diff --git a/tools/unsafe-finder/Cargo.toml b/tools/unsafe-finder/Cargo.toml
new file mode 100644
index 0000000000000..1630694e76dd1
--- /dev/null
+++ b/tools/unsafe-finder/Cargo.toml
@@ -0,0 +1,12 @@
+[package]
+name = "unsafe-finder"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+prettyplease = "0.2.32"
+syn = {version = "2.0.101", features = ["full", "extra-traits", "visit"]}
+csv = "1.1"
+serde = { version = "1.0.55", features = ["derive"] }
+regex = "1.11.2"
+itertools = "0.14.0"
diff --git a/tools/unsafe-finder/LICENSE-APACHE b/tools/unsafe-finder/LICENSE-APACHE
new file mode 100644
index 0000000000000..1b5ec8b78e237
--- /dev/null
+++ b/tools/unsafe-finder/LICENSE-APACHE
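Review bot: `prettyplease` and `syn` (with `full`, `extra-traits`, `visit`) are declared under `[dependencies]`, but nothing in the `src/main.rs` added by this commit uses them; its imports are `csv`, `serde`, `regex` and `itertools` only. Each unused crate is still compiled and enters the build's supply-chain and audit surface, so either drop the two lines or say in the manifest what they are reserved for, e.g. `# syn/prettyplease: not yet used; intended for parsing .rs sources directly, as the README describes`. No `Cargo.lock` appears in this excerpt of the diff; for a binary tool, committing one pins the resolved versions behind these caret ranges.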
@@ -0,0 +1,176 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+END OF TERMS AND CONDITIONS
diff --git a/tools/unsafe-finder/LICENSE-MIT b/tools/unsafe-finder/LICENSE-MIT
new file mode 100644
index 0000000000000..31aa79387f27e
--- /dev/null
+++ b/tools/unsafe-finder/LICENSE-MIT
@@ -0,0 +1,23 @@
+Permission is hereby granted, free of charge, to any
+person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the
+Software without restriction, including without
+limitation the rights to use, copy, modify, merge,
+publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software
+is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice
+shall be included in all copies or substantial portions
+of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF
+ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
+TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
+SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR
+IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
diff --git a/tools/unsafe-finder/README.md b/tools/unsafe-finder/README.md
new file mode 100644
index 0000000000000..e59ddb7bbe6c2
--- /dev/null
+++ b/tools/unsafe-finder/README.md
@@ -0,0 +1,49 @@
+# Unsafe finder
+
+This tool parses a Rust file and identifies three types of functions:
+1. those that belong to impls and are `pub unsafe`;
+2. those that belong to impls and are *not* `unsafe` but contain `unsafe` code; and,
+3. those that are default functions belonging to traits and contain `unsafe` code.
+
+The clippy `missing_safety_doc` lint nags developers to add
+(plain-text) safety comments to functions in category (1), with a
+configuration option that will make clippy also complain about private
+unsafe functions (default false). For the purpose of verifying the
+Rust standard library, such functions should have contracts and be
+verified against them.
+
+For categories (2) and (3), the unsafety is encapsulated in the
+function; there must be some reason that the unsafe code in the
+function is actually OK. (See
+https://github.com/rust-lang/rust-clippy/issues/9330 for more
+discussion on this issue). To verify the Rust standard library, one
+must verify that there is no undefined behaviour triggered by the
+unsafe code, probably by verifying the stated reason that the code is
+OK.
+
+There are some related metrics which are automatically generated in the
+`verify-rust-std` project. Those metrics live in `scritps/kani-std-analysis/metrics-data-core.json`.
+
+# Command-line arguments
+
+This tool takes a directory or a list of .rs files as input and prints
+out a list of impls and traits that have functions in categories (1)
+through (3), as well as the involved functions.
+
+```
+$ target/debug/unsafe-finder rc.rs
+impl Rc {}
+--- unsafe-containing fn inner
+--- unsafe-containing fn into_inner_with_allocator
+
+impl Rc {}
+--- unsafe-containing fn new
+--- unsafe-containing fn new_uninit
+--- unsafe-containing fn new_zeroed
+--- unsafe-containing fn try_new
+--- unsafe-containing fn try_new_uninit
+--- unsafe-containing fn try_new_zeroed
+--- unsafe-containing fn pin
+
+etc
+```
diff --git a/tools/unsafe-finder/src/main.rs b/tools/unsafe-finder/src/main.rs
new file mode 100644
index 0000000000000..bd5f43e336815
--- /dev/null
+++ b/tools/unsafe-finder/src/main.rs
@@ -0,0 +1,240 @@
+use std::env;
+use std::fs;
+use std::error::Error;
+use std::process;
+use std::path::Path;
+
+use std::collections::HashMap;
+
+use itertools::Itertools;
+
+use serde::Serialize;
+use serde::Deserialize;
+
+use regex::Regex;
+
+// from kani repo's tools/scanner/src/analysis.rs:
+#[derive(Clone, Debug, Serialize, Deserialize)]
+struct FnStats {
+ name: String,
+ is_unsafe: Option,
+ has_unsafe_ops: Option,
+ has_unsupported_input: Option, // i.e. a function contains coroutines, floats, fn defs, fn ptrs, interior mut, raw pointers, recursive types, and mut refs
+ has_loop_or_iterator: Option,
+ is_public: Option,
+}
+
+#[derive(Clone)]
+struct StructuredFnName {
+ trait_impl: Option<(String, String)>, // type as trait
+ module_path: Vec,
+ type_parameters: Vec,
+ item: String,
+ is_public: bool
+}
+
+fn split_by_double_colons(s:&str) -> Vec {
+ let mut bracket_level = 0;
+ let mut current_string = String::new();
+ let mut previous_strings = vec![];
+ let mut colons = 0;
+ for c in s.chars() {
+ current_string.push(c);
+ match c {
+ '<' => bracket_level += 1,
+ '>' => bracket_level -= 1,
+ ':' => {
+ if bracket_level > 0 { continue; }
+ colons += 1;
+ if colons == 2 {
+ colons = 0;
+ previous_strings.push(current_string[..current_string.len()-2].to_string());
+ current_string.clear();
+ }},
+ _ => ()
+ }
+ }
+ previous_strings.push(current_string.clone());
+ previous_strings
+}
+
+fn split_by_commas(s:&str) -> Vec {
+ let mut bracket_level = 0;
+ let mut parens_level = 0;
+ let mut current_string = String::new();
+ let mut previous_strings = vec![];
+ for c in s.chars() {
+ current_string.push(c);
+ match c {
+ '<' => bracket_level += 1,
+ '>' => bracket_level -= 1,
+ '(' => parens_level += 1,
+ ')' => parens_level -= 1,
+ ',' => {
+ if bracket_level > 0 || parens_level > 0 { continue; }
+ previous_strings.push(current_string[..current_string.len()-1].trim().to_string());
+ current_string.clear();
+ },
+ _ => ()
+ }
+ }
+ previous_strings.push(current_string.trim().to_string().clone());
+ previous_strings
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn colons_singleton() {
+ let result = split_by_double_colons("a");
+ assert_eq!(result, ["a"]);
+ }
+
+ #[test]
+ fn colons_no_brackets() {
+ let result = split_by_double_colons("one::two");
+ assert_eq!(result, ["one", "two"]);
+ }
+
+ #[test]
+ fn colons_brackets_no_colons() {
+ let result = split_by_double_colons("one::::three");
+ assert_eq!(result, ["one", "", "three"]);
+ }
+
+ #[test]
+ fn colons_brackets_with_colons() {
+ let result = split_by_double_colons("one::::three");
+ assert_eq!(result, ["one", "", "three"]);
+ }
+
+ #[test]
+ fn commas_singleton() {
+ let result = split_by_commas("a");
+ assert_eq!(result, ["a"]);
+ }
+
+ #[test]
+ fn commas_brackets() {
+ let result = split_by_commas("");
+ assert_eq!(result, [""]);
+ }
+
+ #[test]
+ fn commas_no_brackets() {
+ let result = split_by_commas("a, b");
+ assert_eq!(result, ["a","b"]);
+ }
+
+ #[test]
+ fn commas_parens() {
+ let result = split_by_commas("(a,b)");
+ assert_eq!(result, ["(a,b)"]);
+ }
+
+ #[test]
+ fn commas_unmatched() {
+ let result = split_by_commas(" StructuredFnName {
+ let trait_impl_re = Regex::new(r"<(.+) as (.+)>").unwrap();
+ let brackets_re = Regex::new(r"<(.+)>").unwrap();
+
+ let parts:Vec = split_by_double_colons(&raw_name).into_iter().rev().collect();
+
+ if parts.len() == 2 && trait_impl_re.is_match(&parts[1]) {
+ let ti_captures = trait_impl_re.captures(&parts[1]).unwrap();
+ return StructuredFnName {
+ trait_impl: Some((ti_captures[1].to_string(), ti_captures[2].to_string())),
+ module_path: vec![],
+ type_parameters: vec![],
+ item: parts[0].to_string(),
+ is_public: is_public
+ }
+ }
+
+ let mut parts_index = 0;
+ let item = &parts[parts_index]; parts_index += 1;
+ let tp = &parts[parts_index].as_str();
+ let type_parameters = if brackets_re.is_match(tp) {
+ let tp_commas = &brackets_re.captures(tp).unwrap();
+ parts_index += 1;
+ split_by_commas(&tp_commas[1]).into_iter().map(|x| x.to_string()).collect()
+ } else {
+ vec![]
+ };
+ let mut mp = vec![];
+ while parts_index < parts.len() {
+ mp.push(parts[parts_index].to_string());
+ parts_index += 1;
+ }
+
+ StructuredFnName {
+ trait_impl: None,
+ module_path: mp.into_iter().rev().collect(),
+ type_parameters: type_parameters.into_iter().map(|x| x.to_string()).collect(),
+ item: item.to_string(),
+ is_public: is_public
+ }
+}
+
+fn handle_file(path:&Path) -> Result<(), Box> {
+ let path_contents = fs::read_to_string(&path).expect("unable to read file");
+ let mut rdr = csv::ReaderBuilder::new().delimiter(b';').from_reader(path_contents.as_bytes());
+
+ println!("# Unsafe usages in file {}", path.display());
+
+ let mut fns_by_modules: HashMap, Vec> = HashMap::new();
+
+ for result in rdr.deserialize() {
+ let fn_stats: FnStats = result?;
+ if matches!(fn_stats.is_unsafe, Some(true)) || matches!(fn_stats.has_unsafe_ops, Some(true)) {
+ let structured_fn_name = parse_fn_name(fn_stats.name, fn_stats.is_public.is_some() && fn_stats.is_public.unwrap());
+ match fns_by_modules.get_mut(&structured_fn_name.module_path) {
+ Some(fns) => fns.push(structured_fn_name.clone()),
+ None => { fns_by_modules.insert(structured_fn_name.module_path.clone(), vec![structured_fn_name.clone()]); }
+ }
+ }
+ }
+
+ for mp in fns_by_modules.keys().sorted() {
+ println!("modules {:?}", mp);
+ if let Some(fns) = fns_by_modules.get(mp) {
+ for structured_fn_name in fns {
+ println!("--- unsafe-containing fn {} {}", structured_fn_name.item, if structured_fn_name.is_public { "[pub]" } else { "" } );
+ if let Some(ti) = &structured_fn_name.trait_impl {
+ println!(" trait impl: type {} as trait {}", ti.0, ti.1);
+ } else {}
+ if !structured_fn_name.type_parameters.is_empty() {
+ println!(" type parameters {:?}", structured_fn_name.type_parameters);
+ }
+ }
+ }
+ }
+
+ Ok(())
+}
+
+fn main() {
+ let mut args = env::args();
+ let _ = args.next(); // executable name
+
+ if args.len() == 0 {
+ // should we only handle files named "_scan_functions.csv"?
+ eprintln!("Usage: unsafe-finder [[prefix]_scan_functions.csv]*");
+ process::exit(1);
+ }
+
+ for arg in args {
+ let path = Path::new(&arg);
+ if let Err(err) = handle_file(&path) {
+ eprintln!("error processing {}: {}", arg, err);
+ process::exit(1);
+ }
+ }
+}
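Review bot: `parse_fn_name` reads `parts[parts_index]` for the type-parameter slot without checking that a second `::` segment exists, so a CSV row whose name has no `::` (the single-segment case `colons_singleton` already tests for `split_by_double_colons`) aborts the whole run with an index-out-of-bounds panic; `let tp = parts.get(parts_index).map(String::as_str).unwrap_or("");` keeps the existing flow and yields an empty module path and no type parameters for such names. In `handle_file`, `fs::read_to_string(&path).expect("unable to read file")` panics on a missing or unreadable argument even though the function returns `Result` and `main` already reports errors; `let path_contents = fs::read_to_string(path)?;` routes it through the existing `error processing` message instead. The two `Regex::new` calls at the top of `parse_fn_name` are recompiled for every row that reaches it; hoisting them into `static` `std::sync::LazyLock<Regex>` values is available on this edition and keeps the parsing cost per row. Also, the usage message `unsafe-finder [[prefix]_scan_functions.csv]*` describes `;`-delimited scanner CSV input, whereas the README added in the same commit says the tool parses a Rust file and shows `unsafe-finder rc.rs`; one of the two should be corrected so the documented input matches what the code reads.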