Merge branch 'main' into impropnull

Author: geoffw0

cpp/change-notes/2021-07-29-virtual-function-declaration-specifiers.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Virtual function specifiers are now accessible via the new predicates on `Function` (`.isDeclaredVirtual`, `.isOverride`, and `.isFinal`).

cpp/ql/src/semmle/code/cpp/Function.qll

@@ -82,9 +82,23 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   /** Holds if this function is inline. */
   predicate isInline() { this.hasSpecifier("inline") }
 
-  /** Holds if this function is virtual. */
+  /**
+   * Holds if this function is virtual.
+   *
+   * Unlike `isDeclaredVirtual()`, `isVirtual()` holds even if the function
+   * is not explicitly declared with the `virtual` specifier.
+   */
   predicate isVirtual() { this.hasSpecifier("virtual") }
 
+  /** Holds if this function is declared with the `virtual` specifier. */
+  predicate isDeclaredVirtual() { this.hasSpecifier("declared_virtual") }
+
+  /** Holds if this function is declared with the `override` specifier. */
+  predicate isOverride() { this.hasSpecifier("override") }
+
+  /** Holds if this function is declared with the `final` specifier. */
+  predicate isFinal() { this.hasSpecifier("final") }
+
   /**
    * Holds if this function is deleted.
    * This may be because it was explicitly deleted with an `= delete`

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -735,7 +735,12 @@ private module FieldFlow {
   private class FieldConfiguration extends Configuration {
     FieldConfiguration() { this = "FieldConfiguration" }
 
-    override predicate isSource(Node source) { storeStep(source, _, _) }
+    override predicate isSource(Node source) {
+      storeStep(source, _, _)
+      or
+      // Also mark `foo(a.b);` as a source when `a.b` may be overwritten by `foo`.
+      readStep(_, _, any(Node node | node.asExpr() = source.asDefiningArgument()))
+    }
 
     override predicate isSink(Node sink) { readStep(_, _, sink) }
 

cpp/ql/test/library-tests/clang_ms/element.expected

@@ -79,6 +79,7 @@
 | file://:0:0:0:0 | declaration of 1st parameter |
 | file://:0:0:0:0 | declared_constexpr |
 | file://:0:0:0:0 | declared_constinit |
+| file://:0:0:0:0 | declared_virtual |
 | file://:0:0:0:0 | decltype(nullptr) |
 | file://:0:0:0:0 | definition of fp_offset |
 | file://:0:0:0:0 | definition of gp_offset |
@@ -91,6 +92,7 @@
 | file://:0:0:0:0 | explicit |
 | file://:0:0:0:0 | extern |
 | file://:0:0:0:0 | far |
+| file://:0:0:0:0 | final |
 | file://:0:0:0:0 | float |
 | file://:0:0:0:0 | forceinline |
 | file://:0:0:0:0 | fp_offset |

cpp/ql/test/library-tests/conditions/elements.expected

@@ -49,6 +49,7 @@
 | file://:0:0:0:0 | const __va_list_tag & |
 | file://:0:0:0:0 | declared_constexpr |
 | file://:0:0:0:0 | declared_constinit |
+| file://:0:0:0:0 | declared_virtual |
 | file://:0:0:0:0 | decltype(nullptr) |
 | file://:0:0:0:0 | definition of <error> |
 | file://:0:0:0:0 | definition of fp_offset |
@@ -62,6 +63,7 @@
 | file://:0:0:0:0 | explicit |
 | file://:0:0:0:0 | extern |
 | file://:0:0:0:0 | far |
+| file://:0:0:0:0 | final |
 | file://:0:0:0:0 | float |
 | file://:0:0:0:0 | forceinline |
 | file://:0:0:0:0 | fp_offset |

