1 | /* A state machine for detecting misuses of POSIX file descriptor APIs. |
2 | Copyright (C) 2019-2024 Free Software Foundation, Inc. |
3 | Contributed by Immad Mir <mir@sourceware.org>. |
4 | |
5 | This file is part of GCC. |
6 | |
7 | GCC is free software; you can redistribute it and/or modify it |
8 | under the terms of the GNU General Public License as published by |
9 | the Free Software Foundation; either version 3, or (at your option) |
10 | any later version. |
11 | |
12 | GCC is distributed in the hope that it will be useful, but |
13 | WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
15 | General Public License for more details. |
16 | |
17 | You should have received a copy of the GNU General Public License |
18 | along with GCC; see the file COPYING3. If not see |
19 | <http://www.gnu.org/licenses/>. */ |
20 | |
21 | #include "config.h" |
22 | #define INCLUDE_MEMORY |
23 | #include "system.h" |
24 | #include "coretypes.h" |
25 | #include "make-unique.h" |
26 | #include "tree.h" |
27 | #include "function.h" |
28 | #include "basic-block.h" |
29 | #include "gimple.h" |
30 | #include "options.h" |
31 | #include "diagnostic-path.h" |
32 | #include "analyzer/analyzer.h" |
33 | #include "diagnostic-event-id.h" |
34 | #include "analyzer/analyzer-logging.h" |
35 | #include "analyzer/sm.h" |
36 | #include "analyzer/pending-diagnostic.h" |
37 | #include "analyzer/function-set.h" |
38 | #include "analyzer/analyzer-selftests.h" |
39 | #include "stringpool.h" |
40 | #include "attribs.h" |
41 | #include "analyzer/call-string.h" |
42 | #include "analyzer/program-point.h" |
43 | #include "analyzer/store.h" |
44 | #include "analyzer/region-model.h" |
45 | #include "bitmap.h" |
46 | #include "analyzer/program-state.h" |
47 | #include "analyzer/supergraph.h" |
48 | #include "analyzer/analyzer-language.h" |
49 | #include "analyzer/call-details.h" |
50 | #include "analyzer/call-info.h" |
51 | |
52 | #if ENABLE_ANALYZER |
53 | |
54 | namespace ana { |
55 | |
56 | namespace { |
57 | |
58 | /* An enum for distinguishing between three different access modes. */ |
59 | |
60 | enum access_mode |
61 | { |
62 | READ_WRITE, |
63 | READ_ONLY, |
64 | WRITE_ONLY |
65 | }; |
66 | |
67 | enum access_directions |
68 | { |
69 | DIRS_READ_WRITE, |
70 | DIRS_READ, |
71 | DIRS_WRITE |
72 | }; |
73 | |
74 | /* An enum for distinguishing between dup, dup2 and dup3. */ |
75 | enum dup |
76 | { |
77 | DUP_1, |
78 | DUP_2, |
79 | DUP_3 |
80 | }; |
81 | |
82 | /* Enum for use by -Wanalyzer-fd-phase-mismatch. */ |
83 | |
84 | enum expected_phase |
85 | { |
86 | EXPECTED_PHASE_CAN_TRANSFER, /* can "read"/"write". */ |
87 | EXPECTED_PHASE_CAN_BIND, |
88 | EXPECTED_PHASE_CAN_LISTEN, |
89 | EXPECTED_PHASE_CAN_ACCEPT, |
90 | EXPECTED_PHASE_CAN_CONNECT |
91 | }; |
92 | |
93 | class fd_state_machine : public state_machine |
94 | { |
95 | public: |
96 | fd_state_machine (logger *logger); |
97 | |
98 | bool |
99 | inherited_state_p () const final override |
100 | { |
101 | return false; |
102 | } |
103 | |
104 | state_machine::state_t |
105 | get_default_state (const svalue *sval) const final override |
106 | { |
107 | if (tree cst = sval->maybe_get_constant ()) |
108 | { |
109 | if (TREE_CODE (cst) == INTEGER_CST) |
110 | { |
111 | int val = TREE_INT_CST_LOW (cst); |
112 | if (val >= 0) |
113 | return m_constant_fd; |
114 | else |
115 | return m_invalid; |
116 | } |
117 | } |
118 | return m_start; |
119 | } |
120 | |
121 | bool on_stmt (sm_context *sm_ctxt, const supernode *node, |
122 | const gimple *stmt) const final override; |
123 | |
124 | void on_condition (sm_context *sm_ctxt, const supernode *node, |
125 | const gimple *stmt, const svalue *lhs, const tree_code op, |
126 | const svalue *rhs) const final override; |
127 | |
128 | bool can_purge_p (state_t s) const final override; |
129 | std::unique_ptr<pending_diagnostic> on_leak (tree var) const final override; |
130 | |
131 | bool is_unchecked_fd_p (state_t s) const; |
132 | bool is_valid_fd_p (state_t s) const; |
133 | bool is_socket_fd_p (state_t s) const; |
134 | bool is_datagram_socket_fd_p (state_t s) const; |
135 | bool is_stream_socket_fd_p (state_t s) const; |
136 | bool is_closed_fd_p (state_t s) const; |
137 | bool is_constant_fd_p (state_t s) const; |
138 | bool is_readonly_fd_p (state_t s) const; |
139 | bool is_writeonly_fd_p (state_t s) const; |
140 | enum access_mode get_access_mode_from_flag (int flag) const; |
141 | /* Function for one-to-one correspondence between valid |
142 | and unchecked states. */ |
143 | state_t valid_to_unchecked_state (state_t state) const; |
144 | |
145 | void mark_as_valid_fd (region_model *model, |
146 | sm_state_map *smap, |
147 | const svalue *fd_sval, |
148 | const extrinsic_state &ext_state) const; |
149 | |
150 | bool on_socket (const call_details &cd, |
151 | bool successful, |
152 | sm_context *sm_ctxt, |
153 | const extrinsic_state &ext_state) const; |
154 | bool on_bind (const call_details &cd, |
155 | bool successful, |
156 | sm_context *sm_ctxt, |
157 | const extrinsic_state &ext_state) const; |
158 | bool on_listen (const call_details &cd, |
159 | bool successful, |
160 | sm_context *sm_ctxt, |
161 | const extrinsic_state &ext_state) const; |
162 | bool on_accept (const call_details &cd, |
163 | bool successful, |
164 | sm_context *sm_ctxt, |
165 | const extrinsic_state &ext_state) const; |
166 | bool on_connect (const call_details &cd, |
167 | bool successful, |
168 | sm_context *sm_ctxt, |
169 | const extrinsic_state &ext_state) const; |
170 | |
171 | /* State for a constant file descriptor (>= 0) */ |
172 | state_t m_constant_fd; |
173 | |
174 | /* States representing a file descriptor that hasn't yet been |
175 | checked for validity after opening, for three different |
176 | access modes. */ |
177 | state_t m_unchecked_read_write; |
178 | |
179 | state_t m_unchecked_read_only; |
180 | |
181 | state_t m_unchecked_write_only; |
182 | |
183 | /* States for representing a file descriptor that is known to be valid (>= |
184 | 0), for three different access modes. */ |
185 | state_t m_valid_read_write; |
186 | |
187 | state_t m_valid_read_only; |
188 | |
189 | state_t m_valid_write_only; |
190 | |
191 | /* State for a file descriptor that is known to be invalid (< 0). */ |
192 | state_t m_invalid; |
193 | |
194 | /* State for a file descriptor that has been closed. */ |
195 | state_t m_closed; |
196 | |
197 | /* States for FDs relating to socket APIs. */ |
198 | |
199 | /* Result of successful "socket" with SOCK_DGRAM. */ |
200 | state_t m_new_datagram_socket; |
201 | /* Result of successful "socket" with SOCK_STREAM. */ |
202 | state_t m_new_stream_socket; |
203 | /* Result of successful "socket" with unknown type. */ |
204 | state_t m_new_unknown_socket; |
205 | |
206 | /* The above after a successful call to "bind". */ |
207 | state_t m_bound_datagram_socket; |
208 | state_t m_bound_stream_socket; |
209 | state_t m_bound_unknown_socket; |
210 | |
211 | /* A bound socket after a successful call to "listen" (stream or unknown). */ |
212 | state_t m_listening_stream_socket; |
213 | |
214 | /* (i) the new FD as a result of a succesful call to "accept" on a |
215 | listening socket (via a passive open), or |
216 | (ii) an active socket after a successful call to "connect" |
217 | (via an active open). */ |
218 | state_t m_connected_stream_socket; |
219 | |
220 | /* State for a file descriptor that we do not want to track anymore . */ |
221 | state_t m_stop; |
222 | |
223 | /* Stashed constant values from the frontend. These could be NULL. */ |
224 | tree m_O_ACCMODE; |
225 | tree m_O_RDONLY; |
226 | tree m_O_WRONLY; |
227 | tree m_SOCK_STREAM; |
228 | tree m_SOCK_DGRAM; |
229 | |
230 | private: |
231 | void on_open (sm_context *sm_ctxt, const supernode *node, const gimple *stmt, |
232 | const gcall *call) const; |
233 | void on_creat (sm_context *sm_ctxt, const supernode *node, const gimple *stmt, |
234 | const gcall *call) const; |
235 | void on_close (sm_context *sm_ctxt, const supernode *node, const gimple *stmt, |
236 | const gcall *call) const; |
237 | void on_read (sm_context *sm_ctxt, const supernode *node, const gimple *stmt, |
238 | const gcall *call, const tree callee_fndecl) const; |
239 | void on_write (sm_context *sm_ctxt, const supernode *node, const gimple *stmt, |
240 | const gcall *call, const tree callee_fndecl) const; |
241 | void check_for_open_fd (sm_context *sm_ctxt, const supernode *node, |
242 | const gimple *stmt, const gcall *call, |
243 | const tree callee_fndecl, |
244 | enum access_directions access_fn) const; |
245 | |
246 | void make_valid_transitions_on_condition (sm_context *sm_ctxt, |
247 | const supernode *node, |
248 | const gimple *stmt, |
249 | const svalue *lhs) const; |
250 | void make_invalid_transitions_on_condition (sm_context *sm_ctxt, |
251 | const supernode *node, |
252 | const gimple *stmt, |
253 | const svalue *lhs) const; |
254 | void check_for_fd_attrs (sm_context *sm_ctxt, const supernode *node, |
255 | const gimple *stmt, const gcall *call, |
256 | const tree callee_fndecl, const char *attr_name, |
257 | access_directions fd_attr_access_dir) const; |
258 | void check_for_dup (sm_context *sm_ctxt, const supernode *node, |
259 | const gimple *stmt, const gcall *call, const tree callee_fndecl, |
260 | enum dup kind) const; |
261 | |
262 | state_t get_state_for_socket_type (const svalue *socket_type_sval) const; |
263 | |
264 | bool check_for_socket_fd (const call_details &cd, |
265 | bool successful, |
266 | sm_context *sm_ctxt, |
267 | const svalue *fd_sval, |
268 | const supernode *node, |
269 | state_t old_state, |
270 | bool *complained = NULL) const; |
271 | bool check_for_new_socket_fd (const call_details &cd, |
272 | bool successful, |
273 | sm_context *sm_ctxt, |
274 | const svalue *fd_sval, |
275 | const supernode *node, |
276 | state_t old_state, |
277 | enum expected_phase expected_phase) const; |
278 | }; |
279 | |
280 | /* Base diagnostic class relative to fd_state_machine. */ |
281 | class fd_diagnostic : public pending_diagnostic |
282 | { |
283 | public: |
284 | fd_diagnostic (const fd_state_machine &sm, tree arg) : m_sm (sm), m_arg (arg) |
285 | { |
286 | } |
287 | |
288 | bool |
289 | subclass_equal_p (const pending_diagnostic &base_other) const override |
290 | { |
291 | return same_tree_p (t1: m_arg, t2: ((const fd_diagnostic &)base_other).m_arg); |
292 | } |
293 | |
294 | label_text |
295 | describe_state_change (const evdesc::state_change &change) override |
296 | { |
297 | if (change.m_old_state == m_sm.get_start_state ()) |
298 | { |
299 | if (change.m_new_state == m_sm.m_unchecked_read_write |
300 | || change.m_new_state == m_sm.m_valid_read_write) |
301 | return change.formatted_print (fmt: "opened here as read-write" ); |
302 | |
303 | if (change.m_new_state == m_sm.m_unchecked_read_only |
304 | || change.m_new_state == m_sm.m_valid_read_only) |
305 | return change.formatted_print (fmt: "opened here as read-only" ); |
306 | |
307 | if (change.m_new_state == m_sm.m_unchecked_write_only |
308 | || change.m_new_state == m_sm.m_valid_write_only) |
309 | return change.formatted_print (fmt: "opened here as write-only" ); |
310 | |
311 | if (change.m_new_state == m_sm.m_new_datagram_socket) |
312 | return change.formatted_print (fmt: "datagram socket created here" ); |
313 | |
314 | if (change.m_new_state == m_sm.m_new_stream_socket) |
315 | return change.formatted_print (fmt: "stream socket created here" ); |
316 | |
317 | if (change.m_new_state == m_sm.m_new_unknown_socket |
318 | || change.m_new_state == m_sm.m_connected_stream_socket) |
319 | return change.formatted_print (fmt: "socket created here" ); |
320 | } |
321 | |
322 | if (change.m_new_state == m_sm.m_bound_datagram_socket) |
323 | return change.formatted_print (fmt: "datagram socket bound here" ); |
324 | |
325 | if (change.m_new_state == m_sm.m_bound_stream_socket) |
326 | return change.formatted_print (fmt: "stream socket bound here" ); |
327 | |
328 | if (change.m_new_state == m_sm.m_bound_unknown_socket |
329 | || change.m_new_state == m_sm.m_connected_stream_socket) |
330 | return change.formatted_print (fmt: "socket bound here" ); |
331 | |
332 | if (change.m_new_state == m_sm.m_listening_stream_socket) |
333 | return change.formatted_print |
334 | (fmt: "stream socket marked as passive here via %qs" , "listen" ); |
335 | |
336 | if (change.m_new_state == m_sm.m_closed) |
