C++: More QLDoc.

MathiasVP · MathiasVP · commit dc00643ad100 · 2022-09-16T17:14:29.000+01:00
diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll b/cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll
@@ -13,6 +13,12 @@ module ProductFlow {
      */
     predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2) { none() }
 
+    /**
+     * Holds if `(source1, source2)` is a relevant data flow source with initial states `state1`
+     * and `state2`, respectively.
+     *
+     * `source1` and `source2` must belong to the same callable.
+     */
     predicate isSourcePair(
       DataFlow::Node source1, string state1, DataFlow::Node source2, string state2
     ) {
@@ -28,6 +34,12 @@ module ProductFlow {
      */
     predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2) { none() }
 
+    /**
+     * Holds if `(sink1, sink2)` is a relevant data flow sink with final states `state1`
+     * and `state2`, respectively.
+     *
+     * `sink1` and `sink2` must belong to the same callable.
+     */
     predicate isSinkPair(
       DataFlow::Node sink1, DataFlow::FlowState state1, DataFlow::Node sink2,
       DataFlow::FlowState state2
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
@@ -86,14 +86,19 @@ predicate hasSize(AllocationExpr alloc, DataFlow::Node n, string state) {
  *
  * The goal of this query is to find patterns such as:
  * ```cpp
- * char* p = (char*)malloc(size);
- * char* end = p + size;
- * use(*end);
+ * 1. char* begin = (char*)malloc(size);
+ * 2. char* end = begin + size;
+ * 3. for(int *p = begin; p <= end; p++) {
+ * 4.   use(*p);
+ * 5. }
  * ```
  *
  * We do this by splitting the task up into two configurations:
- * 1. `AllocToInvalidPointerConf` find flow from `malloc(size)` to `p + size`, and
- * 2. `InvalidPointerToDerefConf` finds flow from `p + size` to `*end`.
+ * 1. `AllocToInvalidPointerConf` find flow from `malloc(size)` to `begin + size`, and
+ * 2. `InvalidPointerToDerefConf` finds flow from `begin + size` to an `end` (on line 3).
+ * 
+ * Finally, the range-analysis library will find a load from (or store to) an address that
+ * is non-strictly upper-bounded by `end` (which in this case is `*p`).
  */
 class AllocToInvalidPointerConf extends ProductFlow::Configuration {
   AllocToInvalidPointerConf() { this = "AllocToInvalidPointerConf" }
