Compare commits

..

24 Commits

Author SHA1 Message Date
Max Schaefer
eb3d0f5b0e Add merlyn.md which explains the changes on this branch. 2021-04-19 15:04:21 +01:00
Max Schaefer
09cf8e8b01 Remove RequestHeaderAccess. 2021-04-19 15:04:21 +01:00
Max Schaefer
bd8212c090 Remove RequestInputAccess. 2021-04-19 15:04:21 +01:00
Max Schaefer
f106d186e4 Remove MultipartyRemoteFlow. 2021-04-19 15:04:21 +01:00
Max Schaefer
e2c84407b4 Revert changes to Express::RequestInputAccess in c45d84f8f3 and 9cacfab7c6. 2021-04-19 15:04:21 +01:00
Max Schaefer
67b15125c7 Revert changes to Express::RequestInputAccess in d84f1b47c2. 2021-04-19 15:04:21 +01:00
Max Schaefer
caf763a969 Revert changes to Express::RequestInputAccess in ed48efe5b4. 2021-04-19 15:04:21 +01:00
Max Schaefer
4f8f5048f3 Revert changes to Express::RequestInputAccess in 83f0514475. 2021-04-19 15:04:21 +01:00
Max Schaefer
2366679d9b Revert changes to Express::RequestInputAccess in e2fbf8a68c. 2021-04-19 15:04:21 +01:00
Max Schaefer
66399c055e Remove MicroBodyParserCall. 2021-04-19 15:04:21 +01:00
Max Schaefer
85c02a430e Remove ServerRequestDataEvent. 2021-04-19 15:04:20 +01:00
Max Schaefer
29945b8ed0 Remove VueRouterFlowSource. 2021-04-19 15:04:20 +01:00
Max Schaefer
a8ef1bc32a Remove ServerlessHandlerEventAsRemoteFlow. 2021-04-19 15:04:20 +01:00
Max Schaefer
0781a138af Remove ReceivedItemAsRemoteFlow. 2021-04-19 15:04:20 +01:00
Max Schaefer
6fd67c4d8e Remove ReactRouterSource. 2021-04-19 15:04:19 +01:00
Max Schaefer
89747ecf83 Revert changes to `PostMessageEventHandler in cb7de27. 2021-04-19 15:03:51 +01:00
Max Schaefer
c013e3f9c3 Remove NodeJSNetServerItemAsRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
3b14b27635 Remove NextParams. 2021-04-19 15:03:51 +01:00
Max Schaefer
2ae32be934 Revert changes to ClientRequestData from 0b55aed626. 2021-04-19 15:03:51 +01:00
Max Schaefer
6647f6b9c4 Remove FormidableRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
41ceb291de Remove BusBoyRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
615418d2e3 Remove AngularSource. 2021-04-19 15:03:49 +01:00
Max Schaefer
0ba76f7d0e Revert "JS: Move $() sink into separate dataflow config"
This reverts commit 50a015c73e.
2021-04-19 15:03:11 +01:00
Max Schaefer
d97a10ef8a Revert "JS: Address review comments"
This reverts commit c91cdb5194.
2021-04-19 14:57:18 +01:00
645 changed files with 4343 additions and 9003 deletions

View File

@@ -1,30 +0,0 @@
name: Mark stale issues
on:
workflow_dispatch:
schedule:
- cron: "30 1 * * *"
jobs:
stale:
if: github.repository == 'github/codeql'
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
days-before-stale: 14
days-before-close: 7
only-labels: awaiting-response
# do not mark PRs as stale
days-before-pr-stale: -1
days-before-pr-close: -1
# Uncomment for dry-run
# debug-only: true
# operations-per-run: 1000

View File

@@ -70,4 +70,3 @@
## Changes to libraries ## Changes to libraries
* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction. * The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.
* The class `DomBasedXss::Configuration` has been deprecated, as it has been split into `DomBasedXss::HtmlInjectionConfiguration` and `DomBasedXss::JQueryHtmlOrSelectorInjectionConfiguration`. Unless specifically working with jQuery sinks, subclasses should instead be based on `HtmlInjectionConfiguration`. To use both configurations in a query, see [Xss.ql](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/Xss.ql) for an example.

View File

@@ -56,10 +56,6 @@
"csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll", "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
"python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll" "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
], ],
"DataFlow Java/C# Flow Summaries": [
"java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
],
"SsaReadPosition Java/C#": [ "SsaReadPosition Java/C#": [
"java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll", "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll" "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"

View File

@@ -1,2 +0,0 @@
lgtm
* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/offset-use-before-range-check * @id cpp/offset-use-before-range-check
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.1
* @precision medium * @precision medium
* @tags reliability * @tags reliability
* security * security

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/descriptor-may-not-be-closed * @id cpp/descriptor-may-not-be-closed
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.8
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/descriptor-never-closed * @id cpp/descriptor-never-closed
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.8
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/file-may-not-be-closed * @id cpp/file-may-not-be-closed
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.8
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/file-never-closed * @id cpp/file-never-closed
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.8
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/inconsistent-nullness-testing * @id cpp/inconsistent-nullness-testing
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.5
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-476 * external/cwe/cwe-476

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/memory-may-not-be-freed * @id cpp/memory-may-not-be-freed
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.5
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-401 * external/cwe/cwe-401

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/memory-never-freed * @id cpp/memory-never-freed
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.5
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-401 * external/cwe/cwe-401

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/missing-null-test * @id cpp/missing-null-test
* @problem.severity recommendation * @problem.severity recommendation
* @problem.security-severity 7.5
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-476 * external/cwe/cwe-476

View File

@@ -3,7 +3,6 @@
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'. * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.5
* @precision high * @precision high
* @id cpp/new-free-mismatch * @id cpp/new-free-mismatch
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/overflow-calculated * @id cpp/overflow-calculated
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 9.8
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-131 * external/cwe/cwe-131

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/overflow-destination * @id cpp/overflow-destination
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.8
* @precision low * @precision low
* @tags reliability * @tags reliability
* security * security

