Merge branch 'main' into mathiasvp/read-step-without-memory-operands

2026-05-03 04:39:29 +02:00 · 2020-09-04 18:04:15 +02:00
parent ed7e499b02 eea893483d
commit 208b85c7fc
11 changed files with 368 additions and 33 deletions
--- a/Practices/Hiding/DeclarationHidesParameter.ql
+++ b/Practices/Hiding/DeclarationHidesParameter.ql
@@ -11,6 +11,17 @@

 import cpp

+/**
+ * Gets the template that a function `f` is constructed from, or just `f` if it
+ * is not from a template instantiation.
+ */
+Function getConstructedFrom(Function f) {
+  f.isConstructedFrom(result)
+  or
+  not f.isConstructedFrom(_) and
+  result = f
+}
+
 /**
 * Gets the parameter of `f` with name `name`, which has to come from the
 * _definition_ of `f` and not a prototype declaration.
@@ -18,13 +29,17 @@ import cpp
 * This should not happen in a single application but since we
 * have a system wide view it is likely to happen for instance for
 * the main function.
+ *
+ * Note: we use `getConstructedFrom` to ensure that we look at template
+ * functions rather than their instantiations. We get better results this way
+ * as the instantiation is artificial and may have inherited parameter names
+ * from the declaration rather than the definition.
 */
 ParameterDeclarationEntry functionParameterNames(Function f, string name) {
  exists(FunctionDeclarationEntry fe |
    result.getFunctionDeclarationEntry() = fe and
-    fe.getFunction() = f and
+    getConstructedFrom(f).getDefinition() = fe and
    fe.getLocation() = f.getDefinitionLocation() and
-    result.getFile() = fe.getFile() and // Work around CPP-331
    strictcount(f.getDefinitionLocation()) = 1 and
    result.getName() = name
  )
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -1,6 +1,6 @@
 /**
 * Provides implementation classes modeling `std::string` and other
- * instantiations of`std::basic_string`. See `semmle.code.cpp.models.Models`
+ * instantiations of `std::basic_string`. See `semmle.code.cpp.models.Models`
 * for usage information.
 */

@@ -82,6 +82,32 @@ class StdStringData extends TaintFunction {
  }
 }

+/**
+ * The `std::string` function `push_back`.
+ */
+class StdStringPush extends TaintFunction {
+  StdStringPush() { this.hasQualifiedName("std", "basic_string", "push_back") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to qualifier
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The `std::string` functions `front` and `back`.
+ */
+class StdStringFrontBack extends TaintFunction {
+  StdStringFrontBack() { this.hasQualifiedName("std", "basic_string", ["front", "back"]) }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from object to returned reference
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+}
+
 /**
 * The `std::string` function `operator+`.
 */
@@ -138,6 +164,11 @@ class StdStringAppend extends TaintFunction {
      output.isQualifierObject() or
      output.isReturnValueDeref()
    )
+    or
+    // reverse flow from returned reference to the qualifier (for writes to
+    // the result)
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
  }
 }

@@ -173,6 +204,11 @@ class StdStringAssign extends TaintFunction {
      output.isQualifierObject() or
      output.isReturnValueDeref()
    )
+    or
+    // reverse flow from returned reference to the qualifier (for writes to
+    // the result)
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
  }
 }

--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -461,12 +461,12 @@
 | standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:53:12:53:18 | source1 |  |
 | standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:54:14:54:20 | source1 |  |
 | standalone_iterators.cpp:53:12:53:18 | ref arg source1 | standalone_iterators.cpp:54:14:54:20 | source1 |  |
