C++: alias and side effect info for pure functions

Robert Marsh · Robert Marsh · commit 41e4d920e340 · 2019-07-08T12:26:58.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
@@ -1,17 +1,17 @@
 import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
 
-class PureFunction extends ArrayFunction, TaintFunction {
-  PureFunction() {
+class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction,  SideEffectFunction {
+  PureStrFunction() {
     exists(string name |
       hasName(name) and
       (
-        name = "abs"
-        or name = "atof"
+        name = "atof"
         or name = "atoi"
         or name = "atol"
         or name = "atoll"
-        or name = "labs"
         or name = "strcasestr"
         or name = "strchnul"
         or name = "strchr"
@@ -54,4 +54,51 @@ class PureFunction extends ArrayFunction, TaintFunction {
       output.isOutReturnValue()
     )
   }
+
+  override predicate parameterNeverEscapes(int i) {
+    getParameter(i).getUnspecifiedType() instanceof PointerType
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int i) {
+    none()
+  }
+
+  override predicate parameterIsAlwaysReturned(int i) {
+    none()
+  }
+
+  override predicate neverReadsMemory() {
+    none()
+  }
+  
+  override predicate neverWritesMemory() {
+    any()
+  }
+}
+
+class PureFunction extends TaintFunction, SideEffectFunction {
+  PureFunction() {
+    exists(string name |
+      hasName(name) and
+      (
+        name = "abs" or
+        name = "labs"
+      )
+    )
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    exists (ParameterIndex i |
+      input.isInParameter(i)
+    ) and
+    output.isOutReturnValue()
+  }
+
+  override predicate neverReadsMemory() {
+    any()
+  }
+  
+  override predicate neverWritesMemory() {
+    any()
+  }
 }
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -779,24 +779,21 @@ ssa.cpp:
 #  198|     r0_15(char *)         = Load                      : &:r0_14, m0_6
 #  198|     r0_16(char *)         = Convert                   : r0_15
 #  198|     r0_17(int)            = Call                      : func:r0_10, 0:r0_13, 1:r0_16
-#  198|     m0_18(unknown)        = ^CallSideEffect           : ~m0_1
-#  198|     m0_19(unknown)        = Chi                       : total:m0_1, partial:m0_18
-#  198|     m0_20(int)            = Store                     : &:r0_9, r0_17
-#  199|     r0_21(glval<unknown>) = FunctionAddress[abs]      : 
-#  199|     r0_22(glval<int>)     = VariableAddress[x]        : 
-#  199|     r0_23(int)            = Load                      : &:r0_22, m0_8
-#  199|     r0_24(int)            = Call                      : func:r0_21, 0:r0_23
-#  199|     m0_25(unknown)        = ^CallSideEffect           : ~m0_19
-#  199|     m0_26(unknown)        = Chi                       : total:m0_19, partial:m0_25
-#  199|     r0_27(glval<int>)     = VariableAddress[ret]      : 
-#  199|     r0_28(int)            = Load                      : &:r0_27, m0_20
-#  199|     r0_29(int)            = Add                       : r0_28, r0_24
-#  199|     m0_30(int)            = Store                     : &:r0_27, r0_29
-#  200|     r0_31(glval<int>)     = VariableAddress[#return]  : 
-#  200|     r0_32(glval<int>)     = VariableAddress[ret]      : 
-#  200|     r0_33(int)            = Load                      : &:r0_32, m0_30
-#  200|     m0_34(int)            = Store                     : &:r0_31, r0_33
-#  197|     r0_35(glval<int>)     = VariableAddress[#return]  : 
-#  197|     v0_36(void)           = ReturnValue               : &:r0_35, m0_34
-#  197|     v0_37(void)           = UnmodeledUse              : mu*
-#  197|     v0_38(void)           = ExitFunction              : 
+#  198|     v0_18(void)           = ^CallReadSideEffect       : ~m0_1
+#  198|     m0_19(int)            = Store                     : &:r0_9, r0_17
