
Commit 774dcc7

author
Robert Marsh
committed
C++: New model class for iterator op* and op[]
1 parent e28a45b commit 774dcc7

3 files changed

Lines changed: 32 additions & 11 deletions


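--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -10,7 +10,7 @@
 
 private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.models.interfaces.Taint
-private import semmle.code.cpp.models.implementations.Iterator
+private import semmle.code.cpp.models.interfaces.Iterator
 
 private module DataFlow {
 import semmle.code.cpp.dataflow.internal.DataFlowUtil
@@ -264,10 +264,4 @@ private predicate exprToPartialDefinitionStep(Expr exprIn, Expr exprOut) {
 )
 }
 
-private predicate iteratorDereference(Call c) {
-c.getTarget() instanceof IteratorArrayMemberOperator
-or
-c.getTarget() instanceof IteratorPointerDereferenceMemberOperator
-or
-c.getTarget() instanceof IteratorPointerDereferenceOperator
-}
+private predicate iteratorDereference(Call c) { c.getTarget() instanceof IteratorReferenceFunction }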
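Review bot: The rewritten `iteratorDereference` on the last line holds for every subclass of the abstract `IteratorReferenceFunction`, but it never consults `getIteratorInput()`, so its caller (outside this hunk) still has to assume which operand of the call is the iterator. In this commit the non-member `operator*` reports an argument while the member forms report the qualifier, and a model added later could report something else. If the partial-definition step assumes one position, taint written through the other form would presumably be lost or attached to the wrong expression. Consider exposing the input, e.g. `private predicate iteratorDereference(Call c, FunctionInput iter) { iter = c.getTarget().(IteratorReferenceFunction).getIteratorInput() }`, with the matching caller change. The predicate would also benefit from a QLDoc line saying that the set of matched calls is now open to any model in scope.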

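--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -8,6 +8,7 @@
 import cpp
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.DataFlow
+import semmle.code.cpp.models.interfaces.Iterator
 
 /**
 * An instantiation of the `std::iterator_traits` template.
@@ -80,7 +81,7 @@ private FunctionInput getIteratorArgumentInput(Operator op, int index) {
 /**
 * A non-member prefix `operator*` function for an iterator type.
 */
-class IteratorPointerDereferenceOperator extends Operator, TaintFunction {
+class IteratorPointerDereferenceOperator extends Operator, TaintFunction, IteratorReferenceFunction {
 FunctionInput iteratorInput;
 
 IteratorPointerDereferenceOperator() {
@@ -92,6 +93,8 @@ class IteratorPointerDereferenceOperator extends Operator, TaintFunction {
 input = iteratorInput and
 output.isReturnValue()
 }
+
+override FunctionInput getIteratorInput() { result = iteratorInput }
 }
 
 /**
@@ -169,12 +172,15 @@ class IteratorAssignArithmeticOperator extends Operator, DataFlowFunction, Taint
 /**
 * A prefix `operator*` member function for an iterator type.
 */
-class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction {
+class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
+IteratorReferenceFunction {
 IteratorPointerDereferenceMemberOperator() {
 this.hasName("operator*") and
 this.getDeclaringType() instanceof Iterator
 }
 
+override FunctionInput getIteratorInput() { result.isQualifierObject() }
+
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 input.isQualifierObject() and
 output.isReturnValue()
@@ -260,7 +266,7 @@ class IteratorAssignArithmeticMemberOperator extends MemberFunction, DataFlowFun
 /**
 * An `operator[]` member function of an iterator class.
 */
-class IteratorArrayMemberOperator extends MemberFunction, TaintFunction {
+class IteratorArrayMemberOperator extends MemberFunction, TaintFunction, IteratorReferenceFunction {
 IteratorArrayMemberOperator() {
 this.hasName("operator[]") and
 this.getDeclaringType() instanceof Iterator
@@ -270,6 +276,8 @@ class IteratorArrayMemberOperator extends MemberFunction, TaintFunction {
 input.isQualifierObject() and
 output.isReturnValue()
 }
+
+override FunctionInput getIteratorInput() { result.isQualifierObject() }
 }
 
 /**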
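Review bot: The three classes that now extend `IteratorReferenceFunction` are thereby declared to return a reference that can write to the underlying collection, yet the characteristic predicates visible here (`hasName("operator*")` / `hasName("operator[]")` with `getDeclaringType() instanceof Iterator`) put no constraint on the return type. An overload that returns by value or by const reference, as a const iterator typically does, would then be treated as a write path and would presumably add spurious taint to the container. Consider narrowing only the `IteratorReferenceFunction` side, not the `TaintFunction` side that also models reads, with a condition such as `this.getType().getUnspecifiedType() instanceof ReferenceType` in a dedicated subclass. Otherwise, state in the QLDoc that const iterators are deliberately included. The constructors of `IteratorPointerDereferenceOperator` and `IteratorArrayMemberOperator` are only partly visible in these hunks, so an existing check there cannot be ruled out.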
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
/**
2+
* Provides an abstract class for accurate modeling of flow through output
3+
* iterators. To use this QL library, create a QL class extending
4+
* `IteratorReferenceFunction` with a characteristic predicate that selects the
5+
* function or set of functions you are modeling. Within that class, override
6+
* the predicates provided by `AliasFunction` to match the flow within that
7+
* function.
8+
*/
9+
10+
import cpp
11+
import semmle.code.cpp.models.Models
12+
13+
/**
14+
* A function which takes an iterator argument and returns a reference that
15+
* can be used to write to the iterator's underlying collection.
16+
*/
17+
abstract class IteratorReferenceFunction extends Function {
18+
abstract FunctionInput getIteratorInput();
19+
}
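Review bot: The file-level QLDoc tells implementers to override "the predicates provided by `AliasFunction`", but the class defined here is `IteratorReferenceFunction` and the only member to override is `getIteratorInput()`. The sentence looks carried over from another interface file and should read along the lines of `override getIteratorInput() to identify the operand that holds the iterator`. The abstract `getIteratorInput()` has no QLDoc of its own; `/** Gets the input (argument or qualifier) that holds the iterator being dereferenced. */` would tell model authors what to return. The class comment also says "iterator argument" although two implementations in this commit return the qualifier object, so "iterator argument or qualifier" would be more accurate.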
