Skip to content

Commit 54afed6

Browse files
MathiasVPMathiasVP
committed
C++: Rename 'delta' to 'deltaDerefSourceAndPai'.
1 parent 46832d0 commit 54afed6

File tree

1 file changed

+7
-6
lines changed

1 file changed

+7
-6
lines changed

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -64,12 +64,13 @@
6464
* In order to handle the above false positive, we define a barrier that identifies guards such as `p < end` that ensures that a value
6565
* is less than the pointer-arithmetic instruction that computed the invalid pointer. This is done in the `InvalidPointerToDerefBarrier`
6666
* module. Since the node we are tracking is not necessarily _equal_ to the pointer-arithmetic instruction, but rather satisfies
67-
* `node.asInstruction() <= pai + delta`, we need to account for the delta when checking if a guard is sufficiently strong to infer
68-
* that a future dereference is safe. To do this, we check that the guard guarantees that a node `n` satisfies `n < node + d` where
69-
* `node` is a node we know is equal to the value of the dereference source (i.e., it satisfies `node.asInstruction() <= pai + delta`)
70-
* and `d <= delta`. Combining this we have `n < node + d <= node + delta <= pai + 2*delta` (TODO: Oops. This math doesn't quite work
71-
* out. This is because we need to redefine the `BarrierConfig` to start flow at the pointer-arithmetic instruction instead of at the
72-
* dereference source. When combined with TODO above it's easy to show that this guard ensures that the dereference is safe).
67+
* `node.asInstruction() <= pai + deltaDerefSourceAndPai`, we need to account for the delta when checking if a guard is sufficiently
68+
* strong to infer that a future dereference is safe. To do this, we check that the guard guarantees that a node `n` satisfies
69+
* `n < node + d` where `node` is a node we know is equal to the value of the dereference source (i.e., it satisfies
70+
* `node.asInstruction() <= pai + deltaDerefSourceAndPai`) and `d <= delta`. Combining this we have
71+
* `n < node + d <= node + delta <= pai + 2*delta` (TODO: Oops. This math doesn't quite work out. This is because we need to
72+
* redefine the `BarrierConfig` to start flow at the pointer-arithmetic instruction instead of at the dereference source. When
73+
* combined with TODO above it's easy to show that this guard ensures that the dereference is safe).
7374
*/
7475

7576
private import cpp

0 commit comments

Comments
 (0)