[CHERI_CSA] SubObjectRepresentability: enable notes with updated cheri-compressed-cap

eupharina · resistor · commit b4a0869802d4 · 2025-07-20T23:57:58.000+08:00
diff --git a/clang/lib/StaticAnalyzer/Checkers/CHERI/SubObjectRepresentabilityChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CHERI/SubObjectRepresentabilityChecker.cpp
@@ -86,23 +86,26 @@ reportExposedFields(const FieldDecl *D, ASTContext &ASTCtx, BugReporter &BR,
 }
 
 #if 0
-// FIXME: CC_MORELLO is not set in cheri_compressed_cap
-// FIXME: other targets
-using Handler = CompressedCap128;
-Handler::cap_t getBoundedCap(uint64_t ParentSize, uint64_t Offset,
-                             uint64_t Size) {
-  Handler::addr_t InitLength = Handler ::representable_length(ParentSize);
-  Handler::cap_t MockCap = Handler::make_max_perms_cap(0, 0, InitLength);
-  bool exact = Handler::setbounds(&MockCap, Offset, Offset + Size);
+template <typename Handler>
+typename Handler::cap_t getBoundedCap(uint64_t ParentSize, uint64_t Offset,
+                                      uint64_t Size) {
+  typename Handler::addr_t InitLength =
+      Handler::representable_length(ParentSize);
+  typename Handler::cap_t MockCap =
+      Handler::make_max_perms_cap(0, Offset, InitLength);
+  bool exact = Handler::setbounds(&MockCap, Size);
   assert(!exact);
   return MockCap;
 }
 #endif
 
-} // namespace
+template <typename Handler> uint64_t getRepresentableAlignment(uint64_t Size) {
+  return ~Handler::representable_mask(Size) + 1;
+}
 
-std::unique_ptr<BugReport> checkField(const FieldDecl *D, AnalysisManager &mgr,
-                                      BugReporter &BR, const BugType &BT) {
+template <llvm::CompressedCapability::CapabilityFormat Handler>
+std::unique_ptr<BugReport> checkFieldImpl(const FieldDecl *D, BugReporter &BR,
+                                          const BugType &BT) {
   QualType T = D->getType();
 
   ASTContext &ASTCtx = BR.getContext();
@@ -126,17 +129,15 @@ std::unique_ptr<BugReport> checkField(const FieldDecl *D, AnalysisManager &mgr,
       OS << " field offset is " << Offset;
       OS << " (aligned to " << CurAlign << ");";
 
-      /*
-       * Print current bounds
-       * TODO: use cheri_compressed_cap correctly
-       *
+#if 0
       const RecordDecl *Parent = D->getParent();
       uint64_t ParentSize = ASTCtx.getTypeSize(Parent->getTypeForDecl()) / 8;
-      auto MockCap = getBoundedCap(ParentSize, Offset, Size);
+      typename Handler::cap_t MockCap =
+          getBoundedCap<Handler>(ParentSize, Offset, Size);
       uint64_t Base = MockCap.base();
       uint64_t Top = MockCap.top();
       OS << " Current bounds: " << Base << "-" << Top;
-       */
+#endif
 
       // Note that this will fire for every translation unit that uses this
       // class.  This is suboptimal, but at least scan-build will merge
@@ -147,11 +148,9 @@ std::unique_ptr<BugReport> checkField(const FieldDecl *D, AnalysisManager &mgr,
       Report->setDeclWithIssue(D);
       Report->addRange(D->getSourceRange());
 
-      /*
-       * Add exposed fields as notes
-       * TODO: use cheri_compressed_cap correctly
+#if 0
       Report = reportExposedFields(D, ASTCtx, BR, Base, Top, std::move(Report));
-       */
+#endif
 
       return Report;
     }
@@ -160,10 +159,27 @@ std::unique_ptr<BugReport> checkField(const FieldDecl *D, AnalysisManager &mgr,
   return nullptr;
 }
 
