hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Model implied dataflow

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2021-01-27 16:41:19 +01:00
parent a4d7bfbb2b
commit 32b5c7fe06
2 changed files with 32 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
View File

@@ -920,6 +920,27 @@ private predicate modelFlow(Operand opFrom, Instruction iTo) {
)
)
)
or
impliedModelFlow(opFrom, iTo)
}
/**
* When a `DataFlowFunction` specifies dataflow from a parameter `p` to the return value there should
* also be dataflow from the parameter dereference (i.e., `*p`) to the return value dereference.
*/
private predicate impliedModelFlow(Operand opFrom, Instruction iTo) {
exists(
CallInstruction call, DataFlowFunction func, FunctionInput modelIn, FunctionOutput modelOut,
int index
|
call.getStaticCallTarget() = func and
func.hasDataFlow(modelIn, modelOut)
|
modelIn.isParameterOrQualifierAddress(index) and
modelOut.isReturnValue() and
opFrom = getSideEffectFor(call, index).(ReadSideEffectInstruction).getSideEffectOperand() and
iTo = call // TODO: Add write side effects for return values
)
}
/**

12
cpp/ql/src/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll
View File

@@ -108,6 +108,16 @@ class FunctionInput extends TFunctionInput {
*/
predicate isQualifierAddress() { none() }
/**
* Holds if `i >= 0` and `isParameter(i)` holds for this value, or
* if `i = -1` and `isQualifierAddress()` holds for this value.
*/
final predicate isParameterOrQualifierAddress(ParameterIndex i) {
i >= 0 and this.isParameter(i)
or
i = -1 and this.isQualifierAddress()
}
/**
* Holds if this is the input value pointed to by the return value of a
* function, if the function returns a pointer, or the input value referred
@@ -134,7 +144,7 @@ class FunctionInput extends TFunctionInput {
predicate isReturnValueDeref() { none() }
/**
* Holds if `i >= 0` and `isParameterDeref(i)` holds for this is value, or
* Holds if `i >= 0` and `isParameterDeref(i)` holds for this value, or
* if `i = -1` and `isQualifierObject()` holds for this value.
*/
final predicate isParameterDerefOrQualifierObject(ParameterIndex i) {