
Commit bbcf0b5

authored
Merge pull request #2941 from jbj/Overflow-stmtDominates
C++: Avoid `iDominates*` in Overflow.qll
2 parents b20afa6 + bbc5787 commit bbcf0b5


1 file changed

+21
-4
lines changed


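--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -13,19 +13,36 @@ predicate guardedAbs(Operation e, Expr use) {
 )
 }
 
+/** This is `BasicBlock.getNode`, restricted to `Stmt` for performance. */
+pragma[noinline]
+private int getStmtIndexInBlock(BasicBlock block, Stmt stmt) { block.getNode(result) = stmt }
+
+pragma[inline]
+private predicate stmtDominates(Stmt dominator, Stmt dominated) {
+// In same block
+exists(BasicBlock block, int dominatorIndex, int dominatedIndex |
+dominatorIndex = getStmtIndexInBlock(block, dominator) and
+dominatedIndex = getStmtIndexInBlock(block, dominated) and
+dominatedIndex >= dominatorIndex
+)
+or
+// In (possibly) different blocks
+bbStrictlyDominates(dominator.getBasicBlock(), dominated.getBasicBlock())
+}
+
 /** is the size of this use guarded to be less than something? */
 pragma[nomagic]
 predicate guardedLesser(Operation e, Expr use) {
 exists(IfStmt c, RelationalOperation guard |
 use = guard.getLesserOperand().getAChild*() and
 guard = c.getControllingExpr().getAChild*() and
-iDominates*(c.getThen(), e.getEnclosingStmt())
+stmtDominates(c.getThen(), e.getEnclosingStmt())
 )
 or
 exists(Loop c, RelationalOperation guard |
 use = guard.getLesserOperand().getAChild*() and
 guard = c.getControllingExpr().getAChild*() and
-iDominates*(c.getStmt(), e.getEnclosingStmt())
+stmtDominates(c.getStmt(), e.getEnclosingStmt())
 )
 or
 exists(ConditionalExpr c, RelationalOperation guard |
@@ -43,13 +60,13 @@ predicate guardedGreater(Operation e, Expr use) {
 exists(IfStmt c, RelationalOperation guard |
 use = guard.getGreaterOperand().getAChild*() and
 guard = c.getControllingExpr().getAChild*() and
-iDominates*(c.getThen(), e.getEnclosingStmt())
+stmtDominates(c.getThen(), e.getEnclosingStmt())
 )
 or
 exists(Loop c, RelationalOperation guard |
 use = guard.getGreaterOperand().getAChild*() and
 guard = c.getControllingExpr().getAChild*() and
-iDominates*(c.getStmt(), e.getEnclosingStmt())
+stmtDominates(c.getStmt(), e.getEnclosingStmt())
 )
 or
 exists(ConditionalExpr c, RelationalOperation guard |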
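Review bot: `stmtDominates` (new lines 20-31) is added without QLDoc, although it now decides when `guardedLesser` and `guardedGreater` treat an operation as covered by a bounds check. I would put `/** Holds if dominator dominates dominated in the control-flow graph (reflexive); both statements must be nodes of a basic block. */` above its `pragma[inline]` line. The second half of that comment is the one difference I can see from the removed `iDominates*` calls: a reflexive closure holds for any node paired with itself, while both disjuncts here need a basic block, so a guard in code without one would presumably stop being recognised and the overflow queries would report more there rather than less. Only this file changes in the commit, so it is worth confirming that the existing overflow query tests give the same results.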
