C++: Fix FPs by making 'isArgumentOfCallable' more robust.

2025-12-24 04:36:35 +01:00 · 2023-08-28 14:48:07 +01:00
parent f65fe34513
commit 99cc4171f8
3 changed files with 36 additions and 30 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -684,8 +684,41 @@ predicate ssaFlow(Node nodeFrom, Node nodeTo) {
  )
 }

-private predicate isArgumentOfCallable(DataFlowCall call, ArgumentNode arg) {
-  arg.argumentOf(call, _)
+private predicate isArgumentOfCallableInstruction(DataFlowCall call, Instruction instr) {
+  isArgumentOfCallableOperand(call, unique( | | getAUse(instr)))
+}
+
+private predicate isArgumentOfCallableOperand(DataFlowCall call, Operand operand) {
+  operand.(ArgumentOperand).getCall() = call
+  or
+  exists(FieldAddressInstruction fai |
+    fai.getObjectAddressOperand() = operand and
+    isArgumentOfCallableInstruction(call, fai)
+  )
+  or
+  exists(Instruction deref |
+    isArgumentOfCallableInstruction(call, deref) and
+    isDereference(deref, operand, _)
+  )
+  or
+  exists(Instruction instr |
+    isArgumentOfCallableInstruction(call, instr) and
+    conversionFlow(operand, instr, _, _)
+  )
+}
+
+private predicate isArgumentOfCallable(DataFlowCall call, Node n) {
+  isArgumentOfCallableOperand(call, n.asOperand())
+  or
+  exists(Operand op |
+    n.(IndirectOperand).hasOperandAndIndirectionIndex(op, _) and
+    isArgumentOfCallableOperand(call, op)
+  )
+  or
+  exists(Instruction instr |
+    n.(IndirectInstruction).hasInstructionAndIndirectionIndex(instr, _) and
+    isArgumentOfCallableInstruction(call, instr)
+  )
 }

 /** Holds if there is def-use or use-use flow from `pun` to `nodeTo`. */
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/self_argument_flow.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/self_argument_flow.cpp
@@ -7,7 +7,7 @@ namespace {

  Foo* test_self_argument_flow() {
    Foo *info;
-    acquire(info->string); // $ SPURIOUS: self-arg-flow
+    acquire(info->string); // clean

    return info;
  }
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -267,12 +267,8 @@ edges
 | aliasing.cpp:105:23:105:24 | pa | aliasing.cpp:175:15:175:22 | taint_a_ptr output argument |
 | aliasing.cpp:105:23:105:24 | pa | aliasing.cpp:187:15:187:22 | taint_a_ptr output argument |
 | aliasing.cpp:105:23:105:24 | pa | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument |
-| aliasing.cpp:105:23:105:24 | pa indirection | aliasing.cpp:105:23:105:24 | pa |
 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:105:23:105:24 | pa |
 | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument | aliasing.cpp:122:8:122:12 | access to array |
-| aliasing.cpp:126:15:126:20 | ... - ... indirection | aliasing.cpp:105:23:105:24 | pa indirection |
-| aliasing.cpp:126:15:126:20 | ... - ... indirection | aliasing.cpp:126:15:126:20 | taint_a_ptr output argument |
-| aliasing.cpp:126:15:126:20 | taint_a_ptr output argument | aliasing.cpp:126:15:126:20 | ... - ... indirection |
 | aliasing.cpp:126:15:126:20 | taint_a_ptr output argument | aliasing.cpp:127:8:127:16 | * ... |
 | aliasing.cpp:131:15:131:16 | taint_a_ptr output argument | aliasing.cpp:132:8:132:14 | * ... |
 | aliasing.cpp:136:15:136:17 | taint_a_ptr output argument | aliasing.cpp:137:8:137:11 | * ... |
@@ -297,13 +293,8 @@ edges
 | aliasing.cpp:187:21:187:22 | s indirection [post update] [m1] | aliasing.cpp:187:19:187:19 | s2 indirection [post update] [s, m1] |
