C++: Implement SummaryParameterNode.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -80,7 +80,7 @@ private module VirtualDispatch {
         exists(DataFlowCall call, Position i |
           other
               .(DataFlow::ParameterNode)
-              .isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
+              .isParameterOf(TSourceCallable(pragma[only_bind_into](call).getStaticCallTarget()), i) and
           src.(ArgumentNode).argumentOf(call, pragma[only_bind_into](pragma[only_bind_out](i)))
         ) and
         allowOtherFromArg = true and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -340,7 +340,7 @@ DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCalla
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
 predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
-  p.isParameterOf(c.asSourceCallable(), pos) // TODO: if c is a summary node?
+  p.isParameterOf(c, pos)
 }
 
 /** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
@@ -967,10 +967,6 @@ class DataFlowCallable extends TDataFlowCallable {
   Cpp::Declaration asSourceCallable() { this = TSourceCallable(result) }
 
   FlowSummaryImpl::Public::SummarizedCallable asSummarizedCallable() { this = TSummarizedCallable(result) }
-
-/*  Callable::TypeRange getUnderlyingCallable() { TODO
-    result = this.asSummarizedCallable() or result = this.asSourceCallable()
-  }*/
 }
 
 private class SourceCallable extends DataFlowCallable, TSourceCallable {
@@ -1207,7 +1203,9 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
  * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed
  * by default as a heuristic.
  */
-predicate allowParameterReturnInSelf(ParameterNode p) { p instanceof IndirectParameterNode }
+predicate allowParameterReturnInSelf(ParameterNode p) { p instanceof IndirectParameterNode
+  // TODO: Swift has a case for summarized callables here.
+}
 
 private predicate fieldHasApproxName(Field f, string s) {
   s = f.getName().charAt(0) and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -1636,6 +1636,8 @@ class ParameterNode extends Node {
     this.asInstruction() instanceof InitializeParameterInstruction
     or
     this instanceof IndirectParameterNode
+    or
+    FlowSummaryImpl::Private::summaryParameterNode(this.(FlowSummaryNode).getSummaryNode(), _)
   }
 
   /**
@@ -1643,7 +1645,7 @@ class ParameterNode extends Node {
    * implicit `this` parameter is considered to have position `-1`, and
    * pointer-indirection parameters are at further negative positions.
    */
-  predicate isParameterOf(Function f, ParameterPosition pos) { none() } // overridden by subclasses
+  predicate isParameterOf(DataFlowCallable f, ParameterPosition pos) { none() } // overridden by subclasses
 
   /** Gets the `Parameter` associated with this node, if it exists. */
   Parameter getParameter() { none() } // overridden by subclasses
@@ -1665,8 +1667,8 @@ class DirectParameterNode extends InstructionNode {
 private class ExplicitParameterNode extends ParameterNode, DirectParameterNode {
   ExplicitParameterNode() { exists(instr.getParameter()) }
 
-  override predicate isParameterOf(Function f, ParameterPosition pos) {
-    f.getParameter(pos.(DirectPosition).getIndex()) = instr.getParameter()
+  override predicate isParameterOf(DataFlowCallable f, ParameterPosition pos) {
+    f.asSourceCallable().(Function).getParameter(pos.(DirectPosition).getIndex()) = instr.getParameter()
   }
 
   override string toStringImpl() { result = instr.getParameter().toString() }
@@ -1678,13 +1680,31 @@ private class ExplicitParameterNode extends ParameterNode, DirectParameterNode {
 class ThisParameterNode extends ParameterNode, DirectParameterNode {
   ThisParameterNode() { instr.getIRVariable() instanceof IRThisVariable }
 