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected

@@ -70,3 +70,8 @@
 | test.cpp:391:11:391:13 | tmp | test.cpp:391:10:391:13 | & ... |
 | test.cpp:391:17:391:23 | source1 | test.cpp:391:10:391:13 | ref arg & ... |
 | test.cpp:391:17:391:23 | source1 | test.cpp:391:16:391:23 | & ... |
+| test.cpp:480:67:480:67 | s | test.cpp:481:21:481:21 | s |
+| test.cpp:480:67:480:67 | s | test.cpp:482:20:482:20 | s |
+| test.cpp:481:21:481:21 | s [post update] | test.cpp:482:20:482:20 | s |
+| test.cpp:481:24:481:30 | ref arg content | test.cpp:482:23:482:29 | content |
+| test.cpp:482:23:482:29 | content | test.cpp:483:9:483:17 | p_content |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -470,3 +470,15 @@ void viaOutparam() {
   intOutparamSource(&x);
   sink(x); // $ ast,ir
 }
+
+void writes_to_content(void*);
+
+struct MyStruct {
+  int* content; 
+};
+
+void local_field_flow_def_by_ref_steps_with_local_flow(MyStruct * s) {
+  writes_to_content(s->content);
+  int* p_content = s->content;
+  sink(*p_content);
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -496,9 +496,13 @@
 | map.cpp:49:7:49:7 | f [post update] | map.cpp:51:7:51:7 | f |  |
 | map.cpp:49:7:49:7 | f [post update] | map.cpp:53:30:53:30 | f |  |
 | map.cpp:49:7:49:7 | f [post update] | map.cpp:59:6:59:6 | f |  |
+| map.cpp:49:9:49:13 | ref arg first | map.cpp:54:9:54:13 | first |  |
+| map.cpp:49:9:49:13 | ref arg first | map.cpp:60:9:60:13 | first |  |
 | map.cpp:50:7:50:7 | f [post update] | map.cpp:51:7:51:7 | f |  |
 | map.cpp:50:7:50:7 | f [post update] | map.cpp:53:30:53:30 | f |  |
 | map.cpp:50:7:50:7 | f [post update] | map.cpp:59:6:59:6 | f |  |
+| map.cpp:50:9:50:14 | ref arg second | map.cpp:55:9:55:14 | second |  |
+| map.cpp:50:9:50:14 | ref arg second | map.cpp:61:9:61:14 | second |  |
 | map.cpp:53:30:53:30 | f | map.cpp:54:7:54:7 | g |  |
 | map.cpp:53:30:53:30 | f | map.cpp:55:7:55:7 | g |  |
 | map.cpp:53:30:53:30 | f | map.cpp:56:7:56:7 | g |  |
@@ -3395,6 +3399,7 @@
 | smart_pointer.cpp:125:20:125:20 | call to operator-> [post update] | smart_pointer.cpp:125:18:125:19 | ref arg p1 | TAINT |
 | smart_pointer.cpp:125:22:125:22 | q | smart_pointer.cpp:125:18:125:22 | call to shared_ptr |  |
 | smart_pointer.cpp:125:22:125:22 | ref arg q | smart_pointer.cpp:125:22:125:22 | q [inner post update] |  |
+| smart_pointer.cpp:125:22:125:22 | ref arg q | smart_pointer.cpp:126:12:126:12 | q |  |
 | smart_pointer.cpp:126:8:126:9 | p1 | smart_pointer.cpp:126:10:126:10 | call to operator-> |  |
 | smart_pointer.cpp:126:8:126:9 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 |  |
 | smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 | TAINT |
@@ -3432,6 +3437,7 @@
 | smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 |  |
 | smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:134:8:134:9 | p1 |  |
 | smart_pointer.cpp:133:25:133:25 | call to operator-> [post update] | smart_pointer.cpp:133:23:133:24 | ref arg p1 | TAINT |
+| smart_pointer.cpp:133:27:133:27 | ref arg q | smart_pointer.cpp:134:12:134:12 | q |  |
 | smart_pointer.cpp:134:8:134:9 | p1 | smart_pointer.cpp:134:10:134:10 | call to operator-> |  |
 | smart_pointer.cpp:134:8:134:9 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 |  |
 | smart_pointer.cpp:134:10:134:10 | call to operator-> [post update] | smart_pointer.cpp:134:8:134:9 | ref arg p1 | TAINT |
@@ -6435,6 +6441,7 @@
 | taint.cpp:669:18:669:18 | s [post update] | taint.cpp:671:7:671:7 | s |  |
 | taint.cpp:669:18:669:18 | s [post update] | taint.cpp:672:7:672:7 | s |  |
 | taint.cpp:669:18:669:18 | s [post update] | taint.cpp:673:7:673:7 | s |  |
+| taint.cpp:669:20:669:20 | ref arg x | taint.cpp:672:9:672:9 | x |  |
 | taint.cpp:672:7:672:7 | s [post update] | taint.cpp:673:7:673:7 | s |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
@@ -7076,14 +7083,20 @@
 | vector.cpp:198:3:198:4 | ee [post update] | vector.cpp:200:3:200:4 | ee |  |
 | vector.cpp:198:3:198:4 | ee [post update] | vector.cpp:201:8:201:9 | ee |  |
 | vector.cpp:198:3:198:4 | ee [post update] | vector.cpp:202:2:202:2 | ee |  |
+| vector.cpp:198:6:198:7 | ref arg vs | vector.cpp:199:11:199:12 | vs |  |
+| vector.cpp:198:6:198:7 | ref arg vs | vector.cpp:200:6:200:7 | vs |  |
+| vector.cpp:198:6:198:7 | ref arg vs | vector.cpp:201:11:201:12 | vs |  |
 | vector.cpp:198:19:198:19 | 0 | vector.cpp:198:6:198:7 | ref arg vs | TAINT |
 | vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:200:3:200:4 | ee |  |
 | vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:201:8:201:9 | ee |  |
 | vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:202:2:202:2 | ee |  |
+| vector.cpp:199:11:199:12 | ref arg vs | vector.cpp:200:6:200:7 | vs |  |
+| vector.cpp:199:11:199:12 | ref arg vs | vector.cpp:201:11:201:12 | vs |  |
 | vector.cpp:199:11:199:12 | vs | vector.cpp:199:13:199:13 | call to operator[] | TAINT |
 | vector.cpp:200:3:200:4 | ee [post update] | vector.cpp:201:8:201:9 | ee |  |
 | vector.cpp:200:3:200:4 | ee [post update] | vector.cpp:202:2:202:2 | ee |  |
 | vector.cpp:200:3:200:21 | ... = ... | vector.cpp:200:8:200:8 | call to operator[] [post update] |  |
+| vector.cpp:200:6:200:7 | ref arg vs | vector.cpp:201:11:201:12 | vs |  |
 | vector.cpp:200:6:200:7 | vs | vector.cpp:200:8:200:8 | call to operator[] | TAINT |
 | vector.cpp:200:8:200:8 | call to operator[] [post update] | vector.cpp:200:6:200:7 | ref arg vs | TAINT |
 | vector.cpp:200:14:200:19 | call to source | vector.cpp:200:3:200:21 | ... = ... |  |

