GCC Middle and Back End API Reference
sm.h
Go to the documentation of this file.
1/* Modeling API uses and misuses via state machines.
2 Copyright (C) 2019-2024 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
4
5This file is part of GCC.
6
7GCC is free software; you can redistribute it and/or modify it
8under the terms of the GNU General Public License as published by
9the Free Software Foundation; either version 3, or (at your option)
10any later version.
11
12GCC is distributed in the hope that it will be useful, but
13WITHOUT ANY WARRANTY; without even the implied warranty of
14MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15General Public License for more details.
16
17You should have received a copy of the GNU General Public License
18along with GCC; see the file COPYING3. If not see
19<http://www.gnu.org/licenses/>. */
20
21#ifndef GCC_ANALYZER_SM_H
22#define GCC_ANALYZER_SM_H
23
24/* Utility functions for use by state machines. */
25
26namespace ana {
27
28class state_machine;
29class sm_context;
30class pending_diagnostic;
31
32extern bool any_pointer_p (tree expr);
33extern bool any_pointer_p (const svalue *sval);
34
35/* An abstract base class for a state machine describing an API.
36 Manages a set of state objects, and has various virtual functions
37 for pattern-matching on statements. */
38
39class state_machine : public log_user
40{
41public:
42 /* States are represented by immutable objects, owned by the state
43 machine. */
44 class state
45 {
46 public:
47 state (const char *name, unsigned id) : m_name (name), m_id (id) {}
48 virtual ~state () {}
49
50 const char *get_name () const { return m_name; }
51 virtual void dump_to_pp (pretty_printer *pp) const;
52 virtual json::value *to_json () const;
53
54 unsigned get_id () const { return m_id; }
55
56 private:
57 const char *m_name;
58 unsigned m_id;
59 };
60 typedef const state_machine::state *state_t;
61
62 state_machine (const char *name, logger *logger);
63 virtual ~state_machine () {}
64
65 /* Should states be inherited from a parent region to a child region,
66 when first accessing a child region?
67 For example we should inherit the taintedness of a subregion,
68 but we should not inherit the "malloc:non-null" state of a field
69 within a heap-allocated struct. */
70 virtual bool inherited_state_p () const = 0;
71
72 /* A vfunc for more general handling of inheritance. */
73 virtual state_t
74 alt_get_inherited_state (const sm_state_map &,
75 const svalue *,
76 const extrinsic_state &) const
77 {
78 return NULL;
79 }
80
81 virtual bool
82 has_alt_get_inherited_state_p () const
83 {
84 return false;
85 }
86
87 virtual state_machine::state_t get_default_state (const svalue *) const
88 {
89 return m_start;
90 }
91
92 const char *get_name () const { return m_name; }
93
94 state_t get_state_by_name (const char *name) const;
95
96 /* Return true if STMT is a function call recognized by this sm. */
97 virtual bool on_stmt (sm_context *sm_ctxt,
98 const supernode *node,
99 const gimple *stmt) const = 0;
100
101 virtual void on_phi (sm_context *sm_ctxt ATTRIBUTE_UNUSED,
102 const supernode *node ATTRIBUTE_UNUSED,
103 const gphi *phi ATTRIBUTE_UNUSED,
104 tree rhs ATTRIBUTE_UNUSED) const
105 {
106 }
107
108 virtual void on_condition (sm_context *sm_ctxt ATTRIBUTE_UNUSED,
109 const supernode *node ATTRIBUTE_UNUSED,
110 const gimple *stmt ATTRIBUTE_UNUSED,
111 const svalue *lhs ATTRIBUTE_UNUSED,
112 enum tree_code op ATTRIBUTE_UNUSED,
113 const svalue *rhs ATTRIBUTE_UNUSED) const
114 {
115 }
116
117 virtual void
125
126 virtual void
131
132 /* Return true if it safe to discard the given state (to help
133 when simplifying state objects).
134 States that need leak detection should return false. */
135 virtual bool can_purge_p (state_t s) const = 0;
136
137 /* Called when VAR leaks (and !can_purge_p). */
138 virtual std::unique_ptr<pending_diagnostic>
139 on_leak (tree var ATTRIBUTE_UNUSED) const;
140
141 /* Return true if S should be reset to "start" for values passed (or reachable
142 from) calls to unknown functions. IS_MUTABLE is true for pointers as
143 non-const, false if only passed as const-pointers.
