C++: Pivot ReturnKind solution to derive types from SSA + AST, rather than SSA + MAD.

2026-04-24 00:05:14 +02:00 · 2024-04-09 13:38:49 +01:00
parent 13734d4e62
commit 4d5f158652
2 changed files with 17 additions and 23 deletions
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -262,25 +262,3 @@ module Private {
 }

 module Public = Impl::Public;
-
-/**
- * Gets a number of indirections that can be returned by a function
- * modelled using models-as-data.
- */
-int returnIndirectionForModelledFunction() {
-  exists(string inputOutput |
-    (
-      sourceModel(_, _, _, _, _, _, inputOutput, _, _) or
-      sinkModel(_, _, _, _, _, _, inputOutput, _, _) or
-      summaryModel(_, _, _, _, _, _, inputOutput, _, _, _) or
-      summaryModel(_, _, _, _, _, _, _, inputOutput, _, _)
-    ) and (
-      // Return the number of stars in `ReturnValue[...]`
-      result = inputOutput.regexpCapture("ReturnValue\\[(\\*+)\\]", 1).length()
-      or
-      // There are no brackets the result is 0
-      inputOutput = "ReturnValue" and
-      result = 0
-    )
-  )
-}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -457,16 +457,32 @@ newtype TPosition =

 private newtype TReturnKind =
  TNormalReturnKind(int indirectionIndex) {
+    // derive a possible return indirection from SSA
+    // (this is a more durable approach if SSA infers additional indirections for any reason)
    Ssa::hasIndirectOperand(any(ReturnValueInstruction ret).getReturnAddressOperand(),
      indirectionIndex + 1) // We subtract one because the return loads the value.
    or
-    indirectionIndex = FlowSummaryImpl::returnIndirectionForModelledFunction()
+    // derive a possible return kind from the AST
+    // (this approach includes functions declared that have no body; they may still have flow summaries)
+    indirectionIndex =
+      [0 .. max(Ssa::Function f |
+          |
+          Ssa::getMaxIndirectionsForType(f.getUnspecifiedType()) - 1 // -1 because a returned value is a prvalue not a glvalue
+        )]
  } or
  TIndirectReturnKind(int argumentIndex, int indirectionIndex) {
+    // derive a possible return argument from SSA
    exists(Ssa::FinalParameterUse use |
      use.getIndirectionIndex() = indirectionIndex and
      use.getArgumentIndex() = argumentIndex
    )
+    or
+    // derive a possible return argument from the AST
+    indirectionIndex =
+      [0 .. max(Ssa::Function f |
+          |
+          Ssa::getMaxIndirectionsForType(f.getParameter(argumentIndex).getUnspecifiedType()) - 1 // -1 because an argument is a prvalue not a glvalue
+        )]
  }

 /**