CPP: Exclude cases where the parameter is written to.

Author: geoffw0

cpp/ql/src/Critical/LargeParameter.ql

@@ -11,6 +11,7 @@
  *       non-attributable
  */
 import cpp
+import semmle.code.cpp.dataflow.EscapesTree
 
 from Function f, Parameter p, Type t, int size
 where f.getAParameter() = p
@@ -19,6 +20,16 @@ where f.getAParameter() = p
   and size > 64
   and not t.getUnderlyingType() instanceof ArrayType
   and not f instanceof CopyAssignmentOperator
+  // exception: p is written to, which may mean the copy is intended
+  and not p.getAnAccess().isAddressOfAccessNonConst()
+  and not exists(Access a |
+    a.getTarget() = p and
+    (
+      exists(Assignment an | an.getLValue().getAChild*() = a) or
+      exists(CrementOperation co | co.getOperand().getAChild*() = a) or
+      exists(FunctionCall fc | fc.getQualifier().getAChild*() = a and not fc.getTarget().hasSpecifier("const"))
+    )
+  )
 select
   p, "This parameter of type $@ is " + size.toString() + " bytes - consider passing a const pointer/reference instead.",
   t, t.toString()

cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.expected

@@ -1,17 +1,9 @@
 | test.cpp:16:13:16:14 | _t | This parameter of type $@ is 4096 bytes - consider passing a const pointer/reference instead. | test.cpp:6:8:6:20 | myLargeStruct | myLargeStruct |
 | test.cpp:24:44:24:48 | mtc_t | This parameter of type $@ is 4096 bytes - consider passing a const pointer/reference instead. | test.cpp:11:7:11:21 | myTemplateClass<myLargeStruct> | myTemplateClass<myLargeStruct> |
 | test.cpp:28:49:28:49 | b | This parameter of type $@ is 4096 bytes - consider passing a const pointer/reference instead. | test.cpp:6:8:6:20 | myLargeStruct | myLargeStruct |
-| test.cpp:78:16:78:16 | a | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
-| test.cpp:79:16:79:16 | b | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
-| test.cpp:80:16:80:16 | c | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
-| test.cpp:81:16:81:16 | d | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
-| test.cpp:82:16:82:16 | e | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
-| test.cpp:83:16:83:16 | f | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
-| test.cpp:84:16:84:16 | g | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
 | test.cpp:104:16:104:16 | a | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
 | test.cpp:105:16:105:16 | b | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
 | test.cpp:106:16:106:16 | c | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
 | test.cpp:107:16:107:16 | d | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
 | test.cpp:108:16:108:16 | e | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
 | test.cpp:109:16:109:16 | f | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
-| test.cpp:144:47:144:49 | lhs | This parameter of type $@ is 1028 bytes - consider passing a const pointer/reference instead. | test.cpp:130:7:130:23 | MyArithmeticClass | MyArithmeticClass |

cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp

@@ -75,13 +75,13 @@ int mlc_get(const MyLargeClass &c) {
 }
 
 void myFunction4(
-		MyLargeClass a, // GOOD: large, but the copy is written to so can't be trivially replaced with a reference [FALSE POSITIVE]
-		MyLargeClass b, // GOOD [FALSE POSITIVE]
-		MyLargeClass c, // GOOD [FALSE POSITIVE]
-		MyLargeClass d, // GOOD [FALSE POSITIVE]
-		MyLargeClass e, // GOOD [FALSE POSITIVE]
-		MyLargeClass f, // GOOD [FALSE POSITIVE]
-		MyLargeClass g // GOOD [FALSE POSITIVE]
+		MyLargeClass a, // GOOD: large, but the copy is written to so can't be trivially replaced with a reference
+		MyLargeClass b, // GOOD
+		MyLargeClass c, // GOOD
+		MyLargeClass d, // GOOD
+		MyLargeClass e, // GOOD
+		MyLargeClass f, // GOOD
+		MyLargeClass g // GOOD
 	)
 {
 	MyLargeClass *mlc_ptr;
@@ -141,7 +141,7 @@ class MyArithmeticClass {
 	char data[1024];
 };
 
-MyArithmeticClass operator+(MyArithmeticClass lhs, const MyArithmeticClass &rhs) { // GOOD [FALSE POSITIVE]
+MyArithmeticClass operator+(MyArithmeticClass lhs, const MyArithmeticClass &rhs) { // GOOD
 	lhs += rhs; // lhs is copied by design
 	return lhs;
 }