CHERI CSA: CHERI support for Clang Static Analyzer + cheri.* Checkers #744

eupharina · 2024-06-28T10:48:43Z

Fix CSA crashes when compiling for CHERI
Few CSA core improvements
- Support non-constant offsets to ElementRegion
- Add provenance bit to LocAsInteger
- Improve LocAsInt arithmetic support
New checkers
- cheri.CapabilityCopy Check tag-stripping memory copy.
- cheri.CheriAPIModelling Model CheriAPI
- cheri.PointerSizeAssumptions Detect hardcoded expectations on pointer sizes
- cheri.ProvenanceSource Check expressions with ambiguous provenance source.
- cheri.SubObjectRepresentability Check for record fields with unrepresentable subobject bounds
- optin.portability.PointerAlignment Check underaligned pointers
- alpha.cheri.Allocation (Enable only for development!) Suggest narrowing bounds for escaping suballocation capabilities

Detects tag-stripping loads and stores that may be used to copy or swap capabilities

…d globals

Rely on ElementRegion type alignment solely when shift value is unknown Except for char shifts

…nment

…n to warning

ProvenanceSourceChecker, CapabilityCopyChecker, CapabilityAlignmentChecker

…ryOperator

Report warning when an underaligned pointer gets converted or stored as a capability-aligned pointer value for the first time. Do not report if it already has a strictly-aligned type.

Rework detection of addresses of capability-containing regions and generic regions (those that are intended to hold arbitrary data) by analyzing address Symbol type and origin.

…ning

…i-compressed-cap

… BugType

eupharina added 30 commits June 27, 2024 11:42

[CHERI-CSA] Allow ASTContext::getIntWidth() for reference type

f94a9e9

[CHERI-CSA] Use type IntWidth instead of TypeSize for NULL ptr SVal

fb1708e

[CHERI-CSA] Improve LocAsInt arithmetic support

89216c9

[CHERI-CSA] Add provenance bit to LocAsInteger

9066768

[analyzer] scan-build: Retain -nostdinc++ option

5af293b

[CHERI-CSA] Add alpha.cheri.ProvenanceSourceChecker

44ffe23

[CHERI-CSA] ProvenanceSourceChecker: add subtraction

bbda964

[CHERI-CSA] Add CapabilityCopyChecker

dc71e37

Detects tag-stripping loads and stores that may be used to copy or swap capabilities

[CHERI_CSA] CapabilityCopyChecker: suppress for short loops

66daaa8

[CHERI_CSA] CapabilityCopyChecker: suppress for unaligned ptr

fb9707f

[CHERI_CSA] CapabilityCopyChecker: silence for hybrid mode

9d24a62

[CHERI-CSA] CapabilityCopyChecker: char* as universal pointer

1152133

[CHERI-CSA] CapabilityCopyChecker: suppress FP for short copies

ca199f2

[CHERI-CSA] CapabilityCopyChecker: improve bug trace

58d95a9

[CHERI_CSA] ProvenanceSourceChecker: silence for hybrid mode

41cbcb7

[CHERI_CSA] CHERIUtils

cef342e

[CHERI_CSA] Add Capability Alignment Checker

b8f1f00

[CHERI_CSA] CapabilityAlignmentChecker: assume align on parameters an…

ea4adbb

…d globals

[CHERI_CSA] CapabilityAlignmentChecker: support align check

8e8d16d

[CHERI_CSA] CapabilityAlignmentChecker: array element alignment

f1c7332

Rely on ElementRegion type alignment solely when shift value is unknown Except for char shifts

