[thirdparty/gcc.git] / gcc / testsuite / gcc.dg / plugin / analyzer_kernel_plugin.c

/* Proof-of-concept of a -fanalyzer plugin for the Linux kernel.  */
/* { dg-options "-g" } */

#define INCLUDE_MEMORY
#include "gcc-plugin.h"
#include "config.h"
#include "system.h"
#include "coretypes.h"
#include "tree.h"
#include "function.h"
#include "basic-block.h"
#include "gimple.h"
#include "gimple-iterator.h"
#include "diagnostic-core.h"
#include "graphviz.h"
#include "options.h"
#include "cgraph.h"
#include "tree-dfa.h"
#include "stringpool.h"
#include "convert.h"
#include "target.h"
#include "fold-const.h"
#include "tree-pretty-print.h"
#include "diagnostic-color.h"
#include "diagnostic-metadata.h"
#include "tristate.h"
#include "bitmap.h"
#include "selftest.h"
#include "function.h"
#include "json.h"
#include "analyzer/analyzer.h"
#include "analyzer/analyzer-logging.h"
#include "ordered-hash-map.h"
#include "options.h"
#include "cgraph.h"
#include "cfg.h"
#include "digraph.h"
#include "analyzer/supergraph.h"
#include "sbitmap.h"
#include "analyzer/call-string.h"
#include "analyzer/program-point.h"
#include "analyzer/store.h"
#include "analyzer/region-model.h"
#include "analyzer/call-info.h"

int plugin_is_GPL_compatible;

#if ENABLE_ANALYZER

namespace ana {

/* Implementation of "copy_from_user" and "copy_to_user".  */
  
class copy_across_boundary_fn : public known_function
{
 public:
  virtual bool untrusted_source_p () const = 0;
  virtual bool untrusted_destination_p () const = 0;

  void impl_call_pre (const call_details &cd) const final override
  {
    region_model_manager *mgr = cd.get_manager ();
    region_model *model = cd.get_model ();
    region_model_context *ctxt = cd.get_ctxt ();

    const svalue *dest_sval = cd.get_arg_svalue (0);
    const svalue *src_sval = cd.get_arg_svalue (1);
    const svalue *num_bytes_sval = cd.get_arg_svalue (2);

    const region *dest_reg = model->deref_rvalue (dest_sval,
						  cd.get_arg_tree (0),
						  ctxt);
    const region *src_reg = model->deref_rvalue (src_sval,
						 cd.get_arg_tree (1),
						 ctxt);
    if (const svalue *bounded_sval
	  = model->maybe_get_copy_bounds (src_reg, num_bytes_sval))
      num_bytes_sval = bounded_sval;

    if (tree cst = num_bytes_sval->maybe_get_constant ())
      if (zerop (cst))
	/* No-op.  */
	return;

    const region *sized_src_reg = mgr->get_sized_region (src_reg,
							 NULL_TREE,
							 num_bytes_sval);

    const svalue *copied_sval
      = model->get_store_value (sized_src_reg, ctxt);
    const region *sized_dest_reg = mgr->get_sized_region (dest_reg,
							  NULL_TREE,
							  num_bytes_sval);

    if (ctxt)
      {
	/* Bifurcate state, creating a "failure" out-edge.  */
	ctxt->bifurcate (new copy_failure (cd));

	/* The "unbifurcated" state is the "success" case.  */
	copy_success success (cd,
			      sized_dest_reg,
			      copied_sval,
			      sized_src_reg,
			      untrusted_source_p (),
			      untrusted_destination_p ());
	success.update_model (model, NULL, ctxt);
      }
  }

 private:
  class copy_success : public success_call_info
  {
  public:
    copy_success (const call_details &cd,
		  const region *sized_dest_reg,
		  const svalue *copied_sval,
		  const region *sized_src_reg,
		  bool untrusted_source,
		  bool untrusted_destination)
    : success_call_info (cd),
      m_sized_dest_reg (sized_dest_reg),
      m_copied_sval (copied_sval),
      m_sized_src_reg (sized_src_reg),
      m_untrusted_source (untrusted_source),
      m_untrusted_destination (untrusted_destination)
    {}

    bool update_model (region_model *model,
		       const exploded_edge *,
		       region_model_context *ctxt) const final override
    {
      call_details cd (get_call_details (model, ctxt));
      model->update_for_zero_return (cd, true);
      model->set_value (m_sized_dest_reg, m_copied_sval, ctxt);
      if (ctxt && m_untrusted_source)
	model->mark_as_tainted (m_copied_sval, ctxt);
      if (m_untrusted_destination)
	model->maybe_complain_about_infoleak (m_sized_dest_reg,
					      m_copied_sval,
					      m_sized_src_reg,
					      ctxt);
      return true;
    }

    const region *m_sized_dest_reg;
    const svalue *m_copied_sval;
    const region *m_sized_src_reg;
    bool m_untrusted_source;
    bool m_untrusted_destination;
  };

  class copy_failure : public failed_call_info
  {
  public:
    copy_failure (const call_details &cd)
    : failed_call_info (cd)
    {}

    bool update_model (region_model *model,
		       const exploded_edge *,
		       region_model_context *ctxt) const final override
    {
      call_details cd (get_call_details (model, ctxt));
      model->update_for_nonzero_return (cd);
      /* Leave the destination region untouched.  */
      return true;
    }
  };
};