cpp/ql/test/library-tests/specifiers2/specifiers2.expected

@@ -43,10 +43,12 @@
 | Function | specifiers2pp.cpp:10:18:10:24 | MyClass | MyClass | public |
 | Function | specifiers2pp.cpp:12:14:12:22 | publicFun | publicFun | inline |
 | Function | specifiers2pp.cpp:12:14:12:22 | publicFun | publicFun | public |
+| Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | declared_virtual |
 | Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | extern |
 | Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | public |
 | Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | pure |
 | Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | virtual |
+| Function | specifiers2pp.cpp:14:21:14:21 | f | f | declared_virtual |
 | Function | specifiers2pp.cpp:14:21:14:21 | f | f | extern |
 | Function | specifiers2pp.cpp:14:21:14:21 | f | f | public |
 | Function | specifiers2pp.cpp:14:21:14:21 | f | f | virtual |
@@ -71,6 +73,7 @@
 | Function | specifiers2pp.cpp:24:7:24:7 | operator= | operator= | inline |
 | Function | specifiers2pp.cpp:24:7:24:7 | operator= | operator= | public |
 | Function | specifiers2pp.cpp:24:7:24:7 | operator= | operator= | public |
+| Function | specifiers2pp.cpp:26:21:26:21 | f | f | declared_virtual |
 | Function | specifiers2pp.cpp:26:21:26:21 | f | f | extern |
 | Function | specifiers2pp.cpp:26:21:26:21 | f | f | override |
 | Function | specifiers2pp.cpp:26:21:26:21 | f | f | public |

cpp/ql/test/library-tests/templates/instantiations_functions/elements.expected

@@ -109,6 +109,7 @@
 | file://:0:0:0:0 | declaration of 1st parameter |
 | file://:0:0:0:0 | declared_constexpr |
 | file://:0:0:0:0 | declared_constinit |
+| file://:0:0:0:0 | declared_virtual |
 | file://:0:0:0:0 | decltype(nullptr) |
 | file://:0:0:0:0 | definition of fp_offset |
 | file://:0:0:0:0 | definition of gp_offset |
@@ -121,6 +122,7 @@
 | file://:0:0:0:0 | explicit |
 | file://:0:0:0:0 | extern |
 | file://:0:0:0:0 | far |
+| file://:0:0:0:0 | final |
 | file://:0:0:0:0 | float |
 | file://:0:0:0:0 | forceinline |
 | file://:0:0:0:0 | fp_offset |