C++: Post-update flow through &, *, +, ...

Flow from a definition by reference of a field into its object was
working inconsistently and in a very syntax-dependent way. For a
function `f` receiving a reference, `f(a->x)` could propagate data back
to `a` via the _reverse read_ mechanism in the shared data-flow library,
but for a function `g` receiving a pointer, `g(&a->x)` would not work.
And `f((*a).x)` would not work either.

In all cases, the issue was that the shared data-flow library propagates
data backwards between `PostUpdateNode`s only, but there is no
`PostUpdateNode` for `a->x` in `g(&a->x)`. This pull request inserts
such post-update nodes where appropriate and links them to their
neighbors. In this exapmle, flow back from the output parameter of `g`
passes first to the `PostUpdateNode` of `&`, then to the (new)
`PostUpdateNode` of `a->x`, and finally, as a _reverse read_ with the
appropriate field projection, to `a`.

Author: jbj

cpp/ql/src/semmle/code/cpp/dataflow/EscapesTree.qll

@@ -4,6 +4,14 @@
  * passed to a function, or similar.
  */
 
+/*
+ * Maintainer note: this file is one of several files that are similar but not
+ * identical. Many changes to this file will also apply to the others:
+ * - AddressConstantExpression.qll
+ * - AddressFlow.qll
+ * - EscapesTree.qll
+ */
+
 private import cpp
 
