Merge branch 'master' into rdmarsh/cpp/ir-flow-through-outparams

Pick up new test for user-defined swap functions
2026-04-29 10:45:15 +02:00 · 2020-04-01 17:32:55 -07:00
parent b579e6aabe bbb69d524e
commit a061811939
34 changed files with 187 additions and 55 deletions
--- a/cpp/ql/src/jsf/4.13
+++ b/cpp/ql/src/jsf/4.13
@@ -30,7 +30,13 @@ predicate functionsMissingReturnStmt(Function f, ControlFlowNode blame) {
  ) and
  exists(ReturnStmt s |
    f.getAPredecessor() = s and
-    blame = s.getAPredecessor()
+    (
+      blame = s.getAPredecessor() and
+      count(blame.getASuccessor()) = 1
+      or
+      blame = s and
+      exists(ControlFlowNode pred | pred = s.getAPredecessor() | count(pred.getASuccessor()) != 1)
+    )
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

+  int getParameterPos() { p.isParameterOf(_, result) }
+
  override string toString() { result = p + ": " + ap }

  predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
 private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
 ) {
-  exists(PathNodeMid mid, ReturnNodeExt ret |
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
    mid.getNode() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
    config = mid.getConfiguration() and
-    ap = mid.getAp()
+    ap = mid.getAp() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

+  int getParameterPos() { p.isParameterOf(_, result) }
+
  override string toString() { result = p + ": " + ap }

  predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
 private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
 ) {
-  exists(PathNodeMid mid, ReturnNodeExt ret |
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
    mid.getNode() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
    config = mid.getConfiguration() and
-    ap = mid.getAp()
+    ap = mid.getAp() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

+  int getParameterPos() { p.isParameterOf(_, result) }
+
  override string toString() { result = p + ": " + ap }

  predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
 private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
 ) {
-  exists(PathNodeMid mid, ReturnNodeExt ret |
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
    mid.getNode() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
    config = mid.getConfiguration() and
-    ap = mid.getAp()
+    ap = mid.getAp() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

+  int getParameterPos() { p.isParameterOf(_, result) }
+
  override string toString() { result = p + ": " + ap }

  predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
 private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
 ) {
-  exists(PathNodeMid mid, ReturnNodeExt ret |
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
    mid.getNode() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
    config = mid.getConfiguration() and
-    ap = mid.getAp()
+    ap = mid.getAp() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

+  int getParameterPos() { p.isParameterOf(_, result) }
+
  override string toString() { result = p + ": " + ap }

  predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
 private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
 ) {
-  exists(PathNodeMid mid, ReturnNodeExt ret |
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
    mid.getNode() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
    config = mid.getConfiguration() and
-    ap = mid.getAp()
+    ap = mid.getAp() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

+  int getParameterPos() { p.isParameterOf(_, result) }
+
  override string toString() { result = p + ": " + ap }

  predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
 private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
 ) {
-  exists(PathNodeMid mid, ReturnNodeExt ret |
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
    mid.getNode() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
    config = mid.getConfiguration() and
-    ap = mid.getAp()
+    ap = mid.getAp() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

+  int getParameterPos() { p.isParameterOf(_, result) }
+
  override string toString() { result = p + ": " + ap }

  predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
 private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
 ) {
-  exists(PathNodeMid mid, ReturnNodeExt ret |
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
    mid.getNode() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
    config = mid.getConfiguration() and
-    ap = mid.getAp()
+    ap = mid.getAp() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

+  int getParameterPos() { p.isParameterOf(_, result) }
+
  override string toString() { result = p + ": " + ap }

  predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
 private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
 ) {
-  exists(PathNodeMid mid, ReturnNodeExt ret |
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
    mid.getNode() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
    config = mid.getConfiguration() and
-    ap = mid.getAp()
+    ap = mid.getAp() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

+  int getParameterPos() { p.isParameterOf(_, result) }
+
  override string toString() { result = p + ": " + ap }

  predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
 private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
 ) {
-  exists(PathNodeMid mid, ReturnNodeExt ret |
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
    mid.getNode() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
    config = mid.getConfiguration() and
-    ap = mid.getAp()
+    ap = mid.getAp() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
  )
 }

