hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 19:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: respond to PR comments

Browse Source
This commit is contained in:
Robert Marsh
2022-08-09 15:25:32 -04:00
parent e4d0e7431c
commit 0ebd7d0de5
2 changed files with 13 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll
View File

@@ -52,10 +52,6 @@ module ProductFlow {
override predicate isSink(DataFlow::Node sink) { override predicate isSink(DataFlow::Node sink) {
exists(Configuration conf | conf.isSinkPair(_, sink)) exists(Configuration conf | conf.isSinkPair(_, sink))
} }
override int explorationLimit() {
result = 10
}
} }
predicate reachablePair1( predicate reachablePair1(
@@ -67,7 +63,7 @@ module ProductFlow {
exists(DataFlow::PathNode mid1 | exists(DataFlow::PathNode mid1 |
reachablePair1(conf, source1, source2, mid1, node2) and reachablePair1(conf, source1, source2, mid1, node2) and
mid1.getASuccessor() = node1 and mid1.getASuccessor() = node1 and
mid1.getNode().getFunction() = node1.getNode().getFunction() mid1.getNode().getEnclosingCallable() = node1.getNode().getEnclosingCallable()
) )
} }
@@ -80,7 +76,7 @@ module ProductFlow {
exists(DataFlow2::PathNode mid2 | exists(DataFlow2::PathNode mid2 |
reachablePair2(conf, source1, source2, node1, mid2) and reachablePair2(conf, source1, source2, node1, mid2) and
mid2.getASuccessor() = node2 and mid2.getASuccessor() = node2 and
mid2.getNode().getFunction() = node2.getNode().getFunction() mid2.getNode().getEnclosingCallable() = node2.getNode().getEnclosingCallable()
) )
} }
@@ -92,10 +88,10 @@ module ProductFlow {
reachablePair2(conf, source1, source2, mid1, mid2) and reachablePair2(conf, source1, source2, mid1, mid2) and
mid1.getASuccessor() = node1 and mid1.getASuccessor() = node1 and
mid2.getASuccessor() = node2 and mid2.getASuccessor() = node2 and
mid1.getNode().getFunction() = funcMid and // TODO: recursive function weirdness? mid1.getNode().getEnclosingCallable() = funcMid and // TODO: recursive function weirdness?
mid2.getNode().getFunction() = funcMid and mid2.getNode().getEnclosingCallable() = funcMid and
node1.getNode().getFunction() = func and node1.getNode().getEnclosingCallable() = func and
node2.getNode().getFunction() = func and node2.getNode().getEnclosingCallable() = func and
funcMid != func funcMid != func
) )
} }

11
cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql
View File

@@ -10,10 +10,10 @@ class StringSizeConfiguration extends ProductFlow::Configuration {
override predicate isSourcePair(DataFlow::Node bufSource, DataFlow::Node sizeSource) { override predicate isSourcePair(DataFlow::Node bufSource, DataFlow::Node sizeSource) {
exists( exists(
GVN sizeGVN // TODO: use-use flow instead of GVN GVN sizeGvn // TODO: use-use flow instead of GVN
| |
bufSource.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGVN.getAnExpr() and bufSource.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGvn.getAnExpr() and
sizeSource.asConvertedExpr() = sizeGVN.getAnExpr() sizeSource.asConvertedExpr() = sizeGvn.getAnExpr()
) )
} }
@@ -26,6 +26,9 @@ class StringSizeConfiguration extends ProductFlow::Configuration {
} }
} }
from StringSizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2, DataFlow::PathNode sink1, DataFlow2::PathNode sink2 // we don't actually check correctness yet. Right now the query just finds relevant source/sink pairs.
from
StringSizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
DataFlow::PathNode sink1, DataFlow2::PathNode sink2
where conf.hasFlowPath(source1, source2, sink1, sink2) where conf.hasFlowPath(source1, source2, sink1, sink2)
select source1, source2, sink1, sink2 select source1, source2, sink1, sink2