Skip to content

Commit 656ff4a

Browse files
MathiasVPMathiasVP
committed
C++: Add more QLDoc.
1 parent d70ea5f commit 656ff4a

File tree

1 file changed

+18
-1
lines changed

1 file changed

+18
-1
lines changed

cpp/ql/src/semmle/code/cpp/controlflow/StackVariableReachability.qll

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -145,6 +145,17 @@ private Condition getADirectCondition(BasicBlock b) {
145145
result.(LogicalCondition).getCondition().controls(b, result.(LogicalCondition).getTruthValue())
146146
}
147147

148+
/**
149+
* Like the shared dataflow library, the reachability analysis is split into two stages:
150+
* In the first stage, we compute an overapproximation of the possible control-flow paths where we don't
151+
* reason about path conditions. This stage is split into phases: A forward phase (computed by the
152+
* predicates prefixes with `fwd`), and a reverse phase (computed by the predicates prefixed with `rev`).
153+
*
154+
* The forward phease computes the set of control-flow nodes reachable from a given `source` and `v` such
155+
* that `config.isSource(source, v)` holds.
156+
*
157+
* See the QLDoc on `revBbSuccessorEntryReaches0` for a description of what the reverse phase computes.
158+
*/
148159
private predicate fwdBbSuccessorEntryReaches0(
149160
ControlFlowNode source, BasicBlock bb, SemanticStackVariable v,
150161
boolean skipsFirstLoopAlwaysTrueUponEntry, StackVariableReachability config
@@ -162,6 +173,10 @@ private predicate fwdBbSuccessorEntryReaches0(
162173
)
163174
}
164175

176+
/**
177+
* The second phase of the first stages computes, for each `source` and `v` pair such
178+
* that `config.isSource(source, v)`, which sinks are reachable from that `(source, v)` pair.
179+
*/
165180
private predicate revBbSuccessorEntryReaches0(
166181
ControlFlowNode source, BasicBlock bb, SemanticStackVariable v,
167182
boolean skipsFirstLoopAlwaysTrueUponEntry, StackVariableReachability config
@@ -368,7 +383,9 @@ abstract class StackVariableReachability extends string {
368383
}
369384

370385
/**
371-
* Holds if `cond` is a condition with a known truth value in `bb`.
386+
* Gets a condition with a known truth value in `bb` when the control-flow starts at the source
387+
* node `source` and we're tracking reachability using variable `v` (that is,
388+
* `this.isSource(source, v)` holds).
372389
*
373390
* This predicate is `pragma[noopt]` as it seems difficult to get the correct join order for the
374391
* recursive case otherwise:

0 commit comments

Comments
 (0)