-| stl.h:172:30:172:40 | call to allocator | stl.h:172:21:172:41 | noexcept(...) | TAINT |
-| stl.h:172:30:172:40 | call to allocator | stl.h:172:21:172:41 | noexcept(...) | TAINT |
-| stl.h:172:30:172:40 | call to allocator | stl.h:172:21:172:41 | noexcept(...) | TAINT |
-| stl.h:172:30:172:40 | call to allocator | stl.h:172:21:172:41 | noexcept(...) | TAINT |
-| stl.h:172:30:172:40 | call to allocator | stl.h:172:21:172:41 | noexcept(...) | TAINT |
-| stl.h:172:53:172:63 | 0 | stl.h:172:46:172:64 | (no string representation) | TAINT |
+| stl.h:179:30:179:40 | call to allocator | stl.h:179:21:179:41 | noexcept(...) | TAINT |
+| stl.h:179:30:179:40 | call to allocator | stl.h:179:21:179:41 | noexcept(...) | TAINT |
+| stl.h:179:30:179:40 | call to allocator | stl.h:179:21:179:41 | noexcept(...) | TAINT |
+| stl.h:179:30:179:40 | call to allocator | stl.h:179:21:179:41 | noexcept(...) | TAINT |
+| stl.h:179:30:179:40 | call to allocator | stl.h:179:21:179:41 | noexcept(...) | TAINT |
+| stl.h:179:53:179:63 | 0 | stl.h:179:46:179:64 | (no string representation) | TAINT |
 | string.cpp:24:12:24:17 | call to source | string.cpp:28:7:28:7 | a |  |
 | string.cpp:25:16:25:20 | 123 | string.cpp:25:16:25:21 | call to basic_string | TAINT |
 | string.cpp:25:16:25:21 | call to basic_string | string.cpp:29:7:29:7 | b |  |
@@ -624,32 +624,32 @@
 | string.cpp:153:18:153:23 | call to basic_string | string.cpp:173:8:173:9 | s3 |  |
 | string.cpp:154:18:154:23 | call to source | string.cpp:154:18:154:26 | call to basic_string | TAINT |
 | string.cpp:154:18:154:26 | call to basic_string | string.cpp:157:13:157:14 | s4 |  |
-| string.cpp:154:18:154:26 | call to basic_string | string.cpp:161:9:161:10 | s4 |  |
+| string.cpp:154:18:154:26 | call to basic_string | string.cpp:161:14:161:15 | s4 |  |
 | string.cpp:154:18:154:26 | call to basic_string | string.cpp:170:13:170:14 | s4 |  |
 | string.cpp:157:8:157:9 | s3 | string.cpp:157:11:157:11 | call to operator+ | TAINT |
 | string.cpp:157:11:157:11 | call to operator+ | string.cpp:157:3:157:14 | ... = ... |  |
 | string.cpp:157:11:157:11 | call to operator+ | string.cpp:158:8:158:9 | s5 |  |
 | string.cpp:157:13:157:14 | s4 | string.cpp:157:11:157:11 | call to operator+ | TAINT |
 | string.cpp:160:8:160:9 | s3 | string.cpp:160:3:160:9 | ... = ... |  |
-| string.cpp:160:8:160:9 | s3 | string.cpp:161:3:161:4 | s6 |  |
+| string.cpp:160:8:160:9 | s3 | string.cpp:161:8:161:9 | s6 |  |
 | string.cpp:160:8:160:9 | s3 | string.cpp:162:8:162:9 | s6 |  |
-| string.cpp:161:3:161:4 | ref arg s6 | string.cpp:162:8:162:9 | s6 |  |
-| string.cpp:161:3:161:4 | s6 | string.cpp:161:6:161:6 | call to operator+= | TAINT |
-| string.cpp:161:9:161:10 | s4 | string.cpp:161:3:161:4 | ref arg s6 | TAINT |
-| string.cpp:161:9:161:10 | s4 | string.cpp:161:6:161:6 | call to operator+= | TAINT |
+| string.cpp:161:8:161:9 | ref arg s6 | string.cpp:162:8:162:9 | s6 |  |
+| string.cpp:161:8:161:9 | s6 | string.cpp:161:11:161:11 | call to operator+= | TAINT |
+| string.cpp:161:14:161:15 | s4 | string.cpp:161:8:161:9 | ref arg s6 | TAINT |
+| string.cpp:161:14:161:15 | s4 | string.cpp:161:11:161:11 | call to operator+= | TAINT |
 | string.cpp:164:8:164:9 | s3 | string.cpp:164:3:164:9 | ... = ... |  |
-| string.cpp:164:8:164:9 | s3 | string.cpp:165:3:165:4 | s7 |  |
-| string.cpp:164:8:164:9 | s3 | string.cpp:166:3:166:4 | s7 |  |
+| string.cpp:164:8:164:9 | s3 | string.cpp:165:8:165:9 | s7 |  |
+| string.cpp:164:8:164:9 | s3 | string.cpp:166:8:166:9 | s7 |  |
 | string.cpp:164:8:164:9 | s3 | string.cpp:167:8:167:9 | s7 |  |
-| string.cpp:165:3:165:4 | ref arg s7 | string.cpp:166:3:166:4 | s7 |  |
-| string.cpp:165:3:165:4 | ref arg s7 | string.cpp:167:8:167:9 | s7 |  |
-| string.cpp:165:3:165:4 | s7 | string.cpp:165:6:165:6 | call to operator+= | TAINT |
