[CHERI_CSA] AllocationChecker: add ReportForUnknownAllocations option

Author: eupharina

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

@@ -1818,15 +1818,15 @@ def ProvenanceSourceChecker : Checker<"ProvenanceSource">,
 
 def CapabilityCopyChecker : Checker<"CapabilityCopy">,
   HelpText<"Check tag-stripping memory copy.">,
-    CheckerOptions<[
-      CmdLineOption<Boolean,
-                    "ReportForCharPtr",
-                    "Report tag-stripping copy for char* function parameters. "
-                    "Suppression of warnings for C-strings is used to reduce "
-                    "the number of false alarms, but it's not very reliable.",
-                    "false",
-                    Released>
-    ]>,
+  CheckerOptions<[
+    CmdLineOption<Boolean,
+                  "ReportForCharPtr",
+                  "Report tag-stripping copy for char* function parameters. "
+                  "Suppression of warnings for C-strings is used to reduce "
+                  "the number of false alarms, but it's not very reliable.",
+                  "false",
+                  Released>
+  ]>,
   Documentation<NotDocumented>;
 
 def PointerSizeAssumptionsChecker : Checker<"PointerSizeAssumptions">,
@@ -1843,6 +1843,13 @@ let ParentPackage = CHERIAlpha in {
 
 def AllocationChecker : Checker<"Allocation">,
   HelpText<"Suggest narrowing bounds for escaping suballocation capabilities">,
+  CheckerOptions<[
+    CmdLineOption<Boolean,
+                  "ReportForUnknownAllocations",
+                  "Report for pointers with untracked origin",
+                  "true",
+                  Released>
+  ]>,
   Documentation<NotDocumented>;
 
 } // end alpha.cheri

clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp

@@ -48,7 +48,7 @@ class AllocationChecker : public Checker<check::PostStmt<CastExpr>,
                                          check::Bind,
                                          check::EndFunction> {
   BugType BT_Default{this, "Allocation partitioning", "CHERI portability"};
-  BugType BT_KnownReg{this, "Heap or static allocation partitioning",
+  BugType BT_UnknownReg{this, "Unknown allocation partitioning",
                       "CHERI portability"};
 
   const CallDescriptionSet IgnoreFnSet = {
@@ -91,6 +91,8 @@ class AllocationChecker : public Checker<check::PostStmt<CastExpr>,
   void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
   void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
 
+  bool ReportForUnknownAllocations;
+
 private:
   ExplodedNode *emitAllocationPartitionWarning(CheckerContext &C,
                                                const MemRegion *MR,
@@ -122,7 +124,13 @@ std::pair<const MemRegion *, bool> getAllocationStart(const ASTContext &ASTCtx,
   return std::make_pair(R, ZeroShift);
 }
 
-bool isAllocation(const MemRegion *R) {
+bool isAllocation(const MemRegion *R, const AllocationChecker* Chk) {
+  if (!Chk->ReportForUnknownAllocations) {
+    const MemSpaceRegion *MemSpace = R->getMemorySpace();
+    if (!isa<HeapSpaceRegion, GlobalsSpaceRegion, StackSpaceRegion>(MemSpace))
+      return false;
+  }
+
   if (R->getAs<SymbolicRegion>())
     return true;
   if (const TypedValueRegion *TR = R->getAs<TypedValueRegion>()) {
@@ -187,12 +195,19 @@ ExplodedNode *AllocationChecker::emitAllocationPartitionWarning(
     CheckerContext &C, const MemRegion *MR, SourceRange SR,
     StringRef Msg = "") const {
   if (ExplodedNode *ErrNode = C.generateNonFatalErrorNode()) {
-    auto R = std::make_unique<PathSensitiveBugReport>(BT_Default, Msg, ErrNode);
-    R->addRange(SR);
-    R->markInteresting(MR);
 
     const MemRegion *PrevAlloc =
         getAllocationStart(C.getASTContext(), MR, C.getState()).first;
+    const MemSpaceRegion *MS =
+        PrevAlloc ? PrevAlloc->getMemorySpace() : MR->getMemorySpace();
+    const BugType &BT =
+        isa<HeapSpaceRegion, GlobalsSpaceRegion, StackSpaceRegion>(MS)
+            ? BT_Default
+            : BT_UnknownReg;
+    auto R = std::make_unique<PathSensitiveBugReport>(BT, Msg, ErrNode);
+    R->addRange(SR);
+    R->markInteresting(MR);
+
     R->addVisitor(std::make_unique<AllocPartitionBugVisitor>(
         PrevAlloc == MR ? nullptr : PrevAlloc, MR));
 
@@ -227,14 +242,10 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
       getAllocationStart(ASTCtx, MR, State);
 
   const MemRegion *SR = StartPair.first;
-  if (!isAllocation(SR))
+  if (!isAllocation(SR, this))
     return;
   bool ZeroShift = StartPair.second;
 
-  const MemSpaceRegion *MemSpace = SR->getMemorySpace();
-  if (!isa<HeapSpaceRegion, GlobalsSpaceRegion, StackSpaceRegion>(MemSpace))
-    return;
-
   SVal DstVal = C.getSVal(CE);
   const MemRegion *DMR = DstVal.getAsRegion();
   if (MR->getAs<ElementRegion>() && (!DMR || !DMR->getAs<ElementRegion>())) {
@@ -263,10 +274,14 @@ void AllocationChecker::checkPostStmt(const CastExpr *CE,
                             ->getUnqualifiedDesugaredType();
       const Type *Ty2 = DstTy->getPointeeType()->getUnqualifiedDesugaredType();
       if (!relatedTypes(ASTCtx, Ty1, Ty2)) {
-        State = State->add<SuballocationSet>(SR);
-        if (DMR)
+        if (!State->contains<SuballocationSet>(SR)) {
+          State = State->add<SuballocationSet>(SR);
+          Updated = true;
+        }
+        if (DMR && !State->contains<SuballocationSet>(DMR)) {
           State = State->add<SuballocationSet>(DMR);
-        Updated = true;
+          Updated = true;
+        }
       } // else OK
     } // else ??? (ignore for now)
   } else {
@@ -423,7 +438,10 @@ PathDiagnosticPieceRef AllocationChecker::AllocPartitionBugVisitor::VisitNode(
 //===----------------------------------------------------------------------===//
 
 void ento::registerAllocationChecker(CheckerManager &Mgr) {
-  Mgr.registerChecker<AllocationChecker>();
+  auto *Checker = Mgr.registerChecker<AllocationChecker>();
+  Checker->ReportForUnknownAllocations =
+      Mgr.getAnalyzerOptions().getCheckerBooleanOption(
+          Checker, "ReportForUnknownAllocations");
 }
 
 bool ento::shouldRegisterAllocationChecker(const CheckerManager &Mgr) {

clang/test/Analysis/analyzer-config.c

@@ -4,6 +4,7 @@
 // CHECK:      [config]
 // CHECK-NEXT: add-pop-up-notes = true
 // CHECK-NEXT: aggressive-binary-operation-simplification = false
+// CHECK-NEXT: alpha.cheri.Allocation:ReportForUnknownAllocations = true
 // CHECK-NEXT: alpha.clone.CloneChecker:IgnoredFilesPattern = ""
 // CHECK-NEXT: alpha.clone.CloneChecker:MinimumCloneComplexity = 50
 // CHECK-NEXT: alpha.clone.CloneChecker:ReportNormalClones = true