C++: Add a 'allowInterproceduralFlow' predicate to the 'MustFlow' library to and use it instead of checking the enclosing callables after computing the dataflow graph.

2026-04-20 22:44:52 +02:00 · 2022-08-02 13:43:01 +01:00
parent b906c1a6b7
commit 5181cc1295
3 changed files with 32 additions and 18 deletions
--- a/Management/ReturnStackAllocatedMemory.ql
+++ b/Management/ReturnStackAllocatedMemory.ql
@@ -52,6 +52,18 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
    )
  }

+  //  We disable flow into callables in this query as we'd otherwise get a result on this piece of code:
+  //   ```cpp
+  //  int* id(int* px) {
+  //   return px; // this returns the local variable `x`, but it's fine as the local variable isn't declared in this scope.
+  //  }
+  //  void f() {
+  //   int x;
+  //   int* px = id(&x);
+  //  }
+  //   ```
+  override predicate allowInterproceduralFlow() { none() }
+
  /**
   * This configuration intentionally conflates addresses of fields and their object, and pointer offsets
   * with their base pointer as this allows us to detect cases where an object's address flows to a
@@ -77,9 +89,6 @@ from
  ReturnStackAllocatedMemoryConfig conf
 where
  conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
-  source.getNode().asInstruction() = var and
-  // Only raise an alert if we're returning from the _same_ callable as the on that
-  // declared the stack variable.
-  var.getEnclosingFunction() = sink.getNode().getEnclosingCallable()
+  source.getNode().asInstruction() = var
 select sink.getNode(), source, sink, "May return stack-allocated memory from $@.", var.getAst(),
  var.getAst().toString()