C++: Fix IR Dataflow PR feedback

dave-bartolomeo · dave-bartolomeo · commit e11b4b6c401f · 2018-12-04T07:31:13.000-08:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DataFlow.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DataFlow.qll
@@ -1,13 +1,15 @@
 /**
  * Provides a library for local (intra-procedural) and global (inter-procedural)
  * data flow analysis: deciding whether data can flow from a _source_ to a
- * _sink_.
+ * _sink_. This library differs from the one in `semmle.code.cpp.dataflow` in that
+ * this library uses the IR (Intermediate Representation) library, which provides
+ * a more precise semantic representation of the program, whereas the other dataflow
+ * library uses the more syntax-oriented ASTs. This library should provide more accurate
+ * results than the AST-based library in most scenarios.
  *
  * Unless configured otherwise, _flow_ means that the exact value of
  * the source may reach the sink. We do not track flow across pointer
- * dereferences or array indexing. To track these types of flow, where the
- * exact value may not be preserved, import
- * `semmle.code.cpp.dataflow.TaintTracking`.
+ * dereferences or array indexing.
  *
  * To use global (interprocedural) data flow, extend the class
  * `DataFlow::Configuration` as documented on that class. To use local
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/TaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/TaintTracking.qll
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -3,9 +3,7 @@ private import DataFlowUtil
 
 /**
  * A data flow node that occurs as the argument of a call and is passed as-is
- * to the callable. Arguments that are wrapped in an implicit varargs array
- * creation are not included, but the implicitly created array is.
- * Instance arguments are also included.
+ * to the callable. Instance arguments (`this` pointer) are also included.
  */
 class ArgumentNode extends Node {
   ArgumentNode() {
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
@@ -0,0 +1,14 @@
+| test.cpp:6:12:6:17 | test.cpp:21:8:21:9 | IR only |
+| test.cpp:66:30:66:36 | test.cpp:71:8:71:9 | AST only |
+| test.cpp:89:28:89:34 | test.cpp:92:8:92:14 | IR only |
+| test.cpp:100:13:100:18 | test.cpp:103:10:103:12 | AST only |
+| test.cpp:120:9:120:20 | test.cpp:126:8:126:19 | AST only |
+| test.cpp:122:18:122:30 | test.cpp:132:22:132:23 | IR only |
+| test.cpp:122:18:122:30 | test.cpp:140:22:140:23 | IR only |
+| test.cpp:136:27:136:32 | test.cpp:137:27:137:28 | AST only |
+| test.cpp:136:27:136:32 | test.cpp:140:22:140:23 | AST only |
+| test.cpp:395:17:395:22 | test.cpp:397:10:397:18 | AST only |
+| test.cpp:421:13:421:18 | test.cpp:423:10:423:14 | AST only |
+| true_upon_entry.cpp:9:11:9:16 | true_upon_entry.cpp:13:8:13:8 | IR only |
+| true_upon_entry.cpp:62:11:62:16 | true_upon_entry.cpp:66:8:66:8 | IR only |
+| true_upon_entry.cpp:98:11:98:16 | true_upon_entry.cpp:105:8:105:8 | IR only |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.ql b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.ql
@@ -0,0 +1,37 @@
+import cpp
+import DataflowTestCommon as ASTCommon
+import IRDataflowTestCommon as IRCommon
+import semmle.code.cpp.dataflow.DataFlow as ASTDataFlow
+import semmle.code.cpp.ir.dataflow.DataFlow as IRDataFlow
+
+predicate astFlow(Location sourceLocation, Location sinkLocation) {
+  exists(ASTDataFlow::DataFlow::Node source, ASTDataFlow::DataFlow::Node sink,
+      ASTCommon::TestAllocationConfig cfg |
+    cfg.hasFlow(source, sink) and
+    sourceLocation = source.getLocation() and
+    sinkLocation = sink.getLocation()
+  )
+}
+
+predicate irFlow(Location sourceLocation, Location sinkLocation) {
+  exists(IRDataFlow::DataFlow::Node source, IRDataFlow::DataFlow::Node sink,
+      IRCommon::TestAllocationConfig cfg |
+    cfg.hasFlow(source, sink) and
+    sourceLocation = source.getLocation() and
+    sinkLocation = sink.getLocation()
+  )
+}
+
+from Location sourceLocation, Location sinkLocation, string note
+where  
+  (
+    astFlow(sourceLocation, sinkLocation) and
+    not irFlow(sourceLocation, sinkLocation) and
+    note = "AST only"
+  ) or
+  (
+    irFlow(sourceLocation, sinkLocation) and
+    not astFlow(sourceLocation, sinkLocation) and
+    note = "IR only"
+  )
+select sourceLocation.toString(), sinkLocation.toString(), note
