Merge branch 'main' into better-syntax-for-false-positives-and-negatives-inline-expectation

cpp/ql/src/semmle/code/cpp/PrintAST.qll

@@ -114,9 +114,47 @@ class PrintASTNode extends TPrintASTNode {
 
   /**
    * Gets the child node at index `childIndex`. Child indices must be unique,
-   * but need not be contiguous (but see `getChildByRank`).
+   * but need not be contiguous.
    */
-  abstract PrintASTNode getChild(int childIndex);
+  abstract PrintASTNode getChildInternal(int childIndex);
+
+  /**
+   * Gets the child node at index `childIndex`.
+   * Adds edges to fully converted expressions, that are not part of the
+   * regular parent/child relation traversal.
+   */
+  final PrintASTNode getChild(int childIndex) {
+    // The exact value of `childIndex` doesn't matter, as long as we preserve the correct order.
+    result =
+      rank[childIndex](PrintASTNode child, int nonConvertedIndex, boolean isConverted |
+        childAndAccessorPredicate(child, _, nonConvertedIndex, isConverted)
+      |
+        // Unconverted children come first, then sort by original child index within each group.
+        child order by isConverted, nonConvertedIndex
+      )
+  }
+
+  /**
+   * Gets the node for the `.getFullyConverted()` version of the child originally at index
+   * `childIndex`, if that node has any conversions.
+   */
+  private PrintASTNode getConvertedChild(int childIndex) {
+    exists(Expr expr |
+      expr = getChildInternal(childIndex).(ASTNode).getAST() and
+      expr.getFullyConverted() instanceof Conversion and
+      result.(ASTNode).getAST() = expr.getFullyConverted() and
+      not expr instanceof Conversion
+    )
+  }
+
+  /**
+   * Gets the child access predicate for the `.getFullyConverted()` version of the child originally
+   * at index `childIndex`, if that node has any conversions.
+   */
+  private string getConvertedChildAccessorPredicate(int childIndex) {
+    exists(getConvertedChild(childIndex)) and
+    result = getChildAccessorPredicateInternal(childIndex) + ".getFullyConverted()"
+  }
 
   /**
    * Holds if this node should be printed in the output. By default, all nodes
@@ -150,15 +188,46 @@ class PrintASTNode extends TPrintASTNode {
   }
 
   /**
-   * Gets the label for the edge from this node to the specified child. By
-   * default, this is just the index of the child, but subclasses can override
-   * this.
+   * Holds if there is a child node `child` for original child index `nonConvertedIndex` with
+   * predicate name `childPredicate`. If the original child at that index has any conversions, there
+   * will be two result tuples for this predicate: one with the original child and predicate, with
+   * `isConverted = false`, and the other with the `.getFullyConverted()` version of the child and
+   * predicate, with `isConverted = true`. For a child without any conversions, there will be only
+   * one result tuple, with `isConverted = false`.
    */
-  string getChildEdgeLabel(int childIndex) {
-    exists(getChild(childIndex)) and
-    result = childIndex.toString()
+  private predicate childAndAccessorPredicate(
+    PrintASTNode child, string childPredicate, int nonConvertedIndex, boolean isConverted
+  ) {
+    child = getChildInternal(nonConvertedIndex) and
+    childPredicate = getChildAccessorPredicateInternal(nonConvertedIndex) and
+    isConverted = false
+    or
+    child = getConvertedChild(nonConvertedIndex) and
+    childPredicate = getConvertedChildAccessorPredicate(nonConvertedIndex) and
+    isConverted = true
   }
 
+  /**
+   * Gets the QL predicate that can be used to access the child at `childIndex`.
+   * May not always return a QL predicate, see for example `FunctionNode`.
+   */
+  final string getChildAccessorPredicate(int childIndex) {
+    // The exact value of `childIndex` doesn't matter, as long as we preserve the correct order.
+    result =
+      rank[childIndex](string childPredicate, int nonConvertedIndex, boolean isConverted |
+        childAndAccessorPredicate(_, childPredicate, nonConvertedIndex, isConverted)
+      |
+        // Unconverted children come first, then sort by original child index within each group.
+        childPredicate order by isConverted, nonConvertedIndex
+      )
+  }
+
+  /**
+   * Gets the QL predicate that can be used to access the child at `childIndex`.
+   * INTERNAL DO NOT USE: Does not contain accessors for the synthesized nodes for conversions.
+   */
+  abstract string getChildAccessorPredicateInternal(int childIndex);
+
   /**
    * Gets the `Function` that contains this node.
    */
@@ -205,9 +274,7 @@ class ExprNode extends ASTNode {
 