View File

@@ -4,7 +4,6 @@
* may result in a buffer overflow. * may result in a buffer overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.8
* @precision medium * @precision medium
* @id cpp/static-buffer-overflow * @id cpp/static-buffer-overflow
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* an instance of the type of the pointer may result in a buffer overflow * an instance of the type of the pointer may result in a buffer overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.1
* @precision medium * @precision medium
* @id cpp/allocation-too-small * @id cpp/allocation-too-small
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* multiple instances of the type of the pointer may result in a buffer overflow * multiple instances of the type of the pointer may result in a buffer overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.1
* @precision medium * @precision medium
* @id cpp/suspicious-allocation-size * @id cpp/suspicious-allocation-size
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/use-after-free * @id cpp/use-after-free
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.8
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-416 * external/cwe/cwe-416

View File

@@ -6,7 +6,6 @@
* to a larger type. * to a larger type.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 8.1
* @precision very-high * @precision very-high
* @id cpp/bad-addition-overflow-check * @id cpp/bad-addition-overflow-check
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* be a sign that the result can overflow the type converted from. * be a sign that the result can overflow the type converted from.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.1
* @precision high * @precision high
* @id cpp/integer-multiplication-cast-to-long * @id cpp/integer-multiplication-cast-to-long
* @tags reliability * @tags reliability

View File

@@ -6,7 +6,6 @@
* use the width of the base type, leading to misaligned reads. * use the width of the base type, leading to misaligned reads.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.8
* @precision high * @precision high
* @tags correctness * @tags correctness
* reliability * reliability

View File

@@ -6,7 +6,6 @@
* from an untrusted source, this can be used for exploits. * from an untrusted source, this can be used for exploits.
* @kind problem * @kind problem
* @problem.severity recommendation * @problem.severity recommendation
* @problem.security-severity 9.8
* @precision high * @precision high
* @id cpp/non-constant-format * @id cpp/non-constant-format
* @tags maintainability * @tags maintainability

View File

@@ -3,7 +3,6 @@
* @description Using alloca in a loop can lead to a stack overflow * @description Using alloca in a loop can lead to a stack overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.5
* @precision high * @precision high
* @id cpp/alloca-in-loop * @id cpp/alloca-in-loop
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/improper-null-termination * @id cpp/improper-null-termination
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.8
* @tags security * @tags security
* external/cwe/cwe-170 * external/cwe/cwe-170
* external/cwe/cwe-665 * external/cwe/cwe-665

View File

@@ -4,7 +4,6 @@
* as the third argument may result in a buffer overflow. * as the third argument may result in a buffer overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.8
* @precision medium * @precision medium
* @id cpp/bad-strncpy-size * @id cpp/bad-strncpy-size
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* as the third argument may result in a buffer overflow. * as the third argument may result in a buffer overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.8
* @precision medium * @precision medium
* @id cpp/unsafe-strncat * @id cpp/unsafe-strncat
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/uninitialized-local * @id cpp/uninitialized-local
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.8
* @precision medium * @precision medium
* @tags security * @tags security
* external/cwe/cwe-665 * external/cwe/cwe-665

View File

@@ -4,7 +4,6 @@
* may result in a buffer overflow * may result in a buffer overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 9.8
* @precision medium * @precision medium
* @id cpp/unsafe-strcat * @id cpp/unsafe-strcat
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind path-problem * @kind path-problem
* @precision low * @precision low
* @problem.severity error * @problem.severity error
* @problem.security-severity 8.6
* @tags security external/cwe/cwe-20 * @tags security external/cwe/cwe-20
*/ */

View File

@@ -5,7 +5,6 @@
* @kind path-problem * @kind path-problem
* @precision low * @precision low
* @problem.severity error * @problem.severity error
* @problem.security-severity 8.6
* @tags security external/cwe/cwe-20 * @tags security external/cwe/cwe-20
*/ */

View File

@@ -4,7 +4,6 @@
* attacker to access unexpected resources. * attacker to access unexpected resources.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.8
* @precision medium * @precision medium
* @id cpp/path-injection * @id cpp/path-injection
* @tags security * @tags security

View File

@@ -5,7 +5,6 @@
* to command injection. * to command injection.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 9.8
* @precision low * @precision low
* @id cpp/command-line-injection * @id cpp/command-line-injection
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* allows for a cross-site scripting vulnerability. * allows for a cross-site scripting vulnerability.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 6.1
* @precision high * @precision high
* @id cpp/cgi-xss * @id cpp/cgi-xss
* @tags security * @tags security

View File

@@ -5,7 +5,6 @@
* to SQL Injection. * to SQL Injection.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 9.8
* @precision high * @precision high
* @id cpp/sql-injection * @id cpp/sql-injection
* @tags security * @tags security

View File

@@ -5,7 +5,6 @@
* commands. * commands.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.2
* @precision medium * @precision medium
* @id cpp/uncontrolled-process-operation * @id cpp/uncontrolled-process-operation
* @tags security * @tags security

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/overflow-buffer * @id cpp/overflow-buffer
* @problem.severity recommendation * @problem.severity recommendation
* @problem.security-severity 8.8
* @tags security * @tags security
* external/cwe/cwe-119 * external/cwe/cwe-119
* external/cwe/cwe-121 * external/cwe/cwe-121

View File

@@ -5,7 +5,6 @@
* overflow. * overflow.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 9.1
* @precision high * @precision high
* @id cpp/badly-bounded-write * @id cpp/badly-bounded-write
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* of data written may overflow. * of data written may overflow.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 9.1
* @precision medium * @precision medium
* @id cpp/overrunning-write * @id cpp/overrunning-write
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* take extreme values. * take extreme values.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 9.1
* @precision medium * @precision medium
* @id cpp/overrunning-write-with-float * @id cpp/overrunning-write-with-float
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* of data written may overflow. * of data written may overflow.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 9.1
* @precision medium * @precision medium
* @id cpp/unbounded-write * @id cpp/unbounded-write
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* a specific value to terminate the argument list. * a specific value to terminate the argument list.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 9.8
* @precision medium * @precision medium
* @id cpp/unterminated-variadic-call * @id cpp/unterminated-variadic-call
* @tags reliability * @tags reliability

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/unclear-array-index-validation * @id cpp/unclear-array-index-validation
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 9.8
* @tags security * @tags security
* external/cwe/cwe-129 * external/cwe/cwe-129
*/ */

