C++: Add another column to 'conversionFlow'.

MathiasVP · MathiasVP · commit 7ecc3466cfc2 · 2023-01-30T09:13:42.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -370,7 +370,7 @@ class ReturnIndirectionNode extends IndirectReturnNode, ReturnNode {
 private Operand fullyConvertedCallStep(Operand op) {
   not exists(getANonConversionUse(op)) and
   exists(Instruction instr |
-    conversionFlow(op, instr, _) and
+    conversionFlow(op, instr, _, _) and
     result = getAUse(instr)
   )
 }
@@ -397,7 +397,7 @@ Operand getAUse(Instruction instr) {
  */
 private Instruction getANonConversionUse(Operand operand) {
   result = getUse(operand) and
-  not conversionFlow(_, result, _)
+  not conversionFlow(_, result, _, _)
 }
 
 /**
@@ -555,7 +555,7 @@ private predicate numberOfLoadsFromOperandRec(Operand operandFrom, Operand opera
   or
   exists(Operand op, Instruction instr |
     instr = op.getDef() and
-    conversionFlow(operandFrom, instr, _) and
+    conversionFlow(operandFrom, instr, _, _) and
     numberOfLoadsFromOperand(op, operandTo, ind)
   )
 }
@@ -568,7 +568,7 @@ private predicate numberOfLoadsFromOperand(Operand operandFrom, Operand operandT
   numberOfLoadsFromOperandRec(operandFrom, operandTo, n)
   or
   not Ssa::isDereference(_, operandFrom) and
-  not conversionFlow(operandFrom, _, _) and
+  not conversionFlow(operandFrom, _, _, _) and
   operandFrom = operandTo and
   n = 0
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -77,22 +77,32 @@ class FieldAddress extends Operand {
  *
  * `isPointerArith` is `true` if `instrTo` is a `PointerArithmeticInstruction` and `opFrom`
  * is the left operand.
+ *
+ * `additional` is `true` if the conversion is supplied by an implementation of the
+ * `Indirection` class. It is sometimes useful to exclude such conversions.
  */
-predicate conversionFlow(Operand opFrom, Instruction instrTo, boolean isPointerArith) {
+predicate conversionFlow(
+  Operand opFrom, Instruction instrTo, boolean isPointerArith, boolean additional
+) {
   isPointerArith = false and
   (
-    instrTo.(CopyValueInstruction).getSourceValueOperand() = opFrom
-    or
-    instrTo.(ConvertInstruction).getUnaryOperand() = opFrom
-    or
-    instrTo.(CheckedConvertOrNullInstruction).getUnaryOperand() = opFrom
-    or
-    instrTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom
+    additional = false and
+    (
+      instrTo.(CopyValueInstruction).getSourceValueOperand() = opFrom
+      or
+      instrTo.(ConvertInstruction).getUnaryOperand() = opFrom
+      or
+      instrTo.(CheckedConvertOrNullInstruction).getUnaryOperand() = opFrom
+      or
+      instrTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom
+    )
     or
+    additional = true and
     Ssa::isAdditionalConversionFlow(opFrom, instrTo)
   )
   or
   isPointerArith = true and
+  additional = false and
   instrTo.(PointerArithmeticInstruction).getLeftOperand() = opFrom
 }
 
@@ -1365,7 +1375,7 @@ private module Cached {
 
   private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
     // Treat all conversions as flow, even conversions between different numeric types.
-    conversionFlow(opFrom, iTo, false)
+    conversionFlow(opFrom, iTo, false, _)
     or
     iTo.(CopyInstruction).getSourceValueOperand() = opFrom
   }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -469,7 +469,7 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
     hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
     hasOperandAndIndex(nTo, op2, pragma[only_bind_into](indirectionIndex)) and
     instr = op2.getDef() and
-    conversionFlow(op1, instr, _)
+    conversionFlow(op1, instr, _, _)
   )
 }
 
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -652,7 +652,7 @@ private module Cached {
     exists(Operand mid, Instruction instr |
       isUseImpl(mid, base, ind) and
       instr = operand.getDef() and
-      conversionFlow(mid, instr, false)
+      conversionFlow(mid, instr, false, _)
     )
     or
     exists(int ind0 |
@@ -722,7 +722,7 @@ private module Cached {
     exists(Operand mid, Instruction instr, boolean certain0, boolean isPointerArith |
       isDefImpl(mid, base, ind, certain0) and
       instr = operand.getDef() and
-      conversionFlow(mid, instr, isPointerArith) and
+      conversionFlow(mid, instr, isPointerArith, _) and
       if isPointerArith = true then certain = false else certain = certain0
     )
     or

Original file line number	Diff line number	Diff line change
`@@ -370,7 +370,7 @@ class ReturnIndirectionNode extends IndirectReturnNode, ReturnNode {`
`370`	`370`	`private Operand fullyConvertedCallStep(Operand op) {`
`371`	`371`	`not exists(getANonConversionUse(op)) and`
`372`	`372`	`exists(Instruction instr \|`
`373`		`- conversionFlow(op, instr, _) and`
	`373`	`+ conversionFlow(op, instr, _, _) and`
`374`	`374`	`result = getAUse(instr)`
`375`	`375`	`)`
`376`	`376`	`}`
`@@ -397,7 +397,7 @@ Operand getAUse(Instruction instr) {`
`397`	`397`	`*/`
`398`	`398`	`private Instruction getANonConversionUse(Operand operand) {`
`399`	`399`	`result = getUse(operand) and`
`400`		`- not conversionFlow(_, result, _)`
	`400`	`+ not conversionFlow(_, result, _, _)`
`401`	`401`	`}`
`402`	`402`
`403`	`403`	`/**`
`@@ -555,7 +555,7 @@ private predicate numberOfLoadsFromOperandRec(Operand operandFrom, Operand opera`
`555`	`555`	`or`
`556`	`556`	`exists(Operand op, Instruction instr \|`
`557`	`557`	`instr = op.getDef() and`
`558`		`- conversionFlow(operandFrom, instr, _) and`
	`558`	`+ conversionFlow(operandFrom, instr, _, _) and`
`559`	`559`	`numberOfLoadsFromOperand(op, operandTo, ind)`
`560`	`560`	`)`
`561`	`561`	`}`
`@@ -568,7 +568,7 @@ private predicate numberOfLoadsFromOperand(Operand operandFrom, Operand operandT`
`568`	`568`	`numberOfLoadsFromOperandRec(operandFrom, operandTo, n)`
`569`	`569`	`or`
`570`	`570`	`not Ssa::isDereference(_, operandFrom) and`
`571`		`- not conversionFlow(operandFrom, _, _) and`
	`571`	`+ not conversionFlow(operandFrom, _, _, _) and`
`572`	`572`	`operandFrom = operandTo and`
`573`	`573`	`n = 0`
`574`	`574`	`}`
Original file line number	Diff line number	Diff line change
`@@ -469,7 +469,7 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {`
`469`	`469`	`hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and`
`470`	`470`	`hasOperandAndIndex(nTo, op2, pragma[only_bind_into](indirectionIndex)) and`
`471`	`471`	`instr = op2.getDef() and`
`472`		`- conversionFlow(op1, instr, _)`
	`472`	`+ conversionFlow(op1, instr, _, _)`
`473`	`473`	`)`
`474`	`474`	`}`
`475`	`475`