Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -31,9 +31,19 @@ private class PrimaryArgumentNode extends ArgumentNode {
   override predicate argumentOf(DataFlowCall call, int pos) { op = call.getArgumentOperand(pos) }
 
   override string toString() {
-    result = "Argument " + op.(PositionalArgumentOperand).getIndex()
+    exists(Expr unconverted |
+      unconverted = op.getDef().getUnconvertedResultExpression() and
+      result = unconverted.toString()
+    )
     or
-    op instanceof ThisArgumentOperand and result = "This argument"
+    // Certain instructions don't map to an unconverted result expression. For these cases
+    // we fall back to a simpler naming scheme. This can happen in IR-generated constructors.
+    not exists(op.getDef().getUnconvertedResultExpression()) and
+    (
+      result = "Argument " + op.(PositionalArgumentOperand).getIndex()
+      or
+      op instanceof ThisArgumentOperand and result = "Argument this"
+    )
   }
 }
 
@@ -52,7 +62,18 @@ private class SideEffectArgumentNode extends ArgumentNode {
     pos = getArgumentPosOfSideEffect(read.getIndex())
   }
 
-  override string toString() { result = "Argument " + read.getIndex() + " indirection" }
+  override string toString() {
+    result = read.getArgumentDef().getUnconvertedResultExpression().toString() + " indirection"
+    or
+    // Some instructions don't map to an unconverted result expression. For these cases
+    // we fall back to a simpler naming scheme. This can happen in IR-generated constructors.
+    not exists(read.getArgumentDef().getUnconvertedResultExpression()) and
+    (
+      if read.getIndex() = -1
+      then result = "Argument this indirection"
+      else result = "Argument " + read.getIndex() + " indirection"
+    )
+  }
 }
 
 private newtype TReturnKind =

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -658,14 +658,18 @@ newtype TTranslatedElement =
         t instanceof ReferenceType
       ) and
       (
-        isWrite = true or
+        isWrite = true and
+        not call.getTarget().getParameter(n).getType().isDeeplyConstBelow()
+        or
         isWrite = false
       )
       or
       not call.getTarget() instanceof SideEffectFunction and
       n = -1 and
       (
-        isWrite = true or
+        isWrite = true and
+        not call.getTarget() instanceof ConstMemberFunction
+        or
         isWrite = false
       )
     ) and

cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected

@@ -1492,12 +1492,8 @@ postWithInFlow
 | cpp11.cpp:65:19:65:45 | Store | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:82:17:82:55 | Chi | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:82:17:82:55 | Chi | PostUpdateNode should not be the target of local flow. |
-| cpp11.cpp:82:45:82:48 | Chi | PostUpdateNode should not be the target of local flow. |
 | defdestructordeleteexpr.cpp:4:9:4:15 | Chi | PostUpdateNode should not be the target of local flow. |
 | deleteexpr.cpp:7:9:7:15 | Chi | PostUpdateNode should not be the target of local flow. |
-| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
-| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
-| file://:0:0:0:0 | Chi | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:177:5:177:12 | Chi | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:178:5:178:12 | Chi | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:183:5:183:12 | Chi | PostUpdateNode should not be the target of local flow. |

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -12,18 +12,18 @@ edges
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | Argument 1 indirection |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
-| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | Argument 0 |
-| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | Argument 0 |
-| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | Argument 0 indirection |
-| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | Argument 0 indirection |
-| search.c:51:21:51:26 | call to getenv | search.c:57:5:57:15 | Argument 0 |
-| search.c:51:21:51:26 | call to getenv | search.c:57:5:57:15 | Argument 0 |
-| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | Argument 0 indirection |
-| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | Argument 0 indirection |
-| search.c:55:5:55:15 | Argument 0 | search.c:14:24:14:28 | query |
-| search.c:55:17:55:25 | Argument 0 indirection | search.c:14:24:14:28 | *query |
-| search.c:57:5:57:15 | Argument 0 | search.c:22:24:22:28 | query |
-| search.c:57:17:57:25 | Argument 0 indirection | search.c:22:24:22:28 | *query |
+| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
+| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
+| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection |
+| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection |
+| search.c:51:21:51:26 | call to getenv | search.c:57:5:57:15 | raw_query |
+| search.c:51:21:51:26 | call to getenv | search.c:57:5:57:15 | raw_query |
+| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query indirection |
+| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query indirection |
+| search.c:55:5:55:15 | raw_query | search.c:14:24:14:28 | query |
+| search.c:55:17:55:25 | raw_query indirection | search.c:14:24:14:28 | *query |
+| search.c:57:5:57:15 | raw_query | search.c:22:24:22:28 | query |
+| search.c:57:17:57:25 | raw_query indirection | search.c:22:24:22:28 | *query |
 nodes
 | search.c:14:24:14:28 | *query | semmle.label | *query |
 | search.c:14:24:14:28 | query | semmle.label | query |
@@ -43,10 +43,10 @@ nodes
 | search.c:23:39:23:43 | query | semmle.label | query |
 | search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
 | search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
-| search.c:55:5:55:15 | Argument 0 | semmle.label | Argument 0 |
-| search.c:55:17:55:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
-| search.c:57:5:57:15 | Argument 0 | semmle.label | Argument 0 |
-| search.c:57:17:57:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| search.c:55:5:55:15 | raw_query | semmle.label | raw_query |
+| search.c:55:17:55:25 | raw_query indirection | semmle.label | raw_query indirection |
+| search.c:57:5:57:15 | raw_query | semmle.label | raw_query |
+| search.c:57:17:57:25 | raw_query indirection | semmle.label | raw_query indirection |
 #select
 | search.c:17:8:17:12 | query | search.c:51:21:51:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
 | search.c:23:39:23:43 | query | search.c:51:21:51:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |

cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected

@@ -11,18 +11,18 @@ edges
 | test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | Argument 0 indirection |
 | test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
 | test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
-| test.cpp:42:7:42:16 | Argument 0 | test.cpp:24:30:24:36 | command |
-| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:7:42:16 | Argument 0 |
-| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | Argument 0 indirection |
-| test.cpp:42:18:42:34 | (const char *)... | test.cpp:42:7:42:16 | Argument 0 |
-| test.cpp:42:18:42:34 | (const char *)... | test.cpp:42:18:42:34 | Argument 0 indirection |
-| test.cpp:42:18:42:34 | Argument 0 indirection | test.cpp:24:30:24:36 | *command |
-| test.cpp:43:7:43:16 | Argument 0 | test.cpp:29:30:29:36 | command |
-| test.cpp:43:18:43:23 | call to getenv | test.cpp:43:7:43:16 | Argument 0 |
-| test.cpp:43:18:43:23 | call to getenv | test.cpp:43:18:43:34 | Argument 0 indirection |
-| test.cpp:43:18:43:34 | (const char *)... | test.cpp:43:7:43:16 | Argument 0 |
-| test.cpp:43:18:43:34 | (const char *)... | test.cpp:43:18:43:34 | Argument 0 indirection |
-| test.cpp:43:18:43:34 | Argument 0 indirection | test.cpp:29:30:29:36 | *command |
+| test.cpp:42:7:42:16 | call to getenv | test.cpp:24:30:24:36 | command |
+| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:7:42:16 | call to getenv |
+| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | call to getenv indirection |
+| test.cpp:42:18:42:34 | (const char *)... | test.cpp:42:7:42:16 | call to getenv |
+| test.cpp:42:18:42:34 | (const char *)... | test.cpp:42:18:42:34 | call to getenv indirection |
+| test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:24:30:24:36 | *command |
+| test.cpp:43:7:43:16 | call to getenv | test.cpp:29:30:29:36 | command |
+| test.cpp:43:18:43:23 | call to getenv | test.cpp:43:7:43:16 | call to getenv |
+| test.cpp:43:18:43:23 | call to getenv | test.cpp:43:18:43:34 | call to getenv indirection |
+| test.cpp:43:18:43:34 | (const char *)... | test.cpp:43:7:43:16 | call to getenv |
+| test.cpp:43:18:43:34 | (const char *)... | test.cpp:43:18:43:34 | call to getenv indirection |
+| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | *command |
 | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | (const char *)... |
 | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | Argument 0 indirection |
 | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
@@ -62,14 +62,14 @@ nodes
 | test.cpp:31:10:31:16 | command | semmle.label | command |
 | test.cpp:31:10:31:16 | command | semmle.label | command |
 | test.cpp:31:10:31:16 | command | semmle.label | command |
-| test.cpp:42:7:42:16 | Argument 0 | semmle.label | Argument 0 |
+| test.cpp:42:7:42:16 | call to getenv | semmle.label | call to getenv |
 | test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:42:18:42:34 | Argument 0 indirection | semmle.label | Argument 0 indirection |
-| test.cpp:43:7:43:16 | Argument 0 | semmle.label | Argument 0 |
+| test.cpp:42:18:42:34 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:43:7:43:16 | call to getenv | semmle.label | call to getenv |
 | test.cpp:43:18:43:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:43:18:43:34 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:43:18:43:34 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| test.cpp:43:18:43:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:56:12:56:17 | buffer | semmle.label | buffer |
 | test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument |
 | test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |