C++: Model implied dataflow

MathiasVP · MathiasVP · commit 32b5c7fe06a6 · 2021-01-27T16:53:21.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -920,6 +920,27 @@ private predicate modelFlow(Operand opFrom, Instruction iTo) {
       )
     )
   )
+  or
+  impliedModelFlow(opFrom, iTo)
+}
+
+/**
+ * When a `DataFlowFunction` specifies dataflow from a parameter `p` to the return value there should
+ * also be dataflow from the parameter dereference (i.e., `*p`) to the return value dereference.
+ */
+private predicate impliedModelFlow(Operand opFrom, Instruction iTo) {
+  exists(
+    CallInstruction call, DataFlowFunction func, FunctionInput modelIn, FunctionOutput modelOut,
+    int index
+  |
+    call.getStaticCallTarget() = func and
+    func.hasDataFlow(modelIn, modelOut)
+  |
+    modelIn.isParameterOrQualifierAddress(index) and
+    modelOut.isReturnValue() and
+    opFrom = getSideEffectFor(call, index).(ReadSideEffectInstruction).getSideEffectOperand() and
+    iTo = call // TODO: Add write side effects for return values
+  )
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll
@@ -108,6 +108,16 @@ class FunctionInput extends TFunctionInput {
    */
   predicate isQualifierAddress() { none() }
 
+  /**
+   * Holds if `i >= 0` and `isParameter(i)` holds for this value, or
+   * if `i = -1` and `isQualifierAddress()` holds for this value.
+   */
+  final predicate isParameterOrQualifierAddress(ParameterIndex i) {
+    i >= 0 and this.isParameter(i)
+    or
+    i = -1 and this.isQualifierAddress()
+  }
+
   /**
    * Holds if this is the input value pointed to by the return value of a
    * function, if the function returns a pointer, or the input value referred
@@ -134,7 +144,7 @@ class FunctionInput extends TFunctionInput {
   predicate isReturnValueDeref() { none() }
 
   /**
-   * Holds if `i >= 0` and `isParameterDeref(i)` holds for this is value, or
+   * Holds if `i >= 0` and `isParameterDeref(i)` holds for this value, or
    * if `i = -1` and `isQualifierObject()` holds for this value.
    */
   final predicate isParameterDerefOrQualifierObject(ParameterIndex i) {
