hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix pointer content store step for write to field of pointer dereference

Browse Source
This commit is contained in:
Owen Mansel-Chan
2025-09-26 15:27:58 +01:00
parent 2ffb638b7e
commit 6fcd35885e
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
View File

@@ -164,15 +164,17 @@ predicate jumpStep(Node n1, Node n2) {
*/ */
predicate storeStep(Node node1, ContentSet cs, Node node2) { predicate storeStep(Node node1, ContentSet cs, Node node2) {
exists(Content c | cs.asOneContent() = c | exists(Content c | cs.asOneContent() = c |
// a write `(*p).f = rhs` is modeled as two store steps: `rhs` is flows into field `f` of `(*p)`, // a write `(*p).f = rhs` is modeled as two store steps: `rhs` is flows into field `f` of the
// which in turn flows into the pointer content of `p` // post-update node of `(*p)`, which in turn flows into the pointer content of the post-update
// node of `p`
exists(Write w, Field f, DataFlow::Node base, DataFlow::Node rhs | w.writesField(base, f, rhs) | exists(Write w, Field f, DataFlow::Node base, DataFlow::Node rhs | w.writesField(base, f, rhs) |
node1 = rhs and node1 = rhs and
node2 = base and node2 = base and
c = any(DataFlow::FieldContent fc | fc.getField() = f) c = any(DataFlow::FieldContent fc | fc.getField() = f)
or or
node1 = base and node1 = base and
node2.(PostUpdateNode).getPreUpdateNode() = node1.(PointerDereferenceNode).getOperand() and node2.(PostUpdateNode).getPreUpdateNode() =
node1.(PostUpdateNode).getPreUpdateNode().(PointerDereferenceNode).getOperand() and
c = any(DataFlow::PointerContent pc | pc.getPointerType() = node2.getType()) c = any(DataFlow::PointerContent pc | pc.getPointerType() = node2.getType())
) )
or or