C++: Switch to the shared Guards library #20485
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR switches the C++ CodeQL library from its own guards library to the shared guards library that was introduced previously. The main purpose is to reduce C++-specific QL code maintenance and enable C++ to use the shared "nullness" library. This change also improves query results on existing queries, particularly reducing false positives in the cpp/missing-check-scanf query.
Key changes include:
- Replacing the old C++-specific guards implementation with the shared guards library
- Updating guard value types from
AbstractValuetoGuardValue - Making guards extend
Elementinstead ofExprto support parameters as guards - Improving the guards logic to provide better query results
Reviewed Changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| GuardsEnsure.expected | Updated test expectations showing improved guard inference with more comprehensive results |
| GuardsControl.ql | Changed parameter type from AbstractValue to GuardValue |
| GuardsControl.expected | Expanded test results with additional guard control relationships |
| GuardsCompare.ql | Updated parameter type from AbstractValue to GuardValue |
| GuardsCompare.expected | Extended comparison results with more comprehensive guard comparisons |
| Guards.ql | Removed simple guard selection query |
| Guards.expected | Removed corresponding test expectations |
| tests.ql | Updated parameter types to use GuardValue |
| TOCTOUFilesystemRace.ql | Fixed guard child access by casting to Expr |
| SSLResultConflation.ql | Fixed guard child access by casting to Expr |
| SemanticExprSpecific.qll | Updated method call from controlsEdge to controlsBranchEdge |
| Instruction.qll | Added getAnInput() method to BinaryInstruction |
| EdgeKind.qll | Enhanced switch edge handling with better value range support |
| SsaImpl.qll | Major updates to SSA implementation with improved guard integration |
| IRGuards.qll | Complete rewrite using shared guards library with expanded functionality |
| RangeAnalysis.qll | Updated method call to use controlsBranchEdge |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| } | ||
|
|
||
| private import semmle.code.cpp.dataflow.new.DataFlow::DataFlow as DataFlow | ||
| private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as Private |
Check warning
Code scanning / CodeQL
Names only differing by case Warning
…nIndirectUse'. This will solve a non-monotonic recursion issue later.
…rk after instantiating the shared guards library.
MathiasVP
force-pushed
the
use-shared-guards-library
branch
from
c99ab52 to
6fe3e83
Compare
… a guard condition.
No. Parameters can't be Guards. But |
Oh. I guess there's a subtle thing for C/C++ here then: In the IR world a parameter is an Is that ... bad? |
Sure, I'll take a look (not today, though). |
|
|
||
| private module GuardsImpl = SharedGuards::Make<Cpp::Location, IRCfg, GuardsInput>; | ||
|
|
||
| private module LogicInput_v1 implements GuardsImpl::LogicInputSig { |
There was a problem hiding this comment.
If we only have _v1 then the suffix seems somewhat superfluous, but I assume you perhaps intend to add a _v2, which adds the output from Range Analysis? I.e. let's keep the _v1 suffix.
There was a problem hiding this comment.
Yeah, eventually I will add a _2 😄 However, I wanted to keep things as semantically identical as I could for this first PR.
|
Could you perhaps add a new test with a bunch of complex guard implications to showcase that these are indeed recognized? E.g. something like this and a bunch of other cases: And a test case for data flow that shows that barrier guard wrappers are now supported. |
…itionalImpliesStep.
…senting a gcc case range is a bad idea.
…ent 'rangeGuard'.
MathiasVP
force-pushed
the
use-shared-guards-library
branch
from
dad3413 to
b2269fb
Compare
…n' when detecting return expressions.
MathiasVP
force-pushed
the
use-shared-guards-library
branch
from
74799e5 to
a07d03f
Compare
Thanks a lot for reminding me to add those tests! I've added a bunch in b2269fb. That commit also highlights some missing inferences, and 26a8a4b also demonstrated that something was totally broken with the guard wrapper implementation. Luckily, the fix was easy: a07d03f. With that change the missing inferences are now fixed, and the barrier guard wrappers also work 🎉. I'll start another DCA to see if this has any effects on real-world projects. |
| void test_ternary(void* y) { | ||
| int x = testNotNull1(y) ? 42 : 0; | ||
| if (x != 0) { | ||
| chk(); // $ guarded='... ? ... : ...:not 0' guarded='42:not 0' guarded='call to testNotNull1:true' guarded='x != 0:true' guarded='x:not 0' guarded='y:not null' |
There was a problem hiding this comment.
Hmm, we shouldn't see guarded='42:not 0' as that's a trivial tautology. But I think perhaps the fix for that is tucked away in one of my local branches...
There was a problem hiding this comment.
Yeah, I was wondering whether there was any filtering on such trivial implications as well, but I couldn't find anything in the current library.
| // We use the `Store` instruction that writes the return value instead of the | ||
| // `ReturnValue` instruction since the `ReturnValue` instruction is not always | ||
| // dominated by certain guards. For example: | ||
| // ``` | ||
| // if(b) { | ||
| // return true; | ||
| // } else { | ||
| // return false; | ||
| // } | ||
| // ``` | ||
| // this will be translated into IR like: | ||
| // ``` | ||
| // if(b) { | ||
| // x = true; | ||
| // } else { | ||
| // x = false; | ||
| // } | ||
| // return x; | ||
| // ``` |
There was a problem hiding this comment.
I'm somewhat confused by this. Both code snippets should be equally well supported as wrapper guards, so if the latter doesn't work then something else is missing. Make sure you have test cases for both kinds of wrapper guards.
There was a problem hiding this comment.
Ah, wait. I think I know what was wrong with the old approach. Nothing to see here 🙈! I've deleted the incorrect comment and added a bunch of examples in c1c1f60. They all seem to work perfectly fine 🎉
|
@aschackmull thanks for all the review comments so far! I think I've fixed all of them, and DCA still looks fine. Do you have any other comments before I hand it over to the C team? |
This PR switches C/C++ away from our own guards library and over to the shared guards library which was introduced in #19573.
The main motivation for this is two-fold: It reduces the amount of C/C++ specific QL code that needs to be maintained 1. It also enables C/C++ to instantiate the newly shared "nullness" library which was introduced in #20367. This should hopefully open the doors to better null dereference / use-after-free / double free queries.
On top of that, the improvements to the internal guards logic also means much better query results on existing queries. In particular, the
cpp/missing-check-scanfquery has lost a tons of FPs 🎉.Commit-by-commit review extremely recommended. It's a large PR, but I actually think I managed to make it fairly reviewable 🤞.
This PR does bring a syntactic breaking changes which was just decided a couple of weeks ago would be okay for CodeQL going forward. The breaking change is that the AST wrapper around the IR-based guards library now extends
Elementinstead ofExpr. This is because the shared library also infers thatParameters (which are notExprs in the AST) can be guards if the parameter determines a condition.In fact, whereas the old library only made the condition (and certain subexpressions inside the condition) were
Guards, the new library makes every expression aGuard, but only some of thoseGuards actually controls conditions. This is a fundamental difference that's always been between the C/C++ guards library and the Java/C# guards library, and we're finally getting rid of that difference which brings some more language consistency 🎉.Footnotes
Although, there is still lots of maintenance required because C/C++ still relies on our own implication of
ensuresEqandensuresLt. Getting rid of those requires switching C/C++ fully over to the shared range analysis library. ↩