-  override predicate isParameterOf(Function f, ParameterPosition pos) {
-    pos.(DirectPosition).getIndex() = -1 and instr.getEnclosingFunction() = f
+  override predicate isParameterOf(DataFlowCallable f, ParameterPosition pos) {
+    pos.(DirectPosition).getIndex() = -1 and instr.getEnclosingFunction() = f.asSourceCallable()
   }
 
   override string toStringImpl() { result = "this" }
 }
 
+/**
+ * A parameter node that is part of a summary.
+ */
+class SummaryParameterNode extends ParameterNode, FlowSummaryNode {
+  SummaryParameterNode() {
+    FlowSummaryImpl::Private::summaryParameterNode(this.getSummaryNode(), _)
+  }
+
+  private ParameterPosition getPosition() {
+    FlowSummaryImpl::Private::summaryParameterNode(this.getSummaryNode(), result)
+  }
+
+  override predicate isParameterOf(DataFlowCallable c, ParameterPosition p) {
+    c.asSummarizedCallable() = this.getSummarizedCallable() and
+    p = this.getPosition()
+  }
+}
+
 pragma[noinline]
 private predicate indirectPositionHasArgumentIndexAndIndex(
   IndirectionPosition pos, int argumentIndex, int indirectionIndex
@@ -1703,8 +1723,8 @@ private predicate indirectParameterNodeHasArgumentIndexAndIndex(
 
 /** A synthetic parameter to model the pointed-to object of a pointer parameter. */
 class ParameterIndirectionNode extends ParameterNode instanceof IndirectParameterNode {
-  override predicate isParameterOf(Function f, ParameterPosition pos) {
-    IndirectParameterNode.super.getEnclosingCallable().asSourceCallable() = f and
+  override predicate isParameterOf(DataFlowCallable f, ParameterPosition pos) {
+    IndirectParameterNode.super.getEnclosingCallable() = f and
     exists(int argumentIndex, int indirectionIndex |
       indirectPositionHasArgumentIndexAndIndex(pos, argumentIndex, indirectionIndex) and
       indirectParameterNodeHasArgumentIndexAndIndex(this, argumentIndex, indirectionIndex)

cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected

@@ -1,14 +1,14 @@
-| tests.cpp:115:5:115:19 | [summary param] 0 in madArg0ToReturn |  | madArg0ToReturn | madArg0ToReturn |
+| tests.cpp:115:5:115:19 | [summary param] 0 in madArg0ToReturn | ParameterNode | madArg0ToReturn | madArg0ToReturn |
 | tests.cpp:115:5:115:19 | [summary] to write: ReturnValue in madArg0ToReturn |  | madArg0ToReturn | madArg0ToReturn |
-| tests.cpp:117:5:117:28 | [summary param] 0 in madArg0ToReturnValueFlow |  | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
+| tests.cpp:117:5:117:28 | [summary param] 0 in madArg0ToReturnValueFlow | ParameterNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
 | tests.cpp:117:5:117:28 | [summary] to write: ReturnValue in madArg0ToReturnValueFlow |  | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
-| tests.cpp:119:6:119:18 | [summary param] 0 in madArg0ToArg1 |  | madArg0ToArg1 | madArg0ToArg1 |
-| tests.cpp:119:6:119:18 | [summary param] 1 in madArg0ToArg1 |  | madArg0ToArg1 | madArg0ToArg1 |
+| tests.cpp:119:6:119:18 | [summary param] 0 in madArg0ToArg1 | ParameterNode | madArg0ToArg1 | madArg0ToArg1 |
+| tests.cpp:119:6:119:18 | [summary param] 1 in madArg0ToArg1 | ParameterNode | madArg0ToArg1 | madArg0ToArg1 |
 | tests.cpp:119:6:119:18 | [summary] to write: Argument[1] in madArg0ToArg1 |  | madArg0ToArg1 | madArg0ToArg1 |
-| tests.cpp:180:7:180:19 | [summary param] 0 in madArg0ToSelf |  | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:180:7:180:19 | [summary param] this in madArg0ToSelf |  | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:180:7:180:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:180:7:180:19 | [summary param] this in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
 | tests.cpp:180:7:180:19 | [summary] to write: Argument[this] in madArg0ToSelf |  | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:181:6:181:20 | [summary param] this in madSelfToReturn |  | madSelfToReturn | madSelfToReturn |
+| tests.cpp:181:6:181:20 | [summary param] this in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
 | tests.cpp:181:6:181:20 | [summary] to write: ReturnValue in madSelfToReturn |  | madSelfToReturn | madSelfToReturn |
-| tests.cpp:209:7:209:30 | [summary param] this in namespaceMadSelfToReturn |  | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
+| tests.cpp:209:7:209:30 | [summary param] this in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
 | tests.cpp:209:7:209:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn |  | namespaceMadSelfToReturn | namespaceMadSelfToReturn |