Merge pull request #12430 from MathiasVP/no-to-string-on-state-in-cast-array-pointer-arith

C++: Convert `cpp/upcast-array-pointer-arithmetic` to the new API
Mathias Vorreiter Pedersen
2023-03-07 16:48:15 +00:00
committed by GitHub


@@ -18,31 +18,39 @@
import cpp import cpp
import semmle.code.cpp.ir.dataflow.DataFlow import semmle.code.cpp.ir.dataflow.DataFlow
import DataFlow::PathGraph import CastToPointerArithFlow::PathGraph
Type getFullyConvertedType(DataFlow::Node node) { Type getFullyConvertedType(DataFlow::Node node) {
result = node.asExpr().getFullyConverted().getUnspecifiedType() result = node.asExpr().getFullyConverted().getUnspecifiedType()
} }
class CastToPointerArithFlow extends DataFlow::Configuration { module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {
CastToPointerArithFlow() { this = "CastToPointerArithFlow" } class FlowState = Type;
override predicate isSource(DataFlow::Node node, DataFlow::FlowState state) { predicate isSource(DataFlow::Node node, FlowState state) {
not node.asExpr() instanceof Conversion and not node.asExpr() instanceof Conversion and
exists(Type baseType1, Type baseType2 | exists(Type baseType1, Type baseType2 |
hasBaseType(node.asExpr(), baseType1) and hasBaseType(node.asExpr(), baseType1) and
hasBaseType(node.asExpr().getConversion*(), baseType2) and hasBaseType(node.asExpr().getConversion*(), baseType2) and
introducesNewField(baseType1, baseType2) introducesNewField(baseType1, baseType2)
) and ) and
getFullyConvertedType(node).getName() = state getFullyConvertedType(node) = state
} }
override predicate isSink(DataFlow::Node node, DataFlow::FlowState state) { predicate isSink(DataFlow::Node node, FlowState state) {
( (
exists(PointerAddExpr pae | pae.getAnOperand() = node.asExpr()) or exists(PointerAddExpr pae | pae.getAnOperand() = node.asExpr()) or
exists(ArrayExpr ae | ae.getArrayBase() = node.asExpr()) exists(ArrayExpr ae | ae.getArrayBase() = node.asExpr())
) and ) and
getFullyConvertedType(node).getName() = state getFullyConvertedType(node) = state
}
predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
predicate isAdditionalFlowStep(
DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
) {
none()
} }
} }
@@ -72,15 +80,9 @@ predicate introducesNewField(Class derived, Class base) {
) )
} }
pragma[nomagic] module CastToPointerArithFlow = DataFlow::MakeWithState<CastToPointerArithFlowConfig>;
predicate hasFullyConvertedType(DataFlow::PathNode node, Type t) {
getFullyConvertedType(node.getNode()) = t
}
from DataFlow::PathNode source, DataFlow::PathNode sink, CastToPointerArithFlow cfg, Type t from CastToPointerArithFlow::PathNode source, CastToPointerArithFlow::PathNode sink
where where CastToPointerArithFlow::hasFlowPath(source, sink)
cfg.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
hasFullyConvertedType(source, t) and
hasFullyConvertedType(sink, t)
select sink, source, sink, "This pointer arithmetic may be done with the wrong type because of $@.", select sink, source, sink, "This pointer arithmetic may be done with the wrong type because of $@.",
source, "this cast" source, "this cast"
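Review bot: The new `class FlowState = Type;` in `CastToPointerArithFlowConfig` carries no QLDoc, so a reader has to work out from `isSource`/`isSink` that the state is the fully converted, unspecified type recorded at the source and required again at the sink; a comment such as `/** The fully-converted (unspecified) type seen at the source; a sink only matches when it has the same type. */` above the alias would make the matching rule explicit. The two `none()` bodies for `isBarrier` and `isAdditionalFlowStep` likewise read as unfinished stubs; a one-line comment like `// No barriers or extra steps: only the default value flow from the cast is tracked.` would show they are deliberate. Switching the state from `getFullyConvertedType(node).getName()` to the `Type` itself means two distinct types that merely share a name no longer pair a source with a sink, which looks intended given that the removed `hasFullyConvertedType(source, t) and hasFullyConvertedType(sink, t)` conjunct already required the same `Type` at both ends, so the result set seems unchanged; worth confirming against the query's expected-output tests, which are not part of this section. `hasBaseType` and `introducesNewField` are defined outside the visible hunks.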