View File

@@ -5,7 +5,6 @@
* terminator can cause a buffer overrun. * terminator can cause a buffer overrun.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 9.8
* @precision high * @precision high
* @id cpp/no-space-for-terminator * @id cpp/no-space-for-terminator
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* or data representation problems. * or data representation problems.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 9.8
* @precision high * @precision high
* @id cpp/tainted-format-string * @id cpp/tainted-format-string
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* or data representation problems. * or data representation problems.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 9.8
* @precision high * @precision high
* @id cpp/tainted-format-string-through-global * @id cpp/tainted-format-string-through-global
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/user-controlled-null-termination-tainted * @id cpp/user-controlled-null-termination-tainted
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 5.5
* @tags security * @tags security
* external/cwe/cwe-170 * external/cwe/cwe-170
*/ */

View File

@@ -4,7 +4,6 @@
* not validated can cause overflows. * not validated can cause overflows.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.1
* @precision low * @precision low
* @id cpp/tainted-arithmetic * @id cpp/tainted-arithmetic
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* validated can cause overflows. * validated can cause overflows.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.1
* @precision medium * @precision medium
* @id cpp/uncontrolled-arithmetic * @id cpp/uncontrolled-arithmetic
* @tags security * @tags security

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/arithmetic-with-extreme-values * @id cpp/arithmetic-with-extreme-values
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.1
* @precision low * @precision low
* @tags security * @tags security
* reliability * reliability

View File

@@ -5,7 +5,6 @@
* @id cpp/comparison-with-wider-type * @id cpp/comparison-with-wider-type
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.8
* @precision high * @precision high
* @tags reliability * @tags reliability
* security * security

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/integer-overflow-tainted * @id cpp/integer-overflow-tainted
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.1
* @precision low * @precision low
* @tags security * @tags security
* external/cwe/cwe-190 * external/cwe/cwe-190

View File

@@ -4,7 +4,6 @@
* user can result in integer overflow. * user can result in integer overflow.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 8.1
* @precision medium * @precision medium
* @id cpp/uncontrolled-allocation-size * @id cpp/uncontrolled-allocation-size
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/unsigned-difference-expression-compared-zero * @id cpp/unsigned-difference-expression-compared-zero
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.2
* @precision medium * @precision medium
* @tags security * @tags security
* correctness * correctness

View File

@@ -5,7 +5,6 @@
* vulnerable to spoofing attacks. * vulnerable to spoofing attacks.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.7
* @precision medium * @precision medium
* @id cpp/user-controlled-bypass * @id cpp/user-controlled-bypass
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* to an attacker. * to an attacker.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.5
* @precision medium * @precision medium
* @id cpp/cleartext-storage-buffer * @id cpp/cleartext-storage-buffer
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* to an attacker. * to an attacker.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 6.5
* @precision medium * @precision medium
* @id cpp/cleartext-storage-file * @id cpp/cleartext-storage-file
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* database can expose it to an attacker. * database can expose it to an attacker.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 6.5
* @precision medium * @precision medium
* @id cpp/cleartext-storage-database * @id cpp/cleartext-storage-database
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* an attacker to compromise security. * an attacker to compromise security.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 7.5
* @precision medium * @precision medium
* @id cpp/weak-cryptographic-algorithm * @id cpp/weak-cryptographic-algorithm
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* attackers to retrieve portions of memory. * attackers to retrieve portions of memory.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 7.5
* @precision very-high * @precision very-high
* @id cpp/openssl-heartbleed * @id cpp/openssl-heartbleed
* @tags security * @tags security

View File

@@ -5,7 +5,6 @@
* the two operations. * the two operations.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.0
* @precision medium * @precision medium
* @id cpp/toctou-race-condition * @id cpp/toctou-race-condition
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* @id cpp/unsafe-create-process-call * @id cpp/unsafe-create-process-call
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 7.8
* @precision medium * @precision medium
* @msrc.severity important * @msrc.severity important
* @tags security * @tags security

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/incorrect-string-type-conversion * @id cpp/incorrect-string-type-conversion
* @problem.severity error * @problem.severity error
* @problem.security-severity 9.8
* @precision high * @precision high
* @tags security * @tags security
* external/cwe/cwe-704 * external/cwe/cwe-704

View File

@@ -3,7 +3,6 @@
* @description Creating a file that is world-writable can allow an attacker to write to the file. * @description Creating a file that is world-writable can allow an attacker to write to the file.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.8
* @precision medium * @precision medium
* @id cpp/world-writable-file-creation * @id cpp/world-writable-file-creation
* @tags security * @tags security

View File

@@ -7,7 +7,6 @@
* @id cpp/unsafe-dacl-security-descriptor * @id cpp/unsafe-dacl-security-descriptor
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @problem.security-severity 7.8
* @precision high * @precision high
* @tags security * @tags security
* external/cwe/cwe-732 * external/cwe/cwe-732

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/infinite-loop-with-unsatisfiable-exit-condition * @id cpp/infinite-loop-with-unsatisfiable-exit-condition
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.5
* @tags security * @tags security
* external/cwe/cwe-835 * external/cwe/cwe-835
*/ */

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/redundant-null-check-param * @id cpp/redundant-null-check-param
* @problem.severity recommendation * @problem.severity recommendation
* @problem.security-severity 7.5
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-476 * external/cwe/cwe-476

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/late-check-of-function-argument * @id cpp/late-check-of-function-argument
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.6
* @precision medium * @precision medium
* @tags correctness * @tags correctness
* security * security

View File

@@ -3,7 +3,6 @@
* @description Use of one of the scanf functions without a specified length. * @description Use of one of the scanf functions without a specified length.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 9.8
* @id cpp/memory-unsafe-function-scan * @id cpp/memory-unsafe-function-scan
* @tags reliability * @tags reliability
* security * security

View File

@@ -3,7 +3,6 @@
* @description Using a multiplication result that may overflow in the size of an allocation may lead to buffer overflows when the allocated memory is used. * @description Using a multiplication result that may overflow in the size of an allocation may lead to buffer overflows when the allocated memory is used.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 8.1
* @precision low * @precision low
* @tags security * @tags security
* correctness * correctness

View File

@@ -6,7 +6,6 @@
* from these methods is not checked. * from these methods is not checked.
* @kind problem * @kind problem
* @problem.severity recommendation * @problem.severity recommendation
* @problem.security-severity 9.8
* @id cpp/drop-linux-privileges-outoforder * @id cpp/drop-linux-privileges-outoforder
* @tags security * @tags security
* external/cwe/cwe-273 * external/cwe/cwe-273

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/memory-leak-on-failed-call-to-realloc * @id cpp/memory-leak-on-failed-call-to-realloc
* @problem.severity warning * @problem.severity warning
* @problem.security-severity 7.5
* @precision medium * @precision medium
* @tags correctness * @tags correctness
* security * security

View File

@@ -1,4 +0,0 @@
if(len>0 & memset(buf,0,len)) return 1; // BAD: `memset` will be called regardless of the value of the `len` variable. moreover, one cannot be sure that it will happen after verification
...
if(len>0 && memset(buf,0,len)) return 1; // GOOD: `memset` will be called after the `len` variable has been checked.
...