   ExprNode() { expr = ast }
 
-  override ASTNode getChild(int childIndex) {
-    result.getAST() = expr.getChild(childIndex).getFullyConverted()
-  }
+  override ASTNode getChildInternal(int childIndex) { result.getAST() = expr.getChild(childIndex) }
 
   override string getProperty(string key) {
     result = super.getProperty(key)
@@ -222,6 +289,10 @@ class ExprNode extends ASTNode {
     result = expr.getValueCategoryString()
   }
 
+  override string getChildAccessorPredicateInternal(int childIndex) {
+    result = getChildAccessorWithoutConversions(ast, getChildInternal(childIndex).getAST())
+  }
+
   /**
    * Gets the value of this expression, if it is a constant.
    */
@@ -247,12 +318,11 @@ class ConversionNode extends ExprNode {
 
   ConversionNode() { conv = expr }
 
-  override ASTNode getChild(int childIndex) {
+  override ASTNode getChildInternal(int childIndex) {
     childIndex = 0 and
-    result.getAST() = conv.getExpr()
+    result.getAST() = conv.getExpr() and
+    conv.getExpr() instanceof Conversion
   }
-
-  override string getChildEdgeLabel(int childIndex) { childIndex = 0 and result = "expr" }
 }
 
 /**
@@ -271,6 +341,18 @@ class CastNode extends ConversionNode {
   }
 }
 
+/**
+ * A node representing a `StmtExpr`.
+ */
+class StmtExprNode extends ExprNode {
+  override StmtExpr expr;
+
+  override ASTNode getChildInternal(int childIndex) {
+    childIndex = 0 and
+    result.getAST() = expr.getStmt()
+  }
+}
+
 /**
  * A node representing a `DeclarationEntry`.
  */
@@ -280,7 +362,9 @@ class DeclarationEntryNode extends BaseASTNode, TDeclarationEntryNode {
 
   DeclarationEntryNode() { this = TDeclarationEntryNode(declStmt, ast) }
 
-  override PrintASTNode getChild(int childIndex) { none() }
+  override PrintASTNode getChildInternal(int childIndex) { none() }
+
+  override string getChildAccessorPredicateInternal(int childIndex) { none() }
 
   override string getProperty(string key) {
     result = BaseASTNode.super.getProperty(key)
@@ -296,12 +380,15 @@ class DeclarationEntryNode extends BaseASTNode, TDeclarationEntryNode {
 class VariableDeclarationEntryNode extends DeclarationEntryNode {
   override VariableDeclarationEntry ast;
 
-  override ASTNode getChild(int childIndex) {
+  override ASTNode getChildInternal(int childIndex) {
     childIndex = 0 and
     result.getAST() = ast.getVariable().getInitializer()
   }
 
-  override string getChildEdgeLabel(int childIndex) { childIndex = 0 and result = "init" }
+  override string getChildAccessorPredicateInternal(int childIndex) {
+    childIndex = 0 and
+    result = "getVariable().getInitializer()"
+  }
 }
 
 /**
@@ -312,15 +399,19 @@ class StmtNode extends ASTNode {
 
   StmtNode() { stmt = ast }
 
-  override BaseASTNode getChild(int childIndex) {
+  override BaseASTNode getChildInternal(int childIndex) {
     exists(Locatable child |
       child = stmt.getChild(childIndex) and
       (
-        result.getAST() = child.(Expr).getFullyConverted() or
+        result.getAST() = child.(Expr) or
         result.getAST() = child.(Stmt)
       )
     )
   }
+
+  override string getChildAccessorPredicateInternal(int childIndex) {
+    result = getChildAccessorWithoutConversions(ast, getChildInternal(childIndex).getAST())
+  }
 }
 
 /**
@@ -331,7 +422,7 @@ class DeclStmtNode extends StmtNode {
 
   DeclStmtNode() { declStmt = stmt }
 
-  override DeclarationEntryNode getChild(int childIndex) {
+  override DeclarationEntryNode getChildInternal(int childIndex) {
     exists(DeclarationEntry entry |
       declStmt.getDeclarationEntry(childIndex) = entry and
       result = TDeclarationEntryNode(declStmt, entry)
@@ -347,7 +438,9 @@ class ParameterNode extends ASTNode {
 
   ParameterNode() { param = ast }
 
-  final override PrintASTNode getChild(int childIndex) { none() }
+  final override PrintASTNode getChildInternal(int childIndex) { none() }
+
+  final override string getChildAccessorPredicateInternal(int childIndex) { none() }
 
   final override string getProperty(string key) {
     result = super.getProperty(key)
@@ -365,14 +458,14 @@ class InitializerNode extends ASTNode {
 
   InitializerNode() { init = ast }
 
-  override ASTNode getChild(int childIndex) {
+  override ASTNode getChildInternal(int childIndex) {
     childIndex = 0 and
-    result.getAST() = init.getExpr().getFullyConverted()
+    result.getAST() = init.getExpr()
   }
 
