hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: IR data flow through total chi operands

Browse Source
This commit is contained in:
Jonas Jensen
2019-12-27 11:28:04 +01:00
parent 64c79bf9e1
commit 618bf2e29e
3 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
View File

@@ -265,7 +265,21 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction
iTo.(PhiInstruction).getAnOperand().getDef() = iFrom or
// Treat all conversions as flow, even conversions between different numeric types.
iTo.(ConvertInstruction).getUnary() = iFrom or
iTo.(InheritanceConversionInstruction).getUnary() = iFrom
iTo.(InheritanceConversionInstruction).getUnary() = iFrom or
// A chi instruction represents a point where a new value (the _partial_
// operand) may overwrite an old value (the _total_ operand), but the alias
// analysis couldn't determine that it surely will overwrite every bit of it or
// that it surely will overwrite no bit of it.
//
// By allowing flow through the total operand, we ensure that flow is not lost
// due to shortcomings of the alias analysis. We may get false flow in cases
// where the data is indeed overwritten.
//
// Allowing flow through the partial operand would be more noisy, especially
// for variables that have escaped: for soundness, the IR has to assume that
// every write to an unknown address can affect every escaped variable, and
// this assumption shows up as data flowing through partial chi operands.
iTo.getAnOperand().(ChiTotalOperand).getDef() = iFrom
}
/**

1
cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
View File

@@ -22,6 +22,5 @@
| taint.cpp:250:8:250:8 | taint.cpp:223:10:223:15 | AST only |
| taint.cpp:256:8:256:8 | taint.cpp:223:10:223:15 | AST only |
| taint.cpp:261:7:261:7 | taint.cpp:258:7:258:12 | AST only |
| taint.cpp:350:7:350:7 | taint.cpp:330:6:330:11 | AST only |
| taint.cpp:351:7:351:7 | taint.cpp:330:6:330:11 | AST only |
| taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only |

1
cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
View File

@@ -14,3 +14,4 @@
| taint.cpp:290:7:290:7 | x | taint.cpp:275:6:275:11 | call to source |
| taint.cpp:291:7:291:7 | y | taint.cpp:275:6:275:11 | call to source |
| taint.cpp:337:7:337:7 | t | taint.cpp:330:6:330:11 | call to source |
| taint.cpp:350:7:350:7 | t | taint.cpp:330:6:330:11 | call to source |