nyx-scanner 0.5.0

A multi-language static analysis tool for detecting security vulnerabilities
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466

//! Abstract domain for field-sensitive Steensgaard points-to.
//!
//! Locations are interned to compact `LocId(u32)` handles so the
//! union-find resolver can operate on dense integer keys.  Field
//! locations are keyed structurally by `(parent_loc_id, field_id)` —
//! interning a `Field(parent, f)` always returns the same `LocId` no
//! matter how many times the same `(parent, f)` pair is requested.

use crate::cfg::BodyId;
use crate::ssa::ir::FieldId;
use smallvec::SmallVec;
use std::collections::HashMap;

/// Maximum nesting depth for `Field(...)` chains before folding to `Top`.
///
/// Bounds the per-body work for pathological recursive walks like
/// `a.next.next.next.…` and matches the bound called out in the
/// pointer-analysis prompt.
pub const MAX_FIELD_DEPTH: u8 = 3;

/// Maximum members per [`PointsToSet`] before we collapse the set to
/// the over-approximation `{Top}`.  Keeps both the set and downstream
/// constraint propagation bounded; mirrors the spirit of
/// [`crate::ssa::heap::effective_max_pointsto`] without sharing the
/// exact value (this analysis runs flow-insensitively across the body
/// so its sets are typically smaller).
pub const MAX_POINTSTO_MEMBERS: usize = 16;

/// Compact handle for an interned [`AbsLoc`].
///
/// All abstract locations referenced by a single body share one
/// [`LocInterner`] — `LocId`s are only meaningful relative to that
/// interner.  IDs are assigned densely from 0 and are stable for the
/// lifetime of the interner so the union-find can index parent / rank
/// arrays directly.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
pub struct LocId(pub u32);

/// Sentinel "anywhere" location.  Always `LocId(0)` — the interner
/// reserves the first slot at construction so callers can compare
/// against it cheaply.
pub const LOC_TOP: LocId = LocId(0);

/// Abstract heap location in the points-to lattice.
///
/// A pointer-targets-this kind of fact.  Cyclic field chains (e.g.
/// `a.next.next.…`) are bounded by [`MAX_FIELD_DEPTH`]; once the cap
/// is exceeded the chain folds to [`AbsLoc::Top`].
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub enum AbsLoc {
    /// "Anywhere" — the over-approximation used when precision is
    /// unrecoverable (e.g. a value sourced from outside the analysed
    /// body, or a points-to set that exceeded the cap).
    Top,
    /// Allocation site within a body, identified by the SSA value of
    /// the defining instruction.  SSA guarantees a single definition
    /// per value, so the SSA value uniquely names the allocation site.
    ///
    /// `body` disambiguates allocations across bodies in the same
    /// file.  The interned `u32` is the `SsaValue.0` of the call /
    /// constructor instruction.
    Alloc(BodyId, u32),
    /// Function parameter — the abstract identity of the value
    /// supplied by the caller for parameter `index`.  The receiver
    /// (`self` / `this`) uses [`AbsLoc::SelfParam`] instead.
    Param(BodyId, usize),
    /// Implicit method receiver (`self` / `this`).  Distinct from
    /// `Param(_, _)` so callers don't have to encode an "is the
    /// receiver" sentinel index.
    SelfParam(BodyId),
    /// Heap field of a parent location: `parent.f`.  `parent` is
    /// itself a [`LocId`] — chains of field accesses produce nested
    /// `Field` locations.  Depth is bounded by [`MAX_FIELD_DEPTH`].
    Field { parent: LocId, field: FieldId },
}

