C++: Fix flow from this by ref.

jbj · jbj · commit 10b69358aea8 · 2019-09-09T10:36:58.000+02:00
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -19,6 +19,12 @@ private newtype TNode =
   TInstanceParameterNode(MemberFunction f) { exists(f.getBlock()) and not f.isStatic() } or
   TPreConstructorInitThis(ConstructorFieldInit cfi) or
   TPostConstructorInitThis(ConstructorFieldInit cfi) or
+  TThisArgumentPostUpdate(ThisExpr ta) {
+    exists(Call c, int i |
+      ta = c.getArgument(i) and
+      not c.getTarget().getParameter(i).getUnderlyingType().(PointerType).getBaseType().isConst()
+    )
+  } or
   TUninitializedNode(LocalVariable v) { not v.hasInitializer() }
 
 /**
@@ -282,6 +288,16 @@ private class PartialDefinitionNode extends PostUpdateNode, TPartialDefinitionNo
   override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
 }
 
+private class ThisArgumentPostUpdateNode extends PostUpdateNode, TThisArgumentPostUpdate {
+  ThisExpr thisExpr;
+
+  ThisArgumentPostUpdateNode() { this = TThisArgumentPostUpdate(thisExpr) }
+
+  override Node getPreUpdateNode() { result.asExpr() = thisExpr }
+
+  override string toString() { result = "ref arg this" }
+}
+
 /**
  * A node representing the temporary value of an object that was just
  * constructed by a constructor call or an aggregate initializer. This is only
diff --git a/cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp b/cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp
@@ -60,7 +60,7 @@ void test_setIndirectly() {
 void test_setThroughNonMember() {
   S s;
   s.setThroughNonMember(user_input());
-  sink(s.getThroughNonMember()); // flow [NOT DETECTED]
+  sink(s.getThroughNonMember()); // flow
 }
 
 void test_nonMemberSetA() {
diff --git a/cpp/ql/test/library-tests/dataflow/fields/flow.expected b/cpp/ql/test/library-tests/dataflow/fields/flow.expected
@@ -115,6 +115,9 @@ edges
 | by_reference.cpp:56:3:56:3 | s [post update] [a] | by_reference.cpp:57:8:57:8 | s [a] |
 | by_reference.cpp:56:19:56:28 | call to user_input | by_reference.cpp:56:3:56:3 | s [post update] [a] |
 | by_reference.cpp:57:8:57:8 | s [a] | by_reference.cpp:57:10:57:22 | call to getIndirectly |
+| by_reference.cpp:62:3:62:3 | s [post update] [a] | by_reference.cpp:63:8:63:8 | s [a] |
+| by_reference.cpp:62:25:62:34 | call to user_input | by_reference.cpp:62:3:62:3 | s [post update] [a] |
+| by_reference.cpp:63:8:63:8 | s [a] | by_reference.cpp:63:10:63:28 | call to getThroughNonMember |
 | complex.cpp:34:15:34:15 | b [f, a_] | complex.cpp:44:8:44:8 | b [f, a_] |
 | complex.cpp:34:15:34:15 | b [f, b_] | complex.cpp:45:8:45:8 | b [f, b_] |
 | complex.cpp:44:8:44:8 | b [f, a_] | complex.cpp:44:10:44:10 | f [a_] |
@@ -203,6 +206,7 @@ edges
 | aliasing.cpp:93:12:93:13 | m1 | aliasing.cpp:92:12:92:21 | call to user_input | aliasing.cpp:93:12:93:13 | m1 | m1 flows from $@ | aliasing.cpp:92:12:92:21 | call to user_input | call to user_input |
 | by_reference.cpp:51:10:51:20 | call to getDirectly | by_reference.cpp:50:17:50:26 | call to user_input | by_reference.cpp:51:10:51:20 | call to getDirectly | call to getDirectly flows from $@ | by_reference.cpp:50:17:50:26 | call to user_input | call to user_input |
 | by_reference.cpp:57:10:57:22 | call to getIndirectly | by_reference.cpp:56:19:56:28 | call to user_input | by_reference.cpp:57:10:57:22 | call to getIndirectly | call to getIndirectly flows from $@ | by_reference.cpp:56:19:56:28 | call to user_input | call to user_input |
+| by_reference.cpp:63:10:63:28 | call to getThroughNonMember | by_reference.cpp:62:25:62:34 | call to user_input | by_reference.cpp:63:10:63:28 | call to getThroughNonMember | call to getThroughNonMember flows from $@ | by_reference.cpp:62:25:62:34 | call to user_input | call to user_input |
 | complex.cpp:44:12:44:12 | call to a | complex.cpp:55:13:55:22 | call to user_input | complex.cpp:44:12:44:12 | call to a | call to a flows from $@ | complex.cpp:55:13:55:22 | call to user_input | call to user_input |
 | complex.cpp:44:12:44:12 | call to a | complex.cpp:57:13:57:22 | call to user_input | complex.cpp:44:12:44:12 | call to a | call to a flows from $@ | complex.cpp:57:13:57:22 | call to user_input | call to user_input |
 | complex.cpp:45:12:45:12 | call to b | complex.cpp:56:13:56:22 | call to user_input | complex.cpp:45:12:45:12 | call to b | call to b flows from $@ | complex.cpp:56:13:56:22 | call to user_input | call to user_input |

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ void test_setIndirectly() {`
`60`	`60`	`void test_setThroughNonMember() {`
`61`	`61`	`S s;`
`62`	`62`	`s.setThroughNonMember(user_input());`
`63`		`- sink(s.getThroughNonMember()); // flow [NOT DETECTED]`
	`63`	`+ sink(s.getThroughNonMember()); // flow`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`void test_nonMemberSetA() {`