[thirdparty/gcc.git] / gcc / testsuite / gcc.dg / plugin / analyzer_kernel_plugin.c

/* Proof-of-concept of a -fanalyzer plugin for the Linux kernel.  */
/* { dg-options "-g" } */

#define INCLUDE_MEMORY
#include "gcc-plugin.h"
#include "config.h"
#include "system.h"
#include "coretypes.h"
#include "tree.h"
#include "function.h"
#include "basic-block.h"
#include "gimple.h"
#include "gimple-iterator.h"
#include "diagnostic-core.h"
#include "graphviz.h"
#include "options.h"
#include "cgraph.h"
#include "tree-dfa.h"
#include "stringpool.h"
#include "convert.h"
#include "target.h"
#include "fold-const.h"
#include "tree-pretty-print.h"
#include "diagnostic-color.h"
#include "diagnostic-metadata.h"
#include "tristate.h"
#include "bitmap.h"
#include "selftest.h"
#include "function.h"
#include "json.h"
#include "analyzer/analyzer.h"
#include "analyzer/analyzer-logging.h"
#include "ordered-hash-map.h"
#include "options.h"
#include "cgraph.h"
#include "cfg.h"
#include "digraph.h"
#include "analyzer/supergraph.h"
#include "sbitmap.h"
#include "analyzer/call-string.h"
#include "analyzer/program-point.h"
#include "analyzer/store.h"
#include "analyzer/region-model.h"
#include "analyzer/call-info.h"
#include "make-unique.h"

int plugin_is_GPL_compatible;

#if ENABLE_ANALYZER

namespace ana {

/* Implementation of "copy_from_user" and "copy_to_user".  */
  
class copy_across_boundary_fn : public known_function
{
 public:
  virtual bool untrusted_source_p () const = 0;
  virtual bool untrusted_destination_p () const = 0;

  void impl_call_pre (const call_details &cd) const final override
  {
    region_model_manager *mgr = cd.get_manager ();
    region_model *model = cd.get_model ();
    region_model_context *ctxt = cd.get_ctxt ();

    const svalue *dest_sval = cd.get_arg_svalue (0);
    const svalue *src_sval = cd.get_arg_svalue (1);
    const svalue *num_bytes_sval = cd.get_arg_svalue (2);

    const region *dest_reg = model->deref_rvalue (dest_sval,
						  cd.get_arg_tree (0),
						  ctxt);
    const region *src_reg = model->deref_rvalue (src_sval,
						 cd.get_arg_tree (1),
						 ctxt);
    if (const svalue *bounded_sval
	  = model->maybe_get_copy_bounds (src_reg, num_bytes_sval))
      num_bytes_sval = bounded_sval;

    if (tree cst = num_bytes_sval->maybe_get_constant ())
      if (zerop (cst))
	/* No-op.  */
	return;

    const region *sized_src_reg = mgr->get_sized_region (src_reg,
							 NULL_TREE,
							 num_bytes_sval);

    const svalue *copied_sval
      = model->get_store_value (sized_src_reg, ctxt);
    const region *sized_dest_reg = mgr->get_sized_region (dest_reg,
							  NULL_TREE,
							  num_bytes_sval);

    if (ctxt)
      {
	/* Bifurcate state, creating a "failure" out-edge.  */
	ctxt->bifurcate (make_unique<copy_failure> (cd));

