Merge pull request #11664 from jketema/alloca-in-loop-fix

MathiasVP · web-flow · commit 69155cb69114 · 2022-12-13T11:59:38.000Z
C++: Fix `cpp/alloca-in-loop` regressions with use-use dataflow
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql b/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
@@ -185,6 +185,19 @@ class LoopWithAlloca extends Stmt {
     not this.conditionReachesWithoutUpdate(var, this.(Loop).getCondition())
   }
 
+  /**
+   * Gets an expression associated with a dataflow node.
+   */
+  private Expr getExpr(DataFlow::Node node) {
+    result = node.asInstruction().getAst()
+    or
+    result = node.asOperand().getUse().getAst()
+    or
+    result = node.(DataFlow::RawIndirectInstruction).getInstruction().getAst()
+    or
+    result = node.(DataFlow::RawIndirectOperand).getOperand().getUse().getAst()
+  }
+
   /**
    * Gets a definition that may be the most recent definition of the
    * controlling variable `var` before this loop.
@@ -194,14 +207,10 @@ class LoopWithAlloca extends Stmt {
       va = var.getAnAccess() and
       this.conditionRequiresInequality(va, _, _) and
       DataFlow::localFlow(result, DataFlow::exprNode(va)) and
+      // Phi nodes will be preceded by nodes that represent actual definitions
+      not result instanceof DataFlow::SsaPhiNode and
       // A source is outside the loop if it's not inside the loop
-      not exists(Expr e |
-        e = result.asExpr()
-        or
-        e = result.asDefiningArgument()
-      |
-        this = getAnEnclosingLoopOfExpr(e)
-      )
+      not exists(Expr e | e = getExpr(result) | this = getAnEnclosingLoopOfExpr(e))
     )
   }
 
@@ -211,7 +220,11 @@ class LoopWithAlloca extends Stmt {
    */
   private int getAControllingVarInitialValue(Variable var, DataFlow::Node source) {
     source = this.getAPrecedingDef(var) and
-    result = source.asExpr().getValue().toInt()
+    (
+      result = getExpr(source).getValue().toInt()
+      or
+      result = getExpr(source).(Assignment).getRValue().getValue().toInt()
+    )
   }
 
   /**
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.expected
@@ -7,22 +7,12 @@
 | AllocaInLoop1ms.cpp:79:19:79:25 | call to _alloca | Stack allocation is inside a $@ loop. | AllocaInLoop1ms.cpp:70:3:87:3 | for(...;...;...) ... | for(...;...;...) ... |
 | AllocaInLoop2.c:39:30:39:35 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | AllocaInLoop2.c:29:5:48:19 | do (...) ... | do (...) ... |
 | AllocaInLoop3.cpp:45:23:45:28 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | AllocaInLoop3.cpp:43:2:49:19 | do (...) ... | do (...) ... |
-| BoundedLoop.cpp:19:5:19:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:18:3:20:3 | for(...;...;...) ... | for(...;...;...) ... |
 | BoundedLoop.cpp:25:5:25:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:24:3:26:3 | for(...;...;...) ... | for(...;...;...) ... |
-| BoundedLoop.cpp:32:5:32:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:31:3:33:20 | do (...) ... | do (...) ... |
 | BoundedLoop.cpp:38:5:38:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:37:3:39:3 | for(...;...;...) ... | for(...;...;...) ... |
-| BoundedLoop.cpp:48:5:48:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:46:3:49:3 | while (...) ... | while (...) ... |
 | BoundedLoop.cpp:55:5:55:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:54:3:59:3 | while (...) ... | while (...) ... |
 | BoundedLoop.cpp:64:5:64:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:63:3:68:3 | for(...;...;...) ... | for(...;...;...) ... |
 | BoundedLoop.cpp:73:5:73:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:72:3:74:3 | for(...;...;...) ... | for(...;...;...) ... |
-| BoundedLoop.cpp:85:5:85:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:84:3:86:3 | for(...;...;...) ... | for(...;...;...) ... |
 | BoundedLoop.cpp:97:5:97:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:96:3:98:3 | for(...;...;...) ... | for(...;...;...) ... |
 | BoundedLoop.cpp:105:5:105:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:104:3:106:3 | for(...;...;...) ... | for(...;...;...) ... |
-| BoundedLoop.cpp:112:7:112:12 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:110:3:114:3 | for(...;...;...) ... | for(...;...;...) ... |
-| BoundedLoop.cpp:112:7:112:12 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:111:5:113:5 | for(...;...;...) ... | for(...;...;...) ... |
-| BoundedLoop.cpp:124:7:124:12 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:120:3:127:3 | for(...;...;...) ... | for(...;...;...) ... |
 | BoundedLoop.cpp:138:5:138:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:137:3:139:3 | for(...;...;...) ... | for(...;...;...) ... |
-| BoundedLoop.cpp:156:5:156:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:155:3:157:3 | for(...;...;...) ... | for(...;...;...) ... |
-| BoundedLoop.cpp:164:5:164:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:163:3:165:3 | while (...) ... | while (...) ... |
-| BoundedLoop.cpp:170:5:170:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:169:3:171:3 | for(...;...;...) ... | for(...;...;...) ... |
 | BoundedLoop.cpp:176:5:176:10 | call to __builtin_alloca | Stack allocation is inside a $@ loop. | BoundedLoop.cpp:175:3:177:3 | for(...;...;...) ... | for(...;...;...) ... |
