C++: Add a model for 'partial updating' and extend models appropriately.

MathiasVP · MathiasVP · commit 7e9bf2a880d9 · 2024-02-16T12:56:19.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -5,6 +5,7 @@ private import DataFlowImplCommon as DataFlowImplCommon
 private import semmle.code.cpp.models.interfaces.Allocation as Alloc
 private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
 private import semmle.code.cpp.models.interfaces.Taint as Taint
+private import semmle.code.cpp.models.interfaces.PartialFlow as PartialFlow
 private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as FIO
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
@@ -816,10 +817,15 @@ private predicate inOut(FIO::FunctionInput input, FIO::FunctionOutput output) {
  * flows to `n`).
  */
 private predicate modeledFlowBarrier(Node n) {
-  exists(FIO::FunctionInput input, FIO::FunctionOutput output, CallInstruction call |
+  exists(
+    FIO::FunctionInput input, FIO::FunctionOutput output, CallInstruction call,
+    PartialFlow::PartialFlowFunction partialFlowFunc
+  |
     n = callInput(call, input) and
     inOut(input, output) and
-    exists(callOutput(call, output))
+    exists(callOutput(call, output)) and
+    partialFlowFunc = call.getStaticCallTarget() and
+    not partialFlowFunc.isPartialWrite(output)
   |
     call.getStaticCallTarget().(DataFlow::DataFlowFunction).hasDataFlow(_, output)
     or
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/GetDelim.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/GetDelim.qll
@@ -15,6 +15,8 @@ private class GetDelimFunction extends TaintFunction, AliasFunction, SideEffectF
     i.isParameter(3) and o.isParameterDeref(0)
   }
 
+  override predicate isPartialWrite(FunctionOutput o) { o.isParameterDeref(3) }
+
   override predicate parameterNeverEscapes(int index) { index = [0, 1, 3] }
 
   override predicate parameterEscapesOnlyViaReturn(int index) { none() }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
@@ -27,6 +27,8 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
     output.isReturnValue()
   }
 
+  override predicate isPartialWrite(FunctionOutput output) { output.isParameterDeref(2) }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(2) and
     output.isParameterDeref(0)
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll
@@ -20,6 +20,8 @@ private class InetAton extends TaintFunction, ArrayFunction {
     output.isParameterDeref(1)
   }
 
+  override predicate isPartialWrite(FunctionOutput output) { output.isParameterDeref(1) }
+
   override predicate hasArrayInput(int bufParam) { bufParam = 0 }
 
   override predicate hasArrayOutput(int bufParam) { bufParam = 1 }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -118,6 +118,8 @@ private class StdSequenceContainerData extends TaintFunction {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -147,6 +149,8 @@ private class StdSequenceContainerPushModel extends StdSequenceContainerPush, Ta
     input.isParameterDeref(0) and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -207,6 +211,8 @@ private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert
       output.isReturnValue()
     )
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -263,6 +269,8 @@ private class StdSequenceContainerAt extends TaintFunction {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -297,6 +305,8 @@ private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction
       output.isReturnValue()
     )
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -335,6 +345,8 @@ private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintF
     input.isParameterDeref([0 .. this.getNumberOfParameters() - 1]) and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMap.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdMap.qll
@@ -3,6 +3,7 @@
  */
 
 import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Iterator
 
 /**
@@ -53,6 +54,8 @@ private class StdMapInsert extends TaintFunction {
       output.isReturnValue()
     )
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -75,6 +78,8 @@ private class StdMapEmplace extends TaintFunction {
     input.isQualifierObject() and
     output.isReturnValue()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -102,6 +107,8 @@ private class StdMapTryEmplace extends TaintFunction {
     input.isQualifierObject() and
     output.isReturnValue()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -115,6 +122,8 @@ private class StdMapMerge extends TaintFunction {
     input.isParameterDeref(0) and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -132,6 +141,8 @@ private class StdMapAt extends TaintFunction {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdSet.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdSet.qll
@@ -61,6 +61,8 @@ private class StdSetInsert extends TaintFunction {
       output.isReturnValue()
     )
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -82,6 +84,8 @@ private class StdSetEmplace extends TaintFunction {
     input.isQualifierObject() and
     output.isReturnValue()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -95,6 +99,8 @@ private class StdSetMerge extends TaintFunction {
     input.isParameterDeref(0) and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
@@ -129,6 +129,8 @@ private class StdStringDataModel extends StdStringData, StdStringTaintFunction {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -142,6 +144,8 @@ private class StdStringPush extends StdStringTaintFunction {
     input.isParameter(0) and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -204,6 +208,8 @@ private class StdStringAppend extends StdStringTaintFunction {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -237,6 +243,8 @@ private class StdStringInsert extends StdStringTaintFunction {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -305,6 +313,8 @@ private class StdStringAt extends StdStringTaintFunction {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -338,6 +348,8 @@ private class StdIStreamIn extends DataFlowFunction, TaintFunction {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -358,6 +370,8 @@ private class StdIStreamInNonMember extends DataFlowFunction, TaintFunction {
     output.isReturnValueDeref()
   }
 