-| string.cpp:165:9:165:14 | call to source | string.cpp:165:3:165:4 | ref arg s7 | TAINT |
-| string.cpp:165:9:165:14 | call to source | string.cpp:165:6:165:6 | call to operator+= | TAINT |
-| string.cpp:166:3:166:4 | ref arg s7 | string.cpp:167:8:167:9 | s7 |  |
-| string.cpp:166:3:166:4 | s7 | string.cpp:166:6:166:6 | call to operator+= | TAINT |
-| string.cpp:166:9:166:11 |   | string.cpp:166:3:166:4 | ref arg s7 | TAINT |
-| string.cpp:166:9:166:11 |   | string.cpp:166:6:166:6 | call to operator+= | TAINT |
+| string.cpp:165:8:165:9 | ref arg s7 | string.cpp:166:8:166:9 | s7 |  |
+| string.cpp:165:8:165:9 | ref arg s7 | string.cpp:167:8:167:9 | s7 |  |
+| string.cpp:165:8:165:9 | s7 | string.cpp:165:11:165:11 | call to operator+= | TAINT |
+| string.cpp:165:14:165:19 | call to source | string.cpp:165:8:165:9 | ref arg s7 | TAINT |
+| string.cpp:165:14:165:19 | call to source | string.cpp:165:11:165:11 | call to operator+= | TAINT |
+| string.cpp:166:8:166:9 | ref arg s7 | string.cpp:167:8:167:9 | s7 |  |
+| string.cpp:166:8:166:9 | s7 | string.cpp:166:11:166:11 | call to operator+= | TAINT |
+| string.cpp:166:14:166:16 |   | string.cpp:166:8:166:9 | ref arg s7 | TAINT |
+| string.cpp:166:14:166:16 |   | string.cpp:166:11:166:11 | call to operator+= | TAINT |
 | string.cpp:169:8:169:9 | s3 | string.cpp:169:3:169:9 | ... = ... |  |
 | string.cpp:169:8:169:9 | s3 | string.cpp:170:3:170:4 | s8 |  |
 | string.cpp:169:8:169:9 | s3 | string.cpp:171:8:171:9 | s8 |  |
@@ -1237,6 +1237,125 @@
 | string.cpp:501:29:501:30 | ref arg s2 | string.cpp:504:7:504:8 | s2 |  |
 | string.cpp:501:29:501:30 | s2 | string.cpp:501:32:501:34 | call to end | TAINT |
 | string.cpp:501:32:501:34 | call to end | string.cpp:501:17:501:37 | call to basic_string | TAINT |
+| string.cpp:510:16:510:19 | aa | string.cpp:510:16:510:20 | call to basic_string | TAINT |
+| string.cpp:510:16:510:20 | call to basic_string | string.cpp:512:7:512:7 | a |  |
+| string.cpp:510:16:510:20 | call to basic_string | string.cpp:513:7:513:7 | a |  |
+| string.cpp:510:16:510:20 | call to basic_string | string.cpp:514:2:514:2 | a |  |
+| string.cpp:510:16:510:20 | call to basic_string | string.cpp:515:7:515:7 | a |  |
+| string.cpp:510:16:510:20 | call to basic_string | string.cpp:516:7:516:7 | a |  |
+| string.cpp:512:7:512:7 | a | string.cpp:512:9:512:13 | call to front | TAINT |
+| string.cpp:512:7:512:7 | ref arg a | string.cpp:513:7:513:7 | a |  |
+| string.cpp:512:7:512:7 | ref arg a | string.cpp:514:2:514:2 | a |  |
+| string.cpp:512:7:512:7 | ref arg a | string.cpp:515:7:515:7 | a |  |
+| string.cpp:512:7:512:7 | ref arg a | string.cpp:516:7:516:7 | a |  |
+| string.cpp:513:7:513:7 | a | string.cpp:513:9:513:12 | call to back | TAINT |
+| string.cpp:513:7:513:7 | ref arg a | string.cpp:514:2:514:2 | a |  |
+| string.cpp:513:7:513:7 | ref arg a | string.cpp:515:7:515:7 | a |  |
+| string.cpp:513:7:513:7 | ref arg a | string.cpp:516:7:516:7 | a |  |
+| string.cpp:514:2:514:2 | ref arg a | string.cpp:515:7:515:7 | a |  |
+| string.cpp:514:2:514:2 | ref arg a | string.cpp:516:7:516:7 | a |  |
+| string.cpp:514:14:514:28 | call to source | string.cpp:514:2:514:2 | ref arg a | TAINT |
+| string.cpp:515:7:515:7 | a | string.cpp:515:9:515:13 | call to front | TAINT |
+| string.cpp:515:7:515:7 | ref arg a | string.cpp:516:7:516:7 | a |  |
+| string.cpp:516:7:516:7 | a | string.cpp:516:9:516:12 | call to back | TAINT |
+| string.cpp:521:17:521:20 | aa | string.cpp:521:17:521:21 | call to basic_string | TAINT |
+| string.cpp:521:17:521:21 | call to basic_string | string.cpp:528:9:528:9 | a |  |
+| string.cpp:521:17:521:21 | call to basic_string | string.cpp:532:8:532:8 | a |  |
+| string.cpp:522:17:522:20 | bb | string.cpp:522:17:522:21 | call to basic_string | TAINT |
+| string.cpp:522:17:522:21 | call to basic_string | string.cpp:528:15:528:15 | b |  |
+| string.cpp:522:17:522:21 | call to basic_string | string.cpp:533:8:533:8 | b |  |
+| string.cpp:523:17:523:20 | cc | string.cpp:523:17:523:21 | call to basic_string | TAINT |
+| string.cpp:523:17:523:21 | call to basic_string | string.cpp:529:9:529:9 | c |  |
+| string.cpp:523:17:523:21 | call to basic_string | string.cpp:534:8:534:8 | c |  |
+| string.cpp:524:17:524:20 | dd | string.cpp:524:17:524:21 | call to basic_string | TAINT |
+| string.cpp:524:17:524:21 | call to basic_string | string.cpp:529:15:529:15 | d |  |
+| string.cpp:524:17:524:21 | call to basic_string | string.cpp:535:8:535:8 | d |  |
+| string.cpp:525:17:525:20 | ee | string.cpp:525:17:525:21 | call to basic_string | TAINT |
+| string.cpp:525:17:525:21 | call to basic_string | string.cpp:530:10:530:10 | e |  |
+| string.cpp:525:17:525:21 | call to basic_string | string.cpp:536:8:536:8 | e |  |
+| string.cpp:526:17:526:20 | ff | string.cpp:526:17:526:21 | call to basic_string | TAINT |
+| string.cpp:526:17:526:21 | call to basic_string | string.cpp:531:10:531:10 | f |  |
+| string.cpp:526:17:526:21 | call to basic_string | string.cpp:537:8:537:8 | f |  |
+| string.cpp:528:9:528:9 | a | string.cpp:528:11:528:11 | call to operator+= | TAINT |
+| string.cpp:528:9:528:9 | ref arg a | string.cpp:532:8:532:8 | a |  |
+| string.cpp:528:15:528:15 | b | string.cpp:528:17:528:17 | call to operator+= | TAINT |
+| string.cpp:528:15:528:15 | ref arg b | string.cpp:533:8:533:8 | b |  |
+| string.cpp:528:17:528:17 | call to operator+= | string.cpp:528:9:528:9 | ref arg a | TAINT |
+| string.cpp:528:17:528:17 | call to operator+= | string.cpp:528:11:528:11 | call to operator+= | TAINT |
+| string.cpp:528:20:528:23 | bb | string.cpp:528:15:528:15 | ref arg b | TAINT |
+| string.cpp:528:20:528:23 | bb | string.cpp:528:17:528:17 | call to operator+= | TAINT |
+| string.cpp:529:9:529:9 | c | string.cpp:529:11:529:11 | call to operator+= | TAINT |
+| string.cpp:529:9:529:9 | ref arg c | string.cpp:534:8:534:8 | c |  |
+| string.cpp:529:15:529:15 | d | string.cpp:529:17:529:17 | call to operator+= | TAINT |
+| string.cpp:529:15:529:15 | ref arg d | string.cpp:535:8:535:8 | d |  |
+| string.cpp:529:17:529:17 | call to operator+= | string.cpp:529:9:529:9 | ref arg c | TAINT |
+| string.cpp:529:17:529:17 | call to operator+= | string.cpp:529:11:529:11 | call to operator+= | TAINT |
+| string.cpp:529:20:529:25 | call to source | string.cpp:529:15:529:15 | ref arg d | TAINT |
+| string.cpp:529:20:529:25 | call to source | string.cpp:529:17:529:17 | call to operator+= | TAINT |
+| string.cpp:530:10:530:10 | e | string.cpp:530:12:530:12 | call to operator+= | TAINT |
+| string.cpp:530:10:530:10 | ref arg e | string.cpp:536:8:536:8 | e |  |
+| string.cpp:530:12:530:12 | call to operator+= | string.cpp:530:21:530:21 | call to operator+= | TAINT |
+| string.cpp:530:12:530:12 | ref arg call to operator+= | string.cpp:530:10:530:10 | ref arg e | TAINT |
+| string.cpp:530:15:530:18 | ee | string.cpp:530:10:530:10 | ref arg e | TAINT |
+| string.cpp:530:15:530:18 | ee | string.cpp:530:12:530:12 | call to operator+= | TAINT |
+| string.cpp:530:24:530:29 | call to source | string.cpp:530:12:530:12 | ref arg call to operator+= | TAINT |
+| string.cpp:530:24:530:29 | call to source | string.cpp:530:21:530:21 | call to operator+= | TAINT |
+| string.cpp:531:10:531:10 | f | string.cpp:531:12:531:12 | call to operator+= | TAINT |
+| string.cpp:531:10:531:10 | ref arg f | string.cpp:537:8:537:8 | f |  |
+| string.cpp:531:12:531:12 | call to operator+= | string.cpp:531:25:531:25 | call to operator+= | TAINT |
