C++: Add reverse read and more field flow

MathiasVP · MathiasVP · commit 1898d469d1c8 · 2020-05-07T11:07:51.000+02:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -13,7 +13,9 @@ private import semmle.code.cpp.models.interfaces.DataFlow
 
 private newtype TIRDataFlowNode =
   TInstructionNode(Instruction i) or
-  TVariableNode(Variable var)
+  TVariableNode(Variable var) or
+  TSynthesizedStoreNode(StoreChain chain) or
+  TSynthesizedLoadNode(LoadChain load)
 
 /**
  * A node in a data flow graph.
@@ -71,9 +73,7 @@ class Node extends TIRDataFlowNode {
    * `x.set(taint())` is a partial definition of `x`, and `transfer(&x, taint())` is
    * a partial definition of `&x`).
    */
-  Expr asPartialDefinition() {
-    result = this.(PartialDefinitionNode).getInstruction().getUnconvertedResultExpression()
-  }
+  Expr asPartialDefinition() { result = this.(PartialDefinitionNode).getDefiningExpr() }
 
   /**
    * DEPRECATED: See UninitializedNode.
@@ -231,7 +231,7 @@ deprecated class UninitializedNode extends Node {
  * This class exists to match the interface used by Java. There are currently no non-abstract
  * classes that extend it. When we implement field flow, we can revisit this.
  */
-abstract class PostUpdateNode extends InstructionNode {
+abstract class PostUpdateNode extends Node {
   /**
    * Gets the node before the state update.
    */
@@ -251,42 +251,8 @@ abstract class PostUpdateNode extends InstructionNode {
  * setY(&x); // a partial definition of the object `x`.
  * ```
  */
-abstract private class PartialDefinitionNode extends PostUpdateNode, TInstructionNode { }
-
-private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
-  override ChiInstruction instr;
-
-  ExplicitFieldStoreQualifierNode() {
-    not instr.isResultConflated() and
-    exists(StoreInstruction store, FieldInstruction field |
-      instr.getPartial() = store and field = store.getDestinationAddress()
-    )
-  }
-
-  // There might be multiple `ChiInstructions` that has a particular instruction as
-  // the total operand - so this definition gives consistency errors in
-  // DataFlowImplConsistency::Consistency. However, it's not clear what (if any) implications
-  // this consistency failure has.
-  override Node getPreUpdateNode() { result.asInstruction() = instr.getTotal() }
-}
-
-/**
- * Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
- * For instance, an update to a field of a struct containing only one field. For these cases we
- * attach the PostUpdateNode to the store instruction. There's no obvious pre update node for this case
- * (as the entire memory is updated), so `getPreUpdateNode` is implemented as `none()`.
- */
-private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
-  override StoreInstruction instr;
-
-  ExplicitSingleFieldStoreQualifierNode() {
-    exists(FieldAddressInstruction field |
-      field = instr.getDestinationAddress() and
-      not exists(ChiInstruction chi | chi.getPartial() = instr)
-    )
-  }
-
-  override Node getPreUpdateNode() { none() }
+abstract private class PartialDefinitionNode extends PostUpdateNode {
+  abstract Expr getDefiningExpr();
 }
 
 /**
@@ -368,18 +334,225 @@ class VariableNode extends Node, TVariableNode {
   override string toString() { result = v.toString() }
 }
 
+/** The target node of a `readStep`. */
 abstract class ReadStepNode extends Node {
+  /** Get the field that is read. */
   abstract Field getAField();
 
+  /** Get the node representing the value that is read. */
   abstract Node getReadValue();
 }
 
+/** The target node of a `storeStep`. */
 abstract class StoreStepNode extends PostUpdateNode {
+  /** Get the field that is stored into. */