337 | return change.formatted_print (fmt: "closed here" ); |
338 | |
339 | if (m_sm.is_unchecked_fd_p (s: change.m_old_state) |
340 | && m_sm.is_valid_fd_p (s: change.m_new_state)) |
341 | { |
342 | if (change.m_expr) |
343 | return change.formatted_print ( |
344 | fmt: "assuming %qE is a valid file descriptor (>= 0)" , change.m_expr); |
345 | else |
346 | return change.formatted_print (fmt: "assuming a valid file descriptor" ); |
347 | } |
348 | |
349 | if (m_sm.is_unchecked_fd_p (s: change.m_old_state) |
350 | && change.m_new_state == m_sm.m_invalid) |
351 | { |
352 | if (change.m_expr) |
353 | return change.formatted_print ( |
354 | fmt: "assuming %qE is an invalid file descriptor (< 0)" , |
355 | change.m_expr); |
356 | else |
357 | return change.formatted_print (fmt: "assuming an invalid file descriptor" ); |
358 | } |
359 | |
360 | return label_text (); |
361 | } |
362 | |
363 | diagnostic_event::meaning |
364 | get_meaning_for_state_change ( |
365 | const evdesc::state_change &change) const final override |
366 | { |
367 | if (change.m_old_state == m_sm.get_start_state () |
368 | && (m_sm.is_unchecked_fd_p (s: change.m_new_state) |
369 | || change.m_new_state == m_sm.m_new_datagram_socket |
370 | || change.m_new_state == m_sm.m_new_stream_socket |
371 | || change.m_new_state == m_sm.m_new_unknown_socket)) |
372 | return diagnostic_event::meaning (diagnostic_event::VERB_acquire, |
373 | diagnostic_event::NOUN_resource); |
374 | if (change.m_new_state == m_sm.m_closed) |
375 | return diagnostic_event::meaning (diagnostic_event::VERB_release, |
376 | diagnostic_event::NOUN_resource); |
377 | return diagnostic_event::meaning (); |
378 | } |
379 | |
380 | protected: |
381 | const fd_state_machine &m_sm; |
382 | tree m_arg; |
383 | }; |
384 | |
385 | class fd_param_diagnostic : public fd_diagnostic |
386 | { |
387 | public: |
388 | fd_param_diagnostic (const fd_state_machine &sm, tree arg, tree callee_fndecl, |
389 | const char *attr_name, int arg_idx) |
390 | : fd_diagnostic (sm, arg), m_callee_fndecl (callee_fndecl), |
391 | m_attr_name (attr_name), m_arg_idx (arg_idx) |
392 | { |
393 | } |
394 | |
395 | fd_param_diagnostic (const fd_state_machine &sm, tree arg, tree callee_fndecl) |
396 | : fd_diagnostic (sm, arg), m_callee_fndecl (callee_fndecl), |
397 | m_attr_name (NULL), m_arg_idx (-1) |
398 | { |
399 | } |
400 | |
401 | bool |
402 | subclass_equal_p (const pending_diagnostic &base_other) const override |
403 | { |
404 | const fd_param_diagnostic &sub_other |
405 | = (const fd_param_diagnostic &)base_other; |
406 | return (same_tree_p (t1: m_arg, t2: sub_other.m_arg) |
407 | && same_tree_p (t1: m_callee_fndecl, t2: sub_other.m_callee_fndecl) |
408 | && m_arg_idx == sub_other.m_arg_idx |
409 | && ((m_attr_name) |
410 | ? (strcmp (s1: m_attr_name, s2: sub_other.m_attr_name) == 0) |
411 | : true)); |
412 | } |
413 | |
414 | void |
415 | inform_filedescriptor_attribute (access_directions fd_dir) |
416 | { |
417 | |
418 | if (m_attr_name) |
419 | switch (fd_dir) |
420 | { |
421 | case DIRS_READ_WRITE: |
422 | inform (DECL_SOURCE_LOCATION (m_callee_fndecl), |
423 | "argument %d of %qD must be an open file descriptor, due to " |
424 | "%<__attribute__((%s(%d)))%>" , |
425 | m_arg_idx + 1, m_callee_fndecl, m_attr_name, m_arg_idx + 1); |
426 | break; |
427 | case DIRS_WRITE: |
428 | inform (DECL_SOURCE_LOCATION (m_callee_fndecl), |
429 | "argument %d of %qD must be a readable file descriptor, due " |
430 | "to %<__attribute__((%s(%d)))%>" , |
431 | m_arg_idx + 1, m_callee_fndecl, m_attr_name, m_arg_idx + 1); |
432 | break; |
433 | case DIRS_READ: |
434 | inform (DECL_SOURCE_LOCATION (m_callee_fndecl), |
435 | "argument %d of %qD must be a writable file descriptor, due " |
436 | "to %<__attribute__((%s(%d)))%>" , |
437 | m_arg_idx + 1, m_callee_fndecl, m_attr_name, m_arg_idx + 1); |
438 | break; |
439 | } |
440 | } |
441 | |
442 | protected: |
443 | tree m_callee_fndecl; |
444 | const char *m_attr_name; |
445 | /* ARG_IDX is 0-based. */ |
446 | int m_arg_idx; |
447 | }; |
448 | |
449 | class fd_leak : public fd_diagnostic |
450 | { |
451 | public: |
452 | fd_leak (const fd_state_machine &sm, tree arg) : fd_diagnostic (sm, arg) {} |
453 | |
454 | const char * |
455 | get_kind () const final override |
456 | { |
457 | return "fd_leak" ; |
458 | } |
459 | |
460 | int |
461 | get_controlling_option () const final override |
462 | { |
463 | return OPT_Wanalyzer_fd_leak; |
464 | } |
465 | |
466 | bool |
467 | emit (diagnostic_emission_context &ctxt) final override |
468 | { |
469 | /*CWE-775: Missing Release of File Descriptor or Handle after Effective |
470 | Lifetime |
471 | */ |
472 | ctxt.add_cwe (cwe: 775); |
473 | if (m_arg) |
474 | return ctxt.warn ("leak of file descriptor %qE" , m_arg); |
475 | else |
476 | return ctxt.warn ("leak of file descriptor" ); |
477 | } |
478 | |
479 | label_text |
480 | describe_state_change (const evdesc::state_change &change) final override |
481 | { |
482 | if (m_sm.is_unchecked_fd_p (s: change.m_new_state)) |
483 | { |
484 | m_open_event = change.m_event_id; |
485 | return label_text::borrow (buffer: "opened here" ); |
486 | } |
487 | |
488 | return fd_diagnostic::describe_state_change (change); |
489 | } |
490 | |
491 | label_text |
492 | describe_final_event (const evdesc::final_event &ev) final override |
493 | { |
494 | if (m_open_event.known_p ()) |
495 | { |
496 | if (ev.m_expr) |
497 | return ev.formatted_print (fmt: "%qE leaks here; was opened at %@" , |
498 | ev.m_expr, &m_open_event); |
499 | else |
500 | return ev.formatted_print (fmt: "leaks here; was opened at %@" , |
501 | &m_open_event); |
502 | } |
503 | else |
504 | { |
505 | if (ev.m_expr) |
506 | return ev.formatted_print (fmt: "%qE leaks here" , ev.m_expr); |
507 | else |
508 | return ev.formatted_print (fmt: "leaks here" ); |
509 | } |
510 | } |
511 | |
512 | private: |
513 | diagnostic_event_id_t m_open_event; |
514 | }; |
515 | |
516 | class fd_access_mode_mismatch : public fd_param_diagnostic |
517 | { |
518 | public: |
519 | fd_access_mode_mismatch (const fd_state_machine &sm, tree arg, |
520 | enum access_directions fd_dir, |
521 | const tree callee_fndecl, const char *attr_name, |
522 | int arg_idx) |
523 | : fd_param_diagnostic (sm, arg, callee_fndecl, attr_name, arg_idx), |
524 | m_fd_dir (fd_dir) |
525 | |
526 | { |
527 | } |
528 | |
529 | fd_access_mode_mismatch (const fd_state_machine &sm, tree arg, |
530 | enum access_directions fd_dir, |
531 | const tree callee_fndecl) |
532 | : fd_param_diagnostic (sm, arg, callee_fndecl), m_fd_dir (fd_dir) |
533 | { |
534 | } |
535 | |
536 | const char * |
537 | get_kind () const final override |
538 | { |
539 | return "fd_access_mode_mismatch" ; |
540 | } |
541 | |
542 | int |
543 | get_controlling_option () const final override |
544 | { |
545 | return OPT_Wanalyzer_fd_access_mode_mismatch; |
546 | } |
547 | |
548 | bool |
549 | emit (diagnostic_emission_context &ctxt) final override |
550 | { |
551 | bool warned; |
552 | switch (m_fd_dir) |
553 | { |
554 | case DIRS_READ: |
555 | warned = ctxt.warn ("%qE on read-only file descriptor %qE" , |
556 | m_callee_fndecl, m_arg); |
557 | break; |
558 | case DIRS_WRITE: |
559 | warned = ctxt.warn ("%qE on write-only file descriptor %qE" , |
560 | m_callee_fndecl, m_arg); |
561 | break; |
562 | default: |
563 | gcc_unreachable (); |
564 | } |
565 | if (warned) |
566 | inform_filedescriptor_attribute (fd_dir: m_fd_dir); |
567 | return warned; |
568 | } |
569 | |
570 | label_text |
571 | describe_final_event (const evdesc::final_event &ev) final override |
572 | { |
573 | switch (m_fd_dir) |
574 | { |
575 | case DIRS_READ: |
576 | return ev.formatted_print (fmt: "%qE on read-only file descriptor %qE" , |
577 | m_callee_fndecl, m_arg); |
578 | case DIRS_WRITE: |
579 | return ev.formatted_print (fmt: "%qE on write-only file descriptor %qE" , |
580 | m_callee_fndecl, m_arg); |
581 | default: |
582 | gcc_unreachable (); |
583 | } |
584 | } |
585 | |
586 | private: |
587 | enum access_directions m_fd_dir; |
588 | }; |
589 | |
590 | class fd_double_close : public fd_diagnostic |
591 | { |
592 | public: |
593 | fd_double_close (const fd_state_machine &sm, tree arg) : fd_diagnostic (sm, arg) |
594 | { |
595 | } |
596 | |
597 | const char * |
598 | get_kind () const final override |
599 | { |
600 | return "fd_double_close" ; |
601 | } |
602 | |
603 | int |
604 | get_controlling_option () const final override |
605 | { |
606 | return OPT_Wanalyzer_fd_double_close; |
607 | } |
608 | bool |
609 | emit (diagnostic_emission_context &ctxt) final override |
610 | { |
611 | // CWE-1341: Multiple Releases of Same Resource or Handle |
612 | ctxt.add_cwe (cwe: 1341); |
613 | return ctxt.warn ("double %<close%> of file descriptor %qE" , m_arg); |
614 | } |
615 | |
616 | label_text |
617 | describe_state_change (const evdesc::state_change &change) override |
618 | { |
619 | if (m_sm.is_unchecked_fd_p (s: change.m_new_state)) |
620 | return label_text::borrow (buffer: "opened here" ); |
621 | |
622 | if (change.m_new_state == m_sm.m_closed) |
623 | { |
624 | m_first_close_event = change.m_event_id; |
625 | return change.formatted_print (fmt: "first %qs here" , "close" ); |
626 | } |
627 | return fd_diagnostic::describe_state_change (change); |
628 | } |
629 | |
630 | label_text |
631 | describe_final_event (const evdesc::final_event &ev) final override |
632 | { |
633 | if (m_first_close_event.known_p ()) |
634 | return ev.formatted_print (fmt: "second %qs here; first %qs was at %@" , |
635 | "close" , "close" , &m_first_close_event); |
636 | return ev.formatted_print (fmt: "second %qs here" , "close" ); |
637 | } |
638 | |
639 | private: |
640 | diagnostic_event_id_t m_first_close_event; |
641 | }; |
642 | |
643 | class fd_use_after_close : public fd_param_diagnostic |
644 | { |
645 | public: |
646 | fd_use_after_close (const fd_state_machine &sm, tree arg, |
647 | const tree callee_fndecl, const char *attr_name, |
648 | int arg_idx) |
649 | : fd_param_diagnostic (sm, arg, callee_fndecl, attr_name, arg_idx) |
650 | { |
651 | } |
652 | |
653 | fd_use_after_close (const fd_state_machine &sm, tree arg, |
654 | const tree callee_fndecl) |
655 | : fd_param_diagnostic (sm, arg, callee_fndecl) |
656 | { |
657 | } |
658 | |
659 | const char * |
660 | get_kind () const final override |
661 | { |
662 | return "fd_use_after_close" ; |
663 | } |
664 | |
665 | int |
666 | get_controlling_option () const final override |
667 | { |
668 | return OPT_Wanalyzer_fd_use_after_close; |
669 | } |
670 | |
671 | bool |
672 | emit (diagnostic_emission_context &ctxt) final override |
673 | { |
674 | bool warned = ctxt.warn ("%qE on closed file descriptor %qE" , |
675 | m_callee_fndecl, m_arg); |
676 | if (warned) |
677 | inform_filedescriptor_attribute (fd_dir: DIRS_READ_WRITE); |
678 | return warned; |
679 | } |
680 | |
681 | label_text |
682 | describe_state_change (const evdesc::state_change &change) override |
683 | { |
684 | if (m_sm.is_unchecked_fd_p (s: change.m_new_state)) |
685 | return label_text::borrow (buffer: "opened here" ); |
686 | |
687 | if (change.m_new_state == m_sm.m_closed) |
688 | { |
689 | m_first_close_event = change.m_event_id; |
690 | return change.formatted_print (fmt: "closed here" ); |
691 | } |
692 | |
693 | return fd_diagnostic::describe_state_change (change); |
694 | } |
695 | |
696 | label_text |
697 | describe_final_event (const evdesc::final_event &ev) final override |
698 | { |
699 | if (m_first_close_event.known_p ()) |
700 | return ev.formatted_print ( |
701 | fmt: "%qE on closed file descriptor %qE; %qs was at %@" , m_callee_fndecl, |
702 | m_arg, "close" , &m_first_close_event); |
703 | else |
704 | return ev.formatted_print (fmt: "%qE on closed file descriptor %qE" , |
705 | m_callee_fndecl, m_arg); |
706 | } |
707 | |
708 | private: |
709 | diagnostic_event_id_t m_first_close_event; |
710 | }; |
711 | |
712 | class fd_use_without_check : public fd_param_diagnostic |
713 | { |
714 | public: |
715 | fd_use_without_check (const fd_state_machine &sm, tree arg, |
716 | const tree callee_fndecl, const char *attr_name, |
717 | int arg_idx) |
718 | : fd_param_diagnostic (sm, arg, callee_fndecl, attr_name, arg_idx) |
719 | { |
720 | } |
721 | |
722 | fd_use_without_check (const fd_state_machine &sm, tree arg, |
723 | const tree callee_fndecl) |
724 | : fd_param_diagnostic (sm, arg, callee_fndecl) |
