C++: Define DataFlowCallable.getUnderlyingCallable and use it to fix some issues.

geoffw0 · geoffw0 · commit 8faad92cfdcf · 2024-03-01T09:59:31.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -66,8 +66,7 @@ private import Make<DataFlowImplSpecific::CppDataFlow, Input> as Impl
 
 private module StepsInput implements Impl::Private::StepsInputSig {
   DataFlowCall getACall(Public::SummarizedCallable sc) {
-    result.getStaticCallTarget().asSourceCallable() = sc or
-    result.getStaticCallTarget().asSummarizedCallable() = sc // TODO: this should be the only case
+    result.getStaticCallTarget().getUnderlyingCallable() = sc
   }
 }
 
@@ -123,13 +122,10 @@ module SourceSinkInterpretationInput implements
     }
 
     /** Gets the callable that this node corresponds to, if any. */
-    DataFlowCallable asCallable() {
-      result.asSourceCallable() = this.asElement()
-      // TODO: or summary callable?
-    }
+    DataFlowCallable asCallable() { result.getUnderlyingCallable() = this.asElement() }
 
     /** Gets the target of this call, if any. */
-    Element getCallTarget() { result = this.asCall().getStaticCallTarget().asSourceCallable() } // TODO: summarized target???
+    Element getCallTarget() { result = this.asCall().getStaticCallTarget().getUnderlyingCallable() }
 
     /** Gets a textual representation of this node. */
     string toString() {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -24,7 +24,7 @@ DataFlowCallable defaultViableCallable(DataFlowCall call) {
   // that as a potential callee.
   exists(string qualifiedName, int nparams |
     callSignatureWithoutBody(qualifiedName, nparams, call.asCallInstruction()) and
-    functionSignatureWithBody(qualifiedName, nparams, result.asSourceCallable()) and
+    functionSignatureWithBody(qualifiedName, nparams, result.getUnderlyingCallable()) and
     strictcount(Function other | functionSignatureWithBody(qualifiedName, nparams, other)) = 1
   )
   or
@@ -40,7 +40,9 @@ DataFlowCallable viableCallable(DataFlowCall call) {
   result = defaultViableCallable(call)
   or
   // Additional call targets
-  result = any(AdditionalCallTarget additional).viableTarget(call.asCallInstruction().getUnconvertedResultExpression())
+  result =
+    any(AdditionalCallTarget additional)
+        .viableTarget(call.asCallInstruction().getUnconvertedResultExpression())
 }
 
 /**
@@ -176,7 +178,12 @@ private module VirtualDispatch {
   /** Call to a virtual function. */
   private class DataSensitiveOverriddenFunctionCall extends DataSensitiveCall {
     DataSensitiveOverriddenFunctionCall() {
-      exists(this.getStaticCallTarget().asSourceCallable().(VirtualFunction).getAnOverridingFunction())
+      exists(
+        this.getStaticCallTarget()
+            .getUnderlyingCallable()
+            .(VirtualFunction)
+            .getAnOverridingFunction()
+      )
     }
 
     override DataFlow::Node getDispatchValue() { result.asInstruction() = this.getArgument(-1) }
@@ -194,7 +201,8 @@ private module VirtualDispatch {
      */
     pragma[noinline]
     private predicate overrideMayAffectCall(Class overridingClass, MemberFunction overridingFunction) {
-      overridingFunction.getAnOverriddenFunction+() = this.getStaticCallTarget().asSourceCallable().(VirtualFunction) and
+      overridingFunction.getAnOverriddenFunction+() =
+        this.getStaticCallTarget().getUnderlyingCallable().(VirtualFunction) and
       overridingFunction.getDeclaringType() = overridingClass
     }
 
@@ -261,7 +269,7 @@ private predicate mayBenefitFromCallContext(
   f = pragma[only_bind_out](call).getEnclosingCallable() and
   exists(InitializeParameterInstruction init |
     not exists(call.getStaticCallTarget()) and
-    init.getEnclosingFunction() = f.asSourceCallable() and
+    init.getEnclosingFunction() = f.getUnderlyingCallable() and
     call.flowsFrom(DataFlow::instructionNode(init), _) and
     init.getParameter().getIndex() = arg
   )
@@ -276,7 +284,11 @@ DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
   exists(int i, DataFlowCallable f |
     mayBenefitFromCallContext(pragma[only_bind_into](call), f, i) and
     f = ctx.getStaticCallTarget() and
-    result = TSourceCallable(ctx.getArgument(i).getUnconvertedResultExpression().(FunctionAccess).getTarget())
+    result =
+      TSourceCallable(ctx.getArgument(i)
+            .getUnconvertedResultExpression()
+            .(FunctionAccess)
+            .getTarget())
   )
 }
 