   abstract Field getAField();
 
+  /** Get the node representing the value that is stored. */
   abstract Node getStoredValue();
 }
 
+private newtype TStoreChain =
+  TStore(FieldInstruction f, StoreInstruction store, ChiInstruction chi) {
+    not chi.isResultConflated() and
+    chi.getPartial() = store and
+    store.getDestinationAddress() = f
+  } or
+  TStoreCons(FieldInstruction f, TStoreChain next) {
+    next = TStoreCons(f.getAUse().getUse(), _) or
+    next = TStore(f.getAUse().getUse(), _, _)
+  }
+
+private class StoreChain extends TStoreChain {
+  string toString() { none() }
+
+  StoreChainCons getParent() { none() }
+
+  StoreChain getChild() { none() }
+
+  StoreInstruction getStoreInstruction() { none() }
+
+  ChiInstruction getChiInstruction() { none() }
+
+  FieldInstruction getFieldInstruction() { none() }
+}
+
+private class StoreChainNil extends StoreChain, TStore {
+  FieldInstruction f;
+  StoreInstruction store;
+  ChiInstruction chi;
+
+  StoreChainNil() { this = TStore(f, store, chi) }
+
+  override string toString() { result = f.getField().toString() }
+
+  override StoreChainCons getParent() { result = TStoreCons(_, this) }
+
+  override StoreInstruction getStoreInstruction() { result = store }
+
+  override ChiInstruction getChiInstruction() { result = chi }
+
+  override FieldInstruction getFieldInstruction() { result = f }
+}
+
+private class StoreChainCons extends StoreChain, TStoreCons {
+  FieldInstruction f;
+  StoreChain next;
+
+  StoreChainCons() { this = TStoreCons(f, next) }
+
+  override string toString() { result = f.getField().toString() + "." + next.toString() }
+
+  override StoreChainCons getParent() { result.getChild() = this }
+
+  override StoreChain getChild() { result = next }
+
+  override FieldInstruction getFieldInstruction() { result = f }
+
+  override StoreInstruction getStoreInstruction() { result = next.getStoreInstruction() }
+
+  override ChiInstruction getChiInstruction() { result = next.getChiInstruction() }
+}
+
+private Instruction getAUse(FieldAddressInstruction fa) { result = fa.getAUse().getUse() }
+
+private newtype TLoadChain =
+  TLoad(FieldAddressInstruction f) {
+    not f.getObjectAddress() instanceof FieldInstruction and getAUse*(f) instanceof LoadInstruction
+  } or
+  TLoadChainCons(FieldAddressInstruction f, TLoadChain prev) {
+    prev = TLoadChainCons(f.getObjectAddress(), _) or
+    prev = TLoad(f.getObjectAddress())
+  }
+
+private class LoadChain extends TLoadChain {
+  string toString() { none() }
+
+  LoadInstruction getLoadInstruction() { none() }
+
+  LoadChainCons getParent() { none() }
+
+  LoadChain getChild() { none() }
+
+  FieldInstruction getFieldInstruction() { none() }
+}
+
+private class LoadNil extends LoadChain, TLoad {
+  FieldInstruction f;
+
+  LoadNil() { this = TLoad(f) }
+
+  override string toString() { result = f.getField().toString() }
+
+  override LoadChainCons getParent() { result = TLoadChainCons(_, this) }
+
+  override LoadInstruction getLoadInstruction() {
+    result.getSourceAddressOperand().getAnyDef() = f
+    or
+    result = getParent().getLoadInstruction()
+  }
+
+  override FieldInstruction getFieldInstruction() { result = f }
+}
+
+private class LoadChainCons extends LoadChain, TLoadChainCons {
+  FieldInstruction f;
+  LoadChain prev;
+
+  LoadChainCons() { this = TLoadChainCons(f, prev) }
+
+  override string toString() { result = prev.toString() + "." + f.getField().toString() }
+
+  override LoadInstruction getLoadInstruction() {
+    result.getSourceAddressOperand().getAnyDef() = f
+    or
+    result = getParent().getLoadInstruction()
+  }
+
+  override LoadChainCons getParent() { result.getChild() = this }
