Compare commits

..

24 Commits

Author SHA1 Message Date
Max Schaefer
eb3d0f5b0e Add merlyn.md which explains the changes on this branch. 2021-04-19 15:04:21 +01:00
Max Schaefer
09cf8e8b01 Remove RequestHeaderAccess. 2021-04-19 15:04:21 +01:00
Max Schaefer
bd8212c090 Remove RequestInputAccess. 2021-04-19 15:04:21 +01:00
Max Schaefer
f106d186e4 Remove MultipartyRemoteFlow. 2021-04-19 15:04:21 +01:00
Max Schaefer
e2c84407b4 Revert changes to Express::RequestInputAccess in c45d84f8f3 and 9cacfab7c6. 2021-04-19 15:04:21 +01:00
Max Schaefer
67b15125c7 Revert changes to Express::RequestInputAccess in d84f1b47c2. 2021-04-19 15:04:21 +01:00
Max Schaefer
caf763a969 Revert changes to Express::RequestInputAccess in ed48efe5b4. 2021-04-19 15:04:21 +01:00
Max Schaefer
4f8f5048f3 Revert changes to Express::RequestInputAccess in 83f0514475. 2021-04-19 15:04:21 +01:00
Max Schaefer
2366679d9b Revert changes to Express::RequestInputAccess in e2fbf8a68c. 2021-04-19 15:04:21 +01:00
Max Schaefer
66399c055e Remove MicroBodyParserCall. 2021-04-19 15:04:21 +01:00
Max Schaefer
85c02a430e Remove ServerRequestDataEvent. 2021-04-19 15:04:20 +01:00
Max Schaefer
29945b8ed0 Remove VueRouterFlowSource. 2021-04-19 15:04:20 +01:00
Max Schaefer
a8ef1bc32a Remove ServerlessHandlerEventAsRemoteFlow. 2021-04-19 15:04:20 +01:00
Max Schaefer
0781a138af Remove ReceivedItemAsRemoteFlow. 2021-04-19 15:04:20 +01:00
Max Schaefer
6fd67c4d8e Remove ReactRouterSource. 2021-04-19 15:04:19 +01:00
Max Schaefer
89747ecf83 Revert changes to `PostMessageEventHandler in cb7de27. 2021-04-19 15:03:51 +01:00
Max Schaefer
c013e3f9c3 Remove NodeJSNetServerItemAsRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
3b14b27635 Remove NextParams. 2021-04-19 15:03:51 +01:00
Max Schaefer
2ae32be934 Revert changes to ClientRequestData from 0b55aed626. 2021-04-19 15:03:51 +01:00
Max Schaefer
6647f6b9c4 Remove FormidableRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
41ceb291de Remove BusBoyRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
615418d2e3 Remove AngularSource. 2021-04-19 15:03:49 +01:00
Max Schaefer
0ba76f7d0e Revert "JS: Move $() sink into separate dataflow config"
This reverts commit 50a015c73e.
2021-04-19 15:03:11 +01:00
Max Schaefer
d97a10ef8a Revert "JS: Address review comments"
This reverts commit c91cdb5194.
2021-04-19 14:57:18 +01:00
614 changed files with 3466 additions and 7066 deletions

View File

@@ -1,30 +0,0 @@
name: Mark stale issues
on:
workflow_dispatch:
schedule:
- cron: "30 1 * * *"
jobs:
stale:
if: github.repository == 'github/codeql'
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `stale` label in order to avoid having this issue closed in 7 days.'
close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
days-before-stale: 14
days-before-close: 7
only-labels: question
# do not mark PRs as stale
days-before-pr-stale: -1
days-before-pr-close: -1
# Uncomment for dry-run
# debug-only: true
# operations-per-run: 1000

View File

@@ -70,4 +70,3 @@
## Changes to libraries
* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.
* The class `DomBasedXss::Configuration` has been deprecated, as it has been split into `DomBasedXss::HtmlInjectionConfiguration` and `DomBasedXss::JQueryHtmlOrSelectorInjectionConfiguration`. Unless specifically working with jQuery sinks, subclasses should instead be based on `HtmlInjectionConfiguration`. To use both configurations in a query, see [Xss.ql](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/Xss.ql) for an example.

