C++: Properly track smart pointer wrappers.

MathiasVP · MathiasVP · commit 5a8b900394b8 · 2023-02-27T14:57:35.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -186,10 +186,22 @@ private class PointerOrReferenceTypeIndirection extends Indirection instanceof P
   override int getNumberOfIndirections() {
     result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
   }
+}
 
-  override predicate isAdditionalDereference(Instruction deref, Operand address) { none() }
+private class PointerWrapperTypeIndirection extends Indirection instanceof PointerWrapper {
+  PointerWrapperTypeIndirection() { baseType = PointerWrapper.super.getBaseType() }
 
-  override predicate isAdditionalWrite(Node0Impl value, Operand address, boolean certain) { none() }
+  override int getNumberOfIndirections() {
+    result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
+  }
+
+  override predicate isAdditionalDereference(Instruction deref, Operand address) {
+    exists(CallInstruction call |
+      operandForFullyConvertedCall(getAUse(deref), call) and
+      this = call.getStaticCallTarget().getClassAndName("operator*") and
+      address = call.getThisArgumentOperand()
+    )
+  }
 }
 
 private module IteratorIndirections {
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -17,6 +17,8 @@ private class SmartPtr extends Class, PointerWrapper {
   }
 
   override predicate pointsToConst() { this.getTemplateArgument(0).(Type).isConst() }
+
+  override Type getBaseType() { result = this.getTemplateArgument(0) }
 }
 
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/PointerWrapper.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/PointerWrapper.qll
@@ -14,4 +14,7 @@ abstract class PointerWrapper extends Class {
 
   /** Holds if the type of the data that is pointed to by this pointer wrapper is `const`. */
   abstract predicate pointsToConst();
+
+  /** Gets the type pointed to by this pointer wrapper type. */
+  abstract Type getBaseType();
 }
diff --git a/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.expected b/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.expected
@@ -1 +0,0 @@
-| test.cpp:34:13:34:23 | // $ ast,ir | Missing result:ir= |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -85,11 +85,11 @@ struct B {
 
 void test_operator_arrow(std::unique_ptr<A> p, std::unique_ptr<B> q) {
   p->x = source();
-  sink(p->x); // $ ast MISSING: ir
+  sink(p->x); // $ ast,ir
   sink(p->y);
 
   q->a1.x = source();
-  sink(q->a1.x); // $ ast MISSING: ir
+  sink(q->a1.x); // $ ast,ir
   sink(q->a1.y);
   sink(q->a2.x);
 }
@@ -101,7 +101,7 @@ void taint_x(A* pa) {
 void reverse_taint_smart_pointer() {
   std::unique_ptr<A> p = std::unique_ptr<A>(new A);
   taint_x(p.get());
-  sink(p->x); // $ ast MISSING: ir
+  sink(p->x); // $ ast,ir
 }
 
 struct C {
@@ -131,7 +131,7 @@ int nested_shared_ptr_taint(std::shared_ptr<C> p1, std::unique_ptr<std::shared_p
 
 int nested_shared_ptr_taint_cref(std::shared_ptr<C> p1, std::unique_ptr<std::shared_ptr<int>> p2) {
   taint_x_shared_cref(p1->q);
-  sink(p1->q->x); // $ ast MISSING: ir
+  sink(p1->q->x); // $ ast,ir
 
   getNumberCRef(*p2);
   sink(**p2); // $ ast,ir

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@ private class SmartPtr extends Class, PointerWrapper {`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`override predicate pointsToConst() { this.getTemplateArgument(0).(Type).isConst() }`
	`20`	`+`
	`21`	`+ override Type getBaseType() { result = this.getTemplateArgument(0) }`
`20`	`22`	`}`
`21`	`23`
`22`	`24`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -14,4 +14,7 @@ abstract class PointerWrapper extends Class {`
`14`	`14`
`15`	`15`	/** Holds if the type of the data that is pointed to by this pointer wrapper is `const`. */
`16`	`16`	`abstract predicate pointsToConst();`
	`17`	`+`
	`18`	`+ /** Gets the type pointed to by this pointer wrapper type. */`
	`19`	`+ abstract Type getBaseType();`
`17`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +0,0 @@`
`1`		`-\| test.cpp:34:13:34:23 \| // $ ast,ir \| Missing result:ir= \|`