C++: use qualifiers in string constructor model

Robert Marsh · Robert Marsh · commit 556ace004f0a · 2020-09-17T17:39:50.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -47,7 +47,11 @@ class StdStringConstructor extends Constructor, TaintFunction {
       input.isParameterDeref(getAStringParameterIndex()) or
       input.isParameter(getAnIteratorParameterIndex())
     ) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    (
+      output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+      or
+      output.isQualifierObject()
+    )
   }
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -28,91 +28,48 @@
 | standalone_iterators.cpp:42:10:42:10 | standalone_iterators.cpp:39:45:39:51 | AST only |
 | standalone_iterators.cpp:47:10:47:10 | standalone_iterators.cpp:45:39:45:45 | AST only |
 | standalone_iterators.cpp:48:10:48:10 | standalone_iterators.cpp:45:39:45:45 | AST only |
-| string.cpp:30:7:30:7 | string.cpp:26:16:26:21 | AST only |
 | string.cpp:32:9:32:13 | string.cpp:26:16:26:21 | AST only |
 | string.cpp:38:13:38:17 | string.cpp:14:10:14:15 | AST only |
 | string.cpp:42:13:42:17 | string.cpp:14:10:14:15 | AST only |
 | string.cpp:45:13:45:17 | string.cpp:14:10:14:15 | AST only |
-| string.cpp:56:7:56:8 | string.cpp:50:19:50:24 | AST only |
 | string.cpp:69:7:69:8 | string.cpp:61:19:61:24 | AST only |
-| string.cpp:70:7:70:8 | string.cpp:61:19:61:24 | AST only |
-| string.cpp:92:8:92:9 | string.cpp:87:18:87:23 | AST only |
-| string.cpp:93:8:93:9 | string.cpp:88:20:88:25 | AST only |
-| string.cpp:113:8:113:9 | string.cpp:109:32:109:37 | AST only |
-| string.cpp:121:8:121:8 | string.cpp:119:16:119:21 | AST only |
-| string.cpp:125:8:125:8 | string.cpp:119:16:119:21 | AST only |
-| string.cpp:129:8:129:8 | string.cpp:119:16:119:21 | AST only |
-| string.cpp:134:8:134:8 | string.cpp:132:28:132:33 | AST only |
-| string.cpp:144:11:144:11 | string.cpp:141:18:141:23 | AST only |
-| string.cpp:145:11:145:11 | string.cpp:141:18:141:23 | AST only |
-| string.cpp:146:11:146:11 | string.cpp:141:18:141:23 | AST only |
-| string.cpp:158:8:158:9 | string.cpp:154:18:154:23 | AST only |
+| string.cpp:125:8:125:11 | string.cpp:119:16:119:21 | IR only |
 | string.cpp:161:11:161:11 | string.cpp:154:18:154:23 | AST only |
-| string.cpp:162:8:162:9 | string.cpp:154:18:154:23 | AST only |
 | string.cpp:165:11:165:11 | string.cpp:165:14:165:19 | AST only |
 | string.cpp:166:11:166:11 | string.cpp:165:14:165:19 | AST only |
-| string.cpp:171:8:171:9 | string.cpp:154:18:154:23 | AST only |
 | string.cpp:198:10:198:15 | string.cpp:190:17:190:22 | AST only |
-| string.cpp:199:7:199:8 | string.cpp:190:17:190:22 | AST only |
 | string.cpp:201:10:201:15 | string.cpp:191:11:191:25 | AST only |
-| string.cpp:205:7:205:8 | string.cpp:193:17:193:22 | AST only |
 | string.cpp:219:10:219:15 | string.cpp:210:17:210:22 | AST only |
-| string.cpp:220:7:220:8 | string.cpp:210:17:210:22 | AST only |
 | string.cpp:223:10:223:15 | string.cpp:210:17:210:22 | AST only |
-| string.cpp:224:7:224:8 | string.cpp:210:17:210:22 | AST only |
 | string.cpp:227:10:227:15 | string.cpp:211:11:211:25 | AST only |
 | string.cpp:242:10:242:16 | string.cpp:233:17:233:22 | AST only |
-| string.cpp:243:7:243:8 | string.cpp:233:17:233:22 | AST only |
 | string.cpp:246:10:246:16 | string.cpp:233:17:233:22 | AST only |
-| string.cpp:247:7:247:8 | string.cpp:233:17:233:22 | AST only |
 | string.cpp:250:10:250:16 | string.cpp:234:11:234:25 | AST only |
-| string.cpp:264:7:264:8 | string.cpp:258:17:258:22 | AST only |
-| string.cpp:274:7:274:8 | string.cpp:269:17:269:22 | AST only |
-| string.cpp:276:7:276:8 | string.cpp:271:17:271:22 | AST only |