/// Per-body interner mapping [`AbsLoc`] → dense [`LocId`].
///
/// Owns the canonical store: callers only hold [`LocId`]s and resolve
/// them through the interner.  The first slot ([`LOC_TOP`]) is always
/// `Top`, so the union-find resolver can short-circuit "is this Top?"
/// queries with a single integer compare.
#[derive(Clone, Debug)]
pub struct LocInterner {
    /// Locations indexed by `LocId.0`.
    locs: Vec<AbsLoc>,
    /// Reverse lookup: `(BodyId, alloc-ssa-value)` → `LocId`.
    alloc_lookup: HashMap<(BodyId, u32), LocId>,
    /// Reverse lookup: `(BodyId, param-index)` → `LocId`.
    param_lookup: HashMap<(BodyId, usize), LocId>,
    /// Reverse lookup for `SelfParam`.
    self_param_lookup: HashMap<BodyId, LocId>,
    /// Reverse lookup for `Field { parent, field }`.
    field_lookup: HashMap<(LocId, FieldId), LocId>,
    /// Interned depth of each location (0 for non-Field).  Used to
    /// fold deeply-nested `Field` chains to [`AbsLoc::Top`].
    depths: Vec<u8>,
}

impl Default for LocInterner {
    fn default() -> Self {
        Self::new()
    }
}

impl LocInterner {
    /// Create a fresh interner with [`LOC_TOP`] pre-installed.
    pub fn new() -> Self {
        Self {
            locs: vec![AbsLoc::Top],
            alloc_lookup: HashMap::new(),
            param_lookup: HashMap::new(),
            self_param_lookup: HashMap::new(),
            field_lookup: HashMap::new(),
            depths: vec![0],
        }
    }

    /// Total number of interned locations (including the reserved
    /// [`LOC_TOP`] slot).
    #[inline]
    pub fn len(&self) -> usize {
        self.locs.len()
    }

    /// Whether the interner only holds the reserved [`LOC_TOP`] slot.
    #[inline]
    pub fn is_empty(&self) -> bool {
        self.locs.len() <= 1
    }

    /// Resolve a [`LocId`] back to its [`AbsLoc`].  Panics on out-of-
    /// range ids — only ids the interner produced are valid.
    #[inline]
    pub fn resolve(&self, id: LocId) -> &AbsLoc {
        &self.locs[id.0 as usize]
    }

    /// Depth of an interned location.  `0` for non-`Field` locations;
    /// `1 + depth(parent)` for `Field { parent, .. }`.
    #[inline]
    pub fn depth(&self, id: LocId) -> u8 {
        self.depths[id.0 as usize]
    }

    /// Intern an `Alloc` location.
    pub fn intern_alloc(&mut self, body: BodyId, ssa_value: u32) -> LocId {
        if let Some(&id) = self.alloc_lookup.get(&(body, ssa_value)) {
            return id;
        }
        let id = self.push(AbsLoc::Alloc(body, ssa_value), 0);
        self.alloc_lookup.insert((body, ssa_value), id);
        id
    }

    /// Intern a positional `Param` location.
    pub fn intern_param(&mut self, body: BodyId, index: usize) -> LocId {
        if let Some(&id) = self.param_lookup.get(&(body, index)) {
            return id;
        }
        let id = self.push(AbsLoc::Param(body, index), 0);
        self.param_lookup.insert((body, index), id);
        id
    }

    /// Intern a `SelfParam` location for the given body.
    pub fn intern_self_param(&mut self, body: BodyId) -> LocId {
        if let Some(&id) = self.self_param_lookup.get(&body) {
            return id;
        }
        let id = self.push(AbsLoc::SelfParam(body), 0);
        self.self_param_lookup.insert(body, id);
        id
    }

    /// Intern a `Field { parent, field }` location.  Returns
    /// [`LOC_TOP`] when `parent` is `Top` or when the resulting depth
    /// would exceed [`MAX_FIELD_DEPTH`].
    pub fn intern_field(&mut self, parent: LocId, field: FieldId) -> LocId {
        if parent == LOC_TOP {
            return LOC_TOP;
        }
        let parent_depth = self.depth(parent);
        if parent_depth >= MAX_FIELD_DEPTH {
            return LOC_TOP;
        }
        let key = (parent, field);
        if let Some(&id) = self.field_lookup.get(&key) {
            return id;
        }
        let id = self.push(AbsLoc::Field { parent, field }, parent_depth + 1);
        self.field_lookup.insert(key, id);
        id
    }

    fn push(&mut self, loc: AbsLoc, depth: u8) -> LocId {
        let id = LocId(self.locs.len() as u32);
        self.locs.push(loc);
        self.depths.push(depth);
        id
    }
}

