C++: use qualifier flow in more models

Robert Marsh · Robert Marsh · commit 3a83cc71fe7b · 2020-09-17T18:03:02.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll
@@ -21,7 +21,11 @@ class ConversionConstructorModel extends Constructor, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // taint flow from the first constructor argument to the returned object
     input.isParameter(0) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    (
+      output.isReturnValue()
+      or
+      output.isQualifierObject()
+    )
   }
 }
 
@@ -32,7 +36,11 @@ class CopyConstructorModel extends CopyConstructor, DataFlowFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     // data flow from the first constructor argument to the returned object
     input.isParameter(0) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    (
+      output.isReturnValue()
+      or
+      output.isQualifierObject()
+    )
   }
 }
 
@@ -43,7 +51,11 @@ class MoveConstructorModel extends MoveConstructor, DataFlowFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     // data flow from the first constructor argument to the returned object
     input.isParameter(0) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    (
+      output.isReturnValue()
+      or
+      output.isQualifierObject()
+    )
   }
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -38,7 +38,9 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction {
       input.isParameterDeref(getAValueTypeParameterIndex()) or
       input.isParameter(getAnIteratorParameterIndex())
     ) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    output.isReturnValue()
+    or
+    output.isQualifierObject()
   }
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -48,7 +48,7 @@ class StdStringConstructor extends Constructor, TaintFunction {
       input.isParameter(getAnIteratorParameterIndex())
     ) and
     (
-      output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+      output.isReturnValue()
       or
       output.isQualifierObject()
     )
@@ -383,7 +383,9 @@ class StdStringStreamConstructor extends Constructor, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // taint flow from any parameter of string type to the returned object
     input.isParameterDeref(getAStringParameterIndex()) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    output.isReturnValue()
+    or
+    output.isQualifierObject()
   }
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -15,10 +15,7 @@
 | arrayassignment.cpp:146:7:146:13 | arrayassignment.cpp:144:12:144:17 | IR only |
 | copyableclass.cpp:67:11:67:11 | copyableclass.cpp:67:13:67:18 | AST only |
 | copyableclass.cpp:67:11:67:21 | copyableclass.cpp:67:13:67:18 | IR only |
-| copyableclass_declonly.cpp:40:8:40:9 | copyableclass_declonly.cpp:34:30:34:35 | AST only |
-| copyableclass_declonly.cpp:41:8:41:9 | copyableclass_declonly.cpp:35:32:35:37 | AST only |
 | copyableclass_declonly.cpp:42:8:42:9 | copyableclass_declonly.cpp:34:30:34:35 | AST only |
-| copyableclass_declonly.cpp:65:8:65:9 | copyableclass_declonly.cpp:60:56:60:61 | AST only |
 | copyableclass_declonly.cpp:67:11:67:11 | copyableclass_declonly.cpp:67:13:67:18 | AST only |
 | movableclass.cpp:65:11:65:11 | movableclass.cpp:65:13:65:18 | AST only |
 | movableclass.cpp:65:11:65:21 | movableclass.cpp:65:13:65:18 | IR only |
@@ -97,10 +94,6 @@
 | stringstream.cpp:67:7:67:10 | stringstream.cpp:64:36:64:41 | AST only |
 | stringstream.cpp:76:11:76:11 | stringstream.cpp:70:32:70:37 | AST only |
 | stringstream.cpp:100:11:100:11 | stringstream.cpp:100:31:100:36 | AST only |
-| stringstream.cpp:103:7:103:9 | stringstream.cpp:91:19:91:24 | AST only |
-| stringstream.cpp:105:7:105:9 | stringstream.cpp:95:44:95:49 | AST only |
-| stringstream.cpp:121:7:121:9 | stringstream.cpp:113:24:113:29 | AST only |