	/* The "unbifurcated" state is the "success" case.  */
	copy_success success (cd,
			      sized_dest_reg,
			      copied_sval,
			      sized_src_reg,
			      untrusted_source_p (),
			      untrusted_destination_p ());
	success.update_model (model, NULL, ctxt);
      }
  }

 private:
  class copy_success : public success_call_info
  {
  public:
    copy_success (const call_details &cd,
		  const region *sized_dest_reg,
		  const svalue *copied_sval,
		  const region *sized_src_reg,
		  bool untrusted_source,
		  bool untrusted_destination)
    : success_call_info (cd),
      m_sized_dest_reg (sized_dest_reg),
      m_copied_sval (copied_sval),
      m_sized_src_reg (sized_src_reg),
      m_untrusted_source (untrusted_source),
      m_untrusted_destination (untrusted_destination)
    {}

    bool update_model (region_model *model,
		       const exploded_edge *,
		       region_model_context *ctxt) const final override
    {
      call_details cd (get_call_details (model, ctxt));
      model->update_for_zero_return (cd, true);
      model->set_value (m_sized_dest_reg, m_copied_sval, ctxt);
      if (ctxt && m_untrusted_source)
	model->mark_as_tainted (m_copied_sval, ctxt);
      if (m_untrusted_destination)
	model->maybe_complain_about_infoleak (m_sized_dest_reg,
					      m_copied_sval,
					      m_sized_src_reg,
					      ctxt);
      return true;
    }

    const region *m_sized_dest_reg;
    const svalue *m_copied_sval;
    const region *m_sized_src_reg;
    bool m_untrusted_source;
    bool m_untrusted_destination;
  };

  class copy_failure : public failed_call_info
  {
  public:
    copy_failure (const call_details &cd)
    : failed_call_info (cd)
    {}

    bool update_model (region_model *model,
		       const exploded_edge *,
		       region_model_context *ctxt) const final override
    {
      call_details cd (get_call_details (model, ctxt));
      model->update_for_nonzero_return (cd);
      /* Leave the destination region untouched.  */
      return true;
    }
  };
};

/* "copy_from_user".  */

class known_function_copy_from_user : public copy_across_boundary_fn
{
public:
  bool untrusted_source_p () const final override
  {
    return true;
  }
  bool untrusted_destination_p () const final override
  {
    return false;
  }
};

/* "copy_to_user".  */

class known_function_copy_to_user : public copy_across_boundary_fn
{
public:
  bool untrusted_source_p () const final override
  {
    return false;
  }
  bool untrusted_destination_p () const final override
  {
    return true;
  }
};

/* Callback handler for the PLUGIN_ANALYZER_INIT event.  */

static void
kernel_analyzer_init_cb (void *gcc_data, void */*user_data*/)
{
  ana::plugin_analyzer_init_iface *iface
    = (ana::plugin_analyzer_init_iface *)gcc_data;
  LOG_SCOPE (iface->get_logger ());
  if (0)
    inform (input_location, "got here: kernel_analyzer_init_cb");
  iface->register_known_function
    ("copy_from_user",
     make_unique<known_function_copy_from_user> ());
  iface->register_known_function ("copy_to_user",
				  make_unique<known_function_copy_to_user> ());
}