144
145 For example, in sm-malloc.cc, an on-stack ptr doesn't stop being
146 stack-allocated when passed to an unknown fn, but a malloc-ed pointer
147 could be freed when passed to an unknown fn (unless passed as "const"). */
148 virtual bool reset_when_passed_to_unknown_fn_p (state_t s ATTRIBUTE_UNUSED,
149 bool is_mutable) const
150 {
151 return is_mutable;
152 }
153
154 /* Attempt to get a state for the merger of STATE_A and STATE_B,
155 or return NULL if merging shouldn't occur, so that differences
156 between sm-state will lead to separate exploded nodes.
157
158 Most state machines will only merge equal states, but can
159 override maybe_get_merged_states_nonequal to support mergers
160 of certain non-equal states. */
168
169 /* Base implementation of hook for maybe_get_merged_state on non-equal
170 states. */
171 virtual state_t
172 maybe_get_merged_states_nonequal (state_t state_a ATTRIBUTE_UNUSED,
173 state_t state_b ATTRIBUTE_UNUSED) const
174 {
175 /* By default, non-equal sm states should inhibit merger of enodes. */
176 return NULL;
177 }
178
179 void validate (state_t s) const;
180
181 void dump_to_pp (pretty_printer *pp) const;
182
183 json::object *to_json () const;
184
185 state_t get_start_state () const { return m_start; }
186
187protected:
188 state_t add_state (const char *name);
189 state_t add_custom_state (state *s)
190 {
191 m_states.safe_push (s);
192 return s;
193 }
194
195 unsigned alloc_state_id () { return m_next_state_id++; }
196
197private:
198 DISABLE_COPY_AND_ASSIGN (state_machine);
199
200 const char *m_name;
201
202 /* States are owned by the state_machine. */
203 auto_delete_vec<state> m_states;
204
205 unsigned m_next_state_id;
206
207protected:
208 /* Must be inited after m_next_state_id. */
209 state_t m_start;
210};
211
212/* Abstract base class for state machines to pass to
213 sm_context::on_custom_transition for handling non-standard transitions
214 (e.g. adding a node and edge to simulate registering a callback and having
215 the callback be called later). */
216
217class custom_transition
218{
219public:
220 virtual ~custom_transition () {}
221 virtual void impl_transition (exploded_graph *eg,
222 exploded_node *src_enode,
223 int sm_idx) = 0;
224};
225
226/* Abstract base class giving an interface for the state machine to call
227 the checker engine, at a particular stmt. */
228
229class sm_context
230{
231public:
232 virtual ~sm_context () {}
233
234 /* Get the fndecl used at call, or NULL_TREE.
235 Use in preference to gimple_call_fndecl (and gimple_call_addr_fndecl),
236 since it can look through function pointer assignments and
237 other callback handling. */
238 virtual tree get_fndecl_for_call (const gcall *call) = 0;
239
240 /* Get the old state of VAR at STMT. */
241 virtual state_machine::state_t get_state (const gimple *stmt,
242 tree var) = 0;
243 virtual state_machine::state_t get_state (const gimple *stmt,
244 const svalue *) = 0;
245 /* Set the next state of VAR to be TO, recording the "origin" of the
246 state as ORIGIN.
247 Use STMT for location information. */
248 virtual void set_next_state (const gimple *stmt,
249 tree var,
250 state_machine::state_t to,
251 tree origin = NULL_TREE) = 0;
252 virtual void set_next_state (const gimple *stmt,
253 const svalue *var,
254 state_machine::state_t to,
255 tree origin = NULL_TREE) = 0;
256
257 /* Called by state_machine in response to pattern matches:
258 if VAR is in state FROM, transition it to state TO, potentially
259 recording the "origin" of the state as ORIGIN.