+#  199|     r0_20(glval<unknown>) = FunctionAddress[abs]      : 
+#  199|     r0_21(glval<int>)     = VariableAddress[x]        : 
+#  199|     r0_22(int)            = Load                      : &:r0_21, m0_8
+#  199|     r0_23(int)            = Call                      : func:r0_20, 0:r0_22
+#  199|     r0_24(glval<int>)     = VariableAddress[ret]      : 
+#  199|     r0_25(int)            = Load                      : &:r0_24, m0_19
+#  199|     r0_26(int)            = Add                       : r0_25, r0_23
+#  199|     m0_27(int)            = Store                     : &:r0_24, r0_26
+#  200|     r0_28(glval<int>)     = VariableAddress[#return]  : 
+#  200|     r0_29(glval<int>)     = VariableAddress[ret]      : 
+#  200|     r0_30(int)            = Load                      : &:r0_29, m0_27
+#  200|     m0_31(int)            = Store                     : &:r0_28, r0_30
+#  197|     r0_32(glval<int>)     = VariableAddress[#return]  : 
+#  197|     v0_33(void)           = ReturnValue               : &:r0_32, m0_31
+#  197|     v0_34(void)           = UnmodeledUse              : mu*
+#  197|     v0_35(void)           = ExitFunction              : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
@@ -745,22 +745,21 @@ ssa.cpp:
 #  198|     r0_15(char *)         = Load                      : &:r0_14, m0_6
 #  198|     r0_16(char *)         = Convert                   : r0_15
 #  198|     r0_17(int)            = Call                      : func:r0_10, 0:r0_13, 1:r0_16
-#  198|     mu0_18(unknown)       = ^CallSideEffect           : ~mu0_2
+#  198|     v0_18(void)           = ^CallReadSideEffect       : ~mu0_2
 #  198|     m0_19(int)            = Store                     : &:r0_9, r0_17
 #  199|     r0_20(glval<unknown>) = FunctionAddress[abs]      : 
 #  199|     r0_21(glval<int>)     = VariableAddress[x]        : 
 #  199|     r0_22(int)            = Load                      : &:r0_21, m0_8
 #  199|     r0_23(int)            = Call                      : func:r0_20, 0:r0_22
-#  199|     mu0_24(unknown)       = ^CallSideEffect           : ~mu0_2
-#  199|     r0_25(glval<int>)     = VariableAddress[ret]      : 
-#  199|     r0_26(int)            = Load                      : &:r0_25, m0_19
-#  199|     r0_27(int)            = Add                       : r0_26, r0_23
-#  199|     m0_28(int)            = Store                     : &:r0_25, r0_27
-#  200|     r0_29(glval<int>)     = VariableAddress[#return]  : 
-#  200|     r0_30(glval<int>)     = VariableAddress[ret]      : 
-#  200|     r0_31(int)            = Load                      : &:r0_30, m0_28
-#  200|     m0_32(int)            = Store                     : &:r0_29, r0_31
-#  197|     r0_33(glval<int>)     = VariableAddress[#return]  : 
-#  197|     v0_34(void)           = ReturnValue               : &:r0_33, m0_32
-#  197|     v0_35(void)           = UnmodeledUse              : mu*
-#  197|     v0_36(void)           = ExitFunction              : 
+#  199|     r0_24(glval<int>)     = VariableAddress[ret]      : 
+#  199|     r0_25(int)            = Load                      : &:r0_24, m0_19
+#  199|     r0_26(int)            = Add                       : r0_25, r0_23
+#  199|     m0_27(int)            = Store                     : &:r0_24, r0_26
+#  200|     r0_28(glval<int>)     = VariableAddress[#return]  : 
+#  200|     r0_29(glval<int>)     = VariableAddress[ret]      : 
+#  200|     r0_30(int)            = Load                      : &:r0_29, m0_27
+#  200|     m0_31(int)            = Store                     : &:r0_28, r0_30
+#  197|     r0_32(glval<int>)     = VariableAddress[#return]  : 
+#  197|     v0_33(void)           = ReturnValue               : &:r0_32, m0_31
+#  197|     v0_34(void)           = UnmodeledUse              : mu*
+#  197|     v0_35(void)           = ExitFunction              : 
