C++: Fix join orders in 'DataFlowDispatch.qll' and Ssa.qll.

2026-05-05 05:35:13 +02:00 · 2021-10-20 16:12:55 +01:00
parent 21a1ee7758
commit 2547a8d746
2 changed files with 18 additions and 6 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -63,8 +63,10 @@ private module VirtualDispatch {
      |
        // Call argument
        exists(DataFlowCall call, int i |
-          other.(DataFlow::ParameterNode).isParameterOf(call.getStaticCallTarget(), i) and
-          src.(ArgumentNode).argumentOf(call, i)
+          other
+              .(DataFlow::ParameterNode)
+              .isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
+          src.(ArgumentNode).argumentOf(call, pragma[only_bind_into](pragma[only_bind_out](i)))
        ) and
        allowOtherFromArg = true and
        allowFromArg = true
@@ -128,6 +130,7 @@ private module VirtualDispatch {
   *
   * Used to fix a join ordering issue in flowsFrom.
   */
+  pragma[noinline]
  private predicate returnNodeWithKindAndEnclosingCallable(
    ReturnNode node, ReturnKind kind, DataFlowCallable callable
  ) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll
@@ -436,6 +436,16 @@ private module Cached {
    iTo.(InheritanceConversionInstruction).getUnary() = iFrom
  }

+  pragma[noinline]
+  private predicate callTargetHasInputOutput(
+    CallInstruction call, DataFlow::FunctionInput input, DataFlow::FunctionOutput output
+  ) {
+    exists(DataFlow::DataFlowFunction func |
+      call.getStaticCallTarget() = func and
+      func.hasDataFlow(input, output)
+    )
+  }
+
  private predicate flowOutOfAddressStep(Operand operand, Node nTo) {
    // Flow into a read node
    exists(ReadNode readNode | readNode = nTo |
@@ -500,13 +510,12 @@ private module Cached {
    or
    // Flow through a modelled function that has parameter -> return value flow.
    exists(
-      CallInstruction call, DataFlow::DataFlowFunction func, int index,
-      DataFlow::FunctionInput input, DataFlow::FunctionOutput output
+      CallInstruction call, int index, DataFlow::FunctionInput input,
+      DataFlow::FunctionOutput output
    |
-      call.getStaticCallTarget() = func and
+      callTargetHasInputOutput(call, input, output) and
      call.getArgumentOperand(index) = operand and
      not getSideEffectFor(call, index) instanceof ReadSideEffectInstruction and
-      func.hasDataFlow(input, output) and
      input.isParameter(index) and
      output.isReturnValue() and
      flowOutOfAddressStep(call.getAUse(), nTo)