[CHERI_CSA] Refactoring state cleanup for dead symbols & regions

Author: eupharina

clang/lib/StaticAnalyzer/Checkers/CHERI/AllocationChecker.cpp

@@ -14,10 +14,10 @@
 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include <clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h>
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
-#include <clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h>
 
 
 using namespace clang;
@@ -42,7 +42,8 @@ class AllocationChecker : public Checker<check::PostStmt<CastExpr>,
                                          check::PreCall,
                                          check::PostCall,
                                          check::Bind,
-                                         check::EndFunction> {
+                                         check::EndFunction,
+                                         check::DeadSymbols> {
   BugType BT_Default{this, "Allocation partitioning", "CHERI portability"};
   BugType BT_UnknownReg{this, "Unknown allocation partitioning",
                       "CHERI portability"};
@@ -86,6 +87,7 @@ class AllocationChecker : public Checker<check::PostStmt<CastExpr>,
   void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
   void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
   void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
+  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
 
   bool ReportForUnknownAllocations;
 
@@ -437,6 +439,22 @@ void AllocationChecker::checkEndFunction(const ReturnStmt *RS,
   }
 }
 
+void AllocationChecker::checkDeadSymbols(SymbolReaper &SymReaper,
+                                         CheckerContext &C) const {
+  if (!isPureCapMode(C.getASTContext()))
+    return;
+
+  ProgramStateRef State = C.getState();
+  bool Removed = false;
+  State = cleanDead<AllocMap>(State, SymReaper, Removed);
+  State = cleanDead<ShiftMap>(State, SymReaper, Removed);
+  State = cleanDead<SuballocationSet>(State, SymReaper, Removed);
+  State = cleanDead<BoundedSet>(State, SymReaper, Removed);
+
+  if (Removed)
+    C.addTransition(State);
+}
+
 PathDiagnosticPieceRef AllocationChecker::AllocPartitionBugVisitor::VisitNode(
     const ExplodedNode *N, BugReporterContext &BRC,
     PathSensitiveBugReport &BR) {

clang/lib/StaticAnalyzer/Checkers/CHERI/CHERIUtils.cpp

@@ -7,6 +7,10 @@
 //===----------------------------------------------------------------------===//
 
 #include "CHERIUtils.h"
+#include <clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h>
+
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+
 
 namespace clang {
 namespace ento {
@@ -54,8 +58,7 @@ bool hasCapability(const QualType OrigTy, ASTContext &Ctx) {
 
 namespace {
 
-void printType(raw_ostream &OS, const QualType &Ty,
-               const PrintingPolicy &PP) {
+void printType(raw_ostream &OS, const QualType &Ty, const PrintingPolicy &PP) {
   std::string TyStr = Ty.getAsString(PP);
   OS << "'" << TyStr << "'";
   std::string CanTyStr = Ty.getCanonicalType().getAsString(PP);
@@ -67,7 +70,7 @@ void printType(raw_ostream &OS, const QualType &Ty,
 } // namespace
 
 void describeCast(raw_ostream &OS, const CastExpr *CE,
-                         const LangOptions &LangOpts) {
+                  const LangOptions &LangOpts) {
   const PrintingPolicy &PP = PrintingPolicy(LangOpts);
   OS << (dyn_cast<ImplicitCastExpr>(CE) ? "implicit" : "explicit");
   OS << " cast from ";
@@ -84,7 +87,6 @@ const DeclRegion *getAllocationDecl(const MemRegion *MR) {
   return nullptr;
 }
 
-
-} // end of namespace: cheri
-} // end of namespace: ento
-} // end of namespace: clang
+} // namespace cheri
+} // namespace ento
+} // namespace clang

clang/lib/StaticAnalyzer/Checkers/CHERI/CHERIUtils.h

@@ -10,6 +10,8 @@
 #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_CHERI_CHERIUTILS_H
 
 #include "clang/StaticAnalyzer/Core/Checker.h"
+#include <clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h>
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
 
 namespace clang {
 namespace ento {
@@ -32,8 +34,44 @@ void describeCast(raw_ostream &OS, const CastExpr *CE,
 
 const DeclRegion *getAllocationDecl(const MemRegion *MR);
 
