C++: Avoid using nullValue predicate

jbj · jbj · commit 8654ebcbbd6d · 2018-11-29T13:33:45.000+01:00
The `nullValue` predicate performs a slow custom data-flow analysis to
find possible null values. It's so slow that it timed out after 1200s on
Wireshark.

In `UnsafeCreateProcessCall.ql`, the values found with `nullValue` were
used as sources in another data-flow analysis. By using the `NullValue`
class as sink instead of `nullValue`, we avoid the slow-down of doing
data flow twice. The `NullValue` class is essentially the base case of
`nullValue`. Confusing names, yes.
diff --git a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -68,7 +68,7 @@ class NullAppNameCreateProcessFunctionConfiguration extends DataFlow::Configurat
   }
 
   override predicate isSource(DataFlow::Node source) {
-    nullValue(source.asExpr()) 
+    source.asExpr() instanceof NullValue
   }
 
   override predicate isSink(DataFlow::Node sink) {

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ class NullAppNameCreateProcessFunctionConfiguration extends DataFlow::Configurat`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`override predicate isSource(DataFlow::Node source) {`
`71`		`- nullValue(source.asExpr())`
	`71`	`+ source.asExpr() instanceof NullValue`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`override predicate isSink(DataFlow::Node sink) {`