diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
index 447b59bd326..d036052c14f 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -6,9 +6,7 @@ private import DataFlowDispatch
 private Node getInstanceArgument(Call call) {
   result.asExpr() = call.getQualifier()
   or
-  // For constructors, there is no qualifier, so we pretend the call itself
-  // is the instance argument.
-  result.asExpr() = call.(ConstructorCall)
+  result.(PreConstructorCallNode).getConstructorCall() = call
   // This does not include the implicit `this` argument on auto-generated
   // base class destructor calls as those do not have an AST element.
 }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 8ad7e76fbf7..f88c95a74fc 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -10,7 +10,7 @@ cached
 private newtype TNode =
   TExprNode(Expr e) or
   TPartialDefinitionNode(PartialDefinition pd) or
-  TPostConstructorCallNode(ConstructorCall call) or
+  TPreConstructorCallNode(ConstructorCall call) or
   TExplicitParameterNode(Parameter p) { exists(p.getFunction().getBlock()) } or
   TInstanceParameterNode(MemberFunction f) { exists(f.getBlock()) and not f.isStatic() } or
   TUninitializedNode(LocalVariable v) { not v.hasInitializer() }
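Review bot: The comment explaining the constructor case was dropped together with the old disjunct, so the new line `result.(PreConstructorCallNode).getConstructorCall() = call` no longer says why a synthetic node rather than a qualifier expression is returned, while the destructor caveat that follows it is kept. Suggest keeping a short comment above the new disjunct: `// For constructors there is no qualifier expression; the synthetic` / `// pre-constructor-call node plays the role of the \`this\` argument.` The pairing of that node with its post-update counterpart lives in DataFlowUtil.qll, so a reader of this predicate otherwise has no hint that the constructed object's `this` flow is routed through a node that `asExpr()` will not match.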
@@ -48,8 +48,8 @@ class Node extends TNode {
    *
    * Partial definitions are created for field stores (`x.y = taint();` is a partial
    * definition of `x`), and for calls that may change the value of an object (so
-   * `x.set(taint())` is a partial definition of `x`, annd `transfer(&x, taint())` is
-   * a partial definition of `&x`).s
+   * `x.set(taint())` is a partial definition of `x`, and `transfer(&x, taint())` is
+   * a partial definition of `&x`).
    */
   Expr asPartialDefinition() {
     result = this.(PartialDefinitionNode).getPartialDefinition().getDefinedExpr()
@@ -226,8 +226,6 @@ abstract class PostUpdateNode extends Node {
   override Type getType() { result = getPreUpdateNode().getType() }
 
   override Location getLocation() { result = getPreUpdateNode().getLocation() }
-
-  override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
 }
 
 class PartialDefinitionNode extends PostUpdateNode, TPartialDefinitionNode {
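Review bot: Removing the default `toString` from the abstract `PostUpdateNode` makes every concrete subclass responsible for its own label, and nothing in the hunk records that contract; `PartialDefinitionNode` regains an identical override elsewhere in this change, but a future subclass that relies on inheriting one will silently get whatever label its other superclasses give it. Suggest stating it in the class QLDoc (above the hunk), e.g. `// Subclasses must define \`toString\` themselves; no \`[post update]\` suffix is added here.` Presumably the default was removed because a post-update node that is itself a `TExprNode` would otherwise carry two competing `toString` definitions — that reasoning is worth writing down, since it is the only thing that explains why the constructor-call label in the expected output loses its `[post update]` suffix. The `PostUpdateNode` class header and the rest of its body lie outside the hunk.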
@@ -240,14 +238,36 @@ class PartialDefinitionNode extends PostUpdateNode, TPartialDefinitionNode {
   override Location getLocation() { result = pd.getLocation() }
 
   PartialDefinition getPartialDefinition() { result = pd }
+
+  override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
 }
 
-class PostConstructorCallNode extends PostUpdateNode, TPostConstructorCallNode {
-  ConstructorCall call;
+private class PostConstructorCallNode extends PostUpdateNode, TExprNode {
+  PostConstructorCallNode() { this = TExprNode(any(ConstructorCall c)) }
 
-  PostConstructorCallNode() { this = TPostConstructorCallNode(call) }
+  override PreConstructorCallNode getPreUpdateNode() {
+    TExprNode(result.getConstructorCall()) = this
+  }
+}
 
-  override Node getPreUpdateNode() { result.asExpr() = call }
+/**
+ * INTERNAL: do not use.
+ *
+ * A synthetic data-flow node that plays the role of the qualifier (or
+ * `this`-argument) to a constructor call.
+ */
+class PreConstructorCallNode extends Node, TPreConstructorCallNode {
+  PreConstructorCallNode() { this = TPreConstructorCallNode(_) }
+
+  ConstructorCall getConstructorCall() { this = TPreConstructorCallNode(result) }
+
+  override Function getFunction() { result = getConstructorCall().getEnclosingFunction() }
+
+  override Type getType() { result = getConstructorCall().getType() }
+
+  override Location getLocation() { result = getConstructorCall().getLocation() }
+
+  override string toString() { result = getConstructorCall().toString() + " [pre constructor call]" }
 }
 
 /**
diff --git a/cpp/ql/test/library-tests/dataflow/fields/flow.expected b/cpp/ql/test/library-tests/dataflow/fields/flow.expected
index 99c52b8f2f3..5c627aa6c57 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/flow.expected
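Review bot: `PostConstructorCallNode` is now the `TExprNode` of the constructor call itself, yet it has no QLDoc, and nothing in the hunk records that this identity is why the call's label in the expected output drops its `[post update]` suffix (the post-update node and the expression node are the same value). Suggest a comment above the class such as `/** The post-update node of a \`PreConstructorCallNode\`: the constructor-call expression itself, so it shares the \`ExprNode\` label. */`. The `PreConstructorCallNode` QLDoc says it plays the qualifier role, but it could also note that no `asExpr()` is defined for it (presumably it does not hold), so sources and sinks written purely in terms of `asExpr()` will never match the `this` argument of a constructor call — a property query authors should know before they model constructors. `getType()` returning `getConstructorCall().getType()` matches the object type a qualifier expression would have in `getInstanceArgument`, so that part looks consistent.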
@@ -7,9 +7,9 @@ edges
 | A.cpp:55:5:55:5 | b [post update] [c, ... (1)] | A.cpp:56:10:56:10 | b [c, ... (1)] |
 | A.cpp:55:12:55:19 | new [void] | A.cpp:55:5:55:5 | b [post update] [c, ... (1)] |
 | A.cpp:56:10:56:10 | b [c, ... (1)] | A.cpp:56:13:56:15 | call to get |
-| A.cpp:57:11:57:24 | call to B [post update] [c, ... (1)] | A.cpp:57:11:57:24 | new [c, ... (1)] |
+| A.cpp:57:11:57:24 | call to B [c, ... (1)] | A.cpp:57:11:57:24 | new [c, ... (1)] |
 | A.cpp:57:11:57:24 | new [c, ... (1)] | A.cpp:57:28:57:30 | call to get |
-| A.cpp:57:17:57:23 | new [void] | A.cpp:57:11:57:24 | call to B [post update] [c, ... (1)] |
+| A.cpp:57:17:57:23 | new [void] | A.cpp:57:11:57:24 | call to B [c, ... (1)] |
 | A.cpp:64:10:64:15 | call to setOnB [c, ... (1)] | A.cpp:66:10:66:11 | b2 [c, ... (1)] |
 | A.cpp:64:21:64:28 | new [void] | A.cpp:64:10:64:15 | call to setOnB [c, ... (1)] |
 | A.cpp:66:10:66:11 | b2 [c, ... (1)] | A.cpp:66:14:66:14 | c |
@@ -27,26 +27,26 @@ edges
 | A.cpp:142:7:142:7 | b [post update] [c, ... (1)] | A.cpp:143:7:143:31 | ... = ... [c, ... (1)] |
 | A.cpp:142:7:142:20 | ... = ... [void] | A.cpp:142:7:142:7 | b [post update] [c, ... (1)] |
 | A.cpp:142:14:142:20 | new [void] | A.cpp:142:7:142:20 | ... = ... [void] |
-| A.cpp:143:7:143:10 | this [post update] [b, ... (1)] | A.cpp:151:12:151:24 | call to D [post update] [b, ... (1)] |
-| A.cpp:143:7:143:10 | this [post update] [b, ... (2)] | A.cpp:151:12:151:24 | call to D [post update] [b, ... (2)] |
+| A.cpp:143:7:143:10 | this [post update] [b, ... (1)] | A.cpp:151:12:151:24 | call to D [b, ... (1)] |
+| A.cpp:143:7:143:10 | this [post update] [b, ... (2)] | A.cpp:151:12:151:24 | call to D [b, ... (2)] |
 | A.cpp:143:7:143:31 | ... = ... [c, ... (1)] | A.cpp:143:7:143:10 | this [post update] [b, ... (2)] |
 | A.cpp:143:7:143:31 | ... = ... [void] | A.cpp:143:7:143:10 | this [post update] [b, ... (1)] |
 | A.cpp:143:25:143:31 | new [void] | A.cpp:143:7:143:31 | ... = ... [void] |
 | A.cpp:150:12:150:18 | new [void] | A.cpp:151:18:151:18 | b [void] |
-| A.cpp:151:12:151:24 | call to D [post update] [b, ... (1)] | A.cpp:152:10:152:10 | d [b, ... (1)] |
-| A.cpp:151:12:151:24 | call to D [post update] [b, ... (2)] | A.cpp:153:10:153:10 | d [b, ... (2)] |
-| A.cpp:151:18:151:18 | b [void] | A.cpp:151:12:151:24 | call to D [post update] [b, ... (1)] |
+| A.cpp:151:12:151:24 | call to D [b, ... (1)] | A.cpp:152:10:152:10 | d [b, ... (1)] |
+| A.cpp:151:12:151:24 | call to D [b, ... (2)] | A.cpp:153:10:153:10 | d [b, ... (2)] |
+| A.cpp:151:18:151:18 | b [void] | A.cpp:151:12:151:24 | call to D [b, ... (1)] |
 | A.cpp:152:10:152:10 | d [b, ... (1)] | A.cpp:152:13:152:13 | b |
 | A.cpp:153:10:153:10 | d [b, ... (2)] | A.cpp:153:13:153:13 | b [c, ... (1)] |
 | A.cpp:153:13:153:13 | b [c, ... (1)] | A.cpp:153:16:153:16 | c |
 | A.cpp:159:12:159:18 | new [void] | A.cpp:160:29:160:29 | b [void] |
-| A.cpp:160:18:160:60 | call to MyList [post update] [head, ... (1)] | A.cpp:161:38:161:39 | l1 [head, ... (1)] |
-| A.cpp:160:29:160:29 | b [void] | A.cpp:160:18:160:60 | call to MyList [post update] [head, ... (1)] |
-| A.cpp:161:18:161:40 | call to MyList [post update] [next, ... (2)] | A.cpp:162:38:162:39 | l2 [next, ... (2)] |
-| A.cpp:161:38:161:39 | l1 [head, ... (1)] | A.cpp:161:18:161:40 | call to MyList [post update] [next, ... (2)] |
-| A.cpp:162:18:162:40 | call to MyList [post update] [next, ... (3)] | A.cpp:165:10:165:11 | l3 [next, ... (3)] |
-| A.cpp:162:18:162:40 | call to MyList [post update] [next, ... (3)] | A.cpp:167:44:167:44 | l [next, ... (3)] |
-| A.cpp:162:38:162:39 | l2 [next, ... (2)] | A.cpp:162:18:162:40 | call to MyList [post update] [next, ... (3)] |
+| A.cpp:160:18:160:60 | call to MyList [head, ... (1)] | A.cpp:161:38:161:39 | l1 [head, ... (1)] |
+| A.cpp:160:29:160:29 | b [void] | A.cpp:160:18:160:60 | call to MyList [head, ... (1)] |
+| A.cpp:161:18:161:40 | call to MyList [next, ... (2)] | A.cpp:162:38:162:39 | l2 [next, ... (2)] |
+| A.cpp:161:38:161:39 | l1 [head, ... (1)] | A.cpp:161:18:161:40 | call to MyList [next, ... (2)] |
+| A.cpp:162:18:162:40 | call to MyList [next, ... (3)] | A.cpp:165:10:165:11 | l3 [next, ... (3)] |
+| A.cpp:162:18:162:40 | call to MyList [next, ... (3)] | A.cpp:167:44:167:44 | l [next, ... (3)] |
+| A.cpp:162:38:162:39 | l2 [next, ... (2)] | A.cpp:162:18:162:40 | call to MyList [next, ... (3)] |
 | A.cpp:165:10:165:11 | l3 [next, ... (3)] | A.cpp:165:14:165:17 | next [next, ... (2)] |
 | A.cpp:165:14:165:17 | next [next, ... (2)] | A.cpp:165:20:165:23 | next [head, ... (1)] |
 | A.cpp:165:20:165:23 | next [head, ... (1)] | A.cpp:165:26:165:29 | head |
@@ -56,28 +56,28 @@ edges
 | A.cpp:167:47:167:50 | next [next, ... (2)] | A.cpp:167:44:167:44 | l [next, ... (2)] |
 | A.cpp:169:12:169:12 | l [head, ... (1)] | A.cpp:169:15:169:18 | head |
 | B.cpp:6:15:6:24 | new [void] | B.cpp:7:25:7:25 | e [void] |
-| B.cpp:7:16:7:35 | call to Box1 [post update] [elem1, ... (1)] | B.cpp:8:25:8:26 | b1 [elem1, ... (1)] |
-| B.cpp:7:25:7:25 | e [void] | B.cpp:7:16:7:35 | call to Box1 [post update] [elem1, ... (1)] |
-| B.cpp:8:16:8:27 | call to Box2 [post update] [box1, ... (2)] | B.cpp:9:10:9:11 | b2 [box1, ... (2)] |
-| B.cpp:8:16:8:27 | call to Box2 [post update] [box1, ... (2)] | B.cpp:10:10:10:11 | b2 [box1, ... (2)] |
-| B.cpp:8:25:8:26 | b1 [elem1, ... (1)] | B.cpp:8:16:8:27 | call to Box2 [post update] [box1, ... (2)] |
+| B.cpp:7:16:7:35 | call to Box1 [elem1, ... (1)] | B.cpp:8:25:8:26 | b1 [elem1, ... (1)] |
+| B.cpp:7:25:7:25 | e [void] | B.cpp:7:16:7:35 | call to Box1 [elem1, ... (1)] |
+| B.cpp:8:16:8:27 | call to Box2 [box1, ... (2)] | B.cpp:9:10:9:11 | b2 [box1, ... (2)] |
+| B.cpp:8:16:8:27 | call to Box2 [box1, ... (2)] | B.cpp:10:10:10:11 | b2 [box1, ... (2)] |
+| B.cpp:8:25:8:26 | b1 [elem1, ... (1)] | B.cpp:8:16:8:27 | call to Box2 [box1, ... (2)] |
 | B.cpp:9:10:9:11 | b2 [box1, ... (2)] | B.cpp:9:14:9:17 | box1 [elem1, ... (1)] |
 | B.cpp:9:14:9:17 | box1 [elem1, ... (1)] | B.cpp:9:20:9:24 | elem1 |
 | B.cpp:10:10:10:11 | b2 [box1, ... (2)] | B.cpp:10:14:10:17 | box1 [elem2, ... (1)] |
 | B.cpp:10:14:10:17 | box1 [elem2, ... (1)] | B.cpp:10:20:10:24 | elem2 |
 | B.cpp:15:15:15:27 | new [void] | B.cpp:16:37:16:37 | e [void] |
-| B.cpp:16:16:16:38 | call to Box1 [post update] [elem2, ... (1)] | B.cpp:17:25:17:26 | b1 [elem2, ... (1)] |
-| B.cpp:16:37:16:37 | e [void] | B.cpp:16:16:16:38 | call to Box1 [post update] [elem2, ... (1)] |
-| B.cpp:17:16:17:27 | call to Box2 [post update] [box1, ... (2)] | B.cpp:18:10:18:11 | b2 [box1, ... (2)] |
-| B.cpp:17:16:17:27 | call to Box2 [post update] [box1, ... (2)] | B.cpp:19:10:19:11 | b2 [box1, ... (2)] |
-| B.cpp:17:25:17:26 | b1 [elem2, ... (1)] | B.cpp:17:16:17:27 | call to Box2 [post update] [box1, ... (2)] |
+| B.cpp:16:16:16:38 | call to Box1 [elem2, ... (1)] | B.cpp:17:25:17:26 | b1 [elem2, ... (1)] |
+| B.cpp:16:37:16:37 | e [void] | B.cpp:16:16:16:38 | call to Box1 [elem2, ... (1)] |
+| B.cpp:17:16:17:27 | call to Box2 [box1, ... (2)] | B.cpp:18:10:18:11 | b2 [box1, ... (2)] |
+| B.cpp:17:16:17:27 | call to Box2 [box1, ... (2)] | B.cpp:19:10:19:11 | b2 [box1, ... (2)] |
+| B.cpp:17:25:17:26 | b1 [elem2, ... (1)] | B.cpp:17:16:17:27 | call to Box2 [box1, ... (2)] |
 | B.cpp:18:10:18:11 | b2 [box1, ... (2)] | B.cpp:18:14:18:17 | box1 [elem1, ... (1)] |
 | B.cpp:18:14:18:17 | box1 [elem1, ... (1)] | B.cpp:18:20:18:24 | elem1 |
 | B.cpp:19:10:19:11 | b2 [box1, ... (2)] | B.cpp:19:14:19:17 | box1 [elem2, ... (1)] |
 | B.cpp:19:14:19:17 | box1 [elem2, ... (1)] | B.cpp:19:20:19:24 | elem2 |
-| C.cpp:18:12:18:18 | call to C [post update] [s3, ... (1)] | C.cpp:19:5:19:5 | c [s3, ... (1)] |
+| C.cpp:18:12:18:18 | call to C [s3, ... (1)] | C.cpp:19:5:19:5 | c [s3, ... (1)] |
 | C.cpp:19:5:19:5 | c [s3, ... (1)] | C.cpp:27:8:27:11 | `this` parameter in func [s3, ... (1)] |
-| C.cpp:24:5:24:8 | this [post update] [s3, ... (1)] | C.cpp:18:12:18:18 | call to C [post update] [s3, ... (1)] |
+| C.cpp:24:5:24:8 | this [post update] [s3, ... (1)] | C.cpp:18:12:18:18 | call to C [s3, ... (1)] |
 | C.cpp:24:5:24:25 | ... = ... [void] | C.cpp:24:5:24:8 | this [post update] [s3, ... (1)] |
 | C.cpp:24:16:24:25 | new [void] | C.cpp:24:5:24:25 | ... = ... [void] |
 | C.cpp:27:8:27:11 | `this` parameter in func [s3, ... (1)] | file://:0:0:0:0 | this [s3, ... (1)] |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
index e764fbd784d..9cca2dffa91 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -87,11 +87,11 @@ void class_field_test() {
 
   sink(mc1.a);
   sink(mc1.b); // tainted [NOT DETECTED]
-  sink(mc1.c); // tainted [NOT DETECTED]
+  sink(mc1.c); // tainted [NOT DETECTED with IR]
   sink(mc1.d); // tainted [NOT DETECTED with IR]
   sink(mc2.a);
   sink(mc2.b); // tainted [NOT DETECTED]
-  sink(mc2.c); // tainted [NOT DETECTED]
+  sink(mc2.c); // tainted [NOT DETECTED with IR]
   sink(mc2.d);
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
index 90b1d9814af..c27bc148c76 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -4,7 +4,9 @@
 | taint.cpp:41:7:41:13 | global7 | taint.cpp:35:12:35:17 | call to source |
 | taint.cpp:42:7:42:13 | global8 | taint.cpp:35:12:35:17 | call to source |
 | taint.cpp:43:7:43:13 | global9 | taint.cpp:37:22:37:27 | call to source |
+| taint.cpp:90:11:90:11 | c | taint.cpp:72:7:72:12 | call to source |
 | taint.cpp:91:11:91:11 | d | taint.cpp:77:7:77:12 | call to source |
+| taint.cpp:94:11:94:11 | c | taint.cpp:72:7:72:12 | call to source |
 | taint.cpp:129:7:129:9 | * ... | taint.cpp:120:11:120:16 | call to source |
 | taint.cpp:134:7:134:9 | * ... | taint.cpp:120:11:120:16 | call to source |
 | taint.cpp:137:7:137:9 | * ... | taint.cpp:120:11:120:16 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
index 8a9fc767613..d86b5b43ef0 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -1,7 +1,9 @@
 | taint.cpp:41:7:41:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:42:7:42:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:43:7:43:13 | taint.cpp:37:22:37:27 | AST only |
+| taint.cpp:90:11:90:11 | taint.cpp:72:7:72:12 | AST only |
 | taint.cpp:91:11:91:11 | taint.cpp:77:7:77:12 | AST only |
+| taint.cpp:94:11:94:11 | taint.cpp:72:7:72:12 | AST only |
 | taint.cpp:130:7:130:9 | taint.cpp:127:8:127:13 | IR only |
 | taint.cpp:137:7:137:9 | taint.cpp:120:11:120:16 | AST only |
 | taint.cpp:173:8:173:13 | taint.cpp:164:19:164:24 | AST only |