[CHERI_CSA] New alpha.cheri.SubObjectRepresentability checker

eupharina · resistor · commit ab517d3bb931 · 2025-07-20T23:57:40.000+08:00
diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -1828,4 +1828,10 @@ let ParentPackage = CHERI in {
 
 } // end cheri
 
-let ParentPackage = CHERIAlpha in {} // end alpha.cheri
+let ParentPackage = CHERIAlpha in {
+
+  def SubObjectRepresentabilityChecker : Checker<"SubObjectRepresentability">,
+                                         HelpText<"TODO: help">,
+                                         Documentation<NotDocumented>;
+
+} // end alpha.cheri
diff --git a/clang/lib/StaticAnalyzer/Checkers/CHERI/SubObjectRepresentabilityChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CHERI/SubObjectRepresentabilityChecker.cpp
@@ -0,0 +1,99 @@
+// ==-- PointerSizeAssumptionsChecker.cpp -------------------------*- C++ -*-=//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+// This checker detects record fields that will not have precise bounds when
+// compiled with
+//      -cheri-bounds=subobject-safe
+// due to big size and underaligned offset, as narrowed capability will not
+// be representable
+//
+//===----------------------------------------------------------------------===//
+
+#include "clang/AST/StmtVisitor.h"
+#include "clang/ASTMatchers/ASTMatchFinder.h"
+#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
+#include "llvm/ADT/SmallString.h"
+#include "llvm/CHERI/CompressedCapability.h"
+#include "llvm/Support/raw_ostream.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+class SubObjectRepresentabilityChecker
+    : public Checker<check::ASTDecl<RecordDecl>> {
+public:
+  void checkASTDecl(const RecordDecl *R, AnalysisManager &mgr,
+                    BugReporter &BR) const;
+};
+
+} // namespace
+
+void SubObjectRepresentabilityChecker::checkASTDecl(const RecordDecl *R,
+                                                    AnalysisManager &mgr,
+                                                    BugReporter &BR) const {
+  if (!R->isCompleteDefinition())
+    return;
+
+  if (!R->getLocation().isValid())
+    return;
+
+  /*
+  SrcMgr::CharacteristicKind Kind =
+      BR.getSourceManager().getFileCharacteristic(Location);
+  // Ignore records in system headers
+  if (Kind != SrcMgr::C_User)
+    return;
+  */
+
+  for (FieldDecl *D : R->fields()) {
+    QualType T = D->getType();
+
+    ASTContext &ASTCtx = BR.getContext();
+    uint64_t Offset = ASTCtx.getFieldOffset(D) / 8;
+    if (Offset > 0) {
+      uint64_t Size = ASTCtx.getTypeSize(T) / 8;
+      uint64_t ReqAlign = llvm::CompressedCapability::GetRequiredAlignment(
+                              Size, llvm::CompressedCapability::Cheri128)
+                              .value();
+      if (1 << llvm::countr_zero(Offset) < ReqAlign) {
+        /* Emit warning */
+        SmallString<1024> Err;
+        llvm::raw_svector_ostream OS(Err);
+        const PrintingPolicy &PP = ASTCtx.getPrintingPolicy();
+        OS << "Field '";
+        D->getNameForDiagnostic(OS, PP, false);
+        OS << "' of type '" << T.getAsString(PP) << "'";
+        OS << " (size " << Size << ")";
+        OS << " requires " << ReqAlign << " byte alignment for precise bounds;";
+        OS << " field offset is " << Offset;
+
+        // Note that this will fire for every translation unit that uses this
+        // class.  This is suboptimal, but at least scan-build will merge
+        // duplicate HTML reports.
+        PathDiagnosticLocation L =
+            PathDiagnosticLocation::createBegin(D, BR.getSourceManager());
+        BR.EmitBasicReport(R, this, "Field with imprecise subobject bounds",
+                           "CHERI portability", OS.str(), L);
+      }
+    }
+  }
+}
+
+void ento::registerSubObjectRepresentabilityChecker(CheckerManager &mgr) {
+  mgr.registerChecker<SubObjectRepresentabilityChecker>();
+}
+
+bool ento::shouldRegisterSubObjectRepresentabilityChecker(
+    const CheckerManager &mgr) {
+  return true;
+}
diff --git a/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt b/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
@@ -29,6 +29,7 @@ add_clang_library(clangStaticAnalyzerCheckers
   CHERI/PointerSizeAssumptionsChecker.cpp
   CHERI/ProvenanceSourceChecker.cpp
   CHERI/CapabilityCopyChecker.cpp
+  CHERI/SubObjectRepresentabilityChecker.cpp
   ChrootChecker.cpp
   CloneChecker.cpp
   ContainerModeling.cpp
diff --git a/clang/test/Analysis/Checkers/CHERI/subobject-representability-morello.c b/clang/test/Analysis/Checkers/CHERI/subobject-representability-morello.c
@@ -0,0 +1,22 @@
+// Test for Morello
+
+// XFAIL: *
+// RUN: %clang_cc1 -triple aarch64-none-elf -target-feature +morello -target-feature +c64 -target-abi purecap \
+// RUN:            -analyze -analyzer-checker=core,alpha.cheri.SubObjectRepresentability -verify %s
+
+struct R1 {
+  struct {
+    struct {
+      char c;
+      char a[0x3FFF]; // no warn
+    } f1good;
+    struct {
+      char c;
+      char a[0x4000]; // expected-warning{{Field 'a' of type 'char[16384]' (size 16384) requires 8 byte alignment for precise bounds; field offset is 1}}
+    } f2bad;
+    struct {
+      int c[2];
+      char a[0x4000]; // no warn
+    } f3good __attribute__((aligned(8)));
+  } s2;
+} s1;
