Merge pull request #20249 from MathiasVP/type-tracking-for-cpp-3

C++: Use the shared type-tracking library for virtual dispatch resolution

cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp

@@ -8,7 +8,7 @@ struct Top {
   virtual void isSink(int x) { }
   virtual int notSource1() { return source(); }
   virtual int notSource2() { return source(); }
-  virtual void notSink(int x) { sink(x); } // $ SPURIOUS: ast,ir=37:19 ast,ir=45:18
+  virtual void notSink(int x) { sink(x); } // $ SPURIOUS: ast=37:19 ast=45:18
 };
 
 // This class has the correct behavior for just the functions ending in 2.
@@ -32,16 +32,16 @@ void VirtualDispatch(Bottom *bottomPtr, Bottom &bottomRef) { // $ ast-def=bottom
   sink(topPtr->isSource2()); // $ ir MISSING: ast
   topPtr->isSink(source()); // causing a MISSING for ast
 
-  sink(topPtr->notSource1()); // $ SPURIOUS: ast,ir
-  sink(topPtr->notSource2()); // $ SPURIOUS: ast,ir
+  sink(topPtr->notSource1()); // $ SPURIOUS: ast
+  sink(topPtr->notSource2()); // $ SPURIOUS: ast
   topPtr->notSink(source()); // causing SPURIOUS for ast,ir
 
   sink(topRef.isSource1()); // $ ir MISSING: ast
   sink(topRef.isSource2()); // $ ir MISSING: ast
   topRef.isSink(source()); // causing a MISSING for ast
 
-  sink(topRef.notSource1()); // $ SPURIOUS: ast,ir
-  sink(topRef.notSource2()); // $ SPURIOUS: ast,ir
+  sink(topRef.notSource1()); // $ SPURIOUS: ast
+  sink(topRef.notSource2()); // $ SPURIOUS: ast
   topRef.notSink(source()); // causing SPURIOUS for ast,ir
 }
 
@@ -126,8 +126,8 @@ namespace virtual_inheritance {
     // get flow from a `Middle` value to the call qualifier.
     Top *topPtr = bottomPtr, &topRef = bottomRef;
 
-    sink(topPtr->isSource()); // $ MISSING: ast,ir
-    sink(topRef.isSource()); // $ MISSING: ast,ir
+    sink(topPtr->isSource()); // $ ir MISSING: ast
+    sink(topRef.isSource()); // $ ir MISSING: ast
   }
 }
 

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -169,10 +169,6 @@ irFlow
 | clang.cpp:50:35:50:40 | call to source | clang.cpp:53:17:53:26 | *stackArray |
 | clang.cpp:51:19:51:24 | call to source | clang.cpp:53:17:53:26 | *stackArray |
 | clang.cpp:57:21:57:28 | call to source | clang.cpp:59:8:59:8 | d |
-| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:35:16:35:25 | call to notSource1 |
-| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:43:15:43:24 | call to notSource1 |
-| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:36:16:36:25 | call to notSource2 |
-| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:44:15:44:24 | call to notSource2 |
 | dispatch.cpp:16:37:16:42 | call to source | dispatch.cpp:32:16:32:24 | call to isSource2 |
 | dispatch.cpp:16:37:16:42 | call to source | dispatch.cpp:40:15:40:23 | call to isSource2 |
 | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:31:16:31:24 | call to isSource1 |
@@ -180,13 +176,13 @@ irFlow
 | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:55:22:55:30 | call to isSource1 |
 | dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:58:28:58:36 | call to isSource1 |
 | dispatch.cpp:33:18:33:23 | call to source | dispatch.cpp:23:38:23:38 | x |
-| dispatch.cpp:37:19:37:24 | call to source | dispatch.cpp:11:38:11:38 | x |
 | dispatch.cpp:41:17:41:22 | call to source | dispatch.cpp:23:38:23:38 | x |
-| dispatch.cpp:45:18:45:23 | call to source | dispatch.cpp:11:38:11:38 | x |
 | dispatch.cpp:69:15:69:20 | call to source | dispatch.cpp:23:38:23:38 | x |
 | dispatch.cpp:73:14:73:19 | call to source | dispatch.cpp:23:38:23:38 | x |
 | dispatch.cpp:81:13:81:18 | call to source | dispatch.cpp:23:38:23:38 | x |
 | dispatch.cpp:107:17:107:22 | call to source | dispatch.cpp:96:8:96:8 | x |
+| dispatch.cpp:117:38:117:43 | call to source | dispatch.cpp:129:18:129:25 | call to isSource |
+| dispatch.cpp:117:38:117:43 | call to source | dispatch.cpp:130:17:130:24 | call to isSource |
 | dispatch.cpp:140:8:140:13 | call to source | dispatch.cpp:96:8:96:8 | x |
 | dispatch.cpp:144:8:144:13 | call to source | dispatch.cpp:96:8:96:8 | x |
 | flowOut.cpp:5:16:5:21 | call to source | flowOut.cpp:31:9:31:9 | x |