 | aliasing.cpp:189:8:189:11 | s2_2 indirection [s, m1] | aliasing.cpp:189:13:189:13 | s indirection [m1] |
 | aliasing.cpp:189:13:189:13 | s indirection [m1] | aliasing.cpp:189:15:189:16 | m1 |
-| aliasing.cpp:200:15:200:24 | & ... indirection | aliasing.cpp:105:23:105:24 | pa indirection |
-| aliasing.cpp:200:15:200:24 | & ... indirection | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument |
 | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument | aliasing.cpp:200:23:200:24 | s indirection [post update] [m1] |
-| aliasing.cpp:200:16:200:18 | ps2 indirection [s, m1] | aliasing.cpp:200:21:200:21 | s indirection [m1] |
-| aliasing.cpp:200:21:200:21 | ps2 indirection [post update] [s, m1] | aliasing.cpp:200:16:200:18 | ps2 indirection [s, m1] |
 | aliasing.cpp:200:21:200:21 | ps2 indirection [post update] [s, m1] | aliasing.cpp:201:8:201:10 | ps2 indirection [s, m1] |
-| aliasing.cpp:200:21:200:21 | s indirection [m1] | aliasing.cpp:200:15:200:24 | & ... indirection |
 | aliasing.cpp:200:23:200:24 | s indirection [post update] [m1] | aliasing.cpp:200:21:200:21 | ps2 indirection [post update] [s, m1] |
 | aliasing.cpp:201:8:201:10 | ps2 indirection [s, m1] | aliasing.cpp:201:13:201:13 | s indirection [m1] |
 | aliasing.cpp:201:13:201:13 | s indirection [m1] | aliasing.cpp:201:15:201:16 | m1 |
@@ -415,7 +406,6 @@ edges
 | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:88:3:88:24 | ... = ... |
 | by_reference.cpp:91:25:91:26 | pa | by_reference.cpp:104:15:104:22 | taint_a_ptr output argument |
 | by_reference.cpp:91:25:91:26 | pa | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument |
-| by_reference.cpp:91:25:91:26 | pa indirection | by_reference.cpp:91:25:91:26 | pa |
 | by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:91:25:91:26 | pa |
 | by_reference.cpp:95:25:95:26 | pa | by_reference.cpp:124:15:124:21 | taint_a_ref output argument |
 | by_reference.cpp:95:25:95:26 | pa | by_reference.cpp:128:15:128:23 | taint_a_ref output argument |
@@ -430,11 +420,7 @@ edges
 | by_reference.cpp:106:30:106:41 | pouter indirection [post update] [inner_nested, a] | by_reference.cpp:114:8:114:13 | pouter indirection [inner_nested, a] |
 | by_reference.cpp:107:29:107:37 | pouter indirection [post update] [inner_ptr indirection, a] | by_reference.cpp:115:8:115:13 | pouter indirection [inner_ptr indirection, a] |
 | by_reference.cpp:107:29:107:37 | taint_inner_a_ptr output argument [a] | by_reference.cpp:107:29:107:37 | pouter indirection [post update] [inner_ptr indirection, a] |
-| by_reference.cpp:108:15:108:24 | & ... indirection | by_reference.cpp:91:25:91:26 | pa indirection |
-| by_reference.cpp:108:15:108:24 | & ... indirection | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument |
 | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument | by_reference.cpp:108:24:108:24 | pouter indirection [post update] [a] |
-| by_reference.cpp:108:16:108:21 | pouter indirection [a] | by_reference.cpp:108:15:108:24 | & ... indirection |
-| by_reference.cpp:108:24:108:24 | pouter indirection [post update] [a] | by_reference.cpp:108:16:108:21 | pouter indirection [a] |
 | by_reference.cpp:108:24:108:24 | pouter indirection [post update] [a] | by_reference.cpp:116:8:116:13 | pouter indirection [a] |
 | by_reference.cpp:110:8:110:12 | outer indirection [inner_nested, a] | by_reference.cpp:110:14:110:25 | inner_nested indirection [a] |
