1/* Modeling API uses and misuses via state machines.
2 Copyright (C) 2019-2025 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
4
5This file is part of GCC.
6
7GCC is free software; you can redistribute it and/or modify it
8under the terms of the GNU General Public License as published by
9the Free Software Foundation; either version 3, or (at your option)
10any later version.
11
12GCC is distributed in the hope that it will be useful, but
13WITHOUT ANY WARRANTY; without even the implied warranty of
14MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15General Public License for more details.
16
17You should have received a copy of the GNU General Public License
18along with GCC; see the file COPYING3. If not see
19<http://www.gnu.org/licenses/>. */
20
21#ifndef GCC_ANALYZER_SM_H
22#define GCC_ANALYZER_SM_H
23
24/* Utility functions for use by state machines. */
25
26namespace ana {
27
28class state_machine;
29class sm_context;
30class pending_diagnostic;
31
32extern bool any_pointer_p (tree expr);
33extern bool any_pointer_p (const svalue *sval);
34
35/* An abstract base class for a state machine describing an API.
36 Manages a set of state objects, and has various virtual functions
37 for pattern-matching on statements. */
38
39class state_machine : public log_user
40{
41public:
42 /* States are represented by immutable objects, owned by the state
43 machine. */
44 class state
45 {
46 public:
47 state (const char *name, unsigned id) : m_name (name), m_id (id) {}
48 virtual ~state () {}
49
50 const char *get_name () const { return m_name; }
51 virtual void dump_to_pp (pretty_printer *pp) const;
52 virtual std::unique_ptr<json::value> to_json () const;
53
54 unsigned get_id () const { return m_id; }
55
56 private:
57 const char *m_name;
58 unsigned m_id;
59 };
60 typedef const state_machine::state *state_t;
61
62 state_machine (const char *name, logger *logger);
63 virtual ~state_machine () {}
64
65 /* Should states be inherited from a parent region to a child region,
66 when first accessing a child region?
67 For example we should inherit the taintedness of a subregion,
68 but we should not inherit the "malloc:non-null" state of a field
69 within a heap-allocated struct. */
70 virtual bool inherited_state_p () const = 0;
71
72 /* A vfunc for more general handling of inheritance. */
73 virtual state_t
74 alt_get_inherited_state (const sm_state_map &,
75 const svalue *,
76 const extrinsic_state &) const
77 {
78 return NULL;
79 }
80
81 virtual bool
82 has_alt_get_inherited_state_p () const
83 {
84 return false;
85 }
86
87 virtual state_machine::state_t get_default_state (const svalue *) const
88 {
89 return m_start;
90 }
91
92 const char *get_name () const { return m_name; }
93
94 state_t get_state_by_name (const char *name) const;
95
96 /* Return true if STMT is a function call recognized by this sm. */
97 virtual bool on_stmt (sm_context &sm_ctxt,
98 const supernode *node,
99 const gimple *stmt) const = 0;
100
101 virtual void on_phi (sm_context &sm_ctxt ATTRIBUTE_UNUSED,
102 const supernode *node ATTRIBUTE_UNUSED,
103 const gphi *phi ATTRIBUTE_UNUSED,
104 tree rhs ATTRIBUTE_UNUSED) const
105 {
106 }
107
108 virtual void on_condition (sm_context &sm_ctxt ATTRIBUTE_UNUSED,
109 const supernode *node ATTRIBUTE_UNUSED,
110 const gimple *stmt ATTRIBUTE_UNUSED,
111 const svalue *lhs ATTRIBUTE_UNUSED,
112 enum tree_code op ATTRIBUTE_UNUSED,
113 const svalue *rhs ATTRIBUTE_UNUSED) const
114 {
115 }
116
117 virtual void
118 on_bounded_ranges (sm_context &sm_ctxt ATTRIBUTE_UNUSED,
119 const supernode *node ATTRIBUTE_UNUSED,
120 const gimple *stmt ATTRIBUTE_UNUSED,
121 const svalue &sval ATTRIBUTE_UNUSED,
122 const bounded_ranges &ranges ATTRIBUTE_UNUSED) const
123 {
124 }
125
126 virtual void
127 on_pop_frame (sm_state_map *smap ATTRIBUTE_UNUSED,
128 const frame_region *frame_reg ATTRIBUTE_UNUSED) const
129 {
130 }
131
132 /* Return true if it safe to discard the given state (to help
133 when simplifying state objects).
