C++: Add some test cases involving function pointers.

2026-04-26 01:05:15 +02:00 · 2024-03-01 14:51:53 +00:00
parent f649939d78
commit dbf0b98791
3 changed files with 41 additions and 1 deletions
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
@@ -12,3 +12,15 @@
 | tests.cpp:181:6:181:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
 | tests.cpp:209:7:209:30 | [summary param] this in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
 | tests.cpp:209:7:209:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
+| tests.cpp:285:5:285:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:285:5:285:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn |  | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:285:5:285:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn |  | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:285:5:285:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:285:5:285:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:287:6:287:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue |  | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue |  | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] to write: Argument[1] in madCallArg0WithValue |  | madCallArg0WithValue | madCallArg0WithValue |
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
@@ -71,6 +71,9 @@ private class TestSummaries extends SummaryModelCsv {
        ";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].val;taint",
        ";MyClass;true;madFieldToReturn;;;Argument[-1].val;ReturnValue;taint",
        "MyNamespace;MyClass;true;namespaceMadSelfToReturn;;;Argument[-1];ReturnValue;taint",
+        ";;false;madCallArg0ReturnToReturn;;;Argument[0].ReturnValue;ReturnValue;value",
+        ";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.first;value",
+        ";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",
      ]
  }
 }
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
@@ -106,7 +106,7 @@ void madSinkParam0(int x) { // $ interpretElement
 	x = source(); // $ MISSING: ir
 }

-// --- MAD summaries ---
+// --- global MAD summaries ---

 struct MyContainer {
 	int value;
@@ -274,3 +274,28 @@ void test_class_members() {
 	mc6.madArg0ToField(source());
 	sink(mc6.madFieldToReturn()); // $ MISSING: ir
 }
+
+// --- MAD cases involving function pointers ---
+
+struct intPair {
+	int first;
+	int second;
+};
+
+int madCallArg0ReturnToReturn(int (*fun_ptr)()); // $ interpretElement
+intPair madCallArg0ReturnToReturnFirst(int (*fun_ptr)()); // $ interpretElement
+void madCallArg0WithValue(void (*fun_ptr)(int), int value); // $ interpretElement
+
+int getTainted() { return source(); }
+void useValue(int x) { sink(x); }
+
+void test_function_pointers() {
+	sink(madCallArg0ReturnToReturn(&notASource));
+	sink(madCallArg0ReturnToReturn(&getTainted)); // $ MISSING: ir
+	sink(madCallArg0ReturnToReturn(&source)); // $ MISSING: ir
+	sink(madCallArg0ReturnToReturnFirst(&source).first); // $ MISSING: ir
+	sink(madCallArg0ReturnToReturnFirst(&source).second);
+	madCallArg0WithValue(&useValue, 0);
+	madCallArg0WithValue(&useValue, source()); // $ MISSING: ir
+	madCallArg0WithValue(&sink, source()); // $ MISSING: ir
+}