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from first parameter to second parameter
     input.isParameterDeref(0) and
@@ -403,6 +417,8 @@ private class StdIStreamRead extends DataFlowFunction, TaintFunction {
     output.isReturnValueDeref()
   }
 
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to first parameter
     input.isQualifierObject() and
@@ -442,6 +458,8 @@ private class StdIStreamPutBack extends DataFlowFunction, TaintFunction {
     output.isReturnValueDeref()
   }
 
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from first parameter (value or pointer) to qualifier
     input.isParameter(0) and
@@ -478,6 +496,8 @@ private class StdIStreamGetLine extends DataFlowFunction, TaintFunction {
     output.isReturnValueDeref()
   }
 
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from qualifier to first parameter
     input.isQualifierObject() and
@@ -540,6 +560,8 @@ private class StdOStreamOut extends DataFlowFunction, TaintFunction {
     output.isReturnValueDeref()
   }
 
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from first parameter (value or pointer) to qualifier
     input.isParameter(0) and
@@ -579,6 +601,8 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
     output.isReturnValueDeref()
   }
 
+  override predicate isPartialWrite(FunctionOutput output) { output.isParameterDeref(0) }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from second parameter to first parameter
     input.isParameterDeref(1) and
@@ -672,6 +696,8 @@ private class StdStreamFunction extends DataFlowFunction, TaintFunction {
     output.isReturnValueDeref()
   }
 
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // reverse flow from returned reference to the qualifier
     input.isReturnValueDeref() and
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcrement.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcrement.qll
@@ -36,6 +36,8 @@ private class Strcrement extends ArrayFunction, TaintFunction, SideEffectFunctio
       input.isParameter(index) and output.isReturnValue()
       or
       input.isParameterDeref(index) and output.isReturnValueDeref()
+      or
+      input.isParameterDeref(index) and output.isParameterDeref(index)
     )
   }
 
diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/DataFlow.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/DataFlow.qll
@@ -10,6 +10,7 @@
 import semmle.code.cpp.Function
 import FunctionInputsAndOutputs
 import semmle.code.cpp.models.Models
+import PartialFlow
 
 /**
  * A library function for which a value is or may be copied from a parameter
@@ -18,7 +19,7 @@ import semmle.code.cpp.models.Models
  * Note that this does not include partial copying of values or partial writes
  * to destinations; that is covered by `TaintModel.qll`.
  */
-abstract class DataFlowFunction extends Function {
+abstract class DataFlowFunction extends PartialFlowFunction {
   /**
    * Holds if data can be copied from the argument, qualifier, or buffer
    * represented by `input` to the return value or buffer represented by
diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/PartialFlow.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/PartialFlow.qll
@@ -0,0 +1,15 @@
+import semmle.code.cpp.Function
+import FunctionInputsAndOutputs
+import semmle.code.cpp.models.Models
+
+/**
+ * A function that may (but not always) updates (part of) a `FunctionOutput`.
+ */
+abstract class PartialFlowFunction extends Function {
+  /**
+   * Holds if the write to `output` either is:
+   * - Only partially updating the `output`
+   * - Is not unconditional
+   */
+  predicate isPartialWrite(FunctionOutput output) { none() }
+}
diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Taint.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Taint.qll
@@ -10,6 +10,7 @@
 import semmle.code.cpp.Function
 import FunctionInputsAndOutputs
 import semmle.code.cpp.models.Models
+import PartialFlow
 