-| string.cpp:281:7:281:8 | string.cpp:269:17:269:22 | AST only |
-| string.cpp:282:7:282:8 | string.cpp:269:17:269:22 | AST only |
-| string.cpp:283:7:283:8 | string.cpp:271:17:271:22 | AST only |
-| string.cpp:284:7:284:8 | string.cpp:271:17:271:22 | AST only |
-| string.cpp:292:7:292:8 | string.cpp:288:17:288:22 | AST only |
-| string.cpp:293:7:293:8 | string.cpp:289:17:289:22 | AST only |
-| string.cpp:294:7:294:8 | string.cpp:290:17:290:22 | AST only |
-| string.cpp:300:7:300:8 | string.cpp:288:17:288:22 | AST only |
-| string.cpp:302:7:302:8 | string.cpp:290:17:290:22 | AST only |
 | string.cpp:311:9:311:12 | string.cpp:308:16:308:21 | AST only |
-| string.cpp:322:9:322:14 | string.cpp:319:16:319:21 | AST only |
 | string.cpp:339:7:339:7 | string.cpp:335:9:335:23 | AST only |
 | string.cpp:340:7:340:7 | string.cpp:336:12:336:26 | AST only |
 | string.cpp:341:7:341:7 | string.cpp:335:9:335:23 | AST only |
 | string.cpp:349:7:349:9 | string.cpp:348:18:348:32 | AST only |
 | string.cpp:350:11:350:14 | string.cpp:348:18:348:32 | AST only |
 | string.cpp:361:11:361:16 | string.cpp:356:18:356:23 | AST only |
-| string.cpp:362:8:362:9 | string.cpp:356:18:356:23 | AST only |
-| string.cpp:380:8:380:8 | string.cpp:372:18:372:23 | AST only |
-| string.cpp:381:13:381:13 | string.cpp:372:18:372:23 | AST only |
+| string.cpp:380:8:380:14 | string.cpp:372:18:372:23 | IR only |
+| string.cpp:381:13:381:15 | string.cpp:372:18:372:23 | IR only |
 | string.cpp:394:8:394:8 | string.cpp:387:18:387:23 | AST only |
 | string.cpp:395:8:395:8 | string.cpp:387:18:387:23 | AST only |
 | string.cpp:397:8:397:8 | string.cpp:387:18:387:23 | AST only |
 | string.cpp:399:8:399:8 | string.cpp:387:18:387:23 | AST only |
-| string.cpp:402:8:402:8 | string.cpp:387:18:387:23 | AST only |
-| string.cpp:405:8:405:8 | string.cpp:387:18:387:23 | AST only |
+| string.cpp:402:8:402:11 | string.cpp:387:18:387:23 | IR only |
+| string.cpp:405:8:405:11 | string.cpp:387:18:387:23 | IR only |
 | string.cpp:407:8:407:8 | string.cpp:387:18:387:23 | AST only |
 | string.cpp:409:8:409:8 | string.cpp:387:18:387:23 | AST only |
-| string.cpp:413:8:413:8 | string.cpp:387:18:387:23 | AST only |
+| string.cpp:413:8:413:11 | string.cpp:387:18:387:23 | IR only |
 | string.cpp:427:10:427:15 | string.cpp:422:14:422:19 | AST only |
 | string.cpp:442:10:442:15 | string.cpp:442:32:442:46 | AST only |
 | string.cpp:455:10:455:15 | string.cpp:450:18:450:23 | AST only |
-| string.cpp:456:8:456:8 | string.cpp:450:18:450:23 | AST only |
 | string.cpp:458:11:458:16 | string.cpp:450:18:450:23 | AST only |
-| string.cpp:459:8:459:9 | string.cpp:450:18:450:23 | AST only |
 | string.cpp:471:10:471:15 | string.cpp:466:18:466:23 | AST only |
-| string.cpp:472:8:472:8 | string.cpp:466:18:466:23 | AST only |
 | string.cpp:474:11:474:16 | string.cpp:466:18:466:23 | AST only |
-| string.cpp:475:8:475:9 | string.cpp:466:18:466:23 | AST only |
 | string.cpp:487:10:487:15 | string.cpp:482:18:482:23 | AST only |
-| string.cpp:488:8:488:8 | string.cpp:482:18:482:23 | AST only |
-| string.cpp:491:8:491:9 | string.cpp:482:18:482:23 | AST only |
-| string.cpp:504:7:504:8 | string.cpp:497:14:497:19 | AST only |
-| string.cpp:506:7:506:8 | string.cpp:497:14:497:19 | AST only |
 | string.cpp:515:9:515:13 | string.cpp:514:14:514:28 | AST only |
 | string.cpp:516:9:516:12 | string.cpp:514:14:514:28 | AST only |
 | string.cpp:529:11:529:11 | string.cpp:529:20:529:25 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -53,18 +53,75 @@
 | standalone_iterators.cpp:40:10:40:10 | call to operator* | standalone_iterators.cpp:39:45:39:51 | source1 |
 | standalone_iterators.cpp:46:10:46:10 | call to operator* | standalone_iterators.cpp:45:39:45:45 | source1 |
