Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 56adcff

Browse files
geoffw0geoffw0
committed
CPP: Fix for LocalScopeReachability.
1 parent f4b4ddb commit 56adcff

3 files changed

Lines changed: 25 additions & 23 deletions

File tree

cpp/ql/src/semmle/code/cpp/controlflow/LocalScopeVariableReachability.qll

Lines changed: 20 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -131,20 +131,27 @@ private predicate bbLoopEntryConditionAlwaysTrueAt(BasicBlock bb, int i, Control
131131
}
132132

133133
/**
134-
* Basic block `pred` ends with a condition belonging to a loop, and that
135-
* condition is provably true upon entry. Basic block `succ` is a successor
136-
* of `pred`, and `skipsLoop` indicates whether `succ` is the false-successor
137-
* of `pred`.
134+
* Basic block `pred` contains all or part of the condition belonging to a loop,
135+
* and there is an edge from `pred` to `succ` that concludes the condition.
136+
* If the edge corrseponds with the loop condition being found to be `true`, then
137+
* `skipsLoop` is `false`. Otherwise the edge corresponds with the loop condition
138+
* being found to be `false` and `skipsLoop` is `true`. Non-concluding edges
139+
* within a complex loop condition are not matched by this predicate.
138140
*/
139141
private predicate bbLoopConditionAlwaysTrueUponEntrySuccessor(BasicBlock pred, BasicBlock succ, boolean skipsLoop) {
140-
succ = pred.getASuccessor() and
141-
exists(ControlFlowNode last |
142-
last = pred.getEnd() and
143-
loopConditionAlwaysTrueUponEntry(_, last) and
144-
if succ = pred.getAFalseSuccessor() then
145-
skipsLoop = true
146-
else
147-
skipsLoop = false
142+
exists(ControlFlowNode loop |
143+
loopConditionAlwaysTrueUponEntry(loop, _) and
144+
(
145+
(
146+
succ = loop.(Loop).getFollowingStmt() and
147+
pred.getAFalseSuccessor() = succ and
148+
skipsLoop = true
149+
) or (
150+
succ = loop.(Loop).getStmt() and
151+
pred.getATrueSuccessor() = succ and
152+
skipsLoop = false
153+
)
154+
)
148155
)
149156
}
150157

@@ -176,7 +183,7 @@ predicate bbSuccessorEntryReachesLoopInvariant(BasicBlock pred, BasicBlock succ,
176183
// The edge from `pred` to `succ` is _not_ from a loop condition provably
177184
// true upon entry, so the values of `predSkipsFirstLoopAlwaysTrueUponEntry`
178185
// and `succSkipsFirstLoopAlwaysTrueUponEntry` must be the same.
179-
not bbLoopConditionAlwaysTrueUponEntrySuccessor(pred, _, _) and
186+
not bbLoopConditionAlwaysTrueUponEntrySuccessor(pred, succ, _) and
180187
succSkipsFirstLoopAlwaysTrueUponEntry = predSkipsFirstLoopAlwaysTrueUponEntry and
181188
// Moreover, if `pred` contains the entry point of a loop where the
182189
// condition is provably true upon entry, then `succ` is not allowed

cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -8,12 +8,7 @@
88
| test.cpp:132:9:132:9 | j | The variable $@ may not be initialized here. | test.cpp:126:6:126:6 | j | j |
99
| test.cpp:219:3:219:3 | x | The variable $@ may not be initialized here. | test.cpp:218:7:218:7 | x | x |
1010
| test.cpp:243:13:243:13 | i | The variable $@ may not be initialized here. | test.cpp:241:6:241:6 | i | i |
11-
| test.cpp:268:9:268:11 | val | The variable $@ may not be initialized here. | test.cpp:261:6:261:8 | val | val |
12-
| test.cpp:292:9:292:11 | val | The variable $@ may not be initialized here. | test.cpp:285:6:285:8 | val | val |
13-
| test.cpp:304:9:304:11 | val | The variable $@ may not be initialized here. | test.cpp:297:6:297:8 | val | val |
14-
| test.cpp:316:9:316:11 | val | The variable $@ may not be initialized here. | test.cpp:309:6:309:8 | val | val |
1511
| test.cpp:329:9:329:11 | val | The variable $@ may not be initialized here. | test.cpp:321:6:321:8 | val | val |
1612
| test.cpp:336:10:336:10 | a | The variable $@ may not be initialized here. | test.cpp:333:7:333:7 | a | a |
17-
| test.cpp:342:9:342:11 | val | The variable $@ may not be initialized here. | test.cpp:334:6:334:8 | val | val |
1813
| test.cpp:369:10:369:10 | a | The variable $@ may not be initialized here. | test.cpp:358:7:358:7 | a | a |
1914
| test.cpp:378:9:378:11 | val | The variable $@ may not be initialized here. | test.cpp:359:6:359:8 | val | val |

cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -265,7 +265,7 @@ int test23() {
265265
val = 1;
266266
loop = false;
267267
}
268-
return val; // GOOD [FALSE POSITIVE]
268+
return val; // GOOD
269269
}
270270

271271
int test24() {
@@ -289,7 +289,7 @@ int test25() {
289289
val = 1;
290290
loop = false;
291291
}
292-
return val; // GOOD [FALSE POSITIVE]
292+
return val; // GOOD
293293
}
294294

295295
int test26() {
@@ -301,7 +301,7 @@ int test26() {
301301
val = 1;
302302
loop = false;
303303
}
304-
return val; // GOOD [FALSE POSITIVE]
304+
return val; // GOOD
305305
}
306306

307307
int test27() {
@@ -313,7 +313,7 @@ int test27() {
313313
val = 1;
314314
loop = false;
315315
}
316-
return val; // GOOD [FALSE POSITIVE]
316+
return val; // GOOD
317317
}
318318

319319
int test28() {
@@ -339,7 +339,7 @@ int test29() {
339339
b = false;
340340
c = false;
341341
}
342-
return val; // GOOD [FALSE POSITIVE]
342+
return val; // GOOD
343343
}
344344

345345
int test30() {

0 commit comments

Comments
 (0)