[CHERI_CSA] AllocationChecker: rework

Author: eupharina

clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp

@@ -18,61 +18,82 @@
 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
 
 using namespace clang;
 using namespace ento;
 using namespace cheri;
 
-namespace {
+struct EscapeInfo {
+  PointerEscapeKind Kind;
+  EscapeInfo(PointerEscapeKind K) : Kind(K) {};
+  bool operator==(const EscapeInfo &X) const { return Kind == X.Kind; }
+  void Profile(llvm::FoldingSetNodeID &ID) const { ID.AddInteger(Kind); }
+};
+using EscapePair = std::pair<const MemRegion *, EscapeInfo>;
 
-class AllocationChecker : public Checker<check::PostStmt<CastExpr>> {
+namespace {
+class AllocationChecker
+    : public Checker<check::PostStmt<CastExpr>, check::PreCall, check::Bind,
+                     check::EndFunction> {
   BugType BT_Default{this, "Allocation partitioning", "CHERI portability"};
   BugType BT_KnownReg{this, "Heap or static allocation partitioning",
                       "CHERI portability"};
 
   class AllocPartitionBugVisitor : public BugReporterVisitor {
   public:
-    AllocPartitionBugVisitor(const MemRegion *R) : Reg(R) {}
+    AllocPartitionBugVisitor(const MemRegion *P, const MemRegion *A)
+        : PrevAlloc(P), SubAlloc(A) {}
 
     void Profile(llvm::FoldingSetNodeID &ID) const override {
       static int X = 0;
       ID.AddPointer(&X);
-      ID.AddPointer(Reg);
+      ID.AddPointer(PrevAlloc);
+      ID.AddPointer(SubAlloc);
     }
 
     PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                      BugReporterContext &BRC,
                                      PathSensitiveBugReport &BR) override;
 
   private:
-    const MemRegion *Reg;
+    const MemRegion *PrevAlloc;
+    const MemRegion *SubAlloc;
+    bool PrevReported = false;
   };
 
 public:
   void checkPostStmt(const CastExpr *CE, CheckerContext &C) const;
+  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
+  void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
+  void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
 
 private:
-  ExplodedNode *emitAllocationPartitionWarning(const CastExpr *CE,
-                                               CheckerContext &C,
-                                               const MemRegion *R) const;
+  ExplodedNode *emitAllocationPartitionWarning(CheckerContext &C,
+                                               const MemRegion *MR,
+                                               SourceRange SR,
+                                               StringRef Msg) const;
 };
 
 } // namespace
 
 REGISTER_MAP_WITH_PROGRAMSTATE(AllocMap, const MemRegion *, QualType)
 REGISTER_MAP_WITH_PROGRAMSTATE(ShiftMap, const MemRegion *, const MemRegion *)
+REGISTER_SET_WITH_PROGRAMSTATE(SuballocationSet, const MemRegion *)
 
 namespace {
-std::pair<const MemRegion *, bool> getAllocationStart(const MemRegion *R,
-                                                      CheckerContext &C,
+std::pair<const MemRegion *, bool> getAllocationStart(const ASTContext &ASTCtx,
+                                                      const MemRegion *R,
+                                                      ProgramStateRef State,
                                                       bool ZeroShift = true) {
   if (const ElementRegion *ER = R->getAs<ElementRegion>()) {
     const MemRegion *Base = ER->getSuperRegion();
-    return getAllocationStart(Base, C, ER->getIndex().isZeroConstant());
+    return getAllocationStart(ASTCtx, Base, State,
+                              ZeroShift && ER->getIndex().isZeroConstant());
   }
-  if (auto OrigR = C.getState()->get<ShiftMap>(R)) {
+  if (const auto *OrigR = State->get<ShiftMap>(R)) {
     return std::make_pair(*OrigR, false);
   }
   return std::make_pair(R, ZeroShift);
@@ -87,17 +108,22 @@ bool isAllocation(const MemRegion *R) {
   return false;
 }
 
