C++: Add some test cases involving function pointers.

geoffw0 · geoffw0 · commit dbf0b987918a · 2024-03-01T15:56:44.000Z
diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected b/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
@@ -12,3 +12,15 @@
 | tests.cpp:181:6:181:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
 | tests.cpp:209:7:209:30 | [summary param] this in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
 | tests.cpp:209:7:209:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
+| tests.cpp:285:5:285:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:285:5:285:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn |  | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:285:5:285:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn |  | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:285:5:285:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:285:5:285:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:287:6:287:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue |  | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue |  | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:287:6:287:25 | [summary] to write: Argument[1] in madCallArg0WithValue |  | madCallArg0WithValue | madCallArg0WithValue |
diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll b/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
@@ -71,6 +71,9 @@ private class TestSummaries extends SummaryModelCsv {
         ";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].val;taint",
         ";MyClass;true;madFieldToReturn;;;Argument[-1].val;ReturnValue;taint",
         "MyNamespace;MyClass;true;namespaceMadSelfToReturn;;;Argument[-1];ReturnValue;taint",
+        ";;false;madCallArg0ReturnToReturn;;;Argument[0].ReturnValue;ReturnValue;value",
+        ";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.first;value",
+        ";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",
       ]
   }
 }
diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp b/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
@@ -106,7 +106,7 @@ void madSinkParam0(int x) { // $ interpretElement
 	x = source(); // $ MISSING: ir
 }
 
-// --- MAD summaries ---
+// --- global MAD summaries ---
 
 struct MyContainer {
 	int value;
@@ -274,3 +274,28 @@ void test_class_members() {
 	mc6.madArg0ToField(source());
 	sink(mc6.madFieldToReturn()); // $ MISSING: ir
 }
+
+// --- MAD cases involving function pointers ---
+
+struct intPair {
+	int first;
+	int second;
+};
+
+int madCallArg0ReturnToReturn(int (*fun_ptr)()); // $ interpretElement
+intPair madCallArg0ReturnToReturnFirst(int (*fun_ptr)()); // $ interpretElement
+void madCallArg0WithValue(void (*fun_ptr)(int), int value); // $ interpretElement
+
+int getTainted() { return source(); }
+void useValue(int x) { sink(x); }
+
+void test_function_pointers() {
+	sink(madCallArg0ReturnToReturn(&notASource));
+	sink(madCallArg0ReturnToReturn(&getTainted)); // $ MISSING: ir
+	sink(madCallArg0ReturnToReturn(&source)); // $ MISSING: ir
+	sink(madCallArg0ReturnToReturnFirst(&source).first); // $ MISSING: ir
+	sink(madCallArg0ReturnToReturnFirst(&source).second);
+	madCallArg0WithValue(&useValue, 0);
+	madCallArg0WithValue(&useValue, source()); // $ MISSING: ir
+	madCallArg0WithValue(&sink, source()); // $ MISSING: ir
+}

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,9 @@ private class TestSummaries extends SummaryModelCsv {`
`71`	`71`	`";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].val;taint",`
`72`	`72`	`";MyClass;true;madFieldToReturn;;;Argument[-1].val;ReturnValue;taint",`
`73`	`73`	`"MyNamespace;MyClass;true;namespaceMadSelfToReturn;;;Argument[-1];ReturnValue;taint",`
	`74`	`+ ";;false;madCallArg0ReturnToReturn;;;Argument[0].ReturnValue;ReturnValue;value",`
	`75`	`+ ";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.first;value",`
	`76`	`+ ";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",`
`74`	`77`	`]`
`75`	`78`	`}`
`76`	`79`	`}`