 /**
  * A library function for which a taint-tracking library should propagate taint
@@ -23,7 +24,7 @@ import semmle.code.cpp.models.Models
  * altered (for example copying a string with `strncpy`), this is also considered
  * data flow.
  */
-abstract class TaintFunction extends Function {
+abstract class TaintFunction extends PartialFlowFunction {
   /**
    * Holds if data passed into the argument, qualifier, or buffer represented by
    * `input` influences the return value or buffer represented by `output`
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -6490,6 +6490,7 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | taint.cpp:607:10:607:16 | call to _strinc | taint.cpp:609:8:609:12 | dest1 |  |
 | taint.cpp:607:18:607:23 | source | taint.cpp:607:10:607:16 | call to _strinc | TAINT |
 | taint.cpp:607:26:607:31 | locale | taint.cpp:607:10:607:16 | call to _strinc | TAINT |
+| taint.cpp:607:26:607:31 | locale | taint.cpp:607:26:607:31 | ref arg locale | TAINT |
 | taint.cpp:607:26:607:31 | ref arg locale | taint.cpp:606:82:606:87 | locale |  |
 | taint.cpp:607:26:607:31 | ref arg locale | taint.cpp:611:25:611:30 | locale |  |
 | taint.cpp:608:7:608:11 | ref arg dest1 | taint.cpp:606:52:606:56 | dest1 |  |
@@ -6501,6 +6502,7 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | taint.cpp:611:10:611:16 | call to _strinc | taint.cpp:613:8:613:12 | dest2 |  |
 | taint.cpp:611:18:611:22 | clean | taint.cpp:611:10:611:16 | call to _strinc | TAINT |
 | taint.cpp:611:25:611:30 | locale | taint.cpp:611:10:611:16 | call to _strinc | TAINT |
+| taint.cpp:611:25:611:30 | locale | taint.cpp:611:25:611:30 | ref arg locale | TAINT |
 | taint.cpp:611:25:611:30 | ref arg locale | taint.cpp:606:82:606:87 | locale |  |
 | taint.cpp:612:7:612:11 | ref arg dest2 | taint.cpp:606:65:606:69 | dest2 |  |
 | taint.cpp:612:7:612:11 | ref arg dest2 | taint.cpp:613:8:613:12 | dest2 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ private class GetDelimFunction extends TaintFunction, AliasFunction, SideEffectF`
`15`	`15`	`i.isParameter(3) and o.isParameterDeref(0)`
`16`	`16`	`}`
`17`	`17`
	`18`	`+ override predicate isPartialWrite(FunctionOutput o) { o.isParameterDeref(3) }`
	`19`	`+`
`18`	`20`	`override predicate parameterNeverEscapes(int index) { index = [0, 1, 3] }`
`19`	`21`
`20`	`22`	`override predicate parameterEscapesOnlyViaReturn(int index) { none() }`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,8 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti`
`27`	`27`	`output.isReturnValue()`
`28`	`28`	`}`
`29`	`29`
	`30`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isParameterDeref(2) }`
	`31`	`+`
`30`	`32`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`31`	`33`	`input.isParameter(2) and`
`32`	`34`	`output.isParameterDeref(0)`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@ private class InetAton extends TaintFunction, ArrayFunction {`
`20`	`20`	`output.isParameterDeref(1)`
`21`	`21`	`}`
`22`	`22`
	`23`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isParameterDeref(1) }`
	`24`	`+`
`23`	`25`	`override predicate hasArrayInput(int bufParam) { bufParam = 0 }`
`24`	`26`
`25`	`27`	`override predicate hasArrayOutput(int bufParam) { bufParam = 1 }`
Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,8 @@ private class StdSequenceContainerData extends TaintFunction {`
`118`	`118`	`input.isReturnValueDeref() and`
`119`	`119`	`output.isQualifierObject()`
`120`	`120`	`}`
	`121`	`+`
	`122`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`121`	`123`	`}`
`122`	`124`
`123`	`125`	`/**`
`@@ -147,6 +149,8 @@ private class StdSequenceContainerPushModel extends StdSequenceContainerPush, Ta`
`147`	`149`	`input.isParameterDeref(0) and`
`148`	`150`	`output.isQualifierObject()`
`149`	`151`	`}`
	`152`	`+`
	`153`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`150`	`154`	`}`
`151`	`155`
`152`	`156`	`/**`
`@@ -207,6 +211,8 @@ private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert`
`207`	`211`	`output.isReturnValue()`
`208`	`212`	`)`
`209`	`213`	`}`
	`214`	`+`
	`215`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`210`	`216`	`}`
`211`	`217`
`212`	`218`	`/**`
`@@ -263,6 +269,8 @@ private class StdSequenceContainerAt extends TaintFunction {`
