C++: Pivot ReturnKind solution to derive types from SSA + AST, rather than SSA + MAD.

geoffw0 · geoffw0 · commit 4d5f1586521f · 2024-04-09T13:49:21.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -262,25 +262,3 @@ module Private {
 }
 
 module Public = Impl::Public;
-
-/**
- * Gets a number of indirections that can be returned by a function
- * modelled using models-as-data.
- */
-int returnIndirectionForModelledFunction() {
-  exists(string inputOutput |
-    (
-      sourceModel(_, _, _, _, _, _, inputOutput, _, _) or
-      sinkModel(_, _, _, _, _, _, inputOutput, _, _) or
-      summaryModel(_, _, _, _, _, _, inputOutput, _, _, _) or
-      summaryModel(_, _, _, _, _, _, _, inputOutput, _, _)
-    ) and (
-      // Return the number of stars in `ReturnValue[...]`
-      result = inputOutput.regexpCapture("ReturnValue\\[(\\*+)\\]", 1).length()
-      or
-      // There are no brackets the result is 0
-      inputOutput = "ReturnValue" and
-      result = 0
-    )
-  )
-}
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -457,16 +457,32 @@ newtype TPosition =
 
 private newtype TReturnKind =
   TNormalReturnKind(int indirectionIndex) {
+    // derive a possible return indirection from SSA
+    // (this is a more durable approach if SSA infers additional indirections for any reason)
     Ssa::hasIndirectOperand(any(ReturnValueInstruction ret).getReturnAddressOperand(),
       indirectionIndex + 1) // We subtract one because the return loads the value.
     or
-    indirectionIndex = FlowSummaryImpl::returnIndirectionForModelledFunction()
+    // derive a possible return kind from the AST
+    // (this approach includes functions declared that have no body; they may still have flow summaries)
+    indirectionIndex =
+      [0 .. max(Ssa::Function f |
+          |
+          Ssa::getMaxIndirectionsForType(f.getUnspecifiedType()) - 1 // -1 because a returned value is a prvalue not a glvalue
+        )]
   } or
   TIndirectReturnKind(int argumentIndex, int indirectionIndex) {
+    // derive a possible return argument from SSA
     exists(Ssa::FinalParameterUse use |
       use.getIndirectionIndex() = indirectionIndex and
       use.getArgumentIndex() = argumentIndex
     )
+    or
+    // derive a possible return argument from the AST
+    indirectionIndex =
+      [0 .. max(Ssa::Function f |
+          |
+          Ssa::getMaxIndirectionsForType(f.getParameter(argumentIndex).getUnspecifiedType()) - 1 // -1 because an argument is a prvalue not a glvalue
+        )]
   }
 
 /**
