|
10 | 10 | */ |
11 | 11 |
|
12 | 12 | import cpp |
| 13 | +import semmle.code.cpp.dataflow.EscapesTree |
| 14 | +import semmle.code.cpp.dataflow.DataFlow |
13 | 15 |
|
14 | | -// an expression is possibly stack allocated if it is an aggregate literal |
15 | | -// or accesses a possibly stack allocated local variables |
16 | | -predicate exprMaybeStackAllocated(Expr e) { |
17 | | - e instanceof AggregateLiteral or |
18 | | - varMaybeStackAllocated(e.(VariableAccess).getTarget()) or |
19 | | - exprMayPointToStack(e.(ArrayExpr).getArrayBase()) |
20 | | -} |
21 | | - |
22 | | -// a local variable is possibly stack allocated if it is not static and |
23 | | -// is initialized to/assigned a possibly stack allocated expression |
24 | | -predicate varMaybeStackAllocated(LocalVariable lv) { |
25 | | - not lv.isStatic() and |
26 | | - not lv.getType() instanceof ReferenceType |
| 16 | +/** |
| 17 | + * Holds if `n1` may flow to `n2`, ignoring flow through fields because these |
| 18 | + * are currently modeled as an overapproximation that assumes all objects may |
| 19 | + * alias. |
| 20 | + */ |
| 21 | +predicate conservativeDataFlowStep(DataFlow::Node n1, DataFlow::Node n2) { |
| 22 | + DataFlow::localFlowStep(n1, n2) and |
| 23 | + not n2.asExpr() instanceof FieldAccess |
27 | 24 | } |
28 | 25 |
|
29 | | -// an expression possibly points to the stack if it takes the address of |
30 | | -// a possibly stack allocated expression, if it is a reference to a local variable |
31 | | -// that possibly points to the stack, or if it is a possibly stack allocated array |
32 | | -// that is converted (implicitly or explicitly) to a pointer |
33 | | -predicate exprMayPointToStack(Expr e) { |
34 | | - exprMaybeStackAllocated(e.(AddressOfExpr).getAnOperand()) |
35 | | - or |
36 | | - varMayPointToStack(e.(VariableAccess).getTarget()) |
37 | | - or |
| 26 | +from LocalScopeVariable var, VariableAccess va, ReturnStmt r |
| 27 | +where |
| 28 | + not var.isStatic() and |
| 29 | + not var.getType().getUnspecifiedType() instanceof ReferenceType and |
| 30 | + not r.isFromUninstantiatedTemplate(_) and |
| 31 | + va = var.getAnAccess() and |
38 | 32 | ( |
39 | | - exprMaybeStackAllocated(e) and |
40 | | - e.getType() instanceof ArrayType and |
41 | | - e.getFullyConverted().getType() instanceof PointerType |
| 33 | + // To check if the address escapes directly from `e` in `return e`, we need |
| 34 | + // to check the fully-converted `e` in case there are implicit |
| 35 | + // array-to-pointer conversions or reference conversions. |
| 36 | + variableAddressEscapesTree(va, r.getExpr().getFullyConverted()) |
| 37 | + or |
| 38 | + // The data flow library doesn't support conversions, so here we check that |
| 39 | + // the address escapes into some expression `pointerToLocal`, which flows |
| 40 | + // in a non-trivial way (one or more steps) to a returned expression. |
| 41 | + exists(Expr pointerToLocal | |
| 42 | + variableAddressEscapesTree(va, pointerToLocal.getFullyConverted()) and |
| 43 | + conservativeDataFlowStep+( |
| 44 | + DataFlow::exprNode(pointerToLocal), |
| 45 | + DataFlow::exprNode(r.getExpr()) |
| 46 | + ) |
| 47 | + ) |
42 | 48 | ) |
43 | | -} |
44 | | - |
45 | | -// a local variable possibly points to the stack if it is initialized to/assigned to |
46 | | -// an expression that possibly points to the stack |
47 | | -predicate varMayPointToStack(LocalVariable lv) { |
48 | | - exprMayPointToStack(lv.getInitializer().getExpr()) |
49 | | - or |
50 | | - exists(AssignExpr a | |
51 | | - a.getLValue().(VariableAccess).getTarget() = lv and |
52 | | - exprMayPointToStack(a.getRValue()) |
53 | | - ) |
54 | | -} |
55 | | - |
56 | | -from ReturnStmt r |
57 | | -where exprMayPointToStack(r.getExpr()) |
58 | 49 | select r, "May return stack-allocated memory." |
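Review bot: The `select` on the last line still reports only `r` with a fixed message, although the rewritten `from` clause now binds the local `var` and the access `va` whose address escapes. When the pointer reaches the `return` through several `conservativeDataFlowStep+` steps, a triager cannot see which local is involved; consider linking the access in the alert, e.g. `select r, "May return stack-allocated memory from $@.", va, va.toString()`. The doc comment on `conservativeDataFlowStep` could also say that it is built on `DataFlow::localFlowStep`, so a pointer that travels through a callee before being returned is presumably not reported. The query's metadata comment begins above the visible lines, so whether its description still matches the new behaviour cannot be checked from here.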