Merge pull request github#3733 from geoffw0/models5

C++: Constructor and assignment models

Author: jbj

cpp/ql/src/semmle/code/cpp/models/Models.qll

@@ -4,6 +4,7 @@ private import implementations.Fread
 private import implementations.Gets
 private import implementations.IdentityFunction
 private import implementations.Inet
+private import implementations.MemberFunction
 private import implementations.Memcpy
 private import implementations.Memset
 private import implementations.Printf

cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll

@@ -0,0 +1,72 @@
+/**
+ * Provides models for C++ constructors and user-defined operators.
+ */
+
+import cpp
+import semmle.code.cpp.models.interfaces.DataFlow
+import semmle.code.cpp.models.interfaces.Taint
+
+/**
+ * Model for C++ conversion constructors.
+ */
+class ConversionConstructorModel extends ConversionConstructor, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from the first constructor argument to the returned object
+    input.isParameter(0) and
+    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+  }
+}
+
+/**
+ * Model for C++ copy constructors.
+ */
+class CopyConstructorModel extends CopyConstructor, DataFlowFunction {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // data flow from the first constructor argument to the returned object
+    input.isParameter(0) and
+    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+  }
+}
+
+/**
+ * Model for C++ move constructors.
+ */
+class MoveConstructorModel extends MoveConstructor, DataFlowFunction {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // data flow from the first constructor argument to the returned object
+    input.isParameter(0) and
+    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+  }
+}
+
+/**
+ * Model for C++ copy assignment operators.
+ */
+class CopyAssignmentOperatorModel extends CopyAssignmentOperator, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from argument to self
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+    or
+    // taint flow from argument to return value
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    // TODO: it would be more accurate to model copy assignment as data flow
+  }
+}
+
+/**
+ * Model for C++ move assignment operators.
+ */
+class MoveAssignmentOperatorModel extends MoveAssignmentOperator, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from argument to self
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+    or
+    // taint flow from argument to return value
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    // TODO: it would be more accurate to model move assignment as data flow
+  }
+}

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -1,19 +1,5 @@
 import semmle.code.cpp.models.interfaces.Taint
 
-/**
- * The `std::basic_string` constructor(s).
- */
-class StdStringConstructor extends TaintFunction {
-  pragma[noinline]
-  StdStringConstructor() { this.hasQualifiedName("std", "basic_string", "basic_string") }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from any constructor argument to return value
-    input.isParameter(_) and
-    output.isReturnValue()
-  }
-}
-
 /**
  * The standard function `std::string.c_str`.
  */

cpp/ql/test/library-tests/dataflow/taint-tests/copyableclass.cpp

@@ -0,0 +1,69 @@
+
+int source();
+void sink(...) {};
+
+class MyCopyableClass {
+public:
+	MyCopyableClass() {} // Constructor
+	MyCopyableClass(int _v) : v(_v) {} // ConversionConstructor
+	MyCopyableClass(const MyCopyableClass &other) : v(other.v) {} // CopyConstructor
+	MyCopyableClass &operator=(const MyCopyableClass &other) { // CopyAssignmentOperator
+		v = other.v;
+		return *this;
+	}
+
+	int v;
+};
+
+void test_copyableclass()
+{
+	{
+		MyCopyableClass s1(1);
+		MyCopyableClass s2 = 1;
+		MyCopyableClass s3(s1);
+		MyCopyableClass s4;
+		s4 = 1;
+
+		sink(s1);
+		sink(s2);
+		sink(s3);
+		sink(s4);
+	}
+
+	{
+		MyCopyableClass s1(source());
+		MyCopyableClass s2 = source();
+		MyCopyableClass s3(s1);
+		MyCopyableClass s4;
+		s4 = source();
+
+		sink(s1); // tainted
+		sink(s2); // tainted
+		sink(s3); // tainted
+		sink(s4); // tainted
+	}
+
+	{
+		MyCopyableClass s1;
+		MyCopyableClass s2 = s1;
+		MyCopyableClass s3(s1);
+		MyCopyableClass s4;
+		s4 = s1;
+
+		sink(s1);
+		sink(s2);
+		sink(s3);
+		sink(s4);
+	}
+
+	{
+		MyCopyableClass s1 = MyCopyableClass(source());
+		MyCopyableClass s2;
+		MyCopyableClass s3;
+		s2 = MyCopyableClass(source());
+
+		sink(s1); // tainted
+		sink(s2); // tainted
+		sink(s3 = source()); // tainted
+	}
+}