
Commit b18de9e

committed
C++: Add a named base case predicate for 'dereferencedByOperation' that can be used in queries.
1 parent ff7ff6d commit b18de9e


1 file changed

+23
-10
lines changed

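--- a/cpp/ql/lib/semmle/code/cpp/controlflow/Dereferenced.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/Dereferenced.qll
@@ -26,17 +26,18 @@ predicate callDereferences(FunctionCall fc, int i) {
 }
 
 /**
- * Holds if evaluation of `op` dereferences `e`.
+ * Holds if evaluation of `op` dereferences `e` directly.
+ *
+ * This predicate does not recurse through function calls or arithmetic operations. To find
+ * such cases, use `dereferencedByOperation`.
  */
-predicate dereferencedByOperation(Expr op, Expr e) {
+predicate directDereferencedByOperation(Expr op, Expr e) {
 exists(PointerDereferenceExpr deref |
 deref.getAChild() = e and
 deref = op and
 not deref.getParent*() instanceof SizeofOperator
 )
 or
-exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
-or
 exists(ArrayExpr ae |
 (
 not ae.getParent() instanceof AddressOfExpr and
@@ -50,6 +51,24 @@ predicate dereferencedByOperation(Expr op, Expr e) {
 )
 )
 or
+// ptr->Field
+e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
+or
+// ptr->method()
+e = op.(Call).getQualifier() and isClassPointerType(e.getType())
+}
+
+/**
+ * Holds if evaluation of `op` dereferences `e`.
+ *
+ * This includes the set of operations identified via `directDereferencedByOperation`, as well
+ * as calls to function that are known to dereference an argument.
+ */
+predicate dereferencedByOperation(Expr op, Expr e) {
+directDereferencedByOperation(op, e)
+or
+exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
+or
 exists(AddressOfExpr addof, ArrayExpr ae |
 dereferencedByOperation(addof, op) and
 addof.getOperand() = ae and
@@ -74,12 +93,6 @@ predicate dereferencedByOperation(Expr op, Expr e) {
 e = fc.getArgument(i) and
 op = fc
 )
-or
-// ptr->Field
-e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
-or
-// ptr->method()
-e = op.(Call).getQualifier() and isClassPointerType(e.getType())
 }
 
 private predicate isClassPointerType(Type t) {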
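Review bot: The new doc comment on `dereferencedByOperation` undercounts what the predicate matches: besides `directDereferencedByOperation` and the `callDereferences` case it also keeps the `CrementOperation` clause and the `&a[i]` (`AddressOfExpr` over `ArrayExpr`) clause visible in the second hunk, and "calls to function" should read "calls to functions". I would word it `This includes the operations identified by directDereferencedByOperation, plus increment/decrement and address-of-array-element expressions whose result is itself dereferenced, and calls to functions known to dereference an argument.` Separately, the moved crement clause calls `dereferencedByOperation(e, op)` with the arguments in the opposite order to every other clause, so `op` is bound to the expression dereferenced by the crement operand rather than to the crement itself; this predates the commit, but now that queries reach the base case by name it is worth confirming against the existing tests whether `crement = op and dereferencedByOperation(crement.getOperand(), e)` was intended. The `AddressOfExpr` and `callDereferences` clauses of `dereferencedByOperation` are only partly visible, since their bodies fall between the second and third hunks.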
