Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit d95ef89

Browse files
author
Robert Marsh
committed
C++: add test for IR alias analysis soundness
1 parent 059a5f3 commit d95ef89

5 files changed

Lines changed: 339 additions & 0 deletions

File tree

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected

Lines changed: 87 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1502,3 +1502,90 @@ ssa.cpp:
15021502
# 310| v310_12(void) = ReturnVoid :
15031503
# 310| v310_13(void) = AliasedUse : m310_3
15041504
# 310| v310_14(void) = ExitFunction :
1505+
1506+
# 319| void DoubleIndirectionEscapes(char*)
1507+
# 319| Block 0
1508+
# 319| v319_1(void) = EnterFunction :
1509+
# 319| m319_2(unknown) = AliasedDefinition :
1510+
# 319| m319_3(unknown) = InitializeNonLocal :
1511+
# 319| m319_4(unknown) = Chi : total:m319_2, partial:m319_3
1512+
# 319| r319_5(glval<char *>) = VariableAddress[s] :
1513+
# 319| m319_6(char *) = InitializeParameter[s] : &:r319_5
1514+
# 319| r319_7(char *) = Load[s] : &:r319_5, m319_6
1515+
# 319| m319_8(unknown) = InitializeIndirection[s] : &:r319_7
1516+
# 321| r321_1(glval<char[1024]>) = VariableAddress[buffer] :
1517+
# 321| m321_2(char[1024]) = Uninitialized[buffer] : &:r321_1
1518+
# 321| m321_3(unknown) = Chi : total:m319_4, partial:m321_2
1519+
# 322| r322_1(glval<char *>) = VariableAddress[ptr1] :
1520+
# 322| m322_2(char *) = Uninitialized[ptr1] : &:r322_1
1521+
# 322| m322_3(unknown) = Chi : total:m321_3, partial:m322_2
1522+
# 322| r322_4(glval<char **>) = VariableAddress[ptr2] :
1523+
# 322| m322_5(char **) = Uninitialized[ptr2] : &:r322_4
1524+
# 323| r323_1(glval<char *>) = VariableAddress[ptr3] :
1525+
# 323| m323_2(char *) = Uninitialized[ptr3] : &:r323_1
1526+
# 323| r323_3(glval<char **>) = VariableAddress[ptr4] :
1527+
# 323| m323_4(char **) = Uninitialized[ptr4] : &:r323_3
1528+
# 325| r325_1(glval<char[1024]>) = VariableAddress[buffer] :
1529+
# 325| r325_2(char *) = Convert : r325_1
1530+
# 325| r325_3(glval<char *>) = VariableAddress[ptr1] :
1531+
# 325| m325_4(char *) = Store[ptr1] : &:r325_3, r325_2
1532+
# 325| m325_5(unknown) = Chi : total:m322_3, partial:m325_4
1533+
# 326| r326_1(glval<char *>) = VariableAddress[ptr1] :
1534+
# 326| r326_2(char **) = CopyValue : r326_1
1535+
# 326| r326_3(glval<char **>) = VariableAddress[ptr2] :
1536+
# 326| m326_4(char **) = Store[ptr2] : &:r326_3, r326_2
1537+
# 327| r327_1(glval<unknown>) = FunctionAddress[memcpy] :
1538+
# 327| r327_2(glval<char **>) = VariableAddress[ptr2] :
1539+
# 327| r327_3(char **) = Load[ptr2] : &:r327_2, m326_4
1540+
# 327| r327_4(char *) = Load[?] : &:r327_3, m325_4
1541+
# 327| r327_5(void *) = Convert : r327_4
1542+
# 327| r327_6(glval<char *>) = VariableAddress[s] :
1543+
# 327| r327_7(char *) = Load[s] : &:r327_6, m319_6
1544+
# 327| r327_8(void *) = Convert : r327_7
1545+
# 327| r327_9(int) = Constant[1024] :
1546+