View File

@@ -56,10 +56,6 @@
"csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
"python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
],
"DataFlow Java/C# Flow Summaries": [
"java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
],
"SsaReadPosition Java/C#": [
"java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"

View File

@@ -3,7 +3,6 @@
* @description If an exception is allocated on the heap, then it should be deleted when caught.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision high
* @id cpp/catch-missing-free
* @tags efficiency

View File

@@ -5,7 +5,6 @@
* @kind problem
* @id cpp/offset-use-before-range-check
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @tags reliability
* security

View File

@@ -4,7 +4,6 @@
* @kind problem
* @id cpp/inconsistent-nullness-testing
* @problem.severity warning
* @problem.security-severity high
* @tags reliability
* security
* external/cwe/cwe-476

View File

@@ -4,7 +4,6 @@
* @kind problem
* @id cpp/memory-may-not-be-freed
* @problem.severity warning
* @problem.security-severity high
* @tags efficiency
* security
* external/cwe/cwe-401

View File

@@ -4,7 +4,6 @@
* @kind problem
* @id cpp/memory-never-freed
* @problem.severity warning
* @problem.security-severity high
* @tags efficiency
* security
* external/cwe/cwe-401

View File

@@ -4,7 +4,6 @@
* @kind problem
* @id cpp/missing-null-test
* @problem.severity recommendation
* @problem.security-severity high
* @tags reliability
* security
* external/cwe/cwe-476

View File

@@ -3,7 +3,6 @@
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision high
* @id cpp/new-free-mismatch
* @tags reliability

View File

@@ -4,7 +4,6 @@
* @kind problem
* @id cpp/overflow-calculated
* @problem.severity warning
* @problem.security-severity critical
* @tags reliability
* security
* external/cwe/cwe-131

View File

@@ -5,7 +5,6 @@
* @kind problem
* @id cpp/overflow-destination
* @problem.severity warning
* @problem.security-severity high
* @precision low
* @tags reliability
* security

View File

@@ -4,7 +4,6 @@
* may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/static-buffer-overflow
* @tags reliability

View File

@@ -4,7 +4,6 @@
* @kind problem
* @id cpp/return-value-ignored
* @problem.severity recommendation
* @problem.security-severity critical
* @precision medium
* @tags reliability
* correctness

View File

@@ -4,7 +4,6 @@
* an instance of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/allocation-too-small
* @tags reliability

View File

@@ -4,7 +4,6 @@
* multiple instances of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/suspicious-allocation-size
* @tags reliability

View File

@@ -4,7 +4,6 @@
* @kind problem
* @id cpp/use-after-free
* @problem.severity warning
* @problem.security-severity high
* @tags reliability
* security
* external/cwe/cwe-416

View File

@@ -7,7 +7,6 @@
* overflow.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision high
* @id cpp/ambiguously-signed-bit-field
* @tags reliability

View File

@@ -6,7 +6,6 @@
* to a larger type.
* @kind problem
* @problem.severity error
* @problem.security-severity high
* @precision very-high
* @id cpp/bad-addition-overflow-check
* @tags reliability

View File

@@ -4,7 +4,6 @@
* be a sign that the result can overflow the type converted from.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision high
* @id cpp/integer-multiplication-cast-to-long
* @tags reliability

View File

@@ -6,7 +6,6 @@
* use the width of the base type, leading to misaligned reads.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity high
* @precision high
* @tags correctness
* reliability

View File

@@ -6,7 +6,6 @@
* from an untrusted source, this can be used for exploits.
* @kind problem
* @problem.severity recommendation
* @problem.security-severity critical
* @precision high
* @id cpp/non-constant-format
* @tags maintainability

View File

@@ -3,7 +3,6 @@
* @description A function is called, and the same operation is usually performed on the return value - for example, free, delete, close etc. However, in some cases it is not performed. These unusual cases may indicate misuse of the API and could cause resource leaks.
* @kind problem
* @problem.severity warning
* @problem.security-severity critical
* @precision medium
* @id cpp/inconsistent-call-on-result
* @tags reliability

View File

@@ -6,7 +6,6 @@
* omitting the check could crash the program.
* @kind problem
* @problem.severity error
* @problem.security-severity high
* @precision medium
* @id cpp/inconsistent-null-check
* @tags reliability

View File

@@ -3,7 +3,6 @@
* @description A for-loop iteration expression goes backward with respect of the initialization statement and condition expression.
* @kind problem
* @problem.severity error
* @problem.security-severity high
* @precision high
* @id cpp/inconsistent-loop-direction
* @tags correctness

View File

@@ -3,7 +3,6 @@
* @description Using alloca in a loop can lead to a stack overflow
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision high
* @id cpp/alloca-in-loop
* @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind problem
* @id cpp/improper-null-termination
* @problem.severity warning
* @problem.security-severity high
* @tags security
* external/cwe/cwe-170
* external/cwe/cwe-665

View File

@@ -4,7 +4,6 @@
* as the third argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/bad-strncpy-size
* @tags reliability