} // namespace ana

#endif /* #if ENABLE_ANALYZER */

int
plugin_init (struct plugin_name_args *plugin_info,
	     struct plugin_gcc_version *version)
{
#if ENABLE_ANALYZER
  const char *plugin_name = plugin_info->base_name;
  if (0)
    inform (input_location, "got here; %qs", plugin_name);
  register_callback (plugin_info->base_name,
		     PLUGIN_ANALYZER_INIT,
		     ana::kernel_analyzer_init_cb,
		     NULL); /* void *user_data */
#else
  sorry_no_analyzer ();
#endif
  return 0;
}
Commit	Line	Data
c81b60b8 DM	1	/* Proof-of-concept of a -fanalyzer plugin for the Linux kernel. */
	2	/* { dg-options "-g" } */
	3
6341f14e	4	#define INCLUDE_MEMORY
c81b60b8 DM	5	#include "gcc-plugin.h"
	6	#include "config.h"
	7	#include "system.h"
	8	#include "coretypes.h"
	9	#include "tree.h"
	10	#include "function.h"
	11	#include "basic-block.h"
	12	#include "gimple.h"
	13	#include "gimple-iterator.h"
	14	#include "diagnostic-core.h"
	15	#include "graphviz.h"
	16	#include "options.h"
	17	#include "cgraph.h"
	18	#include "tree-dfa.h"
	19	#include "stringpool.h"
	20	#include "convert.h"
	21	#include "target.h"
	22	#include "fold-const.h"
	23	#include "tree-pretty-print.h"
	24	#include "diagnostic-color.h"
	25	#include "diagnostic-metadata.h"
	26	#include "tristate.h"
	27	#include "bitmap.h"
	28	#include "selftest.h"
	29	#include "function.h"
	30	#include "json.h"
	31	#include "analyzer/analyzer.h"
	32	#include "analyzer/analyzer-logging.h"
	33	#include "ordered-hash-map.h"
	34	#include "options.h"
	35	#include "cgraph.h"
	36	#include "cfg.h"
	37	#include "digraph.h"
	38	#include "analyzer/supergraph.h"
	39	#include "sbitmap.h"
	40	#include "analyzer/call-string.h"
	41	#include "analyzer/program-point.h"
	42	#include "analyzer/store.h"
	43	#include "analyzer/region-model.h"
	44	#include "analyzer/call-info.h"
accece8c	45	#include "make-unique.h"
c81b60b8 DM	46
	47	int plugin_is_GPL_compatible;
	48
	49	#if ENABLE_ANALYZER
	50
	51	namespace ana {
	52
	53	/* Implementation of "copy_from_user" and "copy_to_user". */
	54
	55	class copy_across_boundary_fn : public known_function
	56	{
	57	public:
	58	virtual bool untrusted_source_p () const = 0;
	59	virtual bool untrusted_destination_p () const = 0;
	60
	61	void impl_call_pre (const call_details &cd) const final override
	62	{
	63	region_model_manager *mgr = cd.get_manager ();
	64	region_model *model = cd.get_model ();
	65	region_model_context *ctxt = cd.get_ctxt ();
	66
	67	const svalue *dest_sval = cd.get_arg_svalue (0);
	68	const svalue *src_sval = cd.get_arg_svalue (1);
	69	const svalue *num_bytes_sval = cd.get_arg_svalue (2);
	70
	71	const region *dest_reg = model->deref_rvalue (dest_sval,
	72	cd.get_arg_tree (0),
	73	ctxt);
	74	const region *src_reg = model->deref_rvalue (src_sval,
	75	cd.get_arg_tree (1),
	76	ctxt);
	77	if (const svalue *bounded_sval
	78	= model->maybe_get_copy_bounds (src_reg, num_bytes_sval))
	79	num_bytes_sval = bounded_sval;
	80
	81	if (tree cst = num_bytes_sval->maybe_get_constant ())
	82	if (zerop (cst))
	83	/* No-op. */
	84	return;
	85
	86	const region *sized_src_reg = mgr->get_sized_region (src_reg,
	87	NULL_TREE,
	88	num_bytes_sval);
	89
	90	const svalue *copied_sval
	91	= model->get_store_value (sized_src_reg, ctxt);
	92	const region *sized_dest_reg = mgr->get_sized_region (dest_reg,
	93	NULL_TREE,
	94	num_bytes_sval);
	95
	96	if (ctxt)
	97	{
	98	/* Bifurcate state, creating a "failure" out-edge. */
accece8c	99	ctxt->bifurcate (make_unique<copy_failure> (cd));
c81b60b8 DM	100
	101	/* The "unbifurcated" state is the "success" case. */
	102	copy_success success (cd,
	103	sized_dest_reg,
	104	copied_sval,
	105	sized_src_reg,