 | by_reference.cpp:110:14:110:25 | inner_nested indirection [a] | by_reference.cpp:110:27:110:27 | a |
@@ -1104,12 +1090,9 @@ nodes
 | aliasing.cpp:101:14:101:19 | s_copy indirection [m1] | semmle.label | s_copy indirection [m1] |
 | aliasing.cpp:102:8:102:10 | * ... | semmle.label | * ... |
 | aliasing.cpp:105:23:105:24 | pa | semmle.label | pa |
-| aliasing.cpp:105:23:105:24 | pa | semmle.label | pa |
-| aliasing.cpp:105:23:105:24 | pa indirection | semmle.label | pa indirection |
 | aliasing.cpp:106:9:106:18 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
 | aliasing.cpp:122:8:122:12 | access to array | semmle.label | access to array |
-| aliasing.cpp:126:15:126:20 | ... - ... indirection | semmle.label | ... - ... indirection |
 | aliasing.cpp:126:15:126:20 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
 | aliasing.cpp:127:8:127:16 | * ... | semmle.label | * ... |
 | aliasing.cpp:131:15:131:16 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
@@ -1141,11 +1124,8 @@ nodes
 | aliasing.cpp:189:8:189:11 | s2_2 indirection [s, m1] | semmle.label | s2_2 indirection [s, m1] |
 | aliasing.cpp:189:13:189:13 | s indirection [m1] | semmle.label | s indirection [m1] |
 | aliasing.cpp:189:15:189:16 | m1 | semmle.label | m1 |
-| aliasing.cpp:200:15:200:24 | & ... indirection | semmle.label | & ... indirection |
 | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
-| aliasing.cpp:200:16:200:18 | ps2 indirection [s, m1] | semmle.label | ps2 indirection [s, m1] |
 | aliasing.cpp:200:21:200:21 | ps2 indirection [post update] [s, m1] | semmle.label | ps2 indirection [post update] [s, m1] |
-| aliasing.cpp:200:21:200:21 | s indirection [m1] | semmle.label | s indirection [m1] |
 | aliasing.cpp:200:23:200:24 | s indirection [post update] [m1] | semmle.label | s indirection [post update] [m1] |
 | aliasing.cpp:201:8:201:10 | ps2 indirection [s, m1] | semmle.label | ps2 indirection [s, m1] |
 | aliasing.cpp:201:13:201:13 | s indirection [m1] | semmle.label | s indirection [m1] |
@@ -1250,8 +1230,6 @@ nodes
 | by_reference.cpp:88:9:88:9 | inner indirection [post update] [a] | semmle.label | inner indirection [post update] [a] |
 | by_reference.cpp:88:13:88:22 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:91:25:91:26 | pa | semmle.label | pa |
-| by_reference.cpp:91:25:91:26 | pa | semmle.label | pa |
-| by_reference.cpp:91:25:91:26 | pa indirection | semmle.label | pa indirection |
 | by_reference.cpp:92:9:92:18 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:95:25:95:26 | pa | semmle.label | pa |
 | by_reference.cpp:96:8:96:17 | call to user_input | semmle.label | call to user_input |
@@ -1265,9 +1243,7 @@ nodes
 | by_reference.cpp:106:30:106:41 | pouter indirection [post update] [inner_nested, a] | semmle.label | pouter indirection [post update] [inner_nested, a] |
 | by_reference.cpp:107:29:107:37 | pouter indirection [post update] [inner_ptr indirection, a] | semmle.label | pouter indirection [post update] [inner_ptr indirection, a] |
 | by_reference.cpp:107:29:107:37 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] |
-| by_reference.cpp:108:15:108:24 | & ... indirection | semmle.label | & ... indirection |
 | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument | semmle.label | taint_a_ptr output argument |
-| by_reference.cpp:108:16:108:21 | pouter indirection [a] | semmle.label | pouter indirection [a] |