260 Use NODE and STMT for location information. */
261 void on_transition (const supernode *node ATTRIBUTE_UNUSED,
262 const gimple *stmt,
263 tree var,
264 state_machine::state_t from,
265 state_machine::state_t to,
266 tree origin = NULL_TREE)
267 {
268 state_machine::state_t current = get_state (stmt, var);
269 if (current == from)
270 set_next_state (stmt, var, to, origin);
271 }
272
273 void on_transition (const supernode *node ATTRIBUTE_UNUSED,
274 const gimple *stmt,
275 const svalue *var,
276 state_machine::state_t from,
277 state_machine::state_t to,
278 tree origin = NULL_TREE)
279 {
280 state_machine::state_t current = get_state (stmt, var);
281 if (current == from)
282 set_next_state (stmt, var, to, origin);
283 }
284
285 /* Called by state_machine in response to pattern matches:
286 issue a diagnostic D using NODE and STMT for location information. */
287 virtual void warn (const supernode *node, const gimple *stmt,
288 tree var,
289 std::unique_ptr<pending_diagnostic> d) = 0;
290 virtual void warn (const supernode *node, const gimple *stmt,
291 const svalue *var,
292 std::unique_ptr<pending_diagnostic> d) = 0;
293
294 /* For use when generating trees when creating pending_diagnostics, so that
295 rather than e.g.
296 "double-free of '<unknown>'"
297 we can print:
298 "double-free of 'inbuf.data'". */
299 virtual tree get_diagnostic_tree (tree expr)
300 {
301 return expr;
302 }
303 virtual tree get_diagnostic_tree (const svalue *) = 0;
304
305 virtual state_machine::state_t get_global_state () const = 0;
306 virtual void set_global_state (state_machine::state_t) = 0;
307
308 virtual void clear_all_per_svalue_state () = 0;
309
310 /* A vfunc for handling custom transitions, such as when registering
311 a signal handler. */
312 virtual void on_custom_transition (custom_transition *transition) = 0;
313
314 /* If STMT is an assignment known to assign zero to its LHS, return
315 the LHS.
316 Otherwise return NULL_TREE. */
317 virtual tree is_zero_assignment (const gimple *stmt) = 0;
318
319 virtual path_context *get_path_context () const
320 {
321 return NULL;
322 }
323
324 /* Are we handling an external function with unknown side effects? */
325 virtual bool unknown_side_effects_p () const { return false; }
326
327 virtual const program_state *get_old_program_state () const = 0;
328 virtual const program_state *get_new_program_state () const = 0;
329
330 const region_model *get_old_region_model () const;
331
332protected:
333 sm_context (int sm_idx, const state_machine &sm)
334 : m_sm_idx (sm_idx), m_sm (sm) {}
335
336 int m_sm_idx;
337 const state_machine &m_sm;
338};
339
340
341/* The various state_machine subclasses are hidden in their respective
342 implementation files. */
343
344extern void make_checkers (auto_delete_vec <state_machine> &out,
345 logger *logger);
346
347extern state_machine *make_malloc_state_machine (logger *logger);
348extern state_machine *make_fileptr_state_machine (logger *logger);
349extern state_machine *make_taint_state_machine (logger *logger);
350extern state_machine *make_sensitive_state_machine (logger *logger);
351extern state_machine *make_signal_state_machine (logger *logger);
352extern state_machine *make_pattern_test_state_machine (logger *logger);
353extern state_machine *make_va_list_state_machine (logger *logger);
354extern state_machine *make_fd_state_machine (logger *logger);
355
356} // namespace ana
357
358#endif /* GCC_ANALYZER_SM_H */
ana::custom_transition
Definition sm.h:218
ana::custom_transition::impl_transition
virtual void impl_transition(exploded_graph *eg, exploded_node *src_enode, int sm_idx)=0
ana::custom_transition::~custom_transition
virtual ~custom_transition()
Definition sm.h:220
ana::exploded_graph
Definition exploded-graph.h:791
ana::exploded_node
Definition exploded-graph.h:203
ana::extrinsic_state
Definition program-state.h:29
ana::frame_region
Definition region.h:306
ana::log_user
Definition analyzer-logging.h:147
ana::logger
Definition analyzer-logging.h:34
ana::path_context
Definition analyzer.h:399
ana::program_state
Definition program-state.h:203
ana::region_model
Definition region-model.h:258
ana::sm_context
Definition sm.h:230
ana::sm_context::warn
