From d2f5734ac5a572103f6a51b7c38627fb4ba04c69 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 25 Jul 2024 17:08:47 +0100
Subject: [PATCH 1/4] C++: Add FP.

---
 .../CWE-457/semmle/tests/UninitializedLocal.expected | 2 ++
 .../Security/CWE/CWE-457/semmle/tests/test.cpp | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
index d27b2c996b33..aeb5526a0b62 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
@@ -13,6 +13,7 @@ nodes
 | test.cpp:458:6:458:6 | definition of x | semmle.label | definition of x |
 | test.cpp:464:6:464:6 | definition of x | semmle.label | definition of x |
 | test.cpp:471:6:471:6 | definition of x | semmle.label | definition of x |
+| test.cpp:592:6:592:8 | definition of quo | semmle.label | definition of quo |
 #select
 | test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo |
 | test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo |
@@ -27,3 +28,4 @@ nodes
 | test.cpp:460:7:460:7 | x | test.cpp:458:6:458:6 | definition of x | test.cpp:458:6:458:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:458:6:458:6 | x | x |
 | test.cpp:467:2:467:2 | x | test.cpp:464:6:464:6 | definition of x | test.cpp:464:6:464:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:464:6:464:6 | x | x |
 | test.cpp:474:7:474:7 | x | test.cpp:471:6:471:6 | definition of x | test.cpp:471:6:471:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:471:6:471:6 | x | x |
+| test.cpp:594:6:594:8 | quo | test.cpp:592:6:592:8 | definition of quo | test.cpp:592:6:592:8 | definition of quo | The variable $@ may not be initialized at this access. | test.cpp:592:6:592:8 | quo | quo |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp
index 5d0a0529f7ee..dbb85ec0bf85 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp
@@ -581,3 +581,15 @@ void test46()
 *rP = nullptr;
 use(r);
 }
+
+namespace std {
+ float remquo(float, float, int*);
+}
+
+void test47() {
+ float x = 1.0f;
+ float y = 2.0f;
+ int quo;
+ std::remquo(x, y, &quo);
+ use(quo); // GOOD [FALSE POSITIVE]
+}
\ No newline at end of file
From 52f8f04e9dc801d70ddce661610c8a1b6743fd04 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 25 Jul 2024 17:12:56 +0100
Subject: [PATCH 2/4] C++: Add write side effect to 'remquo'.

---
 .../lib/semmle/code/cpp/models/implementations/StdMath.qll | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMath.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMath.qll
index fb4437787540..253cdff173a2 100644
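Review bot: The regression in test47 only exercises the `float` overload that the stub declares as `float remquo(float, float, int*);`, so nothing here guards the `double`/`long double` overloads or the C-style `::remquo` if the Remquo model in StdMath.qll matches those too (its characteristic predicate is not visible in this series, so that is an assumption to check). A sibling declaration such as `double remquo(double, double, int*);` plus a second test mirroring test47 with `double` locals would pin the expected file for every overload the model claims. The tail of test46 at the top of the hunk belongs to a function whose start is outside the hunk.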
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMath.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMath.qll
@@ -51,6 +51,12 @@ private class Remquo extends Function, SideEffectFunction {
 override predicate hasOnlySpecificReadSideEffects() { any() }
 override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+ override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+ this.getParameter(i).getUnspecifiedType() instanceof PointerType and
+ buffer = false and
+ mustWrite = true
+ }
 }
 private class Fma extends Function, SideEffectFunction {
From b640bdccdc28d6290cba1fc50a88a733b1f870a1 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 25 Jul 2024 17:13:10 +0100
Subject: [PATCH 3/4] C++: Accept test changes.

---
 .../CWE/CWE-457/semmle/tests/UninitializedLocal.expected | 2 --
 .../test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
index aeb5526a0b62..d27b2c996b33 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
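Review bot: The new `hasSpecificWriteSideEffect` selects the written parameter by type (`getUnspecifiedType() instanceof PointerType`) rather than by position, so the model quietly relies on remquo having exactly one pointer parameter; `i = 2 and buffer = false and mustWrite = true` would state the contract directly, namely that the third argument, `int *quo`, is the sole out-parameter. Since `mustWrite = true` is what makes the CWE-457 query treat `quo` as definitely initialized after the call, it deserves a why-comment, e.g. `// remquo unconditionally stores the partial quotient in *quo, so the pointee is definitely initialized after the call`. Whether every libm also stores on the NaN/domain-error path (x infinite or y zero) is something I cannot confirm from here, so if that distinction matters downstream, word the comment as an assumption to verify. The Remquo class header is outside the hunk.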
@@ -13,7 +13,6 @@ nodes
 | test.cpp:458:6:458:6 | definition of x | semmle.label | definition of x |
 | test.cpp:464:6:464:6 | definition of x | semmle.label | definition of x |
 | test.cpp:471:6:471:6 | definition of x | semmle.label | definition of x |
-| test.cpp:592:6:592:8 | definition of quo | semmle.label | definition of quo |
 #select
 | test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo |
 | test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo |
@@ -28,4 +27,3 @@ nodes
 | test.cpp:460:7:460:7 | x | test.cpp:458:6:458:6 | definition of x | test.cpp:458:6:458:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:458:6:458:6 | x | x |
 | test.cpp:467:2:467:2 | x | test.cpp:464:6:464:6 | definition of x | test.cpp:464:6:464:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:464:6:464:6 | x | x |
 | test.cpp:474:7:474:7 | x | test.cpp:471:6:471:6 | definition of x | test.cpp:471:6:471:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:471:6:471:6 | x | x |
-| test.cpp:594:6:594:8 | quo | test.cpp:592:6:592:8 | definition of quo | test.cpp:592:6:592:8 | definition of quo | The variable $@ may not be initialized at this access. | test.cpp:592:6:592:8 | quo | quo |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp
index dbb85ec0bf85..eab71b1aec56 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp
@@ -591,5 +591,5 @@ void test47() {
 float y = 2.0f;
 int quo;
 std::remquo(x, y, &quo);
- use(quo); // GOOD [FALSE POSITIVE]
+ use(quo); // GOOD
 }
\ No newline at end of file
From 91edf82c8aa0b812fbdd8a2074a62e317faccb52 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 25 Jul 2024 17:13:26 +0100
Subject: [PATCH 4/4] C++: Add more missing overrides.

---
 cpp/ql/lib/semmle/code/cpp/models/implementations/StdMath.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMath.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMath.qll
index 253cdff173a2..6ee339c9b997 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMath.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMath.qll
@@ -101,4 +101,8 @@ private class Nan extends Function, SideEffectFunction, AliasFunction {
 override predicate parameterNeverEscapes(int index) { index = 0 }
 override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+ override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+ i = 0 and buffer = true
+ }
 }
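Review bot: The new `hasSpecificReadSideEffect` on Nan marks parameter 0 as a buffer read with no explanation, and since `buffer = true` is the stronger claim it should carry one: `// nan(const char *tagp) parses the NUL-terminated tag string, so the read covers the whole buffer rather than just the pointee`. The hunk does not show whether Nan also overrides `hasOnlySpecificReadSideEffects` the way Remquo does earlier in this file; without it the new read model is purely additive, which may be intended but is worth confirming so the two models are consistent. The Nan class header is outside the hunk.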