From 854cff5dac69cb1e3bda3c6b894f7b536f8488be Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Tue, 1 Aug 2023 13:52:09 +0200
Subject: [PATCH] TEMP: Fix joins.

---
 .../new/internal/semantic/analysis/RangeAnalysisImpl.qll | 1 +
 .../InvalidPointerDereference/RangeAnalysisUtil.qll | 9 +++++++--
 .../Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql | 9 +++++++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
index 3c35d60ac5a80..683a3607bacad 100644
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
@@ -83,6 +83,7 @@ private RelativeStage::SemReason relativeReason(SemReason reason) {
 import Public
 
 module Public {
+  pragma[nomagic]
   predicate semBounded(
     SemExpr e, SemanticBound::SemBound b, float delta, boolean upper, SemReason reason
   ) {
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/RangeAnalysisUtil.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/RangeAnalysisUtil.qll
index 72e27d7804c92..aada310fcb32f 100644
--- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/RangeAnalysisUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/RangeAnalysisUtil.qll
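Review bot: The `pragma[nomagic]` added above `semBounded` carries no explanation, and this is the public entry point of the `Public` module, so every consumer of the new range analysis is affected by the changed evaluation strategy. A one-line comment stating the intent would stop a later cleanup from dropping it (or keeping it) without understanding why, e.g. `// nomagic: callers must join on the full relation rather than a specialised copy (see "TEMP: Fix joins").` The commit title marks this as temporary; if it is meant to stay, that should be recorded here too. The enclosing `semBounded` body continues past the hunk.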
@@ -14,14 +14,19 @@ private Instruction getABoundIn(SemBound b, IRFunction func) {
   result.getEnclosingIRFunction() = func
 }
 
+pragma[nomagic]
+private predicate upperBoundedByValue(Instruction i, SemBound bound, int delta) {
+  semBounded(getSemanticExpr(i), bound, delta, true,
+    any(SemReason reason | not reason instanceof SemTypeReason))
+}
+
 /**
  * Holds if `i <= b + delta`.
  */
 pragma[inline]
 private predicate boundedImpl(Instruction i, Instruction b, int delta) {
   exists(SemBound bound, IRFunction func |
-    semBounded(getSemanticExpr(i), bound, delta, true,
-      any(SemReason reason | not reason instanceof SemTypeReason)) and
+    upperBoundedByValue(i, bound, delta) and
     b = getABoundIn(bound, func) and
     i.getEnclosingIRFunction() = func
   )
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
index d6a759e9363e4..a49f5c66f0871 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -22,14 +22,19 @@ Instruction getABoundIn(SemBound b, IRFunction func) {
   result.getEnclosingIRFunction() = func
 }
 
+pragma[nomagic]
+private predicate upperBoundedByValue(Instruction i, SemBound bound, int delta) {
+  semBounded(getSemanticExpr(i), bound, delta, true,
+    any(SemReason reason | not reason instanceof SemTypeReason))
+}
+
 /**
  * Holds if `i <= b + delta`.
  */
 pragma[inline]
 predicate boundedImpl(Instruction i, Instruction b, int delta) {
   exists(SemBound bound, IRFunction func |
-    semBounded(getSemanticExpr(i), bound, delta, true,
-      any(SemReason reason | not reason instanceof SemTypeReason)) and
+    upperBoundedByValue(i, bound, delta) and
     b = getABoundIn(bound, func) and
     pragma[only_bind_out](i.getEnclosingIRFunction()) = func
   )
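Review bot: The new `upperBoundedByValue` predicate in RangeAnalysisUtil.qll has no QLDoc, while the neighbouring `boundedImpl` documents its contract and the name alone does not say that type-derived bounds are deliberately excluded; add above the `pragma[nomagic]` line a comment such as `/** Holds if i <= bound + delta, established by a reason other than a SemTypeReason (bounds implied purely by the type of i are ignored). */`. The same undocumented helper is added verbatim in the ConstantSizeArrayOffByOne.ql hunk and should get the same comment. Those two copies now have to be kept in sync by hand; the experimental query already duplicated `boundedImpl` and `getABoundIn` from the library before this patch, so that is pre-existing, but it is worth a note in the experimental file pointing at the library copy. The `pragma[nomagic]` on the helper is itself unexplained; a short "why" comment tied to the join-order fix the commit title mentions would help whoever revisits this TEMP change.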