Merge pull request #4766 from criemen/cleanup-flow-tests

C++: Cleanup data/taint flow tests

Author: MathiasVP

cpp/ql/test/TestUtilities/dataflow/FlowTestCommon.qll

@@ -0,0 +1,71 @@
+/**
+ * Helper library for implementing data or taint flow inline expectation tests.
+ * As long as data or taint flow configurations for IR and/or AST based data/taint flow
+ * are in scope, provides inline expectations tests.
+ * All sinks that have flow are annotated with `ast` (or respective `ir`) if there
+ * is a unique source for the flow.
+ * Otherwise, if there are multiple sources that can reach a given sink, the annotations
+ * have the form `ast=lineno:column` (or `ir=lineno:column`).
+ * If a sink is reachable through both AST and IR flow, the annotations have the form
+ * `ast,ir` or `ast,ir=lineno:column`.
+ * Intermediate steps from the source to the sink are not annotated.
+ */
+
+import cpp
+private import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow as IRDataFlow
+private import semmle.code.cpp.dataflow.DataFlow::DataFlow as ASTDataFlow
+import TestUtilities.InlineExpectationsTest
+
+class IRFlowTest extends InlineExpectationsTest {
+  IRFlowTest() { this = "IRFlowTest" }
+
+  override string getARelevantTag() { result = "ir" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(IRDataFlow::Node source, IRDataFlow::Node sink, IRDataFlow::Configuration conf, int n |
+      tag = "ir" and
+      conf.hasFlow(source, sink) and
+      n = strictcount(IRDataFlow::Node otherSource | conf.hasFlow(otherSource, sink)) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one source for this sink
+        // we specify the source location explicitly.
+        n > 1 and
+        value =
+          source.getLocation().getStartLine().toString() + ":" +
+            source.getLocation().getStartColumn()
+      ) and
+      location = sink.getLocation() and
+      element = sink.toString()
+    )
+  }
+}
+
+class ASTFlowTest extends InlineExpectationsTest {
+  ASTFlowTest() { this = "ASTFlowTest" }
+
+  override string getARelevantTag() { result = "ast" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(
+      ASTDataFlow::Node source, ASTDataFlow::Node sink, ASTDataFlow::Configuration conf, int n
+    |
+      tag = "ast" and
+      conf.hasFlow(source, sink) and
+      n = strictcount(ASTDataFlow::Node otherSource | conf.hasFlow(otherSource, sink)) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one source for this sink
+        // we specify the source location explicitly.
+        n > 1 and
+        value =
+          source.getLocation().getStartLine().toString() + ":" +
+            source.getLocation().getStartColumn()
+      ) and
+      location = sink.getLocation() and
+      element = sink.toString()
+    )
+  }
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/DataflowTestCommon.qll

@@ -1,27 +1,109 @@
-import DataflowTestCommon
+import TestUtilities.dataflow.FlowTestCommon
 
-class ASTDataFlowTest extends InlineExpectationsTest {
-  ASTDataFlowTest() { this = "ASTDataFlowTest" }
+module ASTTest {
+  private import semmle.code.cpp.dataflow.DataFlow
 
-  override string getARelevantTag() { result = "ast" }
+  /**
+   * A `BarrierGuard` that stops flow to all occurrences of `x` within statement
+   * S in `if (guarded(x)) S`.
+   */
+  // This is tested in `BarrierGuard.cpp`.
+  class TestBarrierGuard extends DataFlow::BarrierGuard {
+    TestBarrierGuard() { this.(FunctionCall).getTarget().getName() = "guarded" }
 