	106	untrusted_source_p (),
	107	untrusted_destination_p ());
	108	success.update_model (model, NULL, ctxt);
	109	}
	110	}
	111
	112	private:
	113	class copy_success : public success_call_info
	114	{
	115	public:
	116	copy_success (const call_details &cd,
	117	const region *sized_dest_reg,
	118	const svalue *copied_sval,
	119	const region *sized_src_reg,
	120	bool untrusted_source,
	121	bool untrusted_destination)
	122	: success_call_info (cd),
	123	m_sized_dest_reg (sized_dest_reg),
	124	m_copied_sval (copied_sval),
	125	m_sized_src_reg (sized_src_reg),
	126	m_untrusted_source (untrusted_source),
	127	m_untrusted_destination (untrusted_destination)
	128	{}
	129
	130	bool update_model (region_model *model,
	131	const exploded_edge *,
	132	region_model_context *ctxt) const final override
	133	{
	134	call_details cd (get_call_details (model, ctxt));
	135	model->update_for_zero_return (cd, true);
	136	model->set_value (m_sized_dest_reg, m_copied_sval, ctxt);
	137	if (ctxt && m_untrusted_source)
	138	model->mark_as_tainted (m_copied_sval, ctxt);
	139	if (m_untrusted_destination)
	140	model->maybe_complain_about_infoleak (m_sized_dest_reg,
	141	m_copied_sval,
	142	m_sized_src_reg,
	143	ctxt);
	144	return true;
	145	}
	146
	147	const region *m_sized_dest_reg;
	148	const svalue *m_copied_sval;
	149	const region *m_sized_src_reg;
	150	bool m_untrusted_source;
	151	bool m_untrusted_destination;
	152	};
	153
	154	class copy_failure : public failed_call_info
	155	{
	156	public:
	157	copy_failure (const call_details &cd)
	158	: failed_call_info (cd)
	159	{}
	160
	161	bool update_model (region_model *model,
	162	const exploded_edge *,
	163	region_model_context *ctxt) const final override
164	{
165	call_details cd (get_call_details (model, ctxt));
166	model->update_for_nonzero_return (cd);
167	/* Leave the destination region untouched. */
168	return true;
169	}
170	};
171	};
172
173	/* "copy_from_user". */
174
175	class known_function_copy_from_user : public copy_across_boundary_fn
176	{
177	public:
178	bool untrusted_source_p () const final override
179	{
180	return true;
181	}
182	bool untrusted_destination_p () const final override
183	{
184	return false;
185	}
186	};
187
188	/* "copy_to_user". */
189
190	class known_function_copy_to_user : public copy_across_boundary_fn
191	{
192	public:
193	bool untrusted_source_p () const final override
194	{
195	return false;
196	}
197	bool untrusted_destination_p () const final override
198	{
199	return true;
200	}
201	};
202
203	/* Callback handler for the PLUGIN_ANALYZER_INIT event. */
204
205	static void
206	kernel_analyzer_init_cb (void gcc_data, void /user_data/)
207	{
208	ana::plugin_analyzer_init_iface *iface
209	= (ana::plugin_analyzer_init_iface *)gcc_data;
210	LOG_SCOPE (iface->get_logger ());
211	if (0)
212	inform (input_location, "got here: kernel_analyzer_init_cb");
76dd2c4f DM	213	iface->register_known_function
	214	("copy_from_user",
	215	make_unique<known_function_copy_from_user> ());
c81b60b8	216	iface->register_known_function ("copy_to_user",
76dd2c4f	217	make_unique<known_function_copy_to_user> ());
c81b60b8 DM	218	}
	219
	220	} // namespace ana
	221
	222	#endif /* #if ENABLE_ANALYZER */
	223
	224	int
	225	plugin_init (struct plugin_name_args *plugin_info,
	226	struct plugin_gcc_version *version)
	227	{
	228	#if ENABLE_ANALYZER
	229	const char *plugin_name = plugin_info->base_name;
	230	if (0)
	231	inform (input_location, "got here; %qs", plugin_name);
	232	register_callback (plugin_info->base_name,
	233	PLUGIN_ANALYZER_INIT,
	234	ana::kernel_analyzer_init_cb,
	235	NULL); /* void user_data /
	236	#else
	237	sorry_no_analyzer ();
	238	#endif
	239	return 0;
	240	}