diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
index 4a89e91c74e..29da7f7204c 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
@@ -931,31 +931,6 @@ private Element interpretElement0(
 signature = "" and
 elementSpec(namespace, type, subtypes, name, signature, _)
 )
- or
- // Member variables
- elementSpec(namespace, type, subtypes, name, signature, _) and
- signature = "" and
- exists(Class namedClass, Class classWithMember, MemberVariable member |
- member.getName() = name and
- member = classWithMember.getAMember() and
- namedClass.hasQualifiedName(namespace, type) and
- result = member
- |
- // field declared in the named type or a subtype of it (or an extension of any)
- subtypes = true and
- classWithMember = namedClass.getADerivedClass*()
- or
- // field declared directly in the named type (or an extension of it)
- subtypes = false and
- classWithMember = namedClass
- )
- or
- // Global or namespace variables
- elementSpec(namespace, type, subtypes, name, signature, _) and
- signature = "" and
- type = "" and
- subtypes = false and
- result = any(GlobalOrNamespaceVariable v | v.hasQualifiedName(namespace, name))
 }
 cached
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
index d91dc41febe..a980c4312be 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -218,40 +218,11 @@ module SourceSinkInterpretationInput implements
 /** Provides additional sink specification logic. */
 bindingset[c]
- predicate interpretOutput(string c, InterpretNode mid, InterpretNode node) {
- // Allow variables to be picked as output nodes.
- exists(Node n, Element ast |
- n = node.asNode() and
- ast = mid.asElement()
- |
- c = "" and
- n.asExpr().(VariableAccess).getTarget() = ast
- )
- }
+ predicate interpretOutput(string c, InterpretNode mid, InterpretNode node) { none() }
 /** Provides additional source specification logic. */
 bindingset[c]
- predicate interpretInput(string c, InterpretNode mid, InterpretNode node) {
- exists(Node n, Element ast, VariableAccess e |
- n = node.asNode() and
- ast = mid.asElement() and
- e.getTarget() = ast
- |
- // Allow variables to be picked as input nodes.
- // We could simply do this as `e = n.asExpr()`, but that would not allow
- // us to pick `x` as a sink in an example such as `x = source()` (but
- // only subsequent uses of `x`) since the variable access on `x` doesn't
- // actually load the value of `x`. So instead, we pick the instruction
- // node corresponding to the generated `StoreInstruction` and use the
- // expression associated with the destination instruction. This means
- // that the `x` in `x = source()` can be marked as an input.
- c = "" and
- exists(StoreInstruction store |
- store.getDestinationAddress().getUnconvertedResultExpression() = e and
- n.asInstruction() = store
- )
- )
- }
+ predicate interpretInput(string c, InterpretNode mid, InterpretNode node) { none() }
 }
 module Private {
diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.expected b/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.expected
index 0faf016ee41..919972df334 100644
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.expected
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.expected
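Review bot: Both `interpretOutput` and `interpretInput` now hold for nothing, yet no comment at the stubs says this is deliberate, so a models-as-data row that names a field or a global variable will resolve to no source or sink node without any signal to the model author. For the security queries built on these models that is a silent loss of coverage (false negatives) rather than an error, and the `Missing result` rows this commit adds to testModels.expected look like the visible part of it. I would add a line above each stub, for example `// Variables are intentionally not interpreted as source or sink nodes; rows that name a field or global variable match nothing.` Separately, the retained doc comments appear swapped (the removed `interpretInput` body talks about picking a sink, while its doc comment says "source"), which is worth confirming while these lines are being touched. The enclosing module `SourceSinkInterpretationInput` starts outside the hunk.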
@@ -28,6 +28,26 @@ multipleArgumentCall
 lambdaCallEnclosingCallableMismatch
 speculativeStepAlreadyHasModel
 testFailures
+| tests.cpp:20:25:20:45 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:21:34:21:54 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:25:34:25:54 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:72:28:72:34 | // $ ir | Missing result: ir |
+| tests.cpp:79:49:79:55 | // $ ir | Missing result: ir |
+| tests.cpp:99:17:99:37 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:100:26:100:46 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:122:26:122:32 | // $ ir | Missing result: ir |
+| tests.cpp:128:35:128:41 | // $ ir | Missing result: ir |
+| tests.cpp:167:33:167:53 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:168:41:168:61 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:169:42:169:62 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:272:32:272:52 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:278:24:278:44 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:309:34:309:54 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:310:47:310:67 | // $ interpretElement | Missing result: interpretElement |
+| tests.cpp:334:37:334:43 | // $ ir | Missing result: ir |
+| tests.cpp:347:34:347:40 | // $ ir | Missing result: ir |
+| tests.cpp:351:44:351:50 | // $ ir | Missing result: ir |
+| tests.cpp:352:68:352:74 | // $ ir | Missing result: ir |
 summaryCalls
 | file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
 | file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
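Review bot: The 20 rows added under `testFailures` bake failing inline expectations into the baseline instead of leaving that section empty, so a later, unrelated regression in this test will be harder to spot among the failures already accepted. If dropping variable support is meant to last, the `// $ interpretElement` and `// $ ir` annotations in tests.cpp (not shown in this diff) would better be changed to `// $ MISSING: interpretElement` and `// $ MISSING: ir`, which records the known gap while keeping `testFailures` empty. If this is an intermediate commit that a follow-up restores, a sentence saying so in the commit description would be enough.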