`263`	`269`	`input.isReturnValueDeref() and`
`264`	`270`	`output.isQualifierObject()`
`265`	`271`	`}`
	`272`	`+`
	`273`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`266`	`274`	`}`
`267`	`275`
`268`	`276`	`/**`
`@@ -297,6 +305,8 @@ private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction`
`297`	`305`	`output.isReturnValue()`
`298`	`306`	`)`
`299`	`307`	`}`
	`308`	`+`
	`309`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`300`	`310`	`}`
`301`	`311`
`302`	`312`	`/**`
`@@ -335,6 +345,8 @@ private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintF`
`335`	`345`	`input.isParameterDeref([0 .. this.getNumberOfParameters() - 1]) and`
`336`	`346`	`output.isQualifierObject()`
`337`	`347`	`}`
	`348`	`+`
	`349`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`338`	`350`	`}`
`339`	`351`
`340`	`352`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`*/`
`4`	`4`
`5`	`5`	`import semmle.code.cpp.models.interfaces.Taint`
	`6`	`+import semmle.code.cpp.models.interfaces.DataFlow`
`6`	`7`	`import semmle.code.cpp.models.interfaces.Iterator`
`7`	`8`
`8`	`9`	`/**`
`@@ -53,6 +54,8 @@ private class StdMapInsert extends TaintFunction {`
`53`	`54`	`output.isReturnValue()`
`54`	`55`	`)`
`55`	`56`	`}`
	`57`	`+`
	`58`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`56`	`59`	`}`
`57`	`60`
`58`	`61`	`/**`
`@@ -75,6 +78,8 @@ private class StdMapEmplace extends TaintFunction {`
`75`	`78`	`input.isQualifierObject() and`
`76`	`79`	`output.isReturnValue()`
`77`	`80`	`}`
	`81`	`+`
	`82`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`78`	`83`	`}`
`79`	`84`
`80`	`85`	`/**`
`@@ -102,6 +107,8 @@ private class StdMapTryEmplace extends TaintFunction {`
`102`	`107`	`input.isQualifierObject() and`
`103`	`108`	`output.isReturnValue()`
`104`	`109`	`}`
	`110`	`+`
	`111`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`105`	`112`	`}`
`106`	`113`
`107`	`114`	`/**`
`@@ -115,6 +122,8 @@ private class StdMapMerge extends TaintFunction {`
`115`	`122`	`input.isParameterDeref(0) and`
`116`	`123`	`output.isQualifierObject()`
`117`	`124`	`}`
	`125`	`+`
	`126`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`118`	`127`	`}`
`119`	`128`
`120`	`129`	`/**`
`@@ -132,6 +141,8 @@ private class StdMapAt extends TaintFunction {`
`132`	`141`	`input.isReturnValueDeref() and`
`133`	`142`	`output.isQualifierObject()`
`134`	`143`	`}`
	`144`	`+`
	`145`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`135`	`146`	`}`
`136`	`147`
`137`	`148`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,8 @@ private class StdSetInsert extends TaintFunction {`
`61`	`61`	`output.isReturnValue()`
`62`	`62`	`)`
`63`	`63`	`}`
	`64`	`+`
	`65`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`64`	`66`	`}`
`65`	`67`
`66`	`68`	`/**`
`@@ -82,6 +84,8 @@ private class StdSetEmplace extends TaintFunction {`
`82`	`84`	`input.isQualifierObject() and`
`83`	`85`	`output.isReturnValue()`
`84`	`86`	`}`
	`87`	`+`
	`88`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`85`	`89`	`}`
`86`	`90`
`87`	`91`	`/**`
`@@ -95,6 +99,8 @@ private class StdSetMerge extends TaintFunction {`
`95`	`99`	`input.isParameterDeref(0) and`
`96`	`100`	`output.isQualifierObject()`
`97`	`101`	`}`
	`102`	`+`
	`103`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`98`	`104`	`}`
`99`	`105`
`100`	`106`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,8 @@ private class StdStringDataModel extends StdStringData, StdStringTaintFunction {`
`129`	`129`	`input.isReturnValueDeref() and`
`130`	`130`	`output.isQualifierObject()`
`131`	`131`	`}`
	`132`	`+`
	`133`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`132`	`134`	`}`
`133`	`135`
`134`	`136`	`/**`
`@@ -142,6 +144,8 @@ private class StdStringPush extends StdStringTaintFunction {`
`142`	`144`	`input.isParameter(0) and`
`143`	`145`	`output.isQualifierObject()`
`144`	`146`	`}`
	`147`	`+`
	`148`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`145`	`149`	`}`
`146`	`150`
`147`	`151`	`/**`
`@@ -204,6 +208,8 @@ private class StdStringAppend extends StdStringTaintFunction {`
`204`	`208`	`input.isReturnValueDeref() and`
`205`	`209`	`output.isQualifierObject()`
`206`	`210`	`}`
	`211`	`+`
	`212`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`207`	`213`	`}`