View File

@@ -1,28 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Using bitwise operations can be a mistake in some situations. For example, if parameters are evaluated in an expression and the function should be called only upon certain test results. These bitwise operations look suspicious and require developer attention.</p>
</overview>
<recommendation>
<p>We recommend that you evaluate the correctness of using the specified bit operations.</p>
</recommendation>
<example>
<p>The following example demonstrates the erroneous and fixed use of bit and logical operations.</p>
<sample src="InsufficientControlFlowManagementWhenUsingBitOperations.c" />
</example>
<references>
<li>
CWE Common Weakness Enumeration:
<a href="https://cwe.mitre.org/data/definitions/691.html"> CWE-691: Insufficient Control Flow Management</a>.
</li>
</references>
</qhelp>

View File

@@ -1,78 +0,0 @@
/**
* @name Errors When Using Bit Operations
* @description Unlike the binary operations `||` and `&&`, there is no sequence point after evaluating an
* operand of a bitwise operation like `|` or `&`. If left-to-right evaluation is expected this may be confusing.
* @kind problem
* @id cpp/errors-when-using-bit-operations
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* external/cwe/cwe-691
*/
import cpp
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
/**
* Dangerous uses of bit operations.
* For example: `if(intA>0 & intA<10 & charBuf&myFunc(charBuf[intA]))`.
* In this case, the function will be called in any case, and even the sequence of the call is not guaranteed.
*/
class DangerousBitOperations extends BinaryBitwiseOperation {
FunctionCall bfc;
/**
* The assignment indicates the conscious use of the bit operator.
* Use in comparison, conversion, or return value indicates conscious use of the bit operator.
* The use of shifts and bitwise operations on any element of an expression indicates a conscious use of the bitwise operator.
*/
DangerousBitOperations() {
bfc = this.getRightOperand() and
not this.getParent*() instanceof Assignment and
not this.getParent*() instanceof Initializer and
not this.getParent*() instanceof ReturnStmt and
not this.getParent*() instanceof EqualityOperation and
not this.getParent*() instanceof UnaryLogicalOperation and
not this.getParent*() instanceof BinaryLogicalOperation and
not this.getAChild*() instanceof BitwiseXorExpr and
not this.getAChild*() instanceof LShiftExpr and
not this.getAChild*() instanceof RShiftExpr
}
/** Holds when part of a bit expression is used in a logical operation. */
predicate useInLogicalOperations() {
exists(BinaryLogicalOperation blop, Expr exp |
blop.getAChild*() = exp and
exp.(FunctionCall).getTarget() = bfc.getTarget() and
not exp.getParent() instanceof ComparisonOperation and
not exp.getParent() instanceof BinaryBitwiseOperation
)
}
/** Holds when part of a bit expression is used as part of another supply. For example, as an argument to another function. */
predicate useInOtherCalls() {
bfc.hasQualifier() or
bfc.getTarget() instanceof Operator or
exists(FunctionCall fc | fc.getAnArgument().getAChild*() = this) or
bfc.getTarget() instanceof BuiltInFunction
}
/** Holds when the bit expression contains both arguments and a function call. */
predicate dangerousArgumentChecking() {
not this.getLeftOperand() instanceof Call and
globalValueNumber(this.getLeftOperand().getAChild*()) = globalValueNumber(bfc.getAnArgument())
}
/** Holds when function calls are present in the bit expression. */
predicate functionCallsInBitsExpression() {
this.getLeftOperand().getAChild*() instanceof FunctionCall
}
}
from DangerousBitOperations dbo
where
not dbo.useInOtherCalls() and
dbo.useInLogicalOperations() and
(not dbo.functionCallsInBitsExpression() or dbo.dangerousArgumentChecking())
select dbo, "This bitwise operation appears in a context where a Boolean operation is expected."

View File

@@ -1,11 +0,0 @@
if(len=funcReadData()==0) return 1; // BAD: variable `len` will not equal the value returned by function `funcReadData()`
...
if((len=funcReadData())==0) return 1; // GOOD: variable `len` equal the value returned by function `funcReadData()`
...
bool a=true;
a++;// BAD: variable `a` does not change its meaning
bool b;
b=-a;// BAD: variable `b` equal `true`
...
a=false;// GOOD: variable `a` equal `false`
b=!a;// GOOD: variable `b` equal `false`

View File

@@ -1,28 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Finding places of confusing use of boolean type. For example, a unary minus does not work before a boolean type and an increment always gives true.</p>
</overview>
<recommendation>
<p>we recommend making the code simpler.</p>
</recommendation>
<example>
<p>The following example demonstrates erroneous and fixed methods for using a boolean data type.</p>
<sample src="OperatorPrecedenceLogicErrorWhenUseBoolType.c" />
</example>
<references>
<li>
CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP00-C.+Use+parentheses+for+precedence+of+operation">EXP00-C. Use parentheses for precedence of operation</a>.
</li>
</references>
</qhelp>

