C++: Add a barrier feature to 'MustFlow'.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll

@@ -31,6 +31,8 @@ abstract class MustFlowConfiguration extends string {
    */
   abstract predicate isSink(Operand sink);
 
+  predicate isBarrier(Instruction instr) { none() }
+
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -55,11 +57,14 @@ abstract class MustFlowConfiguration extends string {
 /** Holds if `node` flows from a source. */
 pragma[nomagic]
 private predicate flowsFromSource(Instruction node, MustFlowConfiguration config) {
-  config.isSource(node)
-  or
-  exists(Instruction mid |
-    step(mid, node, config) and
-    flowsFromSource(mid, pragma[only_bind_into](config))
+  not config.isBarrier(node) and
+  (
+    config.isSource(node)
+    or
+    exists(Instruction mid |
+      step(mid, node, config) and
+      flowsFromSource(mid, pragma[only_bind_into](config))
+    )
   )
 }
 

cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql

@@ -77,6 +77,8 @@ class MustFlow extends MustFlowConfiguration {
   override predicate isSink(Operand sink) { isSinkImpl(sink.getDef(), _) }
 
   override predicate allowInterproceduralFlow() { none() }
+
+  override predicate isBarrier(Instruction instr) { instr instanceof ChiInstruction }
 }
 
 from

cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected

@@ -1,9 +1,5 @@
 | test.cpp:12:6:12:8 | foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo |
 | test.cpp:113:6:113:8 | foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo |
-| test.cpp:121:6:121:8 | foo | The variable $@ may not be initialized at this access. | test.cpp:119:6:119:8 | foo | foo |
-| test.cpp:179:7:179:9 | foo | The variable $@ may not be initialized at this access. | test.cpp:177:7:177:9 | foo | foo |
-| test.cpp:192:7:192:9 | foo | The variable $@ may not be initialized at this access. | test.cpp:190:7:190:9 | foo | foo |
-| test.cpp:213:7:213:7 | x | The variable $@ may not be initialized at this access. | test.cpp:211:7:211:7 | x | x |
 | test.cpp:219:3:219:3 | x | The variable $@ may not be initialized at this access. | test.cpp:218:7:218:7 | x | x |
 | test.cpp:243:13:243:13 | i | The variable $@ may not be initialized at this access. | test.cpp:241:6:241:6 | i | i |
 | test.cpp:336:10:336:10 | a | The variable $@ may not be initialized at this access. | test.cpp:333:7:333:7 | a | a |

cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp

@@ -27,7 +27,7 @@ void test4(bool b) {
 	if (b) {
 		foo = 1;
 	}
-	use(foo); // BAD
+	use(foo); // BAD [NOT DETECTED]
 }
 
 void test5() {
@@ -43,7 +43,7 @@ void test5(int count) {
 	for (int i = 0; i < count; i++) {
 		foo = i;
 	}
-	use(foo); // BAD
+	use(foo); // BAD [NOT DETECTED]
 }
 
 void test6(bool b) {
@@ -52,7 +52,7 @@ void test6(bool b) {
 		foo = 42;
 	}
 	if (b) {
-		use(foo); // GOOD (REPORTED, FP)
+		use(foo); // GOOD
 	}
 }
 
@@ -64,7 +64,7 @@ void test7(bool b) {
 		set = true;
 	}
 	if (set) {
-		use(foo); // GOOD (REPORTED, FP)
+		use(foo); // GOOD
 	}
 }
 
@@ -89,7 +89,7 @@ void test9(int count) {
 	if (!set) {
 		foo = 42;
 	}
-	use(foo); // GOOD (REPORTED, FP)
+	use(foo); // GOOD
 }
 
 void test10() {
@@ -129,7 +129,7 @@ int absWrong(int i) {
 	} else if (i < 0) {
 		j = -i;
 	}
-	return j; // wrong: j may not be initialized before use
+	return j; // wrong: j may not be initialized before use [NOT DETECTED]
 }
 
 // Example from qhelp
@@ -326,7 +326,7 @@ int test28() {
 		a = false;
 		c = false;
 	}
-	return val; // GOOD [FALSE POSITIVE]
+	return val; // GOOD
 }
 
 int test29() {