+| string.cpp:531:12:531:12 | ref arg call to operator+= | string.cpp:531:10:531:10 | ref arg f | TAINT |
+| string.cpp:531:15:531:20 | call to source | string.cpp:531:10:531:10 | ref arg f | TAINT |
+| string.cpp:531:15:531:20 | call to source | string.cpp:531:12:531:12 | call to operator+= | TAINT |
+| string.cpp:531:28:531:31 | ff | string.cpp:531:12:531:12 | ref arg call to operator+= | TAINT |
+| string.cpp:531:28:531:31 | ff | string.cpp:531:25:531:25 | call to operator+= | TAINT |
+| string.cpp:541:17:541:20 | aa | string.cpp:541:17:541:21 | call to basic_string | TAINT |
+| string.cpp:541:17:541:21 | call to basic_string | string.cpp:548:9:548:9 | a |  |
+| string.cpp:541:17:541:21 | call to basic_string | string.cpp:552:8:552:8 | a |  |
+| string.cpp:542:17:542:20 | bb | string.cpp:542:17:542:21 | call to basic_string | TAINT |
+| string.cpp:542:17:542:21 | call to basic_string | string.cpp:548:18:548:18 | b |  |
+| string.cpp:542:17:542:21 | call to basic_string | string.cpp:553:8:553:8 | b |  |
+| string.cpp:543:17:543:20 | cc | string.cpp:543:17:543:21 | call to basic_string | TAINT |
+| string.cpp:543:17:543:21 | call to basic_string | string.cpp:549:9:549:9 | c |  |
+| string.cpp:543:17:543:21 | call to basic_string | string.cpp:554:8:554:8 | c |  |
+| string.cpp:544:17:544:20 | dd | string.cpp:544:17:544:21 | call to basic_string | TAINT |
+| string.cpp:544:17:544:21 | call to basic_string | string.cpp:549:18:549:18 | d |  |
+| string.cpp:544:17:544:21 | call to basic_string | string.cpp:555:8:555:8 | d |  |
+| string.cpp:545:17:545:20 | ee | string.cpp:545:17:545:21 | call to basic_string | TAINT |
+| string.cpp:545:17:545:21 | call to basic_string | string.cpp:550:9:550:9 | e |  |
+| string.cpp:545:17:545:21 | call to basic_string | string.cpp:556:8:556:8 | e |  |
+| string.cpp:546:17:546:20 | ff | string.cpp:546:17:546:21 | call to basic_string | TAINT |
+| string.cpp:546:17:546:21 | call to basic_string | string.cpp:551:9:551:9 | f |  |
+| string.cpp:546:17:546:21 | call to basic_string | string.cpp:557:8:557:8 | f |  |
+| string.cpp:548:9:548:9 | ref arg a | string.cpp:552:8:552:8 | a |  |
+| string.cpp:548:18:548:18 | ref arg b | string.cpp:553:8:553:8 | b |  |
+| string.cpp:548:20:548:25 | call to assign | string.cpp:548:9:548:9 | ref arg a | TAINT |
+| string.cpp:548:20:548:25 | call to assign | string.cpp:548:11:548:16 | call to assign | TAINT |
+| string.cpp:548:27:548:30 | bb | string.cpp:548:27:548:30 | call to basic_string | TAINT |
+| string.cpp:548:27:548:30 | call to basic_string | string.cpp:548:18:548:18 | ref arg b | TAINT |
+| string.cpp:548:27:548:30 | call to basic_string | string.cpp:548:20:548:25 | call to assign | TAINT |
+| string.cpp:549:9:549:9 | ref arg c | string.cpp:554:8:554:8 | c |  |
+| string.cpp:549:18:549:18 | ref arg d | string.cpp:555:8:555:8 | d |  |
+| string.cpp:549:20:549:25 | call to assign | string.cpp:549:9:549:9 | ref arg c | TAINT |
+| string.cpp:549:20:549:25 | call to assign | string.cpp:549:11:549:16 | call to assign | TAINT |
+| string.cpp:549:27:549:32 | call to source | string.cpp:549:27:549:34 | call to basic_string | TAINT |
+| string.cpp:549:27:549:34 | call to basic_string | string.cpp:549:18:549:18 | ref arg d | TAINT |
+| string.cpp:549:27:549:34 | call to basic_string | string.cpp:549:20:549:25 | call to assign | TAINT |
+| string.cpp:550:9:550:9 | ref arg e | string.cpp:556:8:556:8 | e |  |
+| string.cpp:550:11:550:16 | ref arg call to assign | string.cpp:550:9:550:9 | ref arg e | TAINT |
+| string.cpp:550:18:550:21 | call to basic_string | string.cpp:550:9:550:9 | ref arg e | TAINT |
+| string.cpp:550:18:550:21 | call to basic_string | string.cpp:550:11:550:16 | call to assign | TAINT |
+| string.cpp:550:18:550:21 | ee | string.cpp:550:18:550:21 | call to basic_string | TAINT |