/// Coarse classification of a value's points-to set, used by consumers
/// (Phase 2: resource lifecycle) that don't need full set membership but
/// do need to know "is this value's heap identity a *field* of some
/// other value, or does it stand on its own?".
///
/// The classifier is intentionally narrow: only [`PtrProxyHint::FieldOnly`]
/// is interesting to today's consumers, every other shape (empty, root,
/// `Top`, mixed) collapses to [`PtrProxyHint::Other`] so the consumer
/// keeps its existing behaviour.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum PtrProxyHint {
    /// Every member of the points-to set is an [`AbsLoc::Field`].  The
    /// value is a sub-object alias — e.g. `m` in `m := c.mu`.
    FieldOnly,
    /// Anything else: the set is empty, contains a root location
    /// ([`AbsLoc::SelfParam`] / [`AbsLoc::Param`] / [`AbsLoc::Alloc`]),
    /// contains [`AbsLoc::Top`], or mixes fields with roots.  Consumers
    /// fall back to their default behaviour.
    Other,
}

/// Bounded points-to set: a small sorted vector of [`LocId`]s.
///
/// "Bounded" means the set silently collapses to `{Top}` on overflow;
/// downstream consumers treat `Top`-containing sets as
/// over-approximations exactly the same way [`AbsLoc::Top`] is treated
/// at the singleton level.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct PointsToSet {
    /// Sorted, deduped list of locations.  When the cap is exceeded
    /// the set is replaced by `[LOC_TOP]`.
    ids: SmallVec<[LocId; 4]>,
}

impl Default for PointsToSet {
    fn default() -> Self {
        Self::empty()
    }
}

impl PointsToSet {
    /// Empty set — the value points to nothing tracked by the
    /// analysis (e.g. a scalar constant).
    pub fn empty() -> Self {
        Self {
            ids: SmallVec::new(),
        }
    }

    /// Singleton set wrapping `id`.
    pub fn singleton(id: LocId) -> Self {
        let mut ids = SmallVec::new();
        ids.push(id);
        Self { ids }
    }

    /// `{Top}` — the universal over-approximation.
    pub fn top() -> Self {
        Self::singleton(LOC_TOP)
    }

    /// True when the set contains [`LOC_TOP`] (i.e. has saturated to
    /// the over-approximation).
    pub fn is_top(&self) -> bool {
        self.ids.contains(&LOC_TOP)
    }

    pub fn is_empty(&self) -> bool {
        self.ids.is_empty()
    }

    pub fn len(&self) -> usize {
        self.ids.len()
    }

    /// Iterate over members in sorted order.
    pub fn iter(&self) -> impl Iterator<Item = LocId> + '_ {
        self.ids.iter().copied()
    }

    /// Whether `id` is one of the set members (or the set is `Top`).
    pub fn contains(&self, id: LocId) -> bool {
        if self.is_top() {
            return true;
        }
        self.ids.binary_search(&id).is_ok()
    }

    /// Insert `id`, maintaining sort/dedup.  Saturates to `{Top}`
    /// when the set would exceed [`MAX_POINTSTO_MEMBERS`].
    pub fn insert(&mut self, id: LocId) {
        if self.is_top() {
            return;
        }
        if id == LOC_TOP {
            self.ids.clear();
            self.ids.push(LOC_TOP);
            return;
        }
        match self.ids.binary_search(&id) {
            Ok(_) => {}
            Err(pos) => {
                if self.ids.len() >= MAX_POINTSTO_MEMBERS {
                    self.ids.clear();
                    self.ids.push(LOC_TOP);
                } else {
                    self.ids.insert(pos, id);
                }
            }
        }
    }

    /// Set-union, in place.  Returns `true` when `self` changed —
    /// the constraint solver uses the bit to decide whether the
    /// containing equivalence class needs another pass.
    pub fn union_in_place(&mut self, other: &PointsToSet) -> bool {
        if self.is_top() {
            return false;
        }
        if other.is_top() {
            let was_top = self.is_top();
            self.ids.clear();
            self.ids.push(LOC_TOP);
            return !was_top;
        }
        let mut changed = false;
        for id in other.iter() {
            if id == LOC_TOP {
                let was_top = self.is_top();
                self.ids.clear();
                self.ids.push(LOC_TOP);
                return !was_top;
            }
            match self.ids.binary_search(&id) {
                Ok(_) => {}
                Err(pos) => {
                    if self.ids.len() >= MAX_POINTSTO_MEMBERS {
                        self.ids.clear();
                        self.ids.push(LOC_TOP);
                        return true;
                    }
                    self.ids.insert(pos, id);
                    changed = true;
                }
            }
        }
        changed
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    fn body() -> BodyId {
        BodyId(0)
    }