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(DataFlow::Node source, DataFlow::Node sink, TestAllocationConfig conf, int n |
-      tag = "ast" and
-      conf.hasFlow(source, sink) and
-      n = strictcount(DataFlow::Node otherSource | conf.hasFlow(otherSource, sink)) and
-      (
-        n = 1 and value = ""
+    override predicate checks(Expr checked, boolean isTrue) {
+      checked = this.(FunctionCall).getArgument(0) and
+      isTrue = true
+    }
+  }
+
+  /** Common data flow configuration to be used by tests. */
+  class ASTTestAllocationConfig extends DataFlow::Configuration {
+    ASTTestAllocationConfig() { this = "ASTTestAllocationConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(FunctionCall).getTarget().getName() = "source"
+      or
+      source.asParameter().getName().matches("source%")
+      or
+      source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
+      or
+      // Track uninitialized variables
+      exists(source.asUninitialized())
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(FunctionCall call |
+        call.getTarget().getName() = "sink" and
+        sink.asExpr() = call.getAnArgument()
+      )
+    }
+
+    override predicate isBarrier(DataFlow::Node barrier) {
+      barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
+    }
+
+    override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
+  }
+}
+
+module IRTest {
+  private import semmle.code.cpp.ir.dataflow.DataFlow
+  private import semmle.code.cpp.ir.IR
+
+  /**
+   * A `BarrierGuard` that stops flow to all occurrences of `x` within statement
+   * S in `if (guarded(x)) S`.
+   */
+  // This is tested in `BarrierGuard.cpp`.
+  class TestBarrierGuard extends DataFlow::BarrierGuard {
+    TestBarrierGuard() { this.(CallInstruction).getStaticCallTarget().getName() = "guarded" }
+
+    override predicate checksInstr(Instruction checked, boolean isTrue) {
+      checked = this.(CallInstruction).getPositionalArgument(0) and
+      isTrue = true
+    }
+  }
+
+  /** Common data flow configuration to be used by tests. */
+  class IRTestAllocationConfig extends DataFlow::Configuration {
+    IRTestAllocationConfig() { this = "IRTestAllocationConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(FunctionCall).getTarget().getName() = "source"
+      or
+      source.asParameter().getName().matches("source%")
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(FunctionCall call |
+        call.getTarget().getName() = "sink" and
+        sink.asExpr() = call.getAnArgument()
+      )
+    }
+
+    override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(GlobalOrNamespaceVariable var | var.getName().matches("flowTestGlobal%") |
+        writesVariable(n1.asInstruction(), var) and
+        var = n2.asVariable()
         or
-        // If there is more than one source for this sink
-        // we specify the source location explicitly.
-        n > 1 and
-        value =
-          source.getLocation().getStartLine().toString() + ":" +
-            source.getLocation().getStartColumn()
-      ) and
-      location = sink.getLocation() and
-      element = sink.toString()
-    )
+        readsVariable(n2.asInstruction(), var) and
+        var = n1.asVariable()
+      )
+    }
+
+    override predicate isBarrier(DataFlow::Node barrier) {
+      barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
+    }
+
+    override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
+  }
+
+  private predicate readsVariable(LoadInstruction load, Variable var) {
+    load.getSourceAddress().(VariableAddressInstruction).getASTVariable() = var
+  }
+
+  private predicate writesVariable(StoreInstruction store, Variable var) {
+    store.getDestinationAddress().(VariableAddressInstruction).getASTVariable() = var
   }
 }

cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll

@@ -1,8 +1,8 @@
 private import semmle.code.cpp.dataflow.DataFlow
 private import DataFlow
 
-class Conf extends Configuration {
-  Conf() { this = "FieldFlowConf" }
+class ASTConf extends Configuration {
+  ASTConf() { this = "ASTFieldFlowConf" }
 
   override predicate isSource(Node src) {
     src.asExpr() instanceof NewExpr

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql

@@ -1,8 +1,8 @@
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import DataFlow
 
-class Conf extends Configuration {
-  Conf() { this = "FieldFlowConf" }
+class IRConf extends Configuration {
+  IRConf() { this = "IRFieldFlowConf" }
 
   override predicate isSource(Node src) {
     src.asExpr() instanceof NewExpr