C++: Implement 'lambdaCreation' and 'lambdaCall' for models-as-data.

MathiasVP · MathiasVP · commit e9cd2dc9e18b · 2024-04-09T14:05:32.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -1290,10 +1290,16 @@ predicate nodeIsHidden(Node n) {
 class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
-predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { none() }
+predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
+  creation.asInstruction().(FunctionAddressInstruction).getFunctionSymbol() = c.asSourceCallable() and
+  exists(kind)
+}
 
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
-predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
+predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
+  call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode() and
+  exists(kind)
+}
 
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp b/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
@@ -437,17 +437,17 @@ void madCallArg0WithValue(void (*fun_ptr)(int), int value); // $ interpretElemen
 int madCallReturnValueIgnoreFunction(void (*fun_ptr)(int), int value); // $ interpretElement
 
 int getTainted() { return source(); }
-void useValue(int x) { sink(x); }
+void useValue(int x) { sink(x); } // $ ir
 void dontUseValue(int x) { }
 
 void test_function_pointers() {
 	sink(madCallArg0ReturnToReturn(&notASource));
-	sink(madCallArg0ReturnToReturn(&getTainted)); // $ MISSING: ir
+	sink(madCallArg0ReturnToReturn(&getTainted)); // $ ir
 	sink(madCallArg0ReturnToReturn(&source)); // $ MISSING: ir
 	sink(madCallArg0ReturnToReturnFirst(&source).first); // $ MISSING: ir
 	sink(madCallArg0ReturnToReturnFirst(&source).second);
 	madCallArg0WithValue(&useValue, 0);
-	madCallArg0WithValue(&useValue, source()); // $ MISSING: ir
+	madCallArg0WithValue(&useValue, source());
 	madCallArg0WithValue(&sink, source()); // $ MISSING: ir
 	madCallReturnValueIgnoreFunction(&sink, source());
 	sink(madCallReturnValueIgnoreFunction(&dontUseValue, source())); // $ ir
