FilesExpand file tree

 main

/

Overflow.qll

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

137 lines (128 loc) · 4.23 KB

 main

/

Overflow.qll

Copy path

Top

File metadata and controls

• Code
• Blame

137 lines (128 loc) · 4.23 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

/**

* Provides predicates for reasoning about when the value of an expression is

* guarded by an operation such as `<`, which confines its range.

*/

import cpp

import semmle.code.cpp.controlflow.Dominance

/**

* Holds if the value of `use` is guarded using `abs`.

*/

predicate guardedAbs(Operation e, Expr use) {

exists(FunctionCall fc | fc.getTarget().getName() = "abs" |

fc.getArgument(0).getAChild*() = use and

guardedLesser(e, fc)

)

}

/**

* Gets the position of `stmt` in basic block `block` (this is a thin layer

* over `BasicBlock.getNode`, intended to improve performance).

*/

pragma[noinline]

private int getStmtIndexInBlock(BasicBlock block, Stmt stmt) { block.getNode(result) = stmt }

pragma[inline]

private predicate stmtDominates(Stmt dominator, Stmt dominated) {

// In same block

exists(BasicBlock block, int dominatorIndex, int dominatedIndex |

dominatorIndex = getStmtIndexInBlock(block, dominator) and

dominatedIndex = getStmtIndexInBlock(block, dominated) and

dominatedIndex >= dominatorIndex

)

or

// In (possibly) different blocks

bbStrictlyDominates(dominator.getBasicBlock(), dominated.getBasicBlock())

}

/**

* Holds if the value of `use` is guarded to be less than something.

*/

pragma[nomagic]

predicate guardedLesser(Operation e, Expr use) {

exists(IfStmt c, RelationalOperation guard |

use = guard.getLesserOperand().getAChild*() and

guard = c.getControllingExpr().getAChild*() and

stmtDominates(c.getThen(), e.getEnclosingStmt())

)

or

exists(Loop c, RelationalOperation guard |

use = guard.getLesserOperand().getAChild*() and

guard = c.getControllingExpr().getAChild*() and

stmtDominates(c.getStmt(), e.getEnclosingStmt())

)

or

exists(ConditionalExpr c, RelationalOperation guard |

use = guard.getLesserOperand().getAChild*() and

guard = c.getCondition().getAChild*() and

c.getThen().getAChild*() = e

)

or

guardedAbs(e, use)

}

/**

* Holds if the value of `use` is guarded to be greater than something.

*/

pragma[nomagic]

predicate guardedGreater(Operation e, Expr use) {

exists(IfStmt c, RelationalOperation guard |

use = guard.getGreaterOperand().getAChild*() and

guard = c.getControllingExpr().getAChild*() and

stmtDominates(c.getThen(), e.getEnclosingStmt())

)

or

exists(Loop c, RelationalOperation guard |

use = guard.getGreaterOperand().getAChild*() and

guard = c.getControllingExpr().getAChild*() and

stmtDominates(c.getStmt(), e.getEnclosingStmt())

)

or

exists(ConditionalExpr c, RelationalOperation guard |

use = guard.getGreaterOperand().getAChild*() and

guard = c.getCondition().getAChild*() and

c.getThen().getAChild*() = e

)

or

guardedAbs(e, use)

}

/**

* Gets a use of a given variable `v`.

*/

VariableAccess varUse(LocalScopeVariable v) { result = v.getAnAccess() }

/**

* Holds if `e` is not guarded against overflow by `use`.

*/

predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {

use = e.getAnOperand() and

exists(LocalScopeVariable v | use.getTarget() = v |

// overflow possible if large

e instanceof AddExpr and not guardedLesser(e, varUse(v))

or

e instanceof AssignAddExpr and not guardedLesser(e, varUse(v))

or

e instanceof IncrementOperation and

not guardedLesser(e, varUse(v)) and

v.getUnspecifiedType() instanceof IntegralType

or

// overflow possible if large or small

e instanceof MulExpr and

not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v)))

)

}

/**

* Holds if `e` is not guarded against underflow by `use`.

*/

predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {

use = e.getAnOperand() and

exists(LocalScopeVariable v | use.getTarget() = v |

// underflow possible if use is left operand and small

use = e.(SubExpr).getLeftOperand() and not guardedGreater(e, varUse(v))

or

use = e.(AssignSubExpr).getLValue() and not guardedGreater(e, varUse(v))

or

// underflow possible if small

e instanceof DecrementOperation and

not guardedGreater(e, varUse(v)) and

v.getUnspecifiedType() instanceof IntegralType

or

// underflow possible if large or small

e instanceof MulExpr and

not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v)))

)

}