
Commit ce9b018

committed
C++: Move bounds checkout out of 'operandGuardChecks' for clarity.
1 parent 8a49077 commit ce9b018


1 file changed

+15
-17
lines changed


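--- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
@@ -128,16 +128,13 @@ private module SizeBarrier {
 }
 
 /**
- * Holds if `left < large + state` holds if `g` evaluates to `edge`, where `large` is some
- * value that is equal to the size argument of an allocation.
+ * Holds if `left < nRight + k` holds if `g` evaluates to `edge`.
  */
-private predicate operandGuardChecks(IRGuardCondition g, Operand left, int state, boolean edge) {
-exists(DataFlow::Node nLeft, DataFlow::Node nRight, int k |
-nLeft.asOperand() = left and
-SizeBarrierConfig::isSink(nLeft, nRight, g, k, edge) and
-state = getAFlowStateForNode(nRight) and
-k <= state
-)
+private predicate operandGuardChecks(
+IRGuardCondition g, Operand left, DataFlow::Node right, int k, boolean edge
+) {
+flowTo(right) and
+SizeBarrierConfig::isSink(DataFlow::operandNode(left), right, g, k, edge)
 }
 
 /**
@@ -146,22 +143,23 @@ private module SizeBarrier {
 * whether `left <= size` where `size` is the size of an allocation.
 */
 Instruction getABarrierInstruction0(int delta, int k) {
-exists(IRGuardCondition g, ValueNumber value, Operand use, boolean edge |
-use = value.getAUse() and
+exists(IRGuardCondition g, ValueNumber value, Operand left, boolean edge, DataFlow::Node right |
+left = value.getAUse() and
 // We know:
 // 1. result <= value + delta (by `bounded`)
-// 2. value < size + k + 1 (by `operandGuardChecks`).
-// Condition 2 implies: value <= size + k, so if we know
+// 2. value < right + k + 1 (by `operandGuardChecks`).
+// Condition 2 implies: value <= right + k, so if we know
 // that `state >= k + delta` then we have:
 // result <= value + delta (by 1.)
-// <= size + k + delta (by 2.)
-// <= size + state (by the assumption).
+// <= right + k + delta (by 2.)
+// <= right + state (by the assumption).
 // Callers of `getABarrierInstruction0` should ensure that `state >= k + delta`
 // is satisfied.
-operandGuardChecks(pragma[only_bind_into](g), pragma[only_bind_into](use),
+operandGuardChecks(pragma[only_bind_into](g), pragma[only_bind_into](left), right,
 pragma[only_bind_into](k + 1), pragma[only_bind_into](edge)) and
 bounded(result, value.getAnInstruction(), delta) and
-g.controls(result.getBlock(), edge)
+g.controls(result.getBlock(), edge) and
+k + 1 <= getAFlowStateForNode(right)
 )
 }
 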
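Review bot: The new doc comment on `operandGuardChecks` refers to `nRight`, but the parameter in the new signature is named `right`, and the sentence explaining what the right-hand value is (a value equal to an allocation's size argument, in the removed text) was dropped even though the added `flowTo(right)` conjunct presumably still enforces that. I would write `* Holds if `left < right + k` holds if `g` evaluates to `edge`, where `right` is a node reached by the size-argument flow (`flowTo(right)`).` so the identifier matches the signature and the precondition is stated. Relatedly, the reasoning comment in `getABarrierInstruction0` argues in terms of `state`, but after this move nothing in the predicate names it; a trailing `// i.e. `state >= k + 1` with `state = getAFlowStateForNode(right)`` on the new last conjunct would tie the comment to the code it now describes.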
