C++: Wire up param/arg indirections in data flow

[jbj]

This PR is based on #3097, which should be merged first. Only b622d62 is unique to this PR (for now).

This PR is an attempt to do a principled version of #2737, conservative enough that it applies to data flow. I thought it would just be a matter of wiring up ReadSideEffectInstruction to InitializeParameterInstruction, but it turns out that the involved operands are imprecise. I hope @dbartol or @rdmarsh2 have perspectives on whether they're supposed to be imprecise and whether the solution in this PR could be improved.

[jbj]

The test failures look similar but not identical to the undesired changes in #2704. I'll investigate, but I'd still like to hear comments on the overall approach of this PR.

[rdmarsh2]

I'd prefer not to expose isParameterOf with negative numbers while hiding ParameterIndirectionNode. I expect that ParameterIndirectionNode would be a fairly popular taint source, so this API would funnel users towards relying on the behavior of isParameterOf.

[jbj]

I've merged #3137 into this PR, hoping it'll fix the test failures.

[rdmarsh2]

re: the operands being imprecise, that was an attempt to represent the uncertainty about what the callee would actually read. I don't think there's a problem with making them precise.

[jbj]

I've started https://jenkins.internal.semmle.com/job/Changes/job/CPP-Differences/993/

[jbj]

The CPP-Differences job showed many new results on openjdk/jdk. Thanks to #3189 I've been able to see that they were FPs, and I was able to find the cause. I'm guessing #2704 is affected by the same problem.

In code like

mystruct s;
s.x = tainted();
// s := chi(total = Uninitialized[s], partial = tainted())
sink(s.y);

there is (and should be) no taint into sink even though there is taint into the chi instruction. That's because the address through which y is loaded is a fresh VariableAddressInstruction rather than anything derived from the chi instruction, and the load is inexact. But if the last line of the example happens in a separate function, then this PR makes it possible (and it's the intended behaviour) for the taint in the chi instruction to end up in the this pointer, and from there it can then spread through a FieldAddressInstruction (which is a UnaryInstruction) to the address of a LoadInstruction. It's all due to the interaction between these three rules:

https://github.com/Semmle/ql/blob/e5d3286ee9dfafa07db488d0b1590d89722f4073/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll#L187-L193

[jbj]

I've started https://jenkins.internal.semmle.com/job/Changes/job/CPP-Differences/1014/

[jbj]

I looked through the CPP-Differences. We lost 21 results, and they all look like false positives to me. They were due to field conflation.

I've marked this PR as ready for review. It started out as a PR to add more flow, but in practice it now causes less taint. The extra flow we're adding was (mostly) already present as taint due to #2737. With the latest change to block FieldAddressInstruction we now have less taint than before. This PR should make a difference for field flow, though, since field flow is carried by data flow but not by taint. I hope that merging this PR will also let us remove the workaround from #2737 soon.

[jbj]

I think this PR is essentially ready for merge, but it doesn't provide much value on its own, so we may not even want it in 1.24 unless it's needed for #3118.

The FPs removed with this PR might also get removed by #3219. We're still waiting for the CPP-Differences on that one.

[MathiasVP]

I think this PR is essentially ready for merge, but it doesn't provide much value on its own, so we may not even want it in 1.24 unless it's needed for #3118.

I don't think we'll need it for #3118.

EDIT: It does actually does provide the flow needed to capture field flow of the form:

struct A {
  int x, y;
};

void callSink(A* b) {
  sink(b->x);
}

void foo() {
  A a;
  a.x = user_input();
  callSink(&a);
}

without me doing anything more than merging this PR into #3118.

[jbj]

Now that IR field flow has been merged, this PR makes a difference. There are three new results (plus two duplicates) in fields/ir-flow.expected. Most other result changes are cosmetic.

I've started https://jenkins.internal.semmle.com/job/Changes/job/CPP-Differences/1114/ to evaluate performance and correctness.

A test is failing in the internal repo because it has some cosmetic differences in the path graph. I think we'll want to revert parts of #2737 at some point to avoid duplicate paths, but it seems to happen only rarely.

[jbj]

I went through all the new CPP-Differences result and found that all were FPs caused by field conflation except two results for cpp/path-injection in php:

• zend_stream.c:174: new TP
• main.c:2564: new TP

I've pushed a fix.

[jbj]

I've started https://jenkins.internal.semmle.com/job/Changes/job/CPP-Differences/1124/

[jbj]

The CPP-Differences shows two FPs that seem to be caused by field conflation. I'll investigate.

[jbj]

I'm quite confident that the two new FPs are caused by an existing field conflation that's just been amplified by this PR because there's more flow overall. I've opened #3475 with a test case that's independent of this PR.

With that said, I think this PR is still blocked on fixing that field conflation because it introduces two FPs on git/git.

[jbj]

I don't like this rule. It sends flow into a ReadSideEffectInstruction, which actually means there is flow to the result value of that instruction. But it's an instruction without a result!

The rule is here because we need a node to be the ArgumentNode in DataFlowPrivate.qll, and I've chosen the node for the ReadSideEffectInstruction. The alternatives I can see are:

1. Omit this rule and use the most recent definition of the indirection (here named iFrom) as the ArgumentNode. Then a node could be the argument for multiple calls, leading to confusing path explanations.
2. Create a new synthetic node for this purpose.
3. Change the data-flow library so that flow alternates between Instruction and Operand nodes. The list of good reasons to do this is starting to get long.

[jbj]

You can see the effect on path explanations in argvLocal.expected, where many new nodes with the awkward name BufferReadSideEffect are now there.

[jbj]

I've started https://jenkins.internal.semmle.com/job/Changes/job/CPP-Differences/1168/

[jbj]

There will be a semantic merge conflict with #3602. (resolved)

[jbj]

I think this PR is ready to go.

• I've fixed the semantic merge conflict with C++: Make path-problem versions of ir-flow.ql and flow.ql #3602.
• The CPP-Differences job showed three new results, and they all look like TPs to me in the sense that the library does what it should.
• I've opened https://git.semmle.com/Semmle/code/pull/37069 for the internal changes.

I just added 8f702d4, which improves the toString output for the new nodes.

[MathiasVP]

Could we still get flow from object to field when the type of the field is equal to the parameter type? I'm thinking about a situation with a binary tree like this:

struct Tree { Tree *left, *right; };

Tree source();
void sink(Tree*);

void read_left_subtree(Tree* tree) {
  sink(tree->left);
}
...
Tree tree = source();
read_left_subtree(&tree);

[jbj]

Good point. I'll add a test to find out. But even if the answer is that such conflation is possible, does that mean it's undesirable? If we want conflation between array indexes, don't we then also want conflation between entries in a tree or a linked list?

[MathiasVP]

You're right. It's probably reasonable to have object to field flow in such situations.

[jbj]

After a long day where I made probably every mistake that can be made on a pair of synced PRs, the internal PR is finally green.

[MathiasVP]

LGTM!