C++: Fix join order problem in TaintedAllocationSize

jketema · jketema · commit 79fa79a80634 · 2025-01-22T21:03:44.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -685,6 +685,12 @@ class IRGuardCondition extends Instruction {
     unary_compares_eq(valueNumber(this), op, k, areEqual, value)
   }
 
+  bindingset[block, value]
+  pragma[inline_late]
+  private predicate ensuresEqvalueControls(IRBlock block, AbstractValue value) {
+    this.valueControls(block, value)
+  }
+
   /**
    * Holds if (determined by this guard) `left == right + k` must be `areEqual` in `block`.
    * If `areEqual = false` then this implies `left != right + k`.
@@ -693,7 +699,7 @@ class IRGuardCondition extends Instruction {
   predicate ensuresEq(Operand left, Operand right, int k, IRBlock block, boolean areEqual) {
     exists(AbstractValue value |
       compares_eq(valueNumber(this), left, right, k, areEqual, value) and
-      this.valueControls(block, value)
+      this.ensuresEqvalueControls(block, value)
     )
   }
 
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -46,10 +46,13 @@ predicate hasUpperBoundsCheck(Variable var) {
   )
 }
 
-predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
-  exists(Instruction instr | instr = node.asOperand().getDef() |
-    readsVariable(instr, checkedVar) and
-    any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
+predicate nodeHasBarrierEquality(DataFlow::Node node) {
+  exists(Variable checkedVar, Operand access |
+    readsVariable(access.getDef(), checkedVar) and
+    exists(Instruction instr | instr = node.asOperand().getDef() |
+      readsVariable(pragma[only_bind_into](instr), pragma[only_bind_into](checkedVar)) and
+      any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
+    )
   )
 }
 
@@ -76,10 +79,7 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
       hasUpperBoundsCheck(checkedVar)
     )
     or
-    exists(Variable checkedVar, Operand access |
-      readsVariable(access.getDef(), checkedVar) and
-      nodeIsBarrierEqualityCandidate(node, access, checkedVar)
-    )
+    nodeHasBarrierEquality(node)
     or
     // block flow to inside of identified allocation functions (this flow leads
     // to duplicate results)

Original file line number	Diff line number	Diff line change
`@@ -685,6 +685,12 @@ class IRGuardCondition extends Instruction {`
`685`	`685`	`unary_compares_eq(valueNumber(this), op, k, areEqual, value)`
`686`	`686`	`}`
`687`	`687`
	`688`	`+ bindingset[block, value]`
	`689`	`+ pragma[inline_late]`
	`690`	`+ private predicate ensuresEqvalueControls(IRBlock block, AbstractValue value) {`
	`691`	`+ this.valueControls(block, value)`
	`692`	`+ }`
	`693`	`+`
`688`	`694`	`/**`
`689`	`695`	* Holds if (determined by this guard) `left == right + k` must be `areEqual` in `block`.
`690`	`696`	* If `areEqual = false` then this implies `left != right + k`.
`@@ -693,7 +699,7 @@ class IRGuardCondition extends Instruction {`
`693`	`699`	`predicate ensuresEq(Operand left, Operand right, int k, IRBlock block, boolean areEqual) {`
`694`	`700`	`exists(AbstractValue value \|`
`695`	`701`	`compares_eq(valueNumber(this), left, right, k, areEqual, value) and`
`696`		`- this.valueControls(block, value)`
	`702`	`+ this.ensuresEqvalueControls(block, value)`
`697`	`703`	`)`
`698`	`704`	`}`
`699`	`705`
Original file line number	Diff line number	Diff line change
`@@ -46,10 +46,13 @@ predicate hasUpperBoundsCheck(Variable var) {`
`46`	`46`	`)`
`47`	`47`	`}`
`48`	`48`
`49`		`-predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {`
`50`		`- exists(Instruction instr \| instr = node.asOperand().getDef() \|`
`51`		`- readsVariable(instr, checkedVar) and`
`52`		`- any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)`
	`49`	`+predicate nodeHasBarrierEquality(DataFlow::Node node) {`
	`50`	`+ exists(Variable checkedVar, Operand access \|`
	`51`	`+ readsVariable(access.getDef(), checkedVar) and`
	`52`	`+ exists(Instruction instr \| instr = node.asOperand().getDef() \|`
	`53`	`+ readsVariable(pragma[only_bind_into](instr), pragma[only_bind_into](checkedVar)) and`
	`54`	`+ any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)`
	`55`	`+ )`
`53`	`56`	`)`
`54`	`57`	`}`
`55`	`58`
`@@ -76,10 +79,7 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {`
`76`	`79`	`hasUpperBoundsCheck(checkedVar)`
`77`	`80`	`)`
`78`	`81`	`or`
`79`		`- exists(Variable checkedVar, Operand access \|`
`80`		`- readsVariable(access.getDef(), checkedVar) and`
`81`		`- nodeIsBarrierEqualityCandidate(node, access, checkedVar)`
`82`		`- )`
	`82`	`+ nodeHasBarrierEquality(node)`
`83`	`83`	`or`
`84`	`84`	`// block flow to inside of identified allocation functions (this flow leads`
`85`	`85`	`// to duplicate results)`