+
+  override LoadChain getChild() { result = prev }
+
+  override FieldInstruction getFieldInstruction() { result = f }
+}
+
+private class SynthesizedStoreNode extends TSynthesizedStoreNode, StoreStepNode, ReadStepNode,
+  PartialDefinitionNode {
+  StoreChain storeChain;
+
+  SynthesizedStoreNode() { this = TSynthesizedStoreNode(storeChain) }
+
+  override string toString() { result = "[" + storeChain.toString() + "] (store)" }
+
+  StoreChain getStoreChain() { result = storeChain }
+
+  ChiInstruction getChiInstruction() { result = storeChain.getChiInstruction() }
+
+  StoreInstruction getStoreInstruction() { result = storeChain.getStoreInstruction() }
+
+  override Node getPreUpdateNode() {
+    result.(SynthesizedStoreNode).getStoreChain() = storeChain.getParent()
+    or
+    not exists(storeChain.getParent()) and
+    result.asInstruction() = this.getChiInstruction().getTotal()
+  }
+
+  override Field getAField() { result = storeChain.getFieldInstruction().getField() }
+
+  override Node getStoredValue() {
+    // Only the "end" of the chain stores a value (i.e., can be the target of a store step)
+    not exists(storeChain.getChild()) and result.asInstruction() = this.getStoreInstruction()
+  }
+
+  override Node getReadValue() {
+    result.(SynthesizedStoreNode).getStoreChain() = storeChain.getParent()
+    or
+    not exists(storeChain.getParent()) and
+    result.asInstruction() = this.getChiInstruction().getTotal()
+  }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Function getFunction() { result = this.getStoreInstruction().getEnclosingFunction() }
+
+  override Type getType() { result = this.getStoreInstruction().getResultType() }
+
+  override Location getLocation() { result = this.getStoreInstruction().getLocation() }
+
+  override Expr getDefiningExpr() {
+    result = this.getStoreInstruction().getSourceValue().getUnconvertedResultExpression()
+  }
+}
+
+private class SynthesizedLoadNode extends TSynthesizedLoadNode, ReadStepNode {
+  LoadChain loadChain;
+
+  SynthesizedLoadNode() { this = TSynthesizedLoadNode(loadChain) }
+
+  override Field getAField() { result = loadChain.getFieldInstruction().getField() }
+
+  override Node getReadValue() {
+    result.(SynthesizedLoadNode).getLoadChain() = loadChain.getChild()
+    or
+    not exists(loadChain.getChild()) and
+    result.asInstruction() = this.getLoadInstruction().getSourceValueOperand().getAnyDef()
+  }
+
+  LoadChain getLoadChain() { result = loadChain }
+
+  LoadInstruction getLoadInstruction() { result = loadChain.getLoadInstruction() }
+
+  override string toString() { result = "[" + loadChain.toString() + "] (load)" }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Function getFunction() { result = this.getLoadInstruction().getEnclosingFunction() }
+
+  override Type getType() { result = this.getLoadInstruction().getResultType() }
+
+  override Location getLocation() { result = this.getLoadInstruction().getLocation() }
+}
+
 /**
  * Gets the node corresponding to `instr`.
  */
@@ -433,6 +606,18 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFr
  */
 predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   simpleInstructionLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asInstruction())
+  or
+  exists(SynthesizedStoreNode synthFrom |
+    synthFrom = nodeFrom and
+    not exists(synthFrom.getStoreChain().getParent()) and
+    synthFrom.getChiInstruction() = nodeTo.asInstruction()
+  )
+  or
+  exists(SynthesizedLoadNode synthFrom |
+    synthFrom = nodeFrom and
+    not exists(synthFrom.getLoadChain().getParent()) and
+    synthFrom.getLoadInstruction() = nodeTo.asInstruction()
+  )
 }
 
 pragma[noinline]
