Merge pull request #3097 from jbj/detect-conflated-memory

C++: Implement Instruction.isResultConflated
2026-04-27 09:45:15 +02:00 · 2020-03-26 14:52:47 -04:00
parent 0f70da2258 2b2667aef7
commit 7879dde8b8
38 changed files with 630 additions and 74 deletions
--- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll
+++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll
@@ -274,6 +274,36 @@ module InstructionSanity {
    funcText = Language::getIdentityString(func.getFunction())
  }

+  /**
+   * Holds if `instr` is on the chain of chi/phi instructions for all aliased
+   * memory.
+   */
+  private predicate isOnAliasedDefinitionChain(Instruction instr) {
+    instr instanceof AliasedDefinitionInstruction
+    or
+    isOnAliasedDefinitionChain(instr.(ChiInstruction).getTotal())
+    or
+    isOnAliasedDefinitionChain(instr.(PhiInstruction).getAnInputOperand().getAnyDef())
+  }
+
+  private predicate shouldBeConflated(Instruction instr) {
+    isOnAliasedDefinitionChain(instr)
+    or
+    instr instanceof UnmodeledDefinitionInstruction
+    or
+    instr.getOpcode() instanceof Opcode::InitializeNonLocal
+  }
+
+  query predicate notMarkedAsConflated(Instruction instr) {
+    shouldBeConflated(instr) and
+    not instr.isResultConflated()
+  }
+
+  query predicate wronglyMarkedAsConflated(Instruction instr) {
+    instr.isResultConflated() and
+    not shouldBeConflated(instr)
+  }
+
  query predicate invalidOverlap(
    MemoryOperand useOperand, string message, IRFunction func, string funcText
  ) {
--- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll
+++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll
@@ -338,6 +338,17 @@ class Instruction extends Construction::TInstruction {
    Construction::hasModeledMemoryResult(this)
  }

+  /**
+   * Holds if this is an instruction with a memory result that represents a
+   * conflation of more than one memory allocation.
+   *
+   * This happens in practice when dereferencing a pointer that cannot be
+   * tracked back to a single local allocation. Such memory is instead modeled
+   * as originating on the `AliasedDefinitionInstruction` at the entry of the
+   * function.
+   */
+  final predicate isResultConflated() { Construction::hasConflatedMemoryResult(this) }
+
  /**
   * Gets the successor of this instruction along the control flow edge
   * specified by `kind`.
--- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRConstruction.qll
+++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRConstruction.qll
@@ -69,6 +69,15 @@ private module Cached {
  cached
  predicate hasModeledMemoryResult(Instruction instruction) { none() }

+  cached
+  predicate hasConflatedMemoryResult(Instruction instruction) {
+    instruction instanceof UnmodeledDefinitionInstruction
+    or
+    instruction instanceof AliasedDefinitionInstruction
+    or
+    instruction.getOpcode() instanceof Opcode::InitializeNonLocal
+  }
+
  cached
  Expr getInstructionConvertedResultExpression(Instruction instruction) {
    exists(TranslatedExpr translatedExpr |
--- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll
+++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll
@@ -274,6 +274,36 @@ module InstructionSanity {
    funcText = Language::getIdentityString(func.getFunction())
  }

+  /**
+   * Holds if `instr` is on the chain of chi/phi instructions for all aliased
+   * memory.
+   */
+  private predicate isOnAliasedDefinitionChain(Instruction instr) {
+    instr instanceof AliasedDefinitionInstruction
+    or
+    isOnAliasedDefinitionChain(instr.(ChiInstruction).getTotal())
+    or
+    isOnAliasedDefinitionChain(instr.(PhiInstruction).getAnInputOperand().getAnyDef())
+  }
+
+  private predicate shouldBeConflated(Instruction instr) {
+    isOnAliasedDefinitionChain(instr)
+    or
+    instr instanceof UnmodeledDefinitionInstruction
+    or
+    instr.getOpcode() instanceof Opcode::InitializeNonLocal
+  }
+
+  query predicate notMarkedAsConflated(Instruction instr) {
+    shouldBeConflated(instr) and
+    not instr.isResultConflated()
+  }
+
+  query predicate wronglyMarkedAsConflated(Instruction instr) {
+    instr.isResultConflated() and
+    not shouldBeConflated(instr)
+  }
+
  query predicate invalidOverlap(
    MemoryOperand useOperand, string message, IRFunction func, string funcText
  ) {
--- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -338,6 +338,17 @@ class Instruction extends Construction::TInstruction {
    Construction::hasModeledMemoryResult(this)
  }

+  /**
+   * Holds if this is an instruction with a memory result that represents a
+   * conflation of more than one memory allocation.
+   *
+   * This happens in practice when dereferencing a pointer that cannot be
+   * tracked back to a single local allocation. Such memory is instead modeled
+   * as originating on the `AliasedDefinitionInstruction` at the entry of the
+   * function.
+   */
+  final predicate isResultConflated() { Construction::hasConflatedMemoryResult(this) }
+
  /**
   * Gets the successor of this instruction along the control flow edge
   * specified by `kind`.
--- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -65,6 +65,29 @@ private module Cached {
    instruction instanceof ChiInstruction // Chis always have modeled results
  }

+  cached
+  predicate hasConflatedMemoryResult(Instruction instruction) {
+    instruction instanceof UnmodeledDefinitionInstruction
+    or
+    instruction instanceof AliasedDefinitionInstruction
+    or
+    instruction.getOpcode() instanceof Opcode::InitializeNonLocal
+    or
+    // Chi instructions track virtual variables, and therefore a chi instruction is
+    // conflated if it's associated with the aliased virtual variable.
+    exists(OldInstruction oldInstruction | instruction = Chi(oldInstruction) |
+      Alias::getResultMemoryLocation(oldInstruction).getVirtualVariable() instanceof
+        Alias::AliasedVirtualVariable
+    )
+    or
+    // Phi instructions track locations, and therefore a phi instruction is
+    // conflated if it's associated with a conflated location.
+    exists(Alias::MemoryLocation location |
+      instruction = Phi(_, location) and
+      not exists(location.getAllocation())
+    )
+  }
+
  cached
  Instruction getRegisterOperandDefinition(Instruction instruction, RegisterOperandTag tag) {
    exists(OldInstruction oldInstruction, OldIR::RegisterOperand oldOperand |
--- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
+++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
@@ -61,6 +61,11 @@ class MemoryLocation extends TMemoryLocation {

 class VirtualVariable extends MemoryLocation { }

+/** A virtual variable that groups all escaped memory within a function. */
+class AliasedVirtualVariable extends VirtualVariable {
+  AliasedVirtualVariable() { none() }
+}
+
 Overlap getOverlap(MemoryLocation def, MemoryLocation use) {
  def = use and result instanceof MustExactlyOverlap
  or
--- a/csharp/ql/test/library-tests/ir/ir/raw_ir_sanity.expected
+++ b/csharp/ql/test/library-tests/ir/ir/raw_ir_sanity.expected
@@ -16,6 +16,8 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
 invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
--- a/csharp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected
+++ b/csharp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected
@@ -16,6 +16,8 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
 invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes