C++: Add support for AST dataflow out of functions that take a smart pointer by value.

MathiasVP · MathiasVP · commit 9ff894bf839a · 2021-03-31T13:54:32.000+02:00
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -199,6 +199,8 @@ class DefinitionByReferenceOrIteratorNode extends PartialDefinitionNode {
       this.getPartialDefinition() instanceof DefinitionByReference
       or
       this.getPartialDefinition() instanceof DefinitionByIterator
+      or
+      this.getPartialDefinition() instanceof DefinitionBySmartPointer
     )
   }
 
@@ -330,6 +332,18 @@ class IteratorPartialDefinitionNode extends PartialDefinitionNode {
   override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
 }
 
+/**
+ * INTERNAL: do not use.
+ *
+ * A synthetic data flow node used for flow into a collection when a smart pointer
+ * write occurs in a callee.
+ */
+class SmartPointerPartialDefinitionNode extends PartialDefinitionNode {
+  override SmartPointerPartialDefinition pd;
+
+  override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
+}
+
 /**
  * A post-update node on the `e->f` in `f(&e->f)` (and other forms).
  */
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -7,6 +7,7 @@ private import semmle.code.cpp.controlflow.SSA
 private import semmle.code.cpp.dataflow.internal.SubBasicBlocks
 private import semmle.code.cpp.dataflow.internal.AddressFlow
 private import semmle.code.cpp.models.implementations.Iterator
+private import semmle.code.cpp.models.interfaces.PointerWrapper
 
 /**
  * A conceptual variable that is assigned only once, like an SSA variable. This
@@ -243,6 +244,54 @@ private module PartialDefinitions {
     }
   }
 
+  class SmartPointerPartialDefinition extends PartialDefinition {
+    Variable pointer;
+    Expr innerDefinedExpr;
+
+    SmartPointerPartialDefinition() {
+      exists(Expr convertedInner |
+        not this instanceof Conversion and
+        valueToUpdate(convertedInner, this.getFullyConverted(), node) and
+        innerDefinedExpr = convertedInner.getUnconverted() and
+        innerDefinedExpr = getAPointerWrapperAccess(pointer)
+      )
+      or
+      // iterators passed by value without a copy constructor
+      exists(Call call |
+        call = node and
+        call.getAnArgument() = innerDefinedExpr and
+        innerDefinedExpr = this and
+        this = getAPointerWrapperAccess(pointer) and
+        not call instanceof OverloadedPointerDereferenceExpr
+      )
+      or
+      // iterators passed by value with a copy constructor
+      exists(Call call, ConstructorCall copy |
+        copy.getTarget() instanceof CopyConstructor and
+        call = node and
+        call.getAnArgument() = copy and
+        copy.getArgument(0) = getAPointerWrapperAccess(pointer) and
+        innerDefinedExpr = this and
+        this = copy and
+        not call instanceof OverloadedPointerDereferenceExpr
+      )
+    }
+
+    deprecated override predicate partiallyDefines(Variable v) { v = pointer }
+
+    deprecated override predicate partiallyDefinesThis(ThisExpr e) { none() }
+
+    override predicate definesExpressions(Expr inner, Expr outer) {
+      inner = innerDefinedExpr and
+      outer = this
+    }
+
+    override predicate partiallyDefinesVariableAt(Variable v, ControlFlowNode cfn) {
+      v = pointer and
+      cfn = node
+    }
+  }
+
   /**
    * A partial definition that's a definition via an output iterator.
    */
@@ -256,6 +305,15 @@ private module PartialDefinitions {
   class DefinitionByReference extends VariablePartialDefinition {
     DefinitionByReference() { exists(Call c | this = c.getAnArgument() or this = c.getQualifier()) }
   }
+
+  /**
+   * A partial definition that's a definition via a smart pointer being passed into a function.
+   */
+  class DefinitionBySmartPointer extends SmartPointerPartialDefinition {
+    DefinitionBySmartPointer() {
+      exists(Call c | this = c.getAnArgument() or this = c.getQualifier())
+    }
+  }
 }
 
 import PartialDefinitions
@@ -296,7 +354,8 @@ module FlowVar_internal {
     // treating them as immutable, but for data flow it gives better results in
     // practice to make the variable synonymous with its contents.
     not v.getUnspecifiedType() instanceof ReferenceType and
-    not v instanceof IteratorParameter
+    not v instanceof IteratorParameter and
+    not v instanceof PointerWrapperParameter
   }
 
   /**
@@ -648,6 +707,8 @@ module FlowVar_internal {
     )
     or
     p instanceof IteratorParameter
+    or
+    p instanceof PointerWrapperParameter
   }
 
   /**
@@ -832,10 +893,19 @@ module FlowVar_internal {
     )
   }
 
+  Call getAPointerWrapperAccess(Variable pointer) {
+    pointer.getUnspecifiedType() instanceof PointerWrapper and
+    [result.getQualifier(), result.getAnArgument()] = pointer.getAnAccess()
+  }
+
   class IteratorParameter extends Parameter {
     IteratorParameter() { this.getUnspecifiedType() instanceof Iterator }
   }
 