-} // end of namespace: cheri
-} // end of namespace: ento
-} // end of namespace: clang
+} // namespace cheri
+
+template <typename C>
+inline typename ProgramStateTrait<C>::key_type
+getKey(const std::pair<typename ProgramStateTrait<C>::key_type,
+                       typename ProgramStateTrait<C>::value_type> &P) {
+  return P.first;
+}
+
+template <typename C>
+inline typename ProgramStateTrait<C>::key_type
+getKey(const typename ProgramStateTrait<C>::key_type &K) {
+  return K;
+}
+
+inline bool isLive(SymbolReaper &SymReaper, const MemRegion *MR) {
+  return SymReaper.isLiveRegion(MR);
+}
+
+inline bool isLive(SymbolReaper &SymReaper, SymbolRef Sym) {
+  return SymReaper.isLive(Sym);
+}
+
+template <typename M>
+ProgramStateRef cleanDead(ProgramStateRef State, SymbolReaper &SymReaper,
+                         bool &Removed) {
+  const typename ProgramStateTrait<M>::data_type &Map = State->get<M>();
+  for (const auto &E : Map) {
+    const typename ProgramStateTrait<M>::key_type &K = getKey<M>(E);
+    if (isLive(SymReaper, K))
+      continue;
+    State = State->remove<M>(K);
+    Removed = true;
+  }
+  return State;
+}
+
+} // namespace ento
+} // namespace clang
 
 #endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_CHERI_CHERIUTILS_H

clang/lib/StaticAnalyzer/Checkers/CHERI/CapabilityCopyChecker.cpp

@@ -14,13 +14,13 @@
 #include "CHERIUtils.h"
 #include "clang/ASTMatchers/ASTMatchFinder.h"
 #include "clang/ASTMatchers/ASTMatchers.h"
+#include <clang/ASTMatchers/ASTMatchersInternal.h>
 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include <clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h>
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
-#include <clang/ASTMatchers/ASTMatchersInternal.h>
-#include <clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h>
 
 using namespace clang;
 using namespace ento;
@@ -57,7 +57,8 @@ class CapabilityCopyChecker :public Checker<check::Location, check::Bind,
                                             check::PostStmt<BinaryOperator>,
                                             check::PostStmt<ArraySubscriptExpr>,
                                             check::BranchCondition,
-                                            check::PreCall> {
+                                            check::PreCall,
+                                            check::DeadSymbols> {
 
   BugType UseCapAsNonCap{this,
                          "Part of capability value used in binary operator",
@@ -83,6 +84,7 @@ class CapabilityCopyChecker :public Checker<check::Location, check::Bind,
   void checkPostStmt(const ArraySubscriptExpr *E, CheckerContext &C) const;
   void checkBranchCondition(const Stmt *Cond, CheckerContext &C) const;
   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
+  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
 
   bool ReportForCharPtr = false;
 
@@ -95,7 +97,7 @@ class CapabilityCopyChecker :public Checker<check::Location, check::Bind,
 REGISTER_SET_WITH_PROGRAMSTATE(VoidPtrArgDeref, const MemRegion *)
 REGISTER_SET_WITH_PROGRAMSTATE(UnalignedPtr, const MemRegion *)
 REGISTER_SET_WITH_PROGRAMSTATE(CString, const MemRegion *)
-REGISTER_LIST_WITH_PROGRAMSTATE(WhileBoundVar, SymbolRef)
+REGISTER_SET_WITH_PROGRAMSTATE(WhileBoundVar, SymbolRef)
 
 namespace {
 
@@ -260,8 +262,8 @@ bool isInsideSmallConstantBoundLoop(const Stmt *S, CheckerContext &C, long N) {
   SValBuilder &SVB = C.getSValBuilder();
   const NonLoc &ItVal = SVB.makeIntVal(N, true);
 
-  auto BoundVarList = C.getState()->get<WhileBoundVar>();
-  for (auto &&V : BoundVarList) {
+  auto BoundVarSet = C.getState()->get<WhileBoundVar>();
+  for (auto &&V : BoundVarSet) {
     auto SmallLoop =
         SVB.evalBinOpNN(C.getState(), clang::BO_GE, nonloc::SymbolVal(V), ItVal,
                         SVB.getConditionType());
@@ -485,8 +487,6 @@ bool checkForWhileBoundVar(const Stmt *Condition, CheckerContext &C,
     if (SymbolRef ISym = C.getSVal(L).getAsSymbol()) {
       if (ThenSt)
         ThenSt = ThenSt->add<WhileBoundVar>(ISym);
-      if (ElseSt)
-        ElseSt = ElseSt->set<WhileBoundVar>(llvm::ImmutableList<SymbolRef>());
     } else
       return false;
   }
@@ -627,6 +627,23 @@ void CapabilityCopyChecker::checkPreCall(const CallEvent &Call,
   C.addTransition(State);
 }
 