 /**

cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll

@@ -0,0 +1,235 @@
+/**
+ * Provides a local analysis for identifying where a variable address
+ * is effectively taken. Array-like offsets are allowed to pass through but
+ * not field-like offsets.
+ *
+ * This library is specialized to meet the needs of `FlowVar.qll`.
+ */
+
+/*
+ * Maintainer note: this file is one of several files that are similar but not
+ * identical. Many changes to this file will also apply to the others:
+ * - AddressConstantExpression.qll
+ * - AddressFlow.qll
+ * - EscapesTree.qll
+ */
+
+private import cpp
+
+/**
+ * Holds if `f` is an instantiation of the `std::move` or `std::forward`
+ * template functions, these functions are essentially casts, so we treat them
+ * as such.
+ */
+private predicate stdIdentityFunction(Function f) {
+  f.getNamespace().getParentNamespace() instanceof GlobalNamespace and
+  f.getNamespace().getName() = "std" and
+  (
+    f.getName() = "move"
+    or
+    f.getName() = "forward"
+  )
+}
+
+private predicate lvalueToLvalueStep(Expr lvalueIn, Expr lvalueOut) {
+  lvalueIn.getConversion() = lvalueOut.(ParenthesisExpr)
+  or
+  // When an object is implicitly converted to a reference to one of its base
+  // classes, it gets two `Conversion`s: there is first an implicit
+  // `CStyleCast` to its base class followed by a `ReferenceToExpr` to a
+  // reference to its base class. Whereas an explicit cast to the base class
+  // would produce an rvalue, which would not be convertible to an lvalue
+  // reference, this implicit cast instead produces an lvalue. The following
+  // case ensures that we propagate the property of being an lvalue through
+  // such casts.
+  lvalueIn.getConversion() = lvalueOut and
+  lvalueOut.(CStyleCast).isImplicit()
+  or
+  // C++ only
+  lvalueIn = lvalueOut.(PrefixCrementOperation).getOperand().getFullyConverted()
+  or
+  // C++ only
+  lvalueIn = lvalueOut.(Assignment).getLValue().getFullyConverted()
+}
+
+private predicate pointerToLvalueStep(Expr pointerIn, Expr lvalueOut) {
+  pointerIn = lvalueOut.(ArrayExpr).getArrayBase().getFullyConverted()
+  or
+  pointerIn = lvalueOut.(PointerDereferenceExpr).getOperand().getFullyConverted()
+}
+
+private predicate lvalueToPointerStep(Expr lvalueIn, Expr pointerOut) {
+  lvalueIn.getConversion() = pointerOut.(ArrayToPointerConversion)
+  or
+  lvalueIn = pointerOut.(AddressOfExpr).getOperand().getFullyConverted()
+}
+
+private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
+  (
+    pointerOut instanceof PointerAddExpr
+    or
+    pointerOut instanceof PointerSubExpr
+  ) and
+  pointerIn = pointerOut.getAChild().getFullyConverted() and
+  pointerIn.getUnspecifiedType() instanceof PointerType
+  or
+  pointerIn = pointerOut.(UnaryPlusExpr).getOperand().getFullyConverted()
+  or
+  pointerIn.getConversion() = pointerOut.(Cast)
+  or
+  pointerIn.getConversion() = pointerOut.(ParenthesisExpr)
+  or
+  pointerIn = pointerOut.(ConditionalExpr).getThen().getFullyConverted()
+  or
+  pointerIn = pointerOut.(ConditionalExpr).getElse().getFullyConverted()
+  or
+  pointerIn = pointerOut.(CommaExpr).getRightOperand().getFullyConverted()
+  or
+  pointerIn = pointerOut.(StmtExpr).getResultExpr().getFullyConverted()
+}
+
+private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
+  lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
+}
+
+private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
+  referenceIn.getConversion() = lvalueOut.(ReferenceDereferenceExpr)
+}
+
+private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
+  referenceOut =
+    any(FunctionCall call |
+      stdIdentityFunction(call.getTarget()) and
+      referenceIn = call.getArgument(0).getFullyConverted()
+    )
+  or
+  referenceIn.getConversion() = referenceOut.(Cast)
+  or
+  referenceIn.getConversion() = referenceOut.(ParenthesisExpr)
+}
+
+private predicate assignmentTo(Expr updated, ControlFlowNode node) {
+  updated = node.(Assignment).getLValue().getFullyConverted()
+  or
+  updated = node.(CrementOperation).getOperand().getFullyConverted()
+}
+
+private predicate lvalueToUpdate(Expr lvalue, Expr outer, ControlFlowNode node) {
+  (
+    exists(Call call | node = call |
+      outer = call.getQualifier().getFullyConverted() and
+      outer.getUnspecifiedType() instanceof Class and
+      not call.getTarget().hasSpecifier("const")
+    )
+    or
+    assignmentTo(outer, node)
+    or
+    exists(DotFieldAccess fa |
+      // `fa.otherField = ...` or `f(&fa)` or similar
+      outer = fa.getQualifier().getFullyConverted() and
+      valueToUpdate(fa, _, node)
+    )
+  ) and
+  lvalue = outer
+  or
+  exists(Expr lvalueMid |
+    lvalueToLvalueStep(lvalue, lvalueMid) and
+    lvalueToUpdate(lvalueMid, outer, node)
+  )
+  or
+  exists(Expr pointerMid |
+    lvalueToPointerStep(lvalue, pointerMid) and
+    pointerToUpdate(pointerMid, outer, node)
+  )
+  or
+  exists(Expr referenceMid |
+    lvalueToReferenceStep(lvalue, referenceMid) and
+    referenceToUpdate(referenceMid, outer, node)
+  )
+}
+
+private predicate pointerToUpdate(Expr pointer, Expr outer, ControlFlowNode node) {
+  (
+    exists(Call call | node = call |
+      outer = call.getAnArgument().getFullyConverted() and
+      exists(PointerType pt | pt = outer.getType().stripTopLevelSpecifiers() |
+        not pt.getBaseType().isConst()
+      )
+      or
+      outer = call.getQualifier().getFullyConverted() and
+      outer.getUnspecifiedType() instanceof PointerType and
+      not call.getTarget().hasSpecifier("const")
+    )
+    or
+    exists(PointerFieldAccess fa |
+      // `fa.otherField = ...` or `f(&fa)` or similar
+      outer = fa.getQualifier().getFullyConverted() and
+      valueToUpdate(fa, _, node)
+    )
+  ) and
+  pointer = outer
+  or
+  exists(Expr lvalueMid |
+    pointerToLvalueStep(pointer, lvalueMid) and
+    lvalueToUpdate(lvalueMid, outer, node)
+  )
+  or
+  exists(Expr pointerMid |
+    pointerToPointerStep(pointer, pointerMid) and
+    pointerToUpdate(pointerMid, outer, node)
+  )
+}
+
+private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode node) {
+  exists(Call call |
+    node = call and
+    outer = call.getAnArgument().getFullyConverted() and
+    not stdIdentityFunction(call.getTarget()) and
+    exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
+      not rt.getBaseType().isConst()
+    )
+  ) and
+  reference = outer
+  or
+  exists(Expr lvalueMid |
+    referenceToLvalueStep(reference, lvalueMid) and
+    lvalueToUpdate(lvalueMid, outer, node)
+  )
+  or
+  exists(Expr referenceMid |
+    referenceToReferenceStep(reference, referenceMid) and
+    referenceToUpdate(referenceMid, outer, node)
+  )
+}
+
+/**
+ * Holds if `node` is a control-flow node that may modify `inner` (or what it
+ * points to) through `outer`. The two expressions may be `Conversion`s. Plain
+ * assignments to variables are not included in this predicate since they are
+ * assumed to be analyzed by SSA or similar means.
+ *
+ * For example, in `f(& (*a).x)`, there are two results:
+ * - `inner` = `... .x`, `outer` = `&...`, `node` = `f(...)`.
+ * - `inner` = `a`, `outer` = `(...)`, `node` = `f(...)`.
+ */
+cached
+predicate valueToUpdate(Expr inner, Expr outer, ControlFlowNode node) {
+  (
+    lvalueToUpdate(inner, outer, node)
+    or
+    pointerToUpdate(inner, outer, node)
+    or
+    referenceToUpdate(inner, outer, node)
+  ) and
+  (
+    inner instanceof VariableAccess and
+    // Don't track non-field assignments
+    (assignmentTo(outer, _) implies inner instanceof FieldAccess)
+    or
+    inner instanceof ThisExpr
+    or
+    inner instanceof Call
+    // `baseValue` could also be `*` or `ReferenceDereferenceExpr`, but we
+    // can't do anything useful with those at the moment.
+  )
+}

