C++: Implement Argument + Parameter indirection.

2026-04-27 17:55:19 +02:00 · 2024-03-14 18:38:42 +00:00
parent 638bfff09d
commit 14deb06e80
4 changed files with 38 additions and 20 deletions
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -52,25 +52,33 @@ module Input implements InputSig<DataFlowImplSpecific::CppDataFlow> {

  bindingset[token]
  ParameterPosition decodeUnknownParameterPosition(AccessPath::AccessPathTokenBase token) {
-    // needed to support `Argument[x..y]` ranges and `Argument[-1]`
-    token.getName() = "Argument" and
-    exists(int pos | pos = AccessPath::parseInt(token.getAnArgument()) |
-      pos >= 0 and result = TDirectPosition(pos)
-      or
-      // `Argument[-1]` is the qualifier object `*this`, not the `this` pointer itself
-      pos = -1 and result = TIndirectionPosition(pos, 1)
+    // needed to support `Argument[x..y]` ranges, `Argument[-1]`, and indirections `*Argument[0]`.
+    exists(int indirection |
+      token.getName() = indirectionString(indirection) + "Argument" and
+      exists(int pos | pos = AccessPath::parseInt(token.getAnArgument()) |
+        pos >= 0 and indirection = 0 and result = TDirectPosition(pos)
+        or
+        pos >= 0 and indirection > 0 and result = TIndirectionPosition(pos, indirection)
+        or
+        // `Argument[-1]` is the qualifier object `*this`, not the `this` pointer itself
+        pos = -1 and result = TIndirectionPosition(pos, indirection + 1)
+      )
    )
  }

  bindingset[token]
  ArgumentPosition decodeUnknownArgumentPosition(AccessPath::AccessPathTokenBase token) {
-    // needed to support `Parameter[x..y]` ranges and `Parameter[-1]`
-    token.getName() = "Parameter" and
-    exists(int pos | pos = AccessPath::parseInt(token.getAnArgument()) |
-      pos >= 0 and result = TDirectPosition(pos)
-      or
-      // `Argument[-1]` is the qualifier object `*this`, not the `this` pointer itself
-      pos = -1 and result = TIndirectionPosition(pos, 1)
+    // needed to support `Argument[x..y]` ranges, `Argument[-1]`, and indirections `*Argument[0]`.
+    exists(int indirection |
+      token.getName() = indirectionString(indirection) + "Parameter" and
+      exists(int pos | pos = AccessPath::parseInt(token.getAnArgument()) |
+        pos >= 0 and indirection = 0 and result = TDirectPosition(pos)
+        or
+        pos >= 0 and indirection > 0 and result = TIndirectionPosition(pos, indirection)
+        or
+        // `Argument[-1]` is the qualifier object `*this`, not the `this` pointer itself
+        pos = -1 and result = TIndirectionPosition(pos, indirection + 1)
+      )
    )
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -455,7 +455,7 @@ class IndirectionPosition extends Position, TIndirectionPosition {
 }

 newtype TPosition =
-  TDirectPosition(int index) { exists(any(CallInstruction c).getArgument(index)) } or
+  TDirectPosition(int argumentIndex) { exists(any(CallInstruction c).getArgument(argumentIndex)) } or
  TIndirectionPosition(int argumentIndex, int indirectionIndex) {
    Ssa::hasIndirectOperand(any(CallInstruction call).getArgumentOperand(argumentIndex),
      indirectionIndex)