134 States that need leak detection should return false. */
135 virtual bool can_purge_p (state_t s) const = 0;
136
137 /* Called when VAR leaks (and !can_purge_p). */
138 virtual std::unique_ptr<pending_diagnostic>
139 on_leak (tree var ATTRIBUTE_UNUSED) const;
140
141 /* Return true if S should be reset to "start" for values passed (or reachable
142 from) calls to unknown functions. IS_MUTABLE is true for pointers as
143 non-const, false if only passed as const-pointers.
144
145 For example, in sm-malloc.cc, an on-stack ptr doesn't stop being
146 stack-allocated when passed to an unknown fn, but a malloc-ed pointer
147 could be freed when passed to an unknown fn (unless passed as "const"). */
148 virtual bool reset_when_passed_to_unknown_fn_p (state_t s ATTRIBUTE_UNUSED,
149 bool is_mutable) const
150 {
151 return is_mutable;
152 }
153
154 /* Attempt to get a state for the merger of STATE_A and STATE_B,
155 or return NULL if merging shouldn't occur, so that differences
156 between sm-state will lead to separate exploded nodes.
157
158 Most state machines will only merge equal states, but can
159 override maybe_get_merged_states_nonequal to support mergers
160 of certain non-equal states. */
161 state_t maybe_get_merged_state (state_t state_a,
162 state_t state_b) const
163 {
164 if (state_a == state_b)
165 return state_a;
166 return maybe_get_merged_states_nonequal (state_a, state_b);
167 }
168
169 /* Base implementation of hook for maybe_get_merged_state on non-equal
170 states. */
171 virtual state_t
172 maybe_get_merged_states_nonequal (state_t state_a ATTRIBUTE_UNUSED,
173 state_t state_b ATTRIBUTE_UNUSED) const
174 {
175 /* By default, non-equal sm states should inhibit merger of enodes. */
176 return NULL;
177 }
178
179 void validate (state_t s) const;
180
181 void dump_to_pp (pretty_printer *pp) const;
182
183 std::unique_ptr<json::object> to_json () const;
184
185 state_t get_start_state () const { return m_start; }
186
187protected:
188 state_t add_state (const char *name);
189 state_t add_custom_state (state *s)
190 {
191 m_states.safe_push (obj: s);
192 return s;
193 }
194
195 unsigned alloc_state_id () { return m_next_state_id++; }
196
197private:
198 DISABLE_COPY_AND_ASSIGN (state_machine);
199
200 const char *m_name;
201
202 /* States are owned by the state_machine. */
203 auto_delete_vec<state> m_states;
204
205 unsigned m_next_state_id;
206
207protected:
208 /* Must be inited after m_next_state_id. */
209 state_t m_start;
210};
211
212/* Abstract base class for state machines to pass to
213 sm_context::on_custom_transition for handling non-standard transitions
214 (e.g. adding a node and edge to simulate registering a callback and having
215 the callback be called later). */
216
217class custom_transition
218{
219public:
220 virtual ~custom_transition () {}
221 virtual void impl_transition (exploded_graph *eg,
222 exploded_node *src_enode,
223 int sm_idx) = 0;
224};
225
226/* Abstract base class giving an interface for the state machine to call
227 the checker engine, at a particular stmt. */
228
229class sm_context
230{
231public:
232 virtual ~sm_context () {}
233
234 /* Get the fndecl used at call, or NULL_TREE.
235 Use in preference to gimple_call_fndecl (and gimple_call_addr_fndecl),
236 since it can look through function pointer assignments and
237 other callback handling. */
238 virtual tree get_fndecl_for_call (const gcall &call) = 0;
239
240 /* Get the old state of VAR at STMT. */
241 virtual state_machine::state_t get_state (const gimple *stmt,
242 tree var) = 0;
243 virtual state_machine::state_t get_state (const gimple *stmt,
244 const svalue *) = 0;
245 /* Set the next state of VAR to be TO, recording the "origin" of the
246 state as ORIGIN.
