immunant · ahomescu · Jul 20, 2024 · Jul 24, 2024 · Jun 13, 2024 · Aug 19, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/analysis/runtime/src/events.rs b/analysis/runtime/src/events.rs
@@ -28,12 +28,12 @@ pub enum EventKind {
     /// the pointer.
     CopyPtr(Pointer),
 
-    CopyRef,
-
-    /// Field projection. Used for operations like `_2 = &(*_1).0`. Nested field
-    /// accesses like `_4 = &(*_1).x.y.z` are broken into multiple `Node`s, each
-    /// covering one level.
-    Field(Pointer, u32),
+    /// Projection. Used for operations like `_2 = &(*_1).0`.
+    /// The third value is a "projection key" that points to an element
+    /// of the projections data structure in the metadata. It is used to
+    /// disambiguate between different projections with the same pointer,
+    /// e.g., `(*p).x` and `(*p).x.a` where `a` is at offset 0.
+    Project(Pointer, Pointer, u64),
 
     Alloc {
         size: usize,
@@ -61,8 +61,19 @@ pub enum EventKind {
     /// are necessary for its underlying address.
     StoreAddrTaken(Pointer),
 
-    /// The pointer that appears as the address result of addr_of(Local)
-    AddrOfLocal(Pointer, Local),
+    /// The pointer that appears as the address result of addr_of(Local).
+    /// The fields encode the pointer of the local, its MIR index, and its size.
+    AddrOfLocal {
+        ptr: Pointer,
+        local: Local,
+        size: u32,
+    },
+
+    /// The address and size of a sized pointee of a pointer.
+    AddrOfSized {
+        ptr: Pointer,
+        size: usize,
+    },
 
     /// Casting the pointer to an int
     ToInt(Pointer),
@@ -90,7 +101,9 @@ impl Debug for EventKind {
         use EventKind::*;
         match *self {
             CopyPtr(ptr) => write!(f, "copy(0x{:x})", ptr),
-            Field(ptr, id) => write!(f, "field(0x{:x}, {})", ptr, id),
+            Project(ptr, new_ptr, idx) => {
+                write!(f, "project(0x{:x}, 0x{:x}, [{}])", ptr, new_ptr, idx)
+            }
             Alloc { size, ptr } => {
                 write!(f, "malloc({}) -> 0x{:x}", size, ptr)
             }
@@ -106,8 +119,10 @@ impl Debug for EventKind {
             LoadAddr(ptr) => write!(f, "load(0x{:x})", ptr),
             StoreAddr(ptr) => write!(f, "store(0x{:x})", ptr),
             StoreAddrTaken(ptr) => write!(f, "store(0x{:x})", ptr),
-            CopyRef => write!(f, "copy_ref"),
-            AddrOfLocal(ptr, _) => write!(f, "addr_of_local = 0x{:x}", ptr),
+            AddrOfLocal { ptr, local, size } => {
+                write!(f, "addr_of_local({:?}, {}) = 0x{:x}", local, size, ptr)
+            }
+            AddrOfSized { ptr, size } => write!(f, "addr_of_sized({}) = 0x{:x}", size, ptr),
             ToInt(ptr) => write!(f, "to_int(0x{:x})", ptr),
             FromInt(ptr) => write!(f, "from_int(0x{:x})", ptr),
             LoadValue(ptr) => write!(f, "load_value(0x{:x})", ptr),

diff --git a/analysis/runtime/src/handlers.rs b/analysis/runtime/src/handlers.rs
@@ -82,6 +82,18 @@ pub fn reallocarray(mir_loc: MirLocId, old_ptr: usize, nmemb: u64, size: u64, ne
 ///   = note: rustdoc does not allow disambiguating between `*const` and `*mut`, and pointers are unstable until it does
 /// ```
 pub fn offset(mir_loc: MirLocId, ptr: usize, offset: isize, new_ptr: usize) {
+    // Corner case: Offset(..) events with a base pointer of zero are special
+    // because the result might be an actual pointer, e.g., c2rust will
+    // emit a pointer increment `a += b` as `a = a.offset(b)` which we need
+    // to ignore here if `a == 0` which is equivalent to `a = b`.
+    if ptr == 0 {
+        RUNTIME.send_event(Event {
+            mir_loc,
+            kind: EventKind::CopyPtr(offset as usize),
+        });
+        return;
+    }
+
     RUNTIME.send_event(Event {
         mir_loc,
         kind: EventKind::Offset(ptr, offset, new_ptr),
@@ -110,10 +122,10 @@ pub const HOOK_FUNCTIONS: &[&str] = &[
     hook_fn!(offset),
 ];
 
