C++: Don't consider additional loads when reusing dataflow operands.

2025-12-22 19:56:32 +01:00 · 2023-08-21 12:51:41 +01:00
parent 50190efe1c
commit c46f9e4572
5 changed files with 14 additions and 13 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -692,7 +692,7 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { storeStepImpl(node1,
 private predicate numberOfLoadsFromOperandRec(
  Operand operandFrom, Operand operandTo, int ind, boolean certain
 ) {
-  exists(Instruction load | Ssa::isDereference(load, operandFrom) |
+  exists(Instruction load | Ssa::isDereference(load, operandFrom, _) |
    operandTo = operandFrom and ind = 0 and certain = true
    or
    numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1, certain)
@@ -716,7 +716,7 @@ private predicate numberOfLoadsFromOperand(
 ) {
  numberOfLoadsFromOperandRec(operandFrom, operandTo, n, certain)
  or
-  not Ssa::isDereference(_, operandFrom) and
+  not Ssa::isDereference(_, operandFrom, _) and
  not conversionFlow(operandFrom, _, _, _) and
  operandFrom = operandTo and
  n = 0 and
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -610,7 +610,7 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
      hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
      hasOperandAndIndex(nTo, op2, indirectionIndex - 1) and
      instr = op2.getDef() and
-      isDereference(instr, op1)
+      isDereference(instr, op1, _)
    )
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -320,10 +320,12 @@ private module IteratorIndirections {
  }
 }

-predicate isDereference(Instruction deref, Operand address) {
-  any(Indirection ind).isAdditionalDereference(deref, address)
+predicate isDereference(Instruction deref, Operand address, boolean additional) {
+  any(Indirection ind).isAdditionalDereference(deref, address) and
+  additional = true
  or
-  deref.(LoadInstruction).getSourceAddressOperand() = address
+  deref.(LoadInstruction).getSourceAddressOperand() = address and
+  additional = false
 }

 predicate isWrite(Node0Impl value, Operand address, boolean certain) {
@@ -545,7 +547,7 @@ private module Cached {
      isDef(_, value, iteratorDerefAddress, iteratorBase, numberOfLoads + 2, 0) and
      isUse(_, iteratorAddress, iteratorBase, numberOfLoads + 1, 0) and
      iteratorBase.getResultType() instanceof Interfaces::Iterator and
-      isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse()) and
+      isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse(), _) and
      memory = read.getSideEffectOperand().getAnyDef()
    )
  }
@@ -786,7 +788,7 @@ private module Cached {
  ) {
    indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and
    exists(Instruction load |
-      isDereference(load, operand) and
+      isDereference(load, operand, false) and
      operandRepr = unique( | | getAUse(load)) and
      indirectionIndexRepr = indirectionIndex - 1
    )
@@ -806,7 +808,7 @@ private module Cached {
    indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and
    exists(Instruction load, Operand address |
      address.getDef() = instr and
-      isDereference(load, address) and
+      isDereference(load, address, false) and
      instrRepr = load and
      indirectionIndexRepr = indirectionIndex - 1
    )
@@ -829,7 +831,7 @@ private module Cached {
    or
    exists(int ind0 |
      exists(Operand address |
-        isDereference(operand.getDef(), address) and
+        isDereference(operand.getDef(), address, _) and
        isUseImpl(address, base, ind0)
      )
      or
@@ -899,7 +901,7 @@ private module Cached {
    )
    or
    exists(Operand address, boolean certain0 |
-      isDereference(operand.getDef(), address) and
+      isDereference(operand.getDef(), address, _) and
      isDefImpl(address, base, ind - 1, certain0)
    |
      if isCertainAddress(operand) then certain = certain0 else certain = false
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -57,7 +57,7 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
  )
  or
  // Taint flow from an address to its dereference.
-  Ssa::isDereference(instrTo, opFrom)
+  Ssa::isDereference(instrTo, opFrom, _)
  or
  // Unary instructions tend to preserve enough information in practice that we
  // want taint to flow through.
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -4,5 +4,4 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (taint
 WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:68,25-33)
 WARNING: Module TaintTracking has been deprecated and may be removed in future (taint.ql:73,20-33)
 testFailures
-| vector.cpp:532:10:532:12 | call to operator[] | Unexpected result: ir= |
 failures