View File

@@ -1,54 +0,0 @@
/**
* @name Operator Precedence Logic Error When Use Bool Type
* @description --Finding places of confusing use of boolean type.
* --For example, a unary minus does not work before a boolean type and an increment always gives true.
* @kind problem
* @id cpp/operator-precedence-logic-error-when-use-bool-type
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* external/cwe/cwe-783
* external/cwe/cwe-480
*/
import cpp
import semmle.code.cpp.valuenumbering.HashCons
/** Holds if `exp` increments a boolean value. */
predicate incrementBoolType(IncrementOperation exp) {
exp.getOperand().getType() instanceof BoolType
}
/** Holds if `exp` applies the unary minus operator to a boolean type. */
predicate revertSignBoolType(UnaryMinusExpr exp) {
exp.getAnOperand().getType() instanceof BoolType and
exp.getFullyConverted().getType() instanceof BoolType
}
/** Holds, if this is an expression, uses comparison and assignment outside of execution precedence. */
predicate assignBoolType(Expr exp) {
exists(ComparisonOperation co |
exp.(AssignExpr).getRValue() = co and
exp.isCondition() and
not co.isParenthesised() and
not exp.(AssignExpr).getLValue().getType() instanceof BoolType and
not exists(Expr exbl |
hashCons(exbl.(AssignExpr).getLValue()) = hashCons(exp.(AssignExpr).getLValue()) and
not exbl.isCondition() and
exbl.(AssignExpr).getRValue().getType() instanceof BoolType and
exbl.(AssignExpr).getLValue().getType() = exp.(AssignExpr).getLValue().getType()
) and
co.getLeftOperand() instanceof FunctionCall and
not co.getRightOperand().getType() instanceof BoolType and
not co.getRightOperand().getValue() = "0" and
not co.getRightOperand().getValue() = "1"
)
}
from Expr exp
where
incrementBoolType(exp) or
revertSignBoolType(exp) or
assignBoolType(exp)
select exp, "this expression needs attention"

View File

@@ -3,7 +3,7 @@
* @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior. * @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
* If terminal zero is present, then the specified expression is meaningless. * If terminal zero is present, then the specified expression is meaningless.
* @kind problem * @kind problem
* @id cpp/access-memory-location-after-end-buffer-strlen * @id cpp/access-memory-location-after-end-buffer
* @problem.severity warning * @problem.severity warning
* @precision medium * @precision medium
* @tags correctness * @tags correctness

View File

@@ -2,7 +2,7 @@
* @name Access Of Memory Location After The End Of A Buffer Using Strncat * @name Access Of Memory Location After The End Of A Buffer Using Strncat
* @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer. * @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer.
* @kind problem * @kind problem
* @id cpp/access-memory-location-after-end-buffer-strncat * @id cpp/access-memory-location-after-end-buffer
* @problem.severity warning * @problem.severity warning
* @precision medium * @precision medium
* @tags correctness * @tags correctness
@@ -11,32 +11,54 @@
*/ */
import cpp import cpp
import semmle.code.cpp.models.implementations.Strcat
import semmle.code.cpp.valuenumbering.GlobalValueNumbering import semmle.code.cpp.valuenumbering.GlobalValueNumbering
/** /**
* Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and * A call to `strncat` of the form `strncat(buff, str, someExpr - strlen(buf))`, for some expression `someExpr` equal to `sizeof(buff)`.
* destination arguments, respectively.
*/ */
predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) { class WrongCallStrncat extends FunctionCall {
exists(StrcatFunction strcat | Expr leftsomeExpr;
strcat = call.getTarget() and
sizeArg = call.getArgument(strcat.getParamSize()) and WrongCallStrncat() {
destArg = call.getArgument(strcat.getParamDest()) this.getTarget().hasGlobalOrStdName("strncat") and
) // the expression of the first argument in `strncat` and `strnlen` is identical
globalValueNumber(this.getArgument(0)) =
globalValueNumber(this.getArgument(2).(SubExpr).getRightOperand().(StrlenCall).getStringExpr()) and
// using a string constant often speaks of manually calculating the length of the required buffer.
(
not this.getArgument(1) instanceof StringLiteral and
not this.getArgument(1) instanceof CharLiteral
) and
// for use in predicates
leftsomeExpr = this.getArgument(2).(SubExpr).getLeftOperand()
}
/**
* Holds if the left side of the expression `someExpr` equal to `sizeof(buf)`.
*/
predicate isExpressionEqualSizeof() {
// the left side of the expression `someExpr` is `sizeof(buf)`.
globalValueNumber(this.getArgument(0)) =
globalValueNumber(leftsomeExpr.(SizeofExprOperator).getExprOperand())
or
// value of the left side of the expression `someExpr` equal `sizeof(buf)` value, and `buf` is array.
leftsomeExpr.getValue().toInt() = this.getArgument(0).getType().getSize()
}
/**
* Holds if the left side of the expression `someExpr` equal to variable containing the length of the memory allocated for the buffer.
*/
predicate isVariableEqualValueSizegBuffer() {
// the left side of expression `someExpr` is the variable that was used in the function of allocating memory for the buffer`.
exists(AllocationExpr alc |
leftsomeExpr.(VariableAccess).getTarget() =
alc.(FunctionCall).getArgument(0).(VariableAccess).getTarget()
)
}
} }
from FunctionCall call, Expr sizeArg, Expr destArg, SubExpr sub, int n from WrongCallStrncat sc
where where
interestringCallWithArgs(call, sizeArg, destArg) and sc.isExpressionEqualSizeof() or
// The destination buffer is an array of size n sc.isVariableEqualValueSizegBuffer()
destArg.getUnspecifiedType().(ArrayType).getSize() = n and select sc, "if the used buffer is full, writing out of the buffer is possible"
// The size argument is equivalent to a subtraction
globalValueNumber(sizeArg).getAnExpr() = sub and
// ... where the left side of the subtraction is the constant n
globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
// ... and the right side of the subtraction is a call to `strlen` where the argument is the
// destination buffer.
globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
globalValueNumber(destArg).getAnExpr()
select call, "Possible out-of-bounds write due to incorrect size argument."

