C++: (Bugfix 3) Don't conflate summarized callables and source callables in 'nodeGetEnclosingCallable'.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -152,7 +152,7 @@ private module VirtualDispatch {
     ReturnNode node, ReturnKind kind, DataFlowCallable callable
   ) {
     node.getKind() = kind and
-    node.getEnclosingCallable() = callable.getUnderlyingCallable()
+    node.getFunction() = callable.getUnderlyingCallable()
   }
 
   /** Call through a function pointer. */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -333,9 +333,7 @@ private module IndirectInstructions {
 import IndirectInstructions
 
 /** Gets the callable in which this node occurs. */
-DataFlowCallable nodeGetEnclosingCallable(Node n) {
-  result.getUnderlyingCallable() = n.getEnclosingCallable()
-}
+DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
 predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -147,7 +147,7 @@ class Node extends TIRDataFlowNode {
   /**
    * INTERNAL: Do not use.
    */
-  Declaration getEnclosingCallable() { none() } // overridden in subclasses
+  DataFlowCallable getEnclosingCallable() { none() } // overridden in subclasses
 
   /** Gets the function to which this node belongs, if any. */
   Declaration getFunction() { none() } // overridden in subclasses
@@ -509,7 +509,9 @@ private class Node0 extends Node, TNode0 {
 
   Node0() { this = TNode0(node) }
 
-  override Declaration getEnclosingCallable() { result = node.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = node.getEnclosingCallable()
+  }
 
   override Declaration getFunction() { result = node.getFunction() }
 
@@ -574,7 +576,9 @@ class PostUpdateNodeImpl extends PartialDefinitionNode, TPostUpdateNodeImpl {
 
   override Declaration getFunction() { result = operand.getUse().getEnclosingFunction() }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result = this.getPreUpdateNode().getEnclosingCallable()
+  }
 
   /** Gets the operand associated with this node. */
   Operand getOperand() { result = operand }
@@ -627,7 +631,9 @@ class SsaPhiNode extends Node, TSsaPhiNode {
   /** Gets the phi node associated with this node. */
   Ssa::PhiNode getPhiNode() { result = phi }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = this.getFunction()
+  }
 
   override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
 
@@ -710,7 +716,9 @@ class SsaPhiInputNode extends Node, TSsaPhiInputNode {
   /** Gets the basic block in which this input originates. */
   IRBlock getBlock() { result = block }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = this.getFunction()
+  }
 
   override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
 
@@ -739,7 +747,9 @@ class SsaIteratorNode extends Node, TSsaIteratorNode {
   /** Gets the phi node associated with this node. */
   IteratorFlow::IteratorFlowNode getIteratorFlowNode() { result = node }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = this.getFunction()
+  }
 
   override Declaration getFunction() { result = node.getFunction() }
 
@@ -774,7 +784,9 @@ class SideEffectOperandNode extends Node instanceof IndirectOperand {
 
   int getArgumentIndex() { result = argumentIndex }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = this.getFunction()
+  }
 
   override Declaration getFunction() { result = call.getEnclosingFunction() }
 
@@ -795,7 +807,9 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {
   /** Gets the underlying SSA use. */
   Ssa::GlobalUse getGlobalUse() { result = globalUse }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = this.getFunction()
+  }
 
   override Declaration getFunction() { result = globalUse.getIRFunction().getFunction() }
 
@@ -825,7 +839,9 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {
   /** Gets the underlying SSA definition. */
   Ssa::GlobalDef getGlobalDef() { result = globalDef }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = this.getFunction()
+  }
 
   override Declaration getFunction() { result = globalDef.getIRFunction().getFunction() }
 
@@ -856,7 +872,9 @@ class BodyLessParameterNodeImpl extends Node, TBodyLessParameterNodeImpl {
 
   BodyLessParameterNodeImpl() { this = TBodyLessParameterNodeImpl(p, indirectionIndex) }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = this.getFunction()
+  }
 
   override Declaration getFunction() { result = p.getFunction() }
 
@@ -902,7 +920,9 @@ class FlowSummaryNode extends Node, TFlowSummaryNode {
    * Gets the enclosing callable. For a `FlowSummaryNode` this is always the
    * summarized function this node is part of.
    */
-  override Declaration getEnclosingCallable() { result = this.getSummarizedCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSummarizedCallable() = this.getSummarizedCallable()
+  }
 
   override Location getLocationImpl() { result = this.getSummarizedCallable().getLocation() }
 
