1 /* Modeling API uses and misuses via state machines.
2 Copyright (C) 2019-2022 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
11
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21 #include "config.h"
22 #include "system.h"
23 #include "coretypes.h"
24 #include "tree.h"
25 #include "function.h"
26 #include "basic-block.h"
27 #include "gimple.h"
28 #include "options.h"
29 #include "function.h"
30 #include "diagnostic-core.h"
31 #include "pretty-print.h"
32 #include "diagnostic.h"
33 #include "tree-diagnostic.h"
34 #include "json.h"
35 #include "analyzer/analyzer.h"
36 #include "analyzer/analyzer-logging.h"
37 #include "analyzer/sm.h"
38 #include "tristate.h"
39 #include "analyzer/call-string.h"
40 #include "analyzer/program-point.h"
41 #include "analyzer/store.h"
42 #include "analyzer/svalue.h"
43 #include "analyzer/program-state.h"
44
45 #if ENABLE_ANALYZER
46
47 namespace ana {
48
49 /* Return true if VAR has pointer or reference type. */
50
51 bool
any_pointer_p(tree var)52 any_pointer_p (tree var)
53 {
54 return POINTER_TYPE_P (TREE_TYPE (var));
55 }
56
57 /* Return true if SVAL has pointer or reference type. */
58
59 bool
any_pointer_p(const svalue * sval)60 any_pointer_p (const svalue *sval)
61 {
62 if (!sval->get_type ())
63 return false;
64 return POINTER_TYPE_P (sval->get_type ());
65 }
66
67 /* class state_machine::state. */
68
69 /* Base implementation of dump_to_pp vfunc. */
70
71 void
dump_to_pp(pretty_printer * pp) const72 state_machine::state::dump_to_pp (pretty_printer *pp) const
73 {
74 pp_string (pp, m_name);
75 }
76
77 /* Return a new json::string describing the state. */
78
79 json::value *
to_json() const80 state_machine::state::to_json () const
81 {
82 pretty_printer pp;
83 pp_format_decoder (&pp) = default_tree_printer;
84 dump_to_pp (&pp);
85 return new json::string (pp_formatted_text (&pp));
86 }
87
88 /* class state_machine. */
89
90 /* state_machine's ctor. */
91
state_machine(const char * name,logger * logger)92 state_machine::state_machine (const char *name, logger *logger)
93 : log_user (logger), m_name (name), m_next_state_id (0),
94 m_start (add_state ("start"))
95 {
96 }
97
98 /* Add a state with name NAME to this state_machine.
99 The string is required to outlive the state_machine.
100
101 Return the state_t for the new state. */
102
103 state_machine::state_t
add_state(const char * name)104 state_machine::add_state (const char *name)
105 {
106 state *s = new state (name, alloc_state_id ());
107 m_states.safe_push (s);
108 return s;
109 }
110
111 /* Get the state with name NAME, which must exist.
112 This is purely intended for use in selftests. */
113
114 state_machine::state_t
get_state_by_name(const char * name) const115 state_machine::get_state_by_name (const char *name) const
116 {
117 unsigned i;
118 state *s;
119 FOR_EACH_VEC_ELT (m_states, i, s)
120 if (!strcmp (name, s->get_name ()))
121 return s;
122 /* Name not found. */
123 gcc_unreachable ();
124 }
125
126 /* Dump a multiline representation of this state machine to PP. */
127
128 void
dump_to_pp(pretty_printer * pp) const129 state_machine::dump_to_pp (pretty_printer *pp) const
130 {
131 unsigned i;
132 state *s;
133 FOR_EACH_VEC_ELT (m_states, i, s)
134 {
135 pp_printf (pp, " state %i: ", i);
136 s->dump_to_pp (pp);
137 pp_newline (pp);
138 }
139 }
140
141 /* Return a new json::object of the form
142 {"name" : str,
143 "states" : [str]}. */
144
145 json::object *
to_json() const146 state_machine::to_json () const
147 {
148 json::object *sm_obj = new json::object ();
149
150 sm_obj->set ("name", new json::string (m_name));
151 {
152 json::array *states_arr = new json::array ();
153 unsigned i;
154 state *s;
155 FOR_EACH_VEC_ELT (m_states, i, s)
156 states_arr->append (s->to_json ());
157 sm_obj->set ("states", states_arr);
158 }
159
160 return sm_obj;
161 }
162
163 /* class sm_context. */
164
165 const region_model *
get_old_region_model() const166 sm_context::get_old_region_model () const
167 {
168 if (const program_state *old_state = get_old_program_state ())
169 return old_state->m_region_model;
170 else
171 return NULL;
172 }
173
174 /* Create instances of the various state machines, each using LOGGER,
175 and populate OUT with them. */
176
177 void
make_checkers(auto_delete_vec<state_machine> & out,logger * logger)178 make_checkers (auto_delete_vec <state_machine> &out, logger *logger)
179 {
180 out.safe_push (make_malloc_state_machine (logger));
181 out.safe_push (make_fileptr_state_machine (logger));
182 /* The "taint" checker must be explicitly enabled (as it currently
183 leads to state explosions that stop the other checkers working). */
184 if (flag_analyzer_checker)
185 out.safe_push (make_taint_state_machine (logger));
186 out.safe_push (make_sensitive_state_machine (logger));
187 out.safe_push (make_signal_state_machine (logger));
188
189 /* We only attempt to run the pattern tests if it might have been manually
190 enabled (for DejaGnu purposes). */
191 if (flag_analyzer_checker)
192 out.safe_push (make_pattern_test_state_machine (logger));
193
194 if (flag_analyzer_checker)
195 {
196 unsigned read_index, write_index;
197 state_machine **sm;
198
199 /* TODO: this leaks the machines
200 Would be nice to log the things that were removed. */
201 VEC_ORDERED_REMOVE_IF (out, read_index, write_index, sm,
202 0 != strcmp (flag_analyzer_checker,
203 (*sm)->get_name ()));
204 }
205 }
206
207 } // namespace ana
208
209 #endif /* #if ENABLE_ANALYZER */
210