Branch data Line data Source code
1 : : /* Modeling API uses and misuses via state machines.
2 : : Copyright (C) 2019-2024 Free Software Foundation, Inc.
3 : : Contributed by David Malcolm <dmalcolm@redhat.com>.
4 : :
5 : : This file is part of GCC.
6 : :
7 : : GCC is free software; you can redistribute it and/or modify it
8 : : under the terms of the GNU General Public License as published by
9 : : the Free Software Foundation; either version 3, or (at your option)
10 : : any later version.
11 : :
12 : : GCC is distributed in the hope that it will be useful, but
13 : : WITHOUT ANY WARRANTY; without even the implied warranty of
14 : : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 : : General Public License for more details.
16 : :
17 : : You should have received a copy of the GNU General Public License
18 : : along with GCC; see the file COPYING3. If not see
19 : : <http://www.gnu.org/licenses/>. */
20 : :
21 : : #ifndef GCC_ANALYZER_SM_H
22 : : #define GCC_ANALYZER_SM_H
23 : :
24 : : /* Utility functions for use by state machines. */
25 : :
26 : : namespace ana {
27 : :
28 : : class state_machine;
29 : : class sm_context;
30 : : class pending_diagnostic;
31 : :
32 : : extern bool any_pointer_p (tree expr);
33 : : extern bool any_pointer_p (const svalue *sval);
34 : :
35 : : /* An abstract base class for a state machine describing an API.
36 : : Manages a set of state objects, and has various virtual functions
37 : : for pattern-matching on statements. */
38 : :
39 : : class state_machine : public log_user
40 : : {
41 : : public:
42 : : /* States are represented by immutable objects, owned by the state
43 : : machine. */
44 : : class state
45 : : {
46 : : public:
47 : 205526 : state (const char *name, unsigned id) : m_name (name), m_id (id) {}
48 : 152620 : virtual ~state () {}
49 : :
50 : 7433 : const char *get_name () const { return m_name; }
51 : : virtual void dump_to_pp (pretty_printer *pp) const;
52 : : virtual json::value *to_json () const;
53 : :
54 : 12905561 : unsigned get_id () const { return m_id; }
55 : :
56 : : private:
57 : : const char *m_name;
58 : : unsigned m_id;
59 : : };
60 : : typedef const state_machine::state *state_t;
61 : :
62 : : state_machine (const char *name, logger *logger);
63 : 26080 : virtual ~state_machine () {}
64 : :
65 : : /* Should states be inherited from a parent region to a child region,
66 : : when first accessing a child region?
67 : : For example we should inherit the taintedness of a subregion,
68 : : but we should not inherit the "malloc:non-null" state of a field
69 : : within a heap-allocated struct. */
70 : : virtual bool inherited_state_p () const = 0;
71 : :
72 : : /* A vfunc for more general handling of inheritance. */
73 : : virtual state_t
74 : 7591784 : alt_get_inherited_state (const sm_state_map &,
75 : : const svalue *,
76 : : const extrinsic_state &) const
77 : : {
78 : 7591784 : return NULL;
79 : : }
80 : :
81 : : virtual bool
82 : 4118138 : has_alt_get_inherited_state_p () const
83 : : {
84 : 4118138 : return false;
85 : : }
86 : :
87 : 5003820 : virtual state_machine::state_t get_default_state (const svalue *) const
88 : : {
89 : 5003820 : return m_start;
90 : : }
91 : :
92 : 3170156 : const char *get_name () const { return m_name; }
93 : :
94 : : state_t get_state_by_name (const char *name) const;
95 : :
96 : : /* Return true if STMT is a function call recognized by this sm. */
97 : : virtual bool on_stmt (sm_context *sm_ctxt,
98 : : const supernode *node,
99 : : const gimple *stmt) const = 0;
100 : :
101 : 168984 : virtual void on_phi (sm_context *sm_ctxt ATTRIBUTE_UNUSED,
102 : : const supernode *node ATTRIBUTE_UNUSED,
103 : : const gphi *phi ATTRIBUTE_UNUSED,
104 : : tree rhs ATTRIBUTE_UNUSED) const
105 : : {
106 : 168984 : }
107 : :
108 : 106233 : virtual void on_condition (sm_context *sm_ctxt ATTRIBUTE_UNUSED,
109 : : const supernode *node ATTRIBUTE_UNUSED,
110 : : const gimple *stmt ATTRIBUTE_UNUSED,
111 : : const svalue *lhs ATTRIBUTE_UNUSED,
112 : : enum tree_code op ATTRIBUTE_UNUSED,
113 : : const svalue *rhs ATTRIBUTE_UNUSED) const
114 : : {
115 : 106233 : }
116 : :
117 : : virtual void
118 : 46146 : on_bounded_ranges (sm_context *sm_ctxt ATTRIBUTE_UNUSED,
119 : : const supernode *node ATTRIBUTE_UNUSED,
120 : : const gimple *stmt ATTRIBUTE_UNUSED,
121 : : const svalue &sval ATTRIBUTE_UNUSED,
122 : : const bounded_ranges &ranges ATTRIBUTE_UNUSED) const
123 : : {
124 : 46146 : }
125 : :
126 : : virtual void
127 : 112835 : on_pop_frame (sm_state_map *smap ATTRIBUTE_UNUSED,
128 : : const frame_region *frame_reg ATTRIBUTE_UNUSED) const
129 : : {
130 : 112835 : }
131 : :
132 : : /* Return true if it safe to discard the given state (to help
133 : : when simplifying state objects).
