-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Expand file tree
/
Copy pathElement.qll
More file actions
319 lines (293 loc) · 11.1 KB
/
Element.qll
File metadata and controls
319 lines (293 loc) · 11.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
/**
* Provides the `Element` class, which is the base class for all classes representing C or C++
* program elements.
*/
import semmle.code.cpp.Location
private import semmle.code.cpp.Enclosing
private import semmle.code.cpp.internal.ResolveClass
private import semmle.code.cpp.internal.ResolveGlobalVariable
private import semmle.code.cpp.internal.ResolveFunction
/**
* Get the `Element` that represents this `@element`.
* Normally this will simply be a cast of `e`, but sometimes it is not.
* For example, for an incomplete struct `e` the result may be a
* complete struct with the same name.
*/
pragma[inline]
Element mkElement(@element e) { unresolveElement(result) = e }
/**
* INTERNAL: Do not use.
*
* Gets an `@element` that resolves to the `Element`. This should
* normally only be called from member predicates, where `e` is not
* `this` and you need the result for an argument to a database
* extensional.
* See `underlyingElement` for when `e` is `this`.
*/
pragma[inline]
@element unresolveElement(Element e) {
not result instanceof @usertype and
not result instanceof @variable and
not result instanceof @function and
result = e
or
e = resolveClass(result)
or
e = resolveGlobalVariable(result)
or
e = resolveFunction(result)
}
/**
* INTERNAL: Do not use.
*
* Gets the `@element` that this `Element` extends. This should normally
* only be called from member predicates, where `e` is `this` and you
* need the result for an argument to a database extensional.
* See `unresolveElement` for when `e` is not `this`.
*/
@element underlyingElement(Element e) { result = e }
/**
* A C/C++ element with no member predicates other than `toString`. Not for
* general use. This class does not define a location, so classes wanting to
* change their location without affecting other classes can extend
* `ElementBase` instead of `Element` to create a new rootdef for `getURL`,
* `getLocation`, or `hasLocationInfo`.
*/
class ElementBase extends @element {
/** Gets a textual representation of this element. */
cached
string toString() { none() }
/**
* Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
*/
final string getPrimaryQlClasses() { result = concat(this.getAPrimaryQlClass(), ",") }
/**
* Gets the name of a primary CodeQL class to which this element belongs.
*
* For most elements, this is simply the most precise syntactic category to
* which they belong; for example, `AddExpr` is a primary class, but
* `BinaryOperation` is not.
*
* This predicate can have multiple results if multiple primary classes match.
* For some elements, this predicate may not have a result.
*/
string getAPrimaryQlClass() { none() }
}
/**
* A C/C++ element. This class is the base class for all C/C++
* elements, such as functions, classes, expressions, and so on.
*/
class Element extends ElementBase {
/** Gets the primary file where this element occurs. */
pragma[nomagic]
File getFile() { result = this.getLocation().getFile() }
/**
* Holds if this element may be from source. This predicate holds for all
* elements, except for those in the dummy file, whose name is the empty string.
* The dummy file contains declarations that are built directly into the compiler.
*/
predicate fromSource() { this.getFile().fromSource() }
/** Gets the primary location of this element. */
Location getLocation() { none() }
/**
* Gets the source of this element: either itself or a macro that expanded
* to this element.
*
* If the element is not in a macro expansion, then the "root" is just
* the element itself. Otherwise, it is the definition of the innermost
* macro whose expansion the element is in.
*
* This method is useful for filtering macro results in checks: simply
* blame `e.findRootCause` rather than `e`. This will report only bugs
* that are not in macros, and in addition report macros that (somewhere)
* expand to a bug.
*/
Element findRootCause() {
if exists(MacroInvocation mi | this = mi.getAGeneratedElement())
then
exists(MacroInvocation mi |
this = mi.getAGeneratedElement() and
not hasCloserMacroInvocation(this, mi) and
result = mi.getMacro()
)
else result = this
}
/**
* Gets the parent scope of this `Element`, if any.
* A scope is a `Type` (`Class` / `Enum`), a `Namespace`, a `BlockStmt`, a `Function`,
* or certain kinds of `Statement`.
*/
Element getParentScope() {
// result instanceof Class
exists(Declaration m |
m = this and
result = m.getDeclaringType() and
not this instanceof EnumConstant
)
or
exists(TemplateClass tc | this = tc.getATemplateArgument() and result = tc)
or
// result instanceof Namespace
exists(Namespace n | result = n and n.getADeclaration() = this)
or
exists(FriendDecl d, Namespace n | this = d and n.getADeclaration() = d and result = n)
or
exists(Namespace n | this = n and result = n.getParentNamespace())
or
// result instanceof Stmt
exists(LocalVariable v |
this = v and
exists(DeclStmt ds | ds.getADeclaration() = v and result = ds.getParent())
)
or
exists(Parameter p |
this = p and
(
result = p.getFunction() or
result = p.getCatchBlock().getParent().(Handler).getParent().(TryStmt).getParent() or
result = p.getRequiresExpr().getEnclosingStmt().getParent()
)
)
or
exists(GlobalVariable g, Namespace n | this = g and n.getADeclaration() = g and result = n)
or
exists(TemplateVariable tv | this = tv.getATemplateArgument() and result = tv)
or
exists(EnumConstant e | this = e and result = e.getDeclaringEnum())
or
// result instanceof Block|Function
exists(BlockStmt b | this = b and blockscope(unresolveElement(b), unresolveElement(result)))
or
exists(TemplateFunction tf | this = tf.getATemplateArgument() and result = tf)
or
// result instanceof Stmt
exists(ControlStructure s | this = s and result = s.getParent())
or
using_container(unresolveElement(result), underlyingElement(this))
}
/**
* Holds if this element comes from a macro expansion. Only elements that
* are entirely generated by a macro are included - for elements that
* partially come from a macro, see `isAffectedByMacro`.