cpp/ql/test/library-tests/dataflow/dispatch/test.cpp

@@ -0,0 +1,127 @@
+struct Base {
+  void f();
+  virtual void virtual_f();
+};
+
+struct Derived : Base {
+  void f();
+  void virtual_f();
+};
+
+void test_simple() {
+  Base b;
+  b.f(); // $ target=2
+  b.virtual_f(); // $ target=3
+
+  Derived d;
+  d.f(); // $ target=7
+  d.virtual_f(); // $ target=8
+
+  Base* b_ptr = &d;
+  b_ptr->f(); // $ target=2
+  b_ptr->virtual_f(); // $ target=8
+
+  Base& b_ref = d;
+  b_ref.f(); // $ target=2
+  b_ref.virtual_f(); // $ target=8
+
+  Base* b_null = nullptr;
+  b_null->f(); // $ target=2
+  b_null->virtual_f(); // $ target=3
+
+  Base* base_is_derived = new Derived();
+  base_is_derived->f(); // $ target=2
+  base_is_derived->virtual_f(); // $ target=8
+
+  Base* base_is_base = new Base();
+  base_is_base->f(); // $ target=2
+  base_is_base->virtual_f(); // $ target=3
+
+  Derived* derived_is_derived = new Derived();
+  derived_is_derived->f(); // $ target=7
+  derived_is_derived->virtual_f(); // $ target=8
+
+  Base& b_ref2 = b;
+  b_ref2 = d;
+  b_ref2.f(); // $ target=2
+  b_ref2.virtual_f(); // $ target=3
+}
+
+struct S {
+  Base* b1;
+  Base* b2;
+};
+
+void test_fields() {
+  S s;
+
+  s.b1 = new Base();
+  s.b2 = new Derived();
+
+  s.b1->virtual_f(); // $ target=3
+  s.b2->virtual_f(); // $ target=8
+
+  s.b1 = new Derived();
+  s.b2 = new Base();
+  s.b1->virtual_f(); // $ target=8 SPURIOUS: target=3 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA
+  s.b2->virtual_f(); // $ target=3 SPURIOUS: target=8 // type-tracking has no 'clearsContent' feature and C/C++ doesn't have field-based SSA
+}
+
+Base* getDerived() {
+  return new Derived();
+}
+
+void test_getDerived() {
+  Base* b = getDerived();
+  b->virtual_f(); // $ target=8
+
+  Derived d = *(Derived*)getDerived();
+  d.virtual_f(); // $ target=8
+}
+
+void write_to_arg(Base* b) {
+  *b = Derived();
+}
+
+void write_to_arg_2(Base** b) {
+	Derived* d = new Derived();
+  *b = d;
+}
+
+void test_write_to_arg() {
+  {
+    Base b;
+    write_to_arg(&b);
+    b.virtual_f(); // $ SPURIOUS: target=3 MISSING: target=8 // missing flow through the copy-constructor in write_to_arg
+  }
+
+  {
+    Base* b;
+    write_to_arg_2(&b);
+    b->virtual_f(); // $ target=8
+  }
+}
+
+Base* global_derived;
+
+void set_global_to_derived() {
+  global_derived = new Derived();
+}
+
+void read_global() {
+  global_derived->virtual_f(); // $ target=8
+}
+
+Base* global_base_or_derived;
+
+void set_global_base_or_derived_1() {
+  global_base_or_derived = new Base();
+}
+
+void set_global_base_or_derived_2() {
+  global_base_or_derived = new Derived();
+}
+
+void read_global_base_or_derived() {
+  global_base_or_derived->virtual_f(); // $ target=3 target=8
+}

cpp/ql/test/library-tests/dataflow/dispatch/test.ql

@@ -0,0 +1,22 @@
+import cpp
+import utils.test.InlineExpectationsTest
+import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch
+import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+
+module ResolveDispatchTest implements TestSig {
+  string getARelevantTag() { result = "target" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DataFlowCall call, SourceCallable callable, MemberFunction mf |
+      mf = callable.asSourceCallable() and
+      not mf.isCompilerGenerated() and
+      callable = viableCallable(call) and
+      location = call.getLocation() and
+      element = call.toString() and
+      tag = "target" and
+      value = callable.getLocation().getStartLine().toString()
+    )
+  }
+}
+
+import MakeTest<ResolveDispatchTest>