CHERI CSA: CHERI support for Clang Static Analyzer + cheri.* Checkers

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

@@ -120,6 +120,9 @@ def FuchsiaAlpha : Package<"fuchsia">, ParentPackage<Alpha>;
 def WebKit : Package<"webkit">;
 def WebKitAlpha : Package<"webkit">, ParentPackage<Alpha>;
 
+def CHERI : Package<"cheri">;
+def CHERIAlpha : Package<"cheri">, ParentPackage<Alpha>;
+
 //===----------------------------------------------------------------------===//
 // Core Checkers.
 //===----------------------------------------------------------------------===//
@@ -1664,6 +1667,10 @@ def UnixAPIPortabilityChecker : Checker<"UnixAPI">,
   HelpText<"Finds implementation-defined behavior in UNIX/Posix functions">,
   Documentation<NotDocumented>;
 
+def PointerAlignmentChecker : Checker<"PointerAlignment">,
+  HelpText<"Check underaligned pointers.">,
+  Documentation<NotDocumented>;
+
 } // end optin.portability
 
 //===----------------------------------------------------------------------===//
@@ -1734,3 +1741,69 @@ def UncountedLocalVarsChecker : Checker<"UncountedLocalVarsChecker">,
   Documentation<HasDocumentation>;
 
 } // end alpha.webkit
+
+//===----------------------------------------------------------------------===//
+// CHERI checkers.
+//===----------------------------------------------------------------------===//
+
+let ParentPackage = CHERI in {
+
+def CheriAPIModelling : Checker<"CheriAPIModelling">,
+  HelpText<"Model CheriAPI">,
+  Documentation<NotDocumented>;
+
+def ProvenanceSourceChecker : Checker<"ProvenanceSource">,
+  HelpText<"Check expressions with ambiguous provenance source.">,
+  CheckerOptions<[
+    CmdLineOption<Boolean,
+                  "ShowFixIts",
+                  "Enable fix-it hints for this checker",
+                  "false",
+                  InAlpha>,
+    CmdLineOption<Boolean,
+                  "ReportForAmbiguousProvenance",
+                  "Report for binary operations with ambiguous provenance "
+                  "for which the default capability derivation from LHS is fine. "
+                  "Disabled if [-Wcheri-provenance] is disabled.",
+                  "true",
+                  Released>
+  ]>,
+  Documentation<NotDocumented>;
+
+def CapabilityCopyChecker : Checker<"CapabilityCopy">,
+  HelpText<"Check tag-stripping memory copy.">,
+  CheckerOptions<[
+    CmdLineOption<Boolean,
+                  "ReportForCharPtr",
+                  "Report tag-stripping copy for char* function parameters. "
+                  "Suppression of warnings for C-strings is used to reduce "
+                  "the number of false alarms, but it's not very reliable.",
+                  "false",
+                  Released>
+  ]>,
+  Documentation<NotDocumented>;
+
+def PointerSizeAssumptionsChecker : Checker<"PointerSizeAssumptions">,
+  HelpText<"Detect hardcoded expectations on pointer sizes">,
+  Documentation<NotDocumented>;
+
+def SubObjectRepresentabilityChecker : Checker<"SubObjectRepresentability">,
+  HelpText<"Check for record fields with unrepresentable subobject bounds">,
+  Documentation<NotDocumented>;
+
+} // end cheri
+
+let ParentPackage = CHERIAlpha in {
+
+def AllocationChecker : Checker<"Allocation">,
+  HelpText<"Suggest narrowing bounds for escaping suballocation capabilities">,
+  CheckerOptions<[
+    CmdLineOption<Boolean,
+                  "ReportForUnknownAllocations",
+                  "Report for pointers with untracked origin",
+                  "true",
+                  Released>
+  ]>,
+  Documentation<NotDocumented>;
+
+} // end alpha.cheri

clang/include/clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h

@@ -223,7 +223,7 @@ class BasicValueFactory {
 
   const llvm::APSInt &getZeroWithTypeSize(QualType T) {
     assert(T->isScalarType());
-    return getValue(0, Ctx.getTypeSize(T), true);
+    return getValue(0, Ctx.getIntWidth(T), true);
   }
 
   const llvm::APSInt &getTruthValue(bool b, QualType T) {

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

@@ -794,9 +794,11 @@ inline SVal ProgramState::getLValue(const IndirectFieldDecl *D,
   return Base;
 }
 
-inline SVal ProgramState::getLValue(QualType ElementType, SVal Idx, SVal Base) const{
+inline SVal ProgramState::getLValue(QualType ElementType, SVal Idx,
+                                    SVal Base) const {
   if (Optional<NonLoc> N = Idx.getAs<NonLoc>())
-    return getStateManager().StoreMgr->getLValueElement(ElementType, *N, Base);
+    return getStateManager().StoreMgr->getLValueElement(this, ElementType, *N,
+                                                        Base);
   return UnknownVal();
 }
 

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

@@ -305,7 +305,10 @@ class SValBuilder {
     return nonloc::ConcreteInt(BasicVals.getValue(integer, ptrType));
   }
 