-| stringstream.cpp:123:7:123:9 | stringstream.cpp:115:24:115:29 | AST only |
 | stringstream.cpp:143:11:143:22 | stringstream.cpp:143:14:143:19 | IR only |
 | swap1.cpp:78:12:78:16 | swap1.cpp:69:23:69:23 | AST only |
 | swap1.cpp:87:13:87:17 | swap1.cpp:82:16:82:21 | AST only |
@@ -134,10 +127,7 @@
 | taint.cpp:431:9:431:17 | taint.cpp:428:13:428:18 | IR only |
 | taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:471:7:471:7 | taint.cpp:462:6:462:11 | AST only |
-| vector.cpp:20:8:20:8 | vector.cpp:16:43:16:49 | AST only |
-| vector.cpp:24:8:24:8 | vector.cpp:16:43:16:49 | AST only |
-| vector.cpp:28:8:28:8 | vector.cpp:16:43:16:49 | AST only |
-| vector.cpp:33:8:33:8 | vector.cpp:16:43:16:49 | AST only |
+| vector.cpp:24:8:24:11 | vector.cpp:16:43:16:49 | IR only |
 | vector.cpp:52:7:52:8 | vector.cpp:51:10:51:15 | AST only |
 | vector.cpp:53:9:53:9 | vector.cpp:51:10:51:15 | AST only |
 | vector.cpp:54:9:54:9 | vector.cpp:51:10:51:15 | AST only |
@@ -171,4 +161,3 @@
 | vector.cpp:292:7:292:18 | vector.cpp:289:17:289:30 | AST only |
 | vector.cpp:308:9:308:14 | vector.cpp:303:14:303:19 | AST only |
 | vector.cpp:311:9:311:14 | vector.cpp:303:14:303:19 | AST only |
-| vector.cpp:326:7:326:8 | vector.cpp:318:15:318:20 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -24,7 +24,10 @@
 | copyableclass.cpp:65:8:65:9 | s1 | copyableclass.cpp:60:40:60:45 | call to source |
 | copyableclass.cpp:66:8:66:9 | s2 | copyableclass.cpp:63:24:63:29 | call to source |
 | copyableclass.cpp:67:11:67:21 | (reference dereference) | copyableclass.cpp:67:13:67:18 | call to source |
+| copyableclass_declonly.cpp:40:8:40:9 | s1 | copyableclass_declonly.cpp:34:30:34:35 | call to source |
+| copyableclass_declonly.cpp:41:8:41:9 | s2 | copyableclass_declonly.cpp:35:32:35:37 | call to source |
 | copyableclass_declonly.cpp:43:8:43:9 | s4 | copyableclass_declonly.cpp:38:8:38:13 | call to source |
+| copyableclass_declonly.cpp:65:8:65:9 | s1 | copyableclass_declonly.cpp:60:56:60:61 | call to source |
 | copyableclass_declonly.cpp:66:8:66:9 | s2 | copyableclass_declonly.cpp:63:32:63:37 | call to source |
 | format.cpp:57:8:57:13 | Argument 0 indirection | format.cpp:56:36:56:49 | call to source |
 | format.cpp:62:8:62:13 | Argument 0 indirection | format.cpp:61:30:61:43 | call to source |
@@ -142,7 +145,11 @@
 | stringstream.cpp:66:7:66:10 | Argument 0 indirection | stringstream.cpp:63:18:63:23 | call to source |
 | stringstream.cpp:81:7:81:9 | Argument 0 indirection | stringstream.cpp:70:32:70:37 | source |
 | stringstream.cpp:83:11:83:13 | call to str | stringstream.cpp:70:32:70:37 | source |
+| stringstream.cpp:103:7:103:9 | Argument 0 indirection | stringstream.cpp:91:19:91:24 | call to source |
+| stringstream.cpp:105:7:105:9 | Argument 0 indirection | stringstream.cpp:95:44:95:49 | call to source |
 | stringstream.cpp:107:7:107:9 | Argument 0 indirection | stringstream.cpp:100:31:100:36 | call to source |
+| stringstream.cpp:121:7:121:9 | Argument 0 indirection | stringstream.cpp:113:24:113:29 | call to source |
+| stringstream.cpp:123:7:123:9 | Argument 0 indirection | stringstream.cpp:115:24:115:29 | call to source |
 | stringstream.cpp:143:11:143:11 | call to operator<< | stringstream.cpp:143:14:143:19 | call to source |
 | stringstream.cpp:143:11:143:22 | (reference dereference) | stringstream.cpp:143:14:143:19 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
@@ -224,6 +231,13 @@
 | taint.cpp:465:7:465:7 | x | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:485:7:485:10 | line | taint.cpp:480:26:480:32 | source1 |