`208`	`214`
`209`	`215`	`/**`
`@@ -237,6 +243,8 @@ private class StdStringInsert extends StdStringTaintFunction {`
`237`	`243`	`input.isReturnValueDeref() and`
`238`	`244`	`output.isQualifierObject()`
`239`	`245`	`}`
	`246`	`+`
	`247`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`240`	`248`	`}`
`241`	`249`
`242`	`250`	`/**`
`@@ -305,6 +313,8 @@ private class StdStringAt extends StdStringTaintFunction {`
`305`	`313`	`input.isReturnValueDeref() and`
`306`	`314`	`output.isQualifierObject()`
`307`	`315`	`}`
	`316`	`+`
	`317`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`308`	`318`	`}`
`309`	`319`
`310`	`320`	`/**`
`@@ -338,6 +348,8 @@ private class StdIStreamIn extends DataFlowFunction, TaintFunction {`
`338`	`348`	`input.isReturnValueDeref() and`
`339`	`349`	`output.isQualifierObject()`
`340`	`350`	`}`
	`351`	`+`
	`352`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
`341`	`353`	`}`
`342`	`354`
`343`	`355`	`/**`
`@@ -358,6 +370,8 @@ private class StdIStreamInNonMember extends DataFlowFunction, TaintFunction {`
`358`	`370`	`output.isReturnValueDeref()`
`359`	`371`	`}`
`360`	`372`
	`373`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
	`374`	`+`
`361`	`375`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`362`	`376`	`// flow from first parameter to second parameter`
`363`	`377`	`input.isParameterDeref(0) and`
`@@ -403,6 +417,8 @@ private class StdIStreamRead extends DataFlowFunction, TaintFunction {`
`403`	`417`	`output.isReturnValueDeref()`
`404`	`418`	`}`
`405`	`419`
	`420`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
	`421`	`+`
`406`	`422`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`407`	`423`	`// flow from qualifier to first parameter`
`408`	`424`	`input.isQualifierObject() and`
`@@ -442,6 +458,8 @@ private class StdIStreamPutBack extends DataFlowFunction, TaintFunction {`
`442`	`458`	`output.isReturnValueDeref()`
`443`	`459`	`}`
`444`	`460`
	`461`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
	`462`	`+`
`445`	`463`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`446`	`464`	`// flow from first parameter (value or pointer) to qualifier`
`447`	`465`	`input.isParameter(0) and`
`@@ -478,6 +496,8 @@ private class StdIStreamGetLine extends DataFlowFunction, TaintFunction {`
`478`	`496`	`output.isReturnValueDeref()`
`479`	`497`	`}`
`480`	`498`
	`499`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
	`500`	`+`
`481`	`501`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`482`	`502`	`// flow from qualifier to first parameter`
`483`	`503`	`input.isQualifierObject() and`
`@@ -540,6 +560,8 @@ private class StdOStreamOut extends DataFlowFunction, TaintFunction {`
`540`	`560`	`output.isReturnValueDeref()`
`541`	`561`	`}`
`542`	`562`
	`563`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
	`564`	`+`
`543`	`565`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`544`	`566`	`// flow from first parameter (value or pointer) to qualifier`
`545`	`567`	`input.isParameter(0) and`
`@@ -579,6 +601,8 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {`
`579`	`601`	`output.isReturnValueDeref()`
`580`	`602`	`}`
`581`	`603`
	`604`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isParameterDeref(0) }`
	`605`	`+`
`582`	`606`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`583`	`607`	`// flow from second parameter to first parameter`
`584`	`608`	`input.isParameterDeref(1) and`
`@@ -672,6 +696,8 @@ private class StdStreamFunction extends DataFlowFunction, TaintFunction {`
`672`	`696`	`output.isReturnValueDeref()`
`673`	`697`	`}`
`674`	`698`
	`699`	`+ override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }`
	`700`	`+`
`675`	`701`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`676`	`702`	`// reverse flow from returned reference to the qualifier`
`677`	`703`	`input.isReturnValueDeref() and`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,8 @@ private class Strcrement extends ArrayFunction, TaintFunction, SideEffectFunctio`
`36`	`36`	`input.isParameter(index) and output.isReturnValue()`
`37`	`37`	`or`
`38`	`38`	`input.isParameterDeref(index) and output.isReturnValueDeref()`
	`39`	`+ or`
	`40`	`+ input.isParameterDeref(index) and output.isParameterDeref(index)`
`39`	`41`	`)`
`40`	`42`	`}`
`41`	`43`