+| string.cpp:550:31:550:36 | call to source | string.cpp:550:31:550:38 | call to basic_string | TAINT |
+| string.cpp:550:31:550:38 | call to basic_string | string.cpp:550:11:550:16 | ref arg call to assign | TAINT |
+| string.cpp:550:31:550:38 | call to basic_string | string.cpp:550:24:550:29 | call to assign | TAINT |
+| string.cpp:551:9:551:9 | ref arg f | string.cpp:557:8:557:8 | f |  |
+| string.cpp:551:11:551:16 | ref arg call to assign | string.cpp:551:9:551:9 | ref arg f | TAINT |
+| string.cpp:551:18:551:23 | call to source | string.cpp:551:18:551:25 | call to basic_string | TAINT |
+| string.cpp:551:18:551:25 | call to basic_string | string.cpp:551:9:551:9 | ref arg f | TAINT |
+| string.cpp:551:18:551:25 | call to basic_string | string.cpp:551:11:551:16 | call to assign | TAINT |
+| string.cpp:551:35:551:38 | call to basic_string | string.cpp:551:11:551:16 | ref arg call to assign | TAINT |
+| string.cpp:551:35:551:38 | call to basic_string | string.cpp:551:28:551:33 | call to assign | TAINT |
+| string.cpp:551:35:551:38 | ff | string.cpp:551:35:551:38 | call to basic_string | TAINT |
 | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:16:2:16:4 | ss1 |  |
 | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:22:7:22:9 | ss1 |  |
 | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:27:7:27:9 | ss1 |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@@ -91,6 +91,13 @@ namespace std
 		const_iterator cbegin() const;
 		const_iterator cend() const;

+		void push_back(charT c);
+
+		const charT& front() const;
+		charT& front();
+		const charT& back() const;
+		charT& back();
+
 		const_reference operator[](size_type pos) const;
 		reference operator[](size_type pos);
 		const_reference at(size_type n) const;
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
@@ -158,12 +158,12 @@ void test_string_append() {
 		sink(s5); // tainted

 		s6 = s3;
-		s6 += s4;
+		sink(s6 += s4); // tainted
 		sink(s6); // tainted

 		s7 = s3;
-		s7 += source();
-		s7 += " ";
+		sink(s7 += source()); // tainted
+		sink(s7 += " "); // tainted
 		sink(s7); // tainted

 		s8 = s3;
@@ -505,3 +505,55 @@ void test_constructors_more() {
 	sink(s3);
 	sink(s4); // tainted
 }
+
+void test_string_front_back() {
+	std::string a("aa");
+
+	sink(a.front());
+	sink(a.back());
+	a.push_back(ns_char::source());
+	sink(a.front()); // [FALSE POSITIVE]
+	sink(a.back()); // tainted
+}
+
+void test_string_return_assign() {
+	{
+		std::string a("aa");
+		std::string b("bb");
+		std::string c("cc");
+		std::string d("dd");
+		std::string e("ee");
+		std::string f("ff");
+
+		sink( a += (b += "bb") );
+		sink( c += (d += source()) ); // tainted
+		sink( (e += "ee") += source() ); // tainted
+		sink( (f += source()) += "ff" ); // tainted
+		sink(a);
+		sink(b);
+		sink(c); // tainted
+		sink(d); // tainted
+		sink(e); // tainted
+		sink(f); // tainted
+	}
+
+	{
+		std::string a("aa");
+		std::string b("bb");
+		std::string c("cc");
+		std::string d("dd");
+		std::string e("ee");
+		std::string f("ff");
+
+		sink( a.assign(b.assign("bb")) );
+		sink( c.assign(d.assign(source())) ); // tainted
+		sink( e.assign("ee").assign(source()) ); // tainted
+		sink( f.assign(source()).assign("ff") );
+		sink(a);
+		sink(b);
+		sink(c); // tainted
+		sink(d); // tainted
+		sink(e); // tainted
+		sink(f); // [FALSE POSITIVE]
+	}
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -67,8 +67,11 @@
 | string.cpp:146:11:146:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
 | string.cpp:149:11:149:11 | call to operator+ | string.cpp:149:13:149:18 | call to source |
 | string.cpp:158:8:158:9 | s5 | string.cpp:154:18:154:23 | call to source |
+| string.cpp:161:11:161:11 | call to operator+= | string.cpp:154:18:154:23 | call to source |
