C++: Since isConstructedFrom only holds for templates we need to explicitly handle the case where the function (or class) is not a template.

MathiasVP · MathiasVP · commit f688470324a5 · 2024-11-27T16:41:16.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
@@ -434,18 +434,30 @@ private predicate elementSpec(
   summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _, _)
 }
 
+private predicate isClassConstructedFrom(Class c, Class templateClass) {
+  c.isConstructedFrom(templateClass)
+  or
+  not any(Class c_).isConstructedFrom(templateClass) and c = templateClass
+}
+
+private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
+  f.isConstructedFrom(templateFunc)
+  or
+  not any(Function f_).isConstructedFrom(templateFunc) and f = templateFunc
+}
+
 /** Gets the fully templated version of `f`. */
 private Function getFullyTemplatedFunction(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
   (
     exists(Class c, Class templateClass, int i |
-      c.isConstructedFrom(templateClass) and
+      isClassConstructedFrom(c, templateClass) and
       f = c.getAMember(i) and
       result = templateClass.getCanonicalMember(i)
     )
     or
     not exists(f.getDeclaringType()) and
-    f.isConstructedFrom(result)
+    isFunctionConstructedFrom(f, result)
   )
 }
 
@@ -489,7 +501,7 @@ private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remain
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
-    f.getDeclaringType().isConstructedFrom(template) and
+    isClassConstructedFrom(f.getDeclaringType(), template) and
     remaining = template.getNumberOfTemplateArguments() and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
@@ -501,7 +513,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   or
   exists(string mid, TemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
-    f.getDeclaringType().isConstructedFrom(template) and
+    isClassConstructedFrom(f.getDeclaringType(), template) and
     tp = template.getTemplateArgument(remaining) and
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())
   )
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
@@ -75,12 +75,12 @@ void test__U_STRINGorID() {
   {
     UINT x = source<UINT>();
     _U_STRINGorID u(x);
-    sink(u.m_lpstr); // $ MISSING: ir
+    sink(u.m_lpstr); // $ ir
   }
 
   {
     LPCTSTR y = indirect_source<const char>();
     _U_STRINGorID u(y);
-    sink(u.m_lpstr); // $ MISSING: ir
+    sink(u.m_lpstr); // $ ir
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -75,12 +75,12 @@ void test__U_STRINGorID() {`
`75`	`75`	`{`
`76`	`76`	`UINT x = source<UINT>();`
`77`	`77`	`_U_STRINGorID u(x);`
`78`		`- sink(u.m_lpstr); // $ MISSING: ir`
	`78`	`+ sink(u.m_lpstr); // $ ir`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`{`
`82`	`82`	`LPCTSTR y = indirect_source<const char>();`
`83`	`83`	`_U_STRINGorID u(y);`
`84`		`- sink(u.m_lpstr); // $ MISSING: ir`
	`84`	`+ sink(u.m_lpstr); // $ ir`
`85`	`85`	`}`
`86`	`86`	`}`