/* "copy_from_user".  */

class known_function_copy_from_user : public copy_across_boundary_fn
{
public:
  bool untrusted_source_p () const final override
  {
    return true;
  }
  bool untrusted_destination_p () const final override
  {
    return false;
  }
};

/* "copy_to_user".  */

class known_function_copy_to_user : public copy_across_boundary_fn
{
public:
  bool untrusted_source_p () const final override
  {
    return false;
  }
  bool untrusted_destination_p () const final override
  {
    return true;
  }
};

/* Callback handler for the PLUGIN_ANALYZER_INIT event.  */

static void
kernel_analyzer_init_cb (void *gcc_data, void */*user_data*/)
{
  ana::plugin_analyzer_init_iface *iface
    = (ana::plugin_analyzer_init_iface *)gcc_data;
  LOG_SCOPE (iface->get_logger ());
  if (0)
    inform (input_location, "got here: kernel_analyzer_init_cb");
  iface->register_known_function ("copy_from_user",
				  new known_function_copy_from_user ());
  iface->register_known_function ("copy_to_user",
				  new known_function_copy_to_user ());
}

} // namespace ana

#endif /* #if ENABLE_ANALYZER */

int
plugin_init (struct plugin_name_args *plugin_info,
	     struct plugin_gcc_version *version)
{
#if ENABLE_ANALYZER
  const char *plugin_name = plugin_info->base_name;
  if (0)
    inform (input_location, "got here; %qs", plugin_name);
  register_callback (plugin_info->base_name,
		     PLUGIN_ANALYZER_INIT,
		     ana::kernel_analyzer_init_cb,
		     NULL); /* void *user_data */
#else
  sorry_no_analyzer ();
#endif
  return 0;
}
Commit	Line	Data
c81b60b8 DM	1	/* Proof-of-concept of a -fanalyzer plugin for the Linux kernel. */
	2	/* { dg-options "-g" } */
	3
6341f14e	4	#define INCLUDE_MEMORY
c81b60b8 DM	5	#include "gcc-plugin.h"
	6	#include "config.h"
	7	#include "system.h"
	8	#include "coretypes.h"
	9	#include "tree.h"
	10	#include "function.h"
	11	#include "basic-block.h"
	12	#include "gimple.h"
	13	#include "gimple-iterator.h"
	14	#include "diagnostic-core.h"
	15	#include "graphviz.h"
	16	#include "options.h"
	17	#include "cgraph.h"
	18	#include "tree-dfa.h"
	19	#include "stringpool.h"
	20	#include "convert.h"
	21	#include "target.h"
	22	#include "fold-const.h"
	23	#include "tree-pretty-print.h"
	24	#include "diagnostic-color.h"
	25	#include "diagnostic-metadata.h"
	26	#include "tristate.h"
	27	#include "bitmap.h"
	28	#include "selftest.h"
	29	#include "function.h"
	30	#include "json.h"
	31	#include "analyzer/analyzer.h"
	32	#include "analyzer/analyzer-logging.h"
	33	#include "ordered-hash-map.h"
	34	#include "options.h"
	35	#include "cgraph.h"
	36	#include "cfg.h"
	37	#include "digraph.h"
	38	#include "analyzer/supergraph.h"
	39	#include "sbitmap.h"
	40	#include "analyzer/call-string.h"
	41	#include "analyzer/program-point.h"
	42	#include "analyzer/store.h"
	43	#include "analyzer/region-model.h"
	44	#include "analyzer/call-info.h"
	45
	46	int plugin_is_GPL_compatible;
	47
	48	#if ENABLE_ANALYZER
	49
	50	namespace ana {
	51
	52	/* Implementation of "copy_from_user" and "copy_to_user". */
	53
	54	class copy_across_boundary_fn : public known_function
	55	{
	56	public:
	57	virtual bool untrusted_source_p () const = 0;
	58	virtual bool untrusted_destination_p () const = 0;
	59
	60	void impl_call_pre (const call_details &cd) const final override
	61	{
	62	region_model_manager *mgr = cd.get_manager ();
	63	region_model *model = cd.get_model ();
	64	region_model_context *ctxt = cd.get_ctxt ();
	65
	66	const svalue *dest_sval = cd.get_arg_svalue (0);
	67	const svalue *src_sval = cd.get_arg_svalue (1);
	68	const svalue *num_bytes_sval = cd.get_arg_svalue (2);
69
70	const region *dest_reg = model->deref_rvalue (dest_sval,
71	cd.get_arg_tree (0),
72	ctxt);
73	const region *src_reg = model->deref_rvalue (src_sval,
74	cd.get_arg_tree (1),
75	ctxt);
76	if (const svalue *bounded_sval
77	= model->maybe_get_copy_bounds (src_reg, num_bytes_sval))
78	num_bytes_sval = bounded_sval;
79
80	if (tree cst = num_bytes_sval->maybe_get_constant ())
81	if (zerop (cst))
82	/* No-op. */
83	return;
84
