diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
index 4b2885fb08c..c5732ef5a06 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -692,7 +692,7 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { storeStepImpl(node1,
 private predicate numberOfLoadsFromOperandRec(
 Operand operandFrom, Operand operandTo, int ind, boolean certain
 ) {
- exists(Instruction load | Ssa::isDereference(load, operandFrom) |
+ exists(Instruction load | Ssa::isDereference(load, operandFrom, _) |
 operandTo = operandFrom and ind = 0 and certain = true
 or
 numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1, certain)
@@ -716,7 +716,7 @@ private predicate numberOfLoadsFromOperand(
 ) {
 numberOfLoadsFromOperandRec(operandFrom, operandTo, n, certain)
 or
- not Ssa::isDereference(_, operandFrom) and
+ not Ssa::isDereference(_, operandFrom, _) and
 not conversionFlow(operandFrom, _, _, _) and
 operandFrom = operandTo and
 n = 0 and
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
index 41870e01b5e..a76edb8a8e5 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -610,7 +610,7 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
 hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
 hasOperandAndIndex(nTo, op2, indirectionIndex - 1) and
 instr = op2.getDef() and
- isDereference(instr, op1)
+ isDereference(instr, op1, _)
 )
 )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
index 977803477b6..218d6562565 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -320,10 +320,12 @@ private module IteratorIndirections {
 }
 }
 
-predicate isDereference(Instruction deref, Operand address) {
- any(Indirection ind).isAdditionalDereference(deref, address)
+predicate isDereference(Instruction deref, Operand address, boolean additional) {
+ any(Indirection ind).isAdditionalDereference(deref, address) and
+ additional = true
 or
- deref.(LoadInstruction).getSourceAddressOperand() = address
+ deref.(LoadInstruction).getSourceAddressOperand() = address and
+ additional = false
 }
 
 predicate isWrite(Node0Impl value, Operand address, boolean certain) {
@@ -545,7 +547,7 @@ private module Cached {
 isDef(_, value, iteratorDerefAddress, iteratorBase, numberOfLoads + 2, 0) and
 isUse(_, iteratorAddress, iteratorBase, numberOfLoads + 1, 0) and
 iteratorBase.getResultType() instanceof Interfaces::Iterator and
- isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse()) and
+ isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse(), _) and
 memory = read.getSideEffectOperand().getAnyDef()
 )
 }
@@ -786,7 +788,7 @@ private module Cached {
 ) {
 indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and
 exists(Instruction load |
- isDereference(load, operand) and
+ isDereference(load, operand, false) and
 operandRepr = unique( | | getAUse(load)) and
 indirectionIndexRepr = indirectionIndex - 1
 )
@@ -806,7 +808,7 @@ private module Cached {
 indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and
 exists(Instruction load, Operand address |
 address.getDef() = instr and
- isDereference(load, address) and
+ isDereference(load, address, false) and
 instrRepr = load and
 indirectionIndexRepr = indirectionIndex - 1
 )
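Review bot: The new `additional` parameter on `isDereference` is undocumented, and the two disjuncts are not made mutually exclusive: if some `Indirection.isAdditionalDereference(deref, address)` tuple also satisfies `deref.(LoadInstruction).getSourceAddressOperand() = address`, the predicate holds for both `true` and `false`, so the callers that pass `false` (the @@ -786 and @@ -806 hunks) would still see that dereference. Whether such an overlap can occur depends on the `Indirection` implementations, which are outside this hunk. If it cannot, a QLDoc above the predicate would pin the contract, e.g. `/** Holds if deref dereferences address. additional is true when the dereference is one contributed by an Indirection (an extra, iterator-style dereference) and false when it is a plain LoadInstruction reading from address. */`. If it can, guarding the second disjunct with `not any(Indirection ind).isAdditionalDereference(deref, address)` would make the two values disjoint.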
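Review bot: Passing `false` here (and in the @@ -806 hunk) restricts this representative computation to plain `LoadInstruction` dereferences, while every other caller in this diff passes `_`, and nothing in the hunk says why `Indirection`-contributed dereferences are excluded at exactly these two sites. A one-line comment would spare the next reader from re-deriving it, e.g. above the call: `// Only plain loads: additional dereferences (Indirection.isAdditionalDereference) are deliberately not collapsed into a representative here.` The dropped `vector.cpp:532` entry in `taint.expected` later in this diff suggests this restriction is what removed the unexpected `operator[]` result, which would be worth stating in that comment. The enclosing predicate's head lies outside the hunk, so I cannot see what the representative feeds.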
@@ -829,7 +831,7 @@ private module Cached {
 or
 exists(int ind0 |
 exists(Operand address |
- isDereference(operand.getDef(), address) and
+ isDereference(operand.getDef(), address, _) and
 isUseImpl(address, base, ind0)
 )
 or
@@ -899,7 +901,7 @@ private module Cached {
 )
 or
 exists(Operand address, boolean certain0 |
- isDereference(operand.getDef(), address) and
+ isDereference(operand.getDef(), address, _) and
 isDefImpl(address, base, ind - 1, certain0)
 |
 if isCertainAddress(operand) then certain = certain0 else certain = false
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
index 50e45e3081d..fd4169edd7d 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -57,7 +57,7 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
 )
 or
 // Taint flow from an address to its dereference.
- Ssa::isDereference(instrTo, opFrom)
+ Ssa::isDereference(instrTo, opFrom, _)
 or
 // Unary instructions tend to preserve enough information in practice that we
 // want taint to flow through.
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
index 69682372967..0065ae75d21 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -4,5 +4,4 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (taint
 WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:68,25-33)
 WARNING: Module TaintTracking has been deprecated and may be removed in future (taint.ql:73,20-33)
 testFailures
-| vector.cpp:532:10:532:12 | call to operator[] | Unexpected result: ir= |
 failures