725 | { |
726 | } |
727 | |
728 | const char * |
729 | get_kind () const final override |
730 | { |
731 | return "fd_use_without_check" ; |
732 | } |
733 | |
734 | int |
735 | get_controlling_option () const final override |
736 | { |
737 | return OPT_Wanalyzer_fd_use_without_check; |
738 | } |
739 | |
740 | bool |
741 | emit (diagnostic_emission_context &ctxt) final override |
742 | { |
743 | bool warned = ctxt.warn ("%qE on possibly invalid file descriptor %qE" , |
744 | m_callee_fndecl, m_arg); |
745 | if (warned) |
746 | inform_filedescriptor_attribute (fd_dir: DIRS_READ_WRITE); |
747 | return warned; |
748 | } |
749 | |
750 | label_text |
751 | describe_state_change (const evdesc::state_change &change) override |
752 | { |
753 | if (m_sm.is_unchecked_fd_p (s: change.m_new_state)) |
754 | { |
755 | m_first_open_event = change.m_event_id; |
756 | return label_text::borrow (buffer: "opened here" ); |
757 | } |
758 | |
759 | return fd_diagnostic::describe_state_change (change); |
760 | } |
761 | |
762 | label_text |
763 | describe_final_event (const evdesc::final_event &ev) final override |
764 | { |
765 | if (m_first_open_event.known_p ()) |
766 | return ev.formatted_print ( |
767 | fmt: "%qE could be invalid: unchecked value from %@" , m_arg, |
768 | &m_first_open_event); |
769 | else |
770 | return ev.formatted_print (fmt: "%qE could be invalid" , m_arg); |
771 | } |
772 | |
773 | private: |
774 | diagnostic_event_id_t m_first_open_event; |
775 | }; |
776 | |
777 | /* Concrete pending_diagnostic subclass for -Wanalyzer-fd-phase-mismatch. */ |
778 | |
779 | class fd_phase_mismatch : public fd_param_diagnostic |
780 | { |
781 | public: |
782 | fd_phase_mismatch (const fd_state_machine &sm, tree arg, |
783 | const tree callee_fndecl, |
784 | state_machine::state_t actual_state, |
785 | enum expected_phase expected_phase) |
786 | : fd_param_diagnostic (sm, arg, callee_fndecl), |
787 | m_actual_state (actual_state), |
788 | m_expected_phase (expected_phase) |
789 | { |
790 | gcc_assert (m_sm.is_socket_fd_p (actual_state)); |
791 | switch (expected_phase) |
792 | { |
793 | case EXPECTED_PHASE_CAN_TRANSFER: |
794 | gcc_assert (actual_state == m_sm.m_new_stream_socket |
795 | || actual_state == m_sm.m_bound_stream_socket |
796 | || actual_state == m_sm.m_listening_stream_socket); |
797 | break; |
798 | case EXPECTED_PHASE_CAN_BIND: |
799 | gcc_assert (actual_state == m_sm.m_bound_datagram_socket |
800 | || actual_state == m_sm.m_bound_stream_socket |
801 | || actual_state == m_sm.m_bound_unknown_socket |
802 | || actual_state == m_sm.m_connected_stream_socket |
803 | || actual_state == m_sm.m_listening_stream_socket); |
804 | break; |
805 | case EXPECTED_PHASE_CAN_LISTEN: |
806 | gcc_assert (actual_state == m_sm.m_new_stream_socket |
807 | || actual_state == m_sm.m_new_unknown_socket |
808 | || actual_state == m_sm.m_connected_stream_socket); |
809 | break; |
810 | case EXPECTED_PHASE_CAN_ACCEPT: |
811 | gcc_assert (actual_state == m_sm.m_new_stream_socket |
812 | || actual_state == m_sm.m_new_unknown_socket |
813 | || actual_state == m_sm.m_bound_stream_socket |
814 | || actual_state == m_sm.m_bound_unknown_socket |
815 | || actual_state == m_sm.m_connected_stream_socket); |
816 | break; |
817 | case EXPECTED_PHASE_CAN_CONNECT: |
818 | gcc_assert (actual_state == m_sm.m_bound_datagram_socket |
819 | || actual_state == m_sm.m_bound_stream_socket |
820 | || actual_state == m_sm.m_bound_unknown_socket |
821 | || actual_state == m_sm.m_listening_stream_socket |
822 | || actual_state == m_sm.m_connected_stream_socket); |
823 | break; |
824 | } |
825 | } |
826 | |
827 | const char * |
828 | get_kind () const final override |
829 | { |
830 | return "fd_phase_mismatch" ; |
831 | } |
832 | |
833 | bool |
834 | subclass_equal_p (const pending_diagnostic &base_other) const final override |
835 | { |
836 | const fd_phase_mismatch &sub_other = (const fd_phase_mismatch &)base_other; |
837 | if (!fd_param_diagnostic ::subclass_equal_p (base_other: sub_other)) |
838 | return false; |
839 | return (m_actual_state == sub_other.m_actual_state |
840 | && m_expected_phase == sub_other.m_expected_phase); |
841 | } |
842 | |
843 | int |
844 | get_controlling_option () const final override |
845 | { |
846 | return OPT_Wanalyzer_fd_phase_mismatch; |
847 | } |
848 | |
849 | bool |
850 | emit (diagnostic_emission_context &ctxt) final override |
851 | { |
852 | /* CWE-666: Operation on Resource in Wrong Phase of Lifetime. */ |
853 | ctxt.add_cwe (cwe: 666); |
854 | return ctxt.warn ("%qE on file descriptor %qE in wrong phase" , |
855 | m_callee_fndecl, m_arg); |
856 | } |
857 | |
858 | label_text |
859 | describe_final_event (const evdesc::final_event &ev) final override |
860 | { |
861 | switch (m_expected_phase) |
862 | { |
863 | case EXPECTED_PHASE_CAN_TRANSFER: |
864 | { |
865 | if (m_actual_state == m_sm.m_new_stream_socket) |
866 | return ev.formatted_print |
867 | (fmt: "%qE expects a stream socket to be connected via %qs" |
868 | " but %qE has not yet been bound" , |
869 | m_callee_fndecl, "accept" , m_arg); |
870 | if (m_actual_state == m_sm.m_bound_stream_socket) |
871 | return ev.formatted_print |
872 | (fmt: "%qE expects a stream socket to be connected via %qs" |
873 | " but %qE is not yet listening" , |
874 | m_callee_fndecl, "accept" , m_arg); |
875 | if (m_actual_state == m_sm.m_listening_stream_socket) |
876 | return ev.formatted_print |
877 | (fmt: "%qE expects a stream socket to be connected via" |
878 | " the return value of %qs" |
879 | " but %qE is listening; wrong file descriptor?" , |
880 | m_callee_fndecl, "accept" , m_arg); |
881 | } |
882 | break; |
883 | case EXPECTED_PHASE_CAN_BIND: |
884 | { |
885 | if (m_actual_state == m_sm.m_bound_datagram_socket |
886 | || m_actual_state == m_sm.m_bound_stream_socket |
887 | || m_actual_state == m_sm.m_bound_unknown_socket) |
888 | return ev.formatted_print |
889 | (fmt: "%qE expects a new socket file descriptor" |
890 | " but %qE has already been bound" , |
891 | m_callee_fndecl, m_arg); |
892 | if (m_actual_state == m_sm.m_connected_stream_socket) |
893 | return ev.formatted_print |
894 | (fmt: "%qE expects a new socket file descriptor" |
895 | " but %qE is already connected" , |
896 | m_callee_fndecl, m_arg); |
897 | if (m_actual_state == m_sm.m_listening_stream_socket) |
898 | return ev.formatted_print |
899 | (fmt: "%qE expects a new socket file descriptor" |
900 | " but %qE is already listening" , |
901 | m_callee_fndecl, m_arg); |
902 | } |
903 | break; |
904 | case EXPECTED_PHASE_CAN_LISTEN: |
905 | { |
906 | if (m_actual_state == m_sm.m_new_stream_socket |
907 | || m_actual_state == m_sm.m_new_unknown_socket) |
908 | return ev.formatted_print |
909 | (fmt: "%qE expects a bound stream socket file descriptor" |
910 | " but %qE has not yet been bound" , |
911 | m_callee_fndecl, m_arg); |
912 | if (m_actual_state == m_sm.m_connected_stream_socket) |
913 | return ev.formatted_print |
914 | (fmt: "%qE expects a bound stream socket file descriptor" |
915 | " but %qE is connected" , |
916 | m_callee_fndecl, m_arg); |
917 | } |
918 | break; |
919 | case EXPECTED_PHASE_CAN_ACCEPT: |
920 | { |
921 | if (m_actual_state == m_sm.m_new_stream_socket |
922 | || m_actual_state == m_sm.m_new_unknown_socket) |
923 | return ev.formatted_print |
924 | (fmt: "%qE expects a listening stream socket file descriptor" |
925 | " but %qE has not yet been bound" , |
926 | m_callee_fndecl, m_arg); |
927 | if (m_actual_state == m_sm.m_bound_stream_socket |
928 | || m_actual_state == m_sm.m_bound_unknown_socket) |
929 | return ev.formatted_print |
930 | (fmt: "%qE expects a listening stream socket file descriptor" |
931 | " whereas %qE is bound but not yet listening" , |
932 | m_callee_fndecl, m_arg); |
933 | if (m_actual_state == m_sm.m_connected_stream_socket) |
934 | return ev.formatted_print |
935 | (fmt: "%qE expects a listening stream socket file descriptor" |
936 | " but %qE is connected" , |
937 | m_callee_fndecl, m_arg); |
938 | } |
939 | break; |
940 | case EXPECTED_PHASE_CAN_CONNECT: |
941 | { |
942 | if (m_actual_state == m_sm.m_bound_datagram_socket |
943 | || m_actual_state == m_sm.m_bound_stream_socket |
944 | || m_actual_state == m_sm.m_bound_unknown_socket) |
945 | return ev.formatted_print |
946 | (fmt: "%qE expects a new socket file descriptor but %qE is bound" , |
947 | m_callee_fndecl, m_arg); |
948 | else |
949 | return ev.formatted_print |
950 | (fmt: "%qE expects a new socket file descriptor" , m_callee_fndecl); |
951 | } |
952 | break; |
953 | } |
954 | gcc_unreachable (); |
955 | } |
956 | |
957 | private: |
958 | state_machine::state_t m_actual_state; |
959 | enum expected_phase m_expected_phase; |
960 | }; |
961 | |
962 | /* Enum for use by -Wanalyzer-fd-type-mismatch. */ |
963 | |
964 | enum expected_type |
965 | { |
966 | EXPECTED_TYPE_SOCKET, |
967 | EXPECTED_TYPE_STREAM_SOCKET |
968 | }; |
969 | |
970 | /* Concrete pending_diagnostic subclass for -Wanalyzer-fd-type-mismatch. */ |
971 | |
972 | class fd_type_mismatch : public fd_param_diagnostic |
973 | { |
974 | public: |
975 | fd_type_mismatch (const fd_state_machine &sm, tree arg, |
976 | const tree callee_fndecl, |
977 | state_machine::state_t actual_state, |
978 | enum expected_type expected_type) |
979 | : fd_param_diagnostic (sm, arg, callee_fndecl), |
980 | m_actual_state (actual_state), |
981 | m_expected_type (expected_type) |
982 | { |
983 | } |
984 | |
985 | const char * |
986 | get_kind () const final override |
987 | { |
988 | return "fd_type_mismatch" ; |
989 | } |
990 | |
991 | bool |
992 | subclass_equal_p (const pending_diagnostic &base_other) const final override |
993 | { |
994 | const fd_type_mismatch &sub_other = (const fd_type_mismatch &)base_other; |
995 | if (!fd_param_diagnostic ::subclass_equal_p (base_other: sub_other)) |
996 | return false; |
997 | return (m_actual_state == sub_other.m_actual_state |
998 | && m_expected_type == sub_other.m_expected_type); |
999 | } |
1000 | |
1001 | int |
1002 | get_controlling_option () const final override |
1003 | { |
1004 | return OPT_Wanalyzer_fd_type_mismatch; |
1005 | } |
1006 | |
1007 | bool |
1008 | emit (diagnostic_emission_context &ctxt) final override |
1009 | { |
1010 | switch (m_expected_type) |
1011 | { |
1012 | default: |
1013 | gcc_unreachable (); |
1014 | case EXPECTED_TYPE_SOCKET: |
1015 | return ctxt.warn ("%qE on non-socket file descriptor %qE" , |
1016 | m_callee_fndecl, m_arg); |
1017 | case EXPECTED_TYPE_STREAM_SOCKET: |
1018 | if (m_sm.is_datagram_socket_fd_p (s: m_actual_state)) |
1019 | return ctxt.warn ("%qE on datagram socket file descriptor %qE" , |
1020 | m_callee_fndecl, m_arg); |
1021 | else |
1022 | return ctxt.warn ("%qE on non-stream-socket file descriptor %qE" , |
1023 | m_callee_fndecl, m_arg); |
1024 | } |
1025 | } |
1026 | |
1027 | label_text |
1028 | describe_final_event (const evdesc::final_event &ev) final override |
1029 | { |
1030 | switch (m_expected_type) |
1031 | { |
1032 | default: |
1033 | break; |
1034 | gcc_unreachable (); |
1035 | case EXPECTED_TYPE_SOCKET: |
1036 | case EXPECTED_TYPE_STREAM_SOCKET: |
1037 | if (!m_sm.is_socket_fd_p (s: m_actual_state)) |
1038 | return ev.formatted_print (fmt: "%qE expects a socket file descriptor" |
1039 | " but %qE is not a socket" , |
1040 | m_callee_fndecl, m_arg); |
1041 | } |
1042 | gcc_assert (m_expected_type == EXPECTED_TYPE_STREAM_SOCKET); |
1043 | gcc_assert (m_sm.is_datagram_socket_fd_p (m_actual_state)); |
1044 | return ev.formatted_print |
1045 | (fmt: "%qE expects a stream socket file descriptor" |
1046 | " but %qE is a datagram socket" , |
1047 | m_callee_fndecl, m_arg); |
1048 | } |
1049 | |
1050 | private: |
1051 | state_machine::state_t m_actual_state; |
1052 | enum expected_type m_expected_type; |
1053 | }; |
1054 | |
1055 | fd_state_machine::fd_state_machine (logger *logger) |
1056 | : state_machine ("file-descriptor" , logger), |
1057 | m_constant_fd (add_state (name: "fd-constant" )), |
1058 | m_unchecked_read_write (add_state (name: "fd-unchecked-read-write" )), |
1059 | m_unchecked_read_only (add_state (name: "fd-unchecked-read-only" )), |
1060 | m_unchecked_write_only (add_state (name: "fd-unchecked-write-only" )), |
1061 | m_valid_read_write (add_state (name: "fd-valid-read-write" )), |
1062 | m_valid_read_only (add_state (name: "fd-valid-read-only" )), |