 | string.cpp:162:8:162:9 | s6 | string.cpp:154:18:154:23 | call to source |
-| string.cpp:167:8:167:9 | s7 | string.cpp:165:9:165:14 | call to source |
+| string.cpp:165:11:165:11 | call to operator+= | string.cpp:165:14:165:19 | call to source |
+| string.cpp:166:11:166:11 | call to operator+= | string.cpp:165:14:165:19 | call to source |
+| string.cpp:167:8:167:9 | s7 | string.cpp:165:14:165:19 | call to source |
 | string.cpp:171:8:171:9 | s8 | string.cpp:154:18:154:23 | call to source |
 | string.cpp:176:8:176:9 | s9 | string.cpp:174:13:174:18 | call to source |
 | string.cpp:184:8:184:10 | s10 | string.cpp:181:12:181:26 | call to source |
@@ -138,6 +141,21 @@
 | string.cpp:491:8:491:9 | s6 | string.cpp:482:18:482:23 | call to source |
 | string.cpp:504:7:504:8 | s2 | string.cpp:497:14:497:19 | call to source |
 | string.cpp:506:7:506:8 | s4 | string.cpp:497:14:497:19 | call to source |
+| string.cpp:515:9:515:13 | call to front | string.cpp:514:14:514:28 | call to source |
+| string.cpp:516:9:516:12 | call to back | string.cpp:514:14:514:28 | call to source |
+| string.cpp:529:11:529:11 | call to operator+= | string.cpp:529:20:529:25 | call to source |
+| string.cpp:530:21:530:21 | call to operator+= | string.cpp:530:24:530:29 | call to source |
+| string.cpp:531:25:531:25 | call to operator+= | string.cpp:531:15:531:20 | call to source |
+| string.cpp:534:8:534:8 | c | string.cpp:529:20:529:25 | call to source |
+| string.cpp:535:8:535:8 | d | string.cpp:529:20:529:25 | call to source |
+| string.cpp:536:8:536:8 | e | string.cpp:530:24:530:29 | call to source |
+| string.cpp:537:8:537:8 | f | string.cpp:531:15:531:20 | call to source |
+| string.cpp:549:11:549:16 | call to assign | string.cpp:549:27:549:32 | call to source |
+| string.cpp:550:24:550:29 | call to assign | string.cpp:550:31:550:36 | call to source |
+| string.cpp:554:8:554:8 | c | string.cpp:549:27:549:32 | call to source |
+| string.cpp:555:8:555:8 | d | string.cpp:549:27:549:32 | call to source |
+| string.cpp:556:8:556:8 | e | string.cpp:550:31:550:36 | call to source |
+| string.cpp:557:8:557:8 | f | string.cpp:551:18:551:23 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -67,8 +67,11 @@
 | string.cpp:146:11:146:11 | string.cpp:141:18:141:23 | AST only |
 | string.cpp:149:11:149:11 | string.cpp:149:13:149:18 | AST only |
 | string.cpp:158:8:158:9 | string.cpp:154:18:154:23 | AST only |
+| string.cpp:161:11:161:11 | string.cpp:154:18:154:23 | AST only |
 | string.cpp:162:8:162:9 | string.cpp:154:18:154:23 | AST only |
-| string.cpp:167:8:167:9 | string.cpp:165:9:165:14 | AST only |
+| string.cpp:165:11:165:11 | string.cpp:165:14:165:19 | AST only |
+| string.cpp:166:11:166:11 | string.cpp:165:14:165:19 | AST only |
+| string.cpp:167:8:167:9 | string.cpp:165:14:165:19 | AST only |
 | string.cpp:171:8:171:9 | string.cpp:154:18:154:23 | AST only |
 | string.cpp:176:8:176:9 | string.cpp:174:13:174:18 | AST only |
 | string.cpp:184:8:184:10 | string.cpp:181:12:181:26 | AST only |
@@ -138,6 +141,21 @@
 | string.cpp:491:8:491:9 | string.cpp:482:18:482:23 | AST only |
 | string.cpp:504:7:504:8 | string.cpp:497:14:497:19 | AST only |
 | string.cpp:506:7:506:8 | string.cpp:497:14:497:19 | AST only |
+| string.cpp:515:9:515:13 | string.cpp:514:14:514:28 | AST only |
+| string.cpp:516:9:516:12 | string.cpp:514:14:514:28 | AST only |
+| string.cpp:529:11:529:11 | string.cpp:529:20:529:25 | AST only |
+| string.cpp:530:21:530:21 | string.cpp:530:24:530:29 | AST only |
+| string.cpp:531:25:531:25 | string.cpp:531:15:531:20 | AST only |
+| string.cpp:534:8:534:8 | string.cpp:529:20:529:25 | AST only |
+| string.cpp:535:8:535:8 | string.cpp:529:20:529:25 | AST only |