-bool relatedTypes(const Type *Ty1, const Type *Ty2) {
+bool relatedTypes(const ASTContext &ASTCtx, const Type *Ty1, const Type *Ty2) {
   if (Ty1 == Ty2)
     return true;
+  if (Ty1->isIntegerType()) {
+    if (Ty2->isIntegerType())
+      return ASTCtx.getTypeSize(Ty1) == ASTCtx.getTypeSize(Ty2);
+    return false;
+  }
   if (Ty1->isArrayType())
-    return relatedTypes(Ty1->getArrayElementTypeNoTypeQual(), Ty2);
+    return relatedTypes(ASTCtx, Ty1->getArrayElementTypeNoTypeQual(), Ty2);
   if (Ty1->isRecordType()) {
     if (RecordDecl *RD = Ty1->getAs<RecordType>()->getAsRecordDecl()) {
       const RecordDecl::field_iterator &FirstField = RD->field_begin();
       if (FirstField != RD->field_end()) {
         const Type *FFTy = FirstField->getType()->getUnqualifiedDesugaredType();
-        return relatedTypes(FFTy, Ty2);
+        return relatedTypes(ASTCtx, FFTy, Ty2);
       }
     }
   }
@@ -109,8 +135,11 @@ bool reportForType(QualType Ty) {
     return false;
   if (Ty->isPointerType() || Ty->isArrayType()) {
     const Type *PTy = Ty->getPointeeOrArrayElementType();
+    PTy = PTy->getUnqualifiedDesugaredType();
     if (PTy->isCharType())
       return false;
+    if (PTy->isPointerType())
+      return false;
     if (PTy->isStructureTypeWithFlexibleArrayMember())
       return false;
     return true;
@@ -132,17 +161,24 @@ std::optional<QualType> getPrevType(ProgramStateRef State, const MemRegion *R) {
 } // namespace
 
 ExplodedNode *AllocationChecker::emitAllocationPartitionWarning(
-    const CastExpr *CE, CheckerContext &C, const MemRegion *MR) const {
+    CheckerContext &C, const MemRegion *MR, SourceRange SR,
+    StringRef Msg = "") const {
   if (ExplodedNode *ErrNode = C.generateNonFatalErrorNode()) {
-    SmallString<256> Buf;
-    llvm::raw_svector_ostream OS(Buf);
-    OS << "Allocation partition: ";
-    describeCast(OS, CE, C.getASTContext().getLangOpts());
-    const MemSpaceRegion *MemSpace = MR->getMemorySpace();
-    bool KnownReg = isa<HeapSpaceRegion, GlobalsSpaceRegion>(MemSpace);
-    auto R = std::make_unique<PathSensitiveBugReport>(
-        KnownReg ? BT_KnownReg : BT_Default, OS.str(), ErrNode);
-    R->addVisitor(std::make_unique<AllocPartitionBugVisitor>(MR));
+    auto R = std::make_unique<PathSensitiveBugReport>(BT_Default, Msg, ErrNode);
+    R->addRange(SR);
+    R->markInteresting(MR);
+
+    const MemRegion *PrevAlloc =
+        getAllocationStart(C.getASTContext(), MR, C.getState()).first;
+    R->addVisitor(std::make_unique<AllocPartitionBugVisitor>(
+        PrevAlloc == MR ? nullptr : PrevAlloc, MR));
+
+    if (const DeclRegion *PrevDecl = getAllocationDecl(PrevAlloc)) {
+      auto DeclLoc = PathDiagnosticLocation::create(PrevDecl->getDecl(),
+                                                    C.getSourceManager());
+      R->addNote("Original allocation", DeclLoc);
+    }
+
     C.emitReport(std::move(R));
     return ErrNode;
   }
@@ -157,13 +193,16 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
   const MemRegion *MR = SrcVal.getAsRegion();
   if (!MR)
     return;
-  if (MR->getMemorySpace()->getKind() == MemSpaceRegion::CodeSpaceRegionKind)
+  const MemSpaceRegion *MemSpace = MR->getMemorySpace();
+  if (!isa<HeapSpaceRegion, GlobalsSpaceRegion, StackSpaceRegion>(MemSpace))
     return;
 
+  const ASTContext &ASTCtx = C.getASTContext();
   ProgramStateRef State = C.getState();
   bool Updated = false;
 