-  override string getChildEdgeLabel(int childIndex) {
+  override string getChildAccessorPredicateInternal(int childIndex) {
     childIndex = 0 and
-    result = "expr"
+    result = "getExpr()"
   }
 }
 
@@ -388,7 +481,14 @@ class ParametersNode extends PrintASTNode, TParametersNode {
 
   final override Location getLocation() { result = getRepresentativeLocation(func) }
 
-  override ASTNode getChild(int childIndex) { result.getAST() = func.getParameter(childIndex) }
+  override ASTNode getChildInternal(int childIndex) {
+    result.getAST() = func.getParameter(childIndex)
+  }
+
+  override string getChildAccessorPredicateInternal(int childIndex) {
+    exists(getChildInternal(childIndex)) and
+    result = "getParameter(" + childIndex.toString() + ")"
+  }
 
   /**
    * Gets the `Function` for which this node represents the parameters.
@@ -408,10 +508,15 @@ class ConstructorInitializersNode extends PrintASTNode, TConstructorInitializers
 
   final override Location getLocation() { result = getRepresentativeLocation(ctor) }
 
-  final override ASTNode getChild(int childIndex) {
+  final override ASTNode getChildInternal(int childIndex) {
     result.getAST() = ctor.getInitializer(childIndex)
   }
 
+  final override string getChildAccessorPredicateInternal(int childIndex) {
+    exists(getChildInternal(childIndex)) and
+    result = "getInitializer(" + childIndex.toString() + ")"
+  }
+
   /**
    * Gets the `Constructor` for which this node represents the initializer list.
    */
@@ -430,10 +535,15 @@ class DestructorDestructionsNode extends PrintASTNode, TDestructorDestructionsNo
 
   final override Location getLocation() { result = getRepresentativeLocation(dtor) }
 
-  final override ASTNode getChild(int childIndex) {
+  final override ASTNode getChildInternal(int childIndex) {
     result.getAST() = dtor.getDestruction(childIndex)
   }
 
+  final override string getChildAccessorPredicateInternal(int childIndex) {
+    exists(getChildInternal(childIndex)) and
+    result = "getDestruction(" + childIndex.toString() + ")"
+  }
+
   /**
    * Gets the `Destructor` for which this node represents the destruction list.
    */
@@ -450,7 +560,7 @@ class FunctionNode extends ASTNode {
 
   override string toString() { result = qlClass(func) + getIdentityString(func) }
 
-  override PrintASTNode getChild(int childIndex) {
+  override PrintASTNode getChildInternal(int childIndex) {
     childIndex = 0 and
     result.(ParametersNode).getFunction() = func
     or
@@ -464,14 +574,14 @@ class FunctionNode extends ASTNode {
     result.(DestructorDestructionsNode).getDestructor() = func
   }
 
-  override string getChildEdgeLabel(int childIndex) {
-    childIndex = 0 and result = "params"
+  override string getChildAccessorPredicateInternal(int childIndex) {
+    childIndex = 0 and result = "<params>"
     or
-    childIndex = 1 and result = "initializations"
+    childIndex = 1 and result = "<initializations>"
     or
-    childIndex = 2 and result = "body"
+    childIndex = 2 and result = "getEntryPoint()"
     or
-    childIndex = 3 and result = "destructions"
+    childIndex = 3 and result = "<destructions>"
   }
 
   private int getOrder() {
@@ -496,36 +606,237 @@ class FunctionNode extends ASTNode {
   final Function getFunction() { result = func }
 }
 
-/**
- * A node representing an `ClassAggregateLiteral`.
- */
-class ClassAggregateLiteralNode extends ExprNode {
-  ClassAggregateLiteral list;
-
-  ClassAggregateLiteralNode() { list = ast }
-
-  override string getChildEdgeLabel(int childIndex) {
-    exists(Field field |
-      list.getFieldExpr(field) = list.getChild(childIndex) and
-      result = "." + field.getName()
+private string getChildAccessorWithoutConversions(Locatable parent, Element child) {
+  shouldPrintFunction(getEnclosingFunction(parent)) and
+  (
+    exists(Stmt s | s = parent |
+      namedStmtChildPredicates(s, child, result)
+      or
+      not namedStmtChildPredicates(s, child, _) and
+      exists(int n | s.getChild(n) = child and result = "getChild(" + n + ")")
     )
-  }
+    or
+    exists(Expr expr | expr = parent |
+      namedExprChildPredicates(expr, child, result)
+      or
+      not namedExprChildPredicates(expr, child, _) and
+      exists(int n | expr.getChild(n) = child and result = "getChild(" + n + ")")
+    )
+  )
 }
 