--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -512,3 +512,20 @@
 | taint.cpp:444:7:444:7 | d [post update] | taint.cpp:447:7:447:7 | d |  |
 | taint.cpp:445:2:445:2 | d [post update] | taint.cpp:446:7:446:7 | d |  |
 | taint.cpp:445:2:445:2 | d [post update] | taint.cpp:447:7:447:7 | d |  |
+| taint.cpp:452:16:452:16 | a | taint.cpp:454:10:454:10 | a |  |
+| taint.cpp:452:24:452:24 | b | taint.cpp:455:6:455:6 | b |  |
+| taint.cpp:454:10:454:10 | a | taint.cpp:456:6:456:6 | c |  |
+| taint.cpp:455:6:455:6 | b | taint.cpp:452:16:452:16 | a |  |
+| taint.cpp:455:6:455:6 | b | taint.cpp:455:2:455:6 | ... = ... |  |
+| taint.cpp:456:6:456:6 | c | taint.cpp:452:24:452:24 | b |  |
+| taint.cpp:456:6:456:6 | c | taint.cpp:456:2:456:6 | ... = ... |  |
+| taint.cpp:462:6:462:11 | call to source | taint.cpp:462:2:462:13 | ... = ... |  |
+| taint.cpp:462:6:462:11 | call to source | taint.cpp:465:7:465:7 | x |  |
+| taint.cpp:462:6:462:11 | call to source | taint.cpp:468:7:468:7 | x |  |
+| taint.cpp:462:6:462:11 | call to source | taint.cpp:470:7:470:7 | x |  |
+| taint.cpp:463:6:463:6 | 0 | taint.cpp:463:2:463:6 | ... = ... |  |
+| taint.cpp:463:6:463:6 | 0 | taint.cpp:466:7:466:7 | y |  |
+| taint.cpp:463:6:463:6 | 0 | taint.cpp:468:10:468:10 | y |  |
+| taint.cpp:463:6:463:6 | 0 | taint.cpp:471:7:471:7 | y |  |
+| taint.cpp:468:7:468:7 | ref arg x | taint.cpp:470:7:470:7 | x |  |
+| taint.cpp:468:10:468:10 | ref arg y | taint.cpp:471:7:471:7 | y |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -195,7 +195,7 @@ void test_memcpy(int *source) {
 	sink(x);
 }

-// --- swap ---
+// --- std::swap ---

 namespace std {
 	template<class T> constexpr void swap(T& a, T& b);
@@ -446,3 +446,27 @@ void test_qualifiers()
 	sink(d); // tainted
 	sink(d.getString()); // tainted
 }
+
+// --- non-standard swap ---
+
+void swop(int &a, int &b)
+{
+	int c = a;
+	a = b;
+	b = c;
+}
+
+void test_swop() {
+	int x, y;
+
+	x = source();
+	y = 0;
+
+	sink(x); // tainted
+	sink(y); // clean
+
+	swop(x, y);
+
+	sink(x); // clean [FALSE POSITIVE]
+	sink(y); // tainted
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -58,3 +58,6 @@
 | taint.cpp:439:10:439:18 | call to getMember | taint.cpp:437:15:437:20 | call to source |
 | taint.cpp:446:7:446:7 | d | taint.cpp:445:14:445:28 | call to source |
 | taint.cpp:447:9:447:17 | call to getString | taint.cpp:445:14:445:28 | call to source |
+| taint.cpp:465:7:465:7 | x | taint.cpp:462:6:462:11 | call to source |
+| taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |
+| taint.cpp:471:7:471:7 | y | taint.cpp:462:6:462:11 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -42,3 +42,4 @@
 | taint.cpp:439:10:439:18 | taint.cpp:437:15:437:20 | AST only |
 | taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |
+| taint.cpp:471:7:471:7 | taint.cpp:462:6:462:11 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -20,3 +20,5 @@
 | taint.cpp:382:7:382:7 | a | taint.cpp:377:23:377:28 | source |
 | taint.cpp:429:7:429:7 | b | taint.cpp:428:13:428:18 | call to source |
 | taint.cpp:430:9:430:14 | member | taint.cpp:428:13:428:18 | call to source |
+| taint.cpp:465:7:465:7 | x | taint.cpp:462:6:462:11 | call to source |
+| taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |
--- a/cpp/ql/test/query-tests/jsf/4.13
+++ b/cpp/ql/test/query-tests/jsf/4.13
@@ -4,9 +4,9 @@
 | test.c:25:9:25:14 | ExprStmt | Function f4 should return a value of type int but does not return a value here |
 | test.c:39:9:39:14 | ExprStmt | Function f6 should return a value of type int but does not return a value here |
 | test.cpp:16:1:18:1 | { ... } | Function g2 should return a value of type MyValue but does not return a value here |
-| test.cpp:48:2:48:26 | if (...) ...  | Function g7 should return a value of type MyValue but does not return a value here |
+| test.cpp:52:1:52:1 | return ... | Function g7 should return a value of type MyValue but does not return a value here |
 | test.cpp:74:1:76:1 | { ... } | Function g10 should return a value of type second but does not return a value here |
 | test.cpp:86:1:88:1 | { ... } | Function g12 should return a value of type second but does not return a value here |
-| test.cpp:108:2:111:2 | if (...) ...  | Function g14 should return a value of type int but does not return a value here |
+| test.cpp:112:1:112:1 | return ... | Function g14 should return a value of type int but does not return a value here |
 | test.cpp:134:2:134:36 | ExprStmt | Function g16 should return a value of type int but does not return a value here |
 | test.cpp:141:3:141:37 | ExprStmt | Function g17 should return a value of type int but does not return a value here |
--- a/cpp/ql/test/query-tests/jsf/4.13
+++ b/cpp/ql/test/query-tests/jsf/4.13
@@ -48,7 +48,7 @@ MyValue g7(bool c)
 	if (c) return MyValue(7);
 	DONOTHING
 	DONOTHING
-	// BAD [the alert here is unfortunately placed]
+	// BAD
 }

 typedef void MYVOID;