C++: Use variableAccessedAsValue in LargeParameter

jbj · geoffw0 · commit 9d15e67f3c3b · 2019-05-01T13:58:55.000+01:00
Using `variableAccessedAsValue` fixes a FP because we can now
distinguish modifications to the parameter from modifications to data
_reachable from_ the parameter.
diff --git a/cpp/ql/src/Critical/LargeParameter.ql b/cpp/ql/src/Critical/LargeParameter.ql
@@ -22,12 +22,12 @@ where f.getAParameter() = p
   and not f instanceof CopyAssignmentOperator
   // exception: p is written to, which may mean the copy is intended
   and not p.getAnAccess().isAddressOfAccessNonConst()
-  and not exists(Access a |
-    a.getTarget() = p and
+  and not exists(Expr e |
+    variableAccessedAsValue(p.getAnAccess(), e.getFullyConverted()) and
     (
-      exists(Assignment an | an.getLValue().getAChild*() = a) or
-      exists(CrementOperation co | co.getOperand().getAChild*() = a) or
-      exists(FunctionCall fc | fc.getQualifier().getAChild*() = a and not fc.getTarget().hasSpecifier("const"))
+      exists(Assignment an | an.getLValue() = e) or
+      exists(CrementOperation co | co.getOperand() = e) or
+      exists(FunctionCall fc | fc.getQualifier() = e and not fc.getTarget().hasSpecifier("const"))
     )
   )
   // if there's no block, we can't tell how the parameter is used
diff --git a/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.expected b/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.expected
@@ -7,3 +7,4 @@
 | test.cpp:107:16:107:16 | d | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
 | test.cpp:108:16:108:16 | e | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
 | test.cpp:109:16:109:16 | f | This parameter of type $@ is 4100 bytes - consider passing a const pointer/reference instead. | test.cpp:58:8:58:19 | MyLargeClass | MyLargeClass |
+| test.cpp:161:7:161:7 | b | This parameter of type $@ is 3208 bytes - consider passing a const pointer/reference instead. | test.cpp:153:8:153:10 | big | big |
diff --git a/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp b/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp
@@ -158,7 +158,7 @@ struct big
 
 void myFunction7(
 		big a, // GOOD
-		big b // BAD [NOT DETECTED]
+		big b // BAD
 	)
 {
 	a.xs[0]++; // modifies a

Original file line number	Diff line number	Diff line change
`@@ -22,12 +22,12 @@ where f.getAParameter() = p`
`22`	`22`	`and not f instanceof CopyAssignmentOperator`
`23`	`23`	`// exception: p is written to, which may mean the copy is intended`
`24`	`24`	`and not p.getAnAccess().isAddressOfAccessNonConst()`
`25`		`- and not exists(Access a \|`
`26`		`- a.getTarget() = p and`
	`25`	`+ and not exists(Expr e \|`
	`26`	`+ variableAccessedAsValue(p.getAnAccess(), e.getFullyConverted()) and`
`27`	`27`	`(`
`28`		`- exists(Assignment an \| an.getLValue().getAChild*() = a) or`
`29`		`- exists(CrementOperation co \| co.getOperand().getAChild*() = a) or`
`30`		`- exists(FunctionCall fc \| fc.getQualifier().getAChild*() = a and not fc.getTarget().hasSpecifier("const"))`
	`28`	`+ exists(Assignment an \| an.getLValue() = e) or`
	`29`	`+ exists(CrementOperation co \| co.getOperand() = e) or`
	`30`	`+ exists(FunctionCall fc \| fc.getQualifier() = e and not fc.getTarget().hasSpecifier("const"))`
`31`	`31`	`)`
`32`	`32`	`)`
`33`	`33`	`// if there's no block, we can't tell how the parameter is used`
Original file line number	Diff line number	Diff line change
`@@ -158,7 +158,7 @@ struct big`
`158`	`158`
`159`	`159`	`void myFunction7(`
`160`	`160`	`big a, // GOOD`
`161`		`- big b // BAD [NOT DETECTED]`
	`161`	`+ big b // BAD`
`162`	`162`	`)`
`163`	`163`	`{`
`164`	`164`	`a.xs[0]++; // modifies a`