Merge CHERI clang static analyzers from rems-project/llvm-project

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

@@ -124,6 +124,9 @@ def FuchsiaAlpha : Package<"fuchsia">, ParentPackage<Alpha>;
 def WebKit : Package<"webkit">;
 def WebKitAlpha : Package<"webkit">, ParentPackage<Alpha>;
 
+def CHERI : Package<"cheri">;
+def CHERIAlpha : Package<"cheri">, ParentPackage<Alpha>;
+
 //===----------------------------------------------------------------------===//
 // Core Checkers.
 //===----------------------------------------------------------------------===//
@@ -1671,6 +1674,10 @@ def UnixAPIPortabilityChecker : Checker<"UnixAPI">,
   HelpText<"Finds implementation-defined behavior in UNIX/Posix functions">,
   Documentation<NotDocumented>;
 
+def PointerAlignmentChecker : Checker<"PointerAlignment">,
+                              HelpText<"Check underaligned pointers.">,
+                              Documentation<NotDocumented>;
+
 } // end optin.portability
 
 
@@ -1780,3 +1787,66 @@ def UncheckedLocalVarsChecker : Checker<"UncheckedLocalVarsChecker">,
   Documentation<HasDocumentation>;
 
 } // end alpha.webkit
+
+//===----------------------------------------------------------------------===//
+// CHERI checkers.
+//===----------------------------------------------------------------------===//
+
+let ParentPackage = CHERI in {
+
+  def CheriAPIModelling : Checker<"CheriAPIModelling">,
+                          HelpText<"Model CheriAPI">,
+                          Documentation<NotDocumented>;
+
+  def ProvenanceSourceChecker
+      : Checker<"ProvenanceSource">,
+        HelpText<"Check expressions with ambiguous provenance source.">,
+        CheckerOptions<
+            [CmdLineOption<Boolean, "ShowFixIts",
+                           "Enable fix-it hints for this checker", "false",
+                           InAlpha>,
+             CmdLineOption<
+                 Boolean, "ReportForAmbiguousProvenance",
+                 "Report for binary operations with ambiguous provenance "
+                 "for which the default capability derivation from LHS is "
+                 "fine. "
+                 "Disabled if [-Wcheri-provenance] is disabled.",
+                 "true", Released>]>,
+        Documentation<NotDocumented>;
+
+  def CapabilityCopyChecker
+      : Checker<"CapabilityCopy">,
+        HelpText<"Check tag-stripping memory copy.">,
+        CheckerOptions<[CmdLineOption<
+            Boolean, "ReportForCharPtr",
+            "Report tag-stripping copy for char* function parameters. "
+            "Suppression of warnings for C-strings is used to reduce "
+            "the number of false alarms, but it's not very reliable.",
+            "false", Released>]>,
+        Documentation<NotDocumented>;
+
+  def PointerSizeAssumptionsChecker
+      : Checker<"PointerSizeAssumptions">,
+        HelpText<"Detect hardcoded expectations on pointer sizes">,
+        Documentation<NotDocumented>;
+
+  def SubObjectRepresentabilityChecker
+      : Checker<"SubObjectRepresentability">,
+        HelpText<
+            "Check for record fields with unrepresentable subobject bounds">,
+        Documentation<NotDocumented>;
+
+} // end cheri
+
+let ParentPackage = CHERIAlpha in {
+
+  def AllocationChecker
+      : Checker<"Allocation">,
+        HelpText<
+            "Suggest narrowing bounds for escaping suballocation capabilities">,
+        CheckerOptions<[CmdLineOption<
+            Boolean, "ReportForUnknownAllocations",
+            "Report for pointers with untracked origin", "true", Released>]>,
+        Documentation<NotDocumented>;
+
+} // end alpha.cheri

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

@@ -776,9 +776,11 @@ inline SVal ProgramState::getLValue(const ObjCIvarDecl *D, SVal Base) const {
   return getStateManager().StoreMgr->getLValueIvar(D, Base);
 }
 
-inline SVal ProgramState::getLValue(QualType ElementType, SVal Idx, SVal Base) const{
+inline SVal ProgramState::getLValue(QualType ElementType, SVal Idx,
+                                    SVal Base) const {
   if (std::optional<NonLoc> N = Idx.getAs<NonLoc>())
-    return getStateManager().StoreMgr->getLValueElement(ElementType, *N, Base);
+    return getStateManager().StoreMgr->getLValueElement(this, ElementType, *N,
+                                                        Base);
   return UnknownVal();
 }
 

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

@@ -324,7 +324,10 @@ class SValBuilder {
     return nonloc::ConcreteInt(BasicVals.getValue(integer, ptrType));
   }
 
-  NonLoc makeLocAsInteger(Loc loc, unsigned bits) {
+  NonLoc makeLocAsInteger(Loc loc, unsigned bits, bool hasProvenance) {
+    assert((bits & ~255) == 0);
+    if (hasProvenance)
+      bits |= 256;
     return nonloc::LocAsInteger(BasicVals.getPersistentSValWithData(loc, bits));
   }
 

