@@ -11,13 +11,8 @@ import semmle.code.cpp.models.interfaces.DataFlow
1111/**
1212 * The `std::basic_string` template class.
1313 */
14- private class StdBasicString extends TemplateClass {
15- StdBasicString ( ) { this .hasQualifiedName ( "std" , "basic_string" ) }
16-
17- Declaration getAnInstMemberNamed ( string name ) {
18- result = getAnInstantiation ( ) .getAMember ( ) and
19- result .hasName ( name )
20- }
14+ private class StdBasicString extends ClassTemplateInstantiation {
15+ StdBasicString ( ) { this .getTemplate ( ) .hasQualifiedName ( "std" , "basic_string" ) }
2116}
2217
2318/**
@@ -29,7 +24,7 @@ private class StdBasicString extends TemplateClass {
2924 * ```
3025 */
3126private class StdStringConstructor extends Constructor , TaintFunction {
32- StdStringConstructor ( ) { this = any ( StdBasicString s ) . getAnInstantiation ( ) . getAMember ( ) }
27+ StdStringConstructor ( ) { this . getDeclaringType ( ) instanceof StdBasicString }
3328
3429 /**
3530 * Gets the index of a parameter to this function that is a string (or
@@ -74,7 +69,7 @@ private class StdStringConstructor extends Constructor, TaintFunction {
7469 * The `std::string` function `c_str`.
7570 */
7671private class StdStringCStr extends TaintFunction {
77- StdStringCStr ( ) { this = any ( StdBasicString s ) . getAnInstMemberNamed ( "c_str" ) }
72+ StdStringCStr ( ) { this . getDeclaringType ( ) instanceof StdBasicString and this . hasName ( "c_str" ) }
7873
7974 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
8075 // flow from string itself (qualifier) to return value
@@ -87,7 +82,7 @@ private class StdStringCStr extends TaintFunction {
8782 * The `std::string` function `data`.
8883 */
8984private class StdStringData extends TaintFunction {
90- StdStringData ( ) { this = any ( StdBasicString s ) . getAnInstMemberNamed ( "data" ) }
85+ StdStringData ( ) { this . getDeclaringType ( ) instanceof StdBasicString and this . hasName ( "data" ) }
9186
9287 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
9388 // flow from string itself (qualifier) to return value
@@ -105,7 +100,10 @@ private class StdStringData extends TaintFunction {
105100 * The `std::string` function `push_back`.
106101 */
107102private class StdStringPush extends TaintFunction {
108- StdStringPush ( ) { this = any ( StdBasicString s ) .getAnInstMemberNamed ( "push_back" ) }
103+ StdStringPush ( ) {
104+ this .getDeclaringType ( ) .( ClassTemplateInstantiation ) instanceof StdBasicString and
105+ this .hasName ( "push_back" )
106+ }
109107
110108 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
111109 // flow from parameter to qualifier
@@ -118,7 +116,9 @@ private class StdStringPush extends TaintFunction {
118116 * The `std::string` functions `front` and `back`.
119117 */
120118private class StdStringFrontBack extends TaintFunction {
121- StdStringFrontBack ( ) { this = any ( StdBasicString s ) .getAnInstMemberNamed ( [ "front" , "back" ] ) }
119+ StdStringFrontBack ( ) {
120+ this .getDeclaringType ( ) instanceof StdBasicString and this .hasName ( [ "front" , "back" ] )
121+ }
122122
123123 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
124124 // flow from object to returned reference
@@ -133,7 +133,7 @@ private class StdStringFrontBack extends TaintFunction {
133133private class StdStringPlus extends TaintFunction {
134134 StdStringPlus ( ) {
135135 this .hasQualifiedName ( "std" , "operator+" ) and
136- this .getUnspecifiedType ( ) = any ( StdBasicString s ) . getAnInstantiation ( )
136+ this .getUnspecifiedType ( ) instanceof StdBasicString
137137 }
138138
139139 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
@@ -153,7 +153,8 @@ private class StdStringPlus extends TaintFunction {
153153 */
154154private class StdStringAppend extends TaintFunction {
155155 StdStringAppend ( ) {
156- this = any ( StdBasicString s ) .getAnInstMemberNamed ( [ "operator+=" , "append" , "insert" , "replace" ] )
156+ this .getDeclaringType ( ) instanceof StdBasicString and
157+ this .hasName ( [ "operator+=" , "append" , "insert" , "replace" ] )
157158 }
158159
159160 /**
@@ -195,7 +196,7 @@ private class StdStringAppend extends TaintFunction {
195196 * The standard function `std::string.assign`.
