
Commit 46393c3

committed
C++: Fix bad join orders introduced in previous commit.
1 parent a00bd7a commit 46393c3


1 file changed

+20
-7
lines changed

1 file changed

+20
-7
lines changed

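--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -350,7 +350,7 @@ private class InexactLoadOperand extends LoadOperand {
   InexactLoadOperand() { this.isDefinitionInexact() }
 }
 
-/** Get the result type of an `Instruction` i, if it is a `PointerType`. */
+/** Get the result type of `i`, if it is a `PointerType`. */
 private PointerType getPointerType(Instruction i) {
   // We are done if the type is a pointer type that is not a glvalue
   i.getResultLanguageType().hasType(result, false)
@@ -359,16 +359,24 @@ private PointerType getPointerType(Instruction i) {
   result = getPointerType(i.(PointerOffsetInstruction).getLeft())
 }
 
+pragma[noinline]
+private predicate deconstructLoad(
+  LoadInstruction load, InexactLoadOperand loadOperand, Instruction addressInstr
+) {
+  load.getSourceAddress() = addressInstr and
+  load.getSourceValueOperand() = loadOperand
+}
+
 private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
   a = TArrayContent() and
   // Explicit dereferences such as `*p` or `p[i]` where `p` is a pointer or array.
-  exists(InexactLoadOperand operand, LoadInstruction load |
-    load.getSourceValueOperand() = operand and
-    node1.asInstruction() = operand.getAnyDef() and
+  exists(InexactLoadOperand loadOperand, LoadInstruction load, Instruction address |
+    deconstructLoad(load, loadOperand, address) and
+    node1.asInstruction() = loadOperand.getAnyDef() and
     not node1.asInstruction().isResultConflated() and
-    operand = node2.asOperand() and
+    loadOperand = node2.asOperand() and
     // Ensure that the load is actually loading from an array or a pointer.
-    getPointerType(load.getSourceAddress()).getBaseType() = load.getResultType()
+    getPointerType(address).getBaseType() = load.getResultType()
   )
 }
 
@@ -423,6 +431,11 @@ private ReferenceType getReferenceType(Instruction i) {
   i.getResultLanguageType().hasType(result, false)
 }
 
+pragma[noinline]
+Type getResultTypeOfSourceValue(CopyValueInstruction copy) {
+  result = copy.getSourceValue().getResultType()
+}
+
 /**
  * In cases such as:
  * ```cpp
@@ -451,7 +464,7 @@ private predicate innerReadSteap(Node node1, Content a, Node node2) {
     node2.asInstruction() = write and
     copyValue = call.getArgument(write.getIndex()) and
     [getPointerType(copyValue).getBaseType(), getReferenceType(copyValue).getBaseType()] =
-      copyValue.getSourceValue().getResultType()
+      getResultTypeOfSourceValue(copyValue)
   )
 }
 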
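Review bot: `getResultTypeOfSourceValue` in the third hunk is declared without `private`, unlike every other helper visible in this file (`getPointerType`, `getReferenceType`, `deconstructLoad`), so a join-order workaround becomes part of the module's exported surface; `private Type getResultTypeOfSourceValue(CopyValueInstruction copy) {` keeps it consistent with its neighbours. Both new `pragma[noinline]` predicates also lack a QLDoc, and the reason for the pragma lives only in the commit title, so the next person to "simplify" them will likely inline them back and reintroduce the bad join order. A one-line doc on each would preserve the intent, e.g. on `deconstructLoad`: `/** Holds if `load` reads `loadOperand` from the address computed by `addressInstr`. Kept `noinline` so `arrayReadStep` joins on the load first. */`, with a similar sentence on `getResultTypeOfSourceValue` naming `innerReadSteap` as the caller it protects. The enclosing `innerReadSteap` predicate begins outside the last hunk.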
