
Commit 22381f3

committed
C++: Demonstrate amount of field flow already present
1 parent ac68b62 commit 22381f3

3 files changed

Lines changed: 78 additions & 0 deletions


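--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -63,6 +63,7 @@ class Node extends TIRDataFlowNode {
 */
 Variable asVariable() { result = this.(VariableNode).getVariable() }
 
+
 /**
 * DEPRECATED: See UninitializedNode.
 *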
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
edges
2+
| aliasing.cpp:37:13:37:22 | call to user_input : void | aliasing.cpp:38:11:38:12 | m1 |
3+
| aliasing.cpp:42:11:42:20 | call to user_input : void | aliasing.cpp:43:13:43:14 | m1 |
4+
| aliasing.cpp:79:11:79:20 | call to user_input : void | aliasing.cpp:80:12:80:13 | m1 |
5+
| aliasing.cpp:86:10:86:19 | call to user_input : void | aliasing.cpp:87:12:87:13 | m1 |
6+
| aliasing.cpp:92:12:92:21 | call to user_input : void | aliasing.cpp:93:12:93:13 | m1 |
7+
| struct_init.c:20:20:20:29 | call to user_input : void | struct_init.c:22:11:22:11 | a |
8+
| struct_init.c:27:7:27:16 | call to user_input : void | struct_init.c:31:23:31:23 | a |
9+
nodes
10+
| aliasing.cpp:37:13:37:22 | call to user_input : void | semmle.label | call to user_input : void |
11+
| aliasing.cpp:38:11:38:12 | m1 | semmle.label | m1 |
12+
| aliasing.cpp:42:11:42:20 | call to user_input : void | semmle.label | call to user_input : void |
13+
| aliasing.cpp:43:13:43:14 | m1 | semmle.label | m1 |
14+
| aliasing.cpp:79:11:79:20 | call to user_input : void | semmle.label | call to user_input : void |
15+
| aliasing.cpp:80:12:80:13 | m1 | semmle.label | m1 |
16+
| aliasing.cpp:86:10:86:19 | call to user_input : void | semmle.label | call to user_input : void |
17+
| aliasing.cpp:87:12:87:13 | m1 | semmle.label | m1 |
18+
| aliasing.cpp:92:12:92:21 | call to user_input : void | semmle.label | call to user_input : void |
19+
| aliasing.cpp:93:12:93:13 | m1 | semmle.label | m1 |
20+
| struct_init.c:20:20:20:29 | call to user_input : void | semmle.label | call to user_input : void |
21+
| struct_init.c:22:11:22:11 | a | semmle.label | a |
22+
| struct_init.c:27:7:27:16 | call to user_input : void | semmle.label | call to user_input : void |
23+
| struct_init.c:31:23:31:23 | a | semmle.label | a |
24+
#select
25+
| aliasing.cpp:38:11:38:12 | m1 | aliasing.cpp:37:13:37:22 | call to user_input : void | aliasing.cpp:38:11:38:12 | m1 | m1 flows from $@ | aliasing.cpp:37:13:37:22 | call to user_input : void | call to user_input : void |
26+
| aliasing.cpp:43:13:43:14 | m1 | aliasing.cpp:42:11:42:20 | call to user_input : void | aliasing.cpp:43:13:43:14 | m1 | m1 flows from $@ | aliasing.cpp:42:11:42:20 | call to user_input : void | call to user_input : void |
27+
| aliasing.cpp:80:12:80:13 | m1 | aliasing.cpp:79:11:79:20 | call to user_input : void | aliasing.cpp:80:12:80:13 | m1 | m1 flows from $@ | aliasing.cpp:79:11:79:20 | call to user_input : void | call to user_input : void |
28+
| aliasing.cpp:87:12:87:13 | m1 | aliasing.cpp:86:10:86:19 | call to user_input : void | aliasing.cpp:87:12:87:13 | m1 | m1 flows from $@ | aliasing.cpp:86:10:86:19 | call to user_input : void | call to user_input : void |
29+
| aliasing.cpp:93:12:93:13 | m1 | aliasing.cpp:92:12:92:21 | call to user_input : void | aliasing.cpp:93:12:93:13 | m1 | m1 flows from $@ | aliasing.cpp:92:12:92:21 | call to user_input : void | call to user_input : void |
30+
| struct_init.c:22:11:22:11 | a | struct_init.c:20:20:20:29 | call to user_input : void | struct_init.c:22:11:22:11 | a | a flows from $@ | struct_init.c:20:20:20:29 | call to user_input : void | call to user_input : void |
31+
| struct_init.c:31:23:31:23 | a | struct_init.c:27:7:27:16 | call to user_input : void | struct_init.c:31:23:31:23 | a | a flows from $@ | struct_init.c:27:7:27:16 | call to user_input : void | call to user_input : void |
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
/**
2+
* @kind path-problem
3+
*/
4+
5+
import semmle.code.cpp.ir.dataflow.DataFlow
6+
import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
7+
import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
8+
import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl
9+
import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon
10+
import semmle.code.cpp.ir.IR
11+
import DataFlow::PathGraph
12+
import cpp
13+
14+
class Conf extends DataFlow::Configuration {
15+
Conf() { this = "FieldFlowConf" }
16+
17+
override predicate isSource(Node src) {
18+
src.asExpr() instanceof NewExpr
19+
or
20+
src.asExpr().(Call).getTarget().hasName("user_input")
21+
or
22+
exists(FunctionCall fc |
23+
fc.getAnArgument() = src.asDefiningArgument() and
24+
fc.getTarget().hasName("argument_source")
25+
)
26+
}
27+
28+
override predicate isSink(Node sink) {
29+
exists(Call c |
30+
c.getTarget().hasName("sink") and
31+
c.getAnArgument() = sink.asExpr()
32+
)
33+
}
34+
35+
override predicate isAdditionalFlowStep(Node a, Node b) {
36+
b.asPartialDefinition() =
37+
any(Call c | c.getTarget().hasName("insert") and c.getAnArgument() = a.asExpr())
38+
.getQualifier()
39+
or
40+
b.asExpr().(AddressOfExpr).getOperand() = a.asExpr()
41+
}
42+
}
43+
44+
from DataFlow::PathNode src, DataFlow::PathNode sink, Conf conf
45+
where conf.hasFlowPath(src, sink)
46+
select sink, src, sink, sink + " flows from $@", src, src.toString()
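Review bot: The QLDoc header of this new query holds only `@kind path-problem`, so nothing in the file says that the accompanying expected output is a snapshot of the field flow the IR library finds today rather than the full intended result. Going by the commit title that seems to be the purpose, and a reader could otherwise take the 7 `#select` rows as complete and overlook that any flow absent from them is a false negative for taint queries built on IR data flow. I would add a line to the header such as `* Baseline of field flow currently found by IR data flow; flows missing from the expected output are known gaps.` Separately, the imports of `DataFlowPrivate`, `DataFlowImpl`, `DataFlowImplCommon` and `semmle.code.cpp.ir.IR` do not appear to be referenced anywhere in the 46 added lines. If that holds, dropping them keeps the test from depending on internal modules.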
