Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

C++: Assume modelled functions always override buffers by default #15633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 14 commits into from
Feb 22, 2024
Merged

C++: Assume modelled functions always override buffers by default #15633

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
625c47f
C++: Add a testcase.
MathiasVP Feb 14, 2024
24a63ae
C++: Block flow by default.
MathiasVP Feb 15, 2024
7e9bf2a
C++: Add a model for 'partial updating' and extend models appropriately.
MathiasVP Feb 15, 2024
499ab08
C++: Currently, to catch flow in an example such as:
MathiasVP Feb 16, 2024
9b2019d
C++: Accept test changes.
MathiasVP Feb 16, 2024
497592a
C++: Add change note.
MathiasVP Feb 16, 2024
57c1bf5
C++: Add file-level QLDoc.
MathiasVP Feb 16, 2024
b407c86
C++: Make Code Scanning happy.
MathiasVP Feb 16, 2024
be54a41
C++: Accept query test changes.
MathiasVP Feb 16, 2024
aca3970
C++: Fix QLoc on 'isPartialWrite'.
MathiasVP Feb 22, 2024
671904d
C++: Fix QLoc on 'PartialFlowFunction'.
MathiasVP Feb 22, 2024
350d5bf
C++: Update QLDoc on 'modeledFlowBarrier'.
MathiasVP Feb 22, 2024
0bf29f0
Merge branch 'main' into model-experiments
MathiasVP Feb 22, 2024
c7ee5b2
Merge branch 'main' into model-experiments
MathiasVP Feb 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
C++: Accept test changes.
  • Loading branch information
@MathiasVP
MathiasVP committed Feb 16, 2024
commit 9b2019db6b3507d66226e896ba53974bbab27a10
4 changes: 2 additions & 2 deletions 4 cpp/ql/test/include/iterator.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ namespace std {
};

template<class Container>
constexpr back_insert_iterator<Container> back_inserter(Container& x) {
constexpr back_insert_iterator<Container> back_inserter(Container& x) { // $ ir-def=*x
return back_insert_iterator<Container>(x);
}

Expand All @@ -89,7 +89,7 @@ namespace std {
constexpr front_insert_iterator operator++(int);
};
template<class Container>
constexpr front_insert_iterator<Container> front_inserter(Container& x) {
constexpr front_insert_iterator<Container> front_inserter(Container& x) { // $ ir-def=*x
return front_insert_iterator<Container>(x);
}
}
Expand Down
2 changes: 1 addition & 1 deletion 2 cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ void bg_stackstruct(XY s1, XY s2) {
}
}

void bg_structptr(XY *p1, XY *p2) { // $ ast-def=p1 ast-def=p2
void bg_structptr(XY *p1, XY *p2) { // $ ast-def=p1 ast-def=p2 ir-def=*p1 ir-def=*p2
p1->x = source();
if (guarded(p1->x)) {
sink(p1->x); // $ SPURIOUS: ast
Expand Down
2 changes: 1 addition & 1 deletion 2 cpp/ql/test/library-tests/dataflow/dataflow-tests/clang.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ struct twoIntFields {
int getFirst() { return m1; }
};

void following_pointers( // $ ast-def=sourceStruct1_ptr
void following_pointers( // $ ast-def=sourceStruct1_ptr ir-def=*cleanArray1 ir-def=*sourceArray1 ir-def=*sourceStruct1_ptr
int sourceArray1[],
int cleanArray1[],
twoIntFields sourceStruct1,
Expand Down
12 changes: 6 additions & 6 deletions 12 cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ struct Bottom : Middle {
void notSink(int x) override { }
};

void VirtualDispatch(Bottom *bottomPtr, Bottom &bottomRef) { // $ ast-def=bottomPtr ast-def=bottomRef
void VirtualDispatch(Bottom *bottomPtr, Bottom &bottomRef) { // $ ast-def=bottomPtr ast-def=bottomRef ir-def=*bottomPtr ir-def=*bottomRef
Top *topPtr = bottomPtr, &topRef = bottomRef;

sink(topPtr->isSource1()); // $ ir MISSING: ast
Expand Down Expand Up @@ -65,11 +65,11 @@ Top *allocateBottom() {
return new Bottom();
}

void callSinkByPointer(Top *top) { // $ ast-def=top
void callSinkByPointer(Top *top) { // $ ast-def=top ir-def=*top
top->isSink(source()); // leads to MISSING from ast
}

void callSinkByReference(Top &top) { // $ ast-def=top
void callSinkByReference(Top &top) { // $ ast-def=top ir-def=*top
top.isSink(source()); // leads to MISSING from ast
}

