Skip to content

Commit 92a38b3

Browse files
hvitvedhvitved
committed
Data flow: Update documentation on array flow modeling
1 parent 31806b8 commit 92a38b3

File tree

1 file changed

+28
-21
lines changed

1 file changed

+28
-21
lines changed

docs/ql-libraries/dataflow/dataflow.md

Lines changed: 28 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -419,20 +419,31 @@ class Content extends TContent {
419419
420420
newtype TContentSet =
421421
TSingletonContent(Content c) or
422+
TKnownOrUnknownArrayElementContent(TKnownArrayElementContent c) or
422423
TAnyArrayElementContent()
423424
424425
class ContentSet extends TContentSet {
425426
Content getAStoreContent() {
426427
this = TSingletonContent(result)
427428
or
428429
// for reverse stores
430+
this = TKnownOrUnknownArrayElementContent(result)
431+
or
432+
// for reverse stores
429433
this = TAnyArrayElementContent() and
430434
result = TUnknownArrayElementContent()
431435
}
432436
433437
Content getAReadContent() {
434438
this = TSingletonContent(result)
435439
or
440+
exists(TKnownArrayElementContent c |
441+
this = TKnownOrUnknownArrayElementContent(c) |
442+
result = c
443+
or
444+
result = TUnknownArrayElementContent()
445+
)
446+
or
436447
this = TAnyArrayElementContent() and
437448
(result = TUnknownArrayElementContent() or result = TKnownArrayElementContent(_))
438449
}
@@ -447,12 +458,10 @@ a[0] = tainted
447458
# storeStep(not_tainted, TSingletonContent(TKnownArrayElementContent(1)), [post update] a)
448459
a[1] = not_tainted
449460

450-
# readStep(a, TSingletonContent(TKnownArrayElementContent(0)), a[0])
451-
# readStep(a, TSingletonContent(TUnknownArrayElementContent()), a[0])
461+
# readStep(a, TKnownOrUnknownArrayElementContent(TKnownArrayElementContent(0)), a[0])
452462
sink(a[0]) # bad
453463

454-
# readStep(a, TSingletonContent(TKnownArrayElementContent(1)), a[1])
455-
# readStep(a, TSingletonContent(TUnknownArrayElementContent()), a[1])
464+
# readStep(a, TKnownOrUnknownArrayElementContent(TKnownArrayElementContent(1)), a[1])
456465
sink(a[1]) # good
457466

458467
# readStep(a, TAnyArrayElementContent(), a[unknown])
@@ -461,26 +470,24 @@ sink(a[unknown]) # bad; unknown may be 0
461470
# storeStep(tainted, TSingletonContent(TUnknownArrayElementContent()), [post update] b)
462471
b[unknown] = tainted
463472

464-
# readStep(b, TSingletonContent(TKnownArrayElementContent(0)), b[0])
465-
# readStep(b, TSingletonContent(TUnknownArrayElementContent()), b[0])
473+
# readStep(b, TKnownOrUnknownArrayElementContent(TKnownArrayElementContent(0)), b[0])
466474
sink(b[0]) # bad; unknown may be 0
467475

468-
# storeStep(tainted, TSingletonContent(TKnownArrayElementContent(0)), [post update] c[unknown])
469-
# storeStep(not_tainted, TSingletonContent(TKnownArrayElementContent(1)), [post update] c[unknown])
470-
# readStep(c, TAnyArrayElementContent(), c[unknown])
471-
# storeStep([post update] c[unknown], TAnyArrayElementContent(), [post update] c) # auto-generated reverse store (see Example 2)
472-
c[unknown][0] = tainted
473-
c[unknown][1] = not_tainted
474-
475-
476-
# readStep(c[0], TSingletonContent(TKnownArrayElementContent(0)), c[0][0])
477-
# readStep(c[0], TSingletonContent(TUnknownArrayElementContent()), c[0][0])
478-
# readStep(c[0], TSingletonContent(TKnownArrayElementContent(1)), c[0][1])
479-
# readStep(c[0], TSingletonContent(TUnknownArrayElementContent()), c[0][1])
480-
# readStep(c, TSingletonContent(TKnownArrayElementContent(0)), c[0])
481-
# readStep(c, TSingletonContent(TUnknownArrayElementContent()), c[0])
476+
# storeStep(tainted, TSingletonContent(TUnknownArrayElementContent()), [post update] c[0])
477+
# storeStep(not_tainted, TSingletonContent(TUnknownArrayElementContent()), [post update] c[1])
478+
# readStep(c, TKnownOrUnknownArrayElementContent(TKnownArrayElementContent(0)), c[0])
479+
# readStep(c, TKnownOrUnknownArrayElementContent(TKnownArrayElementContent(1)), c[1])
480+
# storeStep([post update] c[0], TSingletonContent(TKnownArrayElementContent(0)), [post update] c) # auto-generated reverse store (see Example 2)
481+
# storeStep([post update] c[1], TSingletonContent(TKnownArrayElementContent(1)), [post update] c) # auto-generated reverse store (see Example 2)
482+
c[0][unknown] = tainted
483+
c[1][unknown] = not_tainted
484+
485+
# readStep(c[0], TKnownOrUnknownArrayElementContent(TKnownArrayElementContent(0)), c[0][0])
486+
# readStep(c[1], TKnownOrUnknownArrayElementContent(TKnownArrayElementContent(0)), c[1][0])
487+
# readStep(c, TKnownOrUnknownArrayElementContent(TKnownArrayElementContent(0)), c[0])
488+
# readStep(c, TKnownOrUnknownArrayElementContent(TKnownArrayElementContent(1)), c[1])
482489
sink(c[0][0]) # bad; unknown may be 0
483-
sink(c[0][1]) # good
490+
sink(c[1][0]) # good
484491
```
485492

486493
### Field flow barriers

0 commit comments

Comments
 (0)