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h

@@ -326,7 +326,13 @@ class LocAsInteger : public NonLoc {
   }
 
   unsigned getNumBits() const {
-    return castDataAs<std::pair<SVal, uintptr_t>>()->second;
+    return castDataAs<std::pair<SVal, uintptr_t>>()->second & 255;
+  }
+
+  bool hasProvenance() const {
+    const std::pair<SVal, uintptr_t> *D =
+        castDataAs<std::pair<SVal, uintptr_t>>();
+    return D->second & 256;
   }
 
   static bool classof(SVal V) { return V.getKind() == LocAsIntegerKind; }

clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h

@@ -147,7 +147,8 @@ class StoreManager {
     return getLValueFieldOrIvar(D, Base);
   }
 
-  virtual SVal getLValueElement(QualType elementType, NonLoc offset, SVal Base);
+  virtual SVal getLValueElement(ProgramStateRef State, QualType elementType,
+                                NonLoc offset, SVal Base);
 
   /// ArrayToPointer - Used by ExprEngine::VistCast to handle implicit
   ///  conversions between arrays and pointers.

clang/lib/AST/ASTContext.cpp

@@ -12112,6 +12112,9 @@ unsigned ASTContext::getIntWidth(QualType T) const {
   if (Target->SupportsCapabilities()) {
     if (T->isPointerType() && T->getAs<PointerType>()->isCHERICapability())
       return Target->getPointerRangeForCHERICapability();
+    if (T->isReferenceType() && T->getAs<ReferenceType>()->isCHERICapability()) {
+      return Target->getPointerRangeForCHERICapability();
+    }
     if (T->isIntCapType())
       return Target->getPointerRangeForCHERICapability();
     // This assertion is correct but breaks some static analyser code paths

clang/lib/Driver/ToolChains/Clang.cpp

@@ -66,6 +66,7 @@
 #include "llvm/TargetParser/RISCVISAInfo.h"
 #include "llvm/TargetParser/RISCVTargetParser.h"
 #include <cctype>
+#include <clang/Basic/DiagnosticSema.h>
 
 using namespace clang::driver;
 using namespace clang::driver::tools;
@@ -3570,7 +3571,8 @@ static void RenderFloatingPointOptions(const ToolChain &TC, const Driver &D,
 
 static void RenderAnalyzerOptions(const ArgList &Args, ArgStringList &CmdArgs,
                                   const llvm::Triple &Triple,
-                                  const InputInfo &Input) {
+                                  const InputInfo &Input,
+                                  DiagnosticsEngine &Diags) {
   // Add default argument set.
   if (!Args.hasArg(options::OPT__analyzer_no_default_checks)) {
     CmdArgs.push_back("-analyzer-checker=core");
@@ -3616,6 +3618,26 @@ static void RenderAnalyzerOptions(const ArgList &Args, ArgStringList &CmdArgs,
       CmdArgs.push_back("-analyzer-checker=security.insecureAPI.vfork");
     }
 
+    if (Triple.getEnvironment() == llvm::Triple::CheriPurecap ||
+        // FIXME: checks below should eventually become unreachable when
+        // Triple is updated to purecap in ToolChain constructor
+        (Triple.isMIPS() && tools::mips::hasMipsAbiArg(Args, "purecap")) ||
+        (Triple.isRISCV() && tools::riscv::isCheriPurecap(Args, Triple))) {
+      CmdArgs.push_back("-analyzer-checker=cheri");
+
+      // disable AmbiguousProvenance war if [-Wcheri-provenance] is disabled
+      if (Diags.getDiagnosticLevel(
+              diag::warn_ambiguous_provenance_capability_binop,
+              SourceLocation()) < DiagnosticsEngine::Warning) {
+        CmdArgs.push_back("-analyzer-config");
+        CmdArgs.push_back(
+            "cheri.ProvenanceSource:ReportForAmbiguousProvenance=false");
+      }
+
+      CmdArgs.push_back("-analyzer-checker=optin.portability.PointerAlignment");
+      CmdArgs.push_back("-analyzer-checker=alpha.core.PointerSub");
+    }
+
     // Default nullability checks.
     CmdArgs.push_back("-analyzer-checker=nullability.NullPassedToNonnull");
     CmdArgs.push_back("-analyzer-checker=nullability.NullReturnedFromNonnull");
@@ -5705,7 +5727,7 @@ void Clang::ConstructJob(Compilation &C, const JobAction &JA,
     CmdArgs.push_back("-DUNICODE");
 
   if (isa<AnalyzeJobAction>(JA))
-    RenderAnalyzerOptions(Args, CmdArgs, Triple, Input);
+    RenderAnalyzerOptions(Args, CmdArgs, Triple, Input, D.getDiags());
 
   if (isa<AnalyzeJobAction>(JA) ||
       (isa<PreprocessJobAction>(JA) && Args.hasArg(options::OPT__analyze)))