[CHERI_CSA] CapabilityAlignmentChecker: attribute __aligned__

880a375

[CHERI_CSA] CapabilityAlignmentChecker: BugReporterVisitor

d5ed9a3

[CHERI_CSA] CapabilityAlignmentChecker: fix FP for comparison with void*

31a1238

[CHERI_CSA] CapabilityAlignmentChecker: refactoring of MemRegion alig…

bdb8b4c

…nment

[CHERI_CSA] CapabilityAlignmentChecker: add allocation source locatio…

da5f4e6

…n to warning

[CHERI_CSA] CapabilityAlignmentChecker: improve warning message

75c9b7c

[CHERI_CSA] CapabilityAlignmentChecker: removing dead symbols

b97d24d

[CHERI_CSA] move 3 checkers from CHERIAlpha to CHERI section

f54740e

ProvenanceSourceChecker, CapabilityCopyChecker, CapabilityAlignmentChecker

[CHERI_CSA] ProvenanceSourceChecker: propagate InvalidCap through Una…

3b9ce71

…ryOperator

[CHERI_CSA] Enable cheri.* checkers by default on purecap

7f94d78

eupharina added 30 commits June 27, 2024 11:42

[CHERI_CSA] PointerAlignmentChecker: suppress duplicate reports

76832fd

Report warning when an underaligned pointer gets converted or stored as a capability-aligned pointer value for the first time. Do not report if it already has a strictly-aligned type.

[CHERI_CSA] PointerAlignmentChecker: improve messages & traces

894c785

[CHERI_CSA] PointerAlignmentChecker: rework handling symbolic addresses

92ed225

Rework detection of addresses of capability-containing regions and generic regions (those that are intended to hold arbitrary data) by analyzing address Symbol type and origin.

[CHERI_CSA] PointerAlignmentChecker: false warnings suppression

08e449f

[CHERI_CSA] CapabilityCopyChecker: ReportForCharPtr=false by default

f95c3e4

[CHERI_CSA] PointerAlignmentChecker: refine warning types

9a8a687

[CHERI_CSA] ProvenanceSourceChecker: refine warning types

9f5b173

[CHERI_CSA] PointerAlignmentChecker: support bcopy

0c833f1

[CHERI_CSA] ProvenanceSourceChecker: delete ptrdiff as capability war…

f45ac19

…ning

[CHERI_CSA] ProvenanceSourceChecker: Fix for CompoundAssignmentOp

4cf1836

[CHERI_CSA] CapabilityCopyChecker: fix for BugType

76fe822

[CHERI_CSA] ProvenanceSourceChecker: refine warning types

fbc8f2e

[CHERI_CSA] New alpha.cheri.SubObjectRepresentability checker

fe342af

[CHERI_CSA] SubObjectRepresentability: detailed message

a90f7a7

[CHERI_CSA] SubObjectRepresentability: disable notes for now

69ae32d

[CHERI_CSA] SubObjectRepresentability: enable notes with updated cher…

9699a8e

…i-compressed-cap

[CHERI_CSA] SubObjectRepresentability: move alpha.cheri -> cheri

3a27311

[CHERI_CSA] New cheri.Allocation checker

40e900e

[CHERI_CSA] AllocationChecker: move static and heap allocation to new…

c946daf

… BugType

[CHERI_CSA] AllocationChecker: suppress for ptr to first field

f9a4b19

[CHERI_CSA] CHERIUtils: Print aka type in messages

ef612bb

[CHERI_CSA] AllocationChecker: suppress for flexible array

bbf8fdc

[CHERI_CSA] AllocationChecker: rework

5450663

[CHERI_CSA] AllocationChecker: suppress for free

bb55953

[CHERI_CSA] CHERI API Modelling

7d72902

[CHERI_CSA] AllocationChecker: suppress for bounded suballocations

f51699b

[CHERI_CSA] AllocationChecker: add ReportForUnknownAllocations option

aee174e

[CHERI_CSA] AllocationChecker: disable for non-purecap

cac85bb

[CHERI_CSA] Refactoring state cleanup for dead symbols & regions

f58077d

[CHERI_CSA] SubObjectRepresentability: support other CHERI targets

52238fd

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CHERI CSA: CHERI support for Clang Static Analyzer + cheri.* Checkers #744

CHERI CSA: CHERI support for Clang Static Analyzer + cheri.* Checkers #744

eupharina commented Jun 28, 2024 •

edited

Loading

CHERI CSA: CHERI support for Clang Static Analyzer + cheri.* Checkers #744

Are you sure you want to change the base?

CHERI CSA: CHERI support for Clang Static Analyzer + cheri.* Checkers #744

Conversation

eupharina commented Jun 28, 2024 • edited Loading

eupharina commented Jun 28, 2024 •

edited

Loading