134 : : States that need leak detection should return false. */
135 : : virtual bool can_purge_p (state_t s) const = 0;
136 : :
137 : : /* Called when VAR leaks (and !can_purge_p). */
138 : : virtual std::unique_ptr<pending_diagnostic>
139 : : on_leak (tree var ATTRIBUTE_UNUSED) const;
140 : :
141 : : /* Return true if S should be reset to "start" for values passed (or reachable
142 : : from) calls to unknown functions. IS_MUTABLE is true for pointers as
143 : : non-const, false if only passed as const-pointers.
144 : :
145 : : For example, in sm-malloc.cc, an on-stack ptr doesn't stop being
146 : : stack-allocated when passed to an unknown fn, but a malloc-ed pointer
147 : : could be freed when passed to an unknown fn (unless passed as "const"). */
148 : 3119 : virtual bool reset_when_passed_to_unknown_fn_p (state_t s ATTRIBUTE_UNUSED,
149 : : bool is_mutable) const
150 : : {
151 : 3119 : return is_mutable;
152 : : }
153 : :
154 : : /* Attempt to get a state for the merger of STATE_A and STATE_B,
155 : : or return NULL if merging shouldn't occur, so that differences
156 : : between sm-state will lead to separate exploded nodes.
157 : :
158 : : Most state machines will only merge equal states, but can
159 : : override maybe_get_merged_states_nonequal to support mergers
160 : : of certain non-equal states. */
161 : 588297 : state_t maybe_get_merged_state (state_t state_a,
162 : : state_t state_b) const
163 : : {
164 : 588297 : if (state_a == state_b)
165 : : return state_a;
166 : 240823 : return maybe_get_merged_states_nonequal (state_a, state_b);
167 : : }
168 : :
169 : : /* Base implementation of hook for maybe_get_merged_state on non-equal
170 : : states. */
171 : : virtual state_t
172 : 18640 : maybe_get_merged_states_nonequal (state_t state_a ATTRIBUTE_UNUSED,
173 : : state_t state_b ATTRIBUTE_UNUSED) const
174 : : {
175 : : /* By default, non-equal sm states should inhibit merger of enodes. */
176 : 18640 : return NULL;
177 : : }
178 : :
179 : : void validate (state_t s) const;
180 : :
181 : : void dump_to_pp (pretty_printer *pp) const;
182 : :
183 : : json::object *to_json () const;
184 : :
185 : 19462 : state_t get_start_state () const { return m_start; }
186 : :
187 : : protected:
188 : : state_t add_state (const char *name);
189 : 52246 : state_t add_custom_state (state *s)
190 : : {
191 : 52246 : m_states.safe_push (s);
192 : 3258 : return s;
193 : : }
194 : :
195 : 205506 : unsigned alloc_state_id () { return m_next_state_id++; }
196 : :
197 : : private:
198 : : DISABLE_COPY_AND_ASSIGN (state_machine);
199 : :
200 : : const char *m_name;
201 : :
202 : : /* States are owned by the state_machine. */
203 : : auto_delete_vec<state> m_states;
204 : :
205 : : unsigned m_next_state_id;
206 : :
207 : : protected:
208 : : /* Must be inited after m_next_state_id. */
209 : : state_t m_start;
210 : : };
211 : :
212 : : /* Abstract base class for state machines to pass to
213 : : sm_context::on_custom_transition for handling non-standard transitions
214 : : (e.g. adding a node and edge to simulate registering a callback and having
215 : : the callback be called later). */
216 : :
217 : 18 : class custom_transition
218 : : {
219 : : public:
220 : 18 : virtual ~custom_transition () {}
221 : : virtual void impl_transition (exploded_graph *eg,
222 : : exploded_node *src_enode,
223 : : int sm_idx) = 0;
224 : : };
225 : :
226 : : /* Abstract base class giving an interface for the state machine to call
227 : : the checker engine, at a particular stmt. */
228 : :
229 : : class sm_context
230 : : {
231 : : public:
232 : 2741832 : virtual ~sm_context () {}
233 : :
234 : : /* Get the fndecl used at call, or NULL_TREE.
235 : : Use in preference to gimple_call_fndecl (and gimple_call_addr_fndecl),
236 : : since it can look through function pointer assignments and
237 : : other callback handling. */
238 : : virtual tree get_fndecl_for_call (const gcall *call) = 0;
239 : :
240 : : /* Get the old state of VAR at STMT. */
241 : : virtual state_machine::state_t get_state (const gimple *stmt,
242 : : tree var) = 0;
243 : : virtual state_machine::state_t get_state (const gimple *stmt,
244 : : const svalue *) = 0;
245 : : /* Set the next state of VAR to be TO, recording the "origin" of the
246 : : state as ORIGIN.
