Commit 40e02be

committed
C++: QLDoc Overflow.qll.
1 parent 0102322 commit 40e02be

1 file changed

+26
-10
lines changed

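--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -1,19 +1,25 @@
+/**
+* Provides predicates for reasoning about when the value of an expression is
+* guarded by an operation such as `<`, which confines its range.
+*/
+
 import cpp
 import semmle.code.cpp.controlflow.Dominance
 
-/*
-* Guarding
+/**
+* Holds if the value of `use` is guarded using `abs`.
 */
-
-/** is the size of this use guarded using 'abs'? */
 predicate guardedAbs(Operation e, Expr use) {
 exists(FunctionCall fc | fc.getTarget().getName() = "abs" |
 fc.getArgument(0).getAChild*() = use and
 guardedLesser(e, fc)
 )
 }
 
-/** This is `BasicBlock.getNode`, restricted to `Stmt` for performance. */
+/**
+* Gets the result of `BasicBlock.getNode`, but only on a `Stmt` (for
+* performance).
+*/
 pragma[noinline]
 private int getStmtIndexInBlock(BasicBlock block, Stmt stmt) { block.getNode(result) = stmt }
 
@@ -30,7 +36,9 @@ private predicate stmtDominates(Stmt dominator, Stmt dominated) {
 bbStrictlyDominates(dominator.getBasicBlock(), dominated.getBasicBlock())
 }
 
-/** is the size of this use guarded to be less than something? */
+/**
+* Holds if the value of `use` is guarded to be less than something.
+*/
 pragma[nomagic]
 predicate guardedLesser(Operation e, Expr use) {
 exists(IfStmt c, RelationalOperation guard |
@@ -54,7 +62,9 @@ predicate guardedLesser(Operation e, Expr use) {
 guardedAbs(e, use)
 }
 
-/** is the size of this use guarded to be greater than something? */
+/**
+* Holds if the value of `use` is guarded to be greater than something.
+*/
 pragma[nomagic]
 predicate guardedGreater(Operation e, Expr use) {
 exists(IfStmt c, RelationalOperation guard |
@@ -78,10 +88,14 @@ predicate guardedGreater(Operation e, Expr use) {
 guardedAbs(e, use)
 }
 
-/** a use of a given variable */
+/**
+* Gets a use of a given variable `v`.
+*/
 VariableAccess varUse(LocalScopeVariable v) { result = v.getAnAccess() }
 
-/** is e not guarded against overflow by use? */
+/**
+* Holds if `e` is not guarded against overflow by `use`.
+*/
 predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
 use = e.getAnOperand() and
 exists(LocalScopeVariable v | use.getTarget() = v |
@@ -100,7 +114,9 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
 )
 }
 
-/** is e not guarded against underflow by use? */
+/**
+* Holds if `e` is not guarded against underflow by `use`.
+*/
 predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
 use = e.getAnOperand() and
 exists(LocalScopeVariable v | use.getTarget() = v |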
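Review bot: The new QLDoc on `guardedAbs` (new lines 9-11) says only that `use` is guarded using `abs`; it leaves out the `e` parameter and the fact that the body accepts any call whose target is merely named `abs` (`fc.getTarget().getName() = "abs"`), with `use` anywhere beneath its first argument. Overflow queries built on this library presumably treat a match as evidence that the operand is range-checked, so the comment should say that this is a name-based heuristic, for example ``Holds if `use` occurs within the first argument of a call to a function named `abs`, and that call is guarded to be less than something for the operation `e` (see `guardedLesser`).`` The comments added for `guardedLesser` and `guardedGreater` omit `e` in the same way. Their bodies continue outside the hunks, so the exact role of `e` should be confirmed there before it is worded.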