 | by_reference.cpp:108:24:108:24 | pouter indirection [post update] [a] | semmle.label | pouter indirection [post update] [a] |
 | by_reference.cpp:110:8:110:12 | outer indirection [inner_nested, a] | semmle.label | outer indirection [inner_nested, a] |
 | by_reference.cpp:110:14:110:25 | inner_nested indirection [a] | semmle.label | inner_nested indirection [a] |
@@ -1692,8 +1668,6 @@ subpaths
 | D.cpp:22:14:22:20 | call to getBox1 indirection [elem] | D.cpp:10:11:10:17 | this indirection [elem] | D.cpp:10:11:10:17 | getElem indirection | D.cpp:22:10:22:33 | call to getElem |
 | D.cpp:37:21:37:21 | e | D.cpp:11:24:11:24 | e | D.cpp:11:29:11:32 | this indirection [post update] [elem] | D.cpp:37:8:37:10 | setElem output argument [elem] |
 | D.cpp:51:27:51:27 | e | D.cpp:11:24:11:24 | e | D.cpp:11:29:11:32 | this indirection [post update] [elem] | D.cpp:51:8:51:14 | setElem output argument [elem] |
-| aliasing.cpp:126:15:126:20 | ... - ... indirection | aliasing.cpp:105:23:105:24 | pa indirection | aliasing.cpp:105:23:105:24 | pa | aliasing.cpp:126:15:126:20 | taint_a_ptr output argument |
-| aliasing.cpp:200:15:200:24 | & ... indirection | aliasing.cpp:105:23:105:24 | pa indirection | aliasing.cpp:105:23:105:24 | pa | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument |
 | by_reference.cpp:20:23:20:27 | value | by_reference.cpp:15:26:15:30 | value | by_reference.cpp:16:11:16:11 | this indirection [post update] [a] | by_reference.cpp:20:5:20:8 | setDirectly output argument [a] |
 | by_reference.cpp:24:25:24:29 | value | by_reference.cpp:11:48:11:52 | value | by_reference.cpp:12:8:12:8 | s indirection [post update] [a] | by_reference.cpp:24:19:24:22 | nonMemberSetA output argument [a] |
 | by_reference.cpp:40:12:40:15 | this indirection [a] | by_reference.cpp:35:9:35:19 | this indirection [a] | by_reference.cpp:35:9:35:19 | getDirectly indirection | by_reference.cpp:40:18:40:28 | call to getDirectly |
@@ -1706,7 +1680,6 @@ subpaths
 | by_reference.cpp:63:8:63:8 | s indirection [a] | by_reference.cpp:43:9:43:27 | this indirection [a] | by_reference.cpp:43:9:43:27 | getThroughNonMember indirection | by_reference.cpp:63:10:63:28 | call to getThroughNonMember |
 | by_reference.cpp:68:21:68:30 | call to user_input | by_reference.cpp:11:48:11:52 | value | by_reference.cpp:12:8:12:8 | s indirection [post update] [a] | by_reference.cpp:68:17:68:18 | nonMemberSetA output argument [a] |
 | by_reference.cpp:69:22:69:23 | & ... indirection [a] | by_reference.cpp:31:46:31:46 | s indirection [a] | by_reference.cpp:31:16:31:28 | nonMemberGetA indirection | by_reference.cpp:69:8:69:20 | call to nonMemberGetA |
-| by_reference.cpp:108:15:108:24 | & ... indirection | by_reference.cpp:91:25:91:26 | pa indirection | by_reference.cpp:91:25:91:26 | pa | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument |
 | complex.cpp:42:16:42:16 | f indirection [a_] | complex.cpp:9:7:9:7 | this indirection [a_] | complex.cpp:9:7:9:7 | a indirection | complex.cpp:42:18:42:18 | call to a |
 | complex.cpp:43:16:43:16 | f indirection [b_] | complex.cpp:10:7:10:7 | this indirection [b_] | complex.cpp:10:7:10:7 | b indirection | complex.cpp:43:18:43:18 | call to b |
 | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:11:17:11:17 | a | complex.cpp:11:22:11:23 | this indirection [post update] [a_] | complex.cpp:53:12:53:12 | setA output argument [a_] |