-/**
- * A node representing an `ArrayAggregateLiteral`.
- */
-class ArrayAggregateLiteralNode extends ExprNode {
-  ArrayAggregateLiteral list;
-
-  ArrayAggregateLiteralNode() { list = ast }
-
-  override string getChildEdgeLabel(int childIndex) {
-    exists(int elementIndex |
-      list.getElementExpr(elementIndex) = list.getChild(childIndex) and
-      result = "[" + elementIndex.toString() + "]"
+private predicate namedStmtChildPredicates(Locatable s, Element e, string pred) {
+  shouldPrintFunction(getEnclosingFunction(s)) and
+  (
+    exists(int n | s.(BlockStmt).getStmt(n) = e and pred = "getStmt(" + n + ")")
+    or
+    s.(ComputedGotoStmt).getExpr() = e and pred = "getExpr()"
+    or
+    s.(ConstexprIfStmt).getCondition() = e and pred = "getCondition()"
+    or
+    s.(ConstexprIfStmt).getThen() = e and pred = "getThen()"
+    or
+    s.(ConstexprIfStmt).getElse() = e and pred = "getElse()"
+    or
+    s.(IfStmt).getCondition() = e and pred = "getCondition()"
+    or
+    s.(IfStmt).getThen() = e and pred = "getThen()"
+    or
+    s.(IfStmt).getElse() = e and pred = "getElse()"
+    or
+    s.(SwitchStmt).getExpr() = e and pred = "getExpr()"
+    or
+    s.(SwitchStmt).getStmt() = e and pred = "getStmt()"
+    or
+    s.(DoStmt).getCondition() = e and pred = "getCondition()"
+    or
+    s.(DoStmt).getStmt() = e and pred = "getStmt()"
+    or
+    s.(ForStmt).getInitialization() = e and pred = "getInitialization()"
+    or
+    s.(ForStmt).getCondition() = e and pred = "getCondition()"
+    or
+    s.(ForStmt).getUpdate() = e and pred = "getUpdate()"
+    or
+    s.(ForStmt).getStmt() = e and pred = "getStmt()"
+    or
+    s.(RangeBasedForStmt).getChild(0) = e and pred = "getChild(0)"
+    or
+    s.(RangeBasedForStmt).getBeginEndDeclaration() = e and pred = "getBeginEndDeclaration()"
+    or
+    s.(RangeBasedForStmt).getCondition() = e and pred = "getCondition()"
+    or
+    s.(RangeBasedForStmt).getUpdate() = e and pred = "getUpdate()"
+    or
+    s.(RangeBasedForStmt).getChild(4) = e and pred = "getChild(4)"
+    or
+    s.(RangeBasedForStmt).getStmt() = e and pred = "getStmt()"
+    or
+    s.(WhileStmt).getCondition() = e and pred = "getCondition()"
+    or
+    s.(WhileStmt).getStmt() = e and pred = "getStmt()"
+    or
+    exists(int n |
+      s.(DeclStmt).getDeclarationEntry(n) = e and pred = "getDeclarationEntry(" + n.toString() + ")"
     )
-  }
+    or
+    // EmptyStmt does not have children
+    s.(ExprStmt).getExpr() = e and pred = "getExpr()"
+    or
+    s.(Handler).getBlock() = e and pred = "getBlock()"
+    or
+    s.(JumpStmt).getTarget() = e and pred = "getTarget()"
+    or
+    s.(MicrosoftTryStmt).getStmt() = e and pred = "getStmt()"
+    or
+    s.(MicrosoftTryExceptStmt).getCondition() = e and pred = "getCondition()"
+    or
+    s.(MicrosoftTryExceptStmt).getExcept() = e and pred = "getExcept()"
+    or
+    s.(MicrosoftTryFinallyStmt).getFinally() = e and pred = "getFinally()"
+    or
+    s.(ReturnStmt).getExpr() = e and pred = "getExpr()"
+    or
+    s.(SwitchCase).getExpr() = e and pred = "getExpr()"
+    or
+    s.(SwitchCase).getEndExpr() = e and pred = "getEndExpr()"
+    or
+    s.(TryStmt).getStmt() = e and pred = "getStmt()"
+    or
+    s.(VlaDimensionStmt).getDimensionExpr() = e and pred = "getDimensionExpr()"
+  )
+}
+
+private predicate namedExprChildPredicates(Expr expr, Element ele, string pred) {
+  shouldPrintFunction(expr.getEnclosingFunction()) and
+  (
+    expr.(Access).getTarget() = ele and pred = "getTarget()"
+    or
+    expr.(VariableAccess).getQualifier() = ele and pred = "getQualifier()"
+    or
+    exists(Field f |
+      expr.(ClassAggregateLiteral).getFieldExpr(f) = ele and
+      pred = "getFieldExpr(" + f.toString() + ")"
+    )
+    or
+    exists(int n |
+      expr.(ArrayOrVectorAggregateLiteral).getElementExpr(n) = ele and
+      pred = "getElementExpr(" + n.toString() + ")"
+    )
+    or
+    expr.(AlignofExprOperator).getExprOperand() = ele and pred = "getExprOperand()"
+    or
+    expr.(ArrayExpr).getArrayBase() = ele and pred = "getArrayBase()"
+    or
+    expr.(ArrayExpr).getArrayOffset() = ele and pred = "getArrayOffset()"
+    or
+    expr.(AssumeExpr).getOperand() = ele and pred = "getOperand()"
+    or
