C++: replace getType().getUnspecifiedType()
@@ -17,10 +17,10 @@
|
||||
import cpp
|
||||
|
||||
from BitField bf
|
||||
where not bf.getType().getUnspecifiedType().(IntegralType).isExplicitlySigned()
|
||||
and not bf.getType().getUnspecifiedType().(IntegralType).isExplicitlyUnsigned()
|
||||
and not bf.getType().getUnspecifiedType() instanceof Enum
|
||||
and not bf.getType().getUnspecifiedType() instanceof BoolType
|
||||
where not bf.getUnspecifiedType().(IntegralType).isExplicitlySigned()
|
||||
and not bf.getUnspecifiedType().(IntegralType).isExplicitlyUnsigned()
|
||||
and not bf.getUnspecifiedType() instanceof Enum
|
||||
and not bf.getUnspecifiedType() instanceof BoolType
|
||||
// At least for C programs on Windows, BOOL is a common typedef for a type
|
||||
// representing BoolType.
|
||||
and not bf.getType().hasName("BOOL")
|
||||
|
||||
@@ -15,7 +15,7 @@ import cpp
|
||||
from EqualityOperation t, RemExpr lhs, Literal rhs
|
||||
where t.getLeftOperand() = lhs and
|
||||
t.getRightOperand() = rhs and
|
||||
lhs.getLeftOperand().getType().getUnspecifiedType().(IntegralType).isSigned() and
|
||||
lhs.getLeftOperand().getUnspecifiedType().(IntegralType).isSigned() and
|
||||
lhs.getRightOperand().getValue() = "2" and
|
||||
rhs.getValue() = "1"
|
||||
select t, "Possibly invalid test for oddness. This will fail for negative numbers."
|
||||
|
||||
@@ -45,7 +45,7 @@ predicate pointlessSelfComparison(ComparisonOperation cmp) {
|
||||
predicate nanTest(EqualityOperation cmp) {
|
||||
pointlessSelfComparison(cmp) and
|
||||
exists (Type t
|
||||
| t = cmp.getLeftOperand().getType().getUnspecifiedType()
|
||||
| t = cmp.getLeftOperand().getUnspecifiedType()
|
||||
| t instanceof FloatingPointType or
|
||||
t instanceof TemplateParameter)
|
||||
}
|
||||
|
||||
@@ -55,5 +55,5 @@ predicate introducesNewField(Class derived, Class base) {
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, CastToPointerArithFlow cfg
|
||||
where cfg.hasFlowPath(source, sink)
|
||||
and source.getNode().asExpr().getFullyConverted().getType().getUnspecifiedType() = sink.getNode().asExpr().getFullyConverted().getType().getUnspecifiedType()
|
||||
and source.getNode().asExpr().getFullyConverted().getUnspecifiedType() = sink.getNode().asExpr().getFullyConverted().getUnspecifiedType()
|
||||
select sink, source, sink, "Pointer arithmetic here may be done with the wrong type because of the cast $@.", source, "here"
|
||||
|
||||
@@ -48,7 +48,7 @@ predicate gettextFunction(Function f, int arg) {
|
||||
|
||||
predicate stringArray(Variable arr, AggregateLiteral init) {
|
||||
arr.getInitializer().getExpr() = init and
|
||||
stringType(arr.getType().getUnspecifiedType().(ArrayType).getBaseType(), _)
|
||||
stringType(arr.getUnspecifiedType().(ArrayType).getBaseType(), _)
|
||||
// Ideally, this predicate should also check that no item of `arr` is ever
|
||||
// reassigned, but such an analysis could get fairly complicated. Instead, we
|
||||
// just hope that nobody would initialize an array of constants and then
|
||||
|
||||
@@ -75,7 +75,7 @@ class LoopWithAlloca extends Stmt {
|
||||
conditionRequires(eq, truth) and
|
||||
eq.getAnOperand().getValue().toInt() = 1 and
|
||||
e = eq.getAnOperand() and
|
||||
e.getType().getUnspecifiedType() instanceof BoolType and
|
||||
e.getUnspecifiedType() instanceof BoolType and
|
||||
not exists(e.getValue())
|
||||
)
|
||||
or
|
||||
@@ -84,7 +84,7 @@ class LoopWithAlloca extends Stmt {
|
||||
conditionRequires(eq, truth.booleanNot()) and
|
||||
eq.getAnOperand().getValue().toInt() = 1 and
|
||||
e = eq.getAnOperand() and
|
||||
e.getType().getUnspecifiedType() instanceof BoolType and
|
||||
e.getUnspecifiedType() instanceof BoolType and
|
||||
not exists(e.getValue())
|
||||
)
|
||||
or
|
||||
|
||||
@@ -45,7 +45,7 @@ predicate hasNontrivialConversion(Expr e) {
|
||||
from LocalScopeVariable var, VariableAccess va, ReturnStmt r
|
||||
where
|
||||
not var.isStatic() and
|
||||
not var.getType().getUnspecifiedType() instanceof ReferenceType and
|
||||
not var.getUnspecifiedType() instanceof ReferenceType and
|
||||
not r.isFromUninstantiatedTemplate(_) and
|
||||
va = var.getAnAccess() and
|
||||
(
|
||||
|
||||
@@ -84,12 +84,12 @@ string nthString (int num) {
|
||||
* with a fixed size array.
|
||||
*/
|
||||
int arrayExprFixedSize(Expr e) {
|
||||
result = e.getType().getUnspecifiedType().(ArrayType).getSize()
|
||||
result = e.getUnspecifiedType().(ArrayType).getSize()
|
||||
or
|
||||
result = e.(NewArrayExpr).getAllocatedType().(ArrayType).getSize()
|
||||
or
|
||||
exists (SsaDefinition def, LocalVariable v
|
||||
| not (e.getType().getUnspecifiedType() instanceof ArrayType) and
|
||||
| not (e.getUnspecifiedType() instanceof ArrayType) and
|
||||
e = def.getAUse(v) and
|
||||
result = arrayExprFixedSize(def.getDefiningValue(v)))
|
||||
}
|
||||
@@ -103,7 +103,7 @@ where
|
||||
copySource = fc.getArgument(argSrc) and
|
||||
// Some of the functions operate on a larger char type, like `wchar_t`, so we
|
||||
// need to take this into account in the fixed size case.
|
||||
charSize = f.getParameter(argDest).getType().getUnspecifiedType().(PointerType).getBaseType().getSize() and
|
||||
charSize = f.getParameter(argDest).getUnspecifiedType().(PointerType).getBaseType().getSize() and
|
||||
if exists(fc.getArgument(argLimit).getValue().toInt()) then (
|
||||
// Fixed sized case
|
||||
exists(int size |
|
||||
|
||||
@@ -17,11 +17,11 @@ import cpp
|
||||
class CandidateParameter extends Parameter {
|
||||
CandidateParameter() {
|
||||
// an array parameter
|
||||
getType().getUnspecifiedType() instanceof ArrayType
|
||||
getUnspecifiedType() instanceof ArrayType
|
||||
or
|
||||
(
|
||||
// a pointer parameter
|
||||
getType().getUnspecifiedType() instanceof PointerType and
|
||||
getUnspecifiedType() instanceof PointerType and
|
||||
|
||||
// whose address is never taken (rules out common
|
||||
// false positive patterns)
|
||||
|
||||
@@ -34,7 +34,7 @@ predicate bindThrownType(ThrowExpr te, Type thrown)
|
||||
|
||||
// For rethrows, we use the unqualified version of the type caught by the enclosing catch block.
|
||||
// Note that this is not precise, but is a reasonable first approximation.
|
||||
or exists(CatchBlock cb | bindEnclosingCatch(te, cb) and bindStrippedReferenceType(cb.getParameter().getType().getUnspecifiedType(), thrown))
|
||||
or exists(CatchBlock cb | bindEnclosingCatch(te, cb) and bindStrippedReferenceType(cb.getParameter().getUnspecifiedType(), thrown))
|
||||
}
|
||||
|
||||
// This predicate determines the catch blocks that can catch the exceptions thrown by each throw expression.
|
||||
@@ -43,7 +43,7 @@ predicate canCatch(ThrowExpr te, CatchBlock cb)
|
||||
{
|
||||
exists(Type thrown, Type caught |
|
||||
bindThrownType(te, thrown)
|
||||
and caught = cb.getParameter().getType().getUnspecifiedType()
|
||||
and caught = cb.getParameter().getUnspecifiedType()
|
||||
and not bindEnclosingCatch(te, cb)
|
||||
|
||||
and
|
||||
|
||||
@@ -73,8 +73,8 @@ predicate argTypeMayBeUsed(Type arg, Type parm) {
|
||||
// function parameter `parm` without need for run-time conversion.
|
||||
pragma[inline]
|
||||
predicate argMayBeUsed(Expr arg, Parameter parm) {
|
||||
argTypeMayBeUsed(arg.getFullyConverted().getType().getUnspecifiedType(),
|
||||
parm.getType().getUnspecifiedType())
|
||||
argTypeMayBeUsed(arg.getFullyConverted().getUnspecifiedType(),
|
||||
parm.getUnspecifiedType())
|
||||
}
|
||||
|
||||
// True if function was ()-declared, but not (void)-declared or K&R-defined
|
||||
@@ -104,5 +104,5 @@ where
|
||||
not argMayBeUsed(fc.getArgument(p.getIndex()), p)
|
||||
select fc, "Calling $@: argument $@ of type $@ is incompatible with parameter $@.", f, f.toString(),
|
||||
fc.getArgument(p.getIndex()) as arg, arg.toString(),
|
||||
arg.getExplicitlyConverted().getType().getUnspecifiedType() as atype, atype.toString(), p,
|
||||
arg.getExplicitlyConverted().getUnspecifiedType() as atype, atype.toString(), p,
|
||||
p.getTypedName()
|
||||
|
||||
@@ -21,7 +21,7 @@ predicate taintedAllocSize(Expr e, Expr source, string taintCause) {
|
||||
) and
|
||||
exists(Expr tainted |
|
||||
tainted = e.getAChild() and
|
||||
tainted.getType().getUnspecifiedType() instanceof IntegralType and
|
||||
tainted.getUnspecifiedType() instanceof IntegralType and
|
||||
isUserInput(source, taintCause) and
|
||||
tainted(source, tainted)
|
||||
)
|
||||
|
||||
@@ -43,7 +43,7 @@ where exists(pointerArithmeticParent(dest))
|
||||
// ```
|
||||
and forall(Expr parent |
|
||||
parent = pointerArithmeticParent+(dest) |
|
||||
parent.getFullyConverted().getType().getUnspecifiedType() instanceof PointerType)
|
||||
parent.getFullyConverted().getUnspecifiedType() instanceof PointerType)
|
||||
select
|
||||
dest,
|
||||
"This pointer might have type $@ (size " + sourceBase.getSize() +
|
||||
|
||||
@@ -47,7 +47,7 @@ where exists(pointerArithmeticParent(dest))
|
||||
// ```
|
||||
and forall(Expr parent |
|
||||
parent = pointerArithmeticParent+(dest) |
|
||||
parent.getFullyConverted().getType().getUnspecifiedType() instanceof PointerType)
|
||||
parent.getFullyConverted().getUnspecifiedType() instanceof PointerType)
|
||||
|
||||
// Only produce alerts that are not produced by `IncorrectPointerScaling.ql`.
|
||||
and (destBase instanceof CharType)
|
||||
|
||||
@@ -117,7 +117,7 @@ predicate exprSourceType(Expr use, Type sourceType, Location sourceLoc) {
|
||||
|
||||
// Source expressions
|
||||
else
|
||||
(sourceType = use.getType().getUnspecifiedType() and
|
||||
(sourceType = use.getUnspecifiedType() and
|
||||
isPointerType(sourceType) and
|
||||
sourceLoc = use.getLocation())
|
||||
}
|
||||
@@ -135,7 +135,7 @@ predicate defSourceType(SsaDefinition def, LocalScopeVariable v,
|
||||
exists (Parameter p
|
||||
| p = v and
|
||||
def.definedByParameter(p) and
|
||||
sourceType = p.getType().getUnspecifiedType() and
|
||||
sourceType = p.getUnspecifiedType() and
|
||||
strictcount(p.getType()) = 1 and
|
||||
isPointerType(sourceType) and
|
||||
sourceLoc = p.getLocation())
|
||||
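Review bot: The guard `strictcount(p.getType()) = 1` directly below the rewritten binding still goes through `getType()`, so after this sweep it reads like a missed replacement. That is presumably deliberate, since the guard looks like it rejects parameters with more than one recorded type rather than dealing with typedefs, but nothing in the hunk says so. A one-line comment such as `// deliberately getType(): skip parameters with several recorded types` would make the intent explicit. The enclosing `exists` and the rest of `defSourceType` start and end outside this hunk.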
|
||||
@@ -15,7 +15,7 @@ import IncorrectPointerScalingCommon
|
||||
|
||||
private predicate isCharSzPtrExpr(Expr e) {
|
||||
exists (PointerType pt
|
||||
| pt = e.getFullyConverted().getType().getUnspecifiedType()
|
||||
| pt = e.getFullyConverted().getUnspecifiedType()
|
||||
| pt.getBaseType() instanceof CharType
|
||||
or pt.getBaseType() instanceof VoidType)
|
||||
}
|
||||
|
||||
@@ -23,7 +23,7 @@ from Expr e1, Cast e2
|
||||
where
|
||||
e2 = e1.getConversion() and
|
||||
exists(WideCharPointerType w, CharPointerType c |
|
||||
w = e2.getType().getUnspecifiedType().(PointerType) and
|
||||
c = e1.getType().getUnspecifiedType().(PointerType)
|
||||
w = e2.getUnspecifiedType().(PointerType) and
|
||||
c = e1.getUnspecifiedType().(PointerType)
|
||||
)
|
||||
select e1, "Conversion from " + e1.getType().toString() + " to " + e2.getType().toString() + ". Use of invalid string can lead to undefined behavior."
|
||||
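Review bot: The `.(PointerType)` casts on the two rewritten lines look redundant, because `w` and `c` are already declared as `WideCharPointerType` and `CharPointerType`; the equality alone restricts the type, assuming both classes extend `PointerType` (their definitions are not in this hunk). `w = e2.getUnspecifiedType() and` / `c = e1.getUnspecifiedType()` would state the same condition. The `select` message keeps `e1.getType().toString()`, which is the right choice for an alert because it prints the type name the developer wrote; a short comment saying so would keep a later sweep from converting it as well.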
@@ -60,7 +60,7 @@ class NonNullDaclConfig extends DataFlow2::Configuration {
|
||||
}
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source.getType().getUnspecifiedType().(PointerType).getBaseType() =
|
||||
source.getUnspecifiedType().(PointerType).getBaseType() =
|
||||
any(Type t | t.getName() = "ACL").getUnspecifiedType() and
|
||||
(
|
||||
// If the value comes from a function whose body we can't see, assume
|
||||
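Review bot: `source` in `isSource` is a `DataFlow::Node`, not an `Expr`, `Variable` or `Function` like the receivers in the other hunks, so `source.getUnspecifiedType()` only compiles if the data-flow node class also exposes that member; its definition is not visible in this part of the diff. Please confirm the query still compiles and that the member is equivalent to `getType().getUnspecifiedType()`, since this predicate decides which values are treated as a DACL source and a silent change here would alter what the security query reports. The body of `isSource` continues past the end of the hunk.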
|
||||
@@ -74,7 +74,7 @@ predicate assignOperatorWithWrongType(Operator op, string msg) {
|
||||
and exists(op.getBlock())
|
||||
and exists(Class c |
|
||||
c = op.getDeclaringType()
|
||||
and op.getType().getUnspecifiedType() = c
|
||||
and op.getUnspecifiedType() = c
|
||||
and msg = "Assignment operator in class " + c.getName() + " should have return type " + c.getName() + "&. Otherwise a copy is created at each call."
|
||||
)
|
||||
}
|
||||
|
||||
@@ -30,5 +30,5 @@ where e.getType() instanceof ArrayType
|
||||
and
|
||||
baseElement(e.getType(), cl) // only interested in arrays with classes
|
||||
and
|
||||
not compatible(f.getParameter(i).getType().getUnspecifiedType(), e.getType().getUnspecifiedType()))
|
||||
not compatible(f.getParameter(i).getUnspecifiedType(), e.getUnspecifiedType()))
|
||||
select e, "AV Rule 96: Arrays shall not be teated polymorphically"
|
||||
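Review bot: Only the `compatible(...)` call strips typedefs and specifiers here; the hunk header shows `where e.getType() instanceof ArrayType` and the context line calls `baseElement(e.getType(), cl)`, so an array whose declared type goes through a typedef may be filtered out before `compatible` is evaluated. If that is not intended, `e.getUnspecifiedType() instanceof ArrayType` would make the three uses agree; whether `baseElement` needs the same treatment depends on its definition, which is outside this hunk. Separately, the alert text on the `select` line has a typo, `teated` for `treated`.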
|
||||
@@ -16,7 +16,7 @@
|
||||
import cpp
|
||||
|
||||
from BitField bf
|
||||
where not bf.getType().getUnspecifiedType().(IntegralType).isUnsigned()
|
||||
where not bf.getUnspecifiedType().(IntegralType).isUnsigned()
|
||||
and not bf.getUnderlyingType() instanceof Enum
|
||||
and not bf.getUnderlyingType().getUnspecifiedType() instanceof BoolType
|
||||
and not bf.getType().hasName("BOOL") // At least for C programs on Windows, BOOL is a common typedef for a type representing BoolType.
|
||||
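Review bot: Two neighbouring conditions in this hunk were left in the older form: `bf.getUnderlyingType() instanceof Enum` and `bf.getUnderlyingType().getUnspecifiedType() instanceof BoolType`. The sibling bit-field query in the first hunk of this commit writes the same tests as `bf.getUnspecifiedType() instanceof Enum` and `bf.getUnspecifiedType() instanceof BoolType`, and using that form here would keep the two queries in step. The `BoolType` line should be a pure rewrite, but the `Enum` line may change results if `getUnderlyingType()` leaves `const`/`volatile` in place, so confirm its semantics before changing that one.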
|
||||
@@ -1038,7 +1038,7 @@ class CopyAssignmentOperator extends Operator {
|
||||
(hasCopySignature(this) or
|
||||
// Unlike CopyConstructor, this member allows a non-reference
|
||||
// parameter.
|
||||
getParameter(0).getType().getUnspecifiedType() = getDeclaringType()
|
||||
getParameter(0).getUnspecifiedType() = getDeclaringType()
|
||||
) and
|
||||
not exists(this.getParameter(1)) and
|
||||
not exists(getATemplateArgument())
|
||||
|
||||
@@ -66,7 +66,7 @@ class RecoverableAssert extends MacroInvocation, Assertion {
|
||||
not result.getParent() = this.getAnAssertedExpr() and
|
||||
// Remove spurious "string literals" that arise when the macro
|
||||
// uses #stringification
|
||||
not result.(Literal).getType().getUnspecifiedType().(ArrayType).getBaseType() instanceof CharType
|
||||
not result.(Literal).getUnspecifiedType().(ArrayType).getBaseType() instanceof CharType
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -28,12 +28,12 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {
|
||||
v = c.getCanonicalMember(i) and
|
||||
|
||||
// v is an array of size at most 1
|
||||
v.getType().getUnspecifiedType().(ArrayType).getArraySize() <= 1
|
||||
v.getUnspecifiedType().(ArrayType).getArraySize() <= 1
|
||||
) and (
|
||||
exists(SizeofOperator so |
|
||||
// `sizeof(c)` is taken
|
||||
so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
|
||||
so.(SizeofExprOperator).getExprOperand().getType().getUnspecifiedType() = c |
|
||||
so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c |
|
||||
|
||||
// arithmetic is performed on the result
|
||||
so.getParent*() instanceof AddExpr
|
||||
@@ -55,7 +55,7 @@ int getBufferSize(Expr bufferExpr, Element why) {
|
||||
exists(Variable bufferVar | bufferVar = bufferExpr.(VariableAccess).getTarget() |
|
||||
(
|
||||
// buffer is a fixed size array
|
||||
result = bufferVar.getType().getUnspecifiedType().(ArrayType).getSize() and
|
||||
result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
|
||||
why = bufferVar and
|
||||
not memberMayBeVarSize(_, bufferVar) and
|
||||
not result = 0 // zero sized arrays are likely to have special usage, for example
|
||||
@@ -69,13 +69,13 @@ int getBufferSize(Expr bufferExpr, Element why) {
|
||||
why instanceof StringLiteral
|
||||
) and
|
||||
result = why.(Expr).getType().(ArrayType).getSize() and
|
||||
not exists(bufferVar.getType().getUnspecifiedType().(ArrayType).getSize())
|
||||
not exists(bufferVar.getUnspecifiedType().(ArrayType).getSize())
|
||||
) or exists(Class parentClass, VariableAccess parentPtr |
|
||||
// buffer is the parentPtr->bufferVar of a 'variable size struct'
|
||||
memberMayBeVarSize(parentClass, bufferVar) and
|
||||
why = bufferVar and
|
||||
parentPtr = bufferExpr.(VariableAccess).getQualifier() and
|
||||
parentPtr.getTarget().getType().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
|
||||
parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
|
||||
result =
|
||||
getBufferSize(parentPtr, _) +
|
||||
bufferVar.getType().getSize() -
|
||||
|
||||
@@ -33,8 +33,8 @@ class AnalysedString extends Expr
|
||||
{
|
||||
AnalysedString()
|
||||
{
|
||||
this.getType().getUnspecifiedType() instanceof ArrayType or
|
||||
this.getType().getUnspecifiedType() instanceof PointerType
|
||||
this.getUnspecifiedType() instanceof ArrayType or
|
||||
this.getUnspecifiedType() instanceof PointerType
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -69,7 +69,7 @@ private predicate addressTakenVariable(LocalScopeVariable var) {
|
||||
}
|
||||
|
||||
private predicate isReferenceVar(LocalScopeVariable v) {
|
||||
v.getType().getUnspecifiedType() instanceof ReferenceType
|
||||
v.getUnspecifiedType() instanceof ReferenceType
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -435,7 +435,7 @@ library class ExprEvaluator extends int {
|
||||
interestingInternal(e, fc, _) |
|
||||
f = fc.getTarget()
|
||||
and not obviouslyNonConstant(f)
|
||||
and not f.getType().getUnspecifiedType() instanceof VoidType
|
||||
and not f.getUnspecifiedType() instanceof VoidType
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -68,7 +68,7 @@ private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
|
||||
pointerOut instanceof PointerSubExpr
|
||||
) and
|
||||
pointerIn = pointerOut.getAChild().getFullyConverted() and
|
||||
pointerIn.getType().getUnspecifiedType() instanceof PointerType
|
||||
pointerIn.getUnspecifiedType() instanceof PointerType
|
||||
or
|
||||
pointerIn = pointerOut.(UnaryPlusExpr).getOperand().getFullyConverted()
|
||||
or
|
||||
|
||||
@@ -92,7 +92,7 @@ predicate stackPointerFlowsToUse(
|
||||
* expression.
|
||||
*/
|
||||
cached private PointerType getExprPtrType(Expr use) {
|
||||
result = use.getType().getUnspecifiedType()
|
||||
result = use.getUnspecifiedType()
|
||||
}
|
||||
|
||||
predicate stackReferenceFlowsToUse(
|
||||
@@ -122,11 +122,11 @@ predicate stackReferenceFlowsToUse(
|
||||
// a PointerType for `p`. Luckily, this conversion happens
|
||||
// automatically when the variable is used. So we get the correct type
|
||||
// provided that we get it from `use` rather than from `var`.
|
||||
useType = use.getType().getUnspecifiedType())
|
||||
useType = use.getUnspecifiedType())
|
||||
or
|
||||
// Accessing the field of a class, struct, or union.
|
||||
exists (FieldAccess access, Class classType
|
||||
| use = access and useType = access.getType().getUnspecifiedType()
|
||||
| use = access and useType = access.getUnspecifiedType()
|
||||
| // Handle both x.f and x->f:
|
||||
stackReferenceFlowsToUse(access.getQualifier(), classType, source, isLocal) or
|
||||
stackPointerFlowsToUse(access.getQualifier(), classType, source, isLocal))
|
||||
@@ -216,7 +216,7 @@ predicate stackReferenceFlowsToDef_Impl(
|
||||
|
||||
/** The type of the variable is a reference type, such as int&. */
|
||||
predicate isReferenceVariable(LocalScopeVariable var) {
|
||||
var.getType().getUnspecifiedType() instanceof ReferenceType
|
||||
var.getUnspecifiedType() instanceof ReferenceType
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -118,7 +118,7 @@ module FlowVar_internal {
|
||||
// The SSA library has a theoretically accurate treatment of reference types,
|
||||
// treating them as immutable, but for data flow it gives better results in
|
||||
// practice to make the variable synonymous with its contents.
|
||||
not v.getType().getUnspecifiedType() instanceof ReferenceType
|
||||
not v.getUnspecifiedType() instanceof ReferenceType
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -146,7 +146,7 @@ class FieldAccess extends VariableAccess {
|
||||
class PointerFieldAccess extends FieldAccess {
|
||||
PointerFieldAccess() {
|
||||
exists (PointerType t
|
||||
| t = getQualifier().getFullyConverted().getType().getUnspecifiedType() and
|
||||
| t = getQualifier().getFullyConverted().getUnspecifiedType() and
|
||||
t.getBaseType() instanceof Class)
|
||||
}
|
||||
}
|
||||
@@ -160,7 +160,7 @@ class PointerFieldAccess extends FieldAccess {
|
||||
class DotFieldAccess extends FieldAccess {
|
||||
DotFieldAccess() {
|
||||
exists (Class c
|
||||
| c = getQualifier().getFullyConverted().getType().getUnspecifiedType())
|
||||
| c = getQualifier().getFullyConverted().getUnspecifiedType())
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -58,19 +58,19 @@ module CastSanity {
|
||||
// Every cast should have exactly one semantic conversion kind
|
||||
count(cast.getSemanticConversionString()) > 1 and
|
||||
kind = cast.getSemanticConversionString() and
|
||||
fromType = cast.getExpr().getType().getUnspecifiedType()
|
||||
fromType = cast.getExpr().getUnspecifiedType()
|
||||
}
|
||||
|
||||
query predicate missingSemanticConversionString(Cast cast, Type fromType) {
|
||||
// Every cast should have exactly one semantic conversion kind
|
||||
not exists(cast.getSemanticConversionString()) and
|
||||
fromType = cast.getExpr().getType().getUnspecifiedType()
|
||||
fromType = cast.getExpr().getUnspecifiedType()
|
||||
}
|
||||
|
||||
query predicate unknownSemanticConversionString(Cast cast, Type fromType) {
|
||||
// Every cast should have a known semantic conversion kind
|
||||
cast.getSemanticConversionString() = "unknown conversion" and
|
||||
fromType = cast.getExpr().getType().getUnspecifiedType()
|
||||
fromType = cast.getExpr().getUnspecifiedType()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -137,8 +137,8 @@ private predicate isPointerToMemberOrNullPointer(Type type) {
|
||||
class ArithmeticConversion extends Cast {
|
||||
ArithmeticConversion() {
|
||||
conversionkinds(underlyingElement(this), 0) and
|
||||
isArithmeticOrEnum(getType().getUnspecifiedType()) and
|
||||
isArithmeticOrEnum(getExpr().getType().getUnspecifiedType())
|
||||
isArithmeticOrEnum(getUnspecifiedType()) and
|
||||
isArithmeticOrEnum(getExpr().getUnspecifiedType())
|
||||
}
|
||||
|
||||
override string getSemanticConversionString() {
|
||||
@@ -151,8 +151,8 @@ class ArithmeticConversion extends Cast {
|
||||
*/
|
||||
class IntegralConversion extends ArithmeticConversion {
|
||||
IntegralConversion() {
|
||||
isIntegralOrEnum(getType().getUnspecifiedType()) and
|
||||
isIntegralOrEnum(getExpr().getType().getUnspecifiedType())
|
||||
isIntegralOrEnum(getUnspecifiedType()) and
|
||||
isIntegralOrEnum(getExpr().getUnspecifiedType())
|
||||
}
|
||||
|
||||
override string getSemanticConversionString() {
|
||||
@@ -165,8 +165,8 @@ class IntegralConversion extends ArithmeticConversion {
|
||||
*/
|
||||
class FloatingPointConversion extends ArithmeticConversion {
|
||||
FloatingPointConversion() {
|
||||
getType().getUnspecifiedType() instanceof FloatingPointType and
|
||||
getExpr().getType().getUnspecifiedType() instanceof FloatingPointType
|
||||
getUnspecifiedType() instanceof FloatingPointType and
|
||||
getExpr().getUnspecifiedType() instanceof FloatingPointType
|
||||
}
|
||||
|
||||
override string getSemanticConversionString() {
|
||||
@@ -179,8 +179,8 @@ class FloatingPointConversion extends ArithmeticConversion {
|
||||
*/
|
||||
class FloatingPointToIntegralConversion extends ArithmeticConversion {
|
||||
FloatingPointToIntegralConversion() {
|
||||
isIntegralOrEnum(getType().getUnspecifiedType()) and
|
||||
getExpr().getType().getUnspecifiedType() instanceof FloatingPointType
|
||||
isIntegralOrEnum(getUnspecifiedType()) and
|
||||
getExpr().getUnspecifiedType() instanceof FloatingPointType
|
||||
}
|
||||
|
||||
override string getSemanticConversionString() {
|
||||
@@ -193,8 +193,8 @@ class FloatingPointToIntegralConversion extends ArithmeticConversion {
|
||||
*/
|
||||
class IntegralToFloatingPointConversion extends ArithmeticConversion {
|
||||
IntegralToFloatingPointConversion() {
|
||||
getType().getUnspecifiedType() instanceof FloatingPointType and
|
||||
isIntegralOrEnum(getExpr().getType().getUnspecifiedType())
|
||||
getUnspecifiedType() instanceof FloatingPointType and
|
||||
isIntegralOrEnum(getExpr().getUnspecifiedType())
|
||||
}
|
||||
|
||||
override string getSemanticConversionString() {
|
||||
@@ -211,8 +211,8 @@ class IntegralToFloatingPointConversion extends ArithmeticConversion {
|
||||
class PointerConversion extends Cast {
|
||||
PointerConversion() {
|
||||
conversionkinds(underlyingElement(this), 0) and
|
||||
isPointerOrNullPointer(getType().getUnspecifiedType()) and
|
||||
isPointerOrNullPointer(getExpr().getType().getUnspecifiedType())
|
||||
isPointerOrNullPointer(getUnspecifiedType()) and
|
||||
isPointerOrNullPointer(getExpr().getUnspecifiedType())
|
||||
}
|
||||
|
||||
override string getSemanticConversionString() {
|
||||
@@ -230,8 +230,8 @@ class PointerToMemberConversion extends Cast {
|
||||
PointerToMemberConversion() {
|
||||
conversionkinds(underlyingElement(this), 0) and
|
||||
exists(Type fromType, Type toType |
|
||||
fromType = getExpr().getType().getUnspecifiedType() and
|
||||
toType = getType().getUnspecifiedType() and
|
||||
fromType = getExpr().getUnspecifiedType() and
|
||||
toType = getUnspecifiedType() and
|
||||
isPointerToMemberOrNullPointer(fromType) and
|
||||
isPointerToMemberOrNullPointer(toType) and
|
||||
// A conversion from nullptr to nullptr is a `PointerConversion`, not a
|
||||
@@ -254,8 +254,8 @@ class PointerToMemberConversion extends Cast {
|
||||
class PointerToIntegralConversion extends Cast {
|
||||
PointerToIntegralConversion() {
|
||||
conversionkinds(underlyingElement(this), 0) and
|
||||
isIntegralOrEnum(getType().getUnspecifiedType()) and
|
||||
isPointerOrNullPointer(getExpr().getType().getUnspecifiedType())
|
||||
isIntegralOrEnum(getUnspecifiedType()) and
|
||||
isPointerOrNullPointer(getExpr().getUnspecifiedType())
|
||||
}
|
||||
|
||||
override string getSemanticConversionString() {
|
||||
@@ -269,8 +269,8 @@ class PointerToIntegralConversion extends Cast {
|
||||
class IntegralToPointerConversion extends Cast {
|
||||
IntegralToPointerConversion() {
|
||||
conversionkinds(underlyingElement(this), 0) and
|
||||
isPointerOrNullPointer(getType().getUnspecifiedType()) and
|
||||
isIntegralOrEnum(getExpr().getType().getUnspecifiedType())
|
||||
isPointerOrNullPointer(getUnspecifiedType()) and
|
||||
isIntegralOrEnum(getExpr().getUnspecifiedType())
|
||||
}
|
||||
|
||||
override string getSemanticConversionString() {
|
||||
@@ -298,7 +298,7 @@ class BoolConversion extends Cast {
|
||||
class VoidConversion extends Cast {
|
||||
VoidConversion() {
|
||||
conversionkinds(underlyingElement(this), 0) and
|
||||
getType().getUnspecifiedType() instanceof VoidType
|
||||
getUnspecifiedType() instanceof VoidType
|
||||
}
|
||||
|
||||
override string getSemanticConversionString() {
|
||||
@@ -353,7 +353,7 @@ class InheritanceConversion extends Cast {
|
||||
*/
|
||||
private Class getConversionClass(Expr expr) {
|
||||
exists(Type operandType |
|
||||
operandType = expr.getType().getUnspecifiedType() and
|
||||
operandType = expr.getUnspecifiedType() and
|
||||
(
|
||||
result = operandType or
|
||||
result = operandType.(PointerType).getBaseType()
|
||||
|
||||
@@ -164,7 +164,7 @@ class ClassAggregateLiteral extends AggregateLiteral {
|
||||
Class classType;
|
||||
|
||||
ClassAggregateLiteral() {
|
||||
classType = this.getType().getUnspecifiedType()
|
||||
classType = this.getUnspecifiedType()
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -223,7 +223,7 @@ class ArrayAggregateLiteral extends AggregateLiteral {
|
||||
ArrayType arrayType;
|
||||
|
||||
ArrayAggregateLiteral() {
|
||||
arrayType = this.getType().getUnspecifiedType()
|
||||
arrayType = this.getUnspecifiedType()
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -132,7 +132,7 @@ private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
|
||||
pointerOut instanceof PointerSubExpr
|
||||
) and
|
||||
pointerIn = pointerOut.getAChild().getFullyConverted() and
|
||||
pointerIn.getType().getUnspecifiedType() instanceof PointerType and
|
||||
pointerIn.getUnspecifiedType() instanceof PointerType and
|
||||
// The pointer arg won't be constant in the sense of `hasConstantValue`, so
|
||||
// this will have to match the integer argument.
|
||||
hasConstantValue(pointerOut.getAChild().getFullyConverted())
|
||||
|
||||
@@ -39,7 +39,7 @@ abstract class TranslatedCondition extends TranslatedElement {
|
||||
}
|
||||
|
||||
final Type getResultType() {
|
||||
result = expr.getType().getUnspecifiedType()
|
||||
result = expr.getUnspecifiedType()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -385,7 +385,7 @@ private int getEndOfValueInitializedRange(ArrayAggregateLiteral initList, int af
|
||||
or
|
||||
isFirstValueInitializedElementInRange(initList, afterElementIndex) and
|
||||
not exists(getNextExplicitlyInitializedElementAfter(initList, afterElementIndex)) and
|
||||
result = initList.getType().getUnspecifiedType().(ArrayType).getArraySize()
|
||||
result = initList.getUnspecifiedType().(ArrayType).getArraySize()
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -55,7 +55,7 @@ abstract class TranslatedExpr extends TranslatedElement {
|
||||
* Gets the type of the result produced by this expression.
|
||||
*/
|
||||
final Type getResultType() {
|
||||
result = expr.getType().getUnspecifiedType()
|
||||
result = expr.getUnspecifiedType()
|
||||
}
|
||||
|
||||
override final Locatable getAST() {
|
||||
@@ -323,7 +323,7 @@ class TranslatedLoad extends TranslatedExpr, TTranslatedLoad {
|
||||
Type resultType, boolean isGLValue) {
|
||||
tag = LoadTag() and
|
||||
opcode instanceof Opcode::Load and
|
||||
resultType = expr.getType().getUnspecifiedType() and
|
||||
resultType = expr.getUnspecifiedType() and
|
||||
if expr.isGLValueCategory() then
|
||||
isGLValue = true
|
||||
else
|
||||
@@ -763,7 +763,7 @@ class TranslatedThisExpr extends TranslatedNonConstantExpr {
|
||||
Type resultType, boolean isGLValue) {
|
||||
tag = OnlyInstructionTag() and
|
||||
opcode instanceof Opcode::CopyValue and
|
||||
resultType = expr.getType().getUnspecifiedType() and
|
||||
resultType = expr.getUnspecifiedType() and
|
||||
isGLValue = false
|
||||
}
|
||||
|
||||
@@ -911,7 +911,7 @@ class TranslatedFunctionAccess extends TranslatedNonConstantExpr {
|
||||
Type resultType, boolean isGLValue) {
|
||||
tag = OnlyInstructionTag() and
|
||||
opcode instanceof Opcode::FunctionAddress and
|
||||
resultType = expr.getType().getUnspecifiedType() and
|
||||
resultType = expr.getUnspecifiedType() and
|
||||
isGLValue = true
|
||||
}
|
||||
|
||||
@@ -1405,7 +1405,7 @@ class TranslatedBinaryOperation extends TranslatedSingleInstructionExpr {
|
||||
// left-to-right.
|
||||
exists(PointerAddExpr ptrAdd, Type rightType |
|
||||
ptrAdd = expr and
|
||||
rightType = ptrAdd.getRightOperand().getType().getUnspecifiedType() and
|
||||
rightType = ptrAdd.getRightOperand().getUnspecifiedType() and
|
||||
rightType instanceof PointerType
|
||||
)
|
||||
}
|
||||
@@ -1767,7 +1767,7 @@ class TranslatedConstantAllocationSize extends TranslatedAllocationSize {
|
||||
Type resultType, boolean isGLValue) {
|
||||
tag = AllocationSizeTag() and
|
||||
opcode instanceof Opcode::Constant and
|
||||
resultType = expr.getAllocator().getParameter(0).getType().getUnspecifiedType() and
|
||||
resultType = expr.getAllocator().getParameter(0).getUnspecifiedType() and
|
||||
isGLValue = false
|
||||
}
|
||||
|
||||
@@ -1813,7 +1813,7 @@ class TranslatedNonConstantAllocationSize extends TranslatedAllocationSize {
|
||||
override final predicate hasInstruction(Opcode opcode, InstructionTag tag,
|
||||
Type resultType, boolean isGLValue) {
|
||||
isGLValue = false and
|
||||
resultType = expr.getAllocator().getParameter(0).getType().getUnspecifiedType() and
|
||||
resultType = expr.getAllocator().getParameter(0).getUnspecifiedType() and
|
||||
(
|
||||
// Convert the extent to `size_t`, because the AST doesn't do this already.
|
||||
tag = AllocationExtentConvertTag() and opcode instanceof Opcode::Convert or
|
||||
@@ -1901,7 +1901,7 @@ class TranslatedAllocatorCall extends TTranslatedAllocatorCall,
|
||||
}
|
||||
|
||||
override final Type getCallResultType() {
|
||||
result = expr.getAllocator().getType().getUnspecifiedType()
|
||||
result = expr.getAllocator().getUnspecifiedType()
|
||||
}
|
||||
|
||||
override final TranslatedExpr getQualifier() {
|
||||
@@ -1961,7 +1961,7 @@ class TranslatedDestructorFieldDestruction extends TranslatedNonConstantExpr,
|
||||
Type resultType, boolean isGLValue) {
|
||||
tag = OnlyInstructionTag() and
|
||||
opcode instanceof Opcode::FieldAddress and
|
||||
resultType = expr.getTarget().getType().getUnspecifiedType() and
|
||||
resultType = expr.getTarget().getUnspecifiedType() and
|
||||
isGLValue = true
|
||||
}
|
||||
|
||||
@@ -2341,7 +2341,7 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr,
|
||||
}
|
||||
|
||||
private Type getExceptionType() {
|
||||
result = expr.getType().getUnspecifiedType()
|
||||
result = expr.getUnspecifiedType()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -311,7 +311,7 @@ class TranslatedFunction extends TranslatedElement,
|
||||
}
|
||||
|
||||
private final Type getReturnType() {
|
||||
result = func.getType().getUnspecifiedType()
|
||||
result = func.getUnspecifiedType()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -403,7 +403,7 @@ class TranslatedStringLiteralInitialization extends TranslatedDirectInitializati
|
||||
*/
|
||||
private predicate zeroInitRange(int startIndex, int elementCount) {
|
||||
exists(int targetCount |
|
||||
startIndex = expr.getType().getUnspecifiedType().(ArrayType).getArraySize() and
|
||||
startIndex = expr.getUnspecifiedType().(ArrayType).getArraySize() and
|
||||
targetCount = getContext().getTargetType().(ArrayType).getArraySize() and
|
||||
elementCount = targetCount - startIndex and
|
||||
elementCount > 0
|
||||
@@ -482,7 +482,7 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
|
||||
override predicate hasInstruction(Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue) {
|
||||
tag = getFieldAddressTag() and
|
||||
opcode instanceof Opcode::FieldAddress and
|
||||
resultType = field.getType().getUnspecifiedType() and
|
||||
resultType = field.getUnspecifiedType() and
|
||||
isGLValue = true
|
||||
}
|
||||
|
||||
@@ -522,7 +522,7 @@ class TranslatedExplicitFieldInitialization extends TranslatedFieldInitializatio
|
||||
}
|
||||
|
||||
override Type getTargetType() {
|
||||
result = field.getType().getUnspecifiedType()
|
||||
result = field.getUnspecifiedType()
|
||||
}
|
||||
|
||||
override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
|
||||
@@ -565,13 +565,13 @@ class TranslatedFieldValueInitialization extends TranslatedFieldInitialization,
|
||||
(
|
||||
tag = getFieldDefaultValueTag() and
|
||||
opcode instanceof Opcode::Constant and
|
||||
resultType = field.getType().getUnspecifiedType() and
|
||||
resultType = field.getUnspecifiedType() and
|
||||
isGLValue = false
|
||||
) or
|
||||
(
|
||||
tag = getFieldDefaultValueStoreTag() and
|
||||
opcode instanceof Opcode::Store and
|
||||
resultType = field.getType().getUnspecifiedType() and
|
||||
resultType = field.getUnspecifiedType() and
|
||||
isGLValue = false
|
||||
)
|
||||
}
|
||||
@@ -596,7 +596,7 @@ class TranslatedFieldValueInitialization extends TranslatedFieldInitialization,
|
||||
|
||||
override string getInstructionConstantValue(InstructionTag tag) {
|
||||
tag = getFieldDefaultValueTag() and
|
||||
result = getZeroValue(field.getType().getUnspecifiedType())
|
||||
result = getZeroValue(field.getUnspecifiedType())
|
||||
}
|
||||
|
||||
override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
|
||||
@@ -711,7 +711,7 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
|
||||
}
|
||||
|
||||
final Type getElementType() {
|
||||
result = initList.getType().getUnspecifiedType().(ArrayType).
|
||||
result = initList.getUnspecifiedType().(ArrayType).
|
||||
getBaseType().getUnspecifiedType()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -18,13 +18,13 @@ private Type getDecayedType(Type type) {
|
||||
*/
|
||||
Type getVariableType(Variable v) {
|
||||
exists(Type declaredType |
|
||||
declaredType = v.getType().getUnspecifiedType() and
|
||||
declaredType = v.getUnspecifiedType() and
|
||||
if v instanceof Parameter then (
|
||||
result = getDecayedType(declaredType) or
|
||||
not exists(getDecayedType(declaredType)) and result = declaredType
|
||||
)
|
||||
else if declaredType instanceof ArrayType and not declaredType.(ArrayType).hasArraySize() then (
|
||||
result = v.getInitializer().getExpr().getType().getUnspecifiedType() or
|
||||
result = v.getInitializer().getExpr().getUnspecifiedType() or
|
||||
not exists(v.getInitializer()) and result = declaredType
|
||||
)
|
||||
else (
|
||||
|
||||
@@ -61,7 +61,7 @@ class Sprintf extends FormattingFunction {
|
||||
}
|
||||
|
||||
override predicate isWideCharDefault() {
|
||||
getParameter(getFormatParameterIndex()).getType().getUnspecifiedType().(PointerType).getBaseType().getSize() > 1
|
||||
getParameter(getFormatParameterIndex()).getUnspecifiedType().(PointerType).getBaseType().getSize() > 1
|
||||
}
|
||||
|
||||
override int getFormatParameterIndex() {
|
||||
@@ -121,7 +121,7 @@ class Snprintf extends FormattingFunction {
|
||||
}
|
||||
|
||||
override predicate isWideCharDefault() {
|
||||
getParameter(getFormatParameterIndex()).getType().getUnspecifiedType().(PointerType).getBaseType().getSize() > 1
|
||||
getParameter(getFormatParameterIndex()).getUnspecifiedType().(PointerType).getBaseType().getSize() > 1
|
||||
}
|
||||
override int getOutputParameterIndex() { result=0 }
|
||||
|
||||
@@ -183,7 +183,7 @@ class StringCchPrintf extends FormattingFunction {
|
||||
}
|
||||
|
||||
override predicate isWideCharDefault() {
|
||||
getParameter(getFormatParameterIndex()).getType().getUnspecifiedType().(PointerType).getBaseType().getSize() > 1
|
||||
getParameter(getFormatParameterIndex()).getUnspecifiedType().(PointerType).getBaseType().getSize() > 1
|
||||
}
|
||||
|
||||
override int getOutputParameterIndex() {
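Review bot: The wide-character test `getParameter(getFormatParameterIndex()).getUnspecifiedType().(PointerType).getBaseType().getSize() > 1` is now written out identically in `isWideCharDefault()` of `Sprintf`, `Snprintf` and `StringCchPrintf`, so the three copies have to be kept in step by hand. All three classes extend `FormattingFunction`, so the expression could live in one shared predicate that each override calls. Whether the base class already offers such a predicate is not visible in these hunks. Failing that, a comment on each copy such as `// format parameter points to a character type wider than one byte` would state the intent. The class bodies continue outside the hunks shown.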
|
||||
|
||||
@@ -35,7 +35,7 @@ class PureFunction extends ArrayFunction, TaintFunction {
|
||||
}
|
||||
|
||||
override predicate hasArrayInput(int bufParam) {
|
||||
getParameter(bufParam).getType().getUnspecifiedType() instanceof PointerType
|
||||
getParameter(bufParam).getUnspecifiedType() instanceof PointerType
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
@@ -43,13 +43,13 @@ class PureFunction extends ArrayFunction, TaintFunction {
|
||||
input.isInParameter(i) or
|
||||
(
|
||||
input.isInParameterPointer(i) and
|
||||
getParameter(i).getType().getUnspecifiedType() instanceof PointerType
|
||||
getParameter(i).getUnspecifiedType() instanceof PointerType
|
||||
)
|
||||
) and
|
||||
(
|
||||
(
|
||||
output.isOutReturnPointer() and
|
||||
getType().getUnspecifiedType() instanceof PointerType
|
||||
getUnspecifiedType() instanceof PointerType
|
||||
) or
|
||||
output.isOutReturnValue()
|
||||
)
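Review bot: In `PureFunction.hasTaintFlow`, the receiver-less `getUnspecifiedType() instanceof PointerType` beside `output.isOutReturnPointer()` no longer says what it inspects. The parameter checks just above it name their receiver (`getParameter(i).getUnspecifiedType()`), while this one silently applies to `this` and presumably means the function's return type. I would write it as `this.getUnspecifiedType() instanceof PointerType` and add `// return type of the modelled function` next to it. The body of `hasTaintFlow` starts and ends outside this hunk, so the surrounding conditions are not fully visible.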
|
||||
|
||||
@@ -184,7 +184,7 @@ Field getAnInitialField(PaddedType t) {
|
||||
result = t.getAField() or
|
||||
// Initial field of the type of a field of the union
|
||||
result = getAnInitialField(
|
||||
t.getAField().getType().getUnspecifiedType().(PaddedType))
|
||||
t.getAField().getUnspecifiedType().(PaddedType))
|
||||
)
|
||||
else (
|
||||
exists(Field firstField |
|
||||
@@ -193,7 +193,7 @@ Field getAnInitialField(PaddedType t) {
|
||||
result = firstField or
|
||||
// Initial field of the first field of `t`
|
||||
result = getAnInitialField(
|
||||
firstField.getType().getUnspecifiedType().(PaddedType))
|
||||
firstField.getUnspecifiedType().(PaddedType))
|
||||
)
|
||||
)
|
||||
}
|
||||
@@ -212,7 +212,7 @@ abstract class UnixArchitecture extends Architecture {
|
||||
if(not exists(cd.getBaseClass().getABaseClass*().getAField()) and
|
||||
not exists(PaddedType fieldType |
|
||||
fieldType = getAnInitialField(cd.getDerivedClass()).
|
||||
getType().getUnspecifiedType() and (
|
||||
getUnspecifiedType() and (
|
||||
// Check if the type of the field is a base type of the class, or
|
||||
// vice versa. This is an approximation of the actual rule, which is
|
||||
// that the field type and the class must not share a common
|
||||
|
||||
@@ -207,8 +207,8 @@ predicate linearAccessImpl(Expr expr, VariableAccess v, float p, float q) {
|
||||
// (larger_type)(p*v+q) == p*v + q
|
||||
exists (Cast cast, ArithmeticType sourceType, ArithmeticType targetType
|
||||
| linearAccess(cast.getExpr(), v, p, q) and
|
||||
sourceType = cast.getExpr().getType().getUnspecifiedType() and
|
||||
targetType = cast.getType().getUnspecifiedType() and
|
||||
sourceType = cast.getExpr().getUnspecifiedType() and
|
||||
targetType = cast.getUnspecifiedType() and
|
||||
// This allows conversion between signed and unsigned, which is technically
|
||||
// lossy but common enough that we'll just have to assume the user knows
|
||||
// what they're doing.
|
||||
@@ -338,7 +338,7 @@ float typeUpperBound(ArithmeticType t) {
|
||||
* `exprMinVal(expr.getFullyConverted())`.
|
||||
*/
|
||||
float exprMinVal(Expr expr) {
|
||||
result = typeLowerBound(expr.getType().getUnspecifiedType())
|
||||
result = typeLowerBound(expr.getUnspecifiedType())
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -353,7 +353,7 @@ float exprMinVal(Expr expr) {
|
||||
* `exprMaxVal(expr.getFullyConverted())`.
|
||||
*/
|
||||
float exprMaxVal(Expr expr) {
|
||||
result = typeUpperBound(expr.getType().getUnspecifiedType())
|
||||
result = typeUpperBound(expr.getUnspecifiedType())
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -364,7 +364,7 @@ float exprMaxVal(Expr expr) {
|
||||
* `-2^31`.
|
||||
*/
|
||||
float varMinVal(Variable v) {
|
||||
result = typeLowerBound(v.getType().getUnspecifiedType())
|
||||
result = typeLowerBound(v.getUnspecifiedType())
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -375,5 +375,5 @@ float varMinVal(Variable v) {
|
||||
* `2^31 - 1`.
|
||||
*/
|
||||
float varMaxVal(Variable v) {
|
||||
result = typeUpperBound(v.getType().getUnspecifiedType())
|
||||
result = typeUpperBound(v.getUnspecifiedType())
|
||||
}
|
||||
|
||||
@@ -278,7 +278,7 @@ predicate isRecursiveDef(RangeSsaDefinition def, LocalScopeVariable v) {
|
||||
*/
|
||||
private
|
||||
predicate assignmentDef(RangeSsaDefinition def, LocalScopeVariable v, Expr expr) {
|
||||
v.getType().getUnspecifiedType() instanceof ArithmeticType
|
||||
v.getUnspecifiedType() instanceof ArithmeticType
|
||||
and
|
||||
((def = v.getInitializer().getExpr() and def = expr)
|
||||
or
|
||||
@@ -587,7 +587,7 @@ float getLowerBoundsImpl(Expr expr) {
|
||||
// whether the value of the expression is equal to 0.
|
||||
exists (Conversion convExpr
|
||||
| expr = convExpr
|
||||
| if convExpr.getType().getUnspecifiedType() instanceof BoolType
|
||||
| if convExpr.getUnspecifiedType() instanceof BoolType
|
||||
then result = boolConversionLowerBound(convExpr.getExpr())
|
||||
else result = getTruncatedLowerBounds(convExpr.getExpr()))
|
||||
or
|
||||
@@ -705,7 +705,7 @@ float getUpperBoundsImpl(Expr expr) {
|
||||
// whether the value of the expression is equal to 0.
|
||||
exists (Conversion convExpr
|
||||
| expr = convExpr
|
||||
| if convExpr.getType().getUnspecifiedType() instanceof BoolType
|
||||
| if convExpr.getUnspecifiedType() instanceof BoolType
|
||||
then result = boolConversionUpperBound(convExpr.getExpr())
|
||||
else result = getTruncatedUpperBounds(convExpr.getExpr()))
|
||||
or
|
||||
@@ -730,7 +730,7 @@ private predicate exprIsUsedAsBool(Expr expr) {
|
||||
expr = any(UnaryLogicalOperation op).getOperand().getFullyConverted() or
|
||||
expr = any(ConditionalExpr c).getCondition().getFullyConverted() or
|
||||
exists (Conversion cast
|
||||
| cast.getType().getUnspecifiedType() instanceof BoolType
|
||||
| cast.getUnspecifiedType() instanceof BoolType
|
||||
| expr = cast.getExpr())
|
||||
}
|
||||
|
||||
@@ -944,7 +944,7 @@ float getDefLowerBounds(RangeSsaDefinition def, LocalScopeVariable v) {
|
||||
// recursion from exploding.
|
||||
result =
|
||||
max (float widenLB
|
||||
| widenLB = wideningLowerBounds(v.getType().getUnspecifiedType()) and
|
||||
| widenLB = wideningLowerBounds(v.getUnspecifiedType()) and
|
||||
not (widenLB > truncatedLB)
|
||||
| widenLB)
|
||||
else result = truncatedLB)
|
||||
@@ -970,7 +970,7 @@ float getDefUpperBounds(RangeSsaDefinition def, LocalScopeVariable v) {
|
||||
// from exploding.
|
||||
result =
|
||||
min (float widenUB
|
||||
| widenUB = wideningUpperBounds(v.getType().getUnspecifiedType()) and
|
||||
| widenUB = wideningUpperBounds(v.getUnspecifiedType()) and
|
||||
not (widenUB < truncatedUB)
|
||||
| widenUB)
|
||||
else result = truncatedUB)
|
||||
@@ -1001,9 +1001,9 @@ predicate unanalyzableDefBounds(
|
||||
*/
|
||||
bindingset[guard, v, branch]
|
||||
predicate nonNanGuardedVariable(ComparisonOperation guard, VariableAccess v, boolean branch) {
|
||||
v.getType().getUnspecifiedType() instanceof IntegralType
|
||||
v.getUnspecifiedType() instanceof IntegralType
|
||||
or
|
||||
v.getType().getUnspecifiedType() instanceof FloatingPointType and v instanceof NonNanVariableAccess
|
||||
v.getUnspecifiedType() instanceof FloatingPointType and v instanceof NonNanVariableAccess
|
||||
or
|
||||
// The reason the following case is here is to ensure that when we say
|
||||
// `if (x > 5) { ...then... } else { ...else... }`
|
||||
@@ -1026,7 +1026,7 @@ predicate lowerBoundFromGuard(
|
||||
| boundFromGuard(guard, v, childLB, true, strictness, branch)
|
||||
| if nonNanGuardedVariable(guard, v, branch)
|
||||
then (if (strictness = Nonstrict() or
|
||||
not (v.getType().getUnspecifiedType() instanceof IntegralType))
|
||||
not (v.getUnspecifiedType() instanceof IntegralType))
|
||||
then lb = childLB
|
||||
else lb = childLB+1)
|
||||
else lb = varMinVal(v.getTarget()))
|
||||
@@ -1045,7 +1045,7 @@ predicate upperBoundFromGuard(
|
||||
| boundFromGuard(guard, v, childUB, false, strictness, branch)
|
||||
| if nonNanGuardedVariable(guard, v, branch)
|
||||
then (if (strictness = Nonstrict() or
|
||||
not (v.getType().getUnspecifiedType() instanceof IntegralType))
|
||||
not (v.getUnspecifiedType() instanceof IntegralType))
|
||||
then ub = childUB
|
||||
else ub = childUB-1)
|
||||
else ub = varMaxVal(v.getTarget()))
|
||||
@@ -1088,7 +1088,7 @@ predicate linearBoundFromGuard(
|
||||
// For the comparison x < RHS, we create two bounds:
|
||||
//
|
||||
// 1. x < upperbound(RHS)
|
||||
// 2. x >= typeLowerBound(RHS.getType().getUnspecifiedType())
|
||||
// 2. x >= typeLowerBound(RHS.getUnspecifiedType())
|
||||
//
|
||||
exists (Expr lhs, Expr rhs, RelationDirection dir, RelationStrictness st
|
||||
| linearAccess(lhs, v, p, q) and
|
||||
@@ -1108,8 +1108,8 @@ predicate linearBoundFromGuard(
|
||||
//
|
||||
// For x != RHS, we create trivial bounds:
|
||||
//
|
||||
// 1. x <= typeUpperBound(RHS.getType().getUnspecifiedType())
|
||||
// 2. x >= typeLowerBound(RHS.getType().getUnspecifiedType())
|
||||
// 1. x <= typeUpperBound(RHS.getUnspecifiedType())
|
||||
// 2. x >= typeLowerBound(RHS.getUnspecifiedType())
|
||||
//
|
||||
or
|
||||
exists (Expr lhs, Expr rhs, boolean isEQ
|
||||
|
||||
@@ -157,7 +157,7 @@ class StrCopyBW extends BufferWriteCall
|
||||
|
||||
override Type getBufferType()
|
||||
{
|
||||
result = this.getTarget().getParameter(getParamSrc()).getType().getUnspecifiedType()
|
||||
result = this.getTarget().getParameter(getParamSrc()).getUnspecifiedType()
|
||||
}
|
||||
|
||||
override Expr getASource()
|
||||
@@ -212,7 +212,7 @@ class StrCatBW extends BufferWriteCall
|
||||
|
||||
override Type getBufferType()
|
||||
{
|
||||
result = this.getTarget().getParameter(getParamSrc()).getType().getUnspecifiedType()
|
||||
result = this.getTarget().getParameter(getParamSrc()).getUnspecifiedType()
|
||||
}
|
||||
|
||||
override Expr getASource()
|
||||
@@ -267,7 +267,7 @@ class SprintfBW extends BufferWriteCall
|
||||
{
|
||||
exists(FormattingFunction f |
|
||||
f = this.getTarget() and
|
||||
result = f.getParameter(f.getFormatParameterIndex()).getType().getUnspecifiedType()
|
||||
result = f.getParameter(f.getFormatParameterIndex()).getUnspecifiedType()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -355,7 +355,7 @@ class SnprintfBW extends BufferWriteCall
|
||||
{
|
||||
exists(FormattingFunction f |
|
||||
f = this.getTarget() and
|
||||
result = f.getParameter(f.getFormatParameterIndex()).getType().getUnspecifiedType()
|
||||
result = f.getParameter(f.getFormatParameterIndex()).getUnspecifiedType()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -423,7 +423,7 @@ class GetsBW extends BufferWriteCall
|
||||
|
||||
override Type getBufferType()
|
||||
{
|
||||
result = this.getTarget().getParameter(0).getType().getUnspecifiedType()
|
||||
result = this.getTarget().getParameter(0).getUnspecifiedType()
|
||||
}
|
||||
|
||||
override Expr getASource()
|
||||
@@ -479,7 +479,7 @@ class ScanfBW extends BufferWrite
|
||||
exists(ScanfFunction f, ScanfFunctionCall fc |
|
||||
this = fc.getArgument(_) and
|
||||
f = fc.getTarget() and
|
||||
result = f.getParameter(f.getFormatParameterIndex()).getType().getUnspecifiedType()
|
||||
result = f.getParameter(f.getFormatParameterIndex()).getUnspecifiedType()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -537,7 +537,7 @@ class RealpathBW extends BufferWriteCall {
|
||||
|
||||
override Type getBufferType()
|
||||
{
|
||||
result = this.getTarget().getParameter(0).getType().getUnspecifiedType()
|
||||
result = this.getTarget().getParameter(0).getUnspecifiedType()
|
||||
}
|
||||
|
||||
override Expr getDest() { result = getArgument(1) }
|
||||
|
||||
@@ -66,7 +66,7 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
|
||||
// overflow possible if large
|
||||
(e instanceof AddExpr and not guardedLesser(e, varUse(v))) or
|
||||
(e instanceof AssignAddExpr and not guardedLesser(e, varUse(v))) or
|
||||
(e instanceof IncrementOperation and not guardedLesser(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or
|
||||
(e instanceof IncrementOperation and not guardedLesser(e, varUse(v)) and v.getUnspecifiedType() instanceof IntegralType) or
|
||||
// overflow possible if large or small
|
||||
(e instanceof MulExpr and
|
||||
not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v))))
|
||||
@@ -81,7 +81,7 @@ predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
|
||||
(use = e.(SubExpr).getLeftOperand() and not guardedGreater(e, varUse(v))) or
|
||||
(use = e.(AssignSubExpr).getLValue() and not guardedGreater(e, varUse(v))) or
|
||||
// underflow possible if small
|
||||
(e instanceof DecrementOperation and not guardedGreater(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or
|
||||
(e instanceof DecrementOperation and not guardedGreater(e, varUse(v)) and v.getUnspecifiedType() instanceof IntegralType) or
|
||||
// underflow possible if large or small
|
||||
(e instanceof MulExpr and
|
||||
not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v))))
|
||||
|
||||
@@ -285,25 +285,25 @@ class GVN extends GVNBase {
|
||||
|
||||
private predicate analyzableIntConst(Expr e) {
|
||||
strictcount (e.getValue().toInt()) = 1 and
|
||||
strictcount (e.getType().getUnspecifiedType()) = 1
|
||||
strictcount (e.getUnspecifiedType()) = 1
|
||||
}
|
||||
|
||||
private predicate mk_IntConst(int val, Type t, Expr e) {
|
||||
analyzableIntConst(e) and
|
||||
val = e.getValue().toInt() and
|
||||
t = e.getType().getUnspecifiedType()
|
||||
t = e.getUnspecifiedType()
|
||||
}
|
||||
|
||||
private predicate analyzableFloatConst(Expr e) {
|
||||
strictcount (e.getValue().toFloat()) = 1 and
|
||||
strictcount (e.getType().getUnspecifiedType()) = 1 and
|
||||
strictcount (e.getUnspecifiedType()) = 1 and
|
||||
not analyzableIntConst(e)
|
||||
}
|
||||
|
||||
private predicate mk_FloatConst(float val, Type t, Expr e) {
|
||||
analyzableFloatConst(e) and
|
||||
val = e.getValue().toFloat() and
|
||||
t = e.getType().getUnspecifiedType()
|
||||
t = e.getUnspecifiedType()
|
||||
}
|
||||
|
||||
|
||||
@@ -421,14 +421,14 @@ private predicate mk_OtherVariable(
|
||||
}
|
||||
|
||||
private predicate analyzableConversion(Conversion conv) {
|
||||
strictcount (conv.getType().getUnspecifiedType()) = 1 and
|
||||
strictcount (conv.getUnspecifiedType()) = 1 and
|
||||
strictcount (conv.getExpr()) = 1 and
|
||||
not analyzableConst(conv)
|
||||
}
|
||||
|
||||
private predicate mk_Conversion(Type t, GVN child, Conversion conv) {
|
||||
analyzableConversion(conv) and
|
||||
t = conv.getType().getUnspecifiedType() and
|
||||
t = conv.getUnspecifiedType() and
|
||||
child = globalValueNumber(conv.getExpr())
|
||||
}
|
||||
|
||||
|
||||
@@ -189,7 +189,7 @@ private newtype HC_Args =
|
||||
private newtype HC_Fields =
|
||||
HC_EmptyFields(Class c) {
|
||||
exists(ClassAggregateLiteral cal |
|
||||
c = cal.getType().getUnspecifiedType()
|
||||
c = cal.getUnspecifiedType()
|
||||
)
|
||||
}
|
||||
or
|
||||
@@ -200,7 +200,7 @@ private newtype HC_Fields =
|
||||
private newtype HC_Array =
|
||||
HC_EmptyArray(Type t) {
|
||||
exists(ArrayAggregateLiteral aal |
|
||||
aal.getType().getUnspecifiedType() = t
|
||||
aal.getUnspecifiedType() = t
|
||||
)
|
||||
}
|
||||
or
|
||||
@@ -305,42 +305,42 @@ private string exampleLocationString(Location l) {
|
||||
|
||||
private predicate analyzableIntLiteral(Literal e) {
|
||||
strictcount (e.getValue().toInt()) = 1 and
|
||||
strictcount (e.getType().getUnspecifiedType()) = 1 and
|
||||
e.getType().getUnspecifiedType() instanceof IntegralType
|
||||
strictcount (e.getUnspecifiedType()) = 1 and
|
||||
e.getUnspecifiedType() instanceof IntegralType
|
||||
}
|
||||
|
||||
private predicate mk_IntLiteral(int val, Type t, Expr e) {
|
||||
analyzableIntLiteral(e) and
|
||||
val = e.getValue().toInt() and
|
||||
t = e.getType().getUnspecifiedType()
|
||||
t = e.getUnspecifiedType()
|
||||
}
|
||||
|
||||
private predicate analyzableEnumConstantAccess(EnumConstantAccess e) {
|
||||
strictcount (e.getValue().toInt()) = 1 and
|
||||
strictcount (e.getType().getUnspecifiedType()) = 1 and
|
||||
e.getType().getUnspecifiedType() instanceof Enum
|
||||
strictcount (e.getUnspecifiedType()) = 1 and
|
||||
e.getUnspecifiedType() instanceof Enum
|
||||
}
|
||||
|
||||
private predicate mk_EnumConstantAccess(EnumConstant val, Type t, Expr e) {
|
||||
analyzableEnumConstantAccess(e) and
|
||||
val = e.(EnumConstantAccess).getTarget() and
|
||||
t = e.getType().getUnspecifiedType()
|
||||
t = e.getUnspecifiedType()
|
||||
}
|
||||
|
||||
private predicate analyzableFloatLiteral(Literal e) {
|
||||
strictcount (e.getValue().toFloat()) = 1 and
|
||||
strictcount (e.getType().getUnspecifiedType()) = 1 and
|
||||
e.getType().getUnspecifiedType() instanceof FloatingPointType
|
||||
strictcount (e.getUnspecifiedType()) = 1 and
|
||||
e.getUnspecifiedType() instanceof FloatingPointType
|
||||
}
|
||||
|
||||
private predicate mk_FloatLiteral(float val, Type t, Expr e) {
|
||||
analyzableFloatLiteral(e) and
|
||||
val = e.getValue().toFloat() and
|
||||
t = e.getType().getUnspecifiedType()
|
||||
t = e.getUnspecifiedType()
|
||||
}
|
||||
|
||||
private predicate analyzableNullptr(NullValue e) {
|
||||
strictcount (e.getType().getUnspecifiedType()) = 1 and
|
||||
strictcount (e.getUnspecifiedType()) = 1 and
|
||||
e.getType() instanceof NullPointerType
|
||||
}
|
||||
|
||||
@@ -350,14 +350,14 @@ private predicate mk_Nullptr(Expr e) {
|
||||
|
||||
private predicate analyzableStringLiteral(Literal e) {
|
||||
strictcount(e.getValue()) = 1 and
|
||||
strictcount(e.getType().getUnspecifiedType()) = 1 and
|
||||
e.getType().getUnspecifiedType().(ArrayType).getBaseType() instanceof CharType
|
||||
strictcount(e.getUnspecifiedType()) = 1 and
|
||||
e.getUnspecifiedType().(ArrayType).getBaseType() instanceof CharType
|
||||
}
|
||||
|
||||
private predicate mk_StringLiteral(string val, Type t, Expr e) {
|
||||
analyzableStringLiteral(e) and
|
||||
val = e.getValue() and
|
||||
t = e.getType().getUnspecifiedType() and
|
||||
t = e.getUnspecifiedType() and
|
||||
t.(ArrayType).getBaseType() instanceof CharType
|
||||
|
||||
}
|
||||
@@ -410,13 +410,13 @@ private predicate mk_Variable(Variable x, VariableAccess access) {
|
||||
}
|
||||
|
||||
private predicate analyzableConversion(Conversion conv) {
|
||||
strictcount (conv.getType().getUnspecifiedType()) = 1 and
|
||||
strictcount (conv.getUnspecifiedType()) = 1 and
|
||||
strictcount (conv.getExpr()) = 1
|
||||
}
|
||||
|
||||
private predicate mk_Conversion(Type t, HashCons child, Conversion conv) {
|
||||
analyzableConversion(conv) and
|
||||
t = conv.getType().getUnspecifiedType() and
|
||||
t = conv.getUnspecifiedType() and
|
||||
child = hashCons(conv.getExpr())
|
||||
}
|
||||
|
||||
@@ -586,7 +586,7 @@ private predicate mk_ArgConsInner(HashCons head, HC_Args tail, int i, HC_Args li
|
||||
private predicate analyzableAllocatorArgZero(ErrorExpr e) {
|
||||
exists(NewOrNewArrayExpr new |
|
||||
new.getAllocatorCall().getChild(0) = e and
|
||||
strictcount(new.getType().getUnspecifiedType()) = 1
|
||||
strictcount(new.getUnspecifiedType()) = 1
|
||||
)
|
||||
and
|
||||
strictcount(NewOrNewArrayExpr new | new.getAllocatorCall().getChild(0) = e) = 1
|
||||
@@ -596,7 +596,7 @@ private predicate mk_AllocatorArgZero(Type t, ErrorExpr e) {
|
||||
analyzableAllocatorArgZero(e) and
|
||||
exists(NewOrNewArrayExpr new |
|
||||
new.getAllocatorCall().getChild(0) = e and
|
||||
t = new.getType().getUnspecifiedType()
|
||||
t = new.getUnspecifiedType()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -691,7 +691,7 @@ private predicate mk_DeleteArrayExpr(HashCons hc, DeleteArrayExpr e) {
|
||||
}
|
||||
|
||||
private predicate analyzableSizeofType(SizeofTypeOperator e) {
|
||||
strictcount(e.getType().getUnspecifiedType()) = 1 and
|
||||
strictcount(e.getUnspecifiedType()) = 1 and
|
||||
strictcount(e.getTypeOperand()) = 1
|
||||
}
|
||||
|
||||
@@ -740,7 +740,7 @@ private predicate mk_TypeidExpr(HashCons child, TypeidOperator e) {
|
||||
}
|
||||
|
||||
private predicate analyzableAlignofType(AlignofTypeOperator e) {
|
||||
strictcount(e.getType().getUnspecifiedType()) = 1 and
|
||||
strictcount(e.getUnspecifiedType()) = 1 and
|
||||
strictcount(e.getTypeOperand()) = 1
|
||||
}
|
||||
|
||||
@@ -761,7 +761,7 @@ private predicate mk_AlignofExpr(HashCons child, AlignofExprOperator e) {
|
||||
private predicate mk_FieldCons(Class c, int i, Field f, HashCons hc, HC_Fields hcf,
|
||||
ClassAggregateLiteral cal) {
|
||||
analyzableClassAggregateLiteral(cal) and
|
||||
cal.getType().getUnspecifiedType() = c and
|
||||
cal.getUnspecifiedType() = c and
|
||||
exists(Expr e |
|
||||
e = cal.getFieldExpr(f).getFullyConverted() and
|
||||
f.getInitializationOrder() = i and
|
||||
@@ -791,7 +791,7 @@ private predicate analyzableClassAggregateLiteral(ClassAggregateLiteral cal) {
|
||||
|
||||
private predicate mk_ClassAggregateLiteral(Class c, HC_Fields hcf, ClassAggregateLiteral cal) {
|
||||
analyzableClassAggregateLiteral(cal) and
|
||||
c = cal.getType().getUnspecifiedType() and
|
||||
c = cal.getUnspecifiedType() and
|
||||
(
|
||||
exists(HC_Fields tail, Expr e, Field f |
|
||||
f.getInitializationOrder() = cal.getNumChild() - 1 and
|
||||
@@ -810,12 +810,12 @@ private predicate analyzableArrayAggregateLiteral(ArrayAggregateLiteral aal) {
|
||||
exists(aal.getChild(i)) |
|
||||
strictcount(aal.getChild(i).getFullyConverted()) = 1
|
||||
) and
|
||||
strictcount(aal.getType().getUnspecifiedType()) = 1
|
||||
strictcount(aal.getUnspecifiedType()) = 1
|
||||
}
|
||||
|
||||
private predicate mk_ArrayCons(Type t, int i, HashCons hc, HC_Array hca, ArrayAggregateLiteral aal) {
|
||||
analyzableArrayAggregateLiteral(aal) and
|
||||
t = aal.getType().getUnspecifiedType() and
|
||||
t = aal.getUnspecifiedType() and
|
||||
hc = hashCons(aal.getChild(i)) and
|
||||
(
|
||||
exists(HC_Array tail, HashCons head |
|
||||
@@ -829,7 +829,7 @@ private predicate mk_ArrayCons(Type t, int i, HashCons hc, HC_Array hca, ArrayAg
|
||||
}
|
||||
|
||||
private predicate mk_ArrayAggregateLiteral(Type t, HC_Array hca, ArrayAggregateLiteral aal) {
|
||||
t = aal.getType().getUnspecifiedType() and
|
||||
t = aal.getUnspecifiedType() and
|
||||
(
|
||||
exists(HashCons head, HC_Array tail |
|
||||
hca = HC_ArrayCons(t, aal.getNumChild() - 1, head, tail) and
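Review bot: `analyzableNullptr` (hunk `@@ -305,42 +305,42 @@`) now mixes the two accessors. It counts over `e.getUnspecifiedType()`, but the type test on the next line is still `e.getType() instanceof NullPointerType`, whereas the sibling `analyzable*Literal` and `analyzableEnumConstantAccess` predicates in the same hunk test the unspecified type. If the test is meant to see through typedefs and qualifiers like the others, it would read `e.getUnspecifiedType() instanceof NullPointerType`. If the unresolved type is intended, a comment such as `// deliberately tests the unresolved type` would keep a later cleanup from changing it. Which of the two is right cannot be told from the lines shown.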
|
||||
|
||||