*/
predicate isInMacroExpansion() { inMacroExpansion(this) }
/**
* Holds if this element is affected in any way by a macro. All elements
* that are totally or partially generated by a macro are included, so
* this is a super-set of `isInMacroExpansion`.
*/
predicate isAffectedByMacro() { affectedByMacro(this) }
/**
* INTERNAL: Do not use.
*
* Holds if this element is affected by the expansion of `mi`.
*/
predicate isAffectedByMacro(MacroInvocation mi) {
affectedbymacroexpansion(underlyingElement(this), unresolveElement(mi))
}
private Element getEnclosingElementPref() {
enclosingfunction(underlyingElement(this), unresolveElement(result)) or
result.(Function) = stmtEnclosingElement(this) or
this.(LocalScopeVariable).getFunction() = result or
enumconstants(underlyingElement(this), unresolveElement(result), _, _, _, _) or
derivations(underlyingElement(this), unresolveElement(result), _, _, _) or
stmtparents(underlyingElement(this), _, unresolveElement(result)) or
exprparents(underlyingElement(this), _, unresolveElement(result)) or
namequalifiers(underlyingElement(this), unresolveElement(result), _, _) or
initialisers(underlyingElement(this), unresolveElement(result), _, _) or
exprconv(unresolveElement(result), underlyingElement(this)) or
param_decl_bind(underlyingElement(this), _, unresolveElement(result)) or
using_container(unresolveElement(result), underlyingElement(this)) or
static_asserts(unresolveElement(this), _, _, _, underlyingElement(result))
}
/** Gets the closest `Element` enclosing this one. */
cached
Element getEnclosingElement() {
result = this.getEnclosingElementPref()
or
not exists(this.getEnclosingElementPref()) and
(
this = result.(Class).getAMember()
or
result = exprEnclosingElement(this)
or
var_decls(underlyingElement(this), unresolveElement(result), _, _, _)
)
}
/**
* Holds if this `Element` is a part of a template instantiation (but not
* the template itself).
*/
predicate isFromTemplateInstantiation(Element instantiation) {
exists(Element e | isFromTemplateInstantiationRec(e, instantiation) |
this = e or
this.(DeclarationEntry).getDeclaration() = e
)
}
/**
* Holds if this `Element` is part of a template `template` (not if it is
* part of an instantiation of `template`). This means it is represented in
* the database purely as syntax and without guarantees on the presence or
* correctness of type-based operations such as implicit conversions.
*
* If an element is nested within several templates, this predicate holds with
* a value of `template` for each containing template.
*/
predicate isFromUninstantiatedTemplate(Element template) {
exists(Element e | isFromUninstantiatedTemplateRec(e, template) |
this = e or
this.(DeclarationEntry).getDeclaration() = e
)
}
}
pragma[noinline]
private predicate hasCloserMacroInvocation(Element elem, MacroInvocation mi) {
exists(MacroInvocation closer |
elem = closer.getAGeneratedElement() and
mi = closer.getParentInvocation()
)
}
private predicate isFromTemplateInstantiationRec(Element e, Element instantiation) {
instantiation.(Function).isConstructedFrom(_) and
e = instantiation
or
instantiation.(Class).isConstructedFrom(_) and
e = instantiation
or
instantiation.(Variable).isConstructedFrom(_) and
e = instantiation
or
isFromTemplateInstantiationRec(e.getEnclosingElement(), instantiation)
}
private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
is_class_template(unresolveElement(template)) and
e = template
or
is_function_template(unresolveElement(template)) and
e = template
or
is_variable_template(unresolveElement(template)) and
e = template
or
isFromUninstantiatedTemplateRec(e.getEnclosingElement(), template)
}
/**
* A C++11 `static_assert` or C11 `_Static_assert` construct. For example each
* line in the following example contains a static assert:
* ```
* static_assert(sizeof(MyStruct) <= 4096);
* static_assert(sizeof(MyStruct) <= 4096, "MyStruct is too big!");
* ```
*/
class StaticAssert extends Locatable, @static_assert {
override string toString() { result = "static_assert(..., \"" + this.getMessage() + "\")" }
/**
* Gets the expression which this static assertion ensures is true.
*/
Expr getCondition() { static_asserts(underlyingElement(this), unresolveElement(result), _, _, _) }
/**
* Gets the message which will be reported by the compiler if this static assertion fails.
*/
string getMessage() { static_asserts(underlyingElement(this), _, result, _, _) }
override Location getLocation() { static_asserts(underlyingElement(this), _, _, result, _) }
}