C++: add indexes for specific side effects

2025-12-21 03:06:31 +01:00 · 2019-09-17 16:41:23 -07:00
parent 24574be007
commit 8649978a43
18 changed files with 966 additions and 784 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -644,6 +644,17 @@ class ConstantValueInstruction extends Instruction {
  final string getValue() { result = value }
 }

+class IndexedInstruction extends Instruction {
+  int index;
+
+  IndexedInstruction() { index = Construction::getInstructionIndex(this) }
+  
+
+  final override string getImmediateString() { result = index.toString() }
+
+  final int getIndex() { result = index }
+}
+
 class EnterFunctionInstruction extends Instruction {
  EnterFunctionInstruction() { getOpcode() instanceof Opcode::EnterFunction }
 }
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -342,6 +342,11 @@ private module Cached {
    result = getOldInstruction(instruction).(OldIR::FieldInstruction).getField()
  }

+  cached
+  int getInstructionIndex(Instruction instruction) {
+    result = getOldInstruction(instruction).(OldIR::IndexedInstruction).getIndex()
+  }
+
  cached
  Function getInstructionFunction(Instruction instruction) {
    result = getOldInstruction(instruction).(OldIR::FunctionInstruction).getFunctionSymbol()
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll
@@ -72,6 +72,8 @@ class BufferSizeOperandTag extends RegisterOperandTag, TBufferSizeOperand {
  final override int getSortOrder() { result = 1 }
 }

+BufferSizeOperandTag bufferSizeOperand() { result = TBufferSizeOperand() }
+
 /**
 * The operand representing the read side effect of a `SideEffectInstruction`.
 */
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -644,6 +644,17 @@ class ConstantValueInstruction extends Instruction {
  final string getValue() { result = value }
 }

+class IndexedInstruction extends Instruction {
+  int index;
+
+  IndexedInstruction() { index = Construction::getInstructionIndex(this) }
+  
+
+  final override string getImmediateString() { result = index.toString() }
+
+  final int getIndex() { result = index }
+}
+
 class EnterFunctionInstruction extends Instruction {
  EnterFunctionInstruction() { getOpcode() instanceof Opcode::EnterFunction }
 }
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
@@ -259,6 +259,14 @@ private module Cached {
          .getInstructionConstantValue(getInstructionTag(instruction))
  }

+  cached
+  int getInstructionIndex(Instruction instruction) {
+    exists(TranslatedElement element, InstructionTag tag |
+      instructionOrigin(instruction, element, tag) and
+      result = element.getInstructionIndex(tag)
+    )
+  }
+
  cached
  StringLiteral getInstructionStringLiteral(Instruction instruction) {
    result = getInstructionTranslatedElement(instruction)
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -456,6 +456,12 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
    operandTag instanceof SideEffectOperandTag and
    call.getTarget().(SideEffectFunction).hasSpecificReadSideEffect(index, _) and
    result = getEnclosingFunction().getUnmodeledDefinitionInstruction()
+    or
+    tag instanceof OnlyInstructionTag and
+    operandTag instanceof BufferSizeOperandTag and
+    result = getTranslatedExpr(call
+            .getArgument(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index)).getFullyConverted())
+          .getResult()
  }

  override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) {
@@ -471,15 +477,26 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff

  predicate hasSpecificWriteSideEffect(Opcode op) {
    exists(boolean buffer, boolean mustWrite |
-      call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(index, buffer, mustWrite) and
-      (
-        buffer = true and mustWrite = false and op instanceof Opcode::BufferMayWriteSideEffect
-        or
-        buffer = false and mustWrite = false and op instanceof Opcode::IndirectMayWriteSideEffect
-        or
-        buffer = true and mustWrite = true and op instanceof Opcode::BufferMustWriteSideEffect
-        or
-        buffer = false and mustWrite = true and op instanceof Opcode::IndirectMustWriteSideEffect
+      if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index))
+      then
+        call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(index, true, mustWrite) and
+        buffer = true and
+        (
+          mustWrite = false and op instanceof Opcode::SizedBufferMayWriteSideEffect
+          or
+          mustWrite = true and op instanceof Opcode::SizedBufferMustWriteSideEffect
+        )
+      else (
+        call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(index, buffer, mustWrite) and
+        (
+          buffer = true and mustWrite = false and op instanceof Opcode::BufferMayWriteSideEffect
+          or
+          buffer = false and mustWrite = false and op instanceof Opcode::IndirectMayWriteSideEffect
+          or
+          buffer = true and mustWrite = true and op instanceof Opcode::BufferMustWriteSideEffect
+          or
+          buffer = false and mustWrite = true and op instanceof Opcode::IndirectMustWriteSideEffect
+        )
      )
    )
    or
@@ -495,7 +512,9 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
  predicate hasSpecificReadSideEffect(Opcode op) {
    exists(boolean buffer |
      call.getTarget().(SideEffectFunction).hasSpecificReadSideEffect(index, buffer) and
-      (
+      if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index))
+      then buffer = true and op instanceof Opcode::SizedBufferReadSideEffect
+      else (
        buffer = true and op instanceof Opcode::BufferReadSideEffect
        or
        buffer = false and op instanceof Opcode::IndirectReadSideEffect
@@ -506,6 +525,11 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
    op instanceof Opcode::IndirectReadSideEffect
  }

+  final override int getInstructionIndex(InstructionTag tag) {
+    tag = OnlyInstructionTag() and
+    result = index
+  }
+
  /**
   * Gets the `TranslatedFunction` containing this expression.
   */
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -600,6 +600,12 @@ abstract class TranslatedElement extends TTranslatedElement {
   */
  string getInstructionConstantValue(InstructionTag tag) { none() }

+  /**
+   * If the instruction specified by `tag` is an `IndexedInstruction`, gets the
+   * index for that instruction.
+   */
+  int getInstructionIndex(InstructionTag tag) { none() }
+
  /**
   * If the instruction specified by `tag` is a `PointerArithmeticInstruction`,
   * gets the size of the type pointed to by the pointer.
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -644,6 +644,17 @@ class ConstantValueInstruction extends Instruction {
  final string getValue() { result = value }
 }

+class IndexedInstruction extends Instruction {
+  int index;
+
+  IndexedInstruction() { index = Construction::getInstructionIndex(this) }
+  
+
+  final override string getImmediateString() { result = index.toString() }
+
+  final int getIndex() { result = index }
+}
+
 class EnterFunctionInstruction extends Instruction {
  EnterFunctionInstruction() { getOpcode() instanceof Opcode::EnterFunction }
 }
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -342,6 +342,11 @@ private module Cached {
    result = getOldInstruction(instruction).(OldIR::FieldInstruction).getField()
  }

+  cached
+  int getInstructionIndex(Instruction instruction) {
+    result = getOldInstruction(instruction).(OldIR::IndexedInstruction).getIndex()
+  }
+
  cached
  Function getInstructionFunction(Instruction instruction) {
    result = getOldInstruction(instruction).(OldIR::FunctionInstruction).getFunctionSymbol()
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll
@@ -57,5 +57,12 @@ class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction
  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
    i = 1 and buffer = true
  }
-}

+  override ParameterIndex getParameterSizeIndex(ParameterIndex i) {
+    result = 2 and
+    (
+      i = 0 or
+      i = 1
+    )
+  }
+}
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/SideEffect.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/SideEffect.qll
@@ -34,5 +34,7 @@ abstract class SideEffectFunction extends Function {
  }

  predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) { none() }
-}

+  // TODO: name?
+  ParameterIndex getParameterSizeIndex(ParameterIndex i) { none() }
+}