 | string.cpp:28:7:28:7 | a | string.cpp:24:12:24:17 | call to source |
+| string.cpp:30:7:30:7 | Argument 0 indirection | string.cpp:26:16:26:21 | call to source |
 | string.cpp:55:7:55:8 | cs | string.cpp:50:19:50:24 | call to source |
+| string.cpp:56:7:56:8 | Argument 0 indirection | string.cpp:50:19:50:24 | call to source |
+| string.cpp:70:7:70:8 | Argument 0 indirection | string.cpp:61:19:61:24 | call to source |
+| string.cpp:92:8:92:9 | Argument 0 indirection | string.cpp:87:18:87:23 | call to source |
+| string.cpp:93:8:93:9 | Argument 0 indirection | string.cpp:88:20:88:25 | call to source |
 | string.cpp:94:8:94:9 | Argument 0 indirection | string.cpp:90:8:90:13 | call to source |
+| string.cpp:113:8:113:9 | Argument 0 indirection | string.cpp:109:32:109:37 | call to source |
 | string.cpp:114:8:114:9 | Argument 0 indirection | string.cpp:111:20:111:25 | call to source |
+| string.cpp:121:8:121:8 | c | string.cpp:119:16:119:21 | call to source |
+| string.cpp:125:8:125:8 | call to operator* | string.cpp:119:16:119:21 | call to source |
+| string.cpp:125:8:125:11 | (reference dereference) | string.cpp:119:16:119:21 | call to source |
+| string.cpp:129:8:129:8 | (reference dereference) | string.cpp:119:16:119:21 | call to source |
+| string.cpp:129:8:129:8 | c | string.cpp:119:16:119:21 | call to source |
+| string.cpp:134:8:134:8 | (reference dereference) | string.cpp:132:28:132:33 | call to source |
+| string.cpp:134:8:134:8 | c | string.cpp:132:28:132:33 | call to source |
+| string.cpp:144:11:144:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
+| string.cpp:145:11:145:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
+| string.cpp:146:11:146:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
 | string.cpp:149:11:149:11 | call to operator+ | string.cpp:149:13:149:18 | call to source |
+| string.cpp:158:8:158:9 | Argument 0 indirection | string.cpp:154:18:154:23 | call to source |
+| string.cpp:162:8:162:9 | Argument 0 indirection | string.cpp:154:18:154:23 | call to source |
 | string.cpp:167:8:167:9 | Argument 0 indirection | string.cpp:165:14:165:19 | call to source |
+| string.cpp:171:8:171:9 | Argument 0 indirection | string.cpp:154:18:154:23 | call to source |
 | string.cpp:176:8:176:9 | Argument 0 indirection | string.cpp:174:13:174:18 | call to source |
 | string.cpp:184:8:184:10 | Argument 0 indirection | string.cpp:181:12:181:26 | call to source |
+| string.cpp:199:7:199:8 | Argument 0 indirection | string.cpp:190:17:190:22 | call to source |
 | string.cpp:202:7:202:8 | Argument 0 indirection | string.cpp:191:11:191:25 | call to source |
+| string.cpp:205:7:205:8 | Argument 0 indirection | string.cpp:193:17:193:22 | call to source |
+| string.cpp:220:7:220:8 | Argument 0 indirection | string.cpp:210:17:210:22 | call to source |
+| string.cpp:224:7:224:8 | Argument 0 indirection | string.cpp:210:17:210:22 | call to source |
 | string.cpp:228:7:228:8 | Argument 0 indirection | string.cpp:211:11:211:25 | call to source |
+| string.cpp:243:7:243:8 | Argument 0 indirection | string.cpp:233:17:233:22 | call to source |
+| string.cpp:247:7:247:8 | Argument 0 indirection | string.cpp:233:17:233:22 | call to source |
 | string.cpp:251:7:251:8 | Argument 0 indirection | string.cpp:234:11:234:25 | call to source |
+| string.cpp:264:7:264:8 | Argument 0 indirection | string.cpp:258:17:258:22 | call to source |
+| string.cpp:274:7:274:8 | Argument 0 indirection | string.cpp:269:17:269:22 | call to source |
+| string.cpp:276:7:276:8 | Argument 0 indirection | string.cpp:271:17:271:22 | call to source |
+| string.cpp:281:7:281:8 | Argument 0 indirection | string.cpp:269:17:269:22 | call to source |
