C++: Introduce 'indirect_sink' in dataflow tests.

MathiasVP · MathiasVP · commit 35e91bafa721 · 2023-05-16T17:39:53.000+01:00
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/clang.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/clang.cpp
@@ -1,7 +1,7 @@
 // semmle-extractor-options: --edg --clang
 
 int source();
-void sink(int); void sink(const int *); void sink(int **);
+void sink(int); void sink(const int *); void sink(int **); void indirect_sink(...);
 
 struct twoIntFields {
   int m1, m2;
@@ -19,7 +19,8 @@ void following_pointers( // $ ast-def=sourceStruct1_ptr
 
   sink(sourceArray1[0]); // no flow
   sink(*sourceArray1); // no flow
-  sink(&sourceArray1); // $ ast,ir // [should probably be taint only]
+  sink(&sourceArray1); // $ ast // [should probably be taint only]
+  indirect_sink(&sourceArray1); // $ ast,ir
 
   sink(sourceStruct1.m1); // no flow
   sink(sourceStruct1_ptr->m1); // no flow
@@ -48,5 +49,6 @@ void following_pointers( // $ ast-def=sourceStruct1_ptr
 
   int stackArray[2] = { source(), source() };
   stackArray[0] = source();
-  sink(stackArray); // $ ast ir ir=49:25 ir=49:35 ir=50:19
+  sink(stackArray); // $ ast,ir
+  indirect_sink(stackArray); // $ ast ir=50:25 ir=50:35 ir=51:19
 }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
@@ -28,9 +28,10 @@ postWithInFlow
 | BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:22:9:22:20 | sourceArray1 [inner post update] | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:28:22:28:23 | m1 [post update] | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:50:3:50:12 | stackArray [inner post update] | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:50:3:50:15 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:23:18:23:29 | sourceArray1 [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:29:22:29:23 | m1 [post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:51:3:51:12 | stackArray [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:51:3:51:15 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:60:3:60:14 | globalBottom [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:61:3:61:14 | globalMiddle [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:78:24:78:37 | call to allocateBottom [inner post update] | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -1,5 +1,5 @@
 int source();
-void sink(int); void sink(const int *); void sink(int **);
+void sink(int); void sink(const int *); void sink(int **); void indirect_sink(...);
 
 void intraprocedural_with_local_flow() {
   int t2;
@@ -626,7 +626,7 @@ void test_def_via_phi_read(bool b)
     use(buffer);
   }
   intPointerSource(buffer);
-  sink(buffer); // $ ast,ir
+  indirect_sink(buffer); // $ ast,ir
 }
 
 void test_static_local_1() {
@@ -692,7 +692,7 @@ void test_static_local_9() {
 
 void increment_buf(int** buf) { // $ ast-def=buf ir-def=*buf ir-def=**buf
   *buf += 10;
-  sink(buf); // $ SPURIOUS: ast,ir // should only be flow to the indirect argument, but there's also flow to the non-indirect argument
+  sink(buf); // $ SPURIOUS: ast,ir
 }
 
 void call_increment_buf(int** buf) { // $ ast-def=buf
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql
@@ -34,7 +34,7 @@ module AstTest {
 
     override predicate isSink(DataFlow::Node sink) {
       exists(FunctionCall call |
-        call.getTarget().getName() = "sink" and
+        call.getTarget().getName() = ["sink", "indirect_sink"] and
         sink.asExpr() = call.getAnArgument()
       )
     }
@@ -83,9 +83,12 @@ module IRTest {
     }
 
     override predicate isSink(DataFlow::Node sink) {
-      exists(FunctionCall call |
+      exists(FunctionCall call, Expr e | e = call.getAnArgument() |
         call.getTarget().getName() = "sink" and
-        call.getAnArgument() in [sink.asExpr(), sink.asIndirectExpr()]
+        sink.asExpr() = e
+        or
+        call.getTarget().getName() = "indirect_sink" and
+        sink.asIndirectExpr() = e
       )
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`int source();`
`2`		`-void sink(int); void sink(const int ); void sink(int *);`
	`2`	`+void sink(int); void sink(const int ); void sink(int *); void indirect_sink(...);`
`3`	`3`
`4`	`4`	`void intraprocedural_with_local_flow() {`
`5`	`5`	`int t2;`
`@@ -626,7 +626,7 @@ void test_def_via_phi_read(bool b)`
`626`	`626`	`use(buffer);`
`627`	`627`	`}`
`628`	`628`	`intPointerSource(buffer);`
`629`		`- sink(buffer); // $ ast,ir`
	`629`	`+ indirect_sink(buffer); // $ ast,ir`
`630`	`630`	`}`
`631`	`631`
`632`	`632`	`void test_static_local_1() {`
`@@ -692,7 +692,7 @@ void test_static_local_9() {`
`692`	`692`
`693`	`693`	`void increment_buf(int** buf) { // $ ast-def=buf ir-def=buf ir-def=*buf`
`694`	`694`	`*buf += 10;`
`695`		`- sink(buf); // $ SPURIOUS: ast,ir // should only be flow to the indirect argument, but there's also flow to the non-indirect argument`
	`695`	`+ sink(buf); // $ SPURIOUS: ast,ir`
`696`	`696`	`}`
`697`	`697`
`698`	`698`	`void call_increment_buf(int** buf) { // $ ast-def=buf`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ module AstTest {`
`34`	`34`
`35`	`35`	`override predicate isSink(DataFlow::Node sink) {`
`36`	`36`	`exists(FunctionCall call \|`
`37`		`- call.getTarget().getName() = "sink" and`
	`37`	`+ call.getTarget().getName() = ["sink", "indirect_sink"] and`
`38`	`38`	`sink.asExpr() = call.getAnArgument()`
`39`	`39`	`)`
`40`	`40`	`}`
`@@ -83,9 +83,12 @@ module IRTest {`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`override predicate isSink(DataFlow::Node sink) {`
`86`		`- exists(FunctionCall call \|`
	`86`	`+ exists(FunctionCall call, Expr e \| e = call.getAnArgument() \|`
`87`	`87`	`call.getTarget().getName() = "sink" and`
`88`		`- call.getAnArgument() in [sink.asExpr(), sink.asIndirectExpr()]`
	`88`	`+ sink.asExpr() = e`
	`89`	`+ or`
	`90`	`+ call.getTarget().getName() = "indirect_sink" and`
	`91`	`+ sink.asIndirectExpr() = e`
`89`	`92`	`)`
`90`	`93`	`}`
`91`	`94`