C++: Join with value number only after joining with 'controls'.

2026-04-11 01:54:00 +02:00 · 2024-12-17 15:25:16 +00:00
parent 8efd870192
commit eea7804b62
1 changed files with 9 additions and 3 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -2275,7 +2275,7 @@ private predicate guardControlsPhiInput(
 */
 signature predicate guardChecksSig(IRGuardCondition g, Expr e, boolean branch);

-bindingset[g, n]
+bindingset[g]
 pragma[inline_late]
 private predicate controls(IRGuardCondition g, Node n, boolean edge) {
  g.controls(n.getBasicBlock(), edge)
@@ -2288,6 +2288,13 @@ private predicate controls(IRGuardCondition g, Node n, boolean edge) {
 * in data flow and taint tracking.
 */
 module BarrierGuard<guardChecksSig/3 guardChecks> {
+  bindingset[value, n]
+  pragma[inline_late]
+  private predicate convertedExprHasValueNumber(Expr e, ValueNumber value, Node n) {
+    e = value.getAnInstruction().getConvertedResultExpression() and
+    n.asConvertedExpr() = e
+  }
+
  /**
   * Gets an expression node that is safely guarded by the given guard check.
   *
@@ -2322,8 +2329,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
   */
  Node getABarrierNode() {
    exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
-      e = value.getAnInstruction().getConvertedResultExpression() and
-      result.asConvertedExpr() = e and
+      convertedExprHasValueNumber(e, value, result) and
      guardChecks(g,
        pragma[only_bind_into](value.getAnInstruction().getConvertedResultExpression()), edge) and
      controls(g, result, edge)