C++: make unaliased_ssa IR stage sound

Robert Marsh · Robert Marsh · commit a9d799059654 · 2021-05-06T08:14:33.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -325,6 +325,10 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
   exists(IREscapeAnalysisConfiguration config |
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
+  or
+  exists(Configuration::StageEscapeConfiguration config |
+    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
+  )
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
@@ -138,3 +138,11 @@ class DynamicAllocation extends Allocation, TDynamicAllocation {
 
   final override predicate alwaysEscapes() { none() }
 }
+
+class StageEscapeConfiguration extends string {
+  StageEscapeConfiguration() {
+    this = "StageEscapeConfiguration (aliased_ssa)"
+  }
+
+  predicate useSoundEscapeAnalysis() { none() }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -325,6 +325,10 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
   exists(IREscapeAnalysisConfiguration config |
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
+  or
+  exists(Configuration::StageEscapeConfiguration config |
+    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
+  )
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
@@ -14,3 +14,11 @@ class Allocation extends IRAutomaticVariable {
     none()
   }
 }
+
+class StageEscapeConfiguration extends string {
+  StageEscapeConfiguration() {
+    this = "StageEscapeConfiguration (unaliased_ssa)"
+  }
+
+  predicate useSoundEscapeAnalysis() { any() }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
@@ -0,0 +1,2 @@
+| defaulttainttracking.cpp:190:14:190:24 | // $ ast,ir | Missing result:ir= |
+| defaulttainttracking.cpp:193:14:193:24 | // $ ast,ir | Missing result:ir= |
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -1552,15 +1552,15 @@ ssa.cpp:
 #  330|     v330_4(void)              = Call[sink]                         : func:r330_1, 0:r330_3
 #  330|     m330_5(unknown)           = ^CallSideEffect                    : ~m329_6
 #  330|     m330_6(unknown)           = Chi                                : total:m329_6, partial:m330_5
-#  330|     v330_7(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m329_9
+#  330|     v330_7(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m330_6
 #  330|     m330_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r330_3
-#  330|     m330_9(char[1024])        = Chi                                : total:m329_9, partial:m330_8
+#  330|     m330_9(unknown)           = Chi                                : total:m330_6, partial:m330_8
 #  331|     r331_1(glval<unknown>)    = FunctionAddress[sink]              : 
 #  331|     r331_2(glval<char **>)    = VariableAddress[ptr2]              : 
 #  331|     r331_3(char **)           = Load[ptr2]                         : &:r331_2, m326_4
 #  331|     v331_4(void)              = Call[sink]                         : func:r331_1, 0:r331_3
-#  331|     m331_5(unknown)           = ^CallSideEffect                    : ~m330_6
-#  331|     m331_6(unknown)           = Chi                                : total:m330_6, partial:m331_5
+#  331|     m331_5(unknown)           = ^CallSideEffect                    : ~m330_9
+#  331|     m331_6(unknown)           = Chi                                : total:m330_9, partial:m331_5
 #  331|     v331_7(void)              = ^BufferReadSideEffect[0]           : &:r331_3, ~m325_4
 #  331|     m331_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r331_3
 #  331|     m331_9(char *)            = Chi                                : total:m325_4, partial:m331_8
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
@@ -1389,7 +1389,7 @@ ssa.cpp:
 #  321|     r321_1(glval<char[1024]>) = VariableAddress[buffer]            : 
 #  321|     mu321_2(char[1024])       = Uninitialized[buffer]              : &:r321_1
 #  322|     r322_1(glval<char *>)     = VariableAddress[ptr1]              : 
-#  322|     m322_2(char *)            = Uninitialized[ptr1]                : &:r322_1
+#  322|     mu322_2(char *)           = Uninitialized[ptr1]                : &:r322_1
 #  322|     r322_3(glval<char **>)    = VariableAddress[ptr2]              : 
 #  322|     m322_4(char **)           = Uninitialized[ptr2]                : &:r322_3
 #  323|     r323_1(glval<char *>)     = VariableAddress[ptr3]              : 
@@ -1399,7 +1399,7 @@ ssa.cpp:
 #  325|     r325_1(glval<char[1024]>) = VariableAddress[buffer]            : 
 #  325|     r325_2(char *)            = Convert                            : r325_1
 #  325|     r325_3(glval<char *>)     = VariableAddress[ptr1]              : 
-#  325|     m325_4(char *)            = Store[ptr1]                        : &:r325_3, r325_2
+#  325|     mu325_4(char *)           = Store[ptr1]                        : &:r325_3, r325_2
 #  326|     r326_1(glval<char *>)     = VariableAddress[ptr1]              : 
 #  326|     r326_2(char **)           = CopyValue                          : r326_1
 #  326|     r326_3(glval<char **>)    = VariableAddress[ptr2]              : 
@@ -1425,7 +1425,7 @@ ssa.cpp:
 #  329|     mu329_7(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r329_3
 #  330|     r330_1(glval<unknown>)    = FunctionAddress[sink]              : 
 #  330|     r330_2(glval<char *>)     = VariableAddress[ptr1]              : 
-#  330|     r330_3(char *)            = Load[ptr1]                         : &:r330_2, m325_4
+#  330|     r330_3(char *)            = Load[ptr1]                         : &:r330_2, ~m?
 #  330|     v330_4(void)              = Call[sink]                         : func:r330_1, 0:r330_3
 #  330|     mu330_5(unknown)          = ^CallSideEffect                    : ~m?
 #  330|     v330_6(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m?
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -325,6 +325,10 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
   exists(IREscapeAnalysisConfiguration config |
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
+  or
+  exists(Configuration::StageEscapeConfiguration config |
+    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
+  )
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
@@ -14,3 +14,11 @@ class Allocation extends IRAutomaticVariable {
     none()
   }
 }
+
+class StageEscapeConfiguration extends string {
+  StageEscapeConfiguration() {
+    this = "StageEscapeConfiguration (unaliased_ssa)"
+  }
+
+  predicate useSoundEscapeAnalysis() { any() }
+}

Original file line number	Diff line number	Diff line change
`@@ -325,6 +325,10 @@ predicate allocationEscapes(Configuration::Allocation allocation) {`
`325`	`325`	`exists(IREscapeAnalysisConfiguration config \|`
`326`	`326`	`config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())`
`327`	`327`	`)`
	`328`	`+ or`
	`329`	`+ exists(Configuration::StageEscapeConfiguration config \|`
	`330`	`+ config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())`
	`331`	`+ )`
`328`	`332`	`}`
`329`	`333`
`330`	`334`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -14,3 +14,11 @@ class Allocation extends IRAutomaticVariable {`
`14`	`14`	`none()`
`15`	`15`	`}`
`16`	`16`	`}`
	`17`	`+`
	`18`	`+class StageEscapeConfiguration extends string {`
	`19`	`+ StageEscapeConfiguration() {`
	`20`	`+ this = "StageEscapeConfiguration (unaliased_ssa)"`
	`21`	`+ }`
	`22`	`+`
	`23`	`+ predicate useSoundEscapeAnalysis() { any() }`
	`24`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| defaulttainttracking.cpp:190:14:190:24 \| // $ ast,ir \| Missing result:ir= \|`
	`2`	`+\| defaulttainttracking.cpp:193:14:193:24 \| // $ ast,ir \| Missing result:ir= \|`