+    expr.(BuiltInComplexOperation).getRealOperand() = ele and pred = "getRealOperand()"
+    or
+    expr.(BuiltInComplexOperation).getImaginaryOperand() = ele and pred = "getImaginaryOperand()"
+    or
+    expr.(BuiltInVarArg).getVAList() = ele and pred = "getVAList()"
+    or
+    expr.(BuiltInVarArgCopy).getDestinationVAList() = ele and pred = "getDestinationVAList()"
+    or
+    expr.(BuiltInVarArgCopy).getSourceVAList() = ele and pred = "getSourceVAList()"
+    or
+    expr.(BuiltInVarArgsEnd).getVAList() = ele and pred = "getVAList()"
+    or
+    expr.(BuiltInVarArgsStart).getVAList() = ele and pred = "getVAList()"
+    or
+    expr.(BuiltInVarArgsStart).getLastNamedParameter() = ele and pred = "getLastNamedParameter()"
+    or
+    expr.(Call).getQualifier() = ele and pred = "getQualifier()"
+    or
+    exists(int n | expr.(Call).getArgument(n) = ele and pred = "getArgument(" + n.toString() + ")")
+    or
+    expr.(ExprCall).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(OverloadedArrayExpr).getArrayBase() = ele and pred = "getArrayBase()"
+    or
+    expr.(OverloadedArrayExpr).getArrayOffset() = ele and pred = "getArrayOffset()"
+    or
+    expr.(OverloadedPointerDereferenceExpr).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(CommaExpr).getLeftOperand() = ele and pred = "getLeftOperand()"
+    or
+    expr.(CommaExpr).getRightOperand() = ele and pred = "getRightOperand()"
+    or
+    expr.(ConditionDeclExpr).getVariableAccess() = ele and pred = "getVariableAccess()"
+    or
+    expr.(ConstructorFieldInit).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(Conversion).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(DeleteArrayExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
+    or
+    expr.(DeleteArrayExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
+    or
+    expr.(DeleteArrayExpr).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(DeleteExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
+    or
+    expr.(DeleteExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
+    or
+    expr.(DeleteExpr).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(DestructorFieldDestruction).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(FoldExpr).getInitExpr() = ele and pred = "getInitExpr()"
+    or
+    expr.(FoldExpr).getPackExpr() = ele and pred = "getPackExpr()"
+    or
+    expr.(LambdaExpression).getInitializer() = ele and pred = "getInitializer()"
+    or
+    expr.(NewOrNewArrayExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
+    or
+    expr.(NewOrNewArrayExpr).getAlignmentArgument() = ele and pred = "getAlignmentArgument()"
+    or
+    expr.(NewArrayExpr).getInitializer() = ele and pred = "getInitializer()"
+    or
+    expr.(NewArrayExpr).getExtent() = ele and pred = "getExtent()"
+    or
+    expr.(NewExpr).getInitializer() = ele and pred = "getInitializer()"
+    or
+    expr.(NoExceptExpr).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(Assignment).getLValue() = ele and pred = "getLValue()"
+    or
+    expr.(Assignment).getRValue() = ele and pred = "getRValue()"
+    or
+    not expr instanceof RelationalOperation and
+    expr.(BinaryOperation).getLeftOperand() = ele and
+    pred = "getLeftOperand()"
+    or
+    not expr instanceof RelationalOperation and
+    expr.(BinaryOperation).getRightOperand() = ele and
+    pred = "getRightOperand()"
+    or
+    expr.(RelationalOperation).getGreaterOperand() = ele and pred = "getGreaterOperand()"
+    or
+    expr.(RelationalOperation).getLesserOperand() = ele and pred = "getLesserOperand()"
+    or
+    expr.(ConditionalExpr).getCondition() = ele and pred = "getCondition()"
+    or
+    // If ConditionalExpr is in two-operand form, getThen() = getCondition() holds
+    not expr.(ConditionalExpr).isTwoOperand() and
+    expr.(ConditionalExpr).getThen() = ele and
+    pred = "getThen()"
+    or
+    expr.(ConditionalExpr).getElse() = ele and pred = "getElse()"
+    or
+    expr.(UnaryOperation).getOperand() = ele and pred = "getOperand()"
+    or
+    expr.(SizeofExprOperator).getExprOperand() = ele and pred = "getExprOperand()"
+    or
+    expr.(StmtExpr).getStmt() = ele and pred = "getStmt()"
+    or
+    expr.(ThrowExpr).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(TypeidOperator).getExpr() = ele and pred = "getExpr()"
+  )
 }
 
