Mass rename L/RValue -> VarWrite/Read
@@ -473,7 +473,7 @@ private module ControlFlowGraphImpl {
|
||||
or
|
||||
this instanceof ClassExpr
|
||||
or
|
||||
this instanceof RValue
|
||||
this instanceof VarRead
|
||||
or
|
||||
this instanceof Call // includes both expressions and statements
|
||||
or
|
||||
@@ -554,7 +554,7 @@ private module ControlFlowGraphImpl {
|
||||
or
|
||||
index = 0 and result = this.(LocalVariableDeclExpr).getInit()
|
||||
or
|
||||
index = 0 and result = this.(RValue).getQualifier() and not result instanceof TypeAccess
|
||||
index = 0 and result = this.(VarRead).getQualifier() and not result instanceof TypeAccess
|
||||
or
|
||||
exists(Call e | e = this |
|
||||
index = -1 and result = e.getQualifier() and not result instanceof TypeAccess
|
||||
|
||||
@@ -2273,10 +2273,10 @@ private module Qualifier {
|
||||
}
|
||||
|
||||
/** An expression that assigns a value to a field. */
|
||||
class FieldWrite extends FieldAccess, LValue { }
|
||||
class FieldWrite extends FieldAccess, VarWrite { }
|
||||
|
||||
/** An expression that reads a field. */
|
||||
class FieldRead extends FieldAccess, RValue { }
|
||||
class FieldRead extends FieldAccess, VarRead { }
|
||||
|
||||
private predicate hasInstantiation(RefType t) {
|
||||
t instanceof TypeVariable or
|
||||
|
||||
@@ -161,13 +161,13 @@ class Callable extends StmtParent, Member, @callable {
|
||||
* Holds if field `f` may be assigned a value
|
||||
* within the body of this callable.
|
||||
*/
|
||||
predicate writes(Field f) { f.getAnAccess().(LValue).getEnclosingCallable() = this }
|
||||
predicate writes(Field f) { f.getAnAccess().(VarWrite).getEnclosingCallable() = this }
|
||||
|
||||
/**
|
||||
* Holds if field `f` may be read
|
||||
* within the body of this callable.
|
||||
*/
|
||||
predicate reads(Field f) { f.getAnAccess().(RValue).getEnclosingCallable() = this }
|
||||
predicate reads(Field f) { f.getAnAccess().(VarRead).getEnclosingCallable() = this }
|
||||
|
||||
/**
|
||||
* Holds if field `f` may be either read or written
|
||||
|
||||
@@ -95,7 +95,7 @@ private ReflectiveClassIdentifier pointsToReflectiveClassIdentifier(Expr expr) {
|
||||
or
|
||||
// Or if this is an access of a variable which was defined as an expression creating a `Class<T>`,
|
||||
// return the inferred `T` from the definition expression.
|
||||
exists(RValue use, VariableAssign assign |
|
||||
exists(VarRead use, VariableAssign assign |
|
||||
use = expr and
|
||||
defUsePair(assign, use) and
|
||||
// The source of the assignment must be a `ReflectiveClassIdentifier`.
|
||||
|
||||
@@ -13,7 +13,7 @@ private import SSA
|
||||
*
|
||||
* This is the transitive closure of `adjacentUseUseSameVar`.
|
||||
*/
|
||||
predicate useUsePairSameVar(RValue use1, RValue use2) { adjacentUseUseSameVar+(use1, use2) }
|
||||
predicate useUsePairSameVar(VarRead use1, VarRead use2) { adjacentUseUseSameVar+(use1, use2) }
|
||||
|
||||
/**
|
||||
* Holds if `use1` and `use2` form a use-use-pair of the same
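Review bot: `useUsePairSameVar` is a public predicate whose parameter types change from `RValue` to `VarRead` here, and the same change reaches `useUsePair`, `defUsePair`, `parameterDefUsePair`, `SsaVariable.getAUse()` and `unsafelySeeded` in later hunks. The definitions of `VarRead` and `VarWrite` are not in the visible diff, so it cannot be confirmed from here that `RValue`, `LValue`, `isRValue()` and `isLValue()` remain available as deprecated aliases. If they do not, out-of-tree queries built on these predicates, custom security queries included, stop compiling on upgrade. I would keep the old names for a deprecation period, for example `deprecated class RValue = VarRead;` and `deprecated class LValue = VarWrite;`, and add a change note naming the replacements.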
|
||||
@@ -23,7 +23,7 @@ predicate useUsePairSameVar(RValue use1, RValue use2) { adjacentUseUseSameVar+(u
|
||||
*
|
||||
* This is the transitive closure of `adjacentUseUse`.
|
||||
*/
|
||||
predicate useUsePair(RValue use1, RValue use2) { adjacentUseUse+(use1, use2) }
|
||||
predicate useUsePair(VarRead use1, VarRead use2) { adjacentUseUse+(use1, use2) }
|
||||
|
||||
/**
|
||||
* Holds if there exists a path from `def` to `use` without passing through another
|
||||
@@ -31,7 +31,7 @@ predicate useUsePair(RValue use1, RValue use2) { adjacentUseUse+(use1, use2) }
|
||||
*
|
||||
* Other paths may also exist, so the SSA variables in `def` and `use` can be different.
|
||||
*/
|
||||
predicate defUsePair(VariableUpdate def, RValue use) {
|
||||
predicate defUsePair(VariableUpdate def, VarRead use) {
|
||||
exists(SsaVariable v |
|
||||
v.getAUse() = use and v.getAnUltimateDefinition().(SsaExplicitUpdate).getDefiningExpr() = def
|
||||
)
|
||||
@@ -43,7 +43,7 @@ predicate defUsePair(VariableUpdate def, RValue use) {
|
||||
*
|
||||
* Other paths may also exist, so the SSA variables can be different.
|
||||
*/
|
||||
predicate parameterDefUsePair(Parameter p, RValue use) {
|
||||
predicate parameterDefUsePair(Parameter p, VarRead use) {
|
||||
exists(SsaVariable v |
|
||||
v.getAUse() = use and v.getAnUltimateDefinition().(SsaImplicitInit).isParameterDefinition(p)
|
||||
)
|
||||
|
||||
@@ -234,7 +234,7 @@ class InstanceAccessExt extends TInstanceAccessExt {
|
||||
e instanceof InstanceAccess and result = e
|
||||
or
|
||||
exists(FieldAccess fa | fa = e |
|
||||
if fa instanceof RValue then fa = result else result.(AssignExpr).getDest() = fa
|
||||
if fa instanceof VarRead then fa = result else result.(AssignExpr).getDest() = fa
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -15,10 +15,10 @@ private Expr exprWithIntValue(int i) {
|
||||
|
||||
/**
|
||||
* An expression for which the predicate `integerGuard` is relevant.
|
||||
* This includes `RValue` and `MethodCall`.
|
||||
* This includes `VarRead` and `MethodCall`.
|
||||
*/
|
||||
class IntComparableExpr extends Expr {
|
||||
IntComparableExpr() { this instanceof RValue or this instanceof MethodCall }
|
||||
IntComparableExpr() { this instanceof VarRead or this instanceof MethodCall }
|
||||
|
||||
/** Gets an integer that is directly assigned to the expression in case of a variable; or zero. */
|
||||
int relevantInt() {
|
||||
@@ -132,7 +132,7 @@ Expr integerGuard(IntComparableExpr e, boolean branch, int k, boolean is_k) {
|
||||
* If `branch_with_lower_bound_k` is true then `result` is equivalent to `k <= x`
|
||||
* and if it is false then `result` is equivalent to `k > x`.
|
||||
*/
|
||||
Expr intBoundGuard(RValue x, boolean branch_with_lower_bound_k, int k) {
|
||||
Expr intBoundGuard(VarRead x, boolean branch_with_lower_bound_k, int k) {
|
||||
exists(ComparisonExpr comp, ConstantIntegerExpr c, int val |
|
||||
comp = result and
|
||||
comp.hasOperands(x, c) and
|
||||
|
||||
@@ -79,7 +79,7 @@ Expr clearlyNotNullExpr(Expr reason) {
|
||||
(reason = r1 or reason = r2)
|
||||
)
|
||||
or
|
||||
exists(SsaVariable v, boolean branch, RValue rval, Guard guard |
|
||||
exists(SsaVariable v, boolean branch, VarRead rval, Guard guard |
|
||||
guard = directNullGuard(v, branch, false) and
|
||||
guard.controls(rval.getBasicBlock(), branch) and
|
||||
reason = guard and
|
||||
|
||||
@@ -485,7 +485,7 @@ private predicate correlatedConditions(
|
||||
inverted = branch1.booleanXor(branch2)
|
||||
)
|
||||
or
|
||||
exists(SsaVariable v, RValue rv1, RValue rv2, int k, boolean branch1, boolean branch2 |
|
||||
exists(SsaVariable v, VarRead rv1, VarRead rv2, int k, boolean branch1, boolean branch2 |
|
||||
rv1 = v.getAUse() and
|
||||
rv2 = v.getAUse() and
|
||||
cond1.getCondition() = integerGuard(rv1, branch1, k, true) and
|
||||
|
||||
@@ -275,7 +275,7 @@ private module SsaImpl {
|
||||
}
|
||||
|
||||
/** Holds if `VarAccess` `use` of `v` occurs in `b` at index `i`. */
|
||||
private predicate variableUse(TrackedVar v, RValue use, BasicBlock b, int i) {
|
||||
private predicate variableUse(TrackedVar v, VarRead use, BasicBlock b, int i) {
|
||||
v.getAnAccess() = use and b.getNode(i) = use
|
||||
}
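Review bot: The doc comment on `variableUse` still describes `use` as a `VarAccess`, while the parameter is now typed `VarRead`, so the comment is less precise than the signature. I would change it to `/** Holds if the read access `use` of `v` occurs in `b` at index `i`. */`. The `variableUse` predicate in the second `SsaImpl` module, changed in a later hunk, carries the same comment.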
|
||||
|
||||
@@ -652,7 +652,7 @@ private module SsaImpl {
|
||||
* Holds if the SSA definition of `v` at `def` reaches `use` in the same basic block
|
||||
* without crossing another SSA definition of `v`.
|
||||
*/
|
||||
private predicate ssaDefReachesUseWithinBlock(TrackedVar v, TrackedSsaDef def, RValue use) {
|
||||
private predicate ssaDefReachesUseWithinBlock(TrackedVar v, TrackedSsaDef def, VarRead use) {
|
||||
exists(BasicBlock b, int rankix, int i |
|
||||
ssaDefReachesRank(v, def, b, rankix) and
|
||||
defUseRank(v, b, rankix, i) and
|
||||
@@ -665,7 +665,7 @@ private module SsaImpl {
|
||||
* SSA definition of `v`.
|
||||
*/
|
||||
cached
|
||||
predicate ssaDefReachesUse(TrackedVar v, TrackedSsaDef def, RValue use) {
|
||||
predicate ssaDefReachesUse(TrackedVar v, TrackedSsaDef def, VarRead use) {
|
||||
ssaDefReachesUseWithinBlock(v, def, use)
|
||||
or
|
||||
exists(BasicBlock b |
|
||||
@@ -813,7 +813,7 @@ private module SsaImpl {
|
||||
* any other uses, but possibly through phi nodes and uncertain implicit updates.
|
||||
*/
|
||||
cached
|
||||
predicate firstUse(TrackedSsaDef def, RValue use) {
|
||||
predicate firstUse(TrackedSsaDef def, VarRead use) {
|
||||
exists(TrackedVar v, BasicBlock b1, int i1, BasicBlock b2, int i2 |
|
||||
adjacentVarRefs(v, b1, i1, b2, i2) and
|
||||
def.definesAt(v, b1, i1) and
|
||||
@@ -838,7 +838,7 @@ private module SsaImpl {
|
||||
* through any other use or any SSA definition of the variable.
|
||||
*/
|
||||
cached
|
||||
predicate adjacentUseUseSameVar(RValue use1, RValue use2) {
|
||||
predicate adjacentUseUseSameVar(VarRead use1, VarRead use2) {
|
||||
exists(TrackedVar v, BasicBlock b1, int i1, BasicBlock b2, int i2 |
|
||||
adjacentVarRefs(v, b1, i1, b2, i2) and
|
||||
variableUse(v, use1, b1, i1) and
|
||||
@@ -853,7 +853,7 @@ private module SsaImpl {
|
||||
* except for phi nodes and uncertain implicit updates.
|
||||
*/
|
||||
cached
|
||||
predicate adjacentUseUse(RValue use1, RValue use2) {
|
||||
predicate adjacentUseUse(VarRead use1, VarRead use2) {
|
||||
adjacentUseUseSameVar(use1, use2)
|
||||
or
|
||||
exists(TrackedVar v, TrackedSsaDef def, BasicBlock b1, int i1, BasicBlock b2, int i2 |
|
||||
@@ -938,7 +938,7 @@ class SsaVariable extends TSsaVariable {
|
||||
BasicBlock getBasicBlock() { result = this.getCfgNode().getBasicBlock() }
|
||||
|
||||
/** Gets an access of this SSA variable. */
|
||||
RValue getAUse() {
|
||||
VarRead getAUse() {
|
||||
ssaDefReachesUse(_, this, result) or
|
||||
this = TSsaUntracked(_, result)
|
||||
}
|
||||
@@ -952,7 +952,7 @@ class SsaVariable extends TSsaVariable {
|
||||
* Subsequent uses can be found by following the steps defined by
|
||||
* `adjacentUseUse`.
|
||||
*/
|
||||
RValue getAFirstUse() {
|
||||
VarRead getAFirstUse() {
|
||||
firstUse(this, result) or
|
||||
this = TSsaUntracked(_, result)
|
||||
}
|
||||
|
||||
@@ -118,7 +118,7 @@ private module SsaImpl {
|
||||
}
|
||||
|
||||
/** Holds if `VarAccess` `use` of `v` occurs in `b` at index `i`. */
|
||||
private predicate variableUse(BaseSsaSourceVariable v, RValue use, BasicBlock b, int i) {
|
||||
private predicate variableUse(BaseSsaSourceVariable v, VarRead use, BasicBlock b, int i) {
|
||||
v.getAnAccess() = use and b.getNode(i) = use
|
||||
}
|
||||
|
||||
@@ -243,7 +243,7 @@ private module SsaImpl {
|
||||
* without crossing another SSA definition of `v`.
|
||||
*/
|
||||
private predicate ssaDefReachesUseWithinBlock(
|
||||
BaseSsaSourceVariable v, TrackedSsaDef def, RValue use
|
||||
BaseSsaSourceVariable v, TrackedSsaDef def, VarRead use
|
||||
) {
|
||||
exists(BasicBlock b, int rankix, int i |
|
||||
ssaDefReachesRank(v, def, b, rankix) and
|
||||
@@ -257,7 +257,7 @@ private module SsaImpl {
|
||||
* SSA definition of `v`.
|
||||
*/
|
||||
cached
|
||||
predicate ssaDefReachesUse(BaseSsaSourceVariable v, TrackedSsaDef def, RValue use) {
|
||||
predicate ssaDefReachesUse(BaseSsaSourceVariable v, TrackedSsaDef def, VarRead use) {
|
||||
ssaDefReachesUseWithinBlock(v, def, use)
|
||||
or
|
||||
exists(BasicBlock b |
|
||||
@@ -378,7 +378,7 @@ private module SsaImpl {
|
||||
* any other uses, but possibly through phi nodes.
|
||||
*/
|
||||
cached
|
||||
predicate firstUse(TrackedSsaDef def, RValue use) {
|
||||
predicate firstUse(TrackedSsaDef def, VarRead use) {
|
||||
exists(BaseSsaSourceVariable v, BasicBlock b1, int i1, BasicBlock b2, int i2 |
|
||||
adjacentVarRefs(v, b1, i1, b2, i2) and
|
||||
def.definesAt(v, b1, i1) and
|
||||
@@ -405,7 +405,7 @@ private module SsaImpl {
|
||||
* through any other use or any SSA definition of the variable.
|
||||
*/
|
||||
cached
|
||||
predicate baseSsaAdjacentUseUseSameVar(RValue use1, RValue use2) {
|
||||
predicate baseSsaAdjacentUseUseSameVar(VarRead use1, VarRead use2) {
|
||||
exists(BaseSsaSourceVariable v, BasicBlock b1, int i1, BasicBlock b2, int i2 |
|
||||
adjacentVarRefs(v, b1, i1, b2, i2) and
|
||||
variableUse(v, use1, b1, i1) and
|
||||
@@ -420,7 +420,7 @@ private module SsaImpl {
|
||||
* except for phi nodes.
|
||||
*/
|
||||
cached
|
||||
predicate baseSsaAdjacentUseUse(RValue use1, RValue use2) {
|
||||
predicate baseSsaAdjacentUseUse(VarRead use1, VarRead use2) {
|
||||
baseSsaAdjacentUseUseSameVar(use1, use2)
|
||||
or
|
||||
exists(
|
||||
@@ -490,7 +490,7 @@ class BaseSsaVariable extends TBaseSsaVariable {
|
||||
BasicBlock getBasicBlock() { result = this.getCfgNode().getBasicBlock() }
|
||||
|
||||
/** Gets an access of this SSA variable. */
|
||||
RValue getAUse() { ssaDefReachesUse(_, this, result) }
|
||||
VarRead getAUse() { ssaDefReachesUse(_, this, result) }
|
||||
|
||||
/**
|
||||
* Gets an access of the SSA source variable underlying this SSA variable
|
||||
@@ -500,7 +500,7 @@ class BaseSsaVariable extends TBaseSsaVariable {
|
||||
* Subsequent uses can be found by following the steps defined by
|
||||
* `baseSsaAdjacentUseUse`.
|
||||
*/
|
||||
RValue getAFirstUse() { firstUse(this, result) }
|
||||
VarRead getAFirstUse() { firstUse(this, result) }
|
||||
|
||||
/** Holds if this SSA variable is live at the end of `b`. */
|
||||
predicate isLiveAtEndOfBlock(BasicBlock b) { ssaDefReachesEndOfBlock(_, this, b) }
|
||||
|
||||
@@ -114,7 +114,7 @@ private module CaptureInput implements VariableCapture::InputSig {
|
||||
CapturedVariable getVariable() { result = v }
|
||||
}
|
||||
|
||||
class VariableRead extends Expr instanceof RValue {
|
||||
class VariableRead extends Expr instanceof VarRead {
|
||||
CapturedVariable v;
|
||||
|
||||
VariableRead() { super.getVariable() = v }
|
||||
|
||||
@@ -169,7 +169,7 @@ predicate localMustFlowStep(Node node1, Node node2) {
|
||||
import Cached
|
||||
|
||||
private predicate capturedVariableRead(Node n) {
|
||||
n.asExpr().(RValue).getVariable() instanceof CapturedVariable
|
||||
n.asExpr().(VarRead).getVariable() instanceof CapturedVariable
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -379,7 +379,7 @@ signature predicate guardChecksSig(Guard g, Expr e, boolean branch);
|
||||
module BarrierGuard<guardChecksSig/3 guardChecks> {
|
||||
/** Gets a node that is safely guarded by the given guard check. */
|
||||
Node getABarrierNode() {
|
||||
exists(Guard g, SsaVariable v, boolean branch, RValue use |
|
||||
exists(Guard g, SsaVariable v, boolean branch, VarRead use |
|
||||
guardChecks(g, v.getAUse(), branch) and
|
||||
use = v.getAUse() and
|
||||
g.controls(use.getBasicBlock(), branch) and
|
||||
|
||||
@@ -429,13 +429,13 @@ private predicate comparisonStep(Expr tracked, Expr sink) {
|
||||
private predicate serializationStep(Expr tracked, Expr sink) {
|
||||
exists(ObjectOutputStreamVar v, VariableAssign def |
|
||||
def = v.getADef() and
|
||||
exists(MethodCall ma, RValue use |
|
||||
exists(MethodCall ma, VarRead use |
|
||||
ma.getArgument(0) = tracked and
|
||||
ma = v.getAWriteObjectMethodCall() and
|
||||
use = ma.getQualifier() and
|
||||
defUsePair(def, use)
|
||||
) and
|
||||
exists(RValue outputstream, ClassInstanceExpr cie |
|
||||
exists(VarRead outputstream, ClassInstanceExpr cie |
|
||||
cie = def.getSource() and
|
||||
outputstream = cie.getArgument(0) and
|
||||
adjacentUseUse(outputstream, sink)
|
||||
@@ -475,13 +475,13 @@ class ObjectOutputStreamVar extends LocalVariableDecl {
|
||||
private predicate formatStep(Expr tracked, Expr sink) {
|
||||
exists(FormatterVar v, VariableAssign def |
|
||||
def = v.getADef() and
|
||||
exists(MethodCall ma, RValue use |
|
||||
exists(MethodCall ma, VarRead use |
|
||||
ma.getAnArgument() = tracked and
|
||||
ma = v.getAFormatMethodCall() and
|
||||
use = ma.getQualifier() and
|
||||
defUsePair(def, use)
|
||||
) and
|
||||
exists(RValue output, ClassInstanceExpr cie |
|
||||
exists(VarRead output, ClassInstanceExpr cie |
|
||||
cie = def.getSource() and
|
||||
output = cie.getArgument(0) and
|
||||
adjacentUseUse(output, sink) and
|
||||
@@ -586,7 +586,7 @@ module StringBuilderVarModule {
|
||||
result.getQualifier() = append
|
||||
or
|
||||
not exists(MethodCall chainAccess | chainAccess.getQualifier() = append) and
|
||||
exists(RValue sbva1, RValue sbva2 |
|
||||
exists(VarRead sbva1, VarRead sbva2 |
|
||||
adjacentUseUse(sbva1, sbva2) and
|
||||
append.getQualifier() = this.getAChainedReference(sbva1) and
|
||||
result.getQualifier() = sbva2
|
||||
|
||||
@@ -133,7 +133,7 @@ private module TypeTrackingSteps {
|
||||
class LocalSourceNode extends RelevantNode {
|
||||
LocalSourceNode() {
|
||||
this.asExpr() instanceof Call or
|
||||
this.asExpr() instanceof RValue or
|
||||
this.asExpr() instanceof VarRead or
|
||||
this instanceof DataFlow::ParameterNode or
|
||||
this instanceof DataFlow::ImplicitVarargsArray or
|
||||
this.asExpr() instanceof ArrayInit or
|
||||
@@ -253,7 +253,7 @@ private module TypeTrackingSteps {
|
||||
exists(AssignExpr a, Variable v |
|
||||
a.getSource() = n1.asExpr() and
|
||||
a.getDest().(ArrayAccess).getArray() = v.getAnAccess() and
|
||||
n2.asExpr() = v.getAnAccess().(RValue) and
|
||||
n2.asExpr() = v.getAnAccess().(VarRead) and
|
||||
f = ContentArray()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -118,7 +118,7 @@ private predicate step(Node n1, Node n2) {
|
||||
exists(AssignExpr a, Field v |
|
||||
a.getSource() = n1.asExpr() and
|
||||
a.getDest().(ArrayAccess).getArray() = v.getAnAccess() and
|
||||
n2.asExpr() = v.getAnAccess().(RValue)
|
||||
n2.asExpr() = v.getAnAccess().(VarRead)
|
||||
)
|
||||
or
|
||||
exists(AssignExpr a |
|
||||
|
||||
@@ -47,7 +47,7 @@ private Guard sizeGuard(SsaVariable v, boolean branch, boolean upper) {
|
||||
)
|
||||
or
|
||||
// overflow test
|
||||
exists(AddExpr add, RValue use, Expr pos |
|
||||
exists(AddExpr add, VarRead use, Expr pos |
|
||||
use = ssaRead(v, 0) and
|
||||
add.hasOperands(use, pos) and
|
||||
positive(use) and
|
||||
|
||||
@@ -68,10 +68,10 @@ private class CommandArgumentList extends SsaExplicitUpdate {
|
||||
}
|
||||
|
||||
/** Gets a use of the variable for which the list could be empty. */
|
||||
private RValue getAUseBeforeFirstAdd() {
|
||||
private VarRead getAUseBeforeFirstAdd() {
|
||||
result = this.getAFirstUse()
|
||||
or
|
||||
exists(RValue mid |
|
||||
exists(VarRead mid |
|
||||
mid = this.getAUseBeforeFirstAdd() and
|
||||
adjacentUseUse(mid, result) and
|
||||
not exists(MethodCall ma |
|
||||
@@ -114,7 +114,7 @@ private class ArrayOfStringType extends Array {
|
||||
ArrayOfStringType() { this.getElementType() instanceof TypeString }
|
||||
}
|
||||
|
||||
private predicate arrayLValue(ArrayAccess acc) { exists(Assignment a | a.getDest() = acc) }
|
||||
private predicate arrayVarWrite(ArrayAccess acc) { exists(Assignment a | a.getDest() = acc) }
|
||||
|
||||
/**
|
||||
* A variable that could be an array of arguments to a command.
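Review bot: The mechanical rename turned the private helper `arrayLValue` into `arrayVarWrite`, but its argument is an `ArrayAccess` and its body only asks whether that access is the destination of an `Assignment`. The new name therefore suggests a relation to the `VarWrite` class that the code does not have. A name that states what is checked reads better, for example `private predicate arrayAssignDest(ArrayAccess acc) { exists(Assignment a | a.getDest() = acc) }`, with the call in the `CommandArgumentArray` characteristic predicate in the next hunk updated to match.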
|
||||
@@ -122,13 +122,13 @@ private predicate arrayLValue(ArrayAccess acc) { exists(Assignment a | a.getDest
|
||||
private class CommandArgumentArray extends SsaExplicitUpdate {
|
||||
CommandArgumentArray() {
|
||||
this.getSourceVariable().getType() instanceof ArrayOfStringType and
|
||||
forall(ArrayAccess a | a.getArray() = this.getAUse() and arrayLValue(a) |
|
||||
forall(ArrayAccess a | a.getArray() = this.getAUse() and arrayVarWrite(a) |
|
||||
a.getIndexExpr() instanceof CompileTimeConstantExpr
|
||||
)
|
||||
}
|
||||
|
||||
/** Gets an expression that is written to the given index of this array at the given use. */
|
||||
Expr getAWrite(int index, RValue use) {
|
||||
Expr getAWrite(int index, VarRead use) {
|
||||
exists(Assignment a, ArrayAccess acc |
|
||||
acc.getArray() = use and
|
||||
use = this.getAUse() and
|
||||
@@ -148,7 +148,7 @@ private class CommandArgumentArray extends SsaExplicitUpdate {
|
||||
private class CommandArgArrayImmutableFirst extends CommandArgumentArray {
|
||||
CommandArgArrayImmutableFirst() {
|
||||
(exists(this.getAWrite(0)) or exists(firstElementOf(this.getDefiningExpr()))) and
|
||||
forall(RValue use | exists(this.getAWrite(0, use)) | use = this.getAFirstUse())
|
||||
forall(VarRead use | exists(this.getAWrite(0, use)) | use = this.getAFirstUse())
|
||||
}
|
||||
|
||||
/** Gets the first element of this array. */
|
||||
|
||||
@@ -45,7 +45,7 @@ class RightShiftOp extends Expr {
|
||||
}
|
||||
}
|
||||
|
||||
private predicate boundedRead(RValue read) {
|
||||
private predicate boundedRead(VarRead read) {
|
||||
exists(SsaVariable v, ConditionBlock cb, ComparisonExpr comp, boolean testIsTrue |
|
||||
read = v.getAUse() and
|
||||
cb.controls(read.getBasicBlock(), testIsTrue) and
|
||||
@@ -57,7 +57,7 @@ private predicate boundedRead(RValue read) {
|
||||
)
|
||||
}
|
||||
|
||||
private predicate castCheck(RValue read) {
|
||||
private predicate castCheck(VarRead read) {
|
||||
exists(EqualityTest eq, CastExpr cast |
|
||||
cast.getExpr() = read and
|
||||
eq.hasOperands(cast, read.getVariable().getAnAccess())
|
||||
|
||||
@@ -16,7 +16,7 @@ abstract class PathInjectionSanitizer extends DataFlow::Node { }
|
||||
private module ValidationMethod<DataFlow::guardChecksSig/3 validationGuard> {
|
||||
/** Gets a node that is safely guarded by a method that uses the given guard check. */
|
||||
DataFlow::Node getAValidatedNode() {
|
||||
exists(MethodCall ma, int pos, RValue rv |
|
||||
exists(MethodCall ma, int pos, VarRead rv |
|
||||
validationMethod(ma.getMethod(), pos) and
|
||||
ma.getArgument(pos) = rv and
|
||||
adjacentUseUseSameVar(rv, result.asExpr()) and
|
||||
|
||||
@@ -20,10 +20,10 @@ class GetRandomData extends StdlibRandomSource {
|
||||
GetRandomData() { this.getQualifier().getType() instanceof SecureRandomNumberGenerator }
|
||||
}
|
||||
|
||||
private predicate isSeeded(RValue use) {
|
||||
private predicate isSeeded(VarRead use) {
|
||||
isSeeding(_, use)
|
||||
or
|
||||
exists(GetRandomData da, RValue seeduse |
|
||||
exists(GetRandomData da, VarRead seeduse |
|
||||
da.getQualifier() = seeduse and
|
||||
useUsePair(seeduse, use)
|
||||
)
|
||||
@@ -76,16 +76,16 @@ private predicate predictableCalcStep(Expr e1, Expr e2) {
|
||||
)
|
||||
}
|
||||
|
||||
private predicate safelySeeded(RValue use) {
|
||||
private predicate safelySeeded(VarRead use) {
|
||||
exists(Expr arg |
|
||||
isSeeding(arg, use) and
|
||||
not PredictableSeedFlow::flowToExpr(arg)
|
||||
)
|
||||
or
|
||||
exists(GetRandomData da, RValue seeduse |
|
||||
exists(GetRandomData da, VarRead seeduse |
|
||||
da.getQualifier() = seeduse and useUsePair(seeduse, use)
|
||||
|
|
||||
not exists(RValue prior | useUsePair(prior, seeduse) | isSeeded(prior))
|
||||
not exists(VarRead prior | useUsePair(prior, seeduse) | isSeeded(prior))
|
||||
)
|
||||
}
|
||||
|
||||
@@ -93,12 +93,12 @@ private predicate safelySeeded(RValue use) {
|
||||
* Holds if predictable seed `source` is used to initialise a random-number generator
|
||||
* used at `use`.
|
||||
*/
|
||||
predicate unsafelySeeded(RValue use, PredictableSeedExpr source) {
|
||||
predicate unsafelySeeded(VarRead use, PredictableSeedExpr source) {
|
||||
isSeedingSource(_, use, source) and
|
||||
not safelySeeded(use)
|
||||
}
|
||||
|
||||
private predicate isSeeding(Expr arg, RValue use) {
|
||||
private predicate isSeeding(Expr arg, VarRead use) {
|
||||
exists(Expr e, VariableAssign def |
|
||||
def.getSource() = e and
|
||||
isSeedingConstruction(e, arg)
|
||||
@@ -107,14 +107,14 @@ private predicate isSeeding(Expr arg, RValue use) {
|
||||
def.getDestVar().(Field).getAnAccess() = use
|
||||
)
|
||||
or
|
||||
exists(Expr e, RValue seeduse |
|
||||
exists(Expr e, VarRead seeduse |
|
||||
e.(MethodCall).getQualifier() = seeduse and
|
||||
isRandomSeeding(e, arg) and
|
||||
useUsePair(seeduse, use)
|
||||
)
|
||||
}
|
||||
|
||||
private predicate isSeedingSource(Expr arg, RValue use, Expr source) {
|
||||
private predicate isSeedingSource(Expr arg, VarRead use, Expr source) {
|
||||
isSeeding(arg, use) and
|
||||
PredictableSeedFlow::flow(DataFlow::exprNode(source), DataFlow::exprNode(arg))
|
||||
}
|
||||
|
||||
@@ -73,7 +73,7 @@ where
|
||||
loopWhileTrue(loop) and loopExitGuard(loop, cond)
|
||||
) and
|
||||
// None of the ssa variables in `cond` are updated inside the loop.
|
||||
forex(SsaVariable ssa, RValue use | ssa.getAUse() = use and use.getParent*() = cond |
|
||||
forex(SsaVariable ssa, VarRead use | ssa.getAUse() = use and use.getParent*() = cond |
|
||||
not ssa.getCfgNode().getEnclosingStmt().getEnclosingStmt*() = loop or
|
||||
ssa.getCfgNode().(Expr).getParent*() = loop.(ForStmt).getAnInit()
|
||||
) and
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
import java
|
||||
import semmle.code.java.security.RandomQuery
|
||||
|
||||
from GetRandomData da, RValue use, PredictableSeedExpr source
|
||||
from GetRandomData da, VarRead use, PredictableSeedExpr source
|
||||
where
|
||||
da.getQualifier() = use and
|
||||
unsafelySeeded(use, source)
|
||||
|
||||
@@ -26,7 +26,7 @@ class LocalBoxedVar extends LocalVariableDecl {
|
||||
* some number of boxing operations, these cases are excluded.
|
||||
*/
|
||||
predicate notDeliberatelyBoxed(LocalBoxedVar v) {
|
||||
not forall(RValue a | a = v.getAnAccess() |
|
||||
not forall(VarRead a | a = v.getAnAccess() |
|
||||
exists(Call c, int i |
|
||||
c.getCallee().getParameterType(i) instanceof RefType and
|
||||
c.getArgument(i) = a
|
||||
|
||||
@@ -42,15 +42,15 @@ class ZipOutputStream extends Class {
|
||||
}
|
||||
|
||||
from
|
||||
ZipOutputStream jos, MethodCall putNextEntry, MethodCall closeEntry, RValue putNextQualifier,
|
||||
RValue closeQualifier
|
||||
ZipOutputStream jos, MethodCall putNextEntry, MethodCall closeEntry, VarRead putNextQualifier,
|
||||
VarRead closeQualifier
|
||||
where
|
||||
putNextEntry.getMethod() = jos.putNextEntry() and
|
||||
closeEntry.getMethod() = jos.closeEntry() and
|
||||
putNextQualifier = putNextEntry.getQualifier() and
|
||||
closeQualifier = closeEntry.getQualifier() and
|
||||
adjacentUseUseSameVar(putNextQualifier, closeQualifier) and
|
||||
not exists(RValue other |
|
||||
not exists(VarRead other |
|
||||
adjacentUseUseSameVar(other, closeQualifier) and
|
||||
other != putNextQualifier
|
||||
)
|
||||
|
||||
@@ -58,7 +58,7 @@ predicate overwritten(SsaExplicitUpdate ssa) {
|
||||
* A local variable with a read access.
|
||||
*/
|
||||
predicate read(LocalScopeVariable v) {
|
||||
exists(VarAccess va | va = v.getAnAccess() | va.isRValue())
|
||||
exists(VarAccess va | va = v.getAnAccess() | va.isVarRead())
|
||||
or
|
||||
readImplicitly(_, v)
|
||||
}
|
||||
@@ -72,7 +72,7 @@ private predicate readImplicitly(SsaExplicitUpdate ssa, LocalScopeVariable v) {
|
||||
* A local variable with a write access.
|
||||
*/
|
||||
predicate assigned(LocalScopeVariable v) {
|
||||
exists(VarAccess va | va = v.getAnAccess() | va.isLValue())
|
||||
exists(VarAccess va | va = v.getAnAccess() | va.isVarWrite())
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.SSA
|
||||
|
||||
class SsaConvertibleReadAccess extends RValue {
|
||||
class SsaConvertibleReadAccess extends VarRead {
|
||||
SsaConvertibleReadAccess() {
|
||||
this.getEnclosingCallable().getBody().getBasicBlock().getABBSuccessor*() = this.getBasicBlock() and
|
||||
(
|
||||
|
||||
@@ -50,5 +50,5 @@ query predicate missingSuccessor(Expr n) {
|
||||
maybeSuccessor(n) instanceof NoMaybeControlFlowNode and
|
||||
n.getFile().(CompilationUnit).fromSource() and
|
||||
not n instanceof TypeAccess and
|
||||
not n instanceof LValue
|
||||
not n instanceof VarWrite
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import default
|
||||
import semmle.code.java.dataflow.DefUse
|
||||
|
||||
from VariableUpdate d, RValue u, Variable v
|
||||
from VariableUpdate d, VarRead u, Variable v
|
||||
where defUsePair(d, u) and u.getVariable() = v
|
||||
select v, d.getLocation().getStartLine(), u.getLocation().getStartLine()
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import default
|
||||
import semmle.code.java.dataflow.DefUse
|
||||
|
||||
from RValue u, Parameter v
|
||||
from VarRead u, Parameter v
|
||||
where parameterDefUsePair(v, u)
|
||||
select v, u.getLocation().getStartLine()
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import default
|
||||
import semmle.code.java.dataflow.DefUse
|
||||
|
||||
from RValue u1, RValue u2, Variable v
|
||||
from VarRead u1, VarRead u2, Variable v
|
||||
where useUsePair(u1, u2) and u1.getVariable() = v
|
||||
select v, u1.getLocation().getStartLine(), u2.getLocation().getStartLine()
|
||||
|
||||
@@ -3,6 +3,6 @@ import semmle.code.java.dataflow.SSA
|
||||
|
||||
from int uses, int live
|
||||
where
|
||||
uses = strictcount(SsaVariable ssa, RValue use | use = ssa.getAUse()) and
|
||||
uses = strictcount(SsaVariable ssa, VarRead use | use = ssa.getAUse()) and
|
||||
live = strictcount(SsaVariable ssa, BasicBlock b | ssa.isLiveAtEndOfBlock(b))
|
||||
select uses, live
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.SSA
|
||||
|
||||
from RValue use1, RValue use2
|
||||
from VarRead use1, VarRead use2
|
||||
where adjacentUseUse(use1, use2)
|
||||
select use1, use2
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.SSA
|
||||
|
||||
from SsaVariable ssa, RValue use
|
||||
from SsaVariable ssa, VarRead use
|
||||
where use = ssa.getAFirstUse()
|
||||
select ssa, use
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.TypeFlow
|
||||
|
||||
from RValue e, RefType t, boolean exact
|
||||
from VarRead e, RefType t, boolean exact
|
||||
where exprTypeFlow(e, t, exact)
|
||||
select e, t.toString(), exact
|
||||
|
||||
@@ -5,6 +5,6 @@ int countUnionTypes(Expr e) {
|
||||
result = strictcount(RefType t, boolean exact | exprUnionTypeFlow(e, t, exact))
|
||||
}
|
||||
|
||||
from RValue e, RefType t, boolean exact
|
||||
from VarRead e, RefType t, boolean exact
|
||||
where exprUnionTypeFlow(e, t, exact)
|
||||
select e, countUnionTypes(e), t.toString(), exact
|
||||
|
||||