-  std::pair<const MemRegion *, bool> StartPair = getAllocationStart(MR, C);
+  std::pair<const MemRegion *, bool> StartPair =
+      getAllocationStart(ASTCtx, MR, State);
   const MemRegion *SR = StartPair.first;
   if (!isAllocation(SR))
     return;
@@ -196,9 +235,11 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
                             ->getPointeeOrArrayElementType()
                             ->getUnqualifiedDesugaredType();
       const Type *Ty2 = DstTy->getPointeeType()->getUnqualifiedDesugaredType();
-      if (!relatedTypes(Ty1, Ty2)) {
-        emitAllocationPartitionWarning(CE, C, SR);
-        return;
+      if (!relatedTypes(ASTCtx, Ty1, Ty2)) {
+        State = State->add<SuballocationSet>(SR);
+        if (DMR)
+          State = State->add<SuballocationSet>(DMR);
+        Updated = true;
       } // else OK
     } // else ??? (ignore for now)
   } else {
@@ -210,29 +251,129 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
     C.addTransition(State);
 }
 
+void AllocationChecker::checkPreCall(const CallEvent &Call,
+                                     CheckerContext &C) const {
+  ProgramStateRef State = C.getState();
+  ExplodedNode *N = nullptr;
+  bool Updated = false;
+  for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
+    const Expr *ArgExpr = Call.getArgExpr(Arg);
+    if (const MemRegion *MR = C.getSVal(ArgExpr).getAsRegion()) {
+      if (State->contains<SuballocationSet>(MR)) {
+        SmallString<256> Buf;
+        llvm::raw_svector_ostream OS(Buf);
+        OS << "Pointer to suballocation passed to function as " << (Arg + 1);
+        if (Arg + 1 < 11) {
+          switch (Arg + 1) {
+          case 1:
+            OS << "st";
+            break;
+          case 2:
+            OS << "nd";
+            break;
+          case 3:
+            OS << "rd";
+            break;
+          default:
+            OS << "th";
+            break;
+          }
+        }
+
+        OS << " argument";
+        OS << " (consider narrowing the bounds for suballocation)";
+        N = emitAllocationPartitionWarning(C, MR, ArgExpr->getSourceRange(),
+                                           OS.str());
+        if (N) {
+          State = State->remove<SuballocationSet>(MR);
+          Updated = true;
+        }
+      }
+    }
+  }
+  if (Updated)
+    C.addTransition(State, N ? N : C.getPredecessor());
+}
+
+void AllocationChecker::checkBind(SVal L, SVal V, const Stmt *S,
+                                  CheckerContext &C) const {
+  const MemRegion *Dst = L.getAsRegion();
+  if (!Dst || !isa<FieldRegion>(Dst))
+    return;
+
+  ProgramStateRef State = C.getState();
+  const MemRegion *Val = V.getAsRegion();
+  if (Val && State->contains<SuballocationSet>(Val)) {
+    ExplodedNode *N = emitAllocationPartitionWarning(
+        C, Val, S->getSourceRange(),
+        "Pointer to suballocation escaped on assign"
+        " (consider narrowing the bounds for suballocation)");
+    if (N) {
+      State = State->remove<SuballocationSet>(Val);
+      C.addTransition(State, N);
+    }
+    return;
+  }
+}
+
+void AllocationChecker::checkEndFunction(const ReturnStmt *RS,
+                                         CheckerContext &C) const {
+  if (!RS)
+    return;
+  const Expr *RV = RS->getRetValue();
+  if (!RV)
+    return;
+
+  llvm::SmallVector<EscapePair, 2> Escaped;
+  if (const MemRegion *MR = C.getSVal(RV).getAsRegion()) {
+    if (C.getState()->contains<SuballocationSet>(MR)) {
+      ExplodedNode *N = emitAllocationPartitionWarning(
+          C, MR, RS->getSourceRange(),
+          "Pointer to suballocation returned from function"
+          " (consider narrowing the bounds for suballocation)");
+      if (N) {
+        ProgramStateRef State = N->getState()->remove<SuballocationSet>(MR);
+        C.addTransition(State, N);
+      }
+      return;
+    }
+  }
+}
+
 PathDiagnosticPieceRef AllocationChecker::AllocPartitionBugVisitor::VisitNode(
     const ExplodedNode *N, BugReporterContext &BRC,
     PathSensitiveBugReport &BR) {
   const Stmt *S = N->getStmtForDiagnostics();
   if (!S)
     return nullptr;
 