View File

@@ -15,7 +15,6 @@
*/ */
private import cpp private import cpp
private import semmle.code.cpp.models.interfaces.PointerWrapper
/** /**
* Holds if `f` is an instantiation of the `std::move` or `std::forward` * Holds if `f` is an instantiation of the `std::move` or `std::forward`
@@ -95,12 +94,6 @@ private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) { private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
lvalueIn.getConversion() = referenceOut.(ReferenceToExpr) lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
or
exists(PointerWrapper wrapper, Call call | call = referenceOut |
referenceOut.getUnspecifiedType() instanceof ReferenceType and
call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
lvalueIn = call.getQualifier().getFullyConverted()
)
} }
private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) { private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
@@ -113,13 +106,6 @@ private predicate referenceToPointerStep(Expr referenceIn, Expr pointerOut) {
stdAddressOf(call.getTarget()) and stdAddressOf(call.getTarget()) and
referenceIn = call.getArgument(0).getFullyConverted() referenceIn = call.getArgument(0).getFullyConverted()
) )
or
exists(CopyConstructor copy, Call call | call = pointerOut |
copy.getDeclaringType() instanceof PointerWrapper and
call.getTarget() = copy and
// The 0'th argument is the value being copied.
referenceIn = call.getArgument(0).getFullyConverted()
)
} }
private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) { private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
@@ -204,19 +190,6 @@ private predicate pointerToUpdate(Expr pointer, Expr outer, ControlFlowNode node
// See the `lvalueToUpdate` case for an explanation of this conjunct. // See the `lvalueToUpdate` case for an explanation of this conjunct.
call.getType().isDeeplyConstBelow() call.getType().isDeeplyConstBelow()
) )
or
// Pointer wrappers behave as raw pointers for dataflow purposes.
outer = call.getAnArgument().getFullyConverted() and
exists(PointerWrapper wrapper | wrapper = outer.getType().stripTopLevelSpecifiers() |
not wrapper.pointsToConst()
)
or
outer = call.getQualifier().getFullyConverted() and
outer.getUnspecifiedType() instanceof PointerWrapper and
not (
call.getTarget().hasSpecifier("const") and
call.getType().isDeeplyConstBelow()
)
) )
or or
exists(PointerFieldAccess fa | exists(PointerFieldAccess fa |
@@ -245,9 +218,7 @@ private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode
not stdIdentityFunction(call.getTarget()) and not stdIdentityFunction(call.getTarget()) and
not stdAddressOf(call.getTarget()) and not stdAddressOf(call.getTarget()) and
exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() | exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
not rt.getBaseType().isConst() or not rt.getBaseType().isConst()
rt.getBaseType().getUnspecifiedType() =
any(PointerWrapper wrapper | not wrapper.pointsToConst())
) )
) and ) and
reference = outer reference = outer

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and exists(Cc cc0 |
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
} }
private predicate localStep( private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and exists(Cc cc0 |
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
} }
private predicate localStep( private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and exists(Cc cc0 |
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
} }
private predicate localStep( private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and exists(Cc cc0 |
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
} }
private predicate localStep( private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and exists(Cc cc0 |
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
} }
private predicate localStep( private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -46,7 +46,7 @@ class Node extends TNode {
/** /**
* INTERNAL: Do not use. Alternative name for `getFunction`. * INTERNAL: Do not use. Alternative name for `getFunction`.
*/ */
final Function getEnclosingCallable() { result = this.getFunction() } final Function getEnclosingCallable() { result = unique(Function f | f = this.getFunction() | f) }
/** Gets the type of this node. */ /** Gets the type of this node. */
Type getType() { none() } // overridden in subclasses Type getType() { none() } // overridden in subclasses
@@ -324,7 +324,7 @@ private class VariablePartialDefinitionNode extends PartialDefinitionNode {
* A synthetic data flow node used for flow into a collection when an iterator * A synthetic data flow node used for flow into a collection when an iterator
* write occurs in a callee. * write occurs in a callee.
*/ */
private class IteratorPartialDefinitionNode extends PartialDefinitionNode { class IteratorPartialDefinitionNode extends PartialDefinitionNode {
override IteratorPartialDefinition pd; override IteratorPartialDefinition pd;
override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) } override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
@@ -715,7 +715,6 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
} }
private module FieldFlow { private module FieldFlow {
private import DataFlowImplCommon
private import DataFlowImplLocal private import DataFlowImplLocal
private import DataFlowPrivate private import DataFlowPrivate
@@ -748,7 +747,7 @@ private module FieldFlow {
exists(FieldConfiguration cfg | cfg.hasFlow(node1, node2)) and exists(FieldConfiguration cfg | cfg.hasFlow(node1, node2)) and
// This configuration should not be able to cross function boundaries, but // This configuration should not be able to cross function boundaries, but
// we double-check here just to be sure. // we double-check here just to be sure.
getNodeEnclosingCallable(node1) = getNodeEnclosingCallable(node2) node1.getEnclosingCallable() = node2.getEnclosingCallable()
} }
} }