 /** Holds if `node` belongs to the output tree, and its property `key` has the given `value`. */
@@ -544,7 +855,7 @@ query predicate edges(PrintASTNode source, PrintASTNode target, string key, stri
     target.shouldPrint() and
     target = source.getChild(childIndex) and
     (
-      key = "semmle.label" and value = source.getChildEdgeLabel(childIndex)
+      key = "semmle.label" and value = source.getChildAccessorPredicate(childIndex)
       or
       key = "semmle.order" and value = childIndex.toString()
     )

cpp/ql/src/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -27,7 +27,7 @@ class VarArgsExpr extends BuiltInOperation, @var_args_expr { }
  * __builtin_va_start(ap, last_named_param);
  * ```
  */
-class BuiltInVarArgsStart extends BuiltInOperation, @vastartexpr {
+class BuiltInVarArgsStart extends VarArgsExpr, @vastartexpr {
   override string toString() { result = "__builtin_va_start" }
 
   override string getAPrimaryQlClass() { result = "BuiltInVarArgsStart" }
@@ -52,7 +52,7 @@ class BuiltInVarArgsStart extends BuiltInOperation, @vastartexpr {
  * __builtin_va_end(ap);
  * ```
  */
-class BuiltInVarArgsEnd extends BuiltInOperation, @vaendexpr {
+class BuiltInVarArgsEnd extends VarArgsExpr, @vaendexpr {
   override string toString() { result = "__builtin_va_end" }
 
   override string getAPrimaryQlClass() { result = "BuiltInVarArgsEnd" }
@@ -70,7 +70,7 @@ class BuiltInVarArgsEnd extends BuiltInOperation, @vaendexpr {
  * ap = __builtin_va_arg(ap, long);
  * ```
  */
-class BuiltInVarArg extends BuiltInOperation, @vaargexpr {
+class BuiltInVarArg extends VarArgsExpr, @vaargexpr {
   override string toString() { result = "__builtin_va_arg" }
 
   override string getAPrimaryQlClass() { result = "BuiltInVarArg" }
@@ -90,7 +90,7 @@ class BuiltInVarArg extends BuiltInOperation, @vaargexpr {
  * va_copy(aq, ap);
  * ```
  */
-class BuiltInVarArgCopy extends BuiltInOperation, @vacopyexpr {
+class BuiltInVarArgCopy extends VarArgsExpr, @vacopyexpr {
   override string toString() { result = "__builtin_va_copy" }
 
   override string getAPrimaryQlClass() { result = "BuiltInVarArgCopy" }

cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -303,8 +303,6 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
     )
   or
   // Flow from input argument to output argument
-  // TODO: This won't work in practice as long as all aliased memory is tracked
-  // together in a single virtual variable.
   // TODO: Will this work on the test for `TaintedPath.ql`, where the output arg
   // is a pointer addition expression?
   i2 =

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -218,7 +218,7 @@ string getInstructionTagId(TInstructionTag tag) {
   or
   tag = DynamicInitializationFlagStoreTag() and result = "DynInitFlagStore"
   or
-  tag = ThisAddressTag() and result = "ThisAddres"
+  tag = ThisAddressTag() and result = "ThisAddress"
   or
   tag = ThisLoadTag() and result = "ThisLoad"
 }

cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll

@@ -5,32 +5,9 @@ import semmle.code.cpp.models.interfaces.SideEffect
 
 class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
   PureStrFunction() {
-    exists(string name |
-      hasGlobalOrStdName(name) and
-      (
-        name = "atof" or
-        name = "atoi" or
-        name = "atol" or
-        name = "atoll" or
-        name = "strcasestr" or
-        name = "strchnul" or
-        name = "strchr" or
-        name = "strchrnul" or
-        name = "strstr" or
-        name = "strpbrk" or
-        name = "strcmp" or
-        name = "strcspn" or
-        name = "strncmp" or
-        name = "strrchr" or
-        name = "strspn" or
-        name = "strtod" or
-        name = "strtof" or
-        name = "strtol" or
-        name = "strtoll" or
-        name = "strtoq" or
-        name = "strtoul"
-      )
-    )
+    hasGlobalOrStdName(["atof", "atoi", "atol", "atoll", "strcasestr", "strchnul", "strchr",
+          "strchrnul", "strstr", "strpbrk", "strcmp", "strcspn", "strncmp", "strrchr", "strspn",
+          "strtod", "strtof", "strtol", "strtoll", "strtoq", "strtoul"])
   }
 
   override predicate hasArrayInput(int bufParam) {
@@ -81,22 +58,9 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideE
 