196197 */
197198private class StdStringAssign extends TaintFunction {
198- StdStringAssign ( ) { this = any ( StdBasicString s ) . getAnInstMemberNamed ( "assign" ) }
199+ StdStringAssign ( ) { this . getDeclaringType ( ) instanceof StdBasicString and this . hasName ( "assign" ) }
199200
200201 /**
201202 * Gets the index of a parameter to this function that is a string (or
@@ -235,7 +236,7 @@ private class StdStringAssign extends TaintFunction {
235236 * The standard function `std::string.copy`.
236237 */
237238private class StdStringCopy extends TaintFunction {
238- StdStringCopy ( ) { this = any ( StdBasicString s ) . getAnInstMemberNamed ( "copy" ) }
239+ StdStringCopy ( ) { this . getDeclaringType ( ) instanceof StdBasicString and this . hasName ( "copy" ) }
239240
240241 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
241242 // copy(dest, num, pos)
@@ -248,7 +249,7 @@ private class StdStringCopy extends TaintFunction {
248249 * The standard function `std::string.substr`.
249250 */
250251private class StdStringSubstr extends TaintFunction {
251- StdStringSubstr ( ) { this = any ( StdBasicString s ) . getAnInstMemberNamed ( "substr" ) }
252+ StdStringSubstr ( ) { this . getDeclaringType ( ) instanceof StdBasicString and this . hasName ( "substr" ) }
252253
253254 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
254255 // substr(pos, num)
@@ -260,20 +261,17 @@ private class StdStringSubstr extends TaintFunction {
260261/**
261262 * The `std::basic_stringstream` template class.
262263 */
263- private class StdBasicStringStream extends TemplateClass {
264- StdBasicStringStream ( ) { this .hasQualifiedName ( "std" , "basic_stringstream" ) }
265-
266- Declaration getAnInstMemberNamed ( string name ) {
267- result = getAnInstantiation ( ) .getAMember ( ) and
268- result .hasName ( name )
269- }
264+ private class StdBasicStringStream extends ClassTemplateInstantiation {
265+ StdBasicStringStream ( ) { this .getTemplate ( ) .hasQualifiedName ( "std" , "basic_stringstream" ) }
270266}
271267
272268/**
273269 * The `std::string` functions `at` and `operator[]`.
274270 */
275271private class StdStringAt extends TaintFunction {
276- StdStringAt ( ) { this = any ( StdBasicString s ) .getAnInstMemberNamed ( [ "at" , "operator[]" ] ) }
272+ StdStringAt ( ) {
273+ this .getDeclaringType ( ) instanceof StdBasicString and this .hasName ( [ "at" , "operator[]" ] )
274+ }
277275
278276 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
279277 // flow from qualifier to referenced return value
@@ -289,20 +287,17 @@ private class StdStringAt extends TaintFunction {
289287/**
290288 * The `std::basic_istream` template class.
291289 */
292- private class StdBasicIStream extends TemplateClass {
293- StdBasicIStream ( ) { this .hasQualifiedName ( "std" , "basic_istream" ) }
294-
295- Declaration getAnInstMemberNamed ( string name ) {
296- result = getAnInstantiation ( ) .getAMember ( ) and
297- result .hasName ( name )
298- }
290+ private class StdBasicIStream extends ClassTemplateInstantiation {
291+ StdBasicIStream ( ) { this .getTemplate ( ) .hasQualifiedName ( "std" , "basic_istream" ) }
299292}
300293
301294/**
302295 * The `std::istream` function `operator>>` (defined as a member function).
