temp

hvitved · hvitved · commit a001ca0e4a26 · 2024-06-13T19:01:36.000+02:00
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -1051,6 +1051,23 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
       /* End: Stage 1 logic. */
     }
 
+    private newtype TContentOrNode =
+      TContentOrNodeContent(Content c) { Stage1::revFlowIsReadAndStored(c) } or
+      TContentOrNodeNode(NodeEx n) { Stage1::revFlow(n) }
+
+    /** A `Content` or a `NodeEx`. */
+    private class ContentOrNodeContent extends TContentOrNode {
+      Content asContent() { this = TContentOrNodeContent(result) }
+
+      NodeEx asNodeEx() { this = TContentOrNodeNode(result) }
+
+      string toString() {
+        result = this.asContent().toString()
+        or
+        result = this.asNodeEx().toString()
+      }
+    }
+
     private predicate sinkNode = Stage1::sinkNode/2;
 
     private predicate sourceModel(NodeEx node, string model) {
@@ -2364,7 +2381,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
         }
 
         pragma[nomagic]
-        predicate storeStepCand(
+        private predicate storeStepCand0(
           NodeEx node1, Ap ap1, Content c, NodeEx node2, DataFlowType contentType,
           DataFlowType containerType
         ) {
@@ -2375,7 +2392,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
           )
         }
 
-        predicate readStepCand(NodeEx node1, Content c, NodeEx node2) {
+        private predicate readStepCand0(NodeEx node1, Content c, NodeEx node2) {
           exists(Ap ap1, Ap ap2 |
             revFlow(node2, _, _, _, pragma[only_bind_into](ap2)) and
             readStepFwd(node1, ap1, c, node2, ap2) and
@@ -2395,10 +2412,11 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
 
         private predicate fwdConsCand(Content c, Typ t, Ap ap) { storeStepFwd(_, t, ap, c, _, _) }
 
-        private predicate revConsCand(Content c, Typ t, Ap ap) {
-          exists(Ap ap2 |
-            revFlowStore(ap2, c, ap, t, _, _, _, _, _) and
-            revFlowConsCand(_, ap2, c, ap)
+        private predicate revConsCand(NodeEx readTarget, Content c, Typ t, Ap ap) {
+          exists(NodeEx storeSource, Ap ap2 |
+            revFlowStore(ap2, c, ap, t, storeSource, _, _, _, _) and
+            revFlowConsCand(readTarget, ap2, c, ap) and
+            storeReachesRead(storeSource, readTarget)
           )
         }
 
@@ -2412,7 +2430,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
         }
 
         additional predicate consCand(Content c, Typ t, Ap ap) {
-          revConsCand(c, t, ap) and
+          revConsCand(_, c, t, ap) and
           validAp(ap)
         }
 
@@ -2501,14 +2519,23 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
           callEdgeReturn(call, c, _, _, _, _, _)
         }
 
-        private signature predicate storeReachesReadSig(NodeEx node1, NodeEx node2);
-
-        private module StoreReachesRead<storeReachesReadSig/2 storeReachesReadIn> {
+        /**
+         * Provides logic for computing compatible and (likely) reachable store-read pairs.
+         *
+         * In order to determine whether a store can reach a compatible read, we first compute
+         * the set of contents that may be both stored and read.
+         *
+         * The implementation is based on `doublyBoundedFastTC`, and in order to avoid poor
+         * performance through recursion, we unroll the recursion manually 4 times, in order to
+         * be able to handle access paths of maximum length 5.
+         */
+        private module StoreReadReachability {
           pragma[nomagic]
-          private predicate step(NodeEx node1, NodeEx node2) {
+          private predicate valueStep(NodeEx node1, NodeEx node2) {
             exists(FlowState state, Ap ap, ApOption returnAp1, ApOption returnAp2 |
               revFlow(node1, pragma[only_bind_into](state), _, returnAp1, pragma[only_bind_into](ap)) and
-              revFlow(node2, pragma[only_bind_into](state), _, returnAp2, pragma[only_bind_into](ap))
+              revFlow(node2, pragma[only_bind_into](state), _, returnAp2, pragma[only_bind_into](ap)) and
+              not ap instanceof ApNil
             |
               localStep(node1, state, node2, state, true, _, _) and
               returnAp1 = returnAp2
@@ -2518,57 +2545,139 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
               callEdgeArgParam(_, _, node1, node2, _, _)
               or
               callEdgeReturn(_, _, node1, _, node2, _, _)
-              or
-              storeReachesReadIn(node1, node2)
             )
           }
 
