gcc/analyzer/sm-signal.cc

   1 /* An experimental state machine, for tracking bad calls from within
   2    signal handlers.
   3
   4    Copyright (C) 2019-2020 Free Software Foundation, Inc.
   5    Contributed by David Malcolm <dmalcolm@redhat.com>.
   6
   7 This file is part of GCC.
   8
   9 GCC is free software; you can redistribute it and/or modify it
  10 under the terms of the GNU General Public License as published by
  11 the Free Software Foundation; either version 3, or (at your option)
  12 any later version.
  13
  14 GCC is distributed in the hope that it will be useful, but
  15 WITHOUT ANY WARRANTY; without even the implied warranty of
  16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  17 General Public License for more details.
  18
  19 You should have received a copy of the GNU General Public License
  20 along with GCC; see the file COPYING3.  If not see
  21 <http://www.gnu.org/licenses/>.  */
  22
  23 #include "config.h"
  24 #include "system.h"
  25 #include "coretypes.h"
  26 #include "tree.h"
  27 #include "function.h"
  28 #include "basic-block.h"
  29 #include "gimple.h"
  30 #include "options.h"
  31 #include "bitmap.h"
  32 #include "diagnostic-path.h"
  33 #include "diagnostic-metadata.h"
  34 #include "function.h"
  35 #include "analyzer/analyzer.h"
  36 #include "diagnostic-event-id.h"
  37 #include "analyzer/analyzer-logging.h"
  38 #include "analyzer/sm.h"
  39 #include "analyzer/pending-diagnostic.h"
  40 #include "sbitmap.h"
  41 #include "tristate.h"
  42 #include "ordered-hash-map.h"
  43 #include "selftest.h"
  44 #include "analyzer/region-model.h"
  45 #include "analyzer/program-state.h"
  46 #include "analyzer/checker-path.h"
  47 #include "digraph.h"
  48 #include "cfg.h"
  49 #include "gimple-iterator.h"
  50 #include "cgraph.h"
  51 #include "analyzer/supergraph.h"
  52 #include "analyzer/call-string.h"
  53 #include "analyzer/program-point.h"
  54 #include "alloc-pool.h"
  55 #include "fibonacci_heap.h"
  56 #include "analyzer/diagnostic-manager.h"
  57 #include "shortest-paths.h"
  58 #include "analyzer/exploded-graph.h"
  59 #include "analyzer/function-set.h"
  60 #include "analyzer/analyzer-selftests.h"
  61
  62 #if ENABLE_ANALYZER
  63
  64 namespace {
  65
  66 /* An experimental state machine, for tracking calls to async-signal-unsafe
  67    functions from within signal handlers.  */
  68
  69 class signal_state_machine : public state_machine
  70 {
  71 public:
  72   signal_state_machine (logger *logger);
  73
  74   bool inherited_state_p () const FINAL OVERRIDE { return false; }
  75
  76   bool on_stmt (sm_context *sm_ctxt,
  77                 const supernode *node,
  78                 const gimple *stmt) const FINAL OVERRIDE;
  79
  80   void on_condition (sm_context *sm_ctxt,
  81                      const supernode *node,
  82                      const gimple *stmt,
  83                      tree lhs,
  84                      enum tree_code op,
  85                      tree rhs) const FINAL OVERRIDE;
  86
  87   bool can_purge_p (state_t s) const FINAL OVERRIDE;
  88
  89   /* These states are "global", rather than per-expression.  */
  90
  91   /* Start state.  */
  92   state_t m_start;
  93
  94   /* State for when we're in a signal handler.  */
  95   state_t m_in_signal_handler;
  96
  97   /* Stop state.  */
  98   state_t m_stop;
  99 };
 100
 101 /* Concrete subclass for describing call to an async-signal-unsafe function
 102    from a signal handler.  */
 103
 104 class signal_unsafe_call
 105   : public pending_diagnostic_subclass<signal_unsafe_call>
 106 {
 107 public:
 108   signal_unsafe_call (const signal_state_machine &sm, const gcall *unsafe_call,
 109                       tree unsafe_fndecl)
 110   : m_sm (sm), m_unsafe_call (unsafe_call), m_unsafe_fndecl (unsafe_fndecl)
 111   {
 112     gcc_assert (m_unsafe_fndecl);
 113   }
 114
 115   const char *get_kind () const FINAL OVERRIDE { return "signal_unsafe_call"; }
 116
 117   bool operator== (const signal_unsafe_call &other) const
 118   {
 119     return m_unsafe_call == other.m_unsafe_call;
 120   }
 121
 122   bool emit (rich_location *rich_loc) FINAL OVERRIDE
 123   {
 124     diagnostic_metadata m;
 125     /* CWE-479: Signal Handler Use of a Non-reentrant Function.  */
 126     m.add_cwe (479);
