C++: Sort out the localFlow / simpleLocalFlow confusion (and the same for taint).

2026-05-03 04:39:29 +02:00 · 2024-03-27 15:18:13 +00:00
parent 8fbbc2b6d8
commit 507ada1951
2 changed files with 25 additions and 11 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -1962,10 +1962,20 @@ cached
 private module Cached {
  /**
   * Holds if data flows from `nodeFrom` to `nodeTo` in exactly one local
-   * (intra-procedural) step.
+   * (intra-procedural) step. This relation is only used for local dataflow
+   * (for example `DataFlow::localFlow(source, sink)`) so it contains
+   * special cases that should only apply to local dataflow.
   */
  cached
-  predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFrom, nodeTo) }
+  predicate localFlowStep(Node nodeFrom, Node nodeTo) {
+    // common dataflow steps
+    simpleLocalFlowStep(nodeFrom, nodeTo)
+    or
+    // models-as-data summarized flow for local data flow (i.e. special case for flow
+    // through calls to modelled functions, without relying on global dataflow to join
+    // the dots).
+    FlowSummaryImpl::Private::Steps::summaryThroughStepValue(nodeFrom, nodeTo, _)
+ }

  private predicate indirectionOperandFlow(RawIndirectOperand nodeFrom, Node nodeTo) {
    nodeFrom != nodeTo and
@@ -2031,8 +2041,9 @@ private module Cached {
  /**
   * INTERNAL: do not use.
   *
-   * This is the local flow predicate that's used as a building block in global
-   * data flow. It may have less flow than the `localFlowStep` predicate.
+   * This is the local flow predicate that's used as a building block in both
+   * local and global data flow. It may have less flow than the `localFlowStep`
+   * predicate.
   */
  cached
  predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
@@ -2072,11 +2083,8 @@ private module Cached {
    reverseFlow(nodeFrom, nodeTo)
    or
    // models-as-data summarized flow
-    FlowSummaryImpl::Private::Steps::summaryThroughStepValue(nodeFrom, nodeTo, _)
-    or
    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
      nodeTo.(FlowSummaryNode).getSummaryNode(), true)
-    // TODO: should these really be in the same place?
  }

  private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -10,12 +10,21 @@ private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryI

 /**
 * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
- * (intra-procedural) step.
+ * (intra-procedural) step. This relation is only used for local taint flow
+ * (for example `TaintTracking::localTaint(source, sink)`) so it may contain
+ * special cases that should only apply to local taint flow.
 */
 predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  // dataflow step
  DataFlow::localFlowStep(nodeFrom, nodeTo)
  or
+  // taint flow step
  localAdditionalTaintStep(nodeFrom, nodeTo)
+  or
+  // models-as-data summarized flow for local data flow (i.e. special case for flow
+  // through calls to modelled functions, without relying on global dataflow to join
+  // the dots).
+  FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(nodeFrom, nodeTo, _)
 }

 /**
@@ -40,11 +49,8 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
  any(Ssa::Indirection ind).isAdditionalTaintStep(nodeFrom, nodeTo)
  or
  // models-as-data summarized flow
-  FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(nodeFrom, nodeTo, _)
-  or
  FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
    nodeTo.(FlowSummaryNode).getSummaryNode(), false)
-  // TODO: should these really be in the same place?
 }

 /**