C++: Add false positive caused by flowing back into a function after doing reverse reads.

2026-04-29 02:35:15 +02:00 · 2023-08-28 14:45:16 +01:00
parent bb1712b489
commit f65fe34513
4 changed files with 51 additions and 0 deletions
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/self_argument_flow.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/self_argument_flow.cpp
@@ -0,0 +1,14 @@
+namespace {
+  struct Foo {
+    char string[10];
+  };
+
+  void acquire(char*);
+
+  Foo* test_self_argument_flow() {
+    Foo *info;
+    acquire(info->string); // $ SPURIOUS: self-arg-flow
+
+    return info;
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.ql
@@ -0,0 +1,33 @@
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+
+module TestConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.getLocation().getFile().getBaseName() = "self_argument_flow.cpp" and
+    source.asDefiningArgument() =
+      any(Call call | call.getTarget().hasName("acquire")).getAnArgument()
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asIndirectArgument() = any(Call call | call.getTarget().hasName("acquire")).getAnArgument()
+  }
+}
+
+import DataFlow::Global<TestConfig>
+
+module TestSelfArgumentFlow implements TestSig {
+  string getARelevantTag() { result = "self-arg-flow" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DataFlow::Node sink |
+      flowTo(sink) and
+      location = sink.getLocation() and
+      element = sink.toString() and
+      tag = "self-arg-flow" and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<TestSelfArgumentFlow>
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
@@ -14,6 +14,8 @@
 | ref.cpp:120:17:120:18 | x3 | ref.cpp:129:10:129:11 | x3 |
 | ref.cpp:120:21:120:22 | x4 | ref.cpp:131:15:131:16 | x4 |
 | ref.cpp:120:21:120:22 | x4 | ref.cpp:132:10:132:11 | x4 |
+| self_argument_flow.cpp:9:10:9:13 | info | self_argument_flow.cpp:10:13:10:16 | info |
+| self_argument_flow.cpp:9:10:9:13 | info | self_argument_flow.cpp:12:12:12:15 | info |
 | test.cpp:75:7:75:8 | u1 | test.cpp:76:8:76:9 | u1 |
 | test.cpp:83:7:83:8 | u2 | test.cpp:84:13:84:14 | u2 |
 | test.cpp:83:7:83:8 | u2 | test.cpp:85:8:85:9 | u2 |