Expand All @@ -81,11 +81,11 @@ void globalVirtualDispatch() {
x->isSink(source()); // $ MISSING: ast,ir
}

Top *identity(Top *top) { // $ ast-def=top
Top *identity(Top *top) { // $ ast-def=top ir-def=*top
return top;
}

void callIdentityFunctions(Top *top, Bottom *bottom) { // $ ast-def=bottom ast-def=top
void callIdentityFunctions(Top *top, Bottom *bottom) { // $ ast-def=bottom ast-def=top ir-def=*bottom ir-def=*top
identity(bottom)->isSink(source()); // $ MISSING: ast,ir
identity(top)->isSink(source()); // no flow
}
Expand Down Expand Up @@ -120,7 +120,7 @@ namespace virtual_inheritance {
struct Bottom : Middle {
};

void VirtualDispatch(Bottom *bottomPtr, Bottom &bottomRef) { // $ ast-def=bottomPtr ast-def=bottomRef
void VirtualDispatch(Bottom *bottomPtr, Bottom &bottomRef) { // $ ast-def=bottomPtr ast-def=bottomRef ir-def=*bottomPtr ir-def=*bottomRef
// Because the inheritance from `Top` is virtual, the following casts go
// directly from `Bottom` to `Top`, skipping `Middle`. That means we don't
// get flow from a `Middle` value to the call qualifier.
Expand Down
2 changes: 1 addition & 1 deletion 2 cpp/ql/test/library-tests/dataflow/dataflow-tests/example.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ typedef struct
char isTrue;
} MyBool;

void myTest_with_local_flow(MyBool *b, int pos) // $ ast-def=b
void myTest_with_local_flow(MyBool *b, int pos) // $ ast-def=b ir-def=*b
{
MyCoords coords = {0};

Expand Down
36 changes: 18 additions & 18 deletions 36 cpp/ql/test/library-tests/dataflow/dataflow-tests/flowOut.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ void source_ref(int *toTaint) { // $ ir-def=*toTaint ast-def=toTaint
void source_ref(char *toTaint) { // $ ir-def=*toTaint ast-def=toTaint
*toTaint = source();
}
void modify_copy(int* ptr) { // $ ast-def=ptr
void modify_copy(int* ptr) { // $ ast-def=ptr ir-def=*ptr
int deref = *ptr;
int* other = &deref;
source_ref(other);
Expand All @@ -19,7 +19,7 @@ void test_output_copy() {
sink(x); // clean
}

void modify(int* ptr) { // $ ast-def=ptr
void modify(int* ptr) { // $ ast-def=ptr ir-def=*ptr
int* deref = ptr;
int* other = &*deref;
source_ref(other);
Expand All @@ -31,7 +31,7 @@ void test_output() {
sink(x); // $ ir MISSING: ast
}

void modify_copy_of_pointer(int* p, unsigned len) { // $ ast-def=p
void modify_copy_of_pointer(int* p, unsigned len) { // $ ast-def=p ir-def=*p
int* p2 = new int[len];
for(unsigned i = 0; i < len; ++i) {
p2[i] = p[i];
Expand All @@ -46,7 +46,7 @@ void test_modify_copy_of_pointer() {
sink(x[0]); // $ SPURIOUS: ast // clean
}

void modify_pointer(int* p, unsigned len) { // $ ast-def=p
void modify_pointer(int* p, unsigned len) { // $ ast-def=p ir-def=*p
int** p2 = &p;
for(unsigned i = 0; i < len; ++i) {
*p2[i] = p[i];
Expand All @@ -63,17 +63,17 @@ void test_modify_of_pointer() {

char* strdup(const char* p);

void modify_copy_via_strdup(char* p) { // $ ast-def=p
void modify_copy_via_strdup(char* p) { // $ ast-def=p ir-def=*p
char* p2 = strdup(p);
source_ref(p2);
}

void test_modify_copy_via_strdup(char* p) { // $ ast-def=p
void test_modify_copy_via_strdup(char* p) { // $ ast-def=p ir-def=*p
modify_copy_via_strdup(p);
sink(*p); // clean
}

int* deref(int** p) { // $ ast-def=p
int* deref(int** p) { // $ ast-def=p ir-def=*p ir-def=**p
int* q = *p;
return q;
}
Expand All @@ -90,7 +90,7 @@ void addtaint1(int* q) { // $ ast-def=q ir-def=*q
*q = source();
}

void addtaint2(int** p) { // $ ast-def=p
void addtaint2(int** p) { // $ ast-def=p ir-def=*p ir-def=**p
int* q = *p;
addtaint1(q);
}
Expand All @@ -106,13 +106,13 @@ using size_t = decltype(sizeof(int));

void* memcpy(void* dest, const void* src, size_t);

void modify_copy_via_memcpy(char* p) { // $ ast-def=p
void modify_copy_via_memcpy(char* p) { // $ ast-def=p ir-def=*p
char* dest;
char* p2 = (char*)memcpy(dest, p, 10);
source_ref(p2);
}

void test_modify_copy_via_memcpy(char* p) { // $ ast-def=p
void test_modify_copy_via_memcpy(char* p) { // $ ast-def=p ir-def=*p
modify_copy_via_memcpy(p);
sink(*p); // clean
}
Expand All @@ -134,29 +134,29 @@ void source_ref_ref(char** toTaint) { // $ ast-def=toTaint ir-def=*toTaint ir-de
// This function copies the value of **p into a new location **p2 and then
// taints **p. Thus, **p does not contain tainted data after returning from
// this function.
void modify_copy_via_strdup_ptr_001(char** p) { // $ ast-def=p
void modify_copy_via_strdup_ptr_001(char** p) { // $ ast-def=p ir-def=*p ir-def=**p
// **p -> **p2
char** p2 = strdup_ptr_001(p);
// source -> **p2
source_ref_ref(p2);
}

void test_modify_copy_via_strdup_001(char** p) { // $ ast-def=p
void test_modify_copy_via_strdup_001(char** p) { // $ ast-def=p ir-def=*p ir-def=**p
modify_copy_via_strdup_ptr_001(p);
sink(**p); // clean
}

// This function copies the value of *p into a new location *p2 and then
// taints **p2. Thus, **p contains tainted data after returning from this
// function.
void modify_copy_via_strdup_ptr_011(char** p) { // $ ast-def=p
void modify_copy_via_strdup_ptr_011(char** p) { // $ ast-def=p ir-def=*p ir-def=**p
// **p -> **p2 and *p -> *p2
char** p2 = strdup_ptr_011(p);
// source -> **p2
source_ref_ref(p2);
}

void test_modify_copy_via_strdup_011(char** p) { // $ ast-def=p
void test_modify_copy_via_strdup_011(char** p) { // $ ast-def=p ir-def=*p ir-def=**p
modify_copy_via_strdup_ptr_011(p);
sink(**p); // $ ir MISSING: ast
}
Expand All @@ -171,7 +171,7 @@ void source_ref_2(char** toTaint) { // $ ast-def=toTaint ir-def=*toTaint ir-def=
// This function copies the value of p into a new location p2 and then
// taints *p2. Thus, *p contains tainted data after returning from this
// function.
void modify_copy_via_strdup_ptr_111_taint_ind(char** p) { // $ ast-def=p
void modify_copy_via_strdup_ptr_111_taint_ind(char** p) { // $ ast-def=p ir-def=*p ir-def=**p
// **p -> **p2, *p -> *p2, and p -> p2
char** p2 = strdup_ptr_111(p);
// source -> *p2
Expand All @@ -180,15 +180,15 @@ void modify_copy_via_strdup_ptr_111_taint_ind(char** p) { // $ ast-def=p

void sink(char*);

void test_modify_copy_via_strdup_111_taint_ind(char** p) { // $ ast-def=p
void test_modify_copy_via_strdup_111_taint_ind(char** p) { // $ ast-def=p ir-def=*p ir-def=**p
modify_copy_via_strdup_ptr_111_taint_ind(p);
sink(*p); // $ ir MISSING: ast
}

// This function copies the value of p into a new location p2 and then
// taints **p2. Thus, **p contains tainted data after returning from this
// function.
void modify_copy_via_strdup_ptr_111_taint_ind_ind(char** p) { // $ ast-def=p
void modify_copy_via_strdup_ptr_111_taint_ind_ind(char** p) { // $ ast-def=p ir-def=*p ir-def=**p
// **p -> **p2, *p -> *p2, and p -> p2
char** p2 = strdup_ptr_111(p);
// source -> **p2
Expand All @@ -197,7 +197,7 @@ void modify_copy_via_strdup_ptr_111_taint_ind_ind(char** p) { // $ ast-def=p

void sink(char*);

