Skip to content

Commit aa8f30c

Browse files
jbjjbj
authored
Merge pull request github#3268 from MathiasVP/ql-doc-negativitiy
C++: Add QLDoc to public predicates in Negativity.qll
2 parents bfd80b4 + 3d0ac53 commit aa8f30c

File tree

1 file changed

+61
-0
lines changed

1 file changed

+61
-0
lines changed

cpp/ql/src/Critical/Negativity.qll

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,19 @@
11
import cpp
22

3+
/**
4+
* Holds if `val` is an access to the variable `v`, or if `val`
5+
* is an assignment with an access to `v` on the left-hand side.
6+
*/
37
predicate valueOfVar(Variable v, Expr val) {
48
val = v.getAnAccess() or
59
val.(AssignExpr).getLValue() = v.getAnAccess()
610
}
711

12+
/**
13+
* Holds if either:
14+
* - `cond` is an (in)equality expression that compares the variable `v` to the value `-1`, or
15+
* - `cond` is a relational expression that compares the variable `v` to a constant.
16+
*/
817
predicate boundsCheckExpr(Variable v, Expr cond) {
918
exists(EQExpr eq |
1019
cond = eq and
@@ -43,6 +52,18 @@ predicate boundsCheckExpr(Variable v, Expr cond) {
4352
)
4453
}
4554

55+
/**
56+
* Holds if `node` is an expression in a conditional statement and `succ` is an
57+
* immediate successor of `node` that may be reached after evaluating `node`.
58+
* For example, given
59+
* ```
60+
* if (a < 10 && b) func1();
61+
* else func2();
62+
* ```
63+
* this predicate holds when either:
64+
* - `node` is `a < 10` and `succ` is `func2()` or `b`, or
65+
* - `node` is `b` and `succ` is `func1()` or `func2()`
66+
*/
4667
predicate conditionalSuccessor(ControlFlowNode node, ControlFlowNode succ) {
4768
if node.isCondition()
4869
then succ = node.getATrueSuccessor() or succ = node.getAFalseSuccessor()
@@ -52,6 +73,12 @@ predicate conditionalSuccessor(ControlFlowNode node, ControlFlowNode succ) {
5273
)
5374
}
5475

76+
/**
77+
* Holds if the current value of the variable `v` at control-flow
78+
* node `n` has been used either in:
79+
* - an (in)equality comparison with the value `-1`, or
80+
* - a relational comparison that compares `v` to a constant.
81+
*/
5582
predicate boundsChecked(Variable v, ControlFlowNode node) {
5683
exists(Expr test |
5784
boundsCheckExpr(v, test) and
@@ -63,6 +90,14 @@ predicate boundsChecked(Variable v, ControlFlowNode node) {
6390
)
6491
}
6592

93+
/**
94+
* Holds if `cond` compares `v` to some common error values. Specifically, this
95+
* predicate holds when:
96+
* - `cond` checks that `v` is equal to `-1`, or
97+
* - `cond` checks that `v` is less than `0`, or
98+
* - `cond` checks that `v` is less than or equal to `-1`, or
99+
* - `cond` checks that `v` is not some common success value (see `successCondition`).
100+
*/
66101
predicate errorCondition(Variable v, Expr cond) {
67102
exists(EQExpr eq |
68103
cond = eq and
@@ -88,6 +123,14 @@ predicate errorCondition(Variable v, Expr cond) {
88123
)
89124
}
90125

126+
/**
127+
* Holds if `cond` compares `v` to some common success values. Specifically, this
128+
* predicate holds when:
129+
* - `cond` checks that `v` is not equal to `-1`, or
130+
* - `cond` checks that `v` is greater than or equal than `0`, or
131+
* - `cond` checks that `v` is greater than `-1`, or
132+
* - `cond` checks that `v` is not some common error value (see `errorCondition`).
133+
*/
91134
predicate successCondition(Variable v, Expr cond) {
92135
exists(NEExpr ne |
93136
cond = ne and
@@ -113,6 +156,11 @@ predicate successCondition(Variable v, Expr cond) {
113156
)
114157
}
115158

159+
/**
160+
* Holds if there exists a comparison operation that checks whether `v`
161+
* represents some common *error* values, and `n` may be reached
162+
* immediately following the comparison operation.
163+
*/
116164
predicate errorSuccessor(Variable v, ControlFlowNode n) {
117165
exists(Expr cond |
118166
errorCondition(v, cond) and n = cond.getATrueSuccessor()
@@ -121,6 +169,11 @@ predicate errorSuccessor(Variable v, ControlFlowNode n) {
121169
)
122170
}
123171

172+
/**
173+
* Holds if there exists a comparison operation that checks whether `v`
174+
* represents some common *success* values, and `n` may be reached
175+
* immediately following the comparison operation.
176+
*/
124177
predicate successSuccessor(Variable v, ControlFlowNode n) {
125178
exists(Expr cond |
126179
successCondition(v, cond) and n = cond.getATrueSuccessor()
@@ -129,6 +182,10 @@ predicate successSuccessor(Variable v, ControlFlowNode n) {
129182
)
130183
}
131184

185+
/**
186+
* Holds if the current value of the variable `v` at control-flow node
187+
* `n` may have been checked against a common set of *error* values.
188+
*/
132189
predicate checkedError(Variable v, ControlFlowNode n) {
133190
errorSuccessor(v, n)
134191
or
@@ -139,6 +196,10 @@ predicate checkedError(Variable v, ControlFlowNode n) {
139196
)
140197
}
141198

199+
/**
200+
* Holds if the current value of the variable `v` at control-flow node
201+
* `n` may have been checked against a common set of *success* values.
202+
*/
142203
predicate checkedSuccess(Variable v, ControlFlowNode n) {
143204
successSuccessor(v, n)
144205
or

0 commit comments

Comments
 (0)