+| string.cpp:536:8:536:8 | string.cpp:530:24:530:29 | AST only |
+| string.cpp:537:8:537:8 | string.cpp:531:15:531:20 | AST only |
+| string.cpp:549:11:549:16 | string.cpp:549:27:549:32 | AST only |
+| string.cpp:550:24:550:29 | string.cpp:550:31:550:36 | AST only |
+| string.cpp:554:8:554:8 | string.cpp:549:27:549:32 | AST only |
+| string.cpp:555:8:555:8 | string.cpp:549:27:549:32 | AST only |
+| string.cpp:556:8:556:8 | string.cpp:550:31:550:36 | AST only |
+| string.cpp:557:8:557:8 | string.cpp:551:18:551:23 | AST only |
 | swap1.cpp:78:12:78:16 | swap1.cpp:69:23:69:23 | AST only |
 | swap1.cpp:87:13:87:17 | swap1.cpp:82:16:82:21 | AST only |
 | swap1.cpp:88:13:88:17 | swap1.cpp:81:27:81:28 | AST only |
--- a/Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.expected
+++ b/Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.expected
@@ -1,2 +1,7 @@
 | hiding.cpp:4:17:4:18 | ii | Local variable 'ii' hides a $@. | hiding.cpp:2:12:2:13 | definition of ii | parameter of the same name |
 | hiding.cpp:15:15:15:16 | kk | Local variable 'kk' hides a $@. | hiding.cpp:12:25:12:26 | definition of kk | parameter of the same name |
+| hiding.cpp:28:7:28:7 | a | Local variable 'a' hides a $@. | hiding.cpp:26:21:26:21 | definition of a | parameter of the same name |
+| hiding.cpp:45:7:45:7 | a | Local variable 'a' hides a $@. | hiding.cpp:43:41:43:41 | definition of a | parameter of the same name |
+| hiding.cpp:64:11:64:11 | i | Local variable 'i' hides a $@. | hiding.cpp:61:20:61:20 | definition of i | parameter of the same name |
+| hiding.cpp:78:7:78:10 | arg1 | Local variable 'arg1' hides a $@. | hiding.cpp:74:28:74:31 | definition of arg1 | parameter of the same name |
+| hiding.cpp:79:5:79:8 | arg2 | Local variable 'arg2' hides a $@. | hiding.cpp:74:36:74:39 | definition of arg2 | parameter of the same name |
--- a/Practices/Hiding/DeclarationHidesParameter/hiding.cpp
+++ b/Practices/Hiding/DeclarationHidesParameter/hiding.cpp
@@ -1,7 +1,7 @@

 void f(int ii) {
    if (1) {
-        for(int ii = 1; ii < 10; ii++) {
+        for(int ii = 1; ii < 10; ii++) { // local variable hides parameter of the same name
            ;
        }
    }
@@ -12,7 +12,7 @@ namespace foo {
    void f2(int ii, int kk) {
      try {
        for (ii = 0; ii < 3; ii++) {
-          int kk;
+          int kk; // local variable hides parameter of the same name
        }
      }
      catch (int ee) {
@@ -21,4 +21,61 @@ namespace foo {
  }
 }

+void myFunction(int a, int b, int c);

+void myFunction(int a, int b, int _c) {
+	{
+		int a = a; // local variable hides parameter of the same name
+		int _b = b;
+		int c = _c;
+
+		// ...
+	}
+}
+
+template<class T>
+class MyTemplateClass {
+public:
+	void myMethod(int a, int b, int c);
+};
+
+template<class T>
+void MyTemplateClass<T> :: myMethod(int a, int b, int _c) {
+	{
+		int a = a; // local variable hides parameter of the same name
+		int _b = b;
+		int c = _c;
+
+		// ...
+	}
+}
+
+MyTemplateClass<int> mtc_i;
+
+void test() {
+	mtc_i.myMethod(0, 0, 0);
+}
+
+#define MYMACRO for (int i = 0; i < 10; i++) {}
+
+void testMacro(int i) {
+	MYMACRO;
+
+	for (int i = 0; i < 10; i++) {}; // local variable hides parameter of the same name
+}
+
+#include "hiding.h"
+
+void myClass::myCaller(void) {
+  this->myMethod(5, 6);
+}
+
+template <typename T>
+void myClass::myMethod(int arg1, T arg2) {
+	{
+		int protoArg1;
+		T protoArg2;
+		int arg1; // local variable hides parameter of the same name
+		T arg2; // local variable hides parameter of the same name
+	}
+}
--- a/Practices/Hiding/DeclarationHidesParameter/hiding.h
+++ b/Practices/Hiding/DeclarationHidesParameter/hiding.h
@@ -0,0 +1,7 @@
+
+class myClass {
+public:
+  template <typename T>
+  void myMethod(int protoArg1, T protoArg2);
+  void myCaller(void);
+};