View File

@@ -7,7 +7,6 @@ private import semmle.code.cpp.controlflow.SSA
private import semmle.code.cpp.dataflow.internal.SubBasicBlocks private import semmle.code.cpp.dataflow.internal.SubBasicBlocks
private import semmle.code.cpp.dataflow.internal.AddressFlow private import semmle.code.cpp.dataflow.internal.AddressFlow
private import semmle.code.cpp.models.implementations.Iterator private import semmle.code.cpp.models.implementations.Iterator
private import semmle.code.cpp.models.interfaces.PointerWrapper
/** /**
* A conceptual variable that is assigned only once, like an SSA variable. This * A conceptual variable that is assigned only once, like an SSA variable. This
@@ -159,14 +158,18 @@ private module PartialDefinitions {
Expr innerDefinedExpr; Expr innerDefinedExpr;
IteratorPartialDefinition() { IteratorPartialDefinition() {
innerDefinedExpr = getInnerDefinedExpr(this, node) and exists(Expr convertedInner |
( not this instanceof Conversion and
innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection) valueToUpdate(convertedInner, this.getFullyConverted(), node) and
or innerDefinedExpr = convertedInner.getUnconverted() and
innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and (
collection instanceof IteratorParameter innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection)
) and or
innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and
collection instanceof IteratorParameter
) and
innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator
)
or or
// iterators passed by value without a copy constructor // iterators passed by value without a copy constructor
exists(Call call | exists(Call call |
@@ -204,18 +207,16 @@ private module PartialDefinitions {
} }
} }
private Expr getInnerDefinedExpr(Expr e, ControlFlowNode node) {
not e instanceof Conversion and
exists(Expr convertedInner |
valueToUpdate(convertedInner, e.getFullyConverted(), node) and
result = convertedInner.getUnconverted()
)
}
class VariablePartialDefinition extends PartialDefinition { class VariablePartialDefinition extends PartialDefinition {
Expr innerDefinedExpr; Expr innerDefinedExpr;
VariablePartialDefinition() { innerDefinedExpr = getInnerDefinedExpr(this, node) } VariablePartialDefinition() {
not this instanceof Conversion and
exists(Expr convertedInner |
valueToUpdate(convertedInner, this.getFullyConverted(), node) and
innerDefinedExpr = convertedInner.getUnconverted()
)
}
deprecated override predicate partiallyDefines(Variable v) { deprecated override predicate partiallyDefines(Variable v) {
innerDefinedExpr = v.getAnAccess() innerDefinedExpr = v.getAnAccess()
@@ -295,8 +296,7 @@ module FlowVar_internal {
// treating them as immutable, but for data flow it gives better results in // treating them as immutable, but for data flow it gives better results in
// practice to make the variable synonymous with its contents. // practice to make the variable synonymous with its contents.
not v.getUnspecifiedType() instanceof ReferenceType and not v.getUnspecifiedType() instanceof ReferenceType and
not v instanceof IteratorParameter and not v instanceof IteratorParameter
not v instanceof PointerWrapperParameter
} }
/** /**
@@ -644,19 +644,10 @@ module FlowVar_internal {
predicate parameterIsNonConstReference(Parameter p) { predicate parameterIsNonConstReference(Parameter p) {
exists(ReferenceType refType | exists(ReferenceType refType |
refType = p.getUnderlyingType() and refType = p.getUnderlyingType() and
( not refType.getBaseType().isConst()
not refType.getBaseType().isConst()
or
// A field of a parameter of type `const std::shared_ptr<A>& p` can still be changed even though
// the base type of the reference is `const`.
refType.getBaseType().getUnspecifiedType() =
any(PointerWrapper wrapper | not wrapper.pointsToConst())
)
) )
or or
p instanceof IteratorParameter p instanceof IteratorParameter
or
p instanceof PointerWrapperParameter
} }
/** /**
@@ -845,10 +836,6 @@ module FlowVar_internal {
IteratorParameter() { this.getUnspecifiedType() instanceof Iterator } IteratorParameter() { this.getUnspecifiedType() instanceof Iterator }
} }
class PointerWrapperParameter extends Parameter {
PointerWrapperParameter() { this.getUnspecifiedType() instanceof PointerWrapper }
}
/** /**
* Holds if `v` is initialized to have value `assignedExpr`. * Holds if `v` is initialized to have value `assignedExpr`.
*/ */

View File

@@ -11,7 +11,6 @@
private import semmle.code.cpp.models.interfaces.DataFlow private import semmle.code.cpp.models.interfaces.DataFlow
private import semmle.code.cpp.models.interfaces.Taint private import semmle.code.cpp.models.interfaces.Taint
private import semmle.code.cpp.models.interfaces.Iterator private import semmle.code.cpp.models.interfaces.Iterator
private import semmle.code.cpp.models.interfaces.PointerWrapper
private module DataFlow { private module DataFlow {
import semmle.code.cpp.dataflow.internal.DataFlowUtil import semmle.code.cpp.dataflow.internal.DataFlowUtil
@@ -142,10 +141,7 @@ private predicate noFlowFromChildExpr(Expr e) {
or or
e instanceof LogicalOrExpr e instanceof LogicalOrExpr
or or
// Allow taint from `operator*` on smart pointers. e instanceof Call
exists(Call call | e = call |
not call.getTarget() = any(PointerWrapper wrapper).getAnUnwrapperFunction()
)
or or
e instanceof SizeofOperator e instanceof SizeofOperator
or or