 127     return warning_at (rich_loc, m,
 128                        OPT_Wanalyzer_unsafe_call_within_signal_handler,
 129                        "call to %qD from within signal handler",
 130                        m_unsafe_fndecl);
 131   }
 132
 133   label_text describe_state_change (const evdesc::state_change &change)
 134     FINAL OVERRIDE
 135   {
 136     if (change.is_global_p ()
 137         && change.m_new_state == m_sm.m_in_signal_handler)
 138       {
 139         function *handler
 140           = change.m_event.m_dst_state.m_region_model->get_current_function ();
 141         return change.formatted_print ("registering %qD as signal handler",
 142                                        handler->decl);
 143       }
 144     return label_text ();
 145   }
 146
 147   label_text describe_final_event (const evdesc::final_event &ev) FINAL OVERRIDE
 148   {
 149     return ev.formatted_print ("call to %qD from within signal handler",
 150                                m_unsafe_fndecl);
 151   }
 152
 153 private:
 154   const signal_state_machine &m_sm;
 155   const gcall *m_unsafe_call;
 156   tree m_unsafe_fndecl;
 157 };
 158
 159 /* signal_state_machine's ctor.  */
 160
 161 signal_state_machine::signal_state_machine (logger *logger)
 162 : state_machine ("signal", logger)
 163 {
 164   m_start = add_state ("start");
 165   m_in_signal_handler = add_state ("in_signal_handler");
 166   m_stop = add_state ("stop");
 167 }
 168
 169 /* Update MODEL for edges that simulate HANDLER_FUN being called as
 170    an signal-handler in response to a signal.  */
 171
 172 static void
 173 update_model_for_signal_handler (region_model *model,
 174                                  function *handler_fun)
 175 {
 176   /* Purge all state within MODEL.  */
 177   *model = region_model ();
 178   model->push_frame (handler_fun, NULL, NULL);
 179 }
 180
 181 /* Custom exploded_edge info: entry into a signal-handler.  */
 182
 183 class signal_delivery_edge_info_t : public exploded_edge::custom_info_t
 184 {
 185 public:
 186   void print (pretty_printer *pp) FINAL OVERRIDE
 187   {
 188     pp_string (pp, "signal delivered");
 189   }
 190
 191   void update_model (region_model *model,
 192                      const exploded_edge &eedge) FINAL OVERRIDE
 193   {
 194     update_model_for_signal_handler (model, eedge.m_dest->get_function ());
 195   }
 196
 197   void add_events_to_path (checker_path *emission_path,
 198                            const exploded_edge &eedge ATTRIBUTE_UNUSED)
 199     FINAL OVERRIDE
 200   {
 201     emission_path->add_event
 202       (new custom_event (UNKNOWN_LOCATION, NULL_TREE, 0,
 203                          "later on,"
 204                          " when the signal is delivered to the process"));
 205   }
 206 };
 207
 208 /* Concrete subclass of custom_transition for modeling registration of a
 209    signal handler and the signal handler later being called.  */
 210
 211 class register_signal_handler : public custom_transition
 212 {
 213 public:
 214   register_signal_handler (const signal_state_machine &sm,
 215                            tree fndecl)
 216   : m_sm (sm), m_fndecl (fndecl) {}
 217
 218   /* Model a signal-handler FNDECL being called at some later point
 219      by injecting an edge to a new function-entry node with an empty
 220      callstring, setting the 'in-signal-handler' global state
 221      on the node.  */
 222   void impl_transition (exploded_graph *eg,
 223                         exploded_node *src_enode,
 224                         int sm_idx) FINAL OVERRIDE
 225   {
 226     function *handler_fun = DECL_STRUCT_FUNCTION (m_fndecl);
 227     if (!handler_fun)
 228       return;
 229     program_point entering_handler
 230       = program_point::from_function_entry (eg->get_supergraph (),
 231                                             handler_fun);
 232
 233     program_state state_entering_handler (eg->get_ext_state ());
 234     update_model_for_signal_handler (state_entering_handler.m_region_model,
 235                                      handler_fun);
 236     state_entering_handler.m_checker_states[sm_idx]->set_global_state
 237       (m_sm.m_in_signal_handler);
 238
 239     exploded_node *dst_enode = eg->get_or_create_node (entering_handler,
 240                                                        state_entering_handler,