303296 */
304297private class StdIStreamIn extends DataFlowFunction , TaintFunction {
305- StdIStreamIn ( ) { this = any ( StdBasicIStream s ) .getAnInstMemberNamed ( "operator>>" ) }
298+ StdIStreamIn ( ) {
299+ this .getDeclaringType ( ) instanceof StdBasicIStream and this .hasName ( "operator>>" )
300+ }
306301
307302 override predicate hasDataFlow ( FunctionInput input , FunctionOutput output ) {
308303 // returns reference to `*this`
@@ -327,8 +322,7 @@ private class StdIStreamIn extends DataFlowFunction, TaintFunction {
327322private class StdIStreamInNonMember extends DataFlowFunction , TaintFunction {
328323 StdIStreamInNonMember ( ) {
329324 this .hasQualifiedName ( "std" , "operator>>" ) and
330- this .getUnspecifiedType ( ) .( ReferenceType ) .getBaseType ( ) =
331- any ( StdBasicIStream s ) .getAnInstantiation ( )
325+ this .getUnspecifiedType ( ) .( ReferenceType ) .getBaseType ( ) instanceof StdBasicIStream
332326 }
333327
334328 override predicate hasDataFlow ( FunctionInput input , FunctionOutput output ) {
@@ -353,7 +347,8 @@ private class StdIStreamInNonMember extends DataFlowFunction, TaintFunction {
353347 */
354348private class StdIStreamGet extends TaintFunction {
355349 StdIStreamGet ( ) {
356- this = any ( StdBasicIStream s ) .getAnInstMemberNamed ( [ "get" , "peek" ] ) and
350+ this .getDeclaringType ( ) instanceof StdBasicIStream and
351+ this .hasName ( [ "get" , "peek" ] ) and
357352 this .getNumberOfParameters ( ) = 0
358353 }
359354
@@ -369,7 +364,8 @@ private class StdIStreamGet extends TaintFunction {
369364 */
370365private class StdIStreamRead extends DataFlowFunction , TaintFunction {
371366 StdIStreamRead ( ) {
372- this = any ( StdBasicIStream s ) .getAnInstMemberNamed ( [ "get" , "read" ] ) and
367+ this .getDeclaringType ( ) instanceof StdBasicIStream and
368+ this .hasName ( [ "get" , "read" ] ) and
373369 this .getNumberOfParameters ( ) > 0
374370 }
375371
@@ -394,7 +390,9 @@ private class StdIStreamRead extends DataFlowFunction, TaintFunction {
394390 * The `std::istream` function `readsome`.
395391 */
396392private class StdIStreamReadSome extends TaintFunction {
397- StdIStreamReadSome ( ) { this = any ( StdBasicIStream s ) .getAnInstMemberNamed ( "readsome" ) }
393+ StdIStreamReadSome ( ) {
394+ this .getDeclaringType ( ) instanceof StdBasicIStream and this .hasName ( "readsome" )
395+ }
398396
399397 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
400398 // flow from qualifier to first parameter
@@ -407,7 +405,9 @@ private class StdIStreamReadSome extends TaintFunction {
407405 * The `std::istream` function `putback`.
408406 */
409407private class StdIStreamPutBack extends DataFlowFunction , TaintFunction {
410- StdIStreamPutBack ( ) { this = any ( StdBasicIStream s ) .getAnInstMemberNamed ( "putback" ) }
408+ StdIStreamPutBack ( ) {
409+ this .getDeclaringType ( ) instanceof StdBasicIStream and this .hasName ( "putback" )
410+ }
411411
412412 override predicate hasDataFlow ( FunctionInput input , FunctionOutput output ) {
413413 // returns reference to `*this`
@@ -440,7 +440,9 @@ private class StdIStreamPutBack extends DataFlowFunction, TaintFunction {
440440 * The `std::istream` function `getline`.
441441 */
442442private class StdIStreamGetLine extends DataFlowFunction , TaintFunction {
443- StdIStreamGetLine ( ) { this = any ( StdBasicIStream s ) .getAnInstMemberNamed ( "getline" ) }
443+ StdIStreamGetLine ( ) {
444+ this .getDeclaringType ( ) instanceof StdBasicIStream and this .hasName ( "getline" )
445+ }
444446
445447 override predicate hasDataFlow ( FunctionInput input , FunctionOutput output ) {
446448 // returns reference to `*this`
@@ -485,13 +487,8 @@ private class StdGetLine extends DataFlowFunction, TaintFunction {
485487/**
486488 * The `std::basic_ostream` template class.