+std::unique_ptr<BugReport> checkField(const FieldDecl *D, BugReporter &BR,
+                                      const BugType &BT) {
+  // TODO: other targets
+  return checkFieldImpl<llvm::CompressedCapability::Cheri128>(D, BR, BT);
+}
+
+bool supportedTarget(const ASTContext &C) {
+  const TargetInfo &TI = C.getTargetInfo();
+  return TI.areAllPointersCapabilities() &&
+         TI.getTriple().isAArch64(); // morello
+}
+
+} // namespace
+
 void SubObjectRepresentabilityChecker::checkASTDecl(const RecordDecl *R,
                                                     AnalysisManager &mgr,
                                                     BugReporter &BR) const {
-  if (!R->isCompleteDefinition())
+  if (!supportedTarget(mgr.getASTContext()))
+    return;
+
+  if (!R->isCompleteDefinition() || R->isDependentType())
     return;
 
   if (!R->getLocation().isValid())
@@ -178,7 +194,7 @@ void SubObjectRepresentabilityChecker::checkASTDecl(const RecordDecl *R,
   */
 
   for (FieldDecl *D : R->fields()) {
-    auto Report = checkField(D, mgr, BR, BT_1);
+    auto Report = checkField(D, BR, BT_1);
     if (Report)
       BR.emitReport(std::move(Report));
   }
@@ -187,8 +203,10 @@ void SubObjectRepresentabilityChecker::checkASTDecl(const RecordDecl *R,
 void SubObjectRepresentabilityChecker::checkASTCodeBody(const Decl *D,
                                                         AnalysisManager &mgr,
                                                         BugReporter &BR) const {
-  using namespace ast_matchers;
+  if (!supportedTarget(mgr.getASTContext()))
+    return;
 
+  using namespace ast_matchers;
   auto Member = memberExpr().bind("member");
   auto Decay =
       castExpr(hasCastKind(CK_ArrayToPointerDecay), has(Member)).bind("decay");
@@ -204,7 +222,7 @@ void SubObjectRepresentabilityChecker::checkASTCodeBody(const Decl *D,
       if (const MemberExpr *ME = Match.getNodeAs<MemberExpr>("member")) {
         ValueDecl *VD = ME->getMemberDecl();
         if (FieldDecl *FD = dyn_cast<FieldDecl>(VD)) {
-          auto Report = checkField(FD, mgr, BR, BT_2);
+          auto Report = checkField(FD, BR, BT_2);
           if (Report) {
             PathDiagnosticLocation LN = PathDiagnosticLocation::createBegin(
                 CE, BR.getSourceManager(), mgr.getAnalysisDeclContext(D));
@@ -218,7 +236,7 @@ void SubObjectRepresentabilityChecker::checkASTCodeBody(const Decl *D,
       if (const MemberExpr *ME = Match.getNodeAs<MemberExpr>("member")) {
         ValueDecl *VD = ME->getMemberDecl();
         if (FieldDecl *FD = dyn_cast<FieldDecl>(VD)) {
-          auto Report = checkField(FD, mgr, BR, BT_2);
+          auto Report = checkField(FD, BR, BT_2);
           if (Report) {
             PathDiagnosticLocation LN = PathDiagnosticLocation::createBegin(
                 UO, BR.getSourceManager(), mgr.getAnalysisDeclContext(D));
diff --git a/clang/test/Analysis/Checkers/CHERI/subobject-representability-morello.c b/clang/test/Analysis/Checkers/CHERI/subobject-representability-morello.c
@@ -11,7 +11,7 @@ struct R1 {
       char a[0x3FFF]; // no warn
     } f1good;
     struct {
-      char c;
+      char c; // expected-note{{}}
       char a[0x4000]; // expected-warning{{Field 'a' of type 'char[16384]' (size 16384) requires 8 byte alignment for precise bounds; field offset is 1}}
     } f2bad;
     struct {
@@ -27,9 +27,9 @@ struct S2 {
 };
 
 struct R2 {
-  char x[0x50];
-  struct S2 s2;
-  char c;
-  char a[0x8000]; // expected-warning{{Field 'a' of type 'char[32768]'}}
-  char y[32];
-};
+  char x[0x50]; // expected-note{{16/80}}
+  struct S2 s2; // expected-note{{32/32 bytes exposed (may expose capability!)}}
+  char c; // expected-note{{1}}
+  char a[0x20000]; // expected-warning{{Field 'a' of type 'char[131072]' (size 131072) requires 64 byte alignment for precise bounds; field offset is 113 (aligned to 1); Current bounds: 64-131200}}
+  char y[32]; // expected-note{{15/32}}
+};
