecker::AllocPartitionBugVisitor::VisitNode(
+    const ExplodedNode *N, BugReporterContext &BRC,
+    PathSensitiveBugReport &BR) {
+  const Stmt *S = N->getStmtForDiagnostics();
+  if (!S)
+    return nullptr;
+
+  const CastExpr *CE = dyn_cast<CastExpr>(S);
+  if (!CE || CE->getCastKind() != CK_BitCast)
+    return nullptr;
+
+  if (Reg != N->getSVal(CE->getSubExpr()).getAsRegion())
+    return nullptr;
+
+  SmallString<256> Buf;
+  llvm::raw_svector_ostream OS(Buf);
+  OS << "Previous partition: ";
+  describeCast(OS, CE, BRC.getASTContext().getLangOpts());
+
+  // Generate the extra diagnostic.
+  PathDiagnosticLocation const Pos(S, BRC.getSourceManager(),
+                                   N->getLocationContext());
+  return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);
+}
+
+//===----------------------------------------------------------------------===//
+// Checker registration.
+//===----------------------------------------------------------------------===//
+
+void ento::registerAllocationChecker(CheckerManager &Mgr) {
+  Mgr.registerChecker<AllocationChecker>();
+}
+
+bool ento::shouldRegisterAllocationChecker(const CheckerManager &Mgr) {
+  return true;
+}

clang/lib/StaticAnalyzer/Checkers/CHERI/CHERIUtils.cpp

@@ -52,6 +52,17 @@ bool hasCapability(const QualType OrigTy, ASTContext &Ctx) {
   return false;
 }
 
+void describeCast(raw_ostream &OS, const CastExpr *CE,
+                         const LangOptions &LangOpts) {
+  OS << (dyn_cast<ImplicitCastExpr>(CE) ? "implicit" : "explicit");
+  OS << " cast from '";
+  CE->getSubExpr()->getType().print(OS, PrintingPolicy(LangOpts));
+  OS << "' to '";
+  CE->getType().print(OS, PrintingPolicy(LangOpts));
+  OS << "'";
+}
+
+
 } // end of namespace: cheri
 } // end of namespace: ento
 } // end of namespace: clang

clang/lib/StaticAnalyzer/Checkers/CHERI/CHERIUtils.h

@@ -27,6 +27,9 @@ bool isGenericPointerType(const QualType T, bool AcceptCharPtr = true);
 
 bool hasCapability(const QualType OrigTy, ASTContext &Ctx);
 
+void describeCast(raw_ostream &OS, const CastExpr *CE,
+                  const LangOptions &LangOpts);
+
 } // end of namespace: cheri
 } // end of namespace: ento
 } // end of namespace: clang

clang/lib/StaticAnalyzer/Checkers/CHERI/ProvenanceSourceChecker.cpp

@@ -537,20 +537,6 @@ void ProvenanceSourceChecker::checkDeadSymbols(SymbolReaper &SymReaper,
     C.addTransition(State);
 }
 
-namespace {
-
-static void describeCast(raw_ostream &OS, const CastExpr *CE,
-                         const LangOptions &LangOpts) {
-  OS << (dyn_cast<ImplicitCastExpr>(CE) ? "implicit" : "explicit");
-  OS << " cast from '";
-  CE->getSubExpr()->getType().print(OS, PrintingPolicy(LangOpts));
-  OS << "' to '";
-  CE->getType().print(OS, PrintingPolicy(LangOpts));
-  OS << "'";
-}
-
-} // namespace
-
 PathDiagnosticPieceRef
 ProvenanceSourceChecker::InvalidCapBugVisitor::VisitNode(
     const ExplodedNode *N, BugReporterContext &BRC,

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

@@ -25,10 +25,11 @@ add_clang_library(clangStaticAnalyzerCheckers
   CheckPlacementNew.cpp
   CheckSecuritySyntaxOnly.cpp
   CheckerDocumentation.cpp
+  CHERI/AllocationChecker.cpp
+  CHERI/CapabilityCopyChecker.cpp
   CHERI/CHERIUtils.cpp
   CHERI/PointerSizeAssumptionsChecker.cpp
   CHERI/ProvenanceSourceChecker.cpp
-  CHERI/CapabilityCopyChecker.cpp
   CHERI/SubObjectRepresentabilityChecker.cpp
   ChrootChecker.cpp
   CloneChecker.cpp

clang/test/Analysis/Checkers/CHERI/allocation.c

@@ -0,0 +1,43 @@
+// RUN: %cheri_purecap_cc1 -analyze -verify %s \
+// RUN:   -analyzer-checker=core,unix,alpha.cheri.Allocation
+
+typedef __typeof__(sizeof(int)) size_t;
+extern void * malloc(size_t);
+
+
+struct S1 {
+  int *a[3];
+  int *d[1];
+};
+
+struct S2 {
+  int x[3];
+  int *px;
+};
+
+struct S2 * test_1(int n1, int n2) {
+  struct S1 *p1 = malloc(sizeof(struct S1)*n1 + sizeof(struct S2)*n2);
+  struct S2 *p2 = (struct S2 *)(p1+n1); // expected-warning{{Allocation partition}}
+  return p2;
+}
+
+double buf[100] __attribute__((aligned(_Alignof(void*))));
+struct S2 * test_2(int n1) {
+  struct S1 *p1 = (struct S1 *)buf; // ?
+  struct S2 *p2 = (struct S2 *)(p1+n1); // expected-warning{{Allocation partition}}
+  return p2;
+}
+
+int * test_3(int n1, int n2) {
+  void *p1 = malloc(sizeof(struct S1)*n1 + sizeof(struct S2)*n2);
+  struct S2 *p2 = (struct S2 *)(p1+n1);
+  int *p3 = (int*)(p2 + n2); // expected-warning{{Allocation partition}}
+  return p3;
+}
+
+void array(int i, int j) {
+  int a[100][200];
+  int (*p1)[200] = &a[i];
+  int *p2 = p1[j]; // no warn
+  *p2 = 42;
+}