487489 */
488- private class StdBasicOStream extends TemplateClass {
489- StdBasicOStream ( ) { this .hasQualifiedName ( "std" , "basic_ostream" ) }
490-
491- Declaration getAnInstMemberNamed ( string name ) {
492- result = getAnInstantiation ( ) .getAMember ( ) and
493- result .hasName ( name )
494- }
490+ private class StdBasicOStream extends ClassTemplateInstantiation {
491+ StdBasicOStream ( ) { this .getTemplate ( ) .hasQualifiedName ( "std" , "basic_ostream" ) }
495492}
496493
497494/**
@@ -500,7 +497,8 @@ private class StdBasicOStream extends TemplateClass {
500497 */
501498private class StdOStreamOut extends DataFlowFunction , TaintFunction {
502499 StdOStreamOut ( ) {
503- this = any ( StdBasicOStream s ) .getAnInstMemberNamed ( [ "operator<<" , "put" , "write" ] )
500+ this .getDeclaringType ( ) instanceof StdBasicOStream and
501+ this .hasName ( [ "operator<<" , "put" , "write" ] )
504502 }
505503
506504 override predicate hasDataFlow ( FunctionInput input , FunctionOutput output ) {
@@ -536,8 +534,7 @@ private class StdOStreamOut extends DataFlowFunction, TaintFunction {
536534private class StdOStreamOutNonMember extends DataFlowFunction , TaintFunction {
537535 StdOStreamOutNonMember ( ) {
538536 this .hasQualifiedName ( "std" , "operator<<" ) and
539- this .getUnspecifiedType ( ) .( ReferenceType ) .getBaseType ( ) =
540- any ( StdBasicOStream s ) .getAnInstantiation ( )
537+ this .getUnspecifiedType ( ) .( ReferenceType ) .getBaseType ( ) instanceof StdBasicOStream
541538 }
542539
543540 override predicate hasDataFlow ( FunctionInput input , FunctionOutput output ) {
@@ -566,9 +563,7 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
566563 * input parameter.
567564 */
568565private class StdStringStreamConstructor extends Constructor , TaintFunction {
569- StdStringStreamConstructor ( ) {
570- this = any ( StdBasicStringStream s ) .getAnInstantiation ( ) .getAMember ( )
571- }
566+ StdStringStreamConstructor ( ) { this .getDeclaringType ( ) instanceof StdBasicStringStream }
572567
573568 /**
574569 * Gets the index of a parameter to this function that is a string.
@@ -592,7 +587,9 @@ private class StdStringStreamConstructor extends Constructor, TaintFunction {
592587 * The `std::stringstream` function `str`.
593588 */
594589private class StdStringStreamStr extends TaintFunction {
595- StdStringStreamStr ( ) { this = any ( StdBasicStringStream s ) .getAnInstMemberNamed ( "str" ) }
590+ StdStringStreamStr ( ) {
591+ this .getDeclaringType ( ) instanceof StdBasicStringStream and this .hasName ( "str" )
592+ }
596593
597594 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
598595 // flow from qualifier to return value (if any)
@@ -608,13 +605,8 @@ private class StdStringStreamStr extends TaintFunction {
608605/**
609606 * The `std::basic_ios` template class.
610607 */
611- private class StdBasicIOS extends TemplateClass {
612- StdBasicIOS ( ) { this .hasQualifiedName ( "std" , "basic_ios" ) }
613-
614- Declaration getAnInstMemberNamed ( string name ) {
615- result = getAnInstantiation ( ) .getAMember ( ) and
616- result .hasName ( name )
617- }
608+ private class StdBasicIOS extends ClassTemplateInstantiation {
609+ StdBasicIOS ( ) { this .getTemplate ( ) .hasQualifiedName ( "std" , "basic_ios" ) }
618610}
619611
620612/**
@@ -623,11 +615,12 @@ private class StdBasicIOS extends TemplateClass {
623615 */
624616private class StdStreamFunction extends DataFlowFunction , TaintFunction {
625617 StdStreamFunction ( ) {
626- this = any ( StdBasicIStream s ) .getAnInstMemberNamed ( [ "ignore" , "unget" , "seekg" ] )
618+ this .getDeclaringType ( ) instanceof StdBasicIStream and
619+ this .hasName ( [ "ignore" , "unget" , "seekg" ] )
627620 or
628- this = any ( StdBasicOStream s ) . getAnInstMemberNamed ( [ "seekp" , "flush" ] )
621+ this . getDeclaringType ( ) instanceof StdBasicOStream and this . hasName ( [ "seekp" , "flush" ] )
629622 or
630- this = any ( StdBasicIOS s ) . getAnInstMemberNamed ( "copyfmt" )
623+ this . getDeclaringType ( ) instanceof StdBasicIOS and this . hasName ( "copyfmt" )
631624 }
632625
633626 override predicate hasDataFlow ( FunctionInput input , FunctionOutput output ) {
0 commit comments