CodeQL library for C/C++
codeql/cpp-all 2.0.2-dev (changelog, source)

Predicate BarrierGuard::getAnIndirectBarrierNode

Gets an indirect expression node that is safely guarded by the given guard check.

For example, given the following code:

int* p;
// ...
*p = source();
if(is_safe_pointer(p)) {
  sink(*p);
}

and the following barrier guard check:

predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
  exists(Call call |
    g.getUnconvertedResultExpression() = call and
    call.getTarget().hasName("is_safe_pointer") and
    e = call.getAnArgument() and
    branch = true
  )
}

implementing isBarrier as:

predicate isBarrier(DataFlow::Node barrier) {
  barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getAnIndirectBarrierNode()
}

will block flow from *p = source() to sink(*p) in the code above.

NOTE: If a non-indirect expression is tracked, use getABarrierNode instead.
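A complete path-problem query built around the guard and barrier shown above, added here as an example rather than taken from the CodeQL library. It assumes the function names source, sink and is_safe_pointer from the C snippet, and that IRGuardCondition is provided by importing semmle.code.cpp.ir.IR.

```ql
/**
 * @name Pointer contents reach sink() without an is_safe_pointer() check
 * @kind path-problem
 * @id example/unchecked-indirect-flow
 */

import cpp
import semmle.code.cpp.ir.dataflow.DataFlow
// Assumption: IRGuardCondition is exported by this module.
import semmle.code.cpp.ir.IR

// The guard check from the page: on the true branch of `is_safe_pointer(p)`,
// the argument `p` is considered checked.
predicate myGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
  exists(Call call |
    g.getUnconvertedResultExpression() = call and
    call.getTarget().hasName("is_safe_pointer") and
    e = call.getAnArgument() and
    branch = true
  )
}

module UncheckedPointerConfig implements DataFlow::ConfigSig {
  // Source: the value returned by a call to `source()`.
  predicate isSource(DataFlow::Node source) {
    source.asExpr() = any(Call c | c.getTarget().hasName("source"))
  }

  // Sink: any argument of `sink(...)`, such as the loaded value `*p`.
  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(Call c | c.getTarget().hasName("sink")).getAnArgument()
  }

  // Barrier: the pointed-to contents of `p` inside the guarded branch.
  // The tracked value lives behind the pointer, so the indirect barrier node
  // is required; getABarrierNode() would only guard the pointer value `p`.
  predicate isBarrier(DataFlow::Node barrier) {
    barrier = DataFlow::BarrierGuard<myGuardChecks/3>::getAnIndirectBarrierNode()
  }
}

module UncheckedPointerFlow = DataFlow::Global<UncheckedPointerConfig>;

import UncheckedPointerFlow::PathGraph

from UncheckedPointerFlow::PathNode src, UncheckedPointerFlow::PathNode snk
where UncheckedPointerFlow::flowPath(src, snk)
select snk.getNode(), src, snk,
  "Pointer contents from $@ reach sink() without an is_safe_pointer() check.",
  src.getNode(), "source()"
```

With the isBarrier predicate in place, the guarded sink(*p) in the page's snippet produces no result; removing the if(is_safe_pointer(p)) check, or swapping in getABarrierNode(), makes the path reappear.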

Import path

import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
Node getAnIndirectBarrierNode()