void test_modify_copy_via_strdup_111_taint_ind_ind(char** p) { // $ ast-def=p
void test_modify_copy_via_strdup_111_taint_ind_ind(char** p) { // $ ast-def=p ir-def=*p ir-def=**p
modify_copy_via_strdup_ptr_111_taint_ind_ind(p);
sink(**p); // $ ir MISSING: ast
}
2 changes: 1 addition & 1 deletion 2 cpp/ql/test/library-tests/dataflow/dataflow-tests/lambdas.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ void test_lambdas()
};
d(t, u);

auto e = [](int &a, int &b, int &c) { // $ ast-def=a ast-def=b ast-def=c ir-def=*c
auto e = [](int &a, int &b, int &c) { // $ ast-def=a ast-def=b ast-def=c ir-def=*c ir-def=*a ir-def=*b
sink(a); // $ ast,ir
sink(b);
c = source();
Expand Down
14 changes: 7 additions & 7 deletions 14 cpp/ql/test/library-tests/dataflow/dataflow-tests/ref.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ namespace withoutFields {
}

template<typename T>
void assignWrapper(T &lhs, T rhs) { // $ ast-def=lhs ast-def=lhs
void assignWrapper(T &lhs, T rhs) { // $ ast-def=lhs ast-def=lhs ir-def=*lhs
assign(lhs, rhs);
}

Expand Down Expand Up @@ -71,15 +71,15 @@ namespace withFields {
int val;
};

void assign(Int &lhs, int rhs) { // $ ast-def=lhs
void assign(Int &lhs, int rhs) { // $ ast-def=lhs ir-def=*lhs
lhs.val = rhs;
}

void assignWrapper(Int &lhs, int rhs) { // $ ast-def=lhs
void assignWrapper(Int &lhs, int rhs) { // $ ast-def=lhs ir-def=*lhs
assign(lhs, rhs);
}

void notAssign(Int &lhs, int rhs) { // $ ast-def=lhs
void notAssign(Int &lhs, int rhs) { // $ ast-def=lhs ir-def=*lhs
lhs.val = rhs;
// Field flow ignores that the field is subsequently overwritten, leading
// to false flow here.
Expand All @@ -90,22 +90,22 @@ namespace withFields {
}
}

void sourceToParam(Int &out) { // $ ast-def=out
void sourceToParam(Int &out) { // $ ast-def=out ir-def=*out
out.val = source();
if (arbitrary) {
out.val = 1;
}
}

void sourceToParamWrapper(Int &out) { // $ ast-def=out
void sourceToParamWrapper(Int &out) { // $ ast-def=out ir-def=*out
if (arbitrary) {
sourceToParam(out);
} else {
out.val = 1;
}
}

void notSource(Int &out) { // $ ast-def=out
void notSource(Int &out) { // $ ast-def=out ir-def=*out
out.val = source();
// Field flow ignores that the field is subsequently overwritten, leading
// to false flow here.
Expand Down
4 changes: 2 additions & 2 deletions 4 cpp/ql/test/library-tests/dataflow/dataflow-tests/self_parameter_flow.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,12 @@ void incr(unsigned char **ps) // $ ast-def=ps ir-def=*ps ir-def=**ps
*ps += 1;
}

void callincr(unsigned char *s) // $ ast-def=s
void callincr(unsigned char *s) // $ ast-def=s ir-def=*s
{
incr(&s);
}

void test(unsigned char *s) // $ ast-def=s
void test(unsigned char *s) // $ ast-def=s ir-def=*s
{
callincr(s); // $ flow
}
1 change: 1 addition & 0 deletions 1 cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -264,6 +264,7 @@ irFlow
| test.cpp:576:17:576:31 | *call to indirect_source | test.cpp:568:10:568:19 | * ... |
| test.cpp:576:17:576:31 | *call to indirect_source | test.cpp:572:10:572:19 | * ... |
| test.cpp:576:17:576:31 | *call to indirect_source | test.cpp:578:10:578:19 | * ... |
| test.cpp:583:11:583:16 | call to source | test.cpp:590:8:590:8 | x |
| test.cpp:594:12:594:26 | *call to indirect_source | test.cpp:597:8:597:13 | * ... |
| test.cpp:601:20:601:20 | intPointerSource output argument | test.cpp:603:8:603:9 | * ... |
| test.cpp:607:20:607:20 | intPointerSource output argument | test.cpp:609:8:609:9 | * ... |
Expand Down
Loading
Morty Proxy This is a proxified and sanitized view of the page, visit original site.