mirror of
https://github.com/github/codeql.git
synced 2026-03-11 01:56:47 +01:00
2b80aee557
This sort of fixes one FP and causes a new FN, but for the wrong reasons. The IR dataflow is tracking the reference itself, rather than the referred-to object. Once we can better model indirections, we can make this work correctly. This change is still the right thing to do, because it ensures that the dataflow is looking at actual expression being computed by the instruction.
30 lines
846 B
Plaintext
30 lines
846 B
Plaintext
import cpp
|
|
import semmle.code.cpp.ir.dataflow.DataFlow
|
|
|
|
/** Common data flow configuration to be used by tests. */
|
|
class TestAllocationConfig extends DataFlow::Configuration {
|
|
TestAllocationConfig() {
|
|
this = "TestAllocationConfig"
|
|
}
|
|
|
|
override predicate isSource(DataFlow::Node source) {
|
|
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
|
or
|
|
source.asParameter().getName().matches("source%")
|
|
or
|
|
// Track uninitialized variables
|
|
exists(source.asUninitialized())
|
|
}
|
|
|
|
override predicate isSink(DataFlow::Node sink) {
|
|
exists(FunctionCall call |
|
|
call.getTarget().getName() = "sink" and
|
|
sink.asExpr() = call.getAnArgument().getFullyConverted()
|
|
)
|
|
}
|
|
|
|
override predicate isBarrier(DataFlow::Node barrier) {
|
|
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
|
|
}
|
|
}
|