From 2a55034e5505dbcfc32b8c47c7dd4f69746571ac Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Tue, 12 Sep 2023 15:58:10 +0100
Subject: [PATCH 1/3] C++: Add failing test.
---
 .../guard-condition-regression-test.cpp | 19 +++++++++
 .../guard-condition-regression-test.expected | 2 +
 .../guard-condition-regression-test.ql | 40 +++++++++++++++++++
 .../dataflow/dataflow-tests/test.expected | 2 +-
 4 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.cpp
 create mode 100644 cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.expected
 create mode 100644 cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.ql
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.cpp
new file mode 100644
index 00000000000..070076e341b
--- /dev/null
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.cpp
@@ -0,0 +1,19 @@
+int source();
+void gard_condition_sink(int);
+void use(int);
+/*
+ This test checks that we hit the node corresponding to the expression node that wraps `source`
+ in the condition `source >= 0`.
+*/
+void test_guard_condition(int source, bool b)
+{
+ if (b) {
+ use(source);
+ }
+
+ if (source >= 0) {
+ use(source);
+ }
+
+ gard_condition_sink(source); // $ SPURIOUS: guard-condition-regression
+}
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.expected
new file mode 100644
index 00000000000..8ec8033d086
--- /dev/null
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
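Review bot: The declaration `int source();` at the top of the new file is never called and is shadowed inside test_guard_condition by the parameter `int source`, so the `source` named in the comment reads as ambiguous; either drop the declaration or rename the parameter. The sink is spelled `gard_condition_sink` (here and in the .ql config), which works but is a typo that a later `grep guard_condition` will miss — `guard_condition_sink` in both files would be cleaner. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.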
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.ql b/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.ql
new file mode 100644
index 00000000000..49b650a0793
--- /dev/null
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.ql
@@ -0,0 +1,40 @@
+import TestUtilities.InlineExpectationsTest
+private import cpp
+private import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.controlflow.IRGuards
+
+module IRTestAllocationConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) {
+ source.asParameter().getName().matches("source%") and
+ source.getLocation().getFile().getBaseName() = "guard-condition-regression-test.cpp"
+ }
+
+ predicate isSink(DataFlow::Node sink) {
+ exists(FunctionCall call, Expr e | e = call.getAnArgument() |
+ call.getTarget().getName() = "gard_condition_sink" and
+ sink.asExpr() = e
+ )
+ }
+
+ predicate isBarrier(DataFlow::Node node) {
+ exists(GuardCondition gc | node.asExpr() = gc.getAChild*())
+ }
+}
+
+private module Flow = DataFlow::Global;
+
+module GuardConditionRegressionTest implements TestSig {
+ string getARelevantTag() { result = "guard-condition-regression" }
+
+ predicate hasActualResult(Location location, string element, string tag, string value) {
+ exists(DataFlow::Node sink |
+ Flow::flowTo(sink) and
+ location = sink.getLocation() and
+ element = sink.toString() and
+ tag = "guard-condition-regression" and
+ value = ""
+ )
+ }
+}
+
+import MakeTest
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
index 0260ed62b05..d4756e8d808 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
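Review bot: The configuration module is named `IRTestAllocationConfig`, which appears copied from another dataflow test and says nothing about guard conditions; `GuardConditionRegressionConfig`, matching the `GuardConditionRegressionTest` module below it, would be clearer. The barrier predicate makes every transitive child of every GuardCondition a barrier (`gc.getAChild*()`), including the `b` of `if (b)`, which is wider than the single `source >= 0` read the .cpp comment describes — a comment such as `// Every operand of a guard condition is a barrier, so any flow that still reaches the sink must have bypassed the read in the condition.` would record the intent. The tag string `"guard-condition-regression"` is repeated in hasActualResult; `tag = getARelevantTag()` keeps the two from drifting. The type arguments of `DataFlow::Global` and `MakeTest` appear to have been lost in rendering and should be checked against the actual file.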
@@ -5,5 +5,5 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (test.
 WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:40,25-33)
 WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:42,17-25)
 WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:46,20-28)
-failures
 testFailures
+failures
From 36b7b6cffe629bf55fa5a5606ef2532c97512a9a Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 14 Sep 2023 14:02:03 +0100
Subject: [PATCH 2/3] C++: Fix phi-phi flow.
---
 .../lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
index 7c34dc43d07..967734f1cfd 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -766,7 +766,7 @@ predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
 or
 exists(PhiNode phiTo |
 phi != phiTo and
- lastRefRedefExt(phi, _, _, phiTo) and
+ lastRefRedefExt(phi, bb1, i1, phiTo) and
 nodeTo.(SsaPhiNode).getPhiNode() = phiTo
 )
 )
From b0566af938f9d3d6316388a2dbdabd684a057161 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 14 Sep 2023 14:04:12 +0100
Subject: [PATCH 3/3] C++: Accept test changes.
---
 .../dataflow/dataflow-tests/guard-condition-regression-test.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.cpp
index 070076e341b..39a9d78e143 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.cpp
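Review bot: The replacement of the wildcards with `bb1, i1` in fromPhiNode changes which phi-to-phi edges exist, and nothing in the hunk says why, so a reader cannot tell the fixed form from the buggy one; suggest `// Only link phi directly to phiTo when the phi itself (at bb1, i1) is the last reference before phiTo redefines the variable; if a later use is the last reference, flow must pass through that use node, which may be a barrier.` above the call. This assumes `bb1` and `i1` are bound above the hunk to the phi node's own block and index, which is not visible here and should be confirmed. The predicate fromPhiNode starts before and ends after the hunk. Since this alters data-flow results for all C++ IR queries, a change note under cpp/ql/lib/change-notes is probably expected by the repository's conventions.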
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/guard-condition-regression-test.cpp
@@ -15,5 +15,5 @@ void test_guard_condition(int source, bool b)
 use(source);
 }

- gard_condition_sink(source); // $ SPURIOUS: guard-condition-regression
+ gard_condition_sink(source); // clean
 }
\ No newline at end of file