+void CapabilityCopyChecker::checkDeadSymbols(SymbolReaper &SymReaper,
+                                               CheckerContext &C) const {
+  if (!isPureCapMode(C.getASTContext()))
+    return;
+
+  ProgramStateRef State = C.getState();
+  bool Removed = false;
+
+  State = cleanDead<VoidPtrArgDeref>(State, SymReaper, Removed);
+  State = cleanDead<UnalignedPtr>(State, SymReaper, Removed);
+  State = cleanDead<CString>(State, SymReaper, Removed);
+  State = cleanDead<WhileBoundVar>(State, SymReaper, Removed);
+
+  if (Removed)
+    C.addTransition(State);
+}
+
 void ento::registerCapabilityCopyChecker(CheckerManager &mgr) {
   auto *Checker = mgr.registerChecker<CapabilityCopyChecker>();
   Checker->ReportForCharPtr = mgr.getAnalyzerOptions().getCheckerBooleanOption(

clang/lib/StaticAnalyzer/Checkers/CHERI/ProvenanceSourceChecker.cpp

@@ -515,23 +515,10 @@ void ProvenanceSourceChecker::checkDeadSymbols(SymbolReaper &SymReaper,
     return;
 
   ProgramStateRef State = C.getState();
-
   bool Removed = false;
-  const InvalidCapTy &Set = State->get<InvalidCap>();
-  for (const auto &Sym : Set) {
-    if (!SymReaper.isDead(Sym))
-      continue;
-    State = State->remove<InvalidCap>(Sym);
-    Removed = true;
-  }
-
-  const AmbiguousProvenanceSymTy &Set2 = State->get<AmbiguousProvenanceSym>();
-  for (const auto &Sym : Set2) {
-    if (!SymReaper.isDead(Sym))
-      continue;
-    State = State->remove<AmbiguousProvenanceSym>(Sym);
-    Removed = true;
-  }
+  State = cleanDead<InvalidCap>(State, SymReaper, Removed);
+  State = cleanDead<AmbiguousProvenanceSym>(State, SymReaper, Removed);
+  State = cleanDead<AmbiguousProvenanceReg>(State, SymReaper, Removed);
 
   if (Removed)
     C.addTransition(State);

clang/lib/StaticAnalyzer/Checkers/PointerAlignmentChecker.cpp

@@ -29,13 +29,13 @@
 //===----------------------------------------------------------------------===//
 
 #include "CHERI/CHERIUtils.h"
+#include <clang/ASTMatchers/ASTMatchFinder.h>
 #include "clang/ASTMatchers/ASTMatchers.h"
 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
-#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
-#include <clang/ASTMatchers/ASTMatchFinder.h>
 #include <clang/StaticAnalyzer/Core/BugReporter/BugType.h>
 #include <clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h>
 #include <clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h>
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
 
 using namespace clang;
 using namespace ento;
@@ -914,17 +914,11 @@ void PointerAlignmentChecker::checkPostStmt(const BinaryOperator *BO,
 
 void PointerAlignmentChecker::checkDeadSymbols(SymbolReaper &SymReaper,
                                                   CheckerContext &C) const {
-  bool Updated = false;
   ProgramStateRef State = C.getState();
+  bool Updated = false;
 
-  TrailingZerosMapTy TZMap = State->get<TrailingZerosMap>();
-  for (TrailingZerosMapTy::iterator I = TZMap.begin(), E = TZMap.end();
-                                    I != E; ++I) {
-    if (SymReaper.isDead(I->first)) {
-      State = State->remove<TrailingZerosMap>(I->first);
-      Updated = true;
-    }
-  }
+  State = cleanDead<TrailingZerosMap>(State, SymReaper, Updated);
+  State = cleanDead<CapStorageSet>(State, SymReaper, Updated);
 
   if (Updated)
     C.addTransition(State);