# 327| r327_10(void *) = Call[memcpy] : func:r327_1, 0:r327_5, 1:r327_8, 2:r327_9
1547+
# 327| v327_11(void) = ^SizedBufferReadSideEffect[1] : &:r327_8, r327_9, ~m319_8
1548+
# 327| m327_12(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r327_5, r327_9
1549+
# 327| m327_13(unknown) = Chi : total:m325_5, partial:m327_12
1550+
# 329| r329_1(glval<unknown>) = FunctionAddress[sink] :
1551+
# 329| r329_2(glval<char[1024]>) = VariableAddress[buffer] :
1552+
# 329| r329_3(char *) = Convert : r329_2
1553+
# 329| v329_4(void) = Call[sink] : func:r329_1, 0:r329_3
1554+
# 329| m329_5(unknown) = ^CallSideEffect : ~m327_13
1555+
# 329| m329_6(unknown) = Chi : total:m327_13, partial:m329_5
1556+
# 329| v329_7(void) = ^BufferReadSideEffect[0] : &:r329_3, ~m329_6
1557+
# 329| m329_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r329_3
1558+
# 329| m329_9(unknown) = Chi : total:m329_6, partial:m329_8
1559+
# 330| r330_1(glval<unknown>) = FunctionAddress[sink] :
1560+
# 330| r330_2(glval<char *>) = VariableAddress[ptr1] :
1561+
# 330| r330_3(char *) = Load[ptr1] : &:r330_2, ~m329_6
1562+
# 330| v330_4(void) = Call[sink] : func:r330_1, 0:r330_3
1563+
# 330| m330_5(unknown) = ^CallSideEffect : ~m329_9
1564+
# 330| m330_6(unknown) = Chi : total:m329_9, partial:m330_5
1565+
# 330| v330_7(void) = ^BufferReadSideEffect[0] : &:r330_3, ~m330_6
1566+
# 330| m330_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r330_3
1567+
# 330| m330_9(unknown) = Chi : total:m330_6, partial:m330_8
1568+
# 331| r331_1(glval<unknown>) = FunctionAddress[sink] :
1569+
# 331| r331_2(glval<char **>) = VariableAddress[ptr2] :
1570+
# 331| r331_3(char **) = Load[ptr2] : &:r331_2, m326_4
1571+
# 331| v331_4(void) = Call[sink] : func:r331_1, 0:r331_3
1572+
# 331| m331_5(unknown) = ^CallSideEffect : ~m330_9
1573+
# 331| m331_6(unknown) = Chi : total:m330_9, partial:m331_5
1574+
# 331| v331_7(void) = ^BufferReadSideEffect[0] : &:r331_3, ~m331_6
1575+
# 331| m331_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r331_3
1576+
# 331| m331_9(unknown) = Chi : total:m331_6, partial:m331_8
1577+
# 332| r332_1(glval<unknown>) = FunctionAddress[sink] :
1578+
# 332| r332_2(glval<char **>) = VariableAddress[ptr2] :
1579+
# 332| r332_3(char **) = Load[ptr2] : &:r332_2, m326_4
1580+
# 332| r332_4(char *) = Load[?] : &:r332_3, ~m331_9
1581+
# 332| v332_5(void) = Call[sink] : func:r332_1, 0:r332_4
1582+
# 332| m332_6(unknown) = ^CallSideEffect : ~m331_9
1583+
# 332| m332_7(unknown) = Chi : total:m331_9, partial:m332_6
1584+
# 332| v332_8(void) = ^BufferReadSideEffect[0] : &:r332_4, ~m332_7
1585+
# 332| m332_9(unknown) = ^BufferMayWriteSideEffect[0] : &:r332_4
1586+
# 332| m332_10(unknown) = Chi : total:m332_7, partial:m332_9
1587+
# 333| v333_1(void) = NoOp :
1588+
# 319| v319_9(void) = ReturnIndirection[s] : &:r319_7, m319_8
1589+
# 319| v319_10(void) = ReturnVoid :
1590+
# 319| v319_11(void) = AliasedUse : ~m332_10
1591+
# 319| v319_12(void) = ExitFunction :

