C++: Implement Argument + Parameter indirection.

geoffw0 · geoffw0 · commit 14deb06e8049 · 2024-03-25T11:20:55.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -52,25 +52,33 @@ module Input implements InputSig<DataFlowImplSpecific::CppDataFlow> {
 
   bindingset[token]
   ParameterPosition decodeUnknownParameterPosition(AccessPath::AccessPathTokenBase token) {
-    // needed to support `Argument[x..y]` ranges and `Argument[-1]`
-    token.getName() = "Argument" and
-    exists(int pos | pos = AccessPath::parseInt(token.getAnArgument()) |
-      pos >= 0 and result = TDirectPosition(pos)
-      or
-      // `Argument[-1]` is the qualifier object `*this`, not the `this` pointer itself
-      pos = -1 and result = TIndirectionPosition(pos, 1)
+    // needed to support `Argument[x..y]` ranges, `Argument[-1]`, and indirections `*Argument[0]`.
+    exists(int indirection |
+      token.getName() = indirectionString(indirection) + "Argument" and
+      exists(int pos | pos = AccessPath::parseInt(token.getAnArgument()) |
+        pos >= 0 and indirection = 0 and result = TDirectPosition(pos)
+        or
+        pos >= 0 and indirection > 0 and result = TIndirectionPosition(pos, indirection)
+        or
+        // `Argument[-1]` is the qualifier object `*this`, not the `this` pointer itself
+        pos = -1 and result = TIndirectionPosition(pos, indirection + 1)
+      )
     )
   }
 
   bindingset[token]
   ArgumentPosition decodeUnknownArgumentPosition(AccessPath::AccessPathTokenBase token) {
-    // needed to support `Parameter[x..y]` ranges and `Parameter[-1]`
-    token.getName() = "Parameter" and
-    exists(int pos | pos = AccessPath::parseInt(token.getAnArgument()) |
-      pos >= 0 and result = TDirectPosition(pos)
-      or
-      // `Argument[-1]` is the qualifier object `*this`, not the `this` pointer itself
-      pos = -1 and result = TIndirectionPosition(pos, 1)
+    // needed to support `Argument[x..y]` ranges, `Argument[-1]`, and indirections `*Argument[0]`.
+    exists(int indirection |
+      token.getName() = indirectionString(indirection) + "Parameter" and
+      exists(int pos | pos = AccessPath::parseInt(token.getAnArgument()) |
+        pos >= 0 and indirection = 0 and result = TDirectPosition(pos)
+        or
+        pos >= 0 and indirection > 0 and result = TIndirectionPosition(pos, indirection)
+        or
+        // `Argument[-1]` is the qualifier object `*this`, not the `this` pointer itself
+        pos = -1 and result = TIndirectionPosition(pos, indirection + 1)
+      )
     )
   }
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -455,7 +455,7 @@ class IndirectionPosition extends Position, TIndirectionPosition {
 }
 
 newtype TPosition =
-  TDirectPosition(int index) { exists(any(CallInstruction c).getArgument(index)) } or
+  TDirectPosition(int argumentIndex) { exists(any(CallInstruction c).getArgument(argumentIndex)) } or
   TIndirectionPosition(int argumentIndex, int indirectionIndex) {
     Ssa::hasIndirectOperand(any(CallInstruction call).getArgumentOperand(argumentIndex),
       indirectionIndex)
diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected b/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
@@ -4,6 +4,16 @@
 | tests.cpp:127:6:127:28 | [summary] to write: *ReturnValue in madArg0ToReturnIndirect | ReturnNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |
 | tests.cpp:129:5:129:28 | [summary param] 0 in madArg0ToReturnValueFlow | ParameterNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
 | tests.cpp:129:5:129:28 | [summary] to write: ReturnValue in madArg0ToReturnValueFlow | ReturnNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
+| tests.cpp:130:5:130:27 | [summary param] 0 indirection in madArg0IndirectToReturn | ParameterNode | madArg0IndirectToReturn | madArg0IndirectToReturn |
+| tests.cpp:130:5:130:27 | [summary] to write: ReturnValue in madArg0IndirectToReturn | ReturnNode | madArg0IndirectToReturn | madArg0IndirectToReturn |
+| tests.cpp:131:5:131:33 | [summary param] 0 indirection in madArg0DoubleIndirectToReturn | ParameterNode | madArg0DoubleIndirectToReturn | madArg0DoubleIndirectToReturn |
+| tests.cpp:131:5:131:33 | [summary] to write: ReturnValue in madArg0DoubleIndirectToReturn | ReturnNode | madArg0DoubleIndirectToReturn | madArg0DoubleIndirectToReturn |
+| tests.cpp:132:6:132:26 | [summary param] 0 in madArg0ToArg1Indirect | ParameterNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
+| tests.cpp:132:6:132:26 | [summary param] 1 indirection in madArg0ToArg1Indirect | ParameterNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
+| tests.cpp:132:6:132:26 | [summary] to write: Argument[1 indirection] in madArg0ToArg1Indirect | PostUpdateNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
+| tests.cpp:133:6:133:34 | [summary param] 0 indirection in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
+| tests.cpp:133:6:133:34 | [summary param] 1 indirection in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
+| tests.cpp:133:6:133:34 | [summary] to write: Argument[1 indirection] in madArg0IndirectToArg1Indirect | PostUpdateNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
 | tests.cpp:220:7:220:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
 | tests.cpp:220:7:220:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
 | tests.cpp:220:7:220:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp b/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
@@ -155,15 +155,15 @@ void test_summaries() {
 
 	a = source();
 	a_ptr = &a;
-	sink(madArg0IndirectToReturn(&a)); // $ MISSING: ir
-	sink(madArg0IndirectToReturn(a_ptr)); // $ MISSING: ir
-	sink(madArg0DoubleIndirectToReturn(&a_ptr)); // $ MISSING: ir
+	sink(madArg0IndirectToReturn(&a)); // $ ir
+	sink(madArg0IndirectToReturn(a_ptr)); // $ ir
+	sink(madArg0DoubleIndirectToReturn(&a_ptr)); // $ ir
 
 	madArg0ToArg1Indirect(source(), b);
-	sink(b); // $ MISSING: ir
+	sink(b); // $ ir
 
 	madArg0IndirectToArg1Indirect(&a, &c);
-	sink(c); // $ MISSING: ir
+	sink(c); // $ ir
 
 	MyContainer mc1, mc2;
 

Original file line number	Diff line number	Diff line change
`@@ -455,7 +455,7 @@ class IndirectionPosition extends Position, TIndirectionPosition {`
`455`	`455`	`}`
`456`	`456`
`457`	`457`	`newtype TPosition =`
`458`		`- TDirectPosition(int index) { exists(any(CallInstruction c).getArgument(index)) } or`
	`458`	`+ TDirectPosition(int argumentIndex) { exists(any(CallInstruction c).getArgument(argumentIndex)) } or`
`459`	`459`	`TIndirectionPosition(int argumentIndex, int indirectionIndex) {`
`460`	`460`	`Ssa::hasIndirectOperand(any(CallInstruction call).getArgumentOperand(argumentIndex),`
`461`	`461`	`indirectionIndex)`