@@ -923,7 +943,7 @@ class IndirectReturnNode extends Node {
         .hasOperandAndIndirectionIndex(any(ReturnValueInstruction ret).getReturnAddressOperand(), _)
   }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override SourceCallable getEnclosingCallable() { result.asSourceCallable() = this.getFunction() }
 
   /**
    * Holds if this node represents the value that is returned to the caller
@@ -1117,11 +1137,11 @@ private module RawIndirectNodes {
     /** Gets the underlying indirection index. */
     int getIndirectionIndex() { result = indirectionIndex }
 
-    override Declaration getFunction() {
-      result = this.getOperand().getDef().getEnclosingFunction()
-    }
+    override Declaration getFunction() { result = node.getFunction() }
 
-    override Declaration getEnclosingCallable() { result = this.getFunction() }
+    override DataFlowCallable getEnclosingCallable() {
+      result.asSourceCallable() = node.getEnclosingCallable()
+    }
 
     override predicate isGLValue() { this.getOperand().isGLValue() }
 
@@ -1163,9 +1183,11 @@ private module RawIndirectNodes {
     /** Gets the underlying indirection index. */
     int getIndirectionIndex() { result = indirectionIndex }
 
-    override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
+    override Declaration getFunction() { result = node.getFunction() }
 
-    override Declaration getEnclosingCallable() { result = this.getFunction() }
+    override DataFlowCallable getEnclosingCallable() {
+      result.asSourceCallable() = node.getEnclosingCallable()
+    }
 
     override predicate isGLValue() { this.getInstruction().isGLValue() }
 
@@ -1265,7 +1287,9 @@ class FinalParameterNode extends Node, TFinalParameterNode {
 
   override Declaration getFunction() { result = p.getFunction() }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = this.getFunction()
+  }
 
   override DataFlowType getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }
 
@@ -1385,12 +1409,14 @@ private class IndirectInstructionParameterNode extends AbstractIndirectParameter
   /** Gets the parameter whose indirection is initialized. */
   override Parameter getParameter() { result = init.getParameter() }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = this.getFunction()
+  }
 
   override Declaration getFunction() { result = init.getEnclosingFunction() }
 
   override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
-    this.getEnclosingCallable() = f and
+    this.getFunction() = f and
     exists(int argumentIndex, int indirectionIndex |
       indirectPositionHasArgumentIndexAndIndex(pos, argumentIndex, indirectionIndex) and
       indirectParameterNodeHasArgumentIndexAndIndex(this, argumentIndex, indirectionIndex)
@@ -1625,13 +1651,13 @@ class VariableNode extends Node, TGlobalLikeVariableNode {
 
   override Declaration getFunction() { none() }
 
-  override Declaration getEnclosingCallable() {
+  override DataFlowCallable getEnclosingCallable() {
     // When flow crosses from one _enclosing callable_ to another, the
     // interprocedural data-flow library discards call contexts and inserts a
     // node in the big-step relation used for human-readable path explanations.
     // Therefore we want a distinct enclosing callable for each `VariableNode`,
     // and that can be the `Variable` itself.
-    result = v
+    result.asSourceCallable() = v
   }
 
