C++: Replace the new rules in DataFlowUtil with a dataflow model for pointer wrapper classes.

2025-12-20 10:46:30 +01:00 · 2021-04-09 14:06:58 +02:00
parent 8382e85901
commit cae0060a89
4 changed files with 36 additions and 20 deletions
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -521,22 +521,6 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) {
  FieldFlow::fieldFlow(nodeFrom, nodeTo)
 }

-private predicate pointerWrapperFlow(Node nodeFrom, Node nodeTo) {
-  // post-update-smart-pointer-`operator->` -> `post-update`-qualifier
-  exists(PointerWrapper wrapper, Call call |
-    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
-    nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
-    nodeTo.asDefiningArgument() = call.getQualifier()
-  )
-  or
-  // smart-pointer-qualifier -> smart-pointer-`operator->`
-  exists(PointerWrapper wrapper, Call call |
-    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
-    nodeFrom.asExpr() = call.getQualifier() and
-    nodeTo.asExpr() = call
-  )
-}
-
 /**
 * INTERNAL: do not use.
 *
@@ -602,8 +586,6 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
    nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
    nodeTo.asDefiningArgument() = call.getQualifier()
  )
-  or
-  pointerWrapperFlow(nodeFrom, nodeTo)
 }

 /**
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -1,4 +1,5 @@
 import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.PointerWrapper

 /**
@@ -14,6 +15,20 @@ private class UniqueOrSharedPtr extends Class, PointerWrapper {
  }
 }

+/** Any function that unwraps a pointer wrapper class to reveal the underlying pointer. */
+private class PointerWrapperDataFlow extends DataFlowFunction {
+  PointerWrapperDataFlow() { this = any(PointerWrapper wrapper).getAnUnwrapperFunction() }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierAddress() and output.isReturnValue()
+    or
+    input.isQualifierObject() and output.isReturnValueDeref()
+    or
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
 /**
 * The `std::make_shared` and `std::make_unique` template functions.
 */