Merge pull request #14667 from MathiasVP/more-function-input-and-output-ipa-numbers

C++: Allocate more `FunctionInput` and `FunctionOutput`s

cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll

@@ -157,7 +157,7 @@ private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSource
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam in [0, 1] }
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(3) and
+    output.isParameterDeref(3, 2) and
     description = "address returned by " + this.getName()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll

@@ -58,7 +58,7 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
 
   override predicate hasRemoteFlowSink(FunctionInput input, string description) {
-    input.isParameterDeref(1) and description = "buffer sent by " + this.getName()
+    input.isParameterDeref(1, 1) and description = "buffer sent by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }

cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll

@@ -8,7 +8,7 @@ import semmle.code.cpp.Parameter
 
 private newtype TFunctionInput =
   TInParameter(ParameterIndex i) or
-  TInParameterDeref(ParameterIndex i) or
+  TInParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
   TInQualifierObject() or
   TInQualifierAddress() or
   TInReturnValueDeref()
@@ -245,15 +245,18 @@ class InParameter extends FunctionInput, TInParameter {
  */
 class InParameterDeref extends FunctionInput, TInParameterDeref {
   ParameterIndex index;
+  int indirectionIndex;
 
-  InParameterDeref() { this = TInParameterDeref(index) }
+  InParameterDeref() { this = TInParameterDeref(index, indirectionIndex) }
 
   override string toString() { result = "InParameterDeref " + index.toString() }
 
   /** Gets the zero-based index of the parameter. */
   ParameterIndex getIndex() { result = index }
 
-  override predicate isParameterDeref(ParameterIndex i) { i = index }
+  override predicate isParameterDeref(ParameterIndex i, int indirection) {
+    i = index and indirectionIndex = indirection
+  }
 }
 
 /**
@@ -321,10 +324,10 @@ class InReturnValueDeref extends FunctionInput, TInReturnValueDeref {
 }
 
 private newtype TFunctionOutput =
-  TOutParameterDeref(ParameterIndex i) or
+  TOutParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
   TOutQualifierObject() or
   TOutReturnValue() or
-  TOutReturnValueDeref()
+  TOutReturnValueDeref(int indirections) { indirections = [1, 2] }
 
 /**
  * An output from a function. This can be:
@@ -498,17 +501,16 @@ class FunctionOutput extends TFunctionOutput {
  */
 class OutParameterDeref extends FunctionOutput, TOutParameterDeref {
   ParameterIndex index;
+  int indirectionIndex;
 
-  OutParameterDeref() { this = TOutParameterDeref(index) }
+  OutParameterDeref() { this = TOutParameterDeref(index, indirectionIndex) }
 
   override string toString() { result = "OutParameterDeref " + index.toString() }
 
   ParameterIndex getIndex() { result = index }
 
-  override predicate isParameterDeref(ParameterIndex i) { i = index }
-
   override predicate isParameterDeref(ParameterIndex i, int ind) {
-    this.isParameterDeref(i) and ind = 1
+    i = index and ind = indirectionIndex
   }
 }
 
@@ -572,4 +574,8 @@ class OutReturnValueDeref extends FunctionOutput, TOutReturnValueDeref {
   override string toString() { result = "OutReturnValueDeref" }
 
   override predicate isReturnValueDeref() { any() }
+
+  override predicate isReturnValueDeref(int indirectionIndex) {
+    this = TOutReturnValueDeref(indirectionIndex)
+  }
 }

cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected

@@ -1,2 +1,2 @@
-failures
 testFailures
+failures

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -6646,6 +6646,17 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | taint.cpp:738:17:738:31 | call to indirect_source | taint.cpp:739:30:739:35 | source |  |
 | taint.cpp:739:22:739:28 | call to realloc | taint.cpp:740:7:740:10 | dest |  |
 | taint.cpp:739:30:739:35 | source | taint.cpp:739:22:739:28 | call to realloc | TAINT |
+| taint.cpp:743:40:743:45 | buffer | taint.cpp:744:5:744:10 | buffer |  |
+| taint.cpp:743:40:743:45 | buffer | taint.cpp:745:27:745:32 | buffer |  |
+| taint.cpp:744:4:744:10 | * ... | taint.cpp:744:3:744:10 | * ... | TAINT |
+| taint.cpp:744:5:744:10 | buffer | taint.cpp:744:4:744:10 | * ... | TAINT |
+| taint.cpp:744:14:744:19 | call to source | taint.cpp:744:3:744:21 | ... = ... |  |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:743:40:743:45 | buffer |  |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:745:3:745:37 | ... = ... |  |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:746:10:746:15 | buffer |  |
+| taint.cpp:745:27:745:32 | buffer | taint.cpp:745:19:745:25 | call to realloc | TAINT |
+| taint.cpp:746:9:746:15 | * ... | taint.cpp:746:8:746:15 | * ... | TAINT |
+| taint.cpp:746:10:746:15 | buffer | taint.cpp:746:9:746:15 | * ... | TAINT |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -738,4 +738,10 @@ void test_realloc() {
 	char *source = indirect_source();
 	char *dest = (char*)realloc(source, 16);
 	sink(dest); // $ ir MISSING: ast
+}
+
+void test_realloc_2_indirections(int **buffer) {
+  **buffer = source();
+  buffer = (int**)realloc(buffer, 16);
+  sink(**buffer); // $ ir MISSING: ast
 }