C++: Add DefinitionByReferenceNode.getParameter

This commits also adds a test that uses `getParameter`. The new tests
demonstrate that support for array-to-pointer decay works, but we get
data flow to the array rather than its contents.

Author: jbj

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -121,6 +121,13 @@ class DefinitionByReferenceNode extends Node, TDefinitionByReferenceNode {
   override Location getLocation() { result = argument.getLocation() }
   /** Gets the argument corresponding to this node. */
   Expr getArgument() { result = argument }
+  /** Gets the parameter through which this value is assigned. */
+  Parameter getParameter() {
+    exists(FunctionCall call, int i |
+      argument = call.getArgument(i) and
+      result = call.getTarget().getParameter(i)
+    )
+  }
 }
 
 /**

cpp/ql/test/library-tests/dataflow/dataflow-tests/DataflowTestCommon.qll

@@ -12,6 +12,8 @@ class TestAllocationConfig extends DataFlow::Configuration {
     or
     source.asParameter().getName().matches("source%")
     or
+    source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
+    or
     // Track uninitialized variables
     exists(source.asUninitialized())
   }

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -455,3 +455,39 @@ void cleanedByMemcpy_blockvar(int clean1) {
   memcpy(&tmp, &clean1, sizeof tmp);
   sink(tmp); // clean
 }
+
+void intRefSource(int &ref_source);
+void intPointerSource(int *ref_source);
+void intArraySource(int ref_source[], size_t len);
+
+void intRefSourceCaller() {
+  int local;
+  intRefSource(local);
+  sink(local); // tainted
+}
+
+void intPointerSourceCaller() {
+  int local;
+  intPointerSource(&local);
+  sink(local); // tainted
+}
+
+void intPointerSourceCaller2() {
+  int local[1];
+  intPointerSource(local);
+  sink(local); // tainted
+  sink(*local); // clean
+}
+
+void intArraySourceCaller() {
+  int local;
+  intArraySource(&local, 1);
+  sink(local); // tainted
+}
+
+void intArraySourceCaller2() {
+  int local[2];
+  intArraySource(local, 2);
+  sink(local); // tainted
+  sink(*local); // clean
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected

@@ -30,6 +30,11 @@
 | test.cpp:433:8:433:10 | tmp | test.cpp:430:48:430:54 | source1 |
 | test.cpp:440:8:440:10 | tmp | test.cpp:436:53:436:59 | source1 |
 | test.cpp:442:10:442:12 | tmp | test.cpp:436:53:436:59 | source1 |
+| test.cpp:466:8:466:12 | local | test.cpp:465:16:465:20 | ref arg local |
+| test.cpp:472:8:472:12 | local | test.cpp:471:20:471:25 | ref arg & ... |
+| test.cpp:478:8:478:12 | local | test.cpp:477:20:477:24 | ref arg local |
+| test.cpp:485:8:485:12 | local | test.cpp:484:18:484:23 | ref arg & ... |
+| test.cpp:491:8:491:12 | local | test.cpp:490:18:490:22 | ref arg local |
 | true_upon_entry.cpp:21:8:21:8 | x | true_upon_entry.cpp:17:11:17:16 | call to source |
 | true_upon_entry.cpp:29:8:29:8 | x | true_upon_entry.cpp:27:9:27:14 | call to source |
 | true_upon_entry.cpp:39:8:39:8 | x | true_upon_entry.cpp:33:11:33:16 | call to source |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected

@@ -12,6 +12,11 @@
 | test.cpp:430:48:430:54 | test.cpp:433:8:433:10 | AST only |
 | test.cpp:436:53:436:59 | test.cpp:440:8:440:10 | AST only |
 | test.cpp:436:53:436:59 | test.cpp:442:10:442:12 | AST only |
+| test.cpp:465:16:465:20 | test.cpp:466:8:466:12 | AST only |
+| test.cpp:471:20:471:25 | test.cpp:472:8:472:12 | AST only |
+| test.cpp:477:20:477:24 | test.cpp:478:8:478:12 | AST only |
+| test.cpp:484:18:484:23 | test.cpp:485:8:485:12 | AST only |
+| test.cpp:490:18:490:22 | test.cpp:491:8:491:12 | AST only |
 | true_upon_entry.cpp:9:11:9:16 | true_upon_entry.cpp:13:8:13:8 | IR only |
 | true_upon_entry.cpp:62:11:62:16 | true_upon_entry.cpp:66:8:66:8 | IR only |
 | true_upon_entry.cpp:98:11:98:16 | true_upon_entry.cpp:105:8:105:8 | IR only |