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -20,10 +20,12 @@ private newtype TNode =
   TInstanceParameterNode(MemberFunction f) { exists(f.getBlock()) and not f.isStatic() } or
   TPreConstructorInitThis(ConstructorFieldInit cfi) or
   TPostConstructorInitThis(ConstructorFieldInit cfi) or
-  TThisArgumentPostUpdate(ThisExpr ta) {
-    exists(Call c, int i |
-      ta = c.getArgument(i) and
-      not c.getTarget().getParameter(i).getUnderlyingType().(PointerType).getBaseType().isConst()
+  TInnerPartialDefinitionNode(Expr e) {
+    exists(PartialDefinition def, Expr outer |
+      def.definesExpressions(e, outer) and
+      // This condition ensures that we don't get two post-update nodes sharing
+      // the same pre-update node.
+      e != outer
     )
   } or
   TUninitializedNode(LocalVariable v) { not v.hasInitializer() } or
@@ -66,7 +68,7 @@ class Node extends TNode {
    * a partial definition of `&x`).
    */
   Expr asPartialDefinition() {
-    result = this.(PartialDefinitionNode).getPartialDefinition().getDefinedExpr()
+    this.(PartialDefinitionNode).getPartialDefinition().definesExpressions(_, result)
   }
 
   /**
@@ -198,25 +200,23 @@ class ImplicitParameterNode extends ParameterNode, TInstanceParameterNode {
  * returned. This node will have its `getArgument()` equal to `&x`.
  */
 class DefinitionByReferenceNode extends PartialDefinitionNode {
-  VariableAccess va;
+  Expr inner;
   Expr argument;
 
   DefinitionByReferenceNode() {
-    exists(DefinitionByReference def |
-      def = this.getPartialDefinition() and
-      argument = def.getDefinedExpr() and
-      va = def.getVariableAccess()
-    )
+    this.getPartialDefinition().(DefinitionByReference).definesExpressions(inner, argument)
   }
 
-  override Function getFunction() { result = va.getEnclosingFunction() }
+  override Function getFunction() { result = inner.getEnclosingFunction() }
 
-  override Type getType() { result = va.getType() }
+  override Type getType() { result = inner.getType() }
 
   override string toString() { result = "ref arg " + argument.toString() }
 
   override Location getLocation() { result = argument.getLocation() }
 
+  override ExprNode getPreUpdateNode() { result.getExpr() = argument }
+
   /** Gets the argument corresponding to this node. */
   Expr getArgument() { result = argument }
 
@@ -297,7 +297,7 @@ private class PartialDefinitionNode extends PostUpdateNode, TPartialDefinitionNo
 
   PartialDefinitionNode() { this = TPartialDefinitionNode(pd) }
 
-  override Node getPreUpdateNode() { result.asExpr() = pd.getDefinedExpr() }
+  override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
 
   override Location getLocation() { result = pd.getActualLocation() }
 
@@ -306,14 +306,23 @@ private class PartialDefinitionNode extends PostUpdateNode, TPartialDefinitionNo
   override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
 }
 
-private class ThisArgumentPostUpdateNode extends PostUpdateNode, TThisArgumentPostUpdate {
-  ThisExpr thisExpr;
+/**
+ * A post-update node on the `e->f` in `f(&e->f)` (and other forms).
+ */
+private class InnerPartialDefinitionNode extends TInnerPartialDefinitionNode, PostUpdateNode {
+  Expr e;
+
+  InnerPartialDefinitionNode() { this = TInnerPartialDefinitionNode(e) }
 
-  ThisArgumentPostUpdateNode() { this = TThisArgumentPostUpdate(thisExpr) }
+  override ExprNode getPreUpdateNode() { result.getExpr() = e }
 
-  override Node getPreUpdateNode() { result.asExpr() = thisExpr }
+  override Function getFunction() { result = e.getEnclosingFunction() }
 
-  override string toString() { result = "ref arg this" }
+  override Type getType() { result = e.getType() }
+
+  override string toString() { result = e.toString() + " [inner post update]" }
+
+  override Location getLocation() { result = e.getLocation() }
 }
 
 /**
@@ -520,6 +529,14 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   or
   // post-update-`this` -> following-`this`-ref
   ThisFlow::adjacentThisRefs(nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
+  or
+  // In `f(&x->a)`, this step provides the flow from post-`&` to post-`x->a`,
+  // from which there is field flow to `x` via reverse read.
+  exists(PartialDefinition def, Expr inner, Expr outer |
+    def.definesExpressions(inner, outer) and
+    inner = nodeTo.(InnerPartialDefinitionNode).getPreUpdateNode().asExpr() and
+    outer = nodeFrom.(PartialDefinitionNode).getPreUpdateNode().asExpr()
+  )
 }
 
 /**