1use annotate_snippets::{Level, Renderer, Snippet};
2use rustc_data_structures::fx::FxHashMap;
3use rustc_span::{Span, symbol::Symbol};
4
5use crate::utils::log::{
6 are_spans_in_same_file, get_basic_block_span, get_variable_name, relative_pos_range,
7 span_to_filename, span_to_line_number, span_to_source_code,
8};
9use rustc_middle::mir::{Body, HasLocalDecls, Local};
10
11#[derive(Debug)]
12pub struct TyBug {
13 pub drop_bb: usize,
14 pub drop_id: usize,
15 pub trigger_bb: usize,
16 pub trigger_id: usize,
17 pub span: Span,
18 pub confidence: usize,
19}
20
21#[derive(Debug)]
25pub struct BugRecords {
26 pub df_bugs: FxHashMap<usize, TyBug>,
27 pub df_bugs_unwind: FxHashMap<usize, TyBug>,
28 pub uaf_bugs: FxHashMap<usize, TyBug>,
29 pub dp_bugs: FxHashMap<usize, TyBug>,
30 pub dp_bugs_unwind: FxHashMap<usize, TyBug>,
31}
32
33impl BugRecords {
34 pub fn new() -> BugRecords {
35 BugRecords {
36 df_bugs: FxHashMap::default(),
37 df_bugs_unwind: FxHashMap::default(),
38 uaf_bugs: FxHashMap::default(),
39 dp_bugs: FxHashMap::default(),
40 dp_bugs_unwind: FxHashMap::default(),
41 }
42 }
43
44 pub fn is_bug_free(&self) -> bool {
45 self.df_bugs.is_empty()
46 && self.df_bugs_unwind.is_empty()
47 && self.uaf_bugs.is_empty()
48 && self.dp_bugs.is_empty()
49 && self.dp_bugs_unwind.is_empty()
50 }
51
52 pub fn df_bugs_output<'tcx>(&self, body: &Body<'tcx>, fn_name: Symbol, span: Span) {
53 self.emit_bug_reports(
54 body, &self.df_bugs, fn_name, span,
55 "Double free detected",
56 "Double free detected.",
57 |bug, drop_name, trigger_name, drop_bb_str, trigger_bb_str| {
58 format!(
59 "Double free (confidence {}%): Location in file {} line {}.\n | MIR detail: Value {} and {} are alias.\n | MIR detail: {} is dropped at {}; {} is dropped at {}.",
60 bug.confidence,
61 span_to_filename(bug.span),
62 span_to_line_number(bug.span),
63 drop_name, trigger_name,
64 drop_name, drop_bb_str,
65 trigger_name, trigger_bb_str
66 )
67 }
68 );
69
70 self.emit_bug_reports(
71 body, &self.df_bugs_unwind, fn_name, span,
72 "Double free detected",
73 "Double free detected during unwinding.",
74 |bug, drop_name, trigger_name, drop_bb_str, trigger_bb_str| {
75 format!(
76 "Double free (confidence {}%): Location in file {} line {}.\n | MIR detail: Value {} and {} are alias.\n | MIR detail: {} is dropped at {}; {} is dropped at {}.",
77 bug.confidence,
78 span_to_filename(bug.span),
79 span_to_line_number(bug.span),
80 drop_name, trigger_name,
81 drop_name, drop_bb_str,
82 trigger_name, trigger_bb_str
83 )
84 }
85 );
86 }
87
88 pub fn uaf_bugs_output<'tcx>(&self, body: &Body<'tcx>, fn_name: Symbol, span: Span) {
89 self.emit_bug_reports(
90 body, &self.uaf_bugs, fn_name, span,
91 "Use-after-free detected",
92 "Use-after-free detected.",
93 |bug, drop_name, trigger_name, drop_bb_str, trigger_bb_str| {
94 format!(
95 "Use-after-free (confidence {}%): Location in file {} line {}.\n | MIR detail: Value {} and {} are alias.\n | MIR detail: {} is dropped at {}; {} is used at {}.",
96 bug.confidence,
97 span_to_filename(bug.span),
98 span_to_line_number(bug.span),
99 drop_name, trigger_name,
100 drop_name, drop_bb_str,
101 trigger_name, trigger_bb_str
102 )
103 }
104 );
105 }
106
107 pub fn dp_bug_output<'tcx>(&self, body: &Body<'tcx>, fn_name: Symbol, span: Span) {
108 rap_warn!("fn_name: {:?}; body: {:?}", fn_name, body);
109 self.emit_bug_reports(
