C++: Allow flow through (previously missing) summary taint steps.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -6,6 +6,7 @@ private import semmle.code.cpp.models.interfaces.SideEffect
 private import DataFlowUtil
 private import DataFlowPrivate
 private import SsaInternals as Ssa
+private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 
 /**
  * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
@@ -37,6 +38,9 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
   )
   or
   any(Ssa::Indirection ind).isAdditionalTaintStep(nodeFrom, nodeTo)
+  or
+  // models-as-data summarized flow
+  FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(nodeFrom, nodeTo, _)
 }
 
 /**

cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp

@@ -129,7 +129,7 @@ void test_summaries() {
 	int a, b, c;
 
 	sink(madArg0ToReturn(0));
-	sink(madArg0ToReturn(source())); // $ MISSING: ir
+	sink(madArg0ToReturn(source())); // $ ir
 	sink(notASummary(source()));
 	sink(madArg0ToReturnValueFlow(0));
 	sink(madArg0ToReturnValueFlow(source())); // $ ir
@@ -158,7 +158,7 @@ void test_summaries() {
 
 	// test source + sinks + summaries together
 
-	madSinkArg0(madArg0ToReturn(remoteMadSource())); // $ MISSING: ir
+	madSinkArg0(madArg0ToReturn(remoteMadSource())); // $ ir
 	madSinkArg0(madArg0ToReturnValueFlow(remoteMadSource())); // $ ir
 	madSinkArg0(madArg0IndirectToReturn(remoteMadSourceIndirect())); // $ MISSING: ir*/
 }
@@ -256,13 +256,13 @@ void test_class_members() {
 	mc3.madArg0ToField(source());
 	sink(mc3.val); // $ MISSING: ir
 
-	sink(source2().madSelfToReturn()); // $ MISSING: ir
+	sink(source2().madSelfToReturn()); // $ ir
 	sink(source2().notASummary());
 
 	mc4.val = source();
 	sink(mc4.madFieldToReturn()); // $ MISSING: ir
 
-	sink(source3().namespaceMadSelfToReturn()); // $ MISSING: ir
+	sink(source3().namespaceMadSelfToReturn()); // $ ir
 
 	// test class member sources + sinks + summaries together