-          private predicate isStoreTarget(NodeEx node) { storeStepCand(_, _, _, node, _, _) }
+          /** Input from previous iteration. */
+          private signature predicate storeReachesReadSig(NodeEx node1, NodeEx node2);
 
-          private predicate isReadSource(NodeEx node) { readStepCand(node, _, _) }
+          private module StoreReachesRead<storeReachesReadSig/2 storeReachesReadIn> {
+            pragma[nomagic]
+            private predicate step(NodeEx node1, NodeEx node2) {
+              valueStep(node1, node2)
+              or
+              exists(FlowState state, Ap ap |
+                revFlow(node1, pragma[only_bind_into](state), _, _, pragma[only_bind_into](ap)) and
+                revFlow(node2, pragma[only_bind_into](state), _, _, pragma[only_bind_into](ap)) and
+                not ap instanceof ApNil and
+                storeReachesReadIn(node1, node2)
+              )
+            }
 
-          private predicate storeReachesReadTc(NodeEx node1, NodeEx node2) =
-            doublyBoundedFastTC(step/2, isStoreTarget/1, isReadSource/1)(node1, node2)
+            private predicate contentIsStored(ContentOrNodeContent c) {
+              storeStepCand0(_, _, c.asContent(), _, _, _)
+            }
 
-          bindingset[node2, c]
-          pragma[inline_late]
-          private predicate storeStepCand(NodeEx node1, Content c, NodeEx node2) {
-            storeStepCand(node1, _, c, node2, _, _)
-          }
+            private predicate contentIsRead(ContentOrNodeContent c) {
+              readStepCand0(_, c.asContent(), _)
+            }
 
-          pragma[nomagic]
-          predicate storeReachesReadOut(NodeEx node1, NodeEx node2) {
-            exists(Content c, NodeEx storeTarget, NodeEx readSource |
-              storeReachesReadTc(storeTarget, readSource) and
-              storeStepCand(node1, c, storeTarget) and
-              readStepCand(readSource, c, node2)
-            )
-            or
-            exists(Content c, NodeEx storeTargetReadSource |
-              storeStepCand(node1, c, storeTargetReadSource) and
-              readStepCand(storeTargetReadSource, c, node2)
-            )
+            private predicate stepNodeOrContent(ContentOrNodeContent n1, ContentOrNodeContent n2) {
+              step(n1.asNodeEx(), n2.asNodeEx())
+              or
+              storeStepCand0(_, _, n1.asContent(), n2.asNodeEx(), _, _)
+              or
+              readStepCand0(n1.asNodeEx(), n2.asContent(), _)
+            }
+
+            private predicate contentReachesReadTc(
+              ContentOrNodeContent node1, ContentOrNodeContent node2
+            ) =
+              doublyBoundedFastTC(stepNodeOrContent/2, contentIsStored/1, contentIsRead/1)(node1,
+                node2)
+
+            pragma[nomagic]
+            private predicate contentId(ContentOrNodeContent c1, ContentOrNodeContent c2, Content c) {
+              c1.asContent() = c and
+              c2.asContent() = c
+            }
+
+            predicate contentIsReadAndStored(Content c) {
+              exists(ContentOrNodeContent n1, ContentOrNodeContent n2 |
+                contentReachesReadTc(n1, n2) and
+                contentId(n1, n2, c)
+              )
+            }
+
+            private predicate isStoreTarget(NodeEx node) {
+              exists(Content c |
+                contentIsReadAndStored(c) and
+                storeStepCand0(_, _, c, node, _, _)
+              )
+            }
+
+            private predicate isReadSource(NodeEx node) {
+              exists(Content c |
+                contentIsReadAndStored(c) and
+                readStepCand0(node, c, _)
+              )
+            }
+
+            private predicate storeReachesReadTc(NodeEx node1, NodeEx node2) =
+              doublyBoundedFastTC(step/2, isStoreTarget/1, isReadSource/1)(node1, node2)
+
+            pragma[nomagic]
+            private predicate storeStepCandIsReadAndStored(NodeEx node1, Content c, NodeEx node2) {
+              contentIsReadAndStored(c) and
+              storeStepCand0(node1, _, c, node2, _, _)
+            }
+
+            pragma[nomagic]
+            private predicate readStepCandIsReadAndStored(NodeEx node1, Content c, NodeEx node2) {
+              contentIsReadAndStored(c) and
+              readStepCand0(node1, c, node2)
+            }
+
+            pragma[nomagic]
+            predicate storeReachesReadOut(NodeEx storeSource, NodeEx readTarget) {
+              exists(Content c, NodeEx storeTarget, NodeEx readSource |
+                storeReachesReadTc(storeTarget, readSource) and
+                storeStepCandIsReadAndStored(storeSource, c, storeTarget) and
+                readStepCandIsReadAndStored(readSource, c, readTarget)
+              )
+              or
+              exists(Content c, NodeEx storeTargetReadSource |
+                storeStepCandIsReadAndStored(storeSource, c, storeTargetReadSource) and
+                readStepCandIsReadAndStored(storeTargetReadSource, c, readTarget)
+              )
+            }
           }
-        }
 
