The Wayback Machine - https://web.archive.org/web/20220108160624/https://github.com/github/codeql/pull/7521
Skip to content
Sign up
Sign in
Sign up
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

C++: Use Guards library in Overflow.qll #7521

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

C++: Use Guards library in Overflow.qll #7521

wants to merge 5 commits into from

Conversation

@rdmarsh2
Copy link
Contributor

@rdmarsh2 rdmarsh2 commented Jan 5, 2022

This replaces a partial reimplementation of the Guards library in Overflow.qll with uses of GuardCondition::ensuresLt, which handles cases where the controlled expression is not syntactically included in the controlling statement.
@rdmarsh2 rdmarsh2 requested a review from geoffw0 Jan 5, 2022
@rdmarsh2 rdmarsh2 requested a review from as a code owner Jan 5, 2022
@github-actions github-actions bot added the C++ label Jan 5, 2022
geoffw0
geoffw0 reviewed Jan 6, 2022
View changes
Copy link
Contributor

@geoffw0 geoffw0 left a comment

Code changes LGTM, perhaps we should do a DCA run to check for wider results and performance changes?

cpp/ql/lib/semmle/code/cpp/security/Overflow.qll Outdated
@@ -5,64 +5,27 @@

import cpp
import semmle.code.cpp.controlflow.Dominance
// `GlobalValueNumbering` is only imported to prevent IR re-evaluation.
Copy link
Contributor

@geoffw0 geoffw0 Jan 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this no longer true?

Copy link
Contributor Author

@rdmarsh2 rdmarsh2 Jan 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I experimented with using GVN but it didn't work out well. I'll re-add that line

rdmarsh2 added 2 commits Jan 6, 2022
@rdmarsh2
C++: test for guard-by-return in Overflow.qll
617bdbc
@rdmarsh2
C++: Use Guards library in Overflow.qll
355fc0a 
Replaces the ad-hoc guard handling with the Guards library. Fixes an
observed false positive pattern, and (hopefully) means some pragmas are
no longer necessary for performance.
@rdmarsh2 rdmarsh2 force-pushed the rdmarsh2/cpp/use-guards-in-overflow branch from cc6c418 to 355fc0a Jan 6, 2022
@rdmarsh2
Copy link
Contributor Author

@rdmarsh2 rdmarsh2 commented Jan 6, 2022

DCA run: github/codeql-dca-main#2269

@geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Jan 7, 2022

The DCA run looks fine.

geoffw0
geoffw0 reviewed Jan 7, 2022
View changes
Copy link
Contributor

@geoffw0 geoffw0 left a comment

Quick diff query here: https://lgtm.com/query/1144214176301359103/

  • the four lost results are exactly what we want to see
  • the new result is a surprise, but I'm not sure its genuinely new - I think I've seen it before. In any case it looks correct up to the lack of understanding the return value of read.

@rdmarsh2
Copy link
Contributor Author

@rdmarsh2 rdmarsh2 commented Jan 7, 2022

The old version used Loop, so the do-while bounds check excluded that new result. With the new version, the first iteration isn't guarded by the bounds check.

MathiasVP
MathiasVP reviewed Jan 7, 2022
View changes
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected Outdated
@@ -63,6 +87,14 @@ nodes
| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | buf | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:30:17:30:23 | tainted | test5.cpp:9:7:9:9 | buf | test5.cpp:30:17:30:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
Copy link
Contributor

@MathiasVP MathiasVP Jan 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a shame we don't catch this one anymore. I remember those imaxabs having a way-too-good influence on the Samate score (even though it's probably quite useful on real-world code).

Copy link
Contributor Author

@rdmarsh2 rdmarsh2 Jan 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's caused by a typo in guardedAbs. Unfortunately we also lose the good result on line 40 by fixing it.

Copy link
Contributor

@MathiasVP MathiasVP Jan 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, great! (I mean, it's not great that we lose the good result on line 40, but it's great that we don't gain any additional FPs 🎉).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MathiasVP MathiasVP

@geoffw0 geoffw0

Assignees
No one assigned
Labels
C++
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet
3 participants
@rdmarsh2 @geoffw0 @MathiasVP
Morty Proxy This is a proxified and sanitized view of the page, visit original site.