1063 | m_valid_write_only (add_state (name: "fd-valid-write-only" )), |
1064 | m_invalid (add_state (name: "fd-invalid" )), |
1065 | m_closed (add_state (name: "fd-closed" )), |
1066 | m_new_datagram_socket (add_state (name: "fd-new-datagram-socket" )), |
1067 | m_new_stream_socket (add_state (name: "fd-new-stream-socket" )), |
1068 | m_new_unknown_socket (add_state (name: "fd-new-unknown-socket" )), |
1069 | m_bound_datagram_socket (add_state (name: "fd-bound-datagram-socket" )), |
1070 | m_bound_stream_socket (add_state (name: "fd-bound-stream-socket" )), |
1071 | m_bound_unknown_socket (add_state (name: "fd-bound-unknown-socket" )), |
1072 | m_listening_stream_socket (add_state (name: "fd-listening-stream-socket" )), |
1073 | m_connected_stream_socket (add_state (name: "fd-connected-stream-socket" )), |
1074 | m_stop (add_state (name: "fd-stop" )), |
1075 | m_O_ACCMODE (get_stashed_constant_by_name (name: "O_ACCMODE" )), |
1076 | m_O_RDONLY (get_stashed_constant_by_name (name: "O_RDONLY" )), |
1077 | m_O_WRONLY (get_stashed_constant_by_name (name: "O_WRONLY" )), |
1078 | m_SOCK_STREAM (get_stashed_constant_by_name (name: "SOCK_STREAM" )), |
1079 | m_SOCK_DGRAM (get_stashed_constant_by_name (name: "SOCK_DGRAM" )) |
1080 | { |
1081 | } |
1082 | |
1083 | bool |
1084 | fd_state_machine::is_unchecked_fd_p (state_t s) const |
1085 | { |
1086 | return (s == m_unchecked_read_write |
1087 | || s == m_unchecked_read_only |
1088 | || s == m_unchecked_write_only); |
1089 | } |
1090 | |
1091 | bool |
1092 | fd_state_machine::is_valid_fd_p (state_t s) const |
1093 | { |
1094 | return (s == m_valid_read_write |
1095 | || s == m_valid_read_only |
1096 | || s == m_valid_write_only); |
1097 | } |
1098 | |
1099 | bool |
1100 | fd_state_machine::is_socket_fd_p (state_t s) const |
1101 | { |
1102 | return (s == m_new_datagram_socket |
1103 | || s == m_new_stream_socket |
1104 | || s == m_new_unknown_socket |
1105 | || s == m_bound_datagram_socket |
1106 | || s == m_bound_stream_socket |
1107 | || s == m_bound_unknown_socket |
1108 | || s == m_listening_stream_socket |
1109 | || s == m_connected_stream_socket); |
1110 | } |
1111 | |
1112 | bool |
1113 | fd_state_machine::is_datagram_socket_fd_p (state_t s) const |
1114 | { |
1115 | return (s == m_new_datagram_socket |
1116 | || s == m_new_unknown_socket |
1117 | || s == m_bound_datagram_socket |
1118 | || s == m_bound_unknown_socket); |
1119 | } |
1120 | |
1121 | bool |
1122 | fd_state_machine::is_stream_socket_fd_p (state_t s) const |
1123 | { |
1124 | return (s == m_new_stream_socket |
1125 | || s == m_new_unknown_socket |
1126 | || s == m_bound_stream_socket |
1127 | || s == m_bound_unknown_socket |
1128 | || s == m_listening_stream_socket |
1129 | || s == m_connected_stream_socket); |
1130 | } |
1131 | |
1132 | enum access_mode |
1133 | fd_state_machine::get_access_mode_from_flag (int flag) const |
1134 | { |
1135 | if (m_O_ACCMODE && TREE_CODE (m_O_ACCMODE) == INTEGER_CST) |
1136 | { |
1137 | const unsigned HOST_WIDE_INT mask_val = TREE_INT_CST_LOW (m_O_ACCMODE); |
1138 | const unsigned HOST_WIDE_INT masked_flag = flag & mask_val; |
1139 | |
1140 | if (m_O_RDONLY && TREE_CODE (m_O_RDONLY) == INTEGER_CST) |
1141 | if (masked_flag == TREE_INT_CST_LOW (m_O_RDONLY)) |
1142 | return READ_ONLY; |
1143 | |
1144 | if (m_O_WRONLY && TREE_CODE (m_O_WRONLY) == INTEGER_CST) |
1145 | if (masked_flag == TREE_INT_CST_LOW (m_O_WRONLY)) |
1146 | return WRITE_ONLY; |
1147 | } |
1148 | return READ_WRITE; |
1149 | } |
1150 | |
1151 | bool |
1152 | fd_state_machine::is_readonly_fd_p (state_t state) const |
1153 | { |
1154 | return (state == m_unchecked_read_only || state == m_valid_read_only); |
1155 | } |
1156 | |
1157 | bool |
1158 | fd_state_machine::is_writeonly_fd_p (state_t state) const |
1159 | { |
1160 | return (state == m_unchecked_write_only || state == m_valid_write_only); |
1161 | } |
1162 | |
1163 | bool |
1164 | fd_state_machine::is_closed_fd_p (state_t state) const |
1165 | { |
1166 | return (state == m_closed); |
1167 | } |
1168 | |
1169 | bool |
1170 | fd_state_machine::is_constant_fd_p (state_t state) const |
1171 | { |
1172 | return (state == m_constant_fd); |
1173 | } |
1174 | |
1175 | fd_state_machine::state_t |
1176 | fd_state_machine::valid_to_unchecked_state (state_t state) const |
1177 | { |
1178 | if (state == m_valid_read_write) |
1179 | return m_unchecked_read_write; |
1180 | else if (state == m_valid_write_only) |
1181 | return m_unchecked_write_only; |
1182 | else if (state == m_valid_read_only) |
1183 | return m_unchecked_read_only; |
1184 | else |
1185 | gcc_unreachable (); |
1186 | return NULL; |
1187 | } |
1188 | |
1189 | void |
1190 | fd_state_machine::mark_as_valid_fd (region_model *model, |
1191 | sm_state_map *smap, |
1192 | const svalue *fd_sval, |
1193 | const extrinsic_state &ext_state) const |
1194 | { |
1195 | smap->set_state (model, sval: fd_sval, state: m_valid_read_write, NULL, ext_state); |
1196 | } |
1197 | |
1198 | bool |
1199 | fd_state_machine::on_stmt (sm_context *sm_ctxt, const supernode *node, |
1200 | const gimple *stmt) const |
1201 | { |
1202 | if (const gcall *call = dyn_cast<const gcall *> (p: stmt)) |
1203 | if (tree callee_fndecl = sm_ctxt->get_fndecl_for_call (call)) |
1204 | { |
1205 | if (is_named_call_p (fndecl: callee_fndecl, funcname: "open" , call, num_args: 2)) |
1206 | { |
1207 | on_open (sm_ctxt, node, stmt, call); |
1208 | return true; |
1209 | } // "open" |
1210 | |
1211 | if (is_named_call_p (fndecl: callee_fndecl, funcname: "creat" , call, num_args: 2)) |
1212 | { |
1213 | on_creat (sm_ctxt, node, stmt, call); |
1214 | return true; |
1215 | } // "creat" |
1216 | |
1217 | if (is_named_call_p (fndecl: callee_fndecl, funcname: "close" , call, num_args: 1)) |
1218 | { |
1219 | on_close (sm_ctxt, node, stmt, call); |
1220 | return true; |
1221 | } // "close" |
1222 | |
1223 | if (is_named_call_p (fndecl: callee_fndecl, funcname: "write" , call, num_args: 3)) |
1224 | { |
1225 | on_write (sm_ctxt, node, stmt, call, callee_fndecl); |
1226 | return true; |
1227 | } // "write" |
1228 | |
1229 | if (is_named_call_p (fndecl: callee_fndecl, funcname: "read" , call, num_args: 3)) |
1230 | { |
1231 | on_read (sm_ctxt, node, stmt, call, callee_fndecl); |
1232 | return true; |
1233 | } // "read" |
1234 | |
1235 | if (is_named_call_p (fndecl: callee_fndecl, funcname: "dup" , call, num_args: 1)) |
1236 | { |
1237 | check_for_dup (sm_ctxt, node, stmt, call, callee_fndecl, kind: DUP_1); |
1238 | return true; |
1239 | } |
1240 | |
1241 | if (is_named_call_p (fndecl: callee_fndecl, funcname: "dup2" , call, num_args: 2)) |
1242 | { |
1243 | check_for_dup (sm_ctxt, node, stmt, call, callee_fndecl, kind: DUP_2); |
1244 | return true; |
1245 | } |
1246 | |
1247 | if (is_named_call_p (fndecl: callee_fndecl, funcname: "dup3" , call, num_args: 3)) |
1248 | { |
1249 | check_for_dup (sm_ctxt, node, stmt, call, callee_fndecl, kind: DUP_3); |
1250 | return true; |
1251 | } |
1252 | |
1253 | { |
1254 | // Handle __attribute__((fd_arg)) |
1255 | |
1256 | check_for_fd_attrs (sm_ctxt, node, stmt, call, callee_fndecl, |
1257 | attr_name: "fd_arg" , fd_attr_access_dir: DIRS_READ_WRITE); |
1258 | |
1259 | // Handle __attribute__((fd_arg_read)) |
1260 | |
1261 | check_for_fd_attrs (sm_ctxt, node, stmt, call, callee_fndecl, |
1262 | attr_name: "fd_arg_read" , fd_attr_access_dir: DIRS_READ); |
1263 | |
1264 | // Handle __attribute__((fd_arg_write)) |
1265 | |
1266 | check_for_fd_attrs (sm_ctxt, node, stmt, call, callee_fndecl, |
1267 | attr_name: "fd_arg_write" , fd_attr_access_dir: DIRS_WRITE); |
1268 | } |
1269 | } |
1270 | |
1271 | return false; |
1272 | } |
1273 | |
1274 | void |
1275 | fd_state_machine::check_for_fd_attrs ( |
1276 | sm_context *sm_ctxt, const supernode *node, const gimple *stmt, |
1277 | const gcall *call, const tree callee_fndecl, const char *attr_name, |
1278 | access_directions fd_attr_access_dir) const |
1279 | { |
1280 | /* Handle interesting fd attributes of the callee_fndecl, |
1281 | or prioritize those of the builtin that callee_fndecl is |
1282 | expected to be. |
1283 | Might want this to be controlled by a flag. */ |
1284 | tree fndecl = callee_fndecl; |
1285 | /* If call is recognized as a builtin known_function, |
1286 | use that builtin's function_decl. */ |
1287 | if (const region_model *old_model = sm_ctxt->get_old_region_model ()) |
1288 | if (const builtin_known_function *builtin_kf |
1289 | = old_model->get_builtin_kf (call)) |
1290 | fndecl = builtin_kf->builtin_decl (); |
1291 | |
1292 | tree attrs = TYPE_ATTRIBUTES (TREE_TYPE (fndecl)); |
1293 | attrs = lookup_attribute (attr_name, list: attrs); |
1294 | if (!attrs) |
1295 | return; |
1296 | |
1297 | if (!TREE_VALUE (attrs)) |
1298 | return; |
1299 | |
1300 | auto_bitmap argmap; |
1301 | |
1302 | for (tree idx = TREE_VALUE (attrs); idx; idx = TREE_CHAIN (idx)) |
1303 | { |
1304 | unsigned int val = TREE_INT_CST_LOW (TREE_VALUE (idx)) - 1; |
1305 | bitmap_set_bit (argmap, val); |
1306 | } |
1307 | if (bitmap_empty_p (map: argmap)) |
1308 | return; |
1309 | |
1310 | for (unsigned arg_idx = 0; arg_idx < gimple_call_num_args (gs: call); arg_idx++) |
1311 | { |
1312 | tree arg = gimple_call_arg (gs: call, index: arg_idx); |
1313 | tree diag_arg = sm_ctxt->get_diagnostic_tree (expr: arg); |
1314 | state_t state = sm_ctxt->get_state (stmt, var: arg); |
1315 | bool bit_set = bitmap_bit_p (argmap, arg_idx); |
1316 | if (TREE_CODE (TREE_TYPE (arg)) != INTEGER_TYPE) |
1317 | continue; |
1318 | if (bit_set) // Check if arg_idx is marked by any of the file descriptor |
1319 | // attributes |
1320 | { |
1321 | |
1322 | /* Do use the fndecl that caused the warning so that the |
1323 | misused attributes are printed and the user not confused. */ |
1324 | if (is_closed_fd_p (state)) |
1325 | { |
1326 | |
1327 | sm_ctxt->warn (node, stmt, var: arg, |
1328 | d: make_unique<fd_use_after_close> |
1329 | (args: *this, args&: diag_arg, |
1330 | args&: fndecl, args&: attr_name, |
1331 | args&: arg_idx)); |
1332 | continue; |
1333 | } |
1334 | |
1335 | if (!(is_valid_fd_p (s: state) || (state == m_stop))) |
1336 | { |
1337 | if (!is_constant_fd_p (state)) |
1338 | { |
1339 | sm_ctxt->warn (node, stmt, var: arg, |
1340 | d: make_unique<fd_use_without_check> |
1341 | (args: *this, args&: diag_arg, |
1342 | args&: fndecl, args&: attr_name, |
1343 | args&: arg_idx)); |
1344 | continue; |
1345 | } |
1346 | } |
1347 | |
1348 | switch (fd_attr_access_dir) |
1349 | { |
1350 | case DIRS_READ_WRITE: |
1351 | break; |
1352 | case DIRS_READ: |
1353 | |
1354 | if (is_writeonly_fd_p (state)) |
1355 | { |
1356 | sm_ctxt->warn ( |
1357 | node, stmt, var: arg, |
1358 | d: make_unique<fd_access_mode_mismatch> (args: *this, args&: diag_arg, |
1359 | args: DIRS_WRITE, |
1360 | args&: fndecl, |
1361 | args&: attr_name, |
1362 | args&: arg_idx)); |
1363 | } |
1364 | |
1365 | break; |
1366 | case DIRS_WRITE: |
1367 | |
1368 | if (is_readonly_fd_p (state)) |
1369 | { |
1370 | sm_ctxt->warn ( |
1371 | node, stmt, var: arg, |
1372 | d: make_unique<fd_access_mode_mismatch> (args: *this, args&: diag_arg, |
1373 | args: DIRS_READ, |
1374 | args&: fndecl, |
1375 | args&: attr_name, |
1376 | args&: arg_idx)); |
1377 | } |
1378 | |
1379 | break; |
1380 | } |
1381 | } |
1382 | } |
1383 | } |
1384 | |
1385 | |
1386 | void |
1387 | fd_state_machine::on_open (sm_context *sm_ctxt, const supernode *node, |
1388 | const gimple *stmt, const gcall *call) const |
1389 | { |
1390 | tree lhs = gimple_call_lhs (gs: call); |
1391 | if (lhs) |
1392 | { |
1393 | tree arg = gimple_call_arg (gs: call, index: 1); |
1394 | enum access_mode mode = READ_WRITE; |
1395 | if (TREE_CODE (arg) == INTEGER_CST) |
1396 | { |
1397 | int flag = TREE_INT_CST_LOW (arg); |
1398 | mode = get_access_mode_from_flag (flag); |
1399 | } |
1400 | switch (mode) |
1401 | { |
1402 | case READ_ONLY: |
1403 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_start, |
1404 | to: m_unchecked_read_only); |
1405 | break; |
1406 | case WRITE_ONLY: |
1407 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_start, |
1408 | to: m_unchecked_write_only); |
1409 | break; |
1410 | default: |
1411 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_start, |
1412 | to: m_unchecked_read_write); |
1413 | } |
1414 | } |
1415 | else |
1416 | { |
1417 | sm_ctxt->warn (node, stmt, NULL_TREE, |
1418 | d: make_unique<fd_leak> (args: *this, NULL_TREE)); |
1419 | } |
1420 | } |