-pub fn ptr_field(mir_loc: MirLocId, ptr: usize, field_id: u32) {
+pub fn ptr_project(mir_loc: MirLocId, ptr: usize, new_ptr: usize, proj_key: u64) {
     RUNTIME.send_event(Event {
         mir_loc,
-        kind: EventKind::Field(ptr, field_id),
+        kind: EventKind::Project(ptr, new_ptr, proj_key),
     });
 }
 
@@ -138,10 +150,25 @@ pub fn ptr_to_int(mir_loc: MirLocId, ptr: usize) {
     });
 }
 
-pub fn addr_of_local(mir_loc: MirLocId, ptr: usize, local: u32) {
+pub fn addr_of_local(mir_loc: MirLocId, ptr: usize, local: u32, size: u32) {
     RUNTIME.send_event(Event {
         mir_loc,
-        kind: EventKind::AddrOfLocal(ptr, local.into()),
+        kind: EventKind::AddrOfLocal {
+            ptr,
+            local: local.into(),
+            size,
+        },
+    });
+}
+
+pub fn addr_of_sized<T: ?Sized>(mir_loc: MirLocId, ptr: *const T) {
+    let size = unsafe { core::mem::size_of_val(&*ptr) };
+    RUNTIME.send_event(Event {
+        mir_loc,
+        kind: EventKind::AddrOfSized {
+            ptr: ptr as *const u8 as usize,
+            size,
+        },
     });
 }
 

diff --git a/analysis/runtime/src/metadata.rs b/analysis/runtime/src/metadata.rs
@@ -13,6 +13,7 @@ use crate::mir_loc::{Func, FuncId, MirLoc, MirLocId};
 pub struct Metadata {
     pub locs: Vec<MirLoc>,
     pub functions: HashMap<FuncId, String>,
+    pub projections: HashMap<u64, Vec<usize>>,
 }
 
 impl Metadata {
@@ -46,11 +47,27 @@ impl FromIterator<Metadata> for Metadata {
     fn from_iter<I: IntoIterator<Item = Metadata>>(iter: I) -> Self {
         let mut locs = Vec::new();
         let mut functions = HashMap::new();
+        let mut projections = HashMap::new();
         for metadata in iter {
             locs.extend(metadata.locs);
             functions.extend(metadata.functions);
+
+            for (key, proj) in metadata.projections.into_iter() {
+                projections
+                    .entry(key)
+                    .and_modify(|old_proj| {
+                        panic!(
+                            "Projection key collision at {key:x} between {old_proj:?} and {proj:?}"
+                        )
+                    })
+                    .or_insert(proj);
+            }
+        }
+        Self {
+            locs,
+            functions,
+            projections,
         }
-        Self { locs, functions }
     }
 }
 

diff --git a/analysis/tests/minimal/reference_pdg.bc b/analysis/tests/minimal/reference_pdg.bc
diff --git a/analysis/tests/misc/src/pointers.rs b/analysis/tests/misc/src/pointers.rs
@@ -93,6 +93,9 @@ pub unsafe extern "C" fn malloc_wrapper(mut size: size_t) -> *mut libc::c_void {
 #[no_mangle]
 pub unsafe extern "C" fn recur(x: libc::c_int, s: *mut S) {
     if x == 0 {
+        if s.is_null() {
+            return;
+        }
         return free(s as *mut libc::c_void);
     }
 
@@ -122,6 +125,7 @@ pub unsafe extern "C" fn simple() {
     let s = *y;
     *x = s;
     recur(3, x);
+    recur(3, std::ptr::null_mut());
     free(x2 as *mut libc::c_void);
 }