virtual void warn(const supernode *node, const gimple *stmt, const svalue *var, std::unique_ptr< pending_diagnostic > d)=0
ana::sm_context::m_sm
const state_machine & m_sm
Definition sm.h:337
ana::sm_context::get_state
virtual state_machine::state_t get_state(const gimple *stmt, tree var)=0
ana::sm_context::set_next_state
virtual void set_next_state(const gimple *stmt, const svalue *var, state_machine::state_t to, tree origin=NULL_TREE)=0
ana::sm_context::get_diagnostic_tree
virtual tree get_diagnostic_tree(tree expr)
Definition sm.h:299
ana::sm_context::get_state
virtual state_machine::state_t get_state(const gimple *stmt, const svalue *)=0
ana::sm_context::set_global_state
virtual void set_global_state(state_machine::state_t)=0
ana::sm_context::set_next_state
virtual void set_next_state(const gimple *stmt, tree var, state_machine::state_t to, tree origin=NULL_TREE)=0
ana::sm_context::warn
virtual void warn(const supernode *node, const gimple *stmt, tree var, std::unique_ptr< pending_diagnostic > d)=0
ana::sm_context::get_fndecl_for_call
virtual tree get_fndecl_for_call(const gcall *call)=0
ana::sm_context::get_old_program_state
virtual const program_state * get_old_program_state() const =0
ana::sm_context::~sm_context
virtual ~sm_context()
Definition sm.h:232
ana::sm_context::get_global_state
virtual state_machine::state_t get_global_state() const =0
ana::sm_context::is_zero_assignment
virtual tree is_zero_assignment(const gimple *stmt)=0
ana::sm_context::clear_all_per_svalue_state
virtual void clear_all_per_svalue_state()=0
ana::sm_context::get_new_program_state
virtual const program_state * get_new_program_state() const =0
ana::sm_context::get_old_region_model
const region_model * get_old_region_model() const
ana::sm_context::get_path_context
virtual path_context * get_path_context() const
Definition sm.h:319
ana::sm_context::m_sm_idx
int m_sm_idx
Definition sm.h:336
ana::sm_context::unknown_side_effects_p
virtual bool unknown_side_effects_p() const
Definition sm.h:325
ana::sm_context::sm_context
sm_context(int sm_idx, const state_machine &sm)
Definition sm.h:333
ana::sm_context::get_diagnostic_tree
virtual tree get_diagnostic_tree(const svalue *)=0
ana::sm_context::on_transition
void on_transition(const supernode *node, const gimple *stmt, const svalue *var, state_machine::state_t from, state_machine::state_t to, tree origin=NULL_TREE)
Definition sm.h:273
ana::sm_context::on_transition
void on_transition(const supernode *node, const gimple *stmt, tree var, state_machine::state_t from, state_machine::state_t to, tree origin=NULL_TREE)
Definition sm.h:261
ana::sm_context::on_custom_transition
virtual void on_custom_transition(custom_transition *transition)=0
ana::sm_state_map
Definition program-state.h:75
ana::state_machine::state
Definition sm.h:45
ana::state_machine::state::dump_to_pp
virtual void dump_to_pp(pretty_printer *pp) const
ana::state_machine::state::m_id
unsigned m_id
Definition sm.h:58
ana::state_machine::state::to_json
virtual json::value * to_json() const
ana::state_machine::state::get_id
unsigned get_id() const
Definition sm.h:54
ana::state_machine::state::state
state(const char *name, unsigned id)
Definition sm.h:47
ana::state_machine::state::~state
virtual ~state()
Definition sm.h:48
ana::state_machine::state::m_name
const char * m_name
Definition sm.h:57
ana::state_machine::state::get_name
const char * get_name() const
Definition sm.h:50
ana::state_machine
Definition sm.h:40
ana::state_machine::get_name
const char * get_name() const
Definition sm.h:92
ana::state_machine::on_leak
virtual std::unique_ptr< pending_diagnostic > on_leak(tree var) const
ana::state_machine::maybe_get_merged_states_nonequal
virtual state_t maybe_get_merged_states_nonequal(state_t state_a, state_t state_b) const
Definition sm.h:172
ana::state_machine::on_stmt
virtual bool on_stmt(sm_context *sm_ctxt, const supernode *node, const gimple *stmt) const =0
ana::state_machine::validate
void validate(state_t s) const
ana::state_machine::~state_machine
virtual ~state_machine()
Definition sm.h:63
ana::state_machine::inherited_state_p
virtual bool inherited_state_p() const =0
ana::state_machine::on_bounded_ranges
