@@ -2,7 +2,10 @@ import semmle.code.cpp.models.interfaces.DataFlow
22import semmle.code.cpp.models.interfaces.Taint
33
44/**
5- * The standard function `swap`.
5+ * The standard function `swap`. A use of `swap` looks like this:
6+ * ```
7+ * std::swap(obj1, obj2)
8+ * ```
69 */
710private class Swap extends DataFlowFunction {
811 Swap ( ) { this .hasQualifiedName ( "std" , "swap" ) }
@@ -17,82 +20,23 @@ private class Swap extends DataFlowFunction {
1720}
1821
1922/**
20- * The standard functions `std::string.swap` and `std::stringstream::swap`.
23+ * A `swap` member function that is used as follows:
24+ * ```
25+ * obj1.swap(obj2)
26+ * ```
2127 */
22- private class StdStringSwap extends TaintFunction {
23- StdStringSwap ( ) {
28+ private class MemberSwap extends TaintFunction {
29+ MemberSwap ( ) {
2430 this .hasQualifiedName ( "std" , "basic_string" , "swap" ) or
25- this .hasQualifiedName ( "std" , "basic_stringstream" , "swap" )
31+ this .hasQualifiedName ( "std" , "basic_stringstream" , "swap" ) or
32+ this .hasQualifiedName ( "std" , [ "array" , "vector" , "deque" , "list" , "forward_list" ] , "swap" ) or
33+ this .hasQualifiedName ( "std" , [ "set" , "unordered_set" ] , "swap" ) or
34+ this .hasQualifiedName ( "std" , "pair" , "swap" ) or
35+ this .hasQualifiedName ( "std" , [ "map" , "unordered_map" ] , "swap" ) or
36+ this .hasQualifiedName ( "std" , [ "map" , "unordered_map" ] , "swap" )
2637 }
2738
2839 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
29- // str1.swap(str2)
30- input .isQualifierObject ( ) and
31- output .isParameterDeref ( 0 )
32- or
33- input .isParameterDeref ( 0 ) and
34- output .isQualifierObject ( )
35- }
36- }
37-
38- /**
39- * The standard container `swap` functions.
40- */
41- private class StdSequenceContainerSwap extends TaintFunction {
42- StdSequenceContainerSwap ( ) {
43- this .hasQualifiedName ( "std" , [ "array" , "vector" , "deque" , "list" , "forward_list" ] , "swap" )
44- }
45-
46- override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
47- // container1.swap(container2)
48- input .isQualifierObject ( ) and
49- output .isParameterDeref ( 0 )
50- or
51- input .isParameterDeref ( 0 ) and
52- output .isQualifierObject ( )
53- }
54- }
55-
56- /**
57- * The standard set `swap` functions.
58- */
59- private class StdSetSwap extends TaintFunction {
60- StdSetSwap ( ) { this .hasQualifiedName ( "std" , [ "set" , "unordered_set" ] , "swap" ) }
61-
62- override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
63- // container1.swap(container2)
64- input .isQualifierObject ( ) and
65- output .isParameterDeref ( 0 )
66- or
67- input .isParameterDeref ( 0 ) and
68- output .isQualifierObject ( )
69- }
70- }
71-
72- /**
73- * The standard pair `swap` function.
74- */
75- private class StdPairSwap extends TaintFunction {
76- StdPairSwap ( ) { this .hasQualifiedName ( "std" , "pair" , "swap" ) }
77-
78- override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
79- // container1.swap(container2)
80- input .isQualifierObject ( ) and
81- output .isParameterDeref ( 0 )
82- or
83- input .isParameterDeref ( 0 ) and
84- output .isQualifierObject ( )
85- }
86- }
87-
88- /**
89- * The standard map `swap` function.
90- */
91- private class StdMapSwap extends TaintFunction {
92- StdMapSwap ( ) { this .hasQualifiedName ( "std" , [ "map" , "unordered_map" ] , "swap" ) }
93-
94- override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
95- // container1.swap(container2)
9640 input .isQualifierObject ( ) and
9741 output .isParameterDeref ( 0 )
9842 or
0 commit comments