110 body, &self.dp_bugs, fn_name, span,
111 "Dangling pointer detected",
112 "Dangling pointer detected.",
113 |bug, drop_name, trigger_name, drop_bb_str, _trigger_bb_str| {
114 format!(
115 "Dangling pointer (confidence {}%): Location in file {} line {}.\n | MIR detail: Value {} and {} are alias.\n | MIR detail: {} is dropped at {}; {} became dangling.",
116 bug.confidence,
117 span_to_filename(bug.span),
118 span_to_line_number(bug.span),
119 drop_name, trigger_name,
120 drop_name, drop_bb_str,
121 trigger_name,
122 )
123 }
124 );
125
126 self.emit_bug_reports(
127 body, &self.dp_bugs_unwind, fn_name, span,
128 "Dangling pointer detected during unwinding",
129 "Dangling pointer detected during unwinding.",
130 |bug, drop_name, trigger_name, drop_bb_str, _trigger_bb_str| {
131 format!(
132 "Dangling pointer (confidence {}%): Location in file {} line {}.\n | MIR detail: Value {} and {} are alias.\n | MIR detail: {} is dropped at {}; {} became dangling.",
133 bug.confidence,
134 span_to_filename(bug.span),
135 span_to_line_number(bug.span),
136 drop_name, trigger_name,
137 drop_name, drop_bb_str,
138 trigger_name,
139 )
140 }
141 );
142 }
143
144 fn emit_bug_reports<'tcx, F>(
145 &self,
146 body: &Body<'tcx>,
147 bugs: &FxHashMap<usize, TyBug>,
148 fn_name: Symbol,
149 span: Span,
150 log_msg: &str,
151 title: &str,
152 detail_formatter: F,
153 ) where
154 F: Fn(&TyBug, &str, &str, &str, &str) -> String,
155 {
156 if bugs.is_empty() {
157 return;
158 }
159
160 rap_warn!("{} in function {:?}", log_msg, fn_name);
161
162 let code_source = span_to_source_code(span);
163 let filename = span_to_filename(span);
164 let renderer = Renderer::styled();
165
166 for bug in bugs.values() {
167 if are_spans_in_same_file(span, bug.span) {
168 let format_debug_info = |id: usize| -> String {
169 if id >= body.local_decls().len() {
170 return format!("UNKNWON(_{}) in {}", id, fn_name.as_str());
171 }
172 let local = Local::from_usize(id);
173 let name_opt = get_variable_name(body, id);
174 let decl_span = body.local_decls[local].source_info.span;
175 let location = format!(
176 "{}:{}",
177 span_to_filename(decl_span),
178 span_to_line_number(decl_span)
179 );
180 match name_opt {
181 Some(name) => format!("_{}({}, {})", id, name, location),
182 None => format!("_{}(_, {})", id, location),
183 }
184 };
185
186 let format_bb_info = |bb_id: usize| -> String {
187 let bb_span = get_basic_block_span(body, bb_id);
188 let location = format!(
189 "{}:{}",
190 span_to_filename(bb_span),
191 span_to_line_number(bb_span)
192 );
193 format!("BB{}({})", bb_id, location)
194 };
195
196 let drop_name = format_debug_info(bug.drop_id);
197 let trigger_name = format_debug_info(bug.trigger_id);
198 let drop_bb_str = format_bb_info(bug.drop_bb);
199 let trigger_bb_str = format_bb_info(bug.trigger_bb);
200
201 let detail = detail_formatter(
202 bug,
203 &drop_name,
204 &trigger_name,
205 &drop_bb_str,
206 &trigger_bb_str,
207 );
208
209 let mut snippet = Snippet::source(&code_source)
210 .line_start(span_to_line_number(span))
211 .origin(&filename)
212 .fold(false);
213
214 snippet = snippet.annotation(
215 Level::Warning
216 .span(relative_pos_range(span, bug.span))
217 .label(&detail),
218 );
219
220 let message = Level::Warning.title(title).snippet(snippet);
221
222 println!("{}", renderer.render(message));
223 }
224 }
225 }
226}