C++: Don't consider additional loads when reusing dataflow operands.

MathiasVP · MathiasVP · commit c46f9e4572a5 · 2023-08-21T12:51:41.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -692,7 +692,7 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { storeStepImpl(node1,
 private predicate numberOfLoadsFromOperandRec(
   Operand operandFrom, Operand operandTo, int ind, boolean certain
 ) {
-  exists(Instruction load | Ssa::isDereference(load, operandFrom) |
+  exists(Instruction load | Ssa::isDereference(load, operandFrom, _) |
     operandTo = operandFrom and ind = 0 and certain = true
     or
     numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1, certain)
@@ -716,7 +716,7 @@ private predicate numberOfLoadsFromOperand(
 ) {
   numberOfLoadsFromOperandRec(operandFrom, operandTo, n, certain)
   or
-  not Ssa::isDereference(_, operandFrom) and
+  not Ssa::isDereference(_, operandFrom, _) and
   not conversionFlow(operandFrom, _, _, _) and
   operandFrom = operandTo and
   n = 0 and
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -610,7 +610,7 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
       hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
       hasOperandAndIndex(nTo, op2, indirectionIndex - 1) and
       instr = op2.getDef() and
-      isDereference(instr, op1)
+      isDereference(instr, op1, _)
     )
   )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -320,10 +320,12 @@ private module IteratorIndirections {
   }
 }
 
-predicate isDereference(Instruction deref, Operand address) {
-  any(Indirection ind).isAdditionalDereference(deref, address)
+predicate isDereference(Instruction deref, Operand address, boolean additional) {
+  any(Indirection ind).isAdditionalDereference(deref, address) and
+  additional = true
   or
-  deref.(LoadInstruction).getSourceAddressOperand() = address
+  deref.(LoadInstruction).getSourceAddressOperand() = address and
+  additional = false
 }
 
 predicate isWrite(Node0Impl value, Operand address, boolean certain) {
@@ -545,7 +547,7 @@ private module Cached {
       isDef(_, value, iteratorDerefAddress, iteratorBase, numberOfLoads + 2, 0) and
       isUse(_, iteratorAddress, iteratorBase, numberOfLoads + 1, 0) and
       iteratorBase.getResultType() instanceof Interfaces::Iterator and
-      isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse()) and
+      isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse(), _) and
       memory = read.getSideEffectOperand().getAnyDef()
     )
   }
@@ -786,7 +788,7 @@ private module Cached {
   ) {
     indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and
     exists(Instruction load |
-      isDereference(load, operand) and
+      isDereference(load, operand, false) and
       operandRepr = unique( | | getAUse(load)) and
       indirectionIndexRepr = indirectionIndex - 1
     )
@@ -806,7 +808,7 @@ private module Cached {
     indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and
     exists(Instruction load, Operand address |
       address.getDef() = instr and
-      isDereference(load, address) and
+      isDereference(load, address, false) and
       instrRepr = load and
       indirectionIndexRepr = indirectionIndex - 1
     )
@@ -829,7 +831,7 @@ private module Cached {
     or
     exists(int ind0 |
       exists(Operand address |
-        isDereference(operand.getDef(), address) and
+        isDereference(operand.getDef(), address, _) and
         isUseImpl(address, base, ind0)
       )
       or
@@ -899,7 +901,7 @@ private module Cached {
     )
     or
     exists(Operand address, boolean certain0 |
-      isDereference(operand.getDef(), address) and
+      isDereference(operand.getDef(), address, _) and
       isDefImpl(address, base, ind - 1, certain0)
     |
       if isCertainAddress(operand) then certain = certain0 else certain = false
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -57,7 +57,7 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
   )
   or
   // Taint flow from an address to its dereference.
-  Ssa::isDereference(instrTo, opFrom)
+  Ssa::isDereference(instrTo, opFrom, _)
   or
   // Unary instructions tend to preserve enough information in practice that we
   // want taint to flow through.
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -4,5 +4,4 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (taint
 WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:68,25-33)
 WARNING: Module TaintTracking has been deprecated and may be removed in future (taint.ql:73,20-33)
 testFailures
-| vector.cpp:532:10:532:12 | call to operator[] | Unexpected result: ir= |
 failures