1421 | |
1422 | void |
1423 | fd_state_machine::on_creat (sm_context *sm_ctxt, const supernode *node, |
1424 | const gimple *stmt, const gcall *call) const |
1425 | { |
1426 | tree lhs = gimple_call_lhs (gs: call); |
1427 | if (lhs) |
1428 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_start, to: m_unchecked_write_only); |
1429 | else |
1430 | sm_ctxt->warn (node, stmt, NULL_TREE, |
1431 | d: make_unique<fd_leak> (args: *this, NULL_TREE)); |
1432 | } |
1433 | |
1434 | void |
1435 | fd_state_machine::check_for_dup (sm_context *sm_ctxt, const supernode *node, |
1436 | const gimple *stmt, const gcall *call, |
1437 | const tree callee_fndecl, enum dup kind) const |
1438 | { |
1439 | tree lhs = gimple_call_lhs (gs: call); |
1440 | tree arg_1 = gimple_call_arg (gs: call, index: 0); |
1441 | state_t state_arg_1 = sm_ctxt->get_state (stmt, var: arg_1); |
1442 | if (state_arg_1 == m_stop) |
1443 | return; |
1444 | if (!(is_constant_fd_p (state: state_arg_1) || is_valid_fd_p (s: state_arg_1) |
1445 | || state_arg_1 == m_start)) |
1446 | { |
1447 | check_for_open_fd (sm_ctxt, node, stmt, call, callee_fndecl, |
1448 | access_fn: DIRS_READ_WRITE); |
1449 | return; |
1450 | } |
1451 | switch (kind) |
1452 | { |
1453 | case DUP_1: |
1454 | if (lhs) |
1455 | { |
1456 | if (is_constant_fd_p (state: state_arg_1) || state_arg_1 == m_start) |
1457 | sm_ctxt->set_next_state (stmt, var: lhs, to: m_unchecked_read_write); |
1458 | else |
1459 | sm_ctxt->set_next_state (stmt, var: lhs, |
1460 | to: valid_to_unchecked_state (state: state_arg_1)); |
1461 | } |
1462 | break; |
1463 | |
1464 | case DUP_2: |
1465 | case DUP_3: |
1466 | tree arg_2 = gimple_call_arg (gs: call, index: 1); |
1467 | state_t state_arg_2 = sm_ctxt->get_state (stmt, var: arg_2); |
1468 | tree diag_arg_2 = sm_ctxt->get_diagnostic_tree (expr: arg_2); |
1469 | if (state_arg_2 == m_stop) |
1470 | return; |
1471 | /* Check if -1 was passed as second argument to dup2. */ |
1472 | if (!(is_constant_fd_p (state: state_arg_2) || is_valid_fd_p (s: state_arg_2) |
1473 | || state_arg_2 == m_start)) |
1474 | { |
1475 | sm_ctxt->warn ( |
1476 | node, stmt, var: arg_2, |
1477 | d: make_unique<fd_use_without_check> (args: *this, args&: diag_arg_2, |
1478 | args: callee_fndecl)); |
1479 | return; |
1480 | } |
1481 | /* dup2 returns value of its second argument on success.But, the |
1482 | access mode of the returned file descriptor depends on the duplicated |
1483 | file descriptor i.e the first argument. */ |
1484 | if (lhs) |
1485 | { |
1486 | if (is_constant_fd_p (state: state_arg_1) || state_arg_1 == m_start) |
1487 | sm_ctxt->set_next_state (stmt, var: lhs, to: m_unchecked_read_write); |
1488 | else |
1489 | sm_ctxt->set_next_state (stmt, var: lhs, |
1490 | to: valid_to_unchecked_state (state: state_arg_1)); |
1491 | } |
1492 | |
1493 | break; |
1494 | } |
1495 | } |
1496 | |
1497 | void |
1498 | fd_state_machine::on_close (sm_context *sm_ctxt, const supernode *node, |
1499 | const gimple *stmt, const gcall *call) const |
1500 | { |
1501 | tree arg = gimple_call_arg (gs: call, index: 0); |
1502 | state_t state = sm_ctxt->get_state (stmt, var: arg); |
1503 | tree diag_arg = sm_ctxt->get_diagnostic_tree (expr: arg); |
1504 | |
1505 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_start, to: m_closed); |
1506 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_unchecked_read_write, to: m_closed); |
1507 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_unchecked_read_only, to: m_closed); |
1508 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_unchecked_write_only, to: m_closed); |
1509 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_valid_read_write, to: m_closed); |
1510 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_valid_read_only, to: m_closed); |
1511 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_valid_write_only, to: m_closed); |
1512 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_constant_fd, to: m_closed); |
1513 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_new_datagram_socket, to: m_closed); |
1514 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_new_stream_socket, to: m_closed); |
1515 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_new_unknown_socket, to: m_closed); |
1516 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_bound_datagram_socket, to: m_closed); |
1517 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_bound_stream_socket, to: m_closed); |
1518 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_bound_unknown_socket, to: m_closed); |
1519 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_listening_stream_socket, to: m_closed); |
1520 | sm_ctxt->on_transition (node, stmt, var: arg, from: m_connected_stream_socket, to: m_closed); |
1521 | |
1522 | if (is_closed_fd_p (state)) |
1523 | { |
1524 | sm_ctxt->warn (node, stmt, var: arg, |
1525 | d: make_unique<fd_double_close> (args: *this, args&: diag_arg)); |
1526 | sm_ctxt->set_next_state (stmt, var: arg, to: m_stop); |
1527 | } |
1528 | } |
1529 | void |
1530 | fd_state_machine::on_read (sm_context *sm_ctxt, const supernode *node, |
1531 | const gimple *stmt, const gcall *call, |
1532 | const tree callee_fndecl) const |
1533 | { |
1534 | check_for_open_fd (sm_ctxt, node, stmt, call, callee_fndecl, access_fn: DIRS_READ); |
1535 | } |
1536 | void |
1537 | fd_state_machine::on_write (sm_context *sm_ctxt, const supernode *node, |
1538 | const gimple *stmt, const gcall *call, |
1539 | const tree callee_fndecl) const |
1540 | { |
1541 | check_for_open_fd (sm_ctxt, node, stmt, call, callee_fndecl, access_fn: DIRS_WRITE); |
1542 | } |
1543 | |
1544 | void |
1545 | fd_state_machine::check_for_open_fd ( |
1546 | sm_context *sm_ctxt, const supernode *node, const gimple *stmt, |
1547 | const gcall *call, const tree callee_fndecl, |
1548 | enum access_directions callee_fndecl_dir) const |
1549 | { |
1550 | tree arg = gimple_call_arg (gs: call, index: 0); |
1551 | tree diag_arg = sm_ctxt->get_diagnostic_tree (expr: arg); |
1552 | state_t state = sm_ctxt->get_state (stmt, var: arg); |
1553 | |
1554 | if (is_closed_fd_p (state)) |
1555 | { |
1556 | sm_ctxt->warn (node, stmt, var: arg, |
1557 | d: make_unique<fd_use_after_close> (args: *this, args&: diag_arg, |
1558 | args: callee_fndecl)); |
1559 | } |
1560 | |
1561 | else |
1562 | { |
1563 | if (state == m_new_stream_socket |
1564 | || state == m_bound_stream_socket |
1565 | || state == m_listening_stream_socket) |
1566 | /* Complain about fncall on socket in wrong phase. */ |
1567 | sm_ctxt->warn |
1568 | (node, stmt, var: arg, |
1569 | d: make_unique<fd_phase_mismatch> (args: *this, args&: diag_arg, |
1570 | args: callee_fndecl, |
1571 | args&: state, |
1572 | args: EXPECTED_PHASE_CAN_TRANSFER)); |
1573 | else if (!(is_valid_fd_p (s: state) |
1574 | || state == m_new_datagram_socket |
1575 | || state == m_bound_unknown_socket |
1576 | || state == m_connected_stream_socket |
1577 | || state == m_start |
1578 | || state == m_stop)) |
1579 | { |
1580 | if (!is_constant_fd_p (state)) |
1581 | sm_ctxt->warn ( |
1582 | node, stmt, var: arg, |
1583 | d: make_unique<fd_use_without_check> (args: *this, args&: diag_arg, |
1584 | args: callee_fndecl)); |
1585 | } |
1586 | switch (callee_fndecl_dir) |
1587 | { |
1588 | case DIRS_READ_WRITE: |
1589 | break; |
1590 | case DIRS_READ: |
1591 | if (is_writeonly_fd_p (state)) |
1592 | { |
1593 | tree diag_arg = sm_ctxt->get_diagnostic_tree (expr: arg); |
1594 | sm_ctxt->warn (node, stmt, var: arg, |
1595 | d: make_unique<fd_access_mode_mismatch> ( |
1596 | args: *this, args&: diag_arg, args: DIRS_WRITE, args: callee_fndecl)); |
1597 | } |
1598 | |
1599 | break; |
1600 | case DIRS_WRITE: |
1601 | |
1602 | if (is_readonly_fd_p (state)) |
1603 | { |
1604 | tree diag_arg = sm_ctxt->get_diagnostic_tree (expr: arg); |
1605 | sm_ctxt->warn (node, stmt, var: arg, |
1606 | d: make_unique<fd_access_mode_mismatch> ( |
1607 | args: *this, args&: diag_arg, args: DIRS_READ, args: callee_fndecl)); |
1608 | } |
1609 | break; |
1610 | } |
1611 | } |
1612 | } |
1613 | |
1614 | static bool |
1615 | add_constraint_ge_zero (region_model *model, |
1616 | const svalue *fd_sval, |
1617 | region_model_context *ctxt) |
1618 | { |
1619 | const svalue *zero |
1620 | = model->get_manager ()->get_or_create_int_cst (integer_type_node, cst: 0); |
1621 | return model->add_constraint (lhs: fd_sval, op: GE_EXPR, rhs: zero, ctxt); |
1622 | } |
1623 | |
1624 | /* Get the state for a new socket type based on SOCKET_TYPE_SVAL, |
1625 | a SOCK_* value. */ |
1626 | |
1627 | state_machine::state_t |
1628 | fd_state_machine:: |
1629 | get_state_for_socket_type (const svalue *socket_type_sval) const |
1630 | { |
1631 | if (tree socket_type_cst = socket_type_sval->maybe_get_constant ()) |
1632 | { |
1633 | /* Attempt to use SOCK_* constants stashed from the frontend. */ |
1634 | if (tree_int_cst_equal (socket_type_cst, m_SOCK_STREAM)) |
1635 | return m_new_stream_socket; |
1636 | if (tree_int_cst_equal (socket_type_cst, m_SOCK_DGRAM)) |
1637 | return m_new_datagram_socket; |
1638 | } |
1639 | |
1640 | /* Unrecognized constant, or a symbolic "type" value. */ |
1641 | return m_new_unknown_socket; |
1642 | } |
1643 | |
1644 | /* Update the model and fd state for an outcome of a call to "socket", |
1645 | where SUCCESSFUL indicate which of the two outcomes. |
1646 | Return true if the outcome is feasible, or false to reject it. */ |
1647 | |
1648 | bool |
1649 | fd_state_machine::on_socket (const call_details &cd, |
1650 | bool successful, |
1651 | sm_context *sm_ctxt, |
1652 | const extrinsic_state &ext_state) const |
1653 | { |
1654 | const gcall *stmt = cd.get_call_stmt (); |
1655 | engine *eng = ext_state.get_engine (); |
1656 | const supergraph *sg = eng->get_supergraph (); |
1657 | const supernode *node = sg->get_supernode_for_stmt (stmt); |
1658 | region_model *model = cd.get_model (); |
1659 | |
1660 | if (successful) |
1661 | { |
1662 | if (gimple_call_lhs (gs: stmt)) |
1663 | { |
1664 | conjured_purge p (model, cd.get_ctxt ()); |
1665 | region_model_manager *mgr = model->get_manager (); |
1666 | const svalue *new_fd |
1667 | = mgr->get_or_create_conjured_svalue (integer_type_node, |
1668 | stmt, |
1669 | id_reg: cd.get_lhs_region (), |
1670 | p); |
1671 | if (!add_constraint_ge_zero (model, fd_sval: new_fd, ctxt: cd.get_ctxt ())) |
1672 | return false; |
1673 | |
1674 | const svalue *socket_type_sval = cd.get_arg_svalue (idx: 1); |
1675 | state_machine::state_t new_state |
1676 | = get_state_for_socket_type (socket_type_sval); |
1677 | sm_ctxt->on_transition (node, stmt, var: new_fd, from: m_start, to: new_state); |
1678 | model->set_value (lhs_reg: cd.get_lhs_region (), rhs_sval: new_fd, ctxt: cd.get_ctxt ()); |
1679 | } |
1680 | else |
1681 | sm_ctxt->warn (node, stmt, NULL_TREE, |
1682 | d: make_unique<fd_leak> (args: *this, NULL_TREE)); |
1683 | } |
1684 | else |
1685 | { |
1686 | /* Return -1; set errno. */ |
1687 | model->update_for_int_cst_return (cd, retval: -1, unmergeable: true); |
1688 | model->set_errno (cd); |
1689 | } |
1690 | |
1691 | return true; |
1692 | } |
1693 | |
1694 | /* Check that FD_SVAL is usable by socket APIs. |
1695 | Complain if it has been closed, if it is a non-socket, |
1696 | or is invalid. |
1697 | If COMPLAINED is non-NULL and a problem is found, |
1698 | write *COMPLAINED = true. |
1699 | |
1700 | If SUCCESSFUL is true, attempt to add the constraint that FD_SVAL >= 0. |
1701 | Return true if this outcome is feasible. */ |
1702 | |
1703 | bool |
1704 | fd_state_machine::check_for_socket_fd (const call_details &cd, |
1705 | bool successful, |
1706 | sm_context *sm_ctxt, |
1707 | const svalue *fd_sval, |
1708 | const supernode *node, |
1709 | state_t old_state, |
1710 | bool *complained) const |
1711 | { |
1712 | const gcall *stmt = cd.get_call_stmt (); |
1713 | |
1714 | if (is_closed_fd_p (state: old_state)) |
1715 | { |
1716 | tree diag_arg = sm_ctxt->get_diagnostic_tree (fd_sval); |
1717 | sm_ctxt->warn |
1718 | (node, stmt, var: fd_sval, |
1719 | d: make_unique<fd_use_after_close> (args: *this, args&: diag_arg, |
1720 | args: cd.get_fndecl_for_call ())); |
1721 | if (complained) |
1722 | *complained = true; |
1723 | if (successful) |
1724 | return false; |
1725 | } |
1726 | else if (is_unchecked_fd_p (s: old_state) || is_valid_fd_p (s: old_state)) |
1727 | { |
1728 | /* Complain about non-socket. */ |
