C++: Revert the changes to default taint tracking and TaintedAllocationSize.ql

jketema · jketema · commit 6fa95330f628 · 2023-02-08T09:11:39.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll
@@ -168,18 +168,16 @@ private predicate hasUpperBoundsCheck(Variable var) {
 private predicate nodeIsBarrierEqualityCandidate(
   DataFlow::Node node, Operand access, Variable checkedVar
 ) {
-  exists(Instruction instr | instr = node.asOperand().getDef() |
-    readsVariable(instr, checkedVar) and
-    any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
-  )
+  readsVariable(node.asInstruction(), checkedVar) and
+  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
 }
 
 cached
 private module Cached {
   cached
   predicate nodeIsBarrier(DataFlow::Node node) {
-    exists(Variable checkedVar, Instruction instr | instr = node.asOperand().getDef() |
-      readsVariable(instr, checkedVar) and
+    exists(Variable checkedVar |
+      readsVariable(node.asInstruction(), checkedVar) and
       hasUpperBoundsCheck(checkedVar)
     )
     or
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -46,10 +46,8 @@ predicate hasUpperBoundsCheck(Variable var) {
 }
 
 predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
-  exists(Instruction instr | instr = node.asOperand().getDef() |
-    readsVariable(instr, checkedVar) and
-    any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
-  )
+  readsVariable(node.asInstruction(), checkedVar) and
+  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
 }
 
 predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
@@ -81,8 +79,8 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
       e = any(PointerDiffExpr diff).getAnOperand()
     )
     or
-    exists(Variable checkedVar, Instruction instr | instr = node.asOperand().getDef() |
-      readsVariable(instr, checkedVar) and
+    exists(Variable checkedVar |
+      readsVariable(node.asInstruction(), checkedVar) and
       hasUpperBoundsCheck(checkedVar)
     )
     or

Original file line number	Diff line number	Diff line change
`@@ -46,10 +46,8 @@ predicate hasUpperBoundsCheck(Variable var) {`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {`
`49`		`- exists(Instruction instr \| instr = node.asOperand().getDef() \|`
`50`		`- readsVariable(instr, checkedVar) and`
`51`		`- any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)`
`52`		`- )`
	`49`	`+ readsVariable(node.asInstruction(), checkedVar) and`
	`50`	`+ any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)`
`53`	`51`	`}`
`54`	`52`
`55`	`53`	`predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }`
`@@ -81,8 +79,8 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {`
`81`	`79`	`e = any(PointerDiffExpr diff).getAnOperand()`
`82`	`80`	`)`
`83`	`81`	`or`
`84`		`- exists(Variable checkedVar, Instruction instr \| instr = node.asOperand().getDef() \|`
`85`		`- readsVariable(instr, checkedVar) and`
	`82`	`+ exists(Variable checkedVar \|`
	`83`	`+ readsVariable(node.asInstruction(), checkedVar) and`
`86`	`84`	`hasUpperBoundsCheck(checkedVar)`
`87`	`85`	`)`
`88`	`86`	`or`