View File

@@ -4,7 +4,6 @@
* as the third argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/unsafe-strncat
* @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind problem
* @id cpp/uninitialized-local
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @tags security
* external/cwe/cwe-665

View File

@@ -4,7 +4,6 @@
* may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @problem.security-severity critical
* @precision medium
* @id cpp/unsafe-strcat
* @tags reliability

View File

@@ -5,7 +5,6 @@
* it should be moved before the dereference.
* @kind problem
* @problem.severity error
* @problem.security-severity high
* @id cpp/redundant-null-check-simple
* @tags reliability
* correctness

View File

@@ -6,7 +6,6 @@
* @kind problem
* @id cpp/ignore-return-value-sal
* @problem.severity warning
* @problem.security-severity critical
* @tags reliability
* external/cwe/cwe-573
* external/cwe/cwe-252

View File

@@ -5,7 +5,6 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @problem.security-severity high
* @tags security external/cwe/cwe-20
*/

View File

@@ -5,7 +5,6 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @problem.security-severity high
* @tags security external/cwe/cwe-20
*/

View File

@@ -4,7 +4,6 @@
* attacker to access unexpected resources.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/path-injection
* @tags security

View File

@@ -5,7 +5,6 @@
* to command injection.
* @kind problem
* @problem.severity error
* @problem.security-severity critical
* @precision low
* @id cpp/command-line-injection
* @tags security

View File

@@ -4,7 +4,6 @@
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity error
* @problem.security-severity medium
* @precision high
* @id cpp/cgi-xss
* @tags security

View File

@@ -5,7 +5,6 @@
* to SQL Injection.
* @kind path-problem
* @problem.severity error
* @problem.security-severity critical
* @precision high
* @id cpp/sql-injection
* @tags security

View File

@@ -5,7 +5,6 @@
* commands.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/uncontrolled-process-operation
* @tags security

View File

@@ -6,7 +6,6 @@
* @kind problem
* @id cpp/overflow-buffer
* @problem.severity recommendation
* @problem.security-severity high
* @tags security
* external/cwe/cwe-119
* external/cwe/cwe-121

View File

@@ -5,7 +5,6 @@
* overflow.
* @kind problem
* @problem.severity error
* @problem.security-severity critical
* @precision high
* @id cpp/badly-bounded-write
* @tags reliability

View File

@@ -4,7 +4,6 @@
* of data written may overflow.
* @kind problem
* @problem.severity error
* @problem.security-severity critical
* @precision medium
* @id cpp/overrunning-write
* @tags reliability

View File

@@ -5,7 +5,6 @@
* take extreme values.
* @kind problem
* @problem.severity error
* @problem.security-severity critical
* @precision medium
* @id cpp/overrunning-write-with-float
* @tags reliability

View File

@@ -4,7 +4,6 @@
* of data written may overflow.
* @kind path-problem
* @problem.severity error
* @problem.security-severity critical
* @precision medium
* @id cpp/unbounded-write
* @tags reliability

View File

@@ -5,7 +5,6 @@
* a specific value to terminate the argument list.
* @kind problem
* @problem.severity warning
* @problem.security-severity critical
* @precision medium
* @id cpp/unterminated-variadic-call
* @tags reliability

View File

@@ -6,7 +6,6 @@
* @kind problem
* @id cpp/unclear-array-index-validation
* @problem.severity warning
* @problem.security-severity critical
* @tags security
* external/cwe/cwe-129
*/

View File

@@ -5,7 +5,6 @@
* terminator can cause a buffer overrun.
* @kind problem
* @problem.severity error
* @problem.security-severity critical
* @precision high
* @id cpp/no-space-for-terminator
* @tags reliability

View File

@@ -5,7 +5,6 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity critical
* @precision high
* @id cpp/tainted-format-string
* @tags reliability

View File

@@ -5,7 +5,6 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity critical
* @precision high
* @id cpp/tainted-format-string-through-global
* @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind problem
* @id cpp/user-controlled-null-termination-tainted
* @problem.severity warning
* @problem.security-severity medium
* @tags security
* external/cwe/cwe-170
*/

View File

@@ -4,7 +4,6 @@
* not validated can cause overflows.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision low
* @id cpp/tainted-arithmetic
* @tags security

View File

@@ -4,7 +4,6 @@
* validated can cause overflows.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/uncontrolled-arithmetic
* @tags security

View File

@@ -6,7 +6,6 @@
* @kind problem
* @id cpp/arithmetic-with-extreme-values
* @problem.severity warning
* @problem.security-severity high
* @precision low
* @tags security
* reliability

View File

@@ -5,7 +5,6 @@
* @id cpp/comparison-with-wider-type
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision high
* @tags reliability
* security

View File

@@ -5,7 +5,6 @@
* @kind problem
* @id cpp/integer-overflow-tainted
* @problem.severity warning
* @problem.security-severity high
* @precision low
* @tags security
* external/cwe/cwe-190

View File

@@ -4,7 +4,6 @@
* user can result in integer overflow.
* @kind path-problem
* @problem.severity error
* @problem.security-severity high
* @precision medium
* @id cpp/uncontrolled-allocation-size
* @tags reliability

View File

@@ -4,7 +4,6 @@
* @kind problem
* @id cpp/unsigned-difference-expression-compared-zero
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @tags security
* correctness

View File

@@ -5,7 +5,6 @@
* vulnerable to spoofing attacks.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/user-controlled-bypass
* @tags security

View File

@@ -4,7 +4,6 @@
* to an attacker.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/cleartext-storage-buffer
* @tags security

View File

@@ -4,7 +4,6 @@
* an attacker to compromise security.
* @kind problem
* @problem.severity error
* @problem.security-severity high
* @precision medium
* @id cpp/weak-cryptographic-algorithm
* @tags security

View File

@@ -4,7 +4,6 @@
* attackers to retrieve portions of memory.
* @kind problem
* @problem.severity error
* @problem.security-severity high
* @precision very-high
* @id cpp/openssl-heartbleed
* @tags security

View File

@@ -5,7 +5,6 @@
* the two operations.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/toctou-race-condition
* @tags security

View File

@@ -4,7 +4,6 @@
* @id cpp/unsafe-create-process-call
* @kind problem
* @problem.severity error
* @problem.security-severity high
* @precision medium
* @msrc.severity important
* @tags security

View File

@@ -6,7 +6,6 @@
* @kind problem
* @id cpp/incorrect-string-type-conversion
* @problem.severity error
* @problem.security-severity critical
* @precision high
* @tags security
* external/cwe/cwe-704

View File

@@ -3,7 +3,6 @@
* @description Creating a file that is world-writable can allow an attacker to write to the file.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @id cpp/world-writable-file-creation
* @tags security

View File

@@ -7,7 +7,6 @@
* @id cpp/unsafe-dacl-security-descriptor
* @kind problem
* @problem.severity error
* @problem.security-severity high
* @precision high
* @tags security
* external/cwe/cwe-732

View File

@@ -6,7 +6,6 @@
* @kind problem
* @id cpp/infinite-loop-with-unsatisfiable-exit-condition
* @problem.severity warning
* @problem.security-severity high
* @tags security
* external/cwe/cwe-835
*/

View File

@@ -6,7 +6,6 @@
* @kind problem
* @id cpp/redundant-null-check-param
* @problem.severity recommendation
* @problem.security-severity high
* @tags reliability
* security
* external/cwe/cwe-476

View File

@@ -6,7 +6,6 @@
* @kind problem
* @id cpp/late-check-of-function-argument
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @tags correctness
* security

View File

@@ -3,7 +3,6 @@
* @description Use of one of the scanf functions without a specified length.
* @kind problem
* @problem.severity warning
* @problem.security-severity critical
* @id cpp/memory-unsafe-function-scan
* @tags reliability
* security

View File

@@ -3,7 +3,6 @@
* @description Using a multiplication result that may overflow in the size of an allocation may lead to buffer overflows when the allocated memory is used.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity high
* @precision low
* @tags security
* correctness

View File

@@ -6,7 +6,6 @@
* from these methods is not checked.
* @kind problem
* @problem.severity recommendation
* @problem.security-severity critical
* @id cpp/drop-linux-privileges-outoforder
* @tags security
* external/cwe/cwe-273

View File

@@ -5,7 +5,6 @@
* @kind problem
* @id cpp/memory-leak-on-failed-call-to-realloc
* @problem.severity warning
* @problem.security-severity high
* @precision medium
* @tags correctness
* security

View File

@@ -1,4 +0,0 @@
if(len>0 & memset(buf,0,len)) return 1; // BAD: `memset` will be called regardless of the value of the `len` variable. moreover, one cannot be sure that it will happen after verification
...
if(len>0 && memset(buf,0,len)) return 1; // GOOD: `memset` will be called after the `len` variable has been checked.
...

