C++: Make swap member functions data-flow functions

2026-04-27 17:55:19 +02:00 · 2024-09-03 09:46:58 +02:00
parent 04f4039adc
commit f066f21751
16 changed files with 97 additions and 107 deletions
--- a/cpp/ql/lib/change-notes/2024-09-04-swap-data-flow.md
+++ b/cpp/ql/lib/change-notes/2024-09-04-swap-data-flow.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll
@@ -26,7 +26,7 @@ private class Swap extends DataFlowFunction {
 * obj1.swap(obj2)
 * ```
 */
-private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
+private class MemberSwap extends DataFlowFunction, MemberFunction, AliasFunction {
  MemberSwap() {
    this.hasName("swap") and
    this.getNumberOfParameters() = 1 and
@@ -34,7 +34,7 @@ private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
      this.getDeclaringType()
  }

-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
    input.isQualifierObject() and
    output.isParameterDeref(0)
    or