    #[test]
    fn loc_top_is_zero() {
        let interner = LocInterner::new();
        assert_eq!(interner.len(), 1);
        assert_eq!(interner.resolve(LOC_TOP), &AbsLoc::Top);
    }

    #[test]
    fn alloc_intern_dedupes() {
        let mut interner = LocInterner::new();
        let a = interner.intern_alloc(body(), 7);
        let b = interner.intern_alloc(body(), 7);
        let c = interner.intern_alloc(body(), 8);
        assert_eq!(a, b);
        assert_ne!(a, c);
    }

    #[test]
    fn param_intern_dedupes_by_index() {
        let mut interner = LocInterner::new();
        let p0 = interner.intern_param(body(), 0);
        let p1 = interner.intern_param(body(), 1);
        let p0_again = interner.intern_param(body(), 0);
        assert_eq!(p0, p0_again);
        assert_ne!(p0, p1);
    }

    #[test]
    fn field_intern_dedupes_structurally() {
        let mut interner = LocInterner::new();
        let parent = interner.intern_self_param(body());
        let f = FieldId(7);
        let a = interner.intern_field(parent, f);
        let b = interner.intern_field(parent, f);
        assert_eq!(a, b, "same parent + same field id ⇒ same loc id");
    }

    #[test]
    fn field_chain_depth_bounded() {
        let mut interner = LocInterner::new();
        let mut cur = interner.intern_self_param(body());
        let f = FieldId(1);
        for _ in 0..MAX_FIELD_DEPTH {
            cur = interner.intern_field(cur, f);
            assert_ne!(cur, LOC_TOP, "depth ≤ MAX should not fold");
        }
        let folded = interner.intern_field(cur, f);
        assert_eq!(folded, LOC_TOP, "exceeding MAX_FIELD_DEPTH folds to Top");
    }

    #[test]
    fn field_of_top_is_top() {
        let mut interner = LocInterner::new();
        let folded = interner.intern_field(LOC_TOP, FieldId(0));
        assert_eq!(folded, LOC_TOP);
    }

    #[test]
    fn pointsto_set_empty_singleton_top() {
        assert!(PointsToSet::empty().is_empty());
        assert!(PointsToSet::top().is_top());
        let mut interner = LocInterner::new();
        let p = interner.intern_self_param(body());
        let s = PointsToSet::singleton(p);
        assert!(s.contains(p));
        assert!(!s.is_top());
    }

    #[test]
    fn pointsto_set_insert_and_union() {
        let mut interner = LocInterner::new();
        let p0 = interner.intern_param(body(), 0);
        let p1 = interner.intern_param(body(), 1);
        let mut a = PointsToSet::singleton(p0);
        let b = PointsToSet::singleton(p1);
        let changed = a.union_in_place(&b);
        assert!(changed);
        assert_eq!(a.len(), 2);
        assert!(a.contains(p0));
        assert!(a.contains(p1));
        // Re-union is idempotent.
        let changed2 = a.union_in_place(&b);
        assert!(!changed2);
    }

    #[test]
    fn pointsto_set_saturates_to_top_on_overflow() {
        let mut interner = LocInterner::new();
        let mut s = PointsToSet::empty();
        for i in 0..(MAX_POINTSTO_MEMBERS as u32 + 4) {
            s.insert(interner.intern_alloc(body(), i));
        }
        assert!(s.is_top(), "set should collapse to {{Top}} on overflow");
    }

    #[test]
    fn pointsto_set_union_with_top_is_top() {
        let mut interner = LocInterner::new();
        let p = interner.intern_param(body(), 0);
        let mut a = PointsToSet::singleton(p);
        let changed = a.union_in_place(&PointsToSet::top());
        assert!(changed);
        assert!(a.is_top());
    }
}