View File

@@ -1,28 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Using bitwise operations can be a mistake in some situations. For example, if parameters are evaluated in an expression and the function should be called only upon certain test results. These bitwise operations look suspicious and require developer attention.</p>
</overview>
<recommendation>
<p>We recommend that you evaluate the correctness of using the specified bit operations.</p>
</recommendation>
<example>
<p>The following example demonstrates the erroneous and fixed use of bit and logical operations.</p>
<sample src="InsufficientControlFlowManagementWhenUsingBitOperations.c" />
</example>
<references>
<li>
CWE Common Weakness Enumeration:
<a href="https://cwe.mitre.org/data/definitions/691.html"> CWE-691: Insufficient Control Flow Management</a>.
</li>
</references>
</qhelp>

View File

@@ -1,78 +0,0 @@
/**
* @name Errors When Using Bit Operations
* @description Unlike the binary operations `||` and `&&`, there is no sequence point after evaluating an
* operand of a bitwise operation like `|` or `&`. If left-to-right evaluation is expected this may be confusing.
* @kind problem
* @id cpp/errors-when-using-bit-operations
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* external/cwe/cwe-691
*/
import cpp
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
/**
* Dangerous uses of bit operations.
* For example: `if(intA>0 & intA<10 & charBuf&myFunc(charBuf[intA]))`.
* In this case, the function will be called in any case, and even the sequence of the call is not guaranteed.
*/
class DangerousBitOperations extends BinaryBitwiseOperation {
FunctionCall bfc;
/**
* The assignment indicates the conscious use of the bit operator.
* Use in comparison, conversion, or return value indicates conscious use of the bit operator.
* The use of shifts and bitwise operations on any element of an expression indicates a conscious use of the bitwise operator.
*/
DangerousBitOperations() {
bfc = this.getRightOperand() and
not this.getParent*() instanceof Assignment and
not this.getParent*() instanceof Initializer and
not this.getParent*() instanceof ReturnStmt and
not this.getParent*() instanceof EqualityOperation and
not this.getParent*() instanceof UnaryLogicalOperation and
not this.getParent*() instanceof BinaryLogicalOperation and
not this.getAChild*() instanceof BitwiseXorExpr and
not this.getAChild*() instanceof LShiftExpr and
not this.getAChild*() instanceof RShiftExpr
}
/** Holds when part of a bit expression is used in a logical operation. */
predicate useInLogicalOperations() {
exists(BinaryLogicalOperation blop, Expr exp |
blop.getAChild*() = exp and
exp.(FunctionCall).getTarget() = bfc.getTarget() and
not exp.getParent() instanceof ComparisonOperation and
not exp.getParent() instanceof BinaryBitwiseOperation
)
}
/** Holds when part of a bit expression is used as part of another supply. For example, as an argument to another function. */
predicate useInOtherCalls() {
bfc.hasQualifier() or
bfc.getTarget() instanceof Operator or
exists(FunctionCall fc | fc.getAnArgument().getAChild*() = this) or
bfc.getTarget() instanceof BuiltInFunction
}
/** Holds when the bit expression contains both arguments and a function call. */
predicate dangerousArgumentChecking() {
not this.getLeftOperand() instanceof Call and
globalValueNumber(this.getLeftOperand().getAChild*()) = globalValueNumber(bfc.getAnArgument())
}
/** Holds when function calls are present in the bit expression. */
predicate functionCallsInBitsExpression() {
this.getLeftOperand().getAChild*() instanceof FunctionCall
}
}
from DangerousBitOperations dbo
where
not dbo.useInOtherCalls() and
dbo.useInLogicalOperations() and
(not dbo.functionCallsInBitsExpression() or dbo.dangerousArgumentChecking())
select dbo, "This bitwise operation appears in a context where a Boolean operation is expected."

View File

@@ -1,11 +0,0 @@
if(len=funcReadData()==0) return 1; // BAD: variable `len` will not equal the value returned by function `funcReadData()`
...
if((len=funcReadData())==0) return 1; // GOOD: variable `len` equal the value returned by function `funcReadData()`
...
bool a=true;
a++;// BAD: variable `a` does not change its meaning
bool b;
b=-a;// BAD: variable `b` equal `true`
...
a=false;// GOOD: variable `a` equal `false`
b=!a;// GOOD: variable `b` equal `false`

View File

@@ -1,28 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Finding places of confusing use of boolean type. For example, a unary minus does not work before a boolean type and an increment always gives true.</p>
</overview>
<recommendation>
<p>we recommend making the code simpler.</p>
</recommendation>
<example>
<p>The following example demonstrates erroneous and fixed methods for using a boolean data type.</p>
<sample src="OperatorPrecedenceLogicErrorWhenUseBoolType.c" />
</example>
<references>
<li>
CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP00-C.+Use+parentheses+for+precedence+of+operation">EXP00-C. Use parentheses for precedence of operation</a>.
</li>
</references>
</qhelp>