   override DataFlowType getType() {

cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.expected

@@ -102,32 +102,49 @@ sourceCallables
 | tests.cpp:139:6:139:10 | value |
 | tests.cpp:140:6:140:11 | value2 |
 | tests.cpp:141:7:141:9 | ptr |
+| tests.cpp:144:5:144:19 | madArg0ToReturn |
 | tests.cpp:144:25:144:25 | x |
+| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
 | tests.cpp:145:34:145:34 | x |
 | tests.cpp:146:5:146:15 | notASummary |
 | tests.cpp:146:21:146:21 | x |
+| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
 | tests.cpp:147:34:147:34 | x |
+| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
 | tests.cpp:148:34:148:34 | x |
+| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
 | tests.cpp:149:41:149:41 | x |
+| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
 | tests.cpp:150:37:150:37 | x |
+| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
 | tests.cpp:151:32:151:32 | x |
 | tests.cpp:151:40:151:40 | y |
+| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
 | tests.cpp:152:47:152:47 | x |
 | tests.cpp:152:55:152:55 | y |
+| tests.cpp:153:5:153:18 | madArgsComplex |
 | tests.cpp:153:25:153:25 | a |
 | tests.cpp:153:33:153:33 | b |
 | tests.cpp:153:40:153:40 | c |
 | tests.cpp:153:47:153:47 | d |
+| tests.cpp:154:5:154:14 | madArgsAny |
 | tests.cpp:154:20:154:20 | a |
 | tests.cpp:154:28:154:28 | b |
+| tests.cpp:155:5:155:28 | madAndImplementedComplex |
 | tests.cpp:155:34:155:34 | a |
 | tests.cpp:155:41:155:41 | b |
 | tests.cpp:155:48:155:48 | c |
+| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
 | tests.cpp:160:38:160:39 | mc |
+| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
 | tests.cpp:161:47:161:48 | mc |
+| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
 | tests.cpp:162:46:162:47 | mc |
+| tests.cpp:163:13:163:32 | madArg0ToReturnField |
 | tests.cpp:163:38:163:38 | x |
+| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
 | tests.cpp:164:47:164:47 | x |
+| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
 | tests.cpp:165:46:165:46 | x |
 | tests.cpp:167:13:167:30 | madFieldToFieldVar |
 | tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
@@ -160,9 +177,13 @@ sourceCallables
 | tests.cpp:280:7:280:23 | qualifierArg0Sink |
 | tests.cpp:280:29:280:29 | x |
 | tests.cpp:281:7:281:24 | qualifierFieldSink |
+| tests.cpp:284:7:284:19 | madArg0ToSelf |
 | tests.cpp:284:25:284:25 | x |
+| tests.cpp:285:6:285:20 | madSelfToReturn |
 | tests.cpp:286:6:286:16 | notASummary |
+| tests.cpp:287:7:287:20 | madArg0ToField |
 | tests.cpp:287:26:287:26 | x |
+| tests.cpp:288:6:288:21 | madFieldToReturn |
 | tests.cpp:290:6:290:8 | val |
 | tests.cpp:293:7:293:7 | MyDerivedClass |
 | tests.cpp:293:7:293:7 | operator= |
@@ -183,6 +204,7 @@ sourceCallables
 | tests.cpp:308:52:308:52 | x |
 | tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
 | tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
+| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
 | tests.cpp:317:22:317:28 | source3 |
 | tests.cpp:319:6:319:23 | test_class_members |
 | tests.cpp:320:10:320:11 | mc |
@@ -208,10 +230,14 @@ sourceCallables
 | tests.cpp:429:8:429:14 | intPair |
 | tests.cpp:430:6:430:10 | first |
 | tests.cpp:431:6:431:11 | second |
+| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
 | tests.cpp:434:37:434:43 | fun_ptr |
+| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
 | tests.cpp:435:46:435:52 | fun_ptr |
+| tests.cpp:436:6:436:25 | madCallArg0WithValue |
 | tests.cpp:436:34:436:40 | fun_ptr |
 | tests.cpp:436:53:436:57 | value |
+| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
 | tests.cpp:437:45:437:51 | fun_ptr |
 | tests.cpp:437:64:437:68 | value |
 | tests.cpp:439:5:439:14 | getTainted |
@@ -225,13 +251,15 @@ sourceCallables
 | tests.cpp:457:8:457:35 | StructWithTypedefInParameter<int> |
 | tests.cpp:458:12:458:15 | Type |
 | tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
+| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
 | tests.cpp:459:45:459:45 | x |
 | tests.cpp:459:45:459:45 | x |
 | tests.cpp:462:6:462:37 | test_parameter_ref_to_return_ref |
 | tests.cpp:463:6:463:6 | x |
 | tests.cpp:464:36:464:36 | s |
 | tests.cpp:465:6:465:6 | y |
 | tests.cpp:469:7:469:9 | INT |
+| tests.cpp:471:5:471:17 | receive_array |
 | tests.cpp:471:23:471:23 | a |
 | tests.cpp:473:6:473:23 | test_receive_array |
 | tests.cpp:474:6:474:6 | x |