C++: Test definitions through &, *, ...

cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp

@@ -68,3 +68,70 @@ void test_nonMemberSetA() {
   nonMemberSetA(&s, user_input());
   sink(nonMemberGetA(&s)); // flow
 }
+
+////////////////////
+
+struct Inner {
+  void *a;
+};
+
+struct Outer {
+  Inner inner_nested, *inner_ptr;
+  void *a;
+};
+
+void taint_inner_a_ptr(Inner *inner) {
+  inner->a = user_input();
+}
+
+void taint_inner_a_ref(Inner &inner) {
+  inner.a = user_input();
+}
+
+void taint_a_ptr(void **pa) {
+  *pa = user_input();
+}
+
+void taint_a_ref(void *&pa) {
+  pa = user_input();
+}
+
+void test_outer_with_ptr(Outer *pouter) {
+  Outer outer;
+
+  taint_inner_a_ptr(&outer.inner_nested);
+  taint_inner_a_ptr(outer.inner_ptr);
+  taint_a_ptr(&outer.a);
+
+  taint_inner_a_ptr(&pouter->inner_nested);
+  taint_inner_a_ptr(pouter->inner_ptr);
+  taint_a_ptr(&pouter->a);
+
+  sink(outer.inner_nested.a); // flow [NOT DETECTED by AST]
+  sink(outer.inner_ptr->a); // flow [NOT DETECTED by IR]
+  sink(outer.a); // flow [NOT DETECTED]
+
+  sink(pouter->inner_nested.a); // flow [NOT DETECTED by AST]
+  sink(pouter->inner_ptr->a); // flow [NOT DETECTED by IR]
+  sink(pouter->a); // flow [NOT DETECTED]
+}
+
+void test_outer_with_ref(Outer *pouter) {
+  Outer outer;
+
+  taint_inner_a_ref(outer.inner_nested);
+  taint_inner_a_ref(*outer.inner_ptr);
+  taint_a_ref(outer.a);
+
+  taint_inner_a_ref(pouter->inner_nested);
+  taint_inner_a_ref(*pouter->inner_ptr);
+  taint_a_ref(pouter->a);
+
+  sink(outer.inner_nested.a); // flow
+  sink(outer.inner_ptr->a); // flow [NOT DETECTED]
+  sink(outer.a); // flow [NOT DETECTED by IR]
+
+  sink(pouter->inner_nested.a); // flow
+  sink(pouter->inner_ptr->a); // flow [NOT DETECTED]
+  sink(pouter->a); // flow [NOT DETECTED by IR]
+}