Merge pull request #4784 from MathiasVP/mathiasvp/reverse-read-take-3

C++: Support longer access paths in IR field flow

Author: jbj

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -26,60 +26,21 @@ unreachableNodeCCtx
 localCallNodes
 postIsNotPre
 postHasUniquePre
+| dispatch.cpp:15:8:15:8 | Top output argument | PostUpdateNode should have one pre-update node but has 0. |
+| dispatch.cpp:21:8:21:8 | Middle output argument | PostUpdateNode should have one pre-update node but has 0. |
+| dispatch.cpp:60:18:60:29 | Bottom output argument | PostUpdateNode should have one pre-update node but has 0. |
+| dispatch.cpp:61:18:61:29 | Middle output argument | PostUpdateNode should have one pre-update node but has 0. |
+| dispatch.cpp:65:10:65:21 | Bottom output argument | PostUpdateNode should have one pre-update node but has 0. |
+| test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
+| test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
+| test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
+| test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should have one pre-update node but has 0. |
 uniquePostUpdate
 postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
-| BarrierGuard.cpp:49:3:49:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| BarrierGuard.cpp:60:3:60:18 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:28:3:28:34 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:34:22:34:27 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:34:32:34:37 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:39:32:39:37 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:39:42:39:47 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:43:35:43:40 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:43:51:43:51 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:49:25:49:30 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:49:35:49:40 | Chi | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:50:3:50:26 | Chi | PostUpdateNode should not be the target of local flow. |
-| example.c:17:19:17:22 | Chi | PostUpdateNode should not be the target of local flow. |
-| example.c:17:21:17:21 | Chi | PostUpdateNode should not be the target of local flow. |
-| example.c:24:2:24:30 | Chi | PostUpdateNode should not be the target of local flow. |
-| example.c:24:13:24:30 | Chi | PostUpdateNode should not be the target of local flow. |
-| example.c:26:2:26:25 | Chi | PostUpdateNode should not be the target of local flow. |
-| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
-| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
-| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:13:12:13:12 | Chi | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:13:15:13:15 | Chi | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:28:10:31:2 | Chi | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:28:10:31:2 | Chi | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:43:3:43:14 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:11:5:11:13 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:20:5:20:13 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:22:7:22:13 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:24:7:24:13 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:29:5:29:18 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:31:7:31:13 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:39:7:39:13 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:44:5:44:18 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:46:7:46:13 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:48:7:48:13 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:75:5:75:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:83:5:83:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:87:7:87:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:89:7:89:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:94:5:94:22 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:96:7:96:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:104:7:104:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:109:5:109:22 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:113:7:113:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:115:7:115:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| test.cpp:91:3:91:18 | Chi | PostUpdateNode should not be the target of local flow. |
-| test.cpp:115:3:115:17 | Chi | PostUpdateNode should not be the target of local flow. |
-| test.cpp:120:3:120:10 | Chi | PostUpdateNode should not be the target of local flow. |
-| test.cpp:125:3:125:11 | Chi | PostUpdateNode should not be the target of local flow. |
-| test.cpp:359:5:359:20 | Chi | PostUpdateNode should not be the target of local flow. |
-| test.cpp:373:5:373:20 | Chi | PostUpdateNode should not be the target of local flow. |
-| test.cpp:465:3:465:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -362,7 +362,7 @@ class FlowThroughFields {
   int f() {
     sink(field); // tainted or clean? Not sure.
     taintField();
-    sink(field); // $ ast MISSING: ir
+    sink(field); // $ ast,ir
   }
 
   int calledAfterTaint() {

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -204,4 +204,32 @@ void deep_member_field_arrow(S2 *ps2) {
 void deep_member_field_arrow_different_fields(S2 *ps2) {
   taint_a_ptr(&ps2->s.m1);
   sink(ps2->s.m2);
+}
+
+void test_deep_struct_fields() {
+  S2 s2;
+  s2.s.m1 = user_input();
+  S s = s2.s;
+  sink(s.m1); // $ ast,ir
+}
+
+void test_deep_struct_fields_no_flow() {
+  S2 s2;
+  s2.s.m1 = user_input();
+  S s = s2.s;
+  sink(s.m2);
+}
+
+void test_deep_struct_fields_taint_through_call() {
+  S2 s2;
+  taint_a_ptr(&s2.s.m1);
+  S s = s2.s;
+  sink(s.m1); // $ ast,ir
+}
+
+void test_deep_struct_fields_taint_through_call_no_flow() {
+  S2 s2;
+  taint_a_ptr(&s2.s.m1);
+  S s = s2.s;
+  sink(s.m2);
 }

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1,4 +1,4 @@
-void sink(void *o);
+void sink(void *o); void sink(const char *o);
 void *user_input(void);
 
 struct S {
@@ -135,3 +135,13 @@ void test_outer_with_ref(Outer *pouter) {
   sink(pouter->inner_ptr->a); // $ ast MISSING: ir
   sink(pouter->a); // $ ast,ir
 }
+
+void taint_a_ptr(const char **pa) {
+  *pa = (char*)user_input();
+}
+
+void test_const_char_ref() {
+  const char* s;
+  taint_a_ptr(&s);
+  sink(s); // $ ast ir=140:9 ir=140:16
+}

cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp

@@ -89,6 +89,10 @@ postWithInFlow
 | aliasing.cpp:194:21:194:22 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
 | aliasing.cpp:200:23:200:24 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
 | aliasing.cpp:205:23:205:24 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:211:8:211:9 | m1 [post update] | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:218:8:218:9 | m1 [post update] | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:225:21:225:22 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
+| aliasing.cpp:232:21:232:22 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. |
 | arrays.cpp:6:3:6:5 | arr [inner post update] | PostUpdateNode should not be the target of local flow. |
 | arrays.cpp:6:3:6:8 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
 | arrays.cpp:15:3:15:10 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
@@ -119,6 +123,9 @@ postWithInFlow
 | by_reference.cpp:108:24:108:24 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
 | by_reference.cpp:123:28:123:36 | inner_ptr [inner post update] | PostUpdateNode should not be the target of local flow. |
 | by_reference.cpp:127:30:127:38 | inner_ptr [inner post update] | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:140:3:140:5 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:140:4:140:5 | pa [inner post update] | PostUpdateNode should not be the target of local flow. |
+| by_reference.cpp:145:16:145:16 | s [inner post update] | PostUpdateNode should not be the target of local flow. |
 | complex.cpp:11:22:11:23 | a_ [post update] | PostUpdateNode should not be the target of local flow. |
 | complex.cpp:12:22:12:23 | b_ [post update] | PostUpdateNode should not be the target of local flow. |
 | conflated.cpp:10:3:10:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
@@ -152,5 +159,6 @@ postWithInFlow
 | simple.cpp:65:7:65:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:83:12:83:13 | f1 [post update] | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:92:7:92:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:104:9:104:9 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:24:11:24:12 | ab [inner post update] | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:36:17:36:24 | nestedAB [inner post update] | PostUpdateNode should not be the target of local flow. |