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected

Lines changed: 84 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1495,3 +1495,87 @@ ssa.cpp:
14951495
# 310| v310_12(void) = ReturnVoid :
14961496
# 310| v310_13(void) = AliasedUse : m310_3
14971497
# 310| v310_14(void) = ExitFunction :
1498+
1499+
# 319| void DoubleIndirectionEscapes(char*)
1500+
# 319| Block 0
1501+
# 319| v319_1(void) = EnterFunction :
1502+
# 319| m319_2(unknown) = AliasedDefinition :
1503+
# 319| m319_3(unknown) = InitializeNonLocal :
1504+
# 319| m319_4(unknown) = Chi : total:m319_2, partial:m319_3
1505+
# 319| r319_5(glval<char *>) = VariableAddress[s] :
1506+
# 319| m319_6(char *) = InitializeParameter[s] : &:r319_5
1507+
# 319| r319_7(char *) = Load[s] : &:r319_5, m319_6
1508+
# 319| m319_8(unknown) = InitializeIndirection[s] : &:r319_7
1509+
# 321| r321_1(glval<char[1024]>) = VariableAddress[buffer] :
1510+
# 321| m321_2(char[1024]) = Uninitialized[buffer] : &:r321_1
1511+
# 322| r322_1(glval<char *>) = VariableAddress[ptr1] :
1512+
# 322| m322_2(char *) = Uninitialized[ptr1] : &:r322_1
1513+
# 322| r322_3(glval<char **>) = VariableAddress[ptr2] :
1514+
# 322| m322_4(char **) = Uninitialized[ptr2] : &:r322_3
1515+
# 323| r323_1(glval<char *>) = VariableAddress[ptr3] :
1516+
# 323| m323_2(char *) = Uninitialized[ptr3] : &:r323_1
1517+
# 323| r323_3(glval<char **>) = VariableAddress[ptr4] :
1518+
# 323| m323_4(char **) = Uninitialized[ptr4] : &:r323_3
1519+
# 325| r325_1(glval<char[1024]>) = VariableAddress[buffer] :
1520+
# 325| r325_2(char *) = Convert : r325_1
1521+
# 325| r325_3(glval<char *>) = VariableAddress[ptr1] :
1522+
# 325| m325_4(char *) = Store[ptr1] : &:r325_3, r325_2
1523+
# 326| r326_1(glval<char *>) = VariableAddress[ptr1] :
1524+
# 326| r326_2(char **) = CopyValue : r326_1
1525+
# 326| r326_3(glval<char **>) = VariableAddress[ptr2] :
1526+
# 326| m326_4(char **) = Store[ptr2] : &:r326_3, r326_2
1527+
# 327| r327_1(glval<unknown>) = FunctionAddress[memcpy] :
1528+
# 327| r327_2(glval<char **>) = VariableAddress[ptr2] :
1529+
# 327| r327_3(char **) = Load[ptr2] : &:r327_2, m326_4
1530+
# 327| r327_4(char *) = Load[?] : &:r327_3, m325_4
1531+
# 327| r327_5(void *) = Convert : r327_4
1532+
# 327| r327_6(glval<char *>) = VariableAddress[s] :
1533+
# 327| r327_7(char *) = Load[s] : &:r327_6, m319_6
1534+
# 327| r327_8(void *) = Convert : r327_7
1535+
# 327| r327_9(int) = Constant[1024] :
1536+
# 327| r327_10(void *) = Call[memcpy] : func:r327_1, 0:r327_5, 1:r327_8, 2:r327_9
1537+
# 327| v327_11(void) = ^SizedBufferReadSideEffect[1] : &:r327_8, r327_9, ~m319_8
1538+
# 327| m327_12(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r327_5, r327_9
1539+
# 327| m327_13(unknown) = Chi : total:m319_4, partial:m327_12
1540+
# 329| r329_1(glval<unknown>) = FunctionAddress[sink] :
1541+
# 329| r329_2(glval<char[1024]>) = VariableAddress[buffer] :
1542+
# 329| r329_3(char *) = Convert : r329_2
1543+
# 329| v329_4(void) = Call[sink] : func:r329_1, 0:r329_3
1544+
# 329| m329_5(unknown) = ^CallSideEffect : ~m327_13
1545+
