Merge branch 'master' into update-references

2026-04-29 18:55:14 +02:00 · 2020-04-08 11:48:13 +01:00
parent 9db6b8f1e2 965235a3cf
commit eb89851025
5 changed files with 55 additions and 41 deletions
--- a/Bugs/ReturnConstTypeMember.cpp
+++ b/Bugs/ReturnConstTypeMember.cpp
@@ -8,6 +8,6 @@ struct S {
  
  // Whereas here it does make a semantic difference.
  auto getValCorrect() const -> int {
-    return val
+    return val;
  }
 };
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -201,9 +201,22 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
  or
  i2.(UnaryInstruction).getUnary() = i1
  or
-  i2.(ChiInstruction).getPartial() = i1 and
+  // Flow out of definition-by-reference
+  i2.(ChiInstruction).getPartial() = i1.(WriteSideEffectInstruction) and
  not i2.isResultConflated()
  or
+  // Flow from an element to an array or union that contains it.
+  i2.(ChiInstruction).getPartial() = i1 and
+  not i2.isResultConflated() and
+  exists(Type t | i2.getResultLanguageType().hasType(t, false) |
+    t instanceof Union
+    or
+    t instanceof ArrayType
+    or
+    // Buffers or unknown size
+    t instanceof UnknownType
+  )
+  or
  exists(BinaryInstruction bin |
    bin = i2 and
    predictableInstruction(i2.getAnOperand().getDef()) and