-        private predicate storeReachesRead0(NodeEx node1, NodeEx node2) { none() }
+          private predicate storeReachesRead0(NodeEx node1, NodeEx node2) { none() }
 
-        private predicate storeReachesRead1 =
-          StoreReachesRead<storeReachesRead0/2>::storeReachesReadOut/2;
+          private predicate storeReachesRead1 =
+            StoreReachesRead<storeReachesRead0/2>::storeReachesReadOut/2;
 
-        private predicate storeReachesRead2 =
-          StoreReachesRead<storeReachesRead1/2>::storeReachesReadOut/2;
+          private predicate storeReachesRead2 =
+            StoreReachesRead<storeReachesRead1/2>::storeReachesReadOut/2;
 
-        private predicate storeReachesRead3 =
-          StoreReachesRead<storeReachesRead2/2>::storeReachesReadOut/2;
+          private predicate storeReachesRead3 =
+            StoreReachesRead<storeReachesRead2/2>::storeReachesReadOut/2;
 
-        private predicate storeReachesRead4 =
-          StoreReachesRead<storeReachesRead3/2>::storeReachesReadOut/2;
+          private predicate storeReachesRead4 =
+            StoreReachesRead<storeReachesRead3/2>::storeReachesReadOut/2;
 
-        private predicate storeReachesRead5 =
-          StoreReachesRead<storeReachesRead4/2>::storeReachesReadOut/2;
+          import StoreReachesRead<storeReachesRead4/2>
+        }
+
+        predicate storeReachesRead = StoreReadReachability::storeReachesReadOut/2;
+
+        pragma[nomagic]
+        predicate storeStepCand(
+          NodeEx node1, Ap ap1, Content c, NodeEx node2, DataFlowType contentType,
+          DataFlowType containerType
+        ) {
+          storeStepCand0(node1, ap1, c, node2, contentType, containerType) and
+          StoreReadReachability::contentIsReadAndStored(c) and
+          storeReachesRead(node1, _)
+        }
 
-        predicate storeReachesRead = storeReachesRead5/2;
+        pragma[nomagic]
+        predicate readStepCand(NodeEx node1, Content c, NodeEx node2) {
+          readStepCand0(node1, c, node2) and
+          StoreReadReachability::contentIsReadAndStored(c) and
+          storeReachesRead(_, node2)
+        }
 
         additional predicate stats(
           boolean fwd, int nodes, int fields, int conscand, int states, int tuples, int calledges,