1729 | tree diag_arg = sm_ctxt->get_diagnostic_tree (fd_sval); |
1730 | sm_ctxt->warn |
1731 | (node, stmt, var: fd_sval, |
1732 | d: make_unique<fd_type_mismatch> (args: *this, args&: diag_arg, |
1733 | args: cd.get_fndecl_for_call (), |
1734 | args&: old_state, |
1735 | args: EXPECTED_TYPE_SOCKET)); |
1736 | if (complained) |
1737 | *complained = true; |
1738 | if (successful) |
1739 | return false; |
1740 | } |
1741 | else if (old_state == m_invalid) |
1742 | { |
1743 | tree diag_arg = sm_ctxt->get_diagnostic_tree (fd_sval); |
1744 | sm_ctxt->warn |
1745 | (node, stmt, var: fd_sval, |
1746 | d: make_unique<fd_use_without_check> (args: *this, args&: diag_arg, |
1747 | args: cd.get_fndecl_for_call ())); |
1748 | if (complained) |
1749 | *complained = true; |
1750 | if (successful) |
1751 | return false; |
1752 | } |
1753 | |
1754 | if (successful) |
1755 | if (!add_constraint_ge_zero (model: cd.get_model (), fd_sval, ctxt: cd.get_ctxt ())) |
1756 | return false; |
1757 | |
1758 | return true; |
1759 | } |
1760 | |
1761 | /* For use by "bind" and "connect". |
1762 | As per fd_state_machine::check_for_socket_fd above, |
1763 | but also complain if we don't have a new socket, and check that |
1764 | we can read up to the size bytes from the address. */ |
1765 | |
1766 | bool |
1767 | fd_state_machine::check_for_new_socket_fd (const call_details &cd, |
1768 | bool successful, |
1769 | sm_context *sm_ctxt, |
1770 | const svalue *fd_sval, |
1771 | const supernode *node, |
1772 | state_t old_state, |
1773 | enum expected_phase expected_phase) |
1774 | const |
1775 | { |
1776 | bool complained = false; |
1777 | |
1778 | /* Check address and len. */ |
1779 | const svalue *address_sval = cd.get_arg_svalue (idx: 1); |
1780 | const svalue *len_sval = cd.get_arg_svalue (idx: 2); |
1781 | |
1782 | /* Check that we can read the given number of bytes from the |
1783 | address. */ |
1784 | region_model *model = cd.get_model (); |
1785 | const region *address_reg |
1786 | = model->deref_rvalue (ptr_sval: address_sval, ptr_tree: cd.get_arg_tree (idx: 1), |
1787 | ctxt: cd.get_ctxt ()); |
1788 | const region *sized_address_reg |
1789 | = model->get_manager ()->get_sized_region (parent: address_reg, |
1790 | NULL_TREE, |
1791 | byte_size_sval: len_sval); |
1792 | model->get_store_value (reg: sized_address_reg, ctxt: cd.get_ctxt ()); |
1793 | |
1794 | if (!check_for_socket_fd (cd, successful, sm_ctxt, |
1795 | fd_sval, node, old_state, complained: &complained)) |
1796 | return false; |
1797 | else if (!complained |
1798 | && !(old_state == m_new_stream_socket |
1799 | || old_state == m_new_datagram_socket |
1800 | || old_state == m_new_unknown_socket |
1801 | || old_state == m_start |
1802 | || old_state == m_stop |
1803 | || old_state == m_constant_fd)) |
1804 | { |
1805 | /* Complain about "bind" or "connect" in wrong phase. */ |
1806 | tree diag_arg = sm_ctxt->get_diagnostic_tree (fd_sval); |
1807 | sm_ctxt->warn |
1808 | (node, stmt: cd.get_call_stmt (), var: fd_sval, |
1809 | d: make_unique<fd_phase_mismatch> (args: *this, args&: diag_arg, |
1810 | args: cd.get_fndecl_for_call (), |
1811 | args&: old_state, |
1812 | args&: expected_phase)); |
1813 | if (successful) |
1814 | return false; |
1815 | } |
1816 | else if (!successful) |
1817 | { |
1818 | /* If we were in the start state, assume we had a new socket. */ |
1819 | if (old_state == m_start) |
1820 | sm_ctxt->set_next_state (stmt: cd.get_call_stmt (), var: fd_sval, |
1821 | to: m_new_unknown_socket); |
1822 | } |
1823 | |
1824 | /* Passing NULL as the address will lead to failure. */ |
1825 | if (successful) |
1826 | if (address_sval->all_zeroes_p ()) |
1827 | return false; |
1828 | |
1829 | return true; |
1830 | } |
1831 | |
1832 | /* Update the model and fd state for an outcome of a call to "bind", |
1833 | where SUCCESSFUL indicate which of the two outcomes. |
1834 | Return true if the outcome is feasible, or false to reject it. */ |
1835 | |
1836 | bool |
1837 | fd_state_machine::on_bind (const call_details &cd, |
1838 | bool successful, |
1839 | sm_context *sm_ctxt, |
1840 | const extrinsic_state &ext_state) const |
1841 | { |
1842 | const gcall *stmt = cd.get_call_stmt (); |
1843 | engine *eng = ext_state.get_engine (); |
1844 | const supergraph *sg = eng->get_supergraph (); |
1845 | const supernode *node = sg->get_supernode_for_stmt (stmt); |
1846 | const svalue *fd_sval = cd.get_arg_svalue (idx: 0); |
1847 | region_model *model = cd.get_model (); |
1848 | state_t old_state = sm_ctxt->get_state (stmt, fd_sval); |
1849 | |
1850 | if (!check_for_new_socket_fd (cd, successful, sm_ctxt, |
1851 | fd_sval, node, old_state, |
1852 | expected_phase: EXPECTED_PHASE_CAN_BIND)) |
1853 | return false; |
1854 | |
1855 | if (successful) |
1856 | { |
1857 | state_t next_state = NULL; |
1858 | if (old_state == m_new_stream_socket) |
1859 | next_state = m_bound_stream_socket; |
1860 | else if (old_state == m_new_datagram_socket) |
1861 | next_state = m_bound_datagram_socket; |
1862 | else if (old_state == m_new_unknown_socket) |
1863 | next_state = m_bound_unknown_socket; |
1864 | else if (old_state == m_start |
1865 | || old_state == m_constant_fd) |
1866 | next_state = m_bound_unknown_socket; |
1867 | else if (old_state == m_stop) |
1868 | next_state = m_stop; |
1869 | else |
1870 | gcc_unreachable (); |
1871 | sm_ctxt->set_next_state (stmt: cd.get_call_stmt (), var: fd_sval, to: next_state); |
1872 | model->update_for_zero_return (cd, unmergeable: true); |
1873 | } |
1874 | else |
1875 | { |
1876 | /* Return -1; set errno. */ |
1877 | model->update_for_int_cst_return (cd, retval: -1, unmergeable: true); |
1878 | model->set_errno (cd); |
1879 | } |
1880 | |
1881 | return true; |
1882 | } |
1883 | |
1884 | /* Update the model and fd state for an outcome of a call to "listen", |
1885 | where SUCCESSFUL indicate which of the two outcomes. |
1886 | Return true if the outcome is feasible, or false to reject it. */ |
1887 | |
1888 | bool |
1889 | fd_state_machine::on_listen (const call_details &cd, |
1890 | bool successful, |
1891 | sm_context *sm_ctxt, |
1892 | const extrinsic_state &ext_state) const |
1893 | { |
1894 | const gcall *stmt = cd.get_call_stmt (); |
1895 | engine *eng = ext_state.get_engine (); |
1896 | const supergraph *sg = eng->get_supergraph (); |
1897 | const supernode *node = sg->get_supernode_for_stmt (stmt: cd.get_call_stmt ()); |
1898 | const svalue *fd_sval = cd.get_arg_svalue (idx: 0); |
1899 | region_model *model = cd.get_model (); |
1900 | state_t old_state = sm_ctxt->get_state (stmt, fd_sval); |
1901 | |
1902 | /* We expect a stream socket that's had "bind" called on it. */ |
1903 | if (!check_for_socket_fd (cd, successful, sm_ctxt, fd_sval, node, old_state)) |
1904 | return false; |
1905 | if (!(old_state == m_start |
1906 | || old_state == m_constant_fd |
1907 | || old_state == m_stop |
1908 | || old_state == m_invalid |
1909 | || old_state == m_bound_stream_socket |
1910 | || old_state == m_bound_unknown_socket |
1911 | /* Assume it's OK to call "listen" more than once. */ |
1912 | || old_state == m_listening_stream_socket)) |
1913 | { |
1914 | /* Complain about fncall on wrong type or in wrong phase. */ |
1915 | tree diag_arg = sm_ctxt->get_diagnostic_tree (fd_sval); |
1916 | if (is_stream_socket_fd_p (s: old_state)) |
1917 | sm_ctxt->warn |
1918 | (node, stmt, var: fd_sval, |
1919 | d: make_unique<fd_phase_mismatch> (args: *this, args&: diag_arg, |
1920 | args: cd.get_fndecl_for_call (), |
1921 | args&: old_state, |
1922 | args: EXPECTED_PHASE_CAN_LISTEN)); |
1923 | else |
1924 | sm_ctxt->warn |
1925 | (node, stmt, var: fd_sval, |
1926 | d: make_unique<fd_type_mismatch> (args: *this, args&: diag_arg, |
1927 | args: cd.get_fndecl_for_call (), |
1928 | args&: old_state, |
1929 | args: EXPECTED_TYPE_STREAM_SOCKET)); |
1930 | if (successful) |
1931 | return false; |
1932 | } |
1933 | |
1934 | if (successful) |
1935 | { |
1936 | model->update_for_zero_return (cd, unmergeable: true); |
1937 | sm_ctxt->set_next_state (stmt: cd.get_call_stmt (), var: fd_sval, |
1938 | to: m_listening_stream_socket); |
1939 | } |
1940 | else |
1941 | { |
1942 | /* Return -1; set errno. */ |
1943 | model->update_for_int_cst_return (cd, retval: -1, unmergeable: true); |
1944 | model->set_errno (cd); |
1945 | if (old_state == m_start) |
1946 | sm_ctxt->set_next_state (stmt: cd.get_call_stmt (), var: fd_sval, |
1947 | to: m_bound_stream_socket); |
1948 | } |
1949 | |
1950 | return true; |
1951 | } |
1952 | |
1953 | /* Update the model and fd state for an outcome of a call to "accept", |
1954 | where SUCCESSFUL indicate which of the two outcomes. |
1955 | Return true if the outcome is feasible, or false to reject it. */ |
1956 | |
1957 | bool |
1958 | fd_state_machine::on_accept (const call_details &cd, |
1959 | bool successful, |
1960 | sm_context *sm_ctxt, |
1961 | const extrinsic_state &ext_state) const |
1962 | { |
1963 | const gcall *stmt = cd.get_call_stmt (); |
1964 | engine *eng = ext_state.get_engine (); |
1965 | const supergraph *sg = eng->get_supergraph (); |
1966 | const supernode *node = sg->get_supernode_for_stmt (stmt); |
1967 | const svalue *fd_sval = cd.get_arg_svalue (idx: 0); |
1968 | const svalue *address_sval = cd.get_arg_svalue (idx: 1); |
1969 | const svalue *len_ptr_sval = cd.get_arg_svalue (idx: 2); |
1970 | region_model *model = cd.get_model (); |
1971 | state_t old_state = sm_ctxt->get_state (stmt, fd_sval); |
1972 | |
1973 | if (!address_sval->all_zeroes_p ()) |
1974 | { |
1975 | region_model_manager *mgr = model->get_manager (); |
1976 | |
1977 | /* We might have a union of various pointer types, rather than a |
1978 | pointer type; cast to (void *) before dereferencing. */ |
1979 | address_sval = mgr->get_or_create_cast (ptr_type_node, arg: address_sval); |
1980 | |
1981 | const region *address_reg |
1982 | = model->deref_rvalue (ptr_sval: address_sval, ptr_tree: cd.get_arg_tree (idx: 1), |
1983 | ctxt: cd.get_ctxt ()); |
1984 | const region *len_reg |
1985 | = model->deref_rvalue (ptr_sval: len_ptr_sval, ptr_tree: cd.get_arg_tree (idx: 2), |
1986 | ctxt: cd.get_ctxt ()); |
1987 | const svalue *old_len_sval |
1988 | = model->get_store_value (reg: len_reg, ctxt: cd.get_ctxt ()); |
1989 | tree len_ptr = cd.get_arg_tree (idx: 2); |
1990 | tree star_len_ptr = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (len_ptr)), |
1991 | len_ptr, |
1992 | build_int_cst (TREE_TYPE (len_ptr), 0)); |
1993 | old_len_sval = model->check_for_poison (sval: old_len_sval, |
1994 | expr: star_len_ptr, |
1995 | src_region: len_reg, |
1996 | ctxt: cd.get_ctxt ()); |
1997 | if (successful) |
1998 | { |
1999 | conjured_purge p (model, cd.get_ctxt ()); |
2000 | const region *old_sized_address_reg |
2001 | = mgr->get_sized_region (parent: address_reg, |
2002 | NULL_TREE, |
2003 | byte_size_sval: old_len_sval); |
2004 | const svalue *new_addr_sval |
2005 | = mgr->get_or_create_conjured_svalue (NULL_TREE, |
2006 | stmt, |
2007 | id_reg: old_sized_address_reg, |
2008 | p); |
2009 | model->set_value (lhs_reg: old_sized_address_reg, rhs_sval: new_addr_sval, |
2010 | ctxt: cd.get_ctxt ()); |
2011 | const svalue *new_addr_len |
2012 | = mgr->get_or_create_conjured_svalue (NULL_TREE, |
2013 | stmt, |
2014 | id_reg: len_reg, |
2015 | p); |
2016 | model->set_value (lhs_reg: len_reg, rhs_sval: new_addr_len, ctxt: cd.get_ctxt ()); |
2017 | } |
2018 | } |
2019 | |
2020 | /* We expect a stream socket in the "listening" state. */ |
2021 | if (!check_for_socket_fd (cd, successful, sm_ctxt, fd_sval, node, old_state)) |
2022 | return false; |
2023 | |
2024 | if (old_state == m_start || old_state == m_constant_fd) |
2025 | /* If we were in the start state (or a constant), assume we had the |
2026 | expected state. */ |
2027 | sm_ctxt->set_next_state (stmt: cd.get_call_stmt (), var: fd_sval, |
2028 | to: m_listening_stream_socket); |
2029 | else if (old_state == m_stop) |
2030 | { |
2031 | /* No further complaints. */ |
2032 | } |
2033 | else if (old_state != m_listening_stream_socket) |
2034 | { |
2035 | /* Complain about fncall on wrong type or in wrong phase. */ |
2036 | tree diag_arg = sm_ctxt->get_diagnostic_tree (fd_sval); |
2037 | if (is_stream_socket_fd_p (s: old_state)) |
2038 | sm_ctxt->warn |
2039 | (node, stmt, var: fd_sval, |
2040 | d: make_unique<fd_phase_mismatch> (args: *this, args&: diag_arg, |
2041 | args: cd.get_fndecl_for_call (), |
2042 | args&: old_state, |
