hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: expose support for more general BarrierGuards.

Browse Source
This commit is contained in:
Anders Schack-Mulligen
2025-12-10 11:21:01 +01:00
parent 09058e48aa
commit 9cd2247b91
2 changed files with 30 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
View File

@@ -374,6 +374,29 @@ class ContentSet instanceof Content {
} }
} }
/**
* Holds if the guard `g` validates the expression `e` upon evaluating to `gv`.
*
* The expression `e` is expected to be a syntactic part of the guard `g`.
* For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
* the argument `x`.
*/
signature predicate valueGuardChecksSig(Guard g, Expr e, GuardValue gv);
/**
* Provides a set of barrier nodes for a guard that validates an expression.
*
* This is expected to be used in `isBarrier`/`isSanitizer` definitions
* in data flow and taint tracking.
*/
module BarrierGuardValue<valueGuardChecksSig/3 guardChecks> {
/** Gets a node that is safely guarded by the given guard check. */
Node getABarrierNode() {
SsaFlow::asNode(result) =
SsaImpl::DataFlowIntegration::BarrierGuard<guardChecks/3>::getABarrierNode()
}
}
/** /**
* Holds if the guard `g` validates the expression `e` upon evaluating to `branch`. * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
* *
@@ -390,9 +413,10 @@ signature predicate guardChecksSig(Guard g, Expr e, boolean branch);
* in data flow and taint tracking. * in data flow and taint tracking.
*/ */
module BarrierGuard<guardChecksSig/3 guardChecks> { module BarrierGuard<guardChecksSig/3 guardChecks> {
/** Gets a node that is safely guarded by the given guard check. */ private predicate guardChecks0(Guard g, Expr e, GuardValue gv) {
Node getABarrierNode() { guardChecks(g, e, gv.asBooleanValue())
SsaFlow::asNode(result) =
SsaImpl::DataFlowIntegration::BarrierGuard<guardChecks/3>::getABarrierNode()
} }
/** Gets a node that is safely guarded by the given guard check. */
Node getABarrierNode() { result = BarrierGuardValue<guardChecks0/3>::getABarrierNode() }
} }

4
java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll
View File

@@ -564,14 +564,14 @@ private module Cached {
DataFlowIntegrationImpl::localMustFlowStep(v, nodeFrom, nodeTo) DataFlowIntegrationImpl::localMustFlowStep(v, nodeFrom, nodeTo)
} }
signature predicate guardChecksSig(Guards::Guard g, Expr e, boolean branch); signature predicate guardChecksSig(Guards::Guard g, Expr e, Guards::GuardValue gv);
cached // nothing is actually cached cached // nothing is actually cached
module BarrierGuard<guardChecksSig/3 guardChecks> { module BarrierGuard<guardChecksSig/3 guardChecks> {
private predicate guardChecksAdjTypes( private predicate guardChecksAdjTypes(
Guards::Guards_v3::Guard g, Expr e, Guards::GuardValue gv Guards::Guards_v3::Guard g, Expr e, Guards::GuardValue gv
) { ) {
guardChecks(g, e, gv.asBooleanValue()) guardChecks(g, e, gv)
} }
private predicate guardChecksWithWrappers( private predicate guardChecksWithWrappers(