+| vector.cpp:20:8:20:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:24:8:24:8 | call to operator* | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:24:8:24:11 | (reference dereference) | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:28:8:28:8 | (reference dereference) | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:28:8:28:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:33:8:33:8 | (reference dereference) | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:33:8:33:8 | x | vector.cpp:16:43:16:49 | source1 |
 | vector.cpp:70:7:70:8 | Argument 0 indirection | vector.cpp:69:15:69:20 | call to source |
 | vector.cpp:83:7:83:8 | Argument 0 indirection | vector.cpp:81:17:81:22 | call to source |
 | vector.cpp:109:7:109:8 | Argument 0 indirection | vector.cpp:106:15:106:20 | call to source |
@@ -251,3 +265,4 @@
 | vector.cpp:309:7:309:7 | Argument 0 indirection | vector.cpp:303:14:303:19 | call to source |
 | vector.cpp:312:7:312:7 | Argument 0 indirection | vector.cpp:303:14:303:19 | call to source |
 | vector.cpp:324:7:324:8 | Argument 0 indirection | vector.cpp:318:15:318:20 | call to source |
+| vector.cpp:326:7:326:8 | Argument 0 indirection | vector.cpp:318:15:318:20 | call to source |

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,11 @@ class ConversionConstructorModel extends Constructor, TaintFunction {`
`21`	`21`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`22`	`22`	`// taint flow from the first constructor argument to the returned object`
`23`	`23`	`input.isParameter(0) and`
`24`		- output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
	`24`	`+ (`
	`25`	`+ output.isReturnValue()`
	`26`	`+ or`
	`27`	`+ output.isQualifierObject()`
	`28`	`+ )`
`25`	`29`	`}`
`26`	`30`	`}`
`27`	`31`
`@@ -32,7 +36,11 @@ class CopyConstructorModel extends CopyConstructor, DataFlowFunction {`
`32`	`36`	`override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {`
`33`	`37`	`// data flow from the first constructor argument to the returned object`
`34`	`38`	`input.isParameter(0) and`
`35`		- output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
	`39`	`+ (`
	`40`	`+ output.isReturnValue()`
	`41`	`+ or`
	`42`	`+ output.isQualifierObject()`
	`43`	`+ )`
`36`	`44`	`}`
`37`	`45`	`}`
`38`	`46`
`@@ -43,7 +51,11 @@ class MoveConstructorModel extends MoveConstructor, DataFlowFunction {`
`43`	`51`	`override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {`
`44`	`52`	`// data flow from the first constructor argument to the returned object`
`45`	`53`	`input.isParameter(0) and`
`46`		- output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
	`54`	`+ (`
	`55`	`+ output.isReturnValue()`
	`56`	`+ or`
	`57`	`+ output.isQualifierObject()`
	`58`	`+ )`
`47`	`59`	`}`
`48`	`60`	`}`
`49`	`61`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,9 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction {`
`38`	`38`	`input.isParameterDeref(getAValueTypeParameterIndex()) or`
`39`	`39`	`input.isParameter(getAnIteratorParameterIndex())`
`40`	`40`	`) and`
`41`		- output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
	`41`	`+ output.isReturnValue()`
	`42`	`+ or`
	`43`	`+ output.isQualifierObject()`
`42`	`44`	`}`
`43`	`45`	`}`
`44`	`46`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ class StdStringConstructor extends Constructor, TaintFunction {`
`48`	`48`	`input.isParameter(getAnIteratorParameterIndex())`
`49`	`49`	`) and`
`50`	`50`	`(`
`51`		- output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
	`51`	`+ output.isReturnValue()`
`52`	`52`	`or`
`53`	`53`	`output.isQualifierObject()`
`54`	`54`	`)`
`@@ -383,7 +383,9 @@ class StdStringStreamConstructor extends Constructor, TaintFunction {`
`383`	`383`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`384`	`384`	`// taint flow from any parameter of string type to the returned object`
`385`	`385`	`input.isParameterDeref(getAStringParameterIndex()) and`
`386`		- output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
	`386`	`+ output.isReturnValue()`
	`387`	`+ or`
	`388`	`+ output.isQualifierObject()`
`387`	`389`	`}`
`388`	`390`	`}`
`389`	`391`