C++: Fix join orders in 'DataFlowDispatch.qll' and Ssa.qll.

MathiasVP · MathiasVP · commit 2547a8d746e1 · 2021-10-28T12:35:01.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -63,8 +63,10 @@ private module VirtualDispatch {
       |
         // Call argument
         exists(DataFlowCall call, int i |
-          other.(DataFlow::ParameterNode).isParameterOf(call.getStaticCallTarget(), i) and
-          src.(ArgumentNode).argumentOf(call, i)
+          other
+              .(DataFlow::ParameterNode)
+              .isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
+          src.(ArgumentNode).argumentOf(call, pragma[only_bind_into](pragma[only_bind_out](i)))
         ) and
         allowOtherFromArg = true and
         allowFromArg = true
@@ -128,6 +130,7 @@ private module VirtualDispatch {
    *
    * Used to fix a join ordering issue in flowsFrom.
    */
+  pragma[noinline]
   private predicate returnNodeWithKindAndEnclosingCallable(
     ReturnNode node, ReturnKind kind, DataFlowCallable callable
   ) {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll
@@ -436,6 +436,16 @@ private module Cached {
     iTo.(InheritanceConversionInstruction).getUnary() = iFrom
   }
 
+  pragma[noinline]
+  private predicate callTargetHasInputOutput(
+    CallInstruction call, DataFlow::FunctionInput input, DataFlow::FunctionOutput output
+  ) {
+    exists(DataFlow::DataFlowFunction func |
+      call.getStaticCallTarget() = func and
+      func.hasDataFlow(input, output)
+    )
+  }
+
   private predicate flowOutOfAddressStep(Operand operand, Node nTo) {
     // Flow into a read node
     exists(ReadNode readNode | readNode = nTo |
@@ -500,13 +510,12 @@ private module Cached {
     or
     // Flow through a modelled function that has parameter -> return value flow.
     exists(
-      CallInstruction call, DataFlow::DataFlowFunction func, int index,
-      DataFlow::FunctionInput input, DataFlow::FunctionOutput output
+      CallInstruction call, int index, DataFlow::FunctionInput input,
+      DataFlow::FunctionOutput output
     |
-      call.getStaticCallTarget() = func and
+      callTargetHasInputOutput(call, input, output) and
       call.getArgumentOperand(index) = operand and
       not getSideEffectFor(call, index) instanceof ReadSideEffectInstruction and
-      func.hasDataFlow(input, output) and
       input.isParameter(index) and
       output.isReturnValue() and
       flowOutOfAddressStep(call.getAUse(), nTo)
