C++: Only allow flow through non-conflated chi instructions

Mathias Vorreiter Pedersen
2020-03-27 13:37:17 +01:00
parent 580310f321
commit 5ba5791ec6
2 changed files with 1 additions and 17 deletions


@@ -219,7 +219,7 @@ abstract class PostUpdateNode extends InstructionNode {
abstract private class PartialDefinitionNode extends PostUpdateNode, TInstructionNode {
final Instruction getInstructionOrChi() {
exists(ChiInstruction chi |
// TODO: This should be a non-conflated ChiInstruction once #3123 is merged
not chi.isResultConflated() and
chi.getPartial() = getInstruction() and
result = chi
)
@@ -356,7 +356,6 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
simpleInstructionLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asInstruction())
or
exists(LoadInstruction load |
// TODO: These can probably be getSourceValue() after #3112 is merged
load.getSourceValueOperand().getAnyDef() =
nodeFrom.(PartialDefinitionNode).getInstructionOrChi() and
nodeTo.asInstruction() = load.getSourceAddress().(FieldAddressInstruction).getObjectAddress()
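Review bot: The `not chi.isResultConflated() and` conjunct in `getInstructionOrChi` (apparently the one added line) has no comment, and the TODO it replaces was the only hint at why the chi is restricted. A line such as `// A conflated chi result may cover unrelated memory, so it is not used as the value of this partial definition` would record the intent for the next reader. The expected-results section of this same commit drops the A.cpp:126 `new` to A.cpp:132 `c` path. If that was a genuine flow, it should be annotated in the test source as a known missing result, so the lost coverage stays visible to anyone relying on this library for taint queries. The predicate's body continues outside the hunk, so any fallback branch is not visible here.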


@@ -1,10 +1,4 @@
edges
| A.cpp:126:5:126:5 | IndirectMayWriteSideEffect [c] : void | A.cpp:131:8:131:8 | BufferMayWriteSideEffect [c] : void |
| A.cpp:126:12:126:18 | new : void | A.cpp:126:5:126:5 | IndirectMayWriteSideEffect [c] : void |
| A.cpp:131:8:131:8 | BufferMayWriteSideEffect [c] : void | A.cpp:132:10:132:10 | b [c] : void |
| A.cpp:132:10:132:10 | b [c] : void | A.cpp:132:13:132:13 | c |
| A.cpp:132:10:132:10 | b [c] : void | A.cpp:132:13:132:13 | c : void |
| A.cpp:132:13:132:13 | c : void | A.cpp:132:10:132:13 | (void *)... |
| aliasing.cpp:9:3:9:22 | Store : void | aliasing.cpp:9:3:9:22 | Store [m1] : void |
| aliasing.cpp:9:3:9:22 | Store [m1] : void | aliasing.cpp:25:17:25:19 | BufferMayWriteSideEffect [m1] : void |
| aliasing.cpp:9:11:9:20 | call to user_input : void | aliasing.cpp:9:3:9:22 | Store : void |
@@ -58,13 +52,6 @@ edges
| struct_init.c:27:7:27:16 | call to user_input : void | struct_init.c:31:23:31:23 | a |
| struct_init.c:31:14:31:21 | nestedAB [a] : void | struct_init.c:31:23:31:23 | a |
nodes
| A.cpp:126:5:126:5 | IndirectMayWriteSideEffect [c] : void | semmle.label | IndirectMayWriteSideEffect [c] : void |
| A.cpp:126:12:126:18 | new : void | semmle.label | new : void |
| A.cpp:131:8:131:8 | BufferMayWriteSideEffect [c] : void | semmle.label | BufferMayWriteSideEffect [c] : void |
| A.cpp:132:10:132:10 | b [c] : void | semmle.label | b [c] : void |
| A.cpp:132:10:132:13 | (void *)... | semmle.label | (void *)... |
| A.cpp:132:13:132:13 | c | semmle.label | c |
| A.cpp:132:13:132:13 | c : void | semmle.label | c : void |
| aliasing.cpp:9:3:9:22 | Store : void | semmle.label | Store : void |
| aliasing.cpp:9:3:9:22 | Store [m1] : void | semmle.label | Store [m1] : void |
| aliasing.cpp:9:11:9:20 | call to user_input : void | semmle.label | call to user_input : void |
@@ -113,8 +100,6 @@ nodes
| struct_init.c:31:14:31:21 | nestedAB [a] : void | semmle.label | nestedAB [a] : void |
| struct_init.c:31:23:31:23 | a | semmle.label | a |
#select
| A.cpp:132:10:132:13 | (void *)... | A.cpp:126:12:126:18 | new : void | A.cpp:132:10:132:13 | (void *)... | (void *)... flows from $@ | A.cpp:126:12:126:18 | new : void | new : void |
| A.cpp:132:13:132:13 | c | A.cpp:126:12:126:18 | new : void | A.cpp:132:13:132:13 | c | c flows from $@ | A.cpp:126:12:126:18 | new : void | new : void |
| aliasing.cpp:29:11:29:12 | m1 | aliasing.cpp:9:11:9:20 | call to user_input : void | aliasing.cpp:29:11:29:12 | m1 | m1 flows from $@ | aliasing.cpp:9:11:9:20 | call to user_input : void | call to user_input : void |
| aliasing.cpp:30:11:30:12 | m1 | aliasing.cpp:13:10:13:19 | call to user_input : void | aliasing.cpp:30:11:30:12 | m1 | m1 flows from $@ | aliasing.cpp:13:10:13:19 | call to user_input : void | call to user_input : void |
| aliasing.cpp:38:11:38:12 | m1 | aliasing.cpp:37:13:37:22 | call to user_input : void | aliasing.cpp:38:11:38:12 | m1 | m1 flows from $@ | aliasing.cpp:37:13:37:22 | call to user_input : void | call to user_input : void |