2043 | args: EXPECTED_PHASE_CAN_ACCEPT)); |
2044 | else |
2045 | sm_ctxt->warn |
2046 | (node, stmt, var: fd_sval, |
2047 | d: make_unique<fd_type_mismatch> (args: *this, args&: diag_arg, |
2048 | args: cd.get_fndecl_for_call (), |
2049 | args&: old_state, |
2050 | args: EXPECTED_TYPE_STREAM_SOCKET)); |
2051 | if (successful) |
2052 | return false; |
2053 | } |
2054 | |
2055 | if (successful) |
2056 | { |
2057 | /* Return new conjured FD in "connected" state. */ |
2058 | if (gimple_call_lhs (gs: stmt)) |
2059 | { |
2060 | conjured_purge p (model, cd.get_ctxt ()); |
2061 | region_model_manager *mgr = model->get_manager (); |
2062 | const svalue *new_fd |
2063 | = mgr->get_or_create_conjured_svalue (integer_type_node, |
2064 | stmt, |
2065 | id_reg: cd.get_lhs_region (), |
2066 | p); |
2067 | if (!add_constraint_ge_zero (model, fd_sval: new_fd, ctxt: cd.get_ctxt ())) |
2068 | return false; |
2069 | sm_ctxt->on_transition (node, stmt, var: new_fd, |
2070 | from: m_start, to: m_connected_stream_socket); |
2071 | model->set_value (lhs_reg: cd.get_lhs_region (), rhs_sval: new_fd, ctxt: cd.get_ctxt ()); |
2072 | } |
2073 | else |
2074 | sm_ctxt->warn (node, stmt, NULL_TREE, |
2075 | d: make_unique<fd_leak> (args: *this, NULL_TREE)); |
2076 | } |
2077 | else |
2078 | { |
2079 | /* Return -1; set errno. */ |
2080 | model->update_for_int_cst_return (cd, retval: -1, unmergeable: true); |
2081 | model->set_errno (cd); |
2082 | } |
2083 | |
2084 | return true; |
2085 | } |
2086 | |
2087 | /* Update the model and fd state for an outcome of a call to "connect", |
2088 | where SUCCESSFUL indicate which of the two outcomes. |
2089 | Return true if the outcome is feasible, or false to reject it. */ |
2090 | |
2091 | bool |
2092 | fd_state_machine::on_connect (const call_details &cd, |
2093 | bool successful, |
2094 | sm_context *sm_ctxt, |
2095 | const extrinsic_state &ext_state) const |
2096 | { |
2097 | const gcall *stmt = cd.get_call_stmt (); |
2098 | engine *eng = ext_state.get_engine (); |
2099 | const supergraph *sg = eng->get_supergraph (); |
2100 | const supernode *node = sg->get_supernode_for_stmt (stmt); |
2101 | const svalue *fd_sval = cd.get_arg_svalue (idx: 0); |
2102 | region_model *model = cd.get_model (); |
2103 | state_t old_state = sm_ctxt->get_state (stmt, fd_sval); |
2104 | |
2105 | if (!check_for_new_socket_fd (cd, successful, sm_ctxt, |
2106 | fd_sval, node, old_state, |
2107 | expected_phase: EXPECTED_PHASE_CAN_CONNECT)) |
2108 | return false; |
2109 | |
2110 | if (successful) |
2111 | { |
2112 | model->update_for_zero_return (cd, unmergeable: true); |
2113 | state_t next_state = NULL; |
2114 | if (old_state == m_new_stream_socket) |
2115 | next_state = m_connected_stream_socket; |
2116 | else if (old_state == m_new_datagram_socket) |
2117 | /* It's legal to call connect on a datagram socket, potentially |
2118 | more than once. We don't transition states for this. */ |
2119 | next_state = m_new_datagram_socket; |
2120 | else if (old_state == m_new_unknown_socket) |
2121 | next_state = m_stop; |
2122 | else if (old_state == m_start |
2123 | || old_state == m_constant_fd) |
2124 | next_state = m_stop; |
2125 | else if (old_state == m_stop) |
2126 | next_state = m_stop; |
2127 | else |
2128 | gcc_unreachable (); |
2129 | sm_ctxt->set_next_state (stmt: cd.get_call_stmt (), var: fd_sval, to: next_state); |
2130 | } |
2131 | else |
2132 | { |
2133 | /* Return -1; set errno. */ |
2134 | model->update_for_int_cst_return (cd, retval: -1, unmergeable: true); |
2135 | model->set_errno (cd); |
2136 | /* TODO: perhaps transition to a failed state, since the |
2137 | portable way to handle a failed "connect" is to close |
2138 | the socket and try again with a new socket. */ |
2139 | } |
2140 | |
2141 | return true; |
2142 | } |
2143 | |
2144 | void |
2145 | fd_state_machine::on_condition (sm_context *sm_ctxt, const supernode *node, |
2146 | const gimple *stmt, const svalue *lhs, |
2147 | enum tree_code op, const svalue *rhs) const |
2148 | { |
2149 | if (tree cst = rhs->maybe_get_constant ()) |
2150 | { |
2151 | if (TREE_CODE (cst) == INTEGER_CST) |
2152 | { |
2153 | int val = TREE_INT_CST_LOW (cst); |
2154 | if (val == -1) |
2155 | { |
2156 | if (op == NE_EXPR) |
2157 | make_valid_transitions_on_condition (sm_ctxt, node, stmt, lhs); |
2158 | |
2159 | else if (op == EQ_EXPR) |
2160 | make_invalid_transitions_on_condition (sm_ctxt, node, stmt, |
2161 | lhs); |
2162 | } |
2163 | } |
2164 | } |
2165 | |
2166 | if (rhs->all_zeroes_p ()) |
2167 | { |
2168 | if (op == GE_EXPR) |
2169 | make_valid_transitions_on_condition (sm_ctxt, node, stmt, lhs); |
2170 | else if (op == LT_EXPR) |
2171 | make_invalid_transitions_on_condition (sm_ctxt, node, stmt, lhs); |
2172 | } |
2173 | } |
2174 | |
2175 | void |
2176 | fd_state_machine::make_valid_transitions_on_condition (sm_context *sm_ctxt, |
2177 | const supernode *node, |
2178 | const gimple *stmt, |
2179 | const svalue *lhs) const |
2180 | { |
2181 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_unchecked_read_write, |
2182 | to: m_valid_read_write); |
2183 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_unchecked_read_only, |
2184 | to: m_valid_read_only); |
2185 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_unchecked_write_only, |
2186 | to: m_valid_write_only); |
2187 | } |
2188 | |
2189 | void |
2190 | fd_state_machine::make_invalid_transitions_on_condition ( |
2191 | sm_context *sm_ctxt, const supernode *node, const gimple *stmt, |
2192 | const svalue *lhs) const |
2193 | { |
2194 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_unchecked_read_write, to: m_invalid); |
2195 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_unchecked_read_only, to: m_invalid); |
2196 | sm_ctxt->on_transition (node, stmt, var: lhs, from: m_unchecked_write_only, to: m_invalid); |
2197 | } |
2198 | |
2199 | bool |
2200 | fd_state_machine::can_purge_p (state_t s) const |
2201 | { |
2202 | if (is_unchecked_fd_p (s) |
2203 | || is_valid_fd_p (s) |
2204 | || is_socket_fd_p (s)) |
2205 | return false; |
2206 | else |
2207 | return true; |
2208 | } |
2209 | |
2210 | std::unique_ptr<pending_diagnostic> |
2211 | fd_state_machine::on_leak (tree var) const |
2212 | { |
2213 | return make_unique<fd_leak> (args: *this, args&: var); |
2214 | } |
2215 | } // namespace |
2216 | |
2217 | state_machine * |
2218 | make_fd_state_machine (logger *logger) |
2219 | { |
2220 | return new fd_state_machine (logger); |
2221 | } |
2222 | |
2223 | static bool |
2224 | get_fd_state (region_model_context *ctxt, |
2225 | sm_state_map **out_smap, |
2226 | const fd_state_machine **out_sm, |
2227 | unsigned *out_sm_idx, |
2228 | std::unique_ptr<sm_context> *out_sm_context) |
2229 | { |
2230 | if (!ctxt) |
2231 | return false; |
2232 | |
2233 | const state_machine *sm; |
2234 | if (!ctxt->get_fd_map (out_smap, out_sm: &sm, out_sm_idx, out_sm_context)) |
2235 | return false; |
2236 | |
2237 | gcc_assert (sm); |
2238 | |
2239 | *out_sm = (const fd_state_machine *)sm; |
2240 | return true; |
2241 | } |
2242 | |
2243 | /* Specialcase hook for handling pipe, for use by |
2244 | kf_pipe::success::update_model. */ |
2245 | |
2246 | void |
2247 | region_model::mark_as_valid_fd (const svalue *sval, region_model_context *ctxt) |
2248 | { |
2249 | sm_state_map *smap; |
2250 | const fd_state_machine *fd_sm; |
2251 | if (!get_fd_state (ctxt, out_smap: &smap, out_sm: &fd_sm, NULL, NULL)) |
2252 | return; |
2253 | const extrinsic_state *ext_state = ctxt->get_ext_state (); |
2254 | if (!ext_state) |
2255 | return; |
2256 | fd_sm->mark_as_valid_fd (model: this, smap, fd_sval: sval, ext_state: *ext_state); |
2257 | } |
2258 | |
2259 | /* Handle calls to "socket". |
2260 | See e.g. https://man7.org/linux/man-pages/man3/socket.3p.html */ |
2261 | |
2262 | class kf_socket : public known_function |
2263 | { |
2264 | public: |
2265 | class outcome_of_socket : public succeed_or_fail_call_info |
2266 | { |
2267 | public: |
2268 | outcome_of_socket (const call_details &cd, bool success) |
2269 | : succeed_or_fail_call_info (cd, success) |
2270 | {} |
2271 | |
2272 | bool update_model (region_model *model, |
2273 | const exploded_edge *, |
2274 | region_model_context *ctxt) const final override |
2275 | { |
2276 | const call_details cd (get_call_details (model, ctxt)); |
2277 | sm_state_map *smap; |
2278 | const fd_state_machine *fd_sm; |
2279 | std::unique_ptr<sm_context> sm_ctxt; |
2280 | if (!get_fd_state (ctxt, out_smap: &smap, out_sm: &fd_sm, NULL, out_sm_context: &sm_ctxt)) |
2281 | { |
2282 | cd.set_any_lhs_with_defaults (); |
2283 | return true; |
2284 | } |
2285 | const extrinsic_state *ext_state = ctxt->get_ext_state (); |
2286 | if (!ext_state) |
2287 | { |
2288 | cd.set_any_lhs_with_defaults (); |
2289 | return true; |
2290 | } |
2291 | |
2292 | return fd_sm->on_socket (cd, successful: m_success, sm_ctxt: sm_ctxt.get (), ext_state: *ext_state); |
2293 | } |
2294 | }; |
2295 | |
2296 | bool matches_call_types_p (const call_details &cd) const final override |
2297 | { |
2298 | return cd.num_args () == 3; |
2299 | } |
2300 | |
2301 | void impl_call_post (const call_details &cd) const final override |
2302 | { |
2303 | if (cd.get_ctxt ()) |
2304 | { |
2305 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_socket> (args: cd, args: false)); |
2306 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_socket> (args: cd, args: true)); |
2307 | cd.get_ctxt ()->terminate_path (); |
2308 | } |
2309 | } |
2310 | }; |
2311 | |
2312 | /* Handle calls to "bind". |
2313 | See e.g. https://man7.org/linux/man-pages/man3/bind.3p.html */ |
2314 | |
2315 | class kf_bind : public known_function |
2316 | { |
2317 | public: |
2318 | class outcome_of_bind : public succeed_or_fail_call_info |
2319 | { |
2320 | public: |
2321 | outcome_of_bind (const call_details &cd, bool success) |
2322 | : succeed_or_fail_call_info (cd, success) |
2323 | {} |
2324 | |
2325 | bool update_model (region_model *model, |
2326 | const exploded_edge *, |
2327 | region_model_context *ctxt) const final override |
2328 | { |
2329 | const call_details cd (get_call_details (model, ctxt)); |
2330 | sm_state_map *smap; |
2331 | const fd_state_machine *fd_sm; |
2332 | std::unique_ptr<sm_context> sm_ctxt; |
2333 | if (!get_fd_state (ctxt, out_smap: &smap, out_sm: &fd_sm, NULL, out_sm_context: &sm_ctxt)) |
2334 | { |
2335 | cd.set_any_lhs_with_defaults (); |
2336 | return true; |
2337 | } |
2338 | const extrinsic_state *ext_state = ctxt->get_ext_state (); |
2339 | if (!ext_state) |
2340 | { |
2341 | cd.set_any_lhs_with_defaults (); |
2342 | return true; |
2343 | } |
2344 | return fd_sm->on_bind (cd, successful: m_success, sm_ctxt: sm_ctxt.get (), ext_state: *ext_state); |
2345 | } |
2346 | }; |
2347 | |
2348 | bool matches_call_types_p (const call_details &cd) const final override |
2349 | { |
2350 | return (cd.num_args () == 3 && cd.arg_is_pointer_p (idx: 1)); |
2351 | } |
2352 | |
2353 | void impl_call_post (const call_details &cd) const final override |
2354 | { |
2355 | if (cd.get_ctxt ()) |
2356 | { |
2357 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_bind> (args: cd, args: false)); |
2358 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_bind> (args: cd, args: true)); |
2359 | cd.get_ctxt ()->terminate_path (); |
2360 | } |
2361 | } |
2362 | }; |
2363 | |
2364 | /* Handle calls to "listen". |
2365 | See e.g. https://man7.org/linux/man-pages/man3/listen.3p.html */ |
2366 | |
2367 | class kf_listen : public known_function |
2368 | { |
2369 | class outcome_of_listen : public succeed_or_fail_call_info |
2370 | { |
2371 | public: |
2372 | outcome_of_listen (const call_details &cd, bool success) |
2373 | : succeed_or_fail_call_info (cd, success) |
2374 | {} |
2375 | |
2376 | bool update_model (region_model *model, |
2377 | const exploded_edge *, |
2378 | region_model_context *ctxt) const final override |
2379 | { |
2380 | const call_details cd (get_call_details (model, ctxt)); |
2381 | sm_state_map *smap; |
2382 | const fd_state_machine *fd_sm; |
2383 | std::unique_ptr<sm_context> sm_ctxt; |
2384 | if (!get_fd_state (ctxt, out_smap: &smap, out_sm: &fd_sm, NULL, out_sm_context: &sm_ctxt)) |
2385 | { |
2386 | cd.set_any_lhs_with_defaults (); |
2387 | return true; |
2388 | } |
2389 | const extrinsic_state *ext_state = ctxt->get_ext_state (); |
2390 | if (!ext_state) |
2391 | { |
2392 | cd.set_any_lhs_with_defaults (); |
