Merge pull request #2213 from jbj/BarrierGuard

C++: Implement DataFlow::BarrierGuard for AST+IR
2026-04-26 09:15:12 +02:00 · 2019-11-04 11:08:36 +00:00
parent cc7c30def8 ff62afb575
commit 3e8b28a0a8
10 changed files with 147 additions and 9 deletions
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp
@@ -0,0 +1,68 @@
+int source();
+void sink(int);
+bool guarded(int);
+
+void bg_basic(int source) {
+  if (guarded(source)) {
+    sink(source); // no flow
+  } else {
+    sink(source); // flow
+  }
+}
+
+void bg_not(int source) {
+  if (!guarded(source)) {
+    sink(source); // flow
+  } else {
+    sink(source); // no flow
+  }
+}
+
+void bg_and(int source, bool arbitrary) {
+  if (guarded(source) && arbitrary) {
+    sink(source); // no flow
+  } else {
+    sink(source); // flow
+  }
+}
+
+void bg_or(int source, bool arbitrary) {
+  if (guarded(source) || arbitrary) {
+    sink(source); // flow
+  } else {
+    sink(source); // flow
+  }
+}
+
+void bg_return(int source) {
+  if (!guarded(source)) {
+    return;
+  }
+  sink(source); // no flow
+}
+
+struct XY {
+  int x, y;
+};
+
+void bg_stackstruct(XY s1, XY s2) {
+  s1.x = source();
+  if (guarded(s1.x)) {
+    sink(s1.x); // no flow
+  } else if (guarded(s1.y)) {
+    sink(s1.x); // flow
+  } else if (guarded(s2.y)) {
+    sink(s1.x); // flow
+  }
+}
+
+void bg_structptr(XY *p1, XY *p2) {
+  p1->x = source();
+  if (guarded(p1->x)) {
+    sink(p1->x); // no flow [FALSE POSITIVE in AST]
+  } else if (guarded(p1->y)) {
+    sink(p1->x); // flow [NOT DETECTED in IR]
+  } else if (guarded(p2->x)) {
+    sink(p1->x); // flow [NOT DETECTED in IR]
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/DataflowTestCommon.qll
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/DataflowTestCommon.qll
@@ -1,6 +1,20 @@
 import cpp
 import semmle.code.cpp.dataflow.DataFlow

+/**
+ * A `BarrierGuard` that stops flow to all occurrences of `x` within statement
+ * S in `if (guarded(x)) S`.
+ */
+// This is tested in `BarrierGuard.cpp`.
+class TestBarrierGuard extends DataFlow::BarrierGuard {
+  TestBarrierGuard() { this.(FunctionCall).getTarget().getName() = "guarded" }
+
+  override predicate checks(Expr checked, boolean isTrue) {
+    checked = this.(FunctionCall).getArgument(0) and
+    isTrue = true
+  }
+}
+
 /** Common data flow configuration to be used by tests. */
 class TestAllocationConfig extends DataFlow::Configuration {
  TestAllocationConfig() { this = "TestAllocationConfig" }
@@ -26,4 +40,6 @@ class TestAllocationConfig extends DataFlow::Configuration {
  override predicate isBarrier(DataFlow::Node barrier) {
    barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
  }
+
+  override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
 }
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll
@@ -1,5 +1,20 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.DataFlow
+import semmle.code.cpp.ir.IR
+
+/**
+ * A `BarrierGuard` that stops flow to all occurrences of `x` within statement
+ * S in `if (guarded(x)) S`.
+ */
+// This is tested in `BarrierGuard.cpp`.
+class TestBarrierGuard extends DataFlow::BarrierGuard {
+  TestBarrierGuard() { this.(CallInstruction).getStaticCallTarget().getName() = "guarded" }
+
+  override predicate checks(Instruction checked, boolean isTrue) {
+    checked = this.(CallInstruction).getPositionalArgument(0) and
+    isTrue = true
+  }
+}