247 Use STMT for location information. */
248 virtual void set_next_state (const gimple *stmt,
249 tree var,
250 state_machine::state_t to,
251 tree origin = NULL_TREE) = 0;
252 virtual void set_next_state (const gimple *stmt,
253 const svalue *var,
254 state_machine::state_t to,
255 tree origin = NULL_TREE) = 0;
256
257 /* Called by state_machine in response to pattern matches:
258 if VAR is in state FROM, transition it to state TO, potentially
259 recording the "origin" of the state as ORIGIN.
260 Use NODE and STMT for location information. */
261 void on_transition (const supernode *node ATTRIBUTE_UNUSED,
262 const gimple *stmt,
263 tree var,
264 state_machine::state_t from,
265 state_machine::state_t to,
266 tree origin = NULL_TREE)
267 {
268 state_machine::state_t current = get_state (stmt, var);
269 if (current == from)
270 set_next_state (stmt, var, to, origin);
271 }
272
273 void on_transition (const supernode *node ATTRIBUTE_UNUSED,
274 const gimple *stmt,
275 const svalue *var,
276 state_machine::state_t from,
277 state_machine::state_t to,
278 tree origin = NULL_TREE)
279 {
280 state_machine::state_t current = get_state (stmt, var);
281 if (current == from)
282 set_next_state (stmt, var, to, origin);
283 }
284
285 /* Called by state_machine in response to pattern matches:
286 issue a diagnostic D using NODE and STMT for location information. */
287 virtual void warn (const supernode *node, const gimple *stmt,
288 tree var,
289 std::unique_ptr<pending_diagnostic> d) = 0;
290 virtual void warn (const supernode *node, const gimple *stmt,
291 const svalue *var,
292 std::unique_ptr<pending_diagnostic> d) = 0;
293
294 /* For use when generating trees when creating pending_diagnostics, so that
295 rather than e.g.
296 "double-free of '<unknown>'"
297 we can print:
298 "double-free of 'inbuf.data'". */
299 virtual tree get_diagnostic_tree (tree expr)
300 {
301 return expr;
302 }
303 virtual tree get_diagnostic_tree (const svalue *) = 0;
304
305 virtual state_machine::state_t get_global_state () const = 0;
306 virtual void set_global_state (state_machine::state_t) = 0;
307
308 virtual void clear_all_per_svalue_state () = 0;
309
310 /* A vfunc for handling custom transitions, such as when registering
311 a signal handler. */
312 virtual void on_custom_transition (custom_transition *transition) = 0;
313
314 /* If STMT is an assignment known to assign zero to its LHS, return
315 the LHS.
316 Otherwise return NULL_TREE. */
317 virtual tree is_zero_assignment (const gimple *stmt) = 0;
318
319 virtual path_context *get_path_context () const
320 {
321 return NULL;
322 }
323
324 /* Are we handling an external function with unknown side effects? */
325 virtual bool unknown_side_effects_p () const { return false; }
326
327 virtual const program_state *get_old_program_state () const = 0;
328 virtual const program_state *get_new_program_state () const = 0;
329
330 const region_model *get_old_region_model () const;
331
332protected:
333 sm_context (int sm_idx, const state_machine &sm)
334 : m_sm_idx (sm_idx), m_sm (sm) {}
335
336 int m_sm_idx;
337 const state_machine &m_sm;
338};
339
340
341/* The various state_machine subclasses are hidden in their respective
342 implementation files. */
343
344extern std::vector<std::unique_ptr<state_machine>>
345make_checkers (logger *logger);
346
347extern std::unique_ptr<state_machine> make_malloc_state_machine (logger *);
348extern std::unique_ptr<state_machine> make_fileptr_state_machine (logger *);
349extern std::unique_ptr<state_machine> make_taint_state_machine (logger *);
350extern std::unique_ptr<state_machine> make_sensitive_state_machine (logger *);
351extern std::unique_ptr<state_machine> make_signal_state_machine (logger *);
352extern std::unique_ptr<state_machine> make_pattern_test_state_machine (logger *);
353extern std::unique_ptr<state_machine> make_va_list_state_machine (logger *);
354extern std::unique_ptr<state_machine> make_fd_state_machine (logger *);
355
356} // namespace ana
357
358#endif /* GCC_ANALYZER_SM_H */
359

source code of gcc/analyzer/sm.h