
Commit 7705fc4

C++: Add more test cases for iterator taint flow.
1 parent 02578cf commit 7705fc4

3 files changed

+174
-0
lines changed


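--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3197,6 +3197,52 @@
 | standalone_iterators.cpp:90:8:90:8 | call to operator-- | standalone_iterators.cpp:90:5:90:5 | call to operator* | TAINT |
 | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:6:90:7 | ref arg i2 | |
 | standalone_iterators.cpp:90:13:90:13 | 0 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | TAINT |
+| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:101:6:101:7 | c1 | |
+| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:102:6:102:7 | c1 | |
+| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:106:6:106:7 | c1 | |
+| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:109:7:109:8 | c1 | |
+| standalone_iterators.cpp:101:6:101:7 | c1 | standalone_iterators.cpp:101:9:101:13 | call to begin | TAINT |
+| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:102:6:102:7 | c1 | |
+| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:106:6:106:7 | c1 | |
+| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 | |
+| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:101:2:101:15 | ... = ... | |
+| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:103:3:103:3 | a | |
+| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:104:7:104:7 | a | |
+| standalone_iterators.cpp:102:6:102:7 | c1 | standalone_iterators.cpp:102:9:102:13 | call to begin | TAINT |
+| standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:106:6:106:7 | c1 | |
+| standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 | |
+| standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:102:2:102:15 | ... = ... | |
+| standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:107:7:107:7 | b | |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | ref arg a | TAINT |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:106:6:106:7 | c1 | |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:109:7:109:8 | c1 | |
+| standalone_iterators.cpp:103:3:103:3 | a | standalone_iterators.cpp:103:2:103:2 | call to operator* | TAINT |
+| standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:104:7:104:7 | a | |
+| standalone_iterators.cpp:103:7:103:12 | call to source | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | TAINT |
+| standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:106:6:106:7 | c1 | |
+| standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:109:7:109:8 | c1 | |
+| standalone_iterators.cpp:106:6:106:7 | c1 | standalone_iterators.cpp:106:9:106:13 | call to begin | TAINT |
+| standalone_iterators.cpp:106:6:106:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 | |
+| standalone_iterators.cpp:106:9:106:13 | call to begin | standalone_iterators.cpp:106:2:106:15 | ... = ... | |
+| standalone_iterators.cpp:106:9:106:13 | call to begin | standalone_iterators.cpp:108:7:108:7 | c | |
+| standalone_iterators.cpp:107:7:107:7 | b [post update] | standalone_iterators.cpp:109:7:109:8 | c1 | |
+| standalone_iterators.cpp:108:7:108:7 | c [post update] | standalone_iterators.cpp:109:7:109:8 | c1 | |
+| standalone_iterators.cpp:113:15:113:16 | call to container | standalone_iterators.cpp:116:7:116:8 | c1 | |
+| standalone_iterators.cpp:113:15:113:16 | call to container | standalone_iterators.cpp:122:7:122:8 | c1 | |
+| standalone_iterators.cpp:116:7:116:8 | c1 | standalone_iterators.cpp:116:10:116:14 | call to begin | TAINT |
+| standalone_iterators.cpp:116:7:116:8 | ref arg c1 | standalone_iterators.cpp:122:7:122:8 | c1 | |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:116:2:116:16 | ... = ... | |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:117:7:117:8 | it | |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:118:2:118:3 | it | |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:119:7:119:8 | it | |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:120:2:120:3 | it | |
+| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:121:7:121:8 | it | |
+| standalone_iterators.cpp:117:7:117:8 | it [post update] | standalone_iterators.cpp:122:7:122:8 | c1 | |
+| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:119:7:119:8 | it | |
+| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:120:2:120:3 | it | |
+| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it | |
+| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:122:7:122:8 | c1 | |
+| standalone_iterators.cpp:120:2:120:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it | |
 | stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
 | stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
 | stl.h:75:8:75:8 | this | stl.h:75:8:75:8 | constructor init of field container [pre-this] | |
@@ -7481,3 +7527,64 @@
 | vector.cpp:496:25:496:30 | call to source | vector.cpp:496:2:496:3 | ref arg v2 | TAINT |
 | vector.cpp:496:25:496:30 | call to source | vector.cpp:496:5:496:11 | call to emplace | TAINT |
 | vector.cpp:497:7:497:8 | ref arg v2 | vector.cpp:498:1:498:1 | v2 | |
+| vector.cpp:503:18:503:21 | {...} | vector.cpp:506:8:506:9 | as | |
+| vector.cpp:503:18:503:21 | {...} | vector.cpp:507:8:507:9 | as | |
+| vector.cpp:503:18:503:21 | {...} | vector.cpp:509:9:509:10 | as | |
+| vector.cpp:503:18:503:21 | {...} | vector.cpp:515:8:515:9 | as | |
+| vector.cpp:503:20:503:20 | 0 | vector.cpp:503:18:503:21 | {...} | TAINT |
+| vector.cpp:506:8:506:9 | as | vector.cpp:506:8:506:12 | access to array | |
+| vector.cpp:506:11:506:11 | 1 | vector.cpp:506:8:506:12 | access to array | TAINT |
+| vector.cpp:507:8:507:9 | as | vector.cpp:507:8:507:19 | access to array | |
+| vector.cpp:507:11:507:16 | call to source | vector.cpp:507:8:507:19 | access to array | TAINT |
+| vector.cpp:509:9:509:10 | as | vector.cpp:509:3:509:10 | ... = ... | |
+| vector.cpp:509:9:509:10 | as | vector.cpp:510:9:510:11 | ptr | |
+| vector.cpp:509:9:509:10 | as | vector.cpp:511:3:511:5 | ptr | |
+| vector.cpp:510:9:510:11 | ptr | vector.cpp:510:8:510:11 | * ... | TAINT |
+| vector.cpp:511:3:511:5 | ptr | vector.cpp:511:3:511:10 | ... += ... | TAINT |
+| vector.cpp:511:3:511:10 | ... += ... | vector.cpp:512:9:512:11 | ptr | |
+| vector.cpp:511:3:511:10 | ... += ... | vector.cpp:513:3:513:5 | ptr | |
+| vector.cpp:511:10:511:10 | 1 | vector.cpp:511:3:511:10 | ... += ... | TAINT |
+| vector.cpp:512:9:512:11 | ptr | vector.cpp:512:8:512:11 | * ... | TAINT |
+| vector.cpp:513:3:513:5 | ptr | vector.cpp:513:3:513:17 | ... += ... | TAINT |
+| vector.cpp:513:3:513:17 | ... += ... | vector.cpp:514:9:514:11 | ptr | |
+| vector.cpp:513:10:513:15 | call to source | vector.cpp:513:3:513:17 | ... += ... | TAINT |
+| vector.cpp:514:9:514:11 | ptr | vector.cpp:514:8:514:11 | * ... | TAINT |
+| vector.cpp:515:8:515:9 | as | vector.cpp:515:8:515:12 | access to array | |
+| vector.cpp:515:11:515:11 | 1 | vector.cpp:515:8:515:12 | access to array | TAINT |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:523:8:523:9 | vs | |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:524:8:524:9 | vs | |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:526:8:526:9 | vs | |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:532:8:532:9 | vs | |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:533:2:533:2 | vs | |
+| vector.cpp:520:30:520:30 | 0 | vector.cpp:520:25:520:31 | call to vector | TAINT |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:524:8:524:9 | vs | |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:526:8:526:9 | vs | |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:532:8:532:9 | vs | |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
+| vector.cpp:523:8:523:9 | vs | vector.cpp:523:10:523:10 | call to operator[] | TAINT |
+| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:526:8:526:9 | vs | |
+| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:532:8:532:9 | vs | |
+| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
+| vector.cpp:524:8:524:9 | vs | vector.cpp:524:10:524:10 | call to operator[] | TAINT |
+| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:532:8:532:9 | vs | |
+| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
+| vector.cpp:526:8:526:9 | vs | vector.cpp:526:11:526:15 | call to begin | TAINT |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:526:3:526:17 | ... = ... | |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:527:9:527:10 | it | |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:528:3:528:4 | it | |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:529:9:529:10 | it | |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:530:3:530:4 | it | |
+| vector.cpp:526:11:526:15 | call to begin | vector.cpp:531:9:531:10 | it | |
+| vector.cpp:527:9:527:10 | it | vector.cpp:527:8:527:8 | call to operator* | TAINT |
+| vector.cpp:528:3:528:4 | it | vector.cpp:528:6:528:6 | call to operator+= | |
+| vector.cpp:528:3:528:4 | ref arg it | vector.cpp:529:9:529:10 | it | |
+| vector.cpp:528:3:528:4 | ref arg it | vector.cpp:530:3:530:4 | it | |
+| vector.cpp:528:3:528:4 | ref arg it | vector.cpp:531:9:531:10 | it | |
+| vector.cpp:528:9:528:9 | 1 | vector.cpp:528:6:528:6 | call to operator+= | |
+| vector.cpp:529:9:529:10 | it | vector.cpp:529:8:529:8 | call to operator* | TAINT |
+| vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= | |
+| vector.cpp:530:3:530:4 | ref arg it | vector.cpp:531:9:531:10 | it | |
+| vector.cpp:530:9:530:14 | call to source | vector.cpp:530:6:530:6 | call to operator+= | |
+| vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
+| vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
+| vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |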

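--- a/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
@@ -90,3 +90,34 @@ void test_insert_iterator() {
 *i2-- = 0;
 sink(c2); // clean
 }
+
+void sink(insert_iterator_by_trait);
+insert_iterator_by_trait &operator+=(insert_iterator_by_trait &it, int amount);
+
+void test_assign_through_iterator() {
+container c1;
+insert_iterator_by_trait a, b, c;
+
+a = c1.begin();
+b = c1.begin();
+*a = source();
+sink(a); // $ ast MISSING: ir
+
+c = c1.begin();
+sink(b); // MISSING: ast,ir
+sink(c); // $ ast MISSING: ir
+sink(c1); // $ ast MISSING: ir
+}
+
+void test_nonmember_iterator() {
+container c1;
+insert_iterator_by_trait it;
+
+it = c1.begin();
+sink(it);
+it += 1;
+sink(it);
+it += source();
+sink(it); // $ MISSING: ast,ir
+sink(c1);
+}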

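--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -496,3 +496,39 @@ void test_vector_emplace() {
 v2.emplace(v2.begin(), source());
 sink(v2); // $ ast,ir
 }
+
+void test_vector_iterator() {
+{
+// array behaviour, for comparison
+short as[100] = {0};
+short *ptr;
+
+sink(as[1]);
+sink(as[source()]); // $ ast,ir
+
+ptr = as;
+sink(*ptr);
+ptr += 1;
+sink(*ptr);
+ptr += source();
+sink(*ptr); // $ ast,ir
+sink(as[1]);
+}
+
+{
+// iterator behaviour
+std::vector<short> vs(100, 0);
+std::vector<short>::iterator it;
+
+sink(vs[1]);
+sink(vs[source()]); // $ MISSING: ast,ir
+
+it = vs.begin();
+sink(*it);
+it += 1;
+sink(*it);
+it += source();
+sink(*it); // $ MISSING: ast,ir
+sink(vs[1]);
+}
+}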
