Merge pull request github#5336 from MathiasVP/fix-join-order-in-memset-may-be-deleted

jbj · web-flow · commit 767d3141ad95 · 2021-03-05T13:08:10.000+01:00
C++: Fix performance in cpp/memset-may-be-deleted.
diff --git a/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql b/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
@@ -38,24 +38,39 @@ predicate isNonEscapingArgument(Expr escaped) {
   )
 }
 
+pragma[noinline]
+predicate callToMemsetWithRelevantVariable(
+  LocalVariable v, VariableAccess acc, FunctionCall call, MemsetFunction memset
+) {
+  not v.isStatic() and
+  // Reference-typed variables get special treatment in `variableAddressEscapesTree` so we leave them
+  // out of this query.
+  not v.getUnspecifiedType() instanceof ReferenceType and
+  call.getTarget() = memset and
+  acc = v.getAnAccess() and
+  // `v` escapes as the argument to `memset`
+  variableAddressEscapesTree(acc, call.getArgument(0).getFullyConverted())
+}
+
+pragma[noinline]
+predicate relevantVariable(LocalVariable v, FunctionCall call, MemsetFunction memset) {
+  exists(VariableAccess acc, VariableAccess anotherAcc |
+    callToMemsetWithRelevantVariable(v, acc, call, memset) and
+    // `v` is not only just used in the call to `memset`.
+    anotherAcc = v.getAnAccess() and
+    acc != anotherAcc and
+    not anotherAcc.isUnevaluated()
+  )
+}
+
 from FunctionCall call, LocalVariable v, MemsetFunction memset
 where
-  call.getTarget() = memset and
+  relevantVariable(v, call, memset) and
   not isFromMacroDefinition(call) and
-  // `v` escapes as the argument to `memset`
-  variableAddressEscapesTree(v.getAnAccess(), call.getArgument(0).getFullyConverted()) and
-  // ... and `v` doesn't escape anywhere else.
+  // `v` doesn't escape anywhere else.
   forall(Expr escape | variableAddressEscapesTree(v.getAnAccess(), escape) |
     isNonEscapingArgument(escape)
   ) and
-  not v.isStatic() and
-  // Reference-typed variables get special treatment in `variableAddressEscapesTree` so we leave them
-  // out of this query.
-  not v.getUnspecifiedType() instanceof ReferenceType and
-  // `v` is not only just used in the call to `memset`.
-  exists(Access acc |
-    acc = v.getAnAccess() and not call.getArgument(0).getAChild*() = acc and not acc.isUnevaluated()
-  ) and
   // There is no later use of `v`.
   not v.getAnAccess() = call.getASuccessor*() and
   // Not using the `-fno-builtin-memset` flag