-  NonLoc makeLocAsInteger(Loc loc, unsigned bits) {
+  NonLoc makeLocAsInteger(Loc loc, unsigned bits, bool hasProvenance) {
+    assert((bits & ~255) == 0);
+    if (hasProvenance)
+      bits |= 256;
     return nonloc::LocAsInteger(BasicVals.getPersistentSValWithData(loc, bits));
   }
 

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h

@@ -364,7 +364,13 @@ class LocAsInteger : public NonLoc {
   unsigned getNumBits() const {
     const std::pair<SVal, uintptr_t> *D =
       static_cast<const std::pair<SVal, uintptr_t> *>(Data);
-    return D->second;
+    return D->second & 255;
+  }
+
+  bool hasProvenance() const {
+    const std::pair<SVal, uintptr_t> *D =
+        static_cast<const std::pair<SVal, uintptr_t> *>(Data);
+    return D->second & 256;
   }
 
   static bool classof(SVal V) {

clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h

@@ -146,7 +146,8 @@ class StoreManager {
     return getLValueFieldOrIvar(D, Base);
   }
 
-  virtual SVal getLValueElement(QualType elementType, NonLoc offset, SVal Base);
+  virtual SVal getLValueElement(ProgramStateRef State, QualType elementType,
+                                NonLoc offset, SVal Base);
 
   /// ArrayToPointer - Used by ExprEngine::VistCast to handle implicit
   ///  conversions between arrays and pointers.

clang/lib/AST/ASTContext.cpp

@@ -10972,9 +10972,11 @@ unsigned ASTContext::getIntWidth(QualType T) const {
   if (Target->SupportsCapabilities()) {
     if (T->isPointerType() && T->getAs<PointerType>()->isCHERICapability())
       return Target->getPointerRangeForCHERICapability();
+    if (T->isReferenceType() && T->getAs<ReferenceType>()->isCHERICapability()) {
+      return Target->getPointerRangeForCHERICapability();
+    }
     if (T->isIntCapType())
       return Target->getPointerRangeForCHERICapability();
-    assert(!T->isReferenceType() && "Should probably not be handled here");
   }
   // For builtin types, just use the standard type sizing method
   return (unsigned)getTypeSize(T);

clang/lib/Driver/ToolChains/Clang.cpp

@@ -26,6 +26,7 @@
 #include "clang/Basic/CLWarnings.h"
 #include "clang/Basic/CharInfo.h"
 #include "clang/Basic/CodeGenOptions.h"
+#include <clang/Basic/DiagnosticSema.h>
 #include "clang/Basic/LangOptions.h"
 #include "clang/Basic/MakeSupport.h"
 #include "clang/Basic/ObjCRuntime.h"
@@ -3191,7 +3192,8 @@ static void RenderFloatingPointOptions(const ToolChain &TC, const Driver &D,
 
 static void RenderAnalyzerOptions(const ArgList &Args, ArgStringList &CmdArgs,
                                   const llvm::Triple &Triple,
-                                  const InputInfo &Input) {
+                                  const InputInfo &Input,
+                                  DiagnosticsEngine &Diags) {
   // Add default argument set.
   if (!Args.hasArg(options::OPT__analyzer_no_default_checks)) {
     CmdArgs.push_back("-analyzer-checker=core");
@@ -3237,6 +3239,26 @@ static void RenderAnalyzerOptions(const ArgList &Args, ArgStringList &CmdArgs,
       CmdArgs.push_back("-analyzer-checker=security.insecureAPI.vfork");
     }
 
+    if (Triple.getEnvironment() == llvm::Triple::CheriPurecap ||
+        // FIXME: checks below should eventually become unreachable when
+        // Triple is updated to purecap in ToolChain constructor
+        (Triple.isMIPS() && tools::mips::hasMipsAbiArg(Args, "purecap")) ||
+        (Triple.isRISCV() && tools::riscv::isCheriPurecap(Args, Triple))) {
+      CmdArgs.push_back("-analyzer-checker=cheri");
+
+      // disable AmbiguousProvenance war if [-Wcheri-provenance] is disabled
+      if (Diags.getDiagnosticLevel(
+              diag::warn_ambiguous_provenance_capability_binop,
+              SourceLocation()) < DiagnosticsEngine::Warning) {
+        CmdArgs.push_back("-analyzer-config");
+        CmdArgs.push_back(
+            "cheri.ProvenanceSource:ReportForAmbiguousProvenance=false");
+      }
+
+      CmdArgs.push_back("-analyzer-checker=optin.portability.PointerAlignment");
+      CmdArgs.push_back("-analyzer-checker=alpha.core.PointerSub");
+    }
+
     // Default nullability checks.
     CmdArgs.push_back("-analyzer-checker=nullability.NullPassedToNonnull");
     CmdArgs.push_back("-analyzer-checker=nullability.NullReturnedFromNonnull");
@@ -4986,7 +5008,7 @@ void Clang::ConstructJob(Compilation &C, const JobAction &JA,
     CmdArgs.push_back("-DUNICODE");
 
   if (isa<AnalyzeJobAction>(JA))
-    RenderAnalyzerOptions(Args, CmdArgs, Triple, Input);
+    RenderAnalyzerOptions(Args, CmdArgs, Triple, Input, D.getDiags());
 
   if (isa<AnalyzeJobAction>(JA) ||
       (isa<PreprocessJobAction>(JA) && Args.hasArg(options::OPT__analyze)))