View File

@@ -1,54 +0,0 @@
/**
* @name Operator Precedence Logic Error When Use Bool Type
* @description --Finding places of confusing use of boolean type.
* --For example, a unary minus does not work before a boolean type and an increment always gives true.
* @kind problem
* @id cpp/operator-precedence-logic-error-when-use-bool-type
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* external/cwe/cwe-783
* external/cwe/cwe-480
*/
import cpp
import semmle.code.cpp.valuenumbering.HashCons
/** Holds if `exp` increments a boolean value. */
predicate incrementBoolType(IncrementOperation exp) {
exp.getOperand().getType() instanceof BoolType
}
/** Holds if `exp` applies the unary minus operator to a boolean type. */
predicate revertSignBoolType(UnaryMinusExpr exp) {
exp.getAnOperand().getType() instanceof BoolType and
exp.getFullyConverted().getType() instanceof BoolType
}
/** Holds, if this is an expression, uses comparison and assignment outside of execution precedence. */
predicate assignBoolType(Expr exp) {
exists(ComparisonOperation co |
exp.(AssignExpr).getRValue() = co and
exp.isCondition() and
not co.isParenthesised() and
not exp.(AssignExpr).getLValue().getType() instanceof BoolType and
not exists(Expr exbl |
hashCons(exbl.(AssignExpr).getLValue()) = hashCons(exp.(AssignExpr).getLValue()) and
not exbl.isCondition() and
exbl.(AssignExpr).getRValue().getType() instanceof BoolType and
exbl.(AssignExpr).getLValue().getType() = exp.(AssignExpr).getLValue().getType()
) and
co.getLeftOperand() instanceof FunctionCall and
not co.getRightOperand().getType() instanceof BoolType and
not co.getRightOperand().getValue() = "0" and
not co.getRightOperand().getValue() = "1"
)
}
from Expr exp
where
incrementBoolType(exp) or
revertSignBoolType(exp) or
assignBoolType(exp)
select exp, "this expression needs attention"

View File

@@ -3,7 +3,7 @@
* @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
* If terminal zero is present, then the specified expression is meaningless.
* @kind problem
* @id cpp/access-memory-location-after-end-buffer-strlen
* @id cpp/access-memory-location-after-end-buffer
* @problem.severity warning
* @precision medium
* @tags correctness

View File

@@ -2,7 +2,7 @@
* @name Access Of Memory Location After The End Of A Buffer Using Strncat
* @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer.
* @kind problem
* @id cpp/access-memory-location-after-end-buffer-strncat
* @id cpp/access-memory-location-after-end-buffer
* @problem.severity warning
* @precision medium
* @tags correctness

View File

@@ -3,7 +3,6 @@
* @description All resources acquired by a class should be released by its destructor. Avoid the use of the 'open / close' pattern, since C++ constructors and destructors provide a safer way to handle resource acquisition and release. Best practice in C++ is to use the 'RAII' technique: constructors allocate resources and destructors free them.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision high
* @id cpp/resource-not-released-in-destructor
* @tags efficiency

View File

@@ -4,7 +4,6 @@
* may result in unexpected sign extension or overflow.
* @kind problem
* @problem.severity warning
* @problem.security-severity high
* @precision low
* @id cpp/signed-bit-field
* @tags correctness

View File

@@ -15,7 +15,6 @@
*/
private import cpp
private import semmle.code.cpp.models.interfaces.PointerWrapper
/**
* Holds if `f` is an instantiation of the `std::move` or `std::forward`
@@ -95,12 +94,6 @@ private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
or
exists(PointerWrapper wrapper, Call call | call = referenceOut |
referenceOut.getUnspecifiedType() instanceof ReferenceType and
call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
lvalueIn = call.getQualifier().getFullyConverted()
)
}
private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
@@ -113,13 +106,6 @@ private predicate referenceToPointerStep(Expr referenceIn, Expr pointerOut) {
stdAddressOf(call.getTarget()) and
referenceIn = call.getArgument(0).getFullyConverted()
)
or
exists(CopyConstructor copy, Call call | call = pointerOut |
copy.getDeclaringType() instanceof PointerWrapper and
call.getTarget() = copy and
// The 0'th argument is the value being copied.
referenceIn = call.getArgument(0).getFullyConverted()
)
}
private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
@@ -204,19 +190,6 @@ private predicate pointerToUpdate(Expr pointer, Expr outer, ControlFlowNode node
// See the `lvalueToUpdate` case for an explanation of this conjunct.
call.getType().isDeeplyConstBelow()
)
or
// Pointer wrappers behave as raw pointers for dataflow purposes.
outer = call.getAnArgument().getFullyConverted() and
exists(PointerWrapper wrapper | wrapper = outer.getType().stripTopLevelSpecifiers() |
not wrapper.pointsToConst()
)
or
outer = call.getQualifier().getFullyConverted() and
outer.getUnspecifiedType() instanceof PointerWrapper and
not (
call.getTarget().hasSpecifier("const") and
call.getType().isDeeplyConstBelow()
)
)
or
exists(PointerFieldAccess fa |
@@ -245,9 +218,7 @@ private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode
not stdIdentityFunction(call.getTarget()) and
not stdAddressOf(call.getTarget()) and
exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
not rt.getBaseType().isConst() or
rt.getBaseType().getUnspecifiedType() =
any(PointerWrapper wrapper | not wrapper.pointsToConst())
not rt.getBaseType().isConst()
)
) and
reference = outer