# 329| m329_6(unknown) = Chi : total:m327_13, partial:m329_5
1546+
# 329| v329_7(void) = ^BufferReadSideEffect[0] : &:r329_3, ~m321_2
1547+
# 329| m329_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r329_3
1548+
# 329| m329_9(char[1024]) = Chi : total:m321_2, partial:m329_8
1549+
# 330| r330_1(glval<unknown>) = FunctionAddress[sink] :
1550+
# 330| r330_2(glval<char *>) = VariableAddress[ptr1] :
1551+
# 330| r330_3(char *) = Load[ptr1] : &:r330_2, m325_4
1552+
# 330| v330_4(void) = Call[sink] : func:r330_1, 0:r330_3
1553+
# 330| m330_5(unknown) = ^CallSideEffect : ~m329_6
1554+
# 330| m330_6(unknown) = Chi : total:m329_6, partial:m330_5
1555+
# 330| v330_7(void) = ^BufferReadSideEffect[0] : &:r330_3, ~m329_9
1556+
# 330| m330_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r330_3
1557+
# 330| m330_9(char[1024]) = Chi : total:m329_9, partial:m330_8
1558+
# 331| r331_1(glval<unknown>) = FunctionAddress[sink] :
1559+
# 331| r331_2(glval<char **>) = VariableAddress[ptr2] :
1560+
# 331| r331_3(char **) = Load[ptr2] : &:r331_2, m326_4
1561+
# 331| v331_4(void) = Call[sink] : func:r331_1, 0:r331_3
1562+
# 331| m331_5(unknown) = ^CallSideEffect : ~m330_6
1563+
# 331| m331_6(unknown) = Chi : total:m330_6, partial:m331_5
1564+
# 331| v331_7(void) = ^BufferReadSideEffect[0] : &:r331_3, ~m325_4
1565+
# 331| m331_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r331_3
1566+
# 331| m331_9(char *) = Chi : total:m325_4, partial:m331_8
1567+
# 332| r332_1(glval<unknown>) = FunctionAddress[sink] :
1568+
# 332| r332_2(glval<char **>) = VariableAddress[ptr2] :
1569+
# 332| r332_3(char **) = Load[ptr2] : &:r332_2, m326_4
1570+
# 332| r332_4(char *) = Load[?] : &:r332_3, m331_9
1571+
# 332| v332_5(void) = Call[sink] : func:r332_1, 0:r332_4
1572+
# 332| m332_6(unknown) = ^CallSideEffect : ~m331_6
1573+
# 332| m332_7(unknown) = Chi : total:m331_6, partial:m332_6
1574+
# 332| v332_8(void) = ^BufferReadSideEffect[0] : &:r332_4, ~m332_7
1575+
# 332| m332_9(unknown) = ^BufferMayWriteSideEffect[0] : &:r332_4
1576+
# 332| m332_10(unknown) = Chi : total:m332_7, partial:m332_9
1577+
# 333| v333_1(void) = NoOp :
1578+
# 319| v319_9(void) = ReturnIndirection[s] : &:r319_7, m319_8
1579+
# 319| v319_10(void) = ReturnVoid :
1580+
# 319| v319_11(void) = AliasedUse : ~m332_10
1581+
# 319| v319_12(void) = ExitFunction :

cpp/ql/test/library-tests/ir/ssa/ssa.cpp

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -311,3 +311,23 @@ class ThisAliasTest {
311311
this->x = arg;
312312
}
313313
};
314+
315+
void sink(char **);
316+
void sink(char *);
317+
318+
// This test case comes from DefaultTaintTracking.
319+
void DoubleIndirectionEscapes(char *s)
320+
{
321+
char buffer[1024];
322+
char *ptr1, **ptr2;
323+
char *ptr3, **ptr4;
324+
325+
ptr1 = buffer;
326+
ptr2 = &ptr1;
327+
memcpy(*ptr2, s, 1024);
328+
329+
sink(buffer); // $ MISSING: ast,ir
330+
sink(ptr1); // $ ast MISSING: ir
331+
sink(ptr2); // $ SPURIOUS: ast
332+
sink(*ptr2); // $ ast MISSING: ir
333+
}

0 commit comments

Comments
 (0)