85	const region *sized_src_reg = mgr->get_sized_region (src_reg,
86	NULL_TREE,
87	num_bytes_sval);
88
89	const svalue *copied_sval
90	= model->get_store_value (sized_src_reg, ctxt);
91	const region *sized_dest_reg = mgr->get_sized_region (dest_reg,
92	NULL_TREE,
93	num_bytes_sval);
94
95	if (ctxt)
96	{
97	/* Bifurcate state, creating a "failure" out-edge. */
98	ctxt->bifurcate (new copy_failure (cd));
99
100	/* The "unbifurcated" state is the "success" case. */
101	copy_success success (cd,
102	sized_dest_reg,
103	copied_sval,
104	sized_src_reg,
105	untrusted_source_p (),
106	untrusted_destination_p ());
107	success.update_model (model, NULL, ctxt);
108	}
109	}
110
111	private:
112	class copy_success : public success_call_info
113	{
114	public:
115	copy_success (const call_details &cd,
116	const region *sized_dest_reg,
117	const svalue *copied_sval,
118	const region *sized_src_reg,
119	bool untrusted_source,
120	bool untrusted_destination)
121	: success_call_info (cd),
122	m_sized_dest_reg (sized_dest_reg),
123	m_copied_sval (copied_sval),
124	m_sized_src_reg (sized_src_reg),
125	m_untrusted_source (untrusted_source),
126	m_untrusted_destination (untrusted_destination)
127	{}
128
129	bool update_model (region_model *model,
130	const exploded_edge *,
131	region_model_context *ctxt) const final override
132	{
133	call_details cd (get_call_details (model, ctxt));
134	model->update_for_zero_return (cd, true);
135	model->set_value (m_sized_dest_reg, m_copied_sval, ctxt);
136	if (ctxt && m_untrusted_source)
137	model->mark_as_tainted (m_copied_sval, ctxt);
138	if (m_untrusted_destination)
139	model->maybe_complain_about_infoleak (m_sized_dest_reg,
140	m_copied_sval,
141	m_sized_src_reg,
142	ctxt);
143	return true;
144	}
145
146	const region *m_sized_dest_reg;
147	const svalue *m_copied_sval;
148	const region *m_sized_src_reg;
149	bool m_untrusted_source;
150	bool m_untrusted_destination;
151	};
152
153	class copy_failure : public failed_call_info
154	{
155	public:
156	copy_failure (const call_details &cd)
157	: failed_call_info (cd)
158	{}
159
160	bool update_model (region_model *model,
161	const exploded_edge *,
162	region_model_context *ctxt) const final override
163	{
164	call_details cd (get_call_details (model, ctxt));
165	model->update_for_nonzero_return (cd);
166	/* Leave the destination region untouched. */
167	return true;
168	}
169	};
170	};
171
172	/* "copy_from_user". */
173
174	class known_function_copy_from_user : public copy_across_boundary_fn
175	{
176	public:
177	bool untrusted_source_p () const final override
178	{
179	return true;
180	}
181	bool untrusted_destination_p () const final override
182	{
183	return false;
184	}
185	};
186
187	/* "copy_to_user". */
188
189	class known_function_copy_to_user : public copy_across_boundary_fn
190	{
191	public:
192	bool untrusted_source_p () const final override
193	{
194	return false;
195	}
196	bool untrusted_destination_p () const final override
197	{
198	return true;
199	}
200	};
201
202	/* Callback handler for the PLUGIN_ANALYZER_INIT event. */
203
204	static void
205	kernel_analyzer_init_cb (void gcc_data, void /user_data/)
206	{
207	ana::plugin_analyzer_init_iface *iface
208	= (ana::plugin_analyzer_init_iface *)gcc_data;
209	LOG_SCOPE (iface->get_logger ());
210	if (0)
211	inform (input_location, "got here: kernel_analyzer_init_cb");
212	iface->register_known_function ("copy_from_user",
213	new known_function_copy_from_user ());
214	iface->register_known_function ("copy_to_user",
215	new known_function_copy_to_user ());
216	}
217
218	} // namespace ana
219
220	#endif /* #if ENABLE_ANALYZER */
221
222	int
223	plugin_init (struct plugin_name_args *plugin_info,
224	struct plugin_gcc_version *version)
225	{
226	#if ENABLE_ANALYZER
227	const char *plugin_name = plugin_info->base_name;
228	if (0)
229	inform (input_location, "got here; %qs", plugin_name);
230	register_callback (plugin_info->base_name,
231	PLUGIN_ANALYZER_INIT,
232	ana::kernel_analyzer_init_cb,
233	NULL); /* void user_data /
234	#else
235	sorry_no_analyzer ();
236	#endif
237	return 0;
238	}