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -978,6 +978,11 @@ class DataFlowCallable extends TDataFlowCallable {
   Cpp::Declaration asSourceCallable() { this = TSourceCallable(result) }
 
   FlowSummaryImpl::Public::SummarizedCallable asSummarizedCallable() { this = TSummarizedCallable(result) }
+
+  Cpp::Declaration getUnderlyingCallable() {
+    result = this.asSummarizedCallable() or // SummarizedCallable = Function (in CPP)
+    result = this.asSourceCallable()
+  }
 }
 
 private class SourceCallable extends DataFlowCallable, TSourceCallable {
@@ -1031,7 +1036,7 @@ class DataFlowCall extends TDataFlowCall {
   /**
    * Gets the `Function` that the call targets, if this is statically known.
    */
-  DataFlowCallable getStaticCallTarget() { none() } // TODO: should this return DataFlowCallable?
+  DataFlowCallable getStaticCallTarget() { none() }
 
   /**
    * Gets the `index`'th argument operand. The qualifier is considered to have index `-1`.
@@ -1104,7 +1109,7 @@ class SummaryCall extends DataFlowCall, TSummaryCall {
 
 //  override ArgumentOperand getArgumentOperand(int index) TODO
 
-  override DataFlowCallable getEnclosingCallable() { result = TSummarizedCallable(c) }
+  override DataFlowCallable getEnclosingCallable() { result = TSummarizedCallable(c) } // TODO: is this right?
 
   override string toString() { result = "[summary] call to " + receiver + " in " + c }
 
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -1010,7 +1010,9 @@ private module RawIndirectNodes {
       result = this.getOperand().getDef().getEnclosingFunction()
     }
 
-    override DataFlowCallable getEnclosingCallable() { result = TSourceCallable(this.getFunction()) }
+    override DataFlowCallable getEnclosingCallable() {
+      result = TSourceCallable(this.getFunction())
+    }
 
     override predicate isGLValue() { this.getOperand().isGLValue() }
 
@@ -1054,7 +1056,9 @@ private module RawIndirectNodes {
 
     override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
 
-    override DataFlowCallable getEnclosingCallable() { result = TSourceCallable(this.getFunction()) }
+    override DataFlowCallable getEnclosingCallable() {
+      result = TSourceCallable(this.getFunction())
+    }
 
     override predicate isGLValue() { this.getInstruction().isGLValue() }
 
@@ -1672,7 +1676,8 @@ private class ExplicitParameterNode extends ParameterNode, DirectParameterNode {
   ExplicitParameterNode() { exists(instr.getParameter()) }
 
   override predicate isParameterOf(DataFlowCallable f, ParameterPosition pos) {
-    f.asSourceCallable().(Function).getParameter(pos.(DirectPosition).getIndex()) = instr.getParameter()
+    f.getUnderlyingCallable().(Function).getParameter(pos.(DirectPosition).getIndex()) =
+      instr.getParameter()
   }
 
   override string toStringImpl() { result = instr.getParameter().toString() }
@@ -1685,7 +1690,8 @@ class ThisParameterNode extends ParameterNode, DirectParameterNode {
   ThisParameterNode() { instr.getIRVariable() instanceof IRThisVariable }
 
   override predicate isParameterOf(DataFlowCallable f, ParameterPosition pos) {
-    pos.(DirectPosition).getIndex() = -1 and instr.getEnclosingFunction() = f.asSourceCallable()
+    pos.(DirectPosition).getIndex() = -1 and
+    instr.getEnclosingFunction() = f.getUnderlyingCallable()
   }
 
   override string toStringImpl() { result = "this" }
@@ -1704,7 +1710,7 @@ class SummaryParameterNode extends ParameterNode, FlowSummaryNode {
   }
 
   override predicate isParameterOf(DataFlowCallable c, ParameterPosition p) {
-    c.asSummarizedCallable() = this.getSummarizedCallable() and
+    c.getUnderlyingCallable() = this.getSummarizedCallable() and
     p = this.getPosition()
   }
 }