Original file line number	Diff line number	Diff line change
`@@ -610,7 +610,7 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {`
`610`	`610`	`hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and`
`611`	`611`	`hasOperandAndIndex(nTo, op2, indirectionIndex - 1) and`
`612`	`612`	`instr = op2.getDef() and`
`613`		`- isDereference(instr, op1)`
	`613`	`+ isDereference(instr, op1, _)`
`614`	`614`	`)`
`615`	`615`	`)`
`616`	`616`	`}`
Original file line number	Diff line number	Diff line change
`@@ -320,10 +320,12 @@ private module IteratorIndirections {`
`320`	`320`	`}`
`321`	`321`	`}`
`322`	`322`
`323`		`-predicate isDereference(Instruction deref, Operand address) {`
`324`		`- any(Indirection ind).isAdditionalDereference(deref, address)`
	`323`	`+predicate isDereference(Instruction deref, Operand address, boolean additional) {`
	`324`	`+ any(Indirection ind).isAdditionalDereference(deref, address) and`
	`325`	`+ additional = true`
`325`	`326`	`or`
`326`		`- deref.(LoadInstruction).getSourceAddressOperand() = address`
	`327`	`+ deref.(LoadInstruction).getSourceAddressOperand() = address and`
	`328`	`+ additional = false`
`327`	`329`	`}`
`328`	`330`
`329`	`331`	`predicate isWrite(Node0Impl value, Operand address, boolean certain) {`
`@@ -545,7 +547,7 @@ private module Cached {`
`545`	`547`	`isDef(_, value, iteratorDerefAddress, iteratorBase, numberOfLoads + 2, 0) and`
`546`	`548`	`isUse(_, iteratorAddress, iteratorBase, numberOfLoads + 1, 0) and`
`547`	`549`	`iteratorBase.getResultType() instanceof Interfaces::Iterator and`
`548`		`- isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse()) and`
	`550`	`+ isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse(), _) and`
`549`	`551`	`memory = read.getSideEffectOperand().getAnyDef()`
`550`	`552`	`)`
`551`	`553`	`}`
`@@ -786,7 +788,7 @@ private module Cached {`
`786`	`788`	`) {`
`787`	`789`	`indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and`
`788`	`790`	`exists(Instruction load \|`
`789`		`- isDereference(load, operand) and`
	`791`	`+ isDereference(load, operand, false) and`
`790`	`792`	`operandRepr = unique( \| \| getAUse(load)) and`
`791`	`793`	`indirectionIndexRepr = indirectionIndex - 1`
`792`	`794`	`)`
`@@ -806,7 +808,7 @@ private module Cached {`
`806`	`808`	`indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and`
`807`	`809`	`exists(Instruction load, Operand address \|`
`808`	`810`	`address.getDef() = instr and`
`809`		`- isDereference(load, address) and`
	`811`	`+ isDereference(load, address, false) and`
`810`	`812`	`instrRepr = load and`
`811`	`813`	`indirectionIndexRepr = indirectionIndex - 1`
`812`	`814`	`)`
`@@ -829,7 +831,7 @@ private module Cached {`
`829`	`831`	`or`
`830`	`832`	`exists(int ind0 \|`
`831`	`833`	`exists(Operand address \|`
`832`		`- isDereference(operand.getDef(), address) and`
	`834`	`+ isDereference(operand.getDef(), address, _) and`
`833`	`835`	`isUseImpl(address, base, ind0)`
`834`	`836`	`)`
`835`	`837`	`or`
`@@ -899,7 +901,7 @@ private module Cached {`
`899`	`901`	`)`
`900`	`902`	`or`
`901`	`903`	`exists(Operand address, boolean certain0 \|`
`902`		`- isDereference(operand.getDef(), address) and`
	`904`	`+ isDereference(operand.getDef(), address, _) and`
`903`	`905`	`isDefImpl(address, base, ind - 1, certain0)`
`904`	`906`	`\|`
`905`	`907`	`if isCertainAddress(operand) then certain = certain0 else certain = false`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst`
`57`	`57`	`)`
`58`	`58`	`or`
`59`	`59`	`// Taint flow from an address to its dereference.`
`60`		`- Ssa::isDereference(instrTo, opFrom)`
	`60`	`+ Ssa::isDereference(instrTo, opFrom, _)`
`61`	`61`	`or`
`62`	`62`	`// Unary instructions tend to preserve enough information in practice that we`
`63`	`63`	`// want taint to flow through.`