C++: Remove FPs from cpp/uninitialized-local when encountered extraction errors #17481
Conversation
calumgrant
force-pushed
the
calumgrant/bmn/uninitialized-local
branch
from
2ee56cd to
afdd26b
Compare
calumgrant
changed the title
| @@ -0,0 +1 @@ | |||
| Likely Bugs/Memory Management/UninitializedLocal.ql | |||
There was a problem hiding this comment.
The tests for this query are located in cpp/test/query-tests/Security/CWE/CWE-457/semmle/tests. We should probably add the test case there.
This is for the same reason as: So we need to be a bit more careful here. We should probably define a predicate that captures this case and also use it in other queries that check for |
That certainly matches what I've observed. Thanks for the pointer. |
|
Note that there's something similar going on with the first argument of a deallocator call of a delete expressions. And I'm now left wondering whether we handle that correctly in the IR (will briefly investigate). |
This does leave me wondering why this expression is emitted at all. I can work around it for now, but a follow-up could be to replace this with something else or avoid it entirely. I've not looked into the IR, but it does seem to me that |
That only makes sense if the IR actually looks at that argument during IR generation, which I'm not sure of.
The expression is an argument to a call, so something needs to be there. Looking briefly at the extractor code it didn't seem completely straightforward to replace this with what it really should be. |
calumgrant
force-pushed
the
calumgrant/bmn/uninitialized-local
branch
from
afdd26b to
4712ae1
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
I was mistaken. We only output the error expression in the case of new, and not delete. The extractor code is pretty difficult to follow here. |
| /** | ||
| * Holds if this error expression is the first argument to a `new` allocation call. | ||
| */ | ||
| predicate isFirstAllocatorCallArgument() { | ||
| this = any(NewOrNewArrayExpr new).getAllocatorCall().getArgument(0) | ||
| } |
There was a problem hiding this comment.
I'm not a particular fan of having this predicate, as it exposes something that shouldn't really be exposed.
There was a problem hiding this comment.
I wasn't sure about this name. You suggested I should encapsulate the functionality from TranslatedElement.qll, but I'm not sure how helpful this really is. Could also rename it to isExpected(), but it's still just a workaround really. Happy to remove this predicate and inline it as it's not really adding much value.
There was a problem hiding this comment.
Sorry for the misunderstanding, I did not suggest encapsulating the functionality from TranslatedElement.qll. I only tried to suggest to do something similar. I don't think we need this predicate for that. It's something that can just be inlined in the hasErrors predicate you introduced.
There was a problem hiding this comment.
I think that would be cleaner.
I couldn't create a test case that generated the deallocator arg, so I decided to ignore it. |
Yup, because: "We only output the error expression in the case of new, and not delete." |
| @@ -89,5 +89,6 @@ from | |||
| where | |||
| conf.hasFlowPath(source, sink) and | |||
| isSinkImpl(sink.getInstruction(), va) and | |||
| v = va.getTarget() | |||
| v = va.getTarget() and | |||
| not v.getFunction().hasErrors() | |||
There was a problem hiding this comment.
Might as well stick this constraint into isSinkImpl to speed up the recursion
| @@ -57,5 +57,5 @@ where | |||
| not declarationHasSideEffects(v) and | |||
| not exists(AsmStmt s | f = s.getEnclosingFunction()) and | |||
| not v.getAnAttribute().getName() = "unused" and | |||
| not any(ErrorExpr e).getEnclosingFunction() = f // unextracted expr may use `v` | |||
| not f.hasErrors() | |||
There was a problem hiding this comment.
I think the comment should be retained here.
There was a problem hiding this comment.
Or at least something along those lines.
calumgrant
force-pushed
the
calumgrant/bmn/uninitialized-local
branch
from
b4e9131 to
9ceca3e
Compare
calumgrant
force-pushed
the
calumgrant/bmn/uninitialized-local
branch
from
9ceca3e to
cd1f10c
Compare
|
Will add change note. |
Fixes false-positives in standalone extraction mode, whereby local variables may be initialized using function calls to unrecognised functions. These manifest as
ErrorExpr, so we can exclude these from the results.The DCA results are interesting. We lose one FP on abseil (this is good), but also a bunch of results on the samate project, which are due to an
ErrorExprcreeping into one of the C functions, which are all calledgoodB2Gorbad, so seem to identify as the same function. However, the root cause of theErrorExpris unclear as there's nothing obvious in the extractor logs.Questions:
Pull Request checklist
All query authors
A change note is added if necessary. See the documentation in this repository.All new queries have appropriate.qhelp. See the documentation in this repository.New and changed queries have correct query metadata. See the documentation in this repository.Internal query authors only
Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to.ql,.qll, or.qhelpfiles. See the documentation (internal access required).Adding a new query? Consider also adding the query to autofix.