virtual void on_bounded_ranges(sm_context *sm_ctxt, const supernode *node, const gimple *stmt, const svalue &sval, const bounded_ranges &ranges) const
Definition sm.h:118
ana::state_machine::get_default_state
virtual state_machine::state_t get_default_state(const svalue *) const
Definition sm.h:87
ana::state_machine::m_states
auto_delete_vec< state > m_states
Definition sm.h:203
ana::state_machine::maybe_get_merged_state
state_t maybe_get_merged_state(state_t state_a, state_t state_b) const
Definition sm.h:161
ana::state_machine::reset_when_passed_to_unknown_fn_p
virtual bool reset_when_passed_to_unknown_fn_p(state_t s, bool is_mutable) const
Definition sm.h:148
ana::state_machine::add_custom_state
state_t add_custom_state(state *s)
Definition sm.h:189
ana::state_machine::on_pop_frame
virtual void on_pop_frame(sm_state_map *smap, const frame_region *frame_reg) const
Definition sm.h:127
ana::state_machine::m_next_state_id
unsigned m_next_state_id
Definition sm.h:205
ana::state_machine::get_start_state
state_t get_start_state() const
Definition sm.h:185
ana::state_machine::m_name
const char * m_name
Definition sm.h:200
ana::state_machine::state_machine
state_machine(const char *name, logger *logger)
ana::state_machine::on_phi
virtual void on_phi(sm_context *sm_ctxt, const supernode *node, const gphi *phi, tree rhs) const
Definition sm.h:101
ana::state_machine::has_alt_get_inherited_state_p
virtual bool has_alt_get_inherited_state_p() const
Definition sm.h:82
ana::state_machine::alt_get_inherited_state
virtual state_t alt_get_inherited_state(const sm_state_map &, const svalue *, const extrinsic_state &) const
Definition sm.h:74
ana::state_machine::state_t
const state_machine::state * state_t
Definition sm.h:60
ana::state_machine::dump_to_pp
void dump_to_pp(pretty_printer *pp) const
ana::state_machine::alloc_state_id
unsigned alloc_state_id()
Definition sm.h:195
ana::state_machine::get_state_by_name
state_t get_state_by_name(const char *name) const
ana::state_machine::m_start
state_t m_start
Definition sm.h:209
ana::state_machine::DISABLE_COPY_AND_ASSIGN
DISABLE_COPY_AND_ASSIGN(state_machine)
ana::state_machine::on_condition
virtual void on_condition(sm_context *sm_ctxt, const supernode *node, const gimple *stmt, const svalue *lhs, enum tree_code op, const svalue *rhs) const
Definition sm.h:108
ana::state_machine::add_state
state_t add_state(const char *name)
ana::state_machine::to_json
json::object * to_json() const
ana::state_machine::can_purge_p
virtual bool can_purge_p(state_t s) const =0
ana::supernode
Definition supergraph.h:235
ana::svalue
Definition svalue.h:90
auto_delete_vec
Definition vec.h:1802
expr
Definition genmatch.cc:845
json::object
Definition json.h:95
json::value
Definition json.h:79
pretty_printer
Definition pretty-print.h:244
transition
Definition genrecog.cc:1504
tree
union tree_node * tree
Definition coretypes.h:97
tree_code
tree_code
Definition genmatch.cc:347
ggc_alloc
T * ggc_alloc(ALONE_CXX_MEM_STAT_INFO)
Definition ggc.h:184
ana
Definition access-diagram.h:30
ana::make_fileptr_state_machine
state_machine * make_fileptr_state_machine(logger *logger)
ana::make_va_list_state_machine
state_machine * make_va_list_state_machine(logger *logger)
ana::make_taint_state_machine
state_machine * make_taint_state_machine(logger *logger)
ana::make_signal_state_machine
state_machine * make_signal_state_machine(logger *logger)
ana::make_sensitive_state_machine
state_machine * make_sensitive_state_machine(logger *logger)
ana::make_checkers
void make_checkers(auto_delete_vec< state_machine > &out, logger *logger)
ana::make_fd_state_machine
state_machine * make_fd_state_machine(logger *logger)
ana::make_pattern_test_state_machine
state_machine * make_pattern_test_state_machine(logger *logger)
ana::any_pointer_p
bool any_pointer_p(tree expr)
ana::make_malloc_state_machine
state_machine * make_malloc_state_machine(logger *logger)
expr
rtx expr
Definition postreload.cc:697
ana::bounded_ranges
Definition constraint-manager.h:120
gcall
Definition gimple.h:353
gimple
Definition gimple.h:225
gphi
Definition gimple.h:462
id
Definition collect2.cc:168
state
Definition genautomata.cc:669
NULL
#define NULL
Definition system.h:50
NULL_TREE
#define NULL_TREE
Definition tree.h:317