Merge pull request #1584 from geoffw0/swap

CPP: Model std::swap

cpp/ql/src/semmle/code/cpp/models/Models.qll

@@ -6,3 +6,4 @@ private import implementations.Pure
 private import implementations.Strcat
 private import implementations.Strcpy
 private import implementations.Strftime
+private import implementations.Swap

cpp/ql/src/semmle/code/cpp/models/implementations/Swap.qll

@@ -0,0 +1,23 @@
+import semmle.code.cpp.models.interfaces.DataFlow
+import semmle.code.cpp.models.interfaces.Taint
+
+/**
+ * The standard function `swap`.
+ */
+class Swap extends DataFlowFunction {
+  Swap() {
+    this.hasQualifiedName("std", "swap")
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    (
+      input.isInParameterPointer(0) and
+      output.isOutParameterPointer(1)
+    )
+    or
+    (
+      input.isInParameterPointer(1) and
+      output.isOutParameterPointer(0)
+    )
+  }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -161,3 +161,17 @@
 | taint.cpp:194:10:194:10 | x | taint.cpp:194:9:194:10 | & ... | TAINT |
 | taint.cpp:194:13:194:18 | source | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
 | taint.cpp:194:21:194:31 | sizeof(int) | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
+| taint.cpp:207:6:207:11 | call to source | taint.cpp:207:2:207:13 | ... = ... |  |
+| taint.cpp:207:6:207:11 | call to source | taint.cpp:210:7:210:7 | x |  |
+| taint.cpp:207:6:207:11 | call to source | taint.cpp:213:12:213:12 | x |  |
+| taint.cpp:207:6:207:11 | call to source | taint.cpp:215:7:215:7 | x |  |
+| taint.cpp:208:6:208:6 | 0 | taint.cpp:208:2:208:6 | ... = ... |  |
+| taint.cpp:208:6:208:6 | 0 | taint.cpp:211:7:211:7 | y |  |
+| taint.cpp:208:6:208:6 | 0 | taint.cpp:213:15:213:15 | y |  |
+| taint.cpp:208:6:208:6 | 0 | taint.cpp:216:7:216:7 | y |  |
+| taint.cpp:213:12:213:12 | ref arg x | taint.cpp:213:12:213:12 | x |  |
+| taint.cpp:213:12:213:12 | ref arg x | taint.cpp:215:7:215:7 | x |  |
+| taint.cpp:213:12:213:12 | x | taint.cpp:213:15:213:15 | ref arg y |  |
+| taint.cpp:213:15:213:15 | ref arg y | taint.cpp:213:15:213:15 | y |  |
+| taint.cpp:213:15:213:15 | ref arg y | taint.cpp:216:7:216:7 | y |  |
+| taint.cpp:213:15:213:15 | y | taint.cpp:213:12:213:12 | ref arg x |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -194,3 +194,24 @@ void test_memcpy(int *source) {
 	memcpy(&x, source, sizeof(int));
 	sink(x);
 }
+
+// --- swap ---
+
+namespace std {
+	template<class T> constexpr void swap(T& a, T& b);
+}
+
+void test_swap() {
+	int x, y;
+
+	x = source();
+	y = 0;
+
+	sink(x); // tainted
+	sink(y);
+
+	std::swap(x, y);
+
+	sink(x); // [FALSE POSITIVE]
+	sink(y); // tainted
+}

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -14,3 +14,6 @@
 | taint.cpp:181:8:181:9 | * ... | taint.cpp:185:11:185:16 | call to source |
 | taint.cpp:195:7:195:7 | x | taint.cpp:192:23:192:28 | source |
 | taint.cpp:195:7:195:7 | x | taint.cpp:193:6:193:6 | x |
+| taint.cpp:210:7:210:7 | x | taint.cpp:207:6:207:11 | call to source |
+| taint.cpp:215:7:215:7 | x | taint.cpp:207:6:207:11 | call to source |
+| taint.cpp:216:7:216:7 | y | taint.cpp:207:6:207:11 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -7,3 +7,5 @@
 | taint.cpp:185:11:185:16 | taint.cpp:181:8:181:9 | AST only |
 | taint.cpp:192:23:192:28 | taint.cpp:195:7:195:7 | AST only |
 | taint.cpp:193:6:193:6 | taint.cpp:195:7:195:7 | AST only |
+| taint.cpp:207:6:207:11 | taint.cpp:215:7:215:7 | AST only |
+| taint.cpp:207:6:207:11 | taint.cpp:216:7:216:7 | AST only |

cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected

@@ -7,3 +7,4 @@
 | taint.cpp:151:7:151:12 | Call: call to select | taint.cpp:151:20:151:25 | Call: call to source |
 | taint.cpp:167:8:167:13 | Call: call to source | taint.cpp:167:8:167:13 | Call: call to source |
 | taint.cpp:168:8:168:14 | Load: tainted | taint.cpp:164:19:164:24 | Call: call to source |
+| taint.cpp:210:7:210:7 | Load: x | taint.cpp:207:6:207:11 | Call: call to source |