2393 | return true; |
2394 | } |
2395 | |
2396 | return fd_sm->on_listen (cd, successful: m_success, sm_ctxt: sm_ctxt.get (), ext_state: *ext_state); |
2397 | } |
2398 | }; |
2399 | |
2400 | bool matches_call_types_p (const call_details &cd) const final override |
2401 | { |
2402 | return cd.num_args () == 2; |
2403 | } |
2404 | |
2405 | void impl_call_post (const call_details &cd) const final override |
2406 | { |
2407 | if (cd.get_ctxt ()) |
2408 | { |
2409 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_listen> (args: cd, args: false)); |
2410 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_listen> (args: cd, args: true)); |
2411 | cd.get_ctxt ()->terminate_path (); |
2412 | } |
2413 | } |
2414 | }; |
2415 | |
2416 | /* Handle calls to "accept". |
2417 | See e.g. https://man7.org/linux/man-pages/man3/accept.3p.html */ |
2418 | |
2419 | class kf_accept : public known_function |
2420 | { |
2421 | class outcome_of_accept : public succeed_or_fail_call_info |
2422 | { |
2423 | public: |
2424 | outcome_of_accept (const call_details &cd, bool success) |
2425 | : succeed_or_fail_call_info (cd, success) |
2426 | {} |
2427 | |
2428 | bool update_model (region_model *model, |
2429 | const exploded_edge *, |
2430 | region_model_context *ctxt) const final override |
2431 | { |
2432 | const call_details cd (get_call_details (model, ctxt)); |
2433 | sm_state_map *smap; |
2434 | const fd_state_machine *fd_sm; |
2435 | std::unique_ptr<sm_context> sm_ctxt; |
2436 | if (!get_fd_state (ctxt, out_smap: &smap, out_sm: &fd_sm, NULL, out_sm_context: &sm_ctxt)) |
2437 | { |
2438 | cd.set_any_lhs_with_defaults (); |
2439 | return true; |
2440 | } |
2441 | const extrinsic_state *ext_state = ctxt->get_ext_state (); |
2442 | if (!ext_state) |
2443 | { |
2444 | cd.set_any_lhs_with_defaults (); |
2445 | return true; |
2446 | } |
2447 | |
2448 | return fd_sm->on_accept (cd, successful: m_success, sm_ctxt: sm_ctxt.get (), ext_state: *ext_state); |
2449 | } |
2450 | }; |
2451 | |
2452 | bool matches_call_types_p (const call_details &cd) const final override |
2453 | { |
2454 | return (cd.num_args () == 3 |
2455 | && cd.arg_is_pointer_p (idx: 1) |
2456 | && cd.arg_is_pointer_p (idx: 2)); |
2457 | } |
2458 | |
2459 | void impl_call_post (const call_details &cd) const final override |
2460 | { |
2461 | if (cd.get_ctxt ()) |
2462 | { |
2463 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_accept> (args: cd, args: false)); |
2464 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_accept> (args: cd, args: true)); |
2465 | cd.get_ctxt ()->terminate_path (); |
2466 | } |
2467 | } |
2468 | }; |
2469 | |
2470 | /* Handle calls to "connect". |
2471 | See e.g. https://man7.org/linux/man-pages/man3/connect.3p.html */ |
2472 | |
2473 | class kf_connect : public known_function |
2474 | { |
2475 | public: |
2476 | class outcome_of_connect : public succeed_or_fail_call_info |
2477 | { |
2478 | public: |
2479 | outcome_of_connect (const call_details &cd, bool success) |
2480 | : succeed_or_fail_call_info (cd, success) |
2481 | {} |
2482 | |
2483 | bool update_model (region_model *model, |
2484 | const exploded_edge *, |
2485 | region_model_context *ctxt) const final override |
2486 | { |
2487 | const call_details cd (get_call_details (model, ctxt)); |
2488 | sm_state_map *smap; |
2489 | const fd_state_machine *fd_sm; |
2490 | std::unique_ptr<sm_context> sm_ctxt; |
2491 | if (!get_fd_state (ctxt, out_smap: &smap, out_sm: &fd_sm, NULL, out_sm_context: &sm_ctxt)) |
2492 | { |
2493 | cd.set_any_lhs_with_defaults (); |
2494 | return true; |
2495 | } |
2496 | const extrinsic_state *ext_state = ctxt->get_ext_state (); |
2497 | if (!ext_state) |
2498 | { |
2499 | cd.set_any_lhs_with_defaults (); |
2500 | return true; |
2501 | } |
2502 | |
2503 | return fd_sm->on_connect (cd, successful: m_success, sm_ctxt: sm_ctxt.get (), ext_state: *ext_state); |
2504 | } |
2505 | }; |
2506 | |
2507 | bool matches_call_types_p (const call_details &cd) const final override |
2508 | { |
2509 | return (cd.num_args () == 3 |
2510 | && cd.arg_is_pointer_p (idx: 1)); |
2511 | } |
2512 | |
2513 | void impl_call_post (const call_details &cd) const final override |
2514 | { |
2515 | if (cd.get_ctxt ()) |
2516 | { |
2517 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_connect> (args: cd, args: false)); |
2518 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_connect> (args: cd, args: true)); |
2519 | cd.get_ctxt ()->terminate_path (); |
2520 | } |
2521 | } |
2522 | }; |
2523 | |
2524 | /* Handler for "isatty"". |
2525 | See e.g. https://man7.org/linux/man-pages/man3/isatty.3.html */ |
2526 | |
2527 | class kf_isatty : public known_function |
2528 | { |
2529 | class outcome_of_isatty : public succeed_or_fail_call_info |
2530 | { |
2531 | public: |
2532 | outcome_of_isatty (const call_details &cd, bool success) |
2533 | : succeed_or_fail_call_info (cd, success) |
2534 | {} |
2535 | |
2536 | bool update_model (region_model *model, |
2537 | const exploded_edge *, |
2538 | region_model_context *ctxt) const final override |
2539 | { |
2540 | const call_details cd (get_call_details (model, ctxt)); |
2541 | |
2542 | if (m_success) |
2543 | { |
2544 | /* Return 1. */ |
2545 | model->update_for_int_cst_return (cd, retval: 1, unmergeable: true); |
2546 | } |
2547 | else |
2548 | { |
2549 | /* Return 0; set errno. */ |
2550 | model->update_for_int_cst_return (cd, retval: 0, unmergeable: true); |
2551 | model->set_errno (cd); |
2552 | } |
2553 | |
2554 | return feasible_p (cd, ctxt); |
2555 | } |
2556 | |
2557 | private: |
2558 | bool feasible_p (const call_details &cd, |
2559 | region_model_context *ctxt) const |
2560 | { |
2561 | if (m_success) |
2562 | { |
2563 | /* Can't be "success" on a closed/invalid fd. */ |
2564 | sm_state_map *smap; |
2565 | const fd_state_machine *fd_sm; |
2566 | std::unique_ptr<sm_context> sm_ctxt; |
2567 | if (!get_fd_state (ctxt, out_smap: &smap, out_sm: &fd_sm, NULL, out_sm_context: &sm_ctxt)) |
2568 | return true; |
2569 | const extrinsic_state *ext_state = ctxt->get_ext_state (); |
2570 | if (!ext_state) |
2571 | return true; |
2572 | |
2573 | const svalue *fd_sval = cd.get_arg_svalue (idx: 0); |
2574 | state_machine::state_t old_state |
2575 | = sm_ctxt->get_state (stmt: cd.get_call_stmt (), fd_sval); |
2576 | |
2577 | if (fd_sm->is_closed_fd_p (state: old_state) |
2578 | || old_state == fd_sm->m_invalid) |
2579 | return false; |
2580 | } |
2581 | return true; |
2582 | } |
2583 | }; // class outcome_of_isatty |
2584 | |
2585 | public: |
2586 | bool matches_call_types_p (const call_details &cd) const final override |
2587 | { |
2588 | return cd.num_args () == 1; |
2589 | } |
2590 | |
2591 | void impl_call_post (const call_details &cd) const final override |
2592 | { |
2593 | if (cd.get_ctxt ()) |
2594 | { |
2595 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_isatty> (args: cd, args: false)); |
2596 | cd.get_ctxt ()->bifurcate (info: make_unique<outcome_of_isatty> (args: cd, args: true)); |
2597 | cd.get_ctxt ()->terminate_path (); |
2598 | } |
2599 | } |
2600 | }; |
2601 | |
2602 | /* Handler for calls to "pipe" and "pipe2". |
2603 | See e.g. https://www.man7.org/linux/man-pages/man2/pipe.2.html */ |
2604 | |
2605 | class kf_pipe : public known_function |
2606 | { |
2607 | class failure : public failed_call_info |
2608 | { |
2609 | public: |
2610 | failure (const call_details &cd) : failed_call_info (cd) {} |
2611 | |
2612 | bool update_model (region_model *model, |
2613 | const exploded_edge *, |
2614 | region_model_context *ctxt) const final override |
2615 | { |
2616 | /* Return -1; everything else is unchanged. */ |
2617 | const call_details cd (get_call_details (model, ctxt)); |
2618 | model->update_for_int_cst_return (cd, retval: -1, unmergeable: true); |
2619 | return true; |
2620 | } |
2621 | }; |
2622 | |
2623 | class success : public success_call_info |
2624 | { |
2625 | public: |
2626 | success (const call_details &cd) : success_call_info (cd) {} |
2627 | |
2628 | bool update_model (region_model *model, |
2629 | const exploded_edge *, |
2630 | region_model_context *ctxt) const final override |
2631 | { |
2632 | const call_details cd (get_call_details (model, ctxt)); |
2633 | |
2634 | /* Return 0. */ |
2635 | model->update_for_zero_return (cd, unmergeable: true); |
2636 | |
2637 | /* Update fd array. */ |
2638 | region_model_manager *mgr = cd.get_manager (); |
2639 | tree arr_tree = cd.get_arg_tree (idx: 0); |
2640 | const svalue *arr_sval = cd.get_arg_svalue (idx: 0); |
2641 | for (int idx = 0; idx < 2; idx++) |
2642 | { |
2643 | const region *arr_reg |
2644 | = model->deref_rvalue (ptr_sval: arr_sval, ptr_tree: arr_tree, ctxt: cd.get_ctxt ()); |
2645 | const svalue *idx_sval |
2646 | = mgr->get_or_create_int_cst (integer_type_node, cst: idx); |
2647 | const region *element_reg |
2648 | = mgr->get_element_region (parent: arr_reg, integer_type_node, index: idx_sval); |
2649 | conjured_purge p (model, cd.get_ctxt ()); |
2650 | const svalue *fd_sval |
2651 | = mgr->get_or_create_conjured_svalue (integer_type_node, |
2652 | stmt: cd.get_call_stmt (), |
2653 | id_reg: element_reg, |
2654 | p); |
2655 | model->set_value (lhs_reg: element_reg, rhs_sval: fd_sval, ctxt: cd.get_ctxt ()); |
2656 | model->mark_as_valid_fd (sval: fd_sval, ctxt: cd.get_ctxt ()); |
2657 | } |
2658 | return true; |
2659 | } |
2660 | }; |
2661 | |
2662 | public: |
2663 | kf_pipe (unsigned num_args) |
2664 | : m_num_args (num_args) |
2665 | { |
2666 | gcc_assert (num_args > 0); |
2667 | } |
2668 | |
2669 | bool matches_call_types_p (const call_details &cd) const final override |
2670 | { |
2671 | return (cd.num_args () == m_num_args && cd.arg_is_pointer_p (idx: 0)); |
2672 | } |
2673 | |
2674 | void impl_call_post (const call_details &cd) const final override |
2675 | { |
2676 | if (cd.get_ctxt ()) |
2677 | { |
2678 | cd.get_ctxt ()->bifurcate (info: make_unique<failure> (args: cd)); |
2679 | cd.get_ctxt ()->bifurcate (info: make_unique<success> (args: cd)); |
2680 | cd.get_ctxt ()->terminate_path (); |
2681 | } |
2682 | } |
2683 | |
2684 | private: |
2685 | unsigned m_num_args; |
2686 | }; |
2687 | |
2688 | /* Handler for "read". |
2689 | ssize_t read(int fildes, void *buf, size_t nbyte); |
2690 | See e.g. https://man7.org/linux/man-pages/man2/read.2.html */ |
2691 | |
2692 | class kf_read : public known_function |
2693 | { |
2694 | public: |
2695 | bool matches_call_types_p (const call_details &cd) const final override |
2696 | { |
2697 | return (cd.num_args () == 3 |
2698 | && cd.arg_is_pointer_p (idx: 1) |
2699 | && cd.arg_is_size_p (idx: 2)); |
2700 | } |
2701 | |
2702 | /* For now, assume that any call to "read" fully clobbers the buffer |
2703 | passed in. This isn't quite correct (e.g. errors, partial reads; |
2704 | see PR analyzer/108689), but at least stops us falsely complaining |
2705 | about the buffer being uninitialized. */ |
2706 | void impl_call_pre (const call_details &cd) const final override |
2707 | { |
2708 | region_model *model = cd.get_model (); |
2709 | const svalue *ptr_sval = cd.get_arg_svalue (idx: 1); |
2710 | if (const region *reg = ptr_sval->maybe_get_region ()) |
2711 | { |
2712 | const region *base_reg = reg->get_base_region (); |
2713 | const svalue *new_sval = cd.get_or_create_conjured_svalue (base_reg); |
2714 | model->set_value (lhs_reg: base_reg, rhs_sval: new_sval, ctxt: cd.get_ctxt ()); |
2715 | } |
2716 | cd.set_any_lhs_with_defaults (); |
2717 | } |
2718 | }; |
2719 | |
2720 | |
2721 | /* Populate KFM with instances of known functions relating to |
2722 | file descriptors. */ |
2723 | |
2724 | void |
2725 | register_known_fd_functions (known_function_manager &kfm) |
2726 | { |
2727 | kfm.add (name: "accept" , kf: make_unique<kf_accept> ()); |
2728 | kfm.add (name: "bind" , kf: make_unique<kf_bind> ()); |
2729 | kfm.add (name: "connect" , kf: make_unique<kf_connect> ()); |
2730 | kfm.add (name: "isatty" , kf: make_unique<kf_isatty> ()); |
2731 | kfm.add (name: "listen" , kf: make_unique<kf_listen> ()); |
2732 | kfm.add (name: "pipe" , kf: make_unique<kf_pipe> (args: 1)); |
2733 | kfm.add (name: "pipe2" , kf: make_unique<kf_pipe> (args: 2)); |
2734 | kfm.add (name: "read" , kf: make_unique<kf_read> ()); |
2735 | kfm.add (name: "socket" , kf: make_unique<kf_socket> ()); |
2736 | } |
2737 | |
2738 | } // namespace ana |
2739 | |
2740 | #endif // ENABLE_ANALYZER |
2741 | |