+  class PointerWrapperParameter extends Parameter {
+    PointerWrapperParameter() { this.getUnspecifiedType() instanceof PointerWrapper }
+  }
+
   /**
    * Holds if `v` is initialized to have value `assignedExpr`.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -11,6 +11,7 @@
 private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.models.interfaces.Taint
 private import semmle.code.cpp.models.interfaces.Iterator
+private import semmle.code.cpp.models.interfaces.PointerWrapper
 
 private module DataFlow {
   import semmle.code.cpp.dataflow.internal.DataFlowUtil
@@ -141,7 +142,10 @@ private predicate noFlowFromChildExpr(Expr e) {
   or
   e instanceof LogicalOrExpr
   or
-  e instanceof Call
+  // Allow taint from `operator*` on smart pointers.
+  exists(Call call | e = call |
+    not call.getTarget() = any(PointerWrapper wrapper).getAnUnwrapperFunction()
+  )
   or
   e instanceof SizeofOperator
   or
diff --git a/cpp/ql/src/semmle/code/cpp/exprs/Call.qll b/cpp/ql/src/semmle/code/cpp/exprs/Call.qll
@@ -314,6 +314,7 @@ class OverloadedPointerDereferenceFunction extends Function {
  * T1 operator*(const T2 &);
  * T1 a; T2 b;
  * a = *b;
+ * ```
  */
 class OverloadedPointerDereferenceExpr extends FunctionCall {
   OverloadedPointerDereferenceExpr() {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3223,24 +3223,30 @@
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:11:52:11:57 | call to source | smart_pointer.cpp:11:30:11:50 | call to make_shared | TAINT |
+| smart_pointer.cpp:12:10:12:10 | call to operator* [post update] | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | TAINT |
 | smart_pointer.cpp:12:11:12:11 | ref arg p | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p |  |
+| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* | TAINT |
 | smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:24:11:24:11 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:23:52:23:57 | call to source | smart_pointer.cpp:23:30:23:50 | call to make_unique | TAINT |
+| smart_pointer.cpp:24:10:24:10 | call to operator* [post update] | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | TAINT |
 | smart_pointer.cpp:24:11:24:11 | ref arg p | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p |  |
+| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* | TAINT |
 | smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:37:6:37:6 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:39:11:39:11 | p |  |
+| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:38:10:38:10 | p |  |
+| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] |  |
 | smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* | TAINT |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:38:10:38:10 | p |  |
@@ -3251,6 +3257,8 @@
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:45:6:45:6 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p |  |
+| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:46:10:46:10 | p |  |
+| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] |  |
 | smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* | TAINT |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:46:10:46:10 | p |  |
@@ -3268,7 +3276,21 @@
 | smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:67:10:67:10 | p |  |
 | smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
 | smart_pointer.cpp:65:58:65:58 | 0 | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
+| smart_pointer.cpp:66:10:66:10 | p | smart_pointer.cpp:66:11:66:11 | call to operator-> | TAINT |
 | smart_pointer.cpp:66:10:66:10 | ref arg p | smart_pointer.cpp:67:10:67:10 | p |  |
+| smart_pointer.cpp:67:10:67:10 | p | smart_pointer.cpp:67:11:67:11 | call to operator-> | TAINT |
+| smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
+| smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:71:4:71:6 | ptr |  |
+| smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:70:37:70:39 | ptr |  |
+| smart_pointer.cpp:71:3:71:17 | ... = ... | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] |  |
+| smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* | TAINT |
+| smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
+| smart_pointer.cpp:71:10:71:15 | call to source | smart_pointer.cpp:71:3:71:17 | ... = ... |  |
+| smart_pointer.cpp:75:26:75:33 | call to shared_ptr | smart_pointer.cpp:76:13:76:13 | p |  |
+| smart_pointer.cpp:75:26:75:33 | call to shared_ptr | smart_pointer.cpp:77:9:77:9 | p |  |
+| smart_pointer.cpp:76:13:76:13 | call to shared_ptr [post update] | smart_pointer.cpp:77:9:77:9 | p |  |
+| smart_pointer.cpp:76:13:76:13 | p | smart_pointer.cpp:76:13:76:13 | call to shared_ptr |  |
+| smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* | TAINT |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -35,16 +35,16 @@ void test_reverse_taint_shared() {
     std::shared_ptr<int> p = std::make_shared<int>();
 
     *p = source();
-    sink(p); // $ MISSING: ast,ir
-    sink(*p); // $ MISSING: ast,ir
+    sink(p); // $ ast MISSING: ir
+    sink(*p); // $ ast MISSING: ir
 }
 
 void test_reverse_taint_unique() {
     std::unique_ptr<int> p = std::unique_ptr<int>();
 
     *p = source();
-    sink(p); // $ MISSING: ast,ir
-    sink(*p); // $ MISSING: ast,ir
+    sink(p); // $ ast MISSING: ir
+    sink(*p); // $ ast MISSING: ir
 }
 
 void test_shared_get() {
@@ -74,5 +74,5 @@ void getNumber(std::shared_ptr<int> ptr) {
 int test_from_issue_5190() {
   std::shared_ptr<int> p(new int);
   getNumber(p);
-  sink(*p); // $ MISSING: ast,ir
+  sink(*p); // $ ast MISSING: ir
 }
