Skip to content

C++: Fix more pointer/pointee conflation #13246

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MathiasVP merged 2 commits into from
May 23, 2023
Merged

C++: Fix more pointer/pointee conflation #13246

MathiasVP merged 2 commits into from
May 23, 2023

Conversation

@MathiasVP
Copy link
Contributor

@MathiasVP MathiasVP commented May 23, 2023
edited
Loading

When we have IR like:

r1(glval<char **>) = VariableAddress[x]  :
r2(char **)        = Load[x]             : &:r1, m

we reuse the dataflow node for r2 to represent the dataflow node for the indirection node of r1 with indirection index 1 (i.e., the node that represents the value you get from dereferencing r1 once).

This is implemented by this disjunct in the charpred for IndirectOperand on main:

this.(OperandNode).getOperand() = Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex)

That is, this is used to represent the dataflow node for the indirect operand whose underlying operand is operand and whose indirection index is indirectionIndex. However, this line is only correct when indirectionIndex is 1 (because in that case the IR may have an instruction that can represent the value). If the indirection index is greater than 1, no LoadInstruction will be able to represent the dataflow node. This wasn't handled in the above disjunct, and we'd simply use the IR instruction to represent the dataflow node irregardless of the indirection index. This meant that an indirect dataflow node was being represented by an IR instruction, and meant that we got pointer/pointee conflation.

This PR fixes the conflation by using the nodeHasInstruction instruction in the above disjunction, which means that we correctly pick an IR instruction node if the indirection index is right, and otherwise we pick an indirect node.

@github-actions github-actions bot added the C++ label May 23, 2023
@MathiasVP MathiasVP force-pushed the fix-pointer-pointee-conflation-2 branch from fa8f72c to b32d55a Compare May 23, 2023 01:26
@MathiasVP
Copy link
Contributor Author

MathiasVP commented May 23, 2023
edited
Loading

Here's the rundown of all the result changes.

Standard suite

dsp-testing__samate-c-cpp

cpp/cleartext-transmission

  • Slight change to where the alert is highlighted. Nothing major (and it looks like this is only in a very specific case involving a strange combination of pointers and stack-buffers)

vim__vim

cpp/path-injection

  • I can't seem to reproduce these two new results locally. However, that particular file has plenty of results anyway, so I'd not be surprised if this is a new TP

git-linux

cpp/use-after-free

  • FP removed 🎉

openjdk-jdk

cpp/use-after-free

  • FPs removed 🎉

systemd-linux

cpp/use-after-free

  • FPs removed 🎉

MCTV suite

vim__vim

cpp/constant-array-overflow

(Lots of!) FPs removed 🎉

torvalds__linux

cpp/constant-array-overflow

FP removed 🎉

@MathiasVP MathiasVP marked this pull request as ready for review May 23, 2023 18:30
@MathiasVP MathiasVP requested a review from a team as a code owner May 23, 2023 18:30
@MathiasVP MathiasVP added the no-change-note-required This PR does not need a change note label May 23, 2023
rdmarsh2
rdmarsh2 approved these changes May 23, 2023
View reviewed changes
Copy link
Contributor

@rdmarsh2 rdmarsh2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@MathiasVP MathiasVP merged commit 8daa8d7 into github:main May 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@rdmarsh2 rdmarsh2 rdmarsh2 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

C++ no-change-note-required This PR does not need a change note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MathiasVP @rdmarsh2