Predicate BarrierGuard::getABarrierNode
Gets an expression node that is safely guarded by the given guard check.
For example, given the following code:
    int x = source();
    // ...
    if(is_safe_int(x)) {
      sink(x);
    }
and the following barrier guard predicate:
    predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
      exists(Call call |
        g.getUnconvertedResultExpression() = call and
        call.getTarget().hasName("is_safe_int") and
        e = call.getAnArgument() and
        branch = true
      )
    }
implementing isBarrier as:
    predicate isBarrier(DataFlow::Node barrier) {
      barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getABarrierNode()
    }
will block flow from x = source() to sink(x).
NOTE: If an indirect expression is tracked, use getAnIndirectBarrierNode instead.
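The pieces above wired into one complete query, as an added example that is not part of the CodeQL documentation. The function names source, sink and is_safe_int come from the snippet above; the module names, the @id and the alert text are constructed, and the imports assume the public semmle.code.cpp.dataflow.new.DataFlow and semmle.code.cpp.controlflow.IRGuards libraries.

```ql
/**
 * @name Unguarded flow from source() to sink()
 * @kind problem
 * @id example/unguarded-source-to-sink
 */
// Added illustration: the @id, module names and alert text are constructed.

import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.controlflow.IRGuards

// Holds when `g` is a call to is_safe_int with argument `e`;
// `e` is treated as safe only where `g` evaluated to `true`.
predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
  exists(Call call |
    g.getUnconvertedResultExpression() = call and
    call.getTarget().hasName("is_safe_int") and
    e = call.getAnArgument() and
    branch = true
  )
}

module GuardedFlowConfig implements DataFlow::ConfigSig {
  // The result of any call to source() is untrusted.
  predicate isSource(DataFlow::Node source) {
    source.asExpr().(Call).getTarget().hasName("source")
  }

  // Any argument passed to sink() is sensitive.
  predicate isSink(DataFlow::Node sink) {
    exists(Call call |
      call.getTarget().hasName("sink") and
      sink.asExpr() = call.getAnArgument()
    )
  }

  // Stop tracking values that are read under a successful is_safe_int check.
  predicate isBarrier(DataFlow::Node barrier) {
    barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getABarrierNode()
  }
}

module GuardedFlow = DataFlow::Global<GuardedFlowConfig>;

from DataFlow::Node source, DataFlow::Node sink
where GuardedFlow::flow(source, sink)
select sink, "Value from source() reaches sink() without an is_safe_int() check."
```

Because myGuardChecks fixes branch = true, a sink(x) placed before the check or in the else branch of the if is not covered by the barrier and is still reported.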
Import path
import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil