Skip to content

C++: More effective barriers in the bounded predicate for CWE-190 #6159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 12, 2021
Merged

C++: More effective barriers in the bounded predicate for CWE-190 #6159

merged 3 commits into from
Jul 12, 2021

Conversation

MathiasVP
Copy link
Contributor

@MathiasVP MathiasVP commented Jun 25, 2021
edited
Loading

Note: This PR is based on top of #6154. Please start the review at 142b78f. Once #6154 has been merged I'll rebase those commits away. <-- That PR is now merged, and has been rebased out of this PR.

This PR makes % a barrier regardless of whether or not we can bound the right-hand side of the operator using range analysis.

The barrier (with that restriction) was introduced in #5887. At that point, we didn't have a lot of results on the query since it only recognized calls to rand() as random sources.

Now that we have more sources of randomness (i.e., since #6154) we have a lot more results, and it looks like the % barrier doesn't rule out as many results as we want it to. For examples of this, see the first two bullet points I wrote here: https://github.com/github/codeql-c-team/issues/553#issuecomment-867670535.

Here's a difference run on our usual LGTM projects: https://lgtm.com/query/2650148462537684414/. All of the removed results look like false positives to me. It also removes some false positives on the cpp/tainted-arithmetic query, but it's difficult to create an LGTM difference query since cpp/tainted-arithmetic is still using the TaintTrackingConfiguration configuration.

This change has no effect on SAMATE.

@MathiasVP MathiasVP added the C++ label Jun 25, 2021
@MathiasVP MathiasVP requested a review from a team as a code owner June 25, 2021 13:23
@MathiasVP MathiasVP added the no-change-note-required This PR does not need a change note label Jun 25, 2021
@rdmarsh2
Copy link
Contributor

LGTM once #6154 is merged and the rebase is done.

@MathiasVP MathiasVP force-pushed the more-effective-barriers-in-bounded-predicate branch from 3368f53 to 4fc60ae Compare July 12, 2021 15:40
@MathiasVP
Copy link
Contributor Author

@rdmarsh2 #6154 is now merged and has been rebased out of this PR. I think this one should now be good to go.

@rdmarsh2
Copy link
Contributor

Is there a reason to keep boundedRem rather than just writing e = any(RemExpr r).getLeftOperand()?

@MathiasVP
Copy link
Contributor Author

MathiasVP commented Jul 12, 2021
edited
Loading

Is there a reason to keep boundedRem rather than just writing e = any(RemExpr r).getLeftOperand()?

Not really, no. I suppose we could inline them all at this point. I've done this in 7da7ec6 now.

@rdmarsh2 rdmarsh2 merged commit 61ee4af into github:main Jul 12, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@rdmarsh2 rdmarsh2 rdmarsh2 approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
C++ documentation no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MathiasVP @rdmarsh2