 241                                                        NULL);
 242     if (dst_enode)
 243       eg->add_edge (src_enode, dst_enode, NULL, state_change (),
 244                     new signal_delivery_edge_info_t ());
 245   }
 246
 247   const signal_state_machine &m_sm;
 248   tree m_fndecl;
 249 };
 250
 251 /* Get a set of functions that are known to be unsafe to call from an
 252    async signal handler.  */
 253
 254 static function_set
 255 get_async_signal_unsafe_fns ()
 256 {
 257   // TODO: populate this list more fully
 258   static const char * const async_signal_unsafe_fns[] = {
 259     /* This array must be kept sorted.  */
 260     "fprintf",
 261     "free",
 262     "malloc",
 263     "printf",
 264     "snprintf",
 265     "sprintf",
 266     "vfprintf",
 267     "vprintf",
 268     "vsnprintf",
 269     "vsprintf"
 270   };
 271   const size_t count
 272     = sizeof(async_signal_unsafe_fns) / sizeof (async_signal_unsafe_fns[0]);
 273   function_set fs (async_signal_unsafe_fns, count);
 274   return fs;
 275 };
 276
 277 /* Return true if FNDECL is known to be unsafe to call from a signal
 278    handler.  */
 279
 280 static bool
 281 signal_unsafe_p (tree fndecl)
 282 {
 283   function_set fs = get_async_signal_unsafe_fns ();
 284   return fs.contains_decl_p (fndecl);
 285 }
 286
 287 /* Implementation of state_machine::on_stmt vfunc for signal_state_machine.  */
 288
 289 bool
 290 signal_state_machine::on_stmt (sm_context *sm_ctxt,
 291                                const supernode *node,
 292                                const gimple *stmt) const
 293 {
 294   const state_t global_state = sm_ctxt->get_global_state ();
 295   if (global_state == m_start)
 296     {
 297       if (const gcall *call = dyn_cast <const gcall *> (stmt))
 298         if (tree callee_fndecl = sm_ctxt->get_fndecl_for_call (call))
 299           if (is_named_call_p (callee_fndecl, "signal", call, 2))
 300             {
 301               tree handler = gimple_call_arg (call, 1);
 302               if (TREE_CODE (handler) == ADDR_EXPR
 303                   && TREE_CODE (TREE_OPERAND (handler, 0)) == FUNCTION_DECL)
 304                 {
 305                   tree fndecl = TREE_OPERAND (handler, 0);
 306                   register_signal_handler rsh (*this, fndecl);
 307                   sm_ctxt->on_custom_transition (&rsh);
 308                 }
 309             }
 310     }
 311   else if (global_state == m_in_signal_handler)
 312     {
 313       if (const gcall *call = dyn_cast <const gcall *> (stmt))
 314         if (tree callee_fndecl = sm_ctxt->get_fndecl_for_call (call))
 315           if (signal_unsafe_p (callee_fndecl))
 316             sm_ctxt->warn_for_state (node, stmt, NULL_TREE, m_in_signal_handler,
 317                                      new signal_unsafe_call (*this, call,
 318                                                              callee_fndecl));
 319     }
 320
 321   return false;
 322 }
 323
 324 /* Implementation of state_machine::on_condition vfunc for
 325    signal_state_machine.  */
 326
 327 void
 328 signal_state_machine::on_condition (sm_context *sm_ctxt ATTRIBUTE_UNUSED,
 329                                     const supernode *node ATTRIBUTE_UNUSED,
 330                                     const gimple *stmt ATTRIBUTE_UNUSED,
 331                                     tree lhs ATTRIBUTE_UNUSED,
 332                                     enum tree_code op ATTRIBUTE_UNUSED,
 333                                     tree rhs ATTRIBUTE_UNUSED) const
 334 {
 335   // Empty
 336 }
 337
 338 bool
 339 signal_state_machine::can_purge_p (state_t s ATTRIBUTE_UNUSED) const
 340 {
 341   return true;
 342 }
 343
 344 } // anonymous namespace
 345
 346 /* Internal interface to this file. */
 347
 348 state_machine *
 349 make_signal_state_machine (logger *logger)
 350 {
 351   return new signal_state_machine (logger);
 352 }
 353
 354 #if CHECKING_P
 355
 356 namespace selftest {
 357
 358 /* Run all of the selftests within this file.  */
 359
 360 void
 361 analyzer_sm_signal_cc_tests ()
 362 {
 363   function_set fs = get_async_signal_unsafe_fns ();
 364   fs.assert_sorted ();
 365   fs.assert_sane ();
 366 }
 367
 368 } // namespace selftest
 369
 370 #endif /* CHECKING_P */
 371 #endif /* #if ENABLE_ANALYZER */