C++: Implement ReturnValue indirection (this version only worked with a small change to the shared library parsing to permit '*' in the token name; we no longer need this, so I rebased it out).

geoffw0 · geoffw0 · commit 638bfff09dfb · 2024-03-25T11:20:09.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -12,6 +12,14 @@ private import semmle.code.cpp.dataflow.ExternalFlow
 private import semmle.code.cpp.ir.IR
 
 module Input implements InputSig<DataFlowImplSpecific::CppDataFlow> {
+  /**
+   * Gets a string representing a level of indirection, for example for
+   * `indirection = 2`, the result is `**`.
+   */
+  private bindingset[indirection] string indirectionString(int indirection) {
+    result = concat(int i | i in [1 .. indirection] | "*")
+  }
+
   class SummarizedCallableBase = Function;
 
   ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) }
@@ -24,8 +32,8 @@ module Input implements InputSig<DataFlowImplSpecific::CppDataFlow> {
 
   string encodeReturn(ReturnKind rk, string arg) {
     rk != getStandardReturnValueKind() and
-    result = "ReturnValue" and
-    arg = rk.toString()
+    result = indirectionString(rk.(NormalReturnKind).getIndirectionIndex()) + "ReturnValue" and
+    arg = ""
   }
 
   string encodeContent(ContentSet cs, string arg) {
@@ -34,7 +42,6 @@ module Input implements InputSig<DataFlowImplSpecific::CppDataFlow> {
       result = "Field" and
       arg = c.getField().getName()
     )
-    // TODO: indirection support here?
   }
 
   string encodeWithoutContent(ContentSet c, string arg) {
diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected b/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
@@ -1,5 +1,7 @@
 | tests.cpp:126:5:126:19 | [summary param] 0 in madArg0ToReturn | ParameterNode | madArg0ToReturn | madArg0ToReturn |
 | tests.cpp:126:5:126:19 | [summary] to write: ReturnValue in madArg0ToReturn | ReturnNode | madArg0ToReturn | madArg0ToReturn |
+| tests.cpp:127:6:127:28 | [summary param] 0 in madArg0ToReturnIndirect | ParameterNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |
+| tests.cpp:127:6:127:28 | [summary] to write: *ReturnValue in madArg0ToReturnIndirect | ReturnNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |
 | tests.cpp:129:5:129:28 | [summary param] 0 in madArg0ToReturnValueFlow | ParameterNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
 | tests.cpp:129:5:129:28 | [summary] to write: ReturnValue in madArg0ToReturnValueFlow | ReturnNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
 | tests.cpp:220:7:220:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp b/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
@@ -148,7 +148,7 @@ void test_summaries() {
 	sink(madArg0ToReturn(0));
 	sink(madArg0ToReturn(source())); // $ ir
 	sink(*madArg0ToReturnIndirect(0));
-	sink(*madArg0ToReturnIndirect(source())); // $ MISSING: ir
+	sink(*madArg0ToReturnIndirect(source())); // $ ir
 	sink(notASummary(source()));
 	sink(madArg0ToReturnValueFlow(0));
 	sink(madArg0ToReturnValueFlow(source())); // $ ir
