Merge pull request #2740 from dbartol/dbartol/InitializeNonLocal

C++: Prevent `AliasedVirtualVariable` from overlapping string literals
2026-04-27 01:35:13 +02:00 · 2020-02-06 08:28:01 +01:00
parent 5125dc7939 e06f468b59
commit c0417ac161
15 changed files with 4212 additions and 3595 deletions
--- a/csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll
+++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll
@@ -63,6 +63,7 @@ private newtype TOpcode =
  TUnmodeledDefinition() or
  TUnmodeledUse() or
  TAliasedDefinition() or
+  TInitializeNonLocal() or
  TAliasedUse() or
  TPhi() or
  TBuiltIn() or
@@ -596,6 +597,14 @@ module Opcode {
    final override MemoryAccessKind getWriteMemoryAccess() { result instanceof EscapedMemoryAccess }
  }

+  class InitializeNonLocal extends Opcode, TInitializeNonLocal {
+    final override string toString() { result = "InitializeNonLocal" }
+
+    final override MemoryAccessKind getWriteMemoryAccess() {
+      result instanceof NonLocalMemoryAccess
+    }
+  }
+
  class AliasedUse extends Opcode, TAliasedUse {
    final override string toString() { result = "AliasedUse" }

--- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -759,7 +759,21 @@ module DefUse {
      then defLocation = useLocation
      else (
        definitionHasPhiNode(defLocation, block) and
-        defLocation = useLocation.getVirtualVariable()
+        defLocation = useLocation.getVirtualVariable() and
+        // Handle the unusual case where a virtual variable does not overlap one of its member
+        // locations. For example, a definition of the virtual variable representing all aliased
+        // memory does not overlap a use of a string literal, because the contents of a string
+        // literal can never be redefined. The string literal's location could still be a member of
+        // the `AliasedVirtualVariable` due to something like:
+        // ```
+        // char s[10];
+        // strcpy(s, p);
+        // const char* p = b ? "SomeLiteral" : s;
+        // return p[3];
+        // ```
+        // In the above example, `p[3]` may access either the string literal or the local variable
+        // `s`, so both of those locations must be members of the `AliasedVirtualVariable`.
+        exists(Alias::getOverlap(defLocation, useLocation))
      )
    )
    or