CodeQL library for C/C++
codeql/cpp-all 3.2.1-dev (changelog, source)

Predicate BarrierGuard::getABarrierNode

Gets an expression node that is safely guarded by the given guard check.

For example, given the following code:

int x = source();      // untrusted value enters here
// ...
if (is_safe_int(x)) {  // guard: only the true branch validates x
  sink(x);             // reached only after the check passed
}

and the following barrier guard predicate:

predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
  exists(Call call |
    // the guard condition is the call to is_safe_int itself
    g.getUnconvertedResultExpression() = call and
    call.getTarget().hasName("is_safe_int") and
    // the argument of that call is the expression being validated
    e = call.getAnArgument() and
    // only the branch where the check returned true is safe
    branch = true
  )
}

implementing isBarrier as:

predicate isBarrier(DataFlow::Node barrier) {
  barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getABarrierNode()
}

will block flow from x = source() to sink(x).

NOTE: If an indirect expression is tracked, use getAnIndirectBarrierNode instead.
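The fragments above only show the guard predicate and `isBarrier`. The following is an added example, not part of the library documentation, that puts them into a complete path query: a taint-tracking configuration whose source is a call to a function named `source`, whose sink is any argument of a function named `sink`, and whose barrier is the guard from this page. The names `source`, `sink` and `is_safe_int`, and the query id, are assumptions chosen to match the C snippet above; run against that snippet the query reports nothing, and with the `if (is_safe_int(x))` check removed it reports the flow into `sink(x)`.

```ql
/**
 * @name Unchecked value reaches sink (added example)
 * @description Reports values from source() that reach sink() without
 *              passing through the true branch of is_safe_int().
 * @kind path-problem
 * @id example/barrier-guard-demo
 */

import cpp
import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.ir.IR

// Guard check: `is_safe_int(e)` evaluating to true sanitises its argument.
// Function names are assumptions matching the snippet in this page.
predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
  exists(Call call |
    g.getUnconvertedResultExpression() = call and
    call.getTarget().hasName("is_safe_int") and
    e = call.getAnArgument() and
    branch = true
  )
}

module UncheckedIntConfig implements DataFlow::ConfigSig {
  // Source: the result of a call to a function named `source` (assumed name).
  predicate isSource(DataFlow::Node source) {
    source.asExpr().(Call).getTarget().hasName("source")
  }

  // Sink: any argument passed to a function named `sink` (assumed name).
  predicate isSink(DataFlow::Node sink) {
    exists(Call c |
      c.getTarget().hasName("sink") and
      sink.asExpr() = c.getAnArgument()
    )
  }

  // Barrier: uses of the checked expression that are dominated by the
  // true branch of `is_safe_int(...)`. For values tracked as indirect
  // (pointer-contents) nodes, getAnIndirectBarrierNode would be used instead.
  predicate isBarrier(DataFlow::Node barrier) {
    barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getABarrierNode()
  }
}

module UncheckedIntFlow = TaintTracking::Global<UncheckedIntConfig>;

import UncheckedIntFlow::PathGraph

from UncheckedIntFlow::PathNode source, UncheckedIntFlow::PathNode sink
where UncheckedIntFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Value from $@ reaches sink() without an is_safe_int() check.", source.getNode(),
  "source()"
```

Because the barrier is expressed through the guard rather than by matching `is_safe_int` calls as sinks or sanitiser calls, it also covers control flow that the example does not show, such as an early `return` on the false branch followed by an unguarded-looking `sink(x)`: `getABarrierNode` reasons about which branch dominates the use, so that later use is still treated as guarded.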

Import path

import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
Node getABarrierNode()