From b290c7b47a23257919a3124a0dbea73a2f3e1ebb Mon Sep 17 00:00:00 2001
From: Jonas Jensen
Date: Fri, 24 Jan 2020 15:51:33 +0100
Subject: [PATCH 1/2] C++: Model that string functions read their buffer

---
 cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
index 9a1a24a6192..f25aed49d23 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
@@ -83,6 +83,11 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideE
   override predicate hasOnlySpecificReadSideEffects() { none() }

   override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    getParameter(i).getUnspecifiedType() instanceof PointerType and
+    buffer = true
+  }
 }
 
 class PureFunction extends TaintFunction, SideEffectFunction {

From fb6ad5274f2438a5973e05e65409e4bd19c8ad3d Mon Sep 17 00:00:00 2001
From: Jonas Jensen
Date: Fri, 24 Jan 2020 22:28:20 +0100
Subject: [PATCH 2/2] C++: Accept test changes

---
 .../library-tests/ir/ssa/aliased_ssa_ir.expected | 15 +++++++++------
 .../ir/ssa/unaliased_ssa_ir.expected | 15 +++++++++------
 .../library-tests/syntax-zoo/raw_sanity.expected | 2 +-
 3 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
index 602cc6035b2..413384da8fe 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
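Review bot: The new `hasSpecificReadSideEffect` override has no QLDoc, and the hunk does not say why `hasOnlySpecificReadSideEffects()` stays `none()` next to it, so a call to one of these functions now gets both a `^CallReadSideEffect` and a per-argument `^BufferReadSideEffect` (the accepted IR output in the second patch shows exactly that). If the unspecific read is kept deliberately, for example for global state the string functions may consult, that reason belongs in a comment; if the buffer reads are meant to be the complete model, the predicate should presumably become `any()` so the redundant unmodeled read disappears. The override also treats every pointer-typed parameter as a buffer read of unbounded length (`buffer = true`), which is the conservative choice for these string functions but is worth stating, e.g. `/** Every pointer parameter of a pure string function is read as a buffer; no length parameter bounds the read, so `buffer = true`. */`. The enclosing class `PureStrFunction` begins before this hunk.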
@@ -850,23 +850,26 @@ ssa.cpp:
 # 199| r199_8(char *) = Convert : r199_7
 # 199| r199_9(int) = Call : func:r199_2, 0:r199_5, 1:r199_8
 # 199| v199_10(void) = ^CallReadSideEffect : ~m198_13
-# 199| m199_11(int) = Store : &:r199_1, r199_9
+# 199| v199_11(void) = ^BufferReadSideEffect[0] : &:r199_5, ~m198_13
+# 199| v199_12(void) = ^BufferReadSideEffect[1] : &:r199_8, ~m198_13
+# 199| m199_13(int) = Store : &:r199_1, r199_9
 # 200| r200_1(glval) = FunctionAddress[strlen] :
 # 200| r200_2(glval) = VariableAddress[str1] :
 # 200| r200_3(char *) = Load : &:r200_2, m198_5
 # 200| r200_4(char *) = Convert : r200_3
 # 200| r200_5(int) = Call : func:r200_1, 0:r200_4
 # 200| v200_6(void) = ^CallReadSideEffect : ~m198_13
-# 200| r200_7(glval) = VariableAddress[ret] :
-# 200| r200_8(int) = Load : &:r200_7, m199_11
-# 200| r200_9(int) = Add : r200_8, r200_5
-# 200| m200_10(int) = Store : &:r200_7, r200_9
+# 200| v200_7(void) = ^BufferReadSideEffect[0] : &:r200_4, ~m198_13
+# 200| r200_8(glval) = VariableAddress[ret] :
+# 200| r200_9(int) = Load : &:r200_8, m199_13
+# 200| r200_10(int) = Add : r200_9, r200_5
+# 200| m200_11(int) = Store : &:r200_8, r200_10
 # 201| r201_1(glval) = FunctionAddress[abs] :
 # 201| r201_2(glval) = VariableAddress[x] :
 # 201| r201_3(int) = Load : &:r201_2, m198_15
 # 201| r201_4(int) = Call : func:r201_1, 0:r201_3
 # 201| r201_5(glval) = VariableAddress[ret] :
-# 201| r201_6(int) = Load : &:r201_5, m200_10
+# 201| r201_6(int) = Load : &:r201_5, m200_11
 # 201| r201_7(int) = Add : r201_6, r201_4
 # 201| m201_8(int) = Store : &:r201_5, r201_7
 # 202| r202_1(glval) = VariableAddress[#return] :
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
index 5ea397b91dc..83021d91c9c 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
@@ -808,23 +808,26 @@ ssa.cpp:
 # 199| r199_8(char *) = Convert : r199_7
 # 199| r199_9(int) = Call : func:r199_2, 0:r199_5, 1:r199_8
 # 199| v199_10(void) = ^CallReadSideEffect : ~mu198_3
-# 199| m199_11(int) = Store : &:r199_1, r199_9
+# 199| v199_11(void) = ^BufferReadSideEffect[0] : &:r199_5, ~mu198_3
+# 199| v199_12(void) = ^BufferReadSideEffect[1] : &:r199_8, ~mu198_3
+# 199| m199_13(int) = Store : &:r199_1, r199_9
 # 200| r200_1(glval) = FunctionAddress[strlen] :
 # 200| r200_2(glval) = VariableAddress[str1] :
 # 200| r200_3(char *) = Load : &:r200_2, m198_5
 # 200| r200_4(char *) = Convert : r200_3
 # 200| r200_5(int) = Call : func:r200_1, 0:r200_4
 # 200| v200_6(void) = ^CallReadSideEffect : ~mu198_3
-# 200| r200_7(glval) = VariableAddress[ret] :
-# 200| r200_8(int) = Load : &:r200_7, m199_11
-# 200| r200_9(int) = Add : r200_8, r200_5
-# 200| m200_10(int) = Store : &:r200_7, r200_9
+# 200| v200_7(void) = ^BufferReadSideEffect[0] : &:r200_4, ~mu198_3
+# 200| r200_8(glval) = VariableAddress[ret] :
+# 200| r200_9(int) = Load : &:r200_8, m199_13
+# 200| r200_10(int) = Add : r200_9, r200_5
+# 200| m200_11(int) = Store : &:r200_8, r200_10
 # 201| r201_1(glval) = FunctionAddress[abs] :
 # 201| r201_2(glval) = VariableAddress[x] :
 # 201| r201_3(int) = Load : &:r201_2, m198_13
 # 201| r201_4(int) = Call : func:r201_1, 0:r201_3
 # 201| r201_5(glval) = VariableAddress[ret] :
-# 201| r201_6(int) = Load : &:r201_5, m200_10
+# 201| r201_6(int) = Load : &:r201_5, m200_11
 # 201| r201_7(int) = Add : r201_6, r201_4
 # 201| m201_8(int) = Store : &:r201_5, r201_7
 # 202| r202_1(glval) = VariableAddress[#return] :
diff --git a/cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected b/cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected
index 966813efe96..80da8a79ced 100644
--- a/cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected
@@ -108,7 +108,7 @@ instructionWithoutSuccessor
 | stmt_in_type.cpp:5:53:5:53 | Constant: 1 |
 | vla.c:5:9:5:14 | Uninitialized: definition of matrix |
 | vla.c:5:16:5:19 | Load: argc |
-| vla.c:5:22:5:25 | CallReadSideEffect: call to atoi |
+| vla.c:5:27:5:33 | BufferReadSideEffect: (const char *)... |
 | vla.c:11:6:11:16 | UnmodeledDefinition: vla_typedef |
 | vla.c:12:33:12:44 | Add: ... + ... |
 | vla.c:12:50:12:62 | Mul: ... * ... |