 class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFunction {
   StrLenFunction() {
-    exists(string name |
-      hasGlobalOrStdName(name) and
-      (
-        name = "strlen" or
-        name = "strnlen" or
-        name = "wcslen"
-      )
-      or
-      hasGlobalName(name) and
-      (
-        name = "_mbslen" or
-        name = "_mbslen_l" or
-        name = "_mbstrlen" or
-        name = "_mbstrlen_l"
-      )
-    )
+    hasGlobalOrStdName(["strlen", "strnlen", "wcslen"])
+    or
+    hasGlobalName(["_mbslen", "_mbslen_l", "_mbstrlen", "_mbstrlen_l"])
   }
 
   override predicate hasArrayInput(int bufParam) {
@@ -126,15 +90,7 @@ class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFunction {
 }
 
 class PureFunction extends TaintFunction, SideEffectFunction {
-  PureFunction() {
-    exists(string name |
-      hasGlobalOrStdName(name) and
-      (
-        name = "abs" or
-        name = "labs"
-      )
-    )
-  }
+  PureFunction() { hasGlobalOrStdName(["abs", "labs"]) }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     exists(ParameterIndex i |

cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll

@@ -17,7 +17,7 @@ class MakeUniqueOrShared extends TaintFunction {
     // Exclude the specializations of `std::make_shared` and `std::make_unique` that allocate arrays
     // since these just take a size argument, which we don't want to propagate taint through.
     not this.isArray() and
-    input.isParameter(_) and
+    input.isParameter([0 .. getNumberOfParameters() - 1]) and
     output.isReturnValue()
   }
 

cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll

@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.Taint
 /**
  * Additional model for `std::pair` constructors.
  */
-class StdPairConstructor extends Constructor, TaintFunction {
+private class StdPairConstructor extends Constructor, TaintFunction {
   StdPairConstructor() { this.hasQualifiedName("std", "pair", "pair") }
 
   /**
@@ -34,7 +34,7 @@ class StdPairConstructor extends Constructor, TaintFunction {
 /**
  * The standard pair `swap` function.
  */
-class StdPairSwap extends TaintFunction {
+private class StdPairSwap extends TaintFunction {
   StdPairSwap() { this.hasQualifiedName("std", "pair", "swap") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

cpp/ql/test/examples/expressions/Conversion4.c

@@ -1,3 +1,11 @@
 void Conversion4(int x) {
   x = ((int)7);
+}
+
+char * retfn(void * v) {
+    return (char*)(void*)(int*)v;
+}
+
+void Conversion4_vardecl(int x) {
+  long y = (long) x;
 }

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp

@@ -208,4 +208,50 @@ void test_field_to_obj_test_pointer_arith(Point* pp) {
   (pp + sizeof(*pp))->x = getenv("VAR")[0];
   sink(pp); // tainted [field -> object]
   sink(pp + sizeof(*pp)); // tainted [field -> object]
-}
+}
+
+void sink(char **);
+
+void test_pointers1()
+{
+	char buffer[1024];
+	char *s = getenv("VAR");
+	char *ptr1, **ptr2;
+	char *ptr3, **ptr4;
+
+	ptr1 = buffer;
+	ptr2 = &ptr1;
+	memcpy(buffer, s, 1024);
+	ptr3 = buffer;
+	ptr4 = &ptr3;
+
+	sink(buffer); // tainted
+	sink(ptr1); // tainted
+	sink(ptr2);
+	sink(*ptr2); // tainted [NOT DETECTED]
+	sink(ptr3); // tainted
+	sink(ptr4);
+	sink(*ptr4); // tainted [NOT DETECTED]
+}
+
+void test_pointers2()
+{
+	char buffer[1024];
+	char *s = getenv("VAR");
+	char *ptr1, **ptr2;
+	char *ptr3, **ptr4;
+
+	ptr1 = buffer;
+	ptr2 = &ptr1;
+	memcpy(*ptr2, s, 1024);
+	ptr3 = buffer;
+	ptr4 = &ptr3;
+
+	sink(buffer); // tainted [NOT DETECTED]
+	sink(ptr1); // tainted [NOT DETECTED]
+	sink(ptr2);
+	sink(*ptr2); // tainted [NOT DETECTED]
+	sink(ptr3); // tainted [NOT DETECTED]
+	sink(ptr4);
+	sink(*ptr4); // tainted [NOT DETECTED]
+}

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/shared.h

@@ -12,3 +12,6 @@ char *strcat(char * s1, const char * s2);
 char *strdup(const char *string);
 char *_strdup(const char *string);
 char *unmodeled_function(const char *const_string);
+
+typedef unsigned long size_t;
+void *memcpy(void *s1, const void *s2, size_t n);