+| string.cpp:282:7:282:8 | Argument 0 indirection | string.cpp:269:17:269:22 | call to source |
+| string.cpp:283:7:283:8 | Argument 0 indirection | string.cpp:271:17:271:22 | call to source |
+| string.cpp:284:7:284:8 | Argument 0 indirection | string.cpp:271:17:271:22 | call to source |
+| string.cpp:292:7:292:8 | Argument 0 indirection | string.cpp:288:17:288:22 | call to source |
+| string.cpp:293:7:293:8 | Argument 0 indirection | string.cpp:289:17:289:22 | call to source |
+| string.cpp:294:7:294:8 | Argument 0 indirection | string.cpp:290:17:290:22 | call to source |
+| string.cpp:300:7:300:8 | Argument 0 indirection | string.cpp:288:17:288:22 | call to source |
+| string.cpp:302:7:302:8 | Argument 0 indirection | string.cpp:290:17:290:22 | call to source |
+| string.cpp:322:9:322:14 | call to substr | string.cpp:319:16:319:21 | call to source |
+| string.cpp:362:8:362:9 | Argument 0 indirection | string.cpp:356:18:356:23 | call to source |
+| string.cpp:380:8:380:8 | call to operator* | string.cpp:372:18:372:23 | call to source |
+| string.cpp:380:8:380:14 | (reference dereference) | string.cpp:372:18:372:23 | call to source |
+| string.cpp:381:13:381:13 | call to operator[] | string.cpp:372:18:372:23 | call to source |
+| string.cpp:381:13:381:15 | (reference dereference) | string.cpp:372:18:372:23 | call to source |
+| string.cpp:402:8:402:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
+| string.cpp:402:8:402:11 | (reference dereference) | string.cpp:387:18:387:23 | call to source |
+| string.cpp:405:8:405:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
+| string.cpp:405:8:405:11 | (reference dereference) | string.cpp:387:18:387:23 | call to source |
+| string.cpp:413:8:413:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
+| string.cpp:413:8:413:11 | (reference dereference) | string.cpp:387:18:387:23 | call to source |
 | string.cpp:428:7:428:8 | Argument 0 indirection | string.cpp:422:14:422:19 | call to source |
 | string.cpp:443:8:443:8 | Argument 0 indirection | string.cpp:442:32:442:46 | call to source |
+| string.cpp:456:8:456:8 | Argument 0 indirection | string.cpp:450:18:450:23 | call to source |
+| string.cpp:459:8:459:9 | Argument 0 indirection | string.cpp:450:18:450:23 | call to source |
+| string.cpp:472:8:472:8 | Argument 0 indirection | string.cpp:466:18:466:23 | call to source |
+| string.cpp:475:8:475:9 | Argument 0 indirection | string.cpp:466:18:466:23 | call to source |
+| string.cpp:488:8:488:8 | Argument 0 indirection | string.cpp:482:18:482:23 | call to source |
+| string.cpp:491:8:491:9 | Argument 0 indirection | string.cpp:482:18:482:23 | call to source |
+| string.cpp:504:7:504:8 | Argument 0 indirection | string.cpp:497:14:497:19 | call to source |
+| string.cpp:506:7:506:8 | Argument 0 indirection | string.cpp:497:14:497:19 | call to source |
 | string.cpp:535:8:535:8 | Argument 0 indirection | string.cpp:529:20:529:25 | call to source |
 | string.cpp:537:8:537:8 | Argument 0 indirection | string.cpp:531:15:531:20 | call to source |
 | string.cpp:555:8:555:8 | Argument 0 indirection | string.cpp:549:27:549:32 | call to source |

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,11 @@ class StdStringConstructor extends Constructor, TaintFunction {`
`47`	`47`	`input.isParameterDeref(getAStringParameterIndex()) or`
`48`	`48`	`input.isParameter(getAnIteratorParameterIndex())`
`49`	`49`	`) and`
`50`		- output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
	`50`	`+ (`
	`51`	+ output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
	`52`	`+ or`
	`53`	`+ output.isQualifierObject()`
	`54`	`+ )`
`51`	`55`	`}`
`52`	`56`	`}`
`53`	`57`