View File

@@ -314,7 +314,6 @@ class OverloadedPointerDereferenceFunction extends Function {
* T1 operator*(const T2 &); * T1 operator*(const T2 &);
* T1 a; T2 b; * T1 a; T2 b;
* a = *b; * a = *b;
* ```
*/ */
class OverloadedPointerDereferenceExpr extends FunctionCall { class OverloadedPointerDereferenceExpr extends FunctionCall {
OverloadedPointerDereferenceExpr() { OverloadedPointerDereferenceExpr() {

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and exists(Cc cc0 |
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
} }
private predicate localStep( private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and exists(Cc cc0 |
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
} }
private predicate localStep( private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and exists(Cc cc0 |
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
} }
private predicate localStep( private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2133,8 +2133,11 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and exists(Cc cc0 |
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) cc = pragma[only_bind_into](cc0) and
localFlowEntry(node, config) and
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
)
} }
private predicate localStep( private predicate localStep(
@@ -3129,7 +3132,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -362,22 +362,15 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
/** /**
* Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to. * Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
* For instance, an update to a field of a struct containing only one field. Even if the store does * For instance, an update to a field of a struct containing only one field. For these cases we
* have a chi instruction, a subsequent use of the result of the store may be linked directly to the * attach the PostUpdateNode to the store instruction. There's no obvious pre update node for this case
* result of the store as an inexact definition if the store totally overlaps the use. For these * (as the entire memory is updated), so `getPreUpdateNode` is implemented as `none()`.
* cases we attach the PostUpdateNode to the store instruction. There's no obvious pre update node
* for this case (as the entire memory is updated), so `getPreUpdateNode` is implemented as
* `none()`.
*/ */
private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode { private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
override StoreInstruction instr; override StoreInstruction instr;
ExplicitSingleFieldStoreQualifierNode() { ExplicitSingleFieldStoreQualifierNode() {
( not exists(ChiInstruction chi | chi.getPartial() = instr) and
instr.getAUse().isDefinitionInexact()
or
not exists(ChiInstruction chi | chi.getPartial() = instr)
) and
// Without this condition any store would create a `PostUpdateNode`. // Without this condition any store would create a `PostUpdateNode`.
instr.getDestinationAddress() instanceof FieldAddressInstruction instr.getDestinationAddress() instanceof FieldAddressInstruction
} }

View File

@@ -6,7 +6,34 @@ private import semmle.code.cpp.ir.ValueNumbering
private import semmle.code.cpp.ir.IR private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.DataFlow private import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private import PrintIRUtilities
/**
* Gets a short ID for an IR dataflow node.
* - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
* - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
* instruction and a dot (e.g. `m128.left`).
* - For `Variable`s, this is the qualified name of the variable.
*/
private string nodeId(DataFlow::Node node, int order1, int order2) {
exists(Instruction instruction | instruction = node.asInstruction() |
result = instruction.getResultId() and
order1 = instruction.getBlock().getDisplayIndex() and
order2 = instruction.getDisplayIndexInBlock()
)
or
exists(Operand operand, Instruction instruction |
operand = node.asOperand() and
instruction = operand.getUse()
|
result = instruction.getResultId() + "." + operand.getDumpId() and
order1 = instruction.getBlock().getDisplayIndex() and
order2 = instruction.getDisplayIndexInBlock()
)
or
result = "var(" + node.asVariable().getQualifiedName() + ")" and
order1 = 1000000 and
order2 = 0
}
/** /**
* Gets the local dataflow from other nodes in the same function to this node. * Gets the local dataflow from other nodes in the same function to this node.

View File

@@ -1,33 +0,0 @@
/**
* Print the dataflow local store steps in IR dumps.
*/
private import cpp
// The `ValueNumbering` library has to be imported right after `cpp` to ensure
// that the cached IR gets the same checksum here as it does in queries that use
// `ValueNumbering` without `DataFlow`.
private import semmle.code.cpp.ir.ValueNumbering
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
private import PrintIRUtilities
/**
* Property provider for local IR dataflow store steps.
*/
class LocalFlowPropertyProvider extends IRPropertyProvider {
override string getInstructionProperty(Instruction instruction, string key) {
exists(DataFlow::Node objectNode, Content content |
key = "content[" + content.toString() + "]" and
instruction = objectNode.asInstruction() and
result =
strictconcat(string element, DataFlow::Node fieldNode |
storeStep(fieldNode, content, objectNode) and
element = nodeId(fieldNode, _, _)
|
element, ", "
)
)
}
}

View File

@@ -1,39 +0,0 @@
/**
* Shared utilities used when printing dataflow annotations in IR dumps.
*/
private import cpp
// The `ValueNumbering` library has to be imported right after `cpp` to ensure
// that the cached IR gets the same checksum here as it does in queries that use
// `ValueNumbering` without `DataFlow`.
private import semmle.code.cpp.ir.ValueNumbering
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.DataFlow
/**
* Gets a short ID for an IR dataflow node.
* - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
* - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
* instruction and a dot (e.g. `m128.left`).
* - For `Variable`s, this is the qualified name of the variable.
*/
string nodeId(DataFlow::Node node, int order1, int order2) {
exists(Instruction instruction | instruction = node.asInstruction() |
result = instruction.getResultId() and
order1 = instruction.getBlock().getDisplayIndex() and
order2 = instruction.getDisplayIndexInBlock()
)
or
exists(Operand operand, Instruction instruction |
operand = node.asOperand() and
instruction = operand.getUse()
|
result = instruction.getResultId() + "." + operand.getDumpId() and
order1 = instruction.getBlock().getDisplayIndex() and
order2 = instruction.getDisplayIndexInBlock()
)
or
result = "var(" + node.asVariable().getQualifiedName() + ")" and
order1 = 1000000 and
order2 = 0
}

View File

@@ -1,109 +0,0 @@
/**
* Predicates to compute the modeled side effects of calls during IR construction.
*
* These are used in `TranslatedElement.qll` to generate the `TTranslatedSideEffect` instances, and
* also in `TranslatedCall.qll` to inject the actual side effect instructions.
*/
private import cpp
private import semmle.code.cpp.ir.implementation.Opcode
private import semmle.code.cpp.models.interfaces.SideEffect
/**
* Holds if the specified call has a side effect that does not come from a `SideEffectFunction`
* model.
*/
private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buffer, boolean isWrite) {
not call.getTarget() instanceof SideEffectFunction and
(
exists(MemberFunction mfunc |
// A non-static member function, including a constructor or destructor, may write to `*this`,
// and may also read from `*this` if it is not a constructor.
i = -1 and
mfunc = call.getTarget() and
not mfunc.isStatic() and
buffer = false and
(
isWrite = false and not mfunc instanceof Constructor
or
isWrite = true and not mfunc instanceof ConstMemberFunction
)
)
or
exists(Expr expr |
// A pointer-like argument is assumed to read from the pointed-to buffer, and may write to the
// buffer as well unless the pointer points to a `const` value.
i >= 0 and
buffer = true and
expr = call.getArgument(i).getFullyConverted() and
exists(Type t | t = expr.getUnspecifiedType() |
t instanceof ArrayType or
t instanceof PointerType or
t instanceof ReferenceType
) and
(
isWrite = true and
not call.getTarget().getParameter(i).getType().isDeeplyConstBelow()
or
isWrite = false
)
)
)
}
/**
* Returns a side effect opcode for parameter index `i` of the specified call.
*
* This predicate will return at most two results: one read side effect, and one write side effect.
*/
Opcode getASideEffectOpcode(Call call, ParameterIndex i) {
exists(boolean buffer |
(
call.getTarget().(SideEffectFunction).hasSpecificReadSideEffect(i, buffer)
or
not call.getTarget() instanceof SideEffectFunction and
hasDefaultSideEffect(call, i, buffer, false)
) and
if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(i))
then (
buffer = true and
result instanceof Opcode::SizedBufferReadSideEffect
) else (
buffer = false and result instanceof Opcode::IndirectReadSideEffect
or
buffer = true and result instanceof Opcode::BufferReadSideEffect
)
)
or
exists(boolean buffer, boolean mustWrite |
(
call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(i, buffer, mustWrite)
or
not call.getTarget() instanceof SideEffectFunction and
hasDefaultSideEffect(call, i, buffer, true) and
mustWrite = false
) and
if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(i))
then (
buffer = true and
mustWrite = false and
result instanceof Opcode::SizedBufferMayWriteSideEffect
or
buffer = true and
mustWrite = true and
result instanceof Opcode::SizedBufferMustWriteSideEffect
) else (
buffer = false and
mustWrite = false and
result instanceof Opcode::IndirectMayWriteSideEffect
or
buffer = false and
mustWrite = true and
result instanceof Opcode::IndirectMustWriteSideEffect
or
buffer = true and mustWrite = false and result instanceof Opcode::BufferMayWriteSideEffect
or
buffer = true and mustWrite = true and result instanceof Opcode::BufferMustWriteSideEffect
)
)
}

Some files were not shown because too many files have changed in this diff Show More