247 : : Use STMT for location information. */
248 : : virtual void set_next_state (const gimple *stmt,
249 : : tree var,
250 : : state_machine::state_t to,
251 : : tree origin = NULL_TREE) = 0;
252 : : virtual void set_next_state (const gimple *stmt,
253 : : const svalue *var,
254 : : state_machine::state_t to,
255 : : tree origin = NULL_TREE) = 0;
256 : :
257 : : /* Called by state_machine in response to pattern matches:
258 : : if VAR is in state FROM, transition it to state TO, potentially
259 : : recording the "origin" of the state as ORIGIN.
260 : : Use NODE and STMT for location information. */
261 : 11546 : void on_transition (const supernode *node ATTRIBUTE_UNUSED,
262 : : const gimple *stmt,
263 : : tree var,
264 : : state_machine::state_t from,
265 : : state_machine::state_t to,
266 : : tree origin = NULL_TREE)
267 : : {
268 : 11546 : state_machine::state_t current = get_state (stmt, var);
269 : 11546 : if (current == from)
270 : 1834 : set_next_state (stmt, var, to, origin);
271 : 11546 : }
272 : :
273 : 44447 : void on_transition (const supernode *node ATTRIBUTE_UNUSED,
274 : : const gimple *stmt,
275 : : const svalue *var,
276 : : state_machine::state_t from,
277 : : state_machine::state_t to,
278 : : tree origin = NULL_TREE)
279 : : {
280 : 44447 : state_machine::state_t current = get_state (stmt, var);
281 : 44447 : if (current == from)
282 : 761 : set_next_state (stmt, var, to, origin);
283 : 44447 : }
284 : :
285 : : /* Called by state_machine in response to pattern matches:
286 : : issue a diagnostic D using NODE and STMT for location information. */
287 : : virtual void warn (const supernode *node, const gimple *stmt,
288 : : tree var,
289 : : std::unique_ptr<pending_diagnostic> d) = 0;
290 : : virtual void warn (const supernode *node, const gimple *stmt,
291 : : const svalue *var,
292 : : std::unique_ptr<pending_diagnostic> d) = 0;
293 : :
294 : : /* For use when generating trees when creating pending_diagnostics, so that
295 : : rather than e.g.
296 : : "double-free of '<unknown>'"
297 : : we can print:
298 : : "double-free of 'inbuf.data'". */
299 : 0 : virtual tree get_diagnostic_tree (tree expr)
300 : : {
301 : 0 : return expr;
302 : : }
303 : : virtual tree get_diagnostic_tree (const svalue *) = 0;
304 : :
305 : : virtual state_machine::state_t get_global_state () const = 0;
306 : : virtual void set_global_state (state_machine::state_t) = 0;
307 : :
308 : : virtual void clear_all_per_svalue_state () = 0;
309 : :
310 : : /* A vfunc for handling custom transitions, such as when registering
311 : : a signal handler. */
312 : : virtual void on_custom_transition (custom_transition *transition) = 0;
313 : :
314 : : /* If STMT is an assignment known to assign zero to its LHS, return
315 : : the LHS.
316 : : Otherwise return NULL_TREE. */
317 : : virtual tree is_zero_assignment (const gimple *stmt) = 0;
318 : :
319 : 0 : virtual path_context *get_path_context () const
320 : : {
321 : 0 : return NULL;
322 : : }
323 : :
324 : : /* Are we handling an external function with unknown side effects? */
325 : 0 : virtual bool unknown_side_effects_p () const { return false; }
326 : :
327 : : virtual const program_state *get_old_program_state () const = 0;
328 : : virtual const program_state *get_new_program_state () const = 0;
329 : :
330 : : const region_model *get_old_region_model () const;
331 : :
332 : : protected:
333 : 2742718 : sm_context (int sm_idx, const state_machine &sm)
334 : 2742718 : : m_sm_idx (sm_idx), m_sm (sm) {}
335 : :
336 : : int m_sm_idx;
337 : : const state_machine &m_sm;
338 : : };
339 : :
340 : :
341 : : /* The various state_machine subclasses are hidden in their respective
342 : : implementation files. */
343 : :
344 : : extern void make_checkers (auto_delete_vec <state_machine> &out,
345 : : logger *logger);
346 : :
347 : : extern state_machine *make_malloc_state_machine (logger *logger);
348 : : extern state_machine *make_fileptr_state_machine (logger *logger);
349 : : extern state_machine *make_taint_state_machine (logger *logger);
350 : : extern state_machine *make_sensitive_state_machine (logger *logger);
351 : : extern state_machine *make_signal_state_machine (logger *logger);
352 : : extern state_machine *make_pattern_test_state_machine (logger *logger);
353 : : extern state_machine *make_va_list_state_machine (logger *logger);
354 : : extern state_machine *make_fd_state_machine (logger *logger);
355 : :
356 : : } // namespace ana
357 : :
358 : : #endif /* GCC_ANALYZER_SM_H */
|