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected

@@ -134,6 +134,26 @@
 | defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:208:27:208:32 | call to getenv |
 | defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:208:27:208:42 | (int)... |
 | defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:208:27:208:42 | access to array |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:218:8:218:8 | s |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:218:12:218:17 | call to getenv |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:224:2:224:7 | call to memcpy |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:224:17:224:17 | (const void *)... |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:224:17:224:17 | s |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:228:7:228:12 | (const char *)... |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:228:7:228:12 | array to pointer conversion |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:228:7:228:12 | buffer |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:229:7:229:10 | (const char *)... |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:229:7:229:10 | ptr1 |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:232:7:232:10 | (const char *)... |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:232:7:232:10 | ptr3 |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | shared.h:5:23:5:31 | sinkparam |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | shared.h:17:36:17:37 | s2 |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:240:8:240:8 | s |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:240:12:240:17 | call to getenv |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:246:2:246:7 | call to memcpy |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:246:16:246:16 | (const void *)... |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:246:16:246:16 | s |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | shared.h:17:36:17:37 | s2 |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:24:28:27 | call to atoi |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:29:28:34 | call to getenv |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:29:28:45 | (const char *)... |

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected

@@ -36,6 +36,50 @@
 | defaulttainttracking.cpp:195:11:195:16 | call to getenv | defaulttainttracking.cpp:195:7:195:7 | x | AST only |
 | defaulttainttracking.cpp:201:13:201:18 | call to getenv | defaulttainttracking.cpp:201:9:201:9 | x | AST only |
 | defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:208:23:208:23 | x | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:213:11:213:14 | (unnamed parameter 0) | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:217:7:217:12 | buffer | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:219:8:219:11 | ptr1 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:219:16:219:19 | ptr2 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:220:8:220:11 | ptr3 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:220:16:220:19 | ptr4 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:222:2:222:5 | ptr1 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:222:9:222:14 | buffer | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:223:2:223:5 | ptr2 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:223:9:223:13 | & ... | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:223:10:223:13 | ptr1 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:224:9:224:14 | buffer | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:225:2:225:5 | ptr3 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:225:9:225:14 | buffer | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:226:2:226:5 | ptr4 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:226:9:226:13 | & ... | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:226:10:226:13 | ptr3 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:228:7:228:12 | (const char *)... | IR only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:228:7:228:12 | array to pointer conversion | IR only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:230:7:230:10 | ptr2 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:231:7:231:11 | (const char *)... | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:231:7:231:11 | * ... | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:231:8:231:11 | ptr2 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:233:7:233:10 | ptr4 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:234:7:234:11 | (const char *)... | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:234:7:234:11 | * ... | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | defaulttainttracking.cpp:234:8:234:11 | ptr4 | AST only |
+| defaulttainttracking.cpp:218:12:218:17 | call to getenv | shared.h:17:20:17:21 | s1 | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:213:11:213:14 | (unnamed parameter 0) | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:241:8:241:11 | ptr1 | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:241:16:241:19 | ptr2 | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:245:2:245:5 | ptr2 | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:245:9:245:13 | & ... | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:245:10:245:13 | ptr1 | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:246:9:246:13 | * ... | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:246:10:246:13 | ptr2 | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:251:7:251:10 | (const char *)... | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:251:7:251:10 | ptr1 | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:252:7:252:10 | ptr2 | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:253:7:253:11 | (const char *)... | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:253:7:253:11 | * ... | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | defaulttainttracking.cpp:253:8:253:11 | ptr2 | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | shared.h:5:23:5:31 | sinkparam | AST only |
+| defaulttainttracking.cpp:240:12:240:17 | call to getenv | shared.h:17:20:17:21 | s1 | AST only |
 | globals.cpp:13:15:13:20 | call to getenv | globals.cpp:13:5:13:11 | global1 | AST only |
 | globals.cpp:23:15:23:20 | call to getenv | globals.cpp:23:5:23:11 | global2 | AST only |
 | stl.cpp:62:25:62:30 | call to getenv | stl.cpp:43:78:43:104 | (unnamed parameter 0) | IR only |

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -997,7 +997,7 @@ int PointerDecay(int a[], int fn(float)) {
   return a[0] + fn(1.0);
 }
 
-int ExprStmt(int b, int y, int z) {
+int StmtExpr(int b, int y, int z) {
   int x = ({
     int w;
     if (b) {

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -5532,7 +5532,7 @@ ir.cpp:
 #  996|     v996_13(void)            = AliasedUse               : ~m?
 #  996|     v996_14(void)            = ExitFunction             : 
 
-# 1000| int ExprStmt(int, int, int)
+# 1000| int StmtExpr(int, int, int)
 # 1000|   Block 0
 # 1000|     v1000_1(void)       = EnterFunction          : 
 # 1000|     mu1000_2(unknown)   = AliasedDefinition      :