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
exists(Cc cc0 |
cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
}
private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp()
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
exists(Cc cc0 |
cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
}
private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp()
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
exists(Cc cc0 |
cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
}
private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp()
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
exists(Cc cc0 |
cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
}
private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp()
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
exists(Cc cc0 |
cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
}
private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp()
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -46,7 +46,7 @@ class Node extends TNode {
/**
* INTERNAL: Do not use. Alternative name for `getFunction`.
*/
final Function getEnclosingCallable() { result = this.getFunction() }
final Function getEnclosingCallable() { result = unique(Function f | f = this.getFunction() | f) }
/** Gets the type of this node. */
Type getType() { none() } // overridden in subclasses
@@ -324,7 +324,7 @@ private class VariablePartialDefinitionNode extends PartialDefinitionNode {
* A synthetic data flow node used for flow into a collection when an iterator
* write occurs in a callee.
*/
private class IteratorPartialDefinitionNode extends PartialDefinitionNode {
class IteratorPartialDefinitionNode extends PartialDefinitionNode {
override IteratorPartialDefinition pd;
override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
@@ -715,7 +715,6 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
}
private module FieldFlow {
private import DataFlowImplCommon
private import DataFlowImplLocal
private import DataFlowPrivate
@@ -748,7 +747,7 @@ private module FieldFlow {
exists(FieldConfiguration cfg | cfg.hasFlow(node1, node2)) and
// This configuration should not be able to cross function boundaries, but
// we double-check here just to be sure.
getNodeEnclosingCallable(node1) = getNodeEnclosingCallable(node2)
node1.getEnclosingCallable() = node2.getEnclosingCallable()
}
}

View File

@@ -7,7 +7,6 @@ private import semmle.code.cpp.controlflow.SSA
private import semmle.code.cpp.dataflow.internal.SubBasicBlocks
private import semmle.code.cpp.dataflow.internal.AddressFlow
private import semmle.code.cpp.models.implementations.Iterator
private import semmle.code.cpp.models.interfaces.PointerWrapper
/**
* A conceptual variable that is assigned only once, like an SSA variable. This
@@ -159,14 +158,18 @@ private module PartialDefinitions {
Expr innerDefinedExpr;
IteratorPartialDefinition() {
innerDefinedExpr = getInnerDefinedExpr(this, node) and
(
innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection)
or
innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and
collection instanceof IteratorParameter
) and
innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator
exists(Expr convertedInner |
not this instanceof Conversion and
valueToUpdate(convertedInner, this.getFullyConverted(), node) and
innerDefinedExpr = convertedInner.getUnconverted() and
(
innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection)
or
innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and
collection instanceof IteratorParameter
) and
innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator
)
or
// iterators passed by value without a copy constructor
exists(Call call |
@@ -204,18 +207,16 @@ private module PartialDefinitions {
}
}
private Expr getInnerDefinedExpr(Expr e, ControlFlowNode node) {
not e instanceof Conversion and
exists(Expr convertedInner |
valueToUpdate(convertedInner, e.getFullyConverted(), node) and
result = convertedInner.getUnconverted()
)
}
class VariablePartialDefinition extends PartialDefinition {
Expr innerDefinedExpr;
VariablePartialDefinition() { innerDefinedExpr = getInnerDefinedExpr(this, node) }
VariablePartialDefinition() {
not this instanceof Conversion and
exists(Expr convertedInner |
valueToUpdate(convertedInner, this.getFullyConverted(), node) and
innerDefinedExpr = convertedInner.getUnconverted()
)
}
deprecated override predicate partiallyDefines(Variable v) {
innerDefinedExpr = v.getAnAccess()
@@ -295,8 +296,7 @@ module FlowVar_internal {
// treating them as immutable, but for data flow it gives better results in
// practice to make the variable synonymous with its contents.
not v.getUnspecifiedType() instanceof ReferenceType and
not v instanceof IteratorParameter and
not v instanceof PointerWrapperParameter
not v instanceof IteratorParameter
}
/**
@@ -644,19 +644,10 @@ module FlowVar_internal {
predicate parameterIsNonConstReference(Parameter p) {
exists(ReferenceType refType |
refType = p.getUnderlyingType() and
(
not refType.getBaseType().isConst()
or
// A field of a parameter of type `const std::shared_ptr<A>& p` can still be changed even though
// the base type of the reference is `const`.
refType.getBaseType().getUnspecifiedType() =
any(PointerWrapper wrapper | not wrapper.pointsToConst())
)
not refType.getBaseType().isConst()
)
or
p instanceof IteratorParameter
or
p instanceof PointerWrapperParameter
}
/**
@@ -845,10 +836,6 @@ module FlowVar_internal {
IteratorParameter() { this.getUnspecifiedType() instanceof Iterator }
}
class PointerWrapperParameter extends Parameter {
PointerWrapperParameter() { this.getUnspecifiedType() instanceof PointerWrapper }
}
/**
* Holds if `v` is initialized to have value `assignedExpr`.
*/