-  const CastExpr *CE = dyn_cast<CastExpr>(S);
-  if (!CE || CE->getCastKind() != CK_BitCast)
-    return nullptr;
-
-  if (Reg != N->getSVal(CE->getSubExpr()).getAsRegion())
-    return nullptr;
+  if (const CastExpr *CE = dyn_cast<CastExpr>(S)) {
+    if (CE->getCastKind() != CK_BitCast)
+      return nullptr;
 
-  SmallString<256> Buf;
-  llvm::raw_svector_ostream OS(Buf);
-  OS << "Previous partition: ";
-  describeCast(OS, CE, BRC.getASTContext().getLangOpts());
+    SmallString<256> Buf;
+    llvm::raw_svector_ostream OS(Buf);
 
-  // Generate the extra diagnostic.
-  PathDiagnosticLocation const Pos(S, BRC.getSourceManager(),
-                                   N->getLocationContext());
-  return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);
+    if (!PrevReported && PrevAlloc &&
+        PrevAlloc == N->getSVal(CE->getSubExpr()).getAsRegion()) {
+      OS << "Previous partition: ";
+      PrevReported = true;
+    } else if (SubAlloc == N->getSVal(CE).getAsRegion() &&
+               N->getState()->contains<SuballocationSet>(SubAlloc) &&
+               !N->getFirstPred()->getState()->contains<SuballocationSet>(
+                   SubAlloc)) {
+      OS << "Allocation partition: ";
+    } else
+      return nullptr;
+
+    describeCast(OS, CE, BRC.getASTContext().getLangOpts());
+    PathDiagnosticLocation const Pos(S, BRC.getSourceManager(),
+                                     N->getLocationContext());
+    auto Ev = std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);
+    Ev->setPrunable(false);
+    return Ev;
+  }
+  return nullptr;
 }
 
 //===----------------------------------------------------------------------===//

clang/lib/StaticAnalyzer/Checkers/CHERI/CHERIUtils.cpp

@@ -53,17 +53,16 @@ bool hasCapability(const QualType OrigTy, ASTContext &Ctx) {
 }
 
 namespace {
+
 void printType(raw_ostream &OS, const QualType &Ty, const PrintingPolicy &PP) {
-  OS << "'";
-  Ty.print(OS, PP);
-  OS << "'";
-  const QualType &CanTy = Ty.getCanonicalType();
-  if (CanTy != Ty) {
-    OS << " (aka '";
-    CanTy.print(OS, PP);
-    OS << "')";
+  std::string TyStr = Ty.getAsString(PP);
+  OS << "'" << TyStr << "'";
+  std::string CanTyStr = Ty.getCanonicalType().getAsString(PP);
+  if (CanTyStr != TyStr) {
+    OS << " (aka '" << CanTyStr << "')";
   }
 }
+
 } // namespace
 
 void describeCast(raw_ostream &OS, const CastExpr *CE,
@@ -76,6 +75,14 @@ void describeCast(raw_ostream &OS, const CastExpr *CE,
   printType(OS, CE->getType(), PP);
 }
 
+const DeclRegion *getAllocationDecl(const MemRegion *MR) {
+  if (const DeclRegion *DR = MR->getAs<DeclRegion>())
+    return DR;
+  if (const ElementRegion *ER = MR->getAs<ElementRegion>())
+    return getAllocationDecl(ER->getSuperRegion());
+  return nullptr;
+}
+
 } // namespace cheri
 } // namespace ento
 } // namespace clang

clang/lib/StaticAnalyzer/Checkers/CHERI/CHERIUtils.h

@@ -30,6 +30,8 @@ bool hasCapability(const QualType OrigTy, ASTContext &Ctx);
 void describeCast(raw_ostream &OS, const CastExpr *CE,
                   const LangOptions &LangOpts);
 
+const DeclRegion *getAllocationDecl(const MemRegion *MR);
+
 } // namespace cheri
 } // namespace ento
 } // namespace clang