 /** Common data flow configuration to be used by tests. */
 class TestAllocationConfig extends DataFlow::Configuration {
@@ -24,4 +39,6 @@ class TestAllocationConfig extends DataFlow::Configuration {
  override predicate isBarrier(DataFlow::Node barrier) {
    barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
  }
+
+  override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
 }
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
@@ -1,3 +1,13 @@
+| BarrierGuard.cpp:9:10:9:15 | source | BarrierGuard.cpp:5:19:5:24 | source |
+| BarrierGuard.cpp:15:10:15:15 | source | BarrierGuard.cpp:13:17:13:22 | source |
+| BarrierGuard.cpp:25:10:25:15 | source | BarrierGuard.cpp:21:17:21:22 | source |
+| BarrierGuard.cpp:31:10:31:15 | source | BarrierGuard.cpp:29:16:29:21 | source |
+| BarrierGuard.cpp:33:10:33:15 | source | BarrierGuard.cpp:29:16:29:21 | source |
+| BarrierGuard.cpp:53:13:53:13 | x | BarrierGuard.cpp:49:10:49:15 | call to source |
+| BarrierGuard.cpp:55:13:55:13 | x | BarrierGuard.cpp:49:10:49:15 | call to source |
+| BarrierGuard.cpp:62:14:62:14 | x | BarrierGuard.cpp:60:11:60:16 | call to source |
+| BarrierGuard.cpp:64:14:64:14 | x | BarrierGuard.cpp:60:11:60:16 | call to source |
+| BarrierGuard.cpp:66:14:66:14 | x | BarrierGuard.cpp:60:11:60:16 | call to source |
 | acrossLinkTargets.cpp:12:8:12:8 | x | acrossLinkTargets.cpp:19:27:19:32 | call to source |
 | clang.cpp:18:8:18:19 | sourceArray1 | clang.cpp:12:9:12:20 | sourceArray1 |
 | clang.cpp:22:8:22:20 | & ... | clang.cpp:12:9:12:20 | sourceArray1 |
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
@@ -1,3 +1,6 @@
+| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:62:14:62:14 | AST only |
+| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:64:14:64:14 | AST only |
+| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:66:14:66:14 | AST only |
 | clang.cpp:12:9:12:20 | clang.cpp:22:8:22:20 | AST only |
 | clang.cpp:28:27:28:32 | clang.cpp:29:27:29:28 | AST only |
 | clang.cpp:28:27:28:32 | clang.cpp:30:27:30:34 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected
@@ -1,3 +1,10 @@
+| BarrierGuard.cpp:9:10:9:15 | Load: source | BarrierGuard.cpp:5:19:5:24 | InitializeParameter: source |
+| BarrierGuard.cpp:15:10:15:15 | Load: source | BarrierGuard.cpp:13:17:13:22 | InitializeParameter: source |
+| BarrierGuard.cpp:25:10:25:15 | Load: source | BarrierGuard.cpp:21:17:21:22 | InitializeParameter: source |
+| BarrierGuard.cpp:31:10:31:15 | Load: source | BarrierGuard.cpp:29:16:29:21 | InitializeParameter: source |
+| BarrierGuard.cpp:33:10:33:15 | Load: source | BarrierGuard.cpp:29:16:29:21 | InitializeParameter: source |
+| BarrierGuard.cpp:53:13:53:13 | Load: x | BarrierGuard.cpp:49:10:49:15 | Call: call to source |
+| BarrierGuard.cpp:55:13:55:13 | Load: x | BarrierGuard.cpp:49:10:49:15 | Call: call to source |
 | acrossLinkTargets.cpp:12:8:12:8 | Convert: (int)... | acrossLinkTargets.cpp:19:27:19:32 | Call: call to source |
 | acrossLinkTargets.cpp:12:8:12:8 | Load: x | acrossLinkTargets.cpp:19:27:19:32 | Call: call to source |
 | clang.cpp:18:8:18:19 | Convert: (const int *)... | clang.cpp:12:9:12:20 | InitializeParameter: sourceArray1 |