View File

@@ -11,7 +11,6 @@
private import semmle.code.cpp.models.interfaces.DataFlow
private import semmle.code.cpp.models.interfaces.Taint
private import semmle.code.cpp.models.interfaces.Iterator
private import semmle.code.cpp.models.interfaces.PointerWrapper
private module DataFlow {
import semmle.code.cpp.dataflow.internal.DataFlowUtil
@@ -142,10 +141,7 @@ private predicate noFlowFromChildExpr(Expr e) {
or
e instanceof LogicalOrExpr
or
// Allow taint from `operator*` on smart pointers.
exists(Call call | e = call |
not call.getTarget() = any(PointerWrapper wrapper).getAnUnwrapperFunction()
)
e instanceof Call
or
e instanceof SizeofOperator
or

View File

@@ -314,7 +314,6 @@ class OverloadedPointerDereferenceFunction extends Function {
* T1 operator*(const T2 &);
* T1 a; T2 b;
* a = *b;
* ```
*/
class OverloadedPointerDereferenceExpr extends FunctionCall {
OverloadedPointerDereferenceExpr() {

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
exists(Cc cc0 |
cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
}
private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp()
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
exists(Cc cc0 |
cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
}
private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp()
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
exists(Cc cc0 |
cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
}
private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp()
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
exists(Cc cc0 |
cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
}
private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp()
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -362,22 +362,15 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
/**
* Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
* For instance, an update to a field of a struct containing only one field. Even if the store does
* have a chi instruction, a subsequent use of the result of the store may be linked directly to the
* result of the store as an inexact definition if the store totally overlaps the use. For these
* cases we attach the PostUpdateNode to the store instruction. There's no obvious pre update node
* for this case (as the entire memory is updated), so `getPreUpdateNode` is implemented as
* `none()`.
* For instance, an update to a field of a struct containing only one field. For these cases we
* attach the PostUpdateNode to the store instruction. There's no obvious pre update node for this case
* (as the entire memory is updated), so `getPreUpdateNode` is implemented as `none()`.
*/
private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
override StoreInstruction instr;
ExplicitSingleFieldStoreQualifierNode() {
(
instr.getAUse().isDefinitionInexact()
or
not exists(ChiInstruction chi | chi.getPartial() = instr)
) and
not exists(ChiInstruction chi | chi.getPartial() = instr) and
// Without this condition any store would create a `PostUpdateNode`.
instr.getDestinationAddress() instanceof FieldAddressInstruction
}

View File

@@ -6,7 +6,34 @@ private import semmle.code.cpp.ir.ValueNumbering
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private import PrintIRUtilities
/**
* Gets a short ID for an IR dataflow node.
* - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
* - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
* instruction and a dot (e.g. `m128.left`).
* - For `Variable`s, this is the qualified name of the variable.
*/
private string nodeId(DataFlow::Node node, int order1, int order2) {
exists(Instruction instruction | instruction = node.asInstruction() |
result = instruction.getResultId() and
order1 = instruction.getBlock().getDisplayIndex() and
order2 = instruction.getDisplayIndexInBlock()
)
or
exists(Operand operand, Instruction instruction |
operand = node.asOperand() and
instruction = operand.getUse()
|
result = instruction.getResultId() + "." + operand.getDumpId() and
order1 = instruction.getBlock().getDisplayIndex() and
order2 = instruction.getDisplayIndexInBlock()
)
or
result = "var(" + node.asVariable().getQualifiedName() + ")" and
order1 = 1000000 and
order2 = 0
}
/**
* Gets the local dataflow from other nodes in the same function to this node.

Some files were not shown because too many files have changed in this diff Show More