Predicate BarrierGuard::getAnIndirectBarrierNode
Gets an indirect expression node that is safely guarded by the given guard check.
For example, given the following code:
    int* p;
    // ...
    *p = source();
    if(is_safe_pointer(p)) {
      sink(*p);
    }
and the following barrier guard check:
    predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
      exists(Call call |
        g.getUnconvertedResultExpression() = call and
        call.getTarget().hasName("is_safe_pointer") and
        e = call.getAnArgument() and
        branch = true
      )
    }
implementing isBarrier as:
    predicate isBarrier(DataFlow::Node barrier) {
      barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getAnIndirectBarrierNode()
    }
will block flow from *p = source() to sink(*p).
NOTE: If a non-indirect expression is tracked, use getABarrierNode instead.
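The pieces above assembled into a complete query, as an added example that is not part of the CodeQL library documentation. The query metadata, the module names UncheckedPointerConfig and UncheckedPointerFlow, and matching source() and sink() by function name are assumptions; it also assumes the public imports semmle.code.cpp.dataflow.new.DataFlow and semmle.code.cpp.controlflow.IRGuards rather than the internal import path listed below.

```ql
/**
 * @name Unvalidated pointee reaches sink (added example)
 * @description Reports values written through a pointer that reach sink()
 *              without the pointer having passed is_safe_pointer().
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/unvalidated-pointee-to-sink
 */

import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.controlflow.IRGuards

// The guard check from the page: `is_safe_pointer(e)` validates `e`
// on the branch where the call evaluates to true.
predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
  exists(Call call |
    g.getUnconvertedResultExpression() = call and
    call.getTarget().hasName("is_safe_pointer") and
    e = call.getAnArgument() and
    branch = true
  )
}

module UncheckedPointerConfig implements DataFlow::ConfigSig {
  // Assumption: the value returned by any function named `source` is untrusted.
  predicate isSource(DataFlow::Node node) {
    node.asExpr().(Call).getTarget().hasName("source")
  }

  // Assumption: any argument of a function named `sink` is sensitive.
  predicate isSink(DataFlow::Node node) {
    exists(Call call |
      call.getTarget().hasName("sink") and
      node.asExpr() = call.getAnArgument()
    )
  }

  // The guard checks the pointer `p`, but the tracked data is what `p`
  // points to, so the indirect variant is used instead of getABarrierNode.
  predicate isBarrier(DataFlow::Node barrier) {
    barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getAnIndirectBarrierNode()
  }
}

module UncheckedPointerFlow = DataFlow::Global<UncheckedPointerConfig>;

from DataFlow::Node source, DataFlow::Node sink
where UncheckedPointerFlow::flow(source, sink)
select sink, "Value from $@ reaches this sink without an is_safe_pointer check.", source, "source()"
```

On the C snippet above this query should report nothing, because the only sink(*p) sits inside the guarded branch; deleting the isBarrier predicate is a quick way to confirm that the barrier is what suppresses the result.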
Import path
import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil