C++: Remove flow into ReadSideEffect instructions in simpleInstructionLocalFlowStep

MathiasVP · MathiasVP · commit 8f4982d3f5bf · 2020-10-02T14:10:28.000+02:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -7,15 +7,33 @@ private import DataFlowDispatch
  * A data flow node that occurs as the argument of a call and is passed as-is
  * to the callable. Instance arguments (`this` pointer) are also included.
  */
-class ArgumentNode extends InstructionNode {
+class ArgumentNode extends Node {
   ArgumentNode() {
-    exists(CallInstruction call |
-      instr = call.getAnArgument()
-      or
-      instr.(ReadSideEffectInstruction).getPrimaryInstruction() = call
-    )
+    // To avoid making this class abstract, we enumerate its values here.
+    this instanceof PrimaryArgumentNode or
+    this instanceof SideEffectArgumentNode
+  }
+
+  /**
+   * Holds if this argument occurs at the given position in the given call.
+   * The instance argument is considered to have index `-1`.
+   */
+  predicate argumentOf(DataFlowCall call, int pos) {
+    this.(PrimaryArgumentNode).argumentOf(call, pos) or
+    this.(SideEffectArgumentNode).argumentOf(call, pos)
   }
 
+  /** Gets the call in which this node is an argument. */
+  DataFlowCall getCall() { this.argumentOf(result, _) }
+}
+
+/**
+ * A data flow node that occurs as the argument to a call, or an
+ * implicit `this` pointer argument.
+ */
+private class PrimaryArgumentNode extends InstructionNode {
+  PrimaryArgumentNode() { exists(CallInstruction call | instr = call.getAnArgument()) }
+
   /**
    * Holds if this argument occurs at the given position in the given call.
    * The instance argument is considered to have index `-1`.
@@ -24,16 +42,33 @@ class ArgumentNode extends InstructionNode {
     instr = call.getPositionalArgument(pos)
     or
     instr = call.getThisArgument() and pos = -1
-    or
-    exists(ReadSideEffectInstruction read |
-      read = instr and
+  }
+}
+
+/**
+ * A data flow node representing the read side effect of a call on a
+ * specific parameter.
+ */
+private class SideEffectArgumentNode extends OperandNode {
+  override SideEffectOperand op;
+  ReadSideEffectInstruction read;
+
+  SideEffectArgumentNode() {
+    exists(CallInstruction call |
       read.getPrimaryInstruction() = call and
-      pos = getArgumentPosOfSideEffect(read.getIndex())
+      op = read.getSideEffectOperand()
     )
   }
 
-  /** Gets the call in which this node is an argument. */
-  DataFlowCall getCall() { this.argumentOf(result, _) }
+  /**
+   * Holds if this argument occurs at the given position in the given call.
+   * See `getArgumentPosOfSideEffect` for a describing of how read side effects
+   * are assigned an argument position.
+   */
+  predicate argumentOf(DataFlowCall call, int pos) {
+    read.getPrimaryInstruction() = call and
+    pos = getArgumentPosOfSideEffect(read.getIndex())
+  }
 }
 
 private newtype TReturnKind =
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -509,12 +509,15 @@ class DefinitionByReferenceNode extends InstructionNode {
  * A node representing the memory pointed to by a function argument.
  *
  * This class exists only in order to override `toString`, which would
- * otherwise be the default implementation inherited from `InstructionNode`.
+ * otherwise be the default implementation inherited from `OperandNode`.
  */
-private class ArgumentIndirectionNode extends InstructionNode {
-  override ReadSideEffectInstruction instr;
+private class ArgumentIndirectionNode extends OperandNode {
+  override SideEffectOperand op;
+  ReadSideEffectInstruction read;
 
-  override string toString() { result = "Argument " + instr.getIndex() + " indirection" }
+  ArgumentIndirectionNode() { read.getSideEffectOperand() = op }
+
+  override string toString() { result = "Argument " + read.getIndex() + " indirection" }
 }
 
 /**
@@ -680,10 +683,6 @@ private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo
   or
   iTo.(PhiInstruction).getAnInputOperand() = opFrom
   or
-  // A read side effect is almost never exact since we don't know exactly how
-  // much memory the callee will read.
-  iTo.(ReadSideEffectInstruction).getSideEffectOperand() = opFrom
-  or
   // Treat all conversions as flow, even conversions between different numeric types.
   iTo.(ConvertInstruction).getUnaryOperand() = opFrom
   or
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/IRTaintTestCommon.qll b/cpp/ql/test/library-tests/dataflow/taint-tests/IRTaintTestCommon.qll
@@ -25,13 +25,10 @@ class TestAllocationConfig extends TaintTracking::Configuration {
       sink.(DataFlow::ExprNode).getConvertedExpr() instanceof ReferenceDereferenceExpr
     )
     or
-    sink
-        .asInstruction()
-        .(ReadSideEffectInstruction)
-        .getPrimaryInstruction()
-        .(CallInstruction)
-        .getStaticCallTarget()
-        .hasName("sink")
+    exists(ReadSideEffectInstruction read |
+      read.getSideEffectOperand() = sink.asOperand() and
+      read.getPrimaryInstruction().(CallInstruction).getStaticCallTarget().hasName("sink")
+    )
   }
 
   override predicate isSanitizer(DataFlow::Node barrier) {
