C++: Test range-based-for with std::vector too

Author: jbj

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -453,6 +453,60 @@
 | stl.cpp:252:22:252:28 | const_s | stl.cpp:252:22:252:22 | (__range) |  |
 | stl.cpp:252:22:252:28 | const_s | stl.cpp:252:22:252:22 | (__range) |  |
 | stl.cpp:252:22:252:28 | const_s | stl.cpp:252:22:252:22 | call to operator* | TAINT |
+| stl.cpp:288:43:288:49 | source1 | stl.cpp:292:21:292:27 | source1 |  |
+| stl.cpp:288:43:288:49 | source1 | stl.cpp:306:33:306:39 | source1 |  |
+| stl.cpp:292:21:292:27 | source1 | stl.cpp:292:21:292:28 | call to vector | TAINT |
+| stl.cpp:292:21:292:28 | call to vector | stl.cpp:294:14:294:14 | v |  |
+| stl.cpp:292:21:292:28 | call to vector | stl.cpp:298:38:298:38 | v |  |
+| stl.cpp:292:21:292:28 | call to vector | stl.cpp:298:55:298:55 | v |  |
+| stl.cpp:292:21:292:28 | call to vector | stl.cpp:302:15:302:15 | v |  |
+| stl.cpp:294:14:294:14 | call to begin | stl.cpp:294:14:294:14 | (__begin) |  |
+| stl.cpp:294:14:294:14 | call to begin | stl.cpp:294:14:294:14 | (__begin) |  |
+| stl.cpp:294:14:294:14 | call to begin | stl.cpp:294:14:294:14 | (__begin) |  |
+| stl.cpp:294:14:294:14 | call to end | stl.cpp:294:14:294:14 | (__end) |  |
+| stl.cpp:294:14:294:14 | call to operator* | stl.cpp:295:8:295:8 | x |  |
+| stl.cpp:294:14:294:14 | ref arg (__begin) | stl.cpp:294:14:294:14 | (__begin) |  |
+| stl.cpp:294:14:294:14 | ref arg (__begin) | stl.cpp:294:14:294:14 | (__begin) |  |
+| stl.cpp:294:14:294:14 | ref arg (__begin) | stl.cpp:294:14:294:14 | (__begin) |  |
+| stl.cpp:294:14:294:14 | ref arg (__range) | stl.cpp:294:14:294:14 | (__range) |  |
+| stl.cpp:294:14:294:14 | v | stl.cpp:294:14:294:14 | (__range) |  |
+| stl.cpp:294:14:294:14 | v | stl.cpp:294:14:294:14 | (__range) |  |
+| stl.cpp:294:14:294:14 | v | stl.cpp:294:14:294:14 | call to operator* | TAINT |
+| stl.cpp:298:38:298:38 | ref arg v | stl.cpp:298:55:298:55 | v |  |
+| stl.cpp:298:38:298:38 | ref arg v | stl.cpp:302:15:302:15 | v |  |
+| stl.cpp:298:40:298:44 | call to begin | stl.cpp:298:49:298:50 | it |  |
+| stl.cpp:298:40:298:44 | call to begin | stl.cpp:298:66:298:67 | it |  |
+| stl.cpp:298:40:298:44 | call to begin | stl.cpp:299:9:299:10 | it |  |
+| stl.cpp:298:55:298:55 | ref arg v | stl.cpp:298:55:298:55 | v |  |
+| stl.cpp:298:55:298:55 | ref arg v | stl.cpp:302:15:302:15 | v |  |
+| stl.cpp:298:66:298:67 | ref arg it | stl.cpp:298:49:298:50 | it |  |
+| stl.cpp:298:66:298:67 | ref arg it | stl.cpp:298:66:298:67 | it |  |
+| stl.cpp:298:66:298:67 | ref arg it | stl.cpp:299:9:299:10 | it |  |
+| stl.cpp:302:15:302:15 | call to begin | stl.cpp:302:15:302:15 | (__begin) |  |
+| stl.cpp:302:15:302:15 | call to begin | stl.cpp:302:15:302:15 | (__begin) |  |
+| stl.cpp:302:15:302:15 | call to begin | stl.cpp:302:15:302:15 | (__begin) |  |
+| stl.cpp:302:15:302:15 | call to end | stl.cpp:302:15:302:15 | (__end) |  |
+| stl.cpp:302:15:302:15 | call to operator* | stl.cpp:303:8:303:8 | x |  |
+| stl.cpp:302:15:302:15 | ref arg (__begin) | stl.cpp:302:15:302:15 | (__begin) |  |
+| stl.cpp:302:15:302:15 | ref arg (__begin) | stl.cpp:302:15:302:15 | (__begin) |  |
+| stl.cpp:302:15:302:15 | ref arg (__begin) | stl.cpp:302:15:302:15 | (__begin) |  |
+| stl.cpp:302:15:302:15 | ref arg (__range) | stl.cpp:302:15:302:15 | (__range) |  |
+| stl.cpp:302:15:302:15 | v | stl.cpp:302:15:302:15 | (__range) |  |
+| stl.cpp:302:15:302:15 | v | stl.cpp:302:15:302:15 | (__range) |  |
+| stl.cpp:302:15:302:15 | v | stl.cpp:302:15:302:15 | call to operator* | TAINT |
+| stl.cpp:306:33:306:39 | source1 | stl.cpp:306:33:306:40 | call to vector | TAINT |
+| stl.cpp:306:33:306:40 | call to vector | stl.cpp:307:21:307:27 | const_v |  |
+| stl.cpp:307:21:307:21 | call to begin | stl.cpp:307:21:307:21 | (__begin) |  |
+| stl.cpp:307:21:307:21 | call to begin | stl.cpp:307:21:307:21 | (__begin) |  |
+| stl.cpp:307:21:307:21 | call to begin | stl.cpp:307:21:307:21 | (__begin) |  |
+| stl.cpp:307:21:307:21 | call to end | stl.cpp:307:21:307:21 | (__end) |  |
+| stl.cpp:307:21:307:21 | call to operator* | stl.cpp:308:8:308:8 | x |  |
+| stl.cpp:307:21:307:21 | ref arg (__begin) | stl.cpp:307:21:307:21 | (__begin) |  |
+| stl.cpp:307:21:307:21 | ref arg (__begin) | stl.cpp:307:21:307:21 | (__begin) |  |
+| stl.cpp:307:21:307:21 | ref arg (__begin) | stl.cpp:307:21:307:21 | (__begin) |  |
+| stl.cpp:307:21:307:27 | const_v | stl.cpp:307:21:307:21 | (__range) |  |
+| stl.cpp:307:21:307:27 | const_v | stl.cpp:307:21:307:21 | (__range) |  |
+| stl.cpp:307:21:307:27 | const_v | stl.cpp:307:21:307:21 | call to operator* | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | this | structlikeclass.cpp:5:7:5:7 | constructor init of field v [pre-this] |  |

cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp

@@ -234,7 +234,7 @@ void test_string_constructors_assignments()
 
 void sink(char) {}
 
-void test_range_based_for_loop() {
+void test_range_based_for_loop_string() {
 	std::string s(source());
 	for(char c : s) {
 		sink(c); // tainted [NOT DETECTED by IR]
@@ -252,4 +252,59 @@ void test_range_based_for_loop() {
 	for(const char& c : const_s) {
 		sink(c); // tainted [NOT DETECTED by IR]
 	}
-}
+}
+
+
+
+
+
+
+
+
+namespace std {
+	template <class T>
+	class vector {
+	private:
+		void *data_;
+	public:
+		vector(int size);
+
+		T& operator[](int idx);
+		const T& operator[](int idx) const;
+
+		typedef std::iterator<random_access_iterator_tag, T> iterator;
+		typedef std::iterator<random_access_iterator_tag, const T> const_iterator;
+
+		iterator begin() noexcept;
+		iterator end() noexcept;
+
+		const_iterator begin() const noexcept;
+		const_iterator end() const noexcept;
+	};
+}
+
+void sink(int);
+
+void test_range_based_for_loop_vector(int source1) {
+	// Tainting the vector by allocating a tainted length. This doesn't represent
+	// how a vector would typically get tainted, but it allows this test to avoid
+	// being concerned with std::vector modeling.
+	std::vector<int> v(source1);
+
+	for(int x : v) {
+		sink(x); // tainted [NOT DETECTED by IR]
+	}
+
+	for(std::vector<int>::iterator it = v.begin(); it != v.end(); ++it) {
+		sink(*it); // tainted [NOT DETECTED]
+	}
+
+	for(int& x : v) {
+		sink(x); // tainted [NOT DETECTED by IR]
+	}
+
+	const std::vector<int> const_v(source1);
+	for(const int& x : const_v) {
+		sink(x); // tainted [NOT DETECTED by IR]
+	}
+}

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -50,6 +50,9 @@
 | stl.cpp:240:8:240:8 | c | stl.cpp:238:16:238:21 | call to source |
 | stl.cpp:248:8:248:8 | c | stl.cpp:238:16:238:21 | call to source |
 | stl.cpp:253:8:253:8 | c | stl.cpp:251:28:251:33 | call to source |
+| stl.cpp:295:8:295:8 | x | stl.cpp:288:43:288:49 | source1 |
+| stl.cpp:303:8:303:8 | x | stl.cpp:288:43:288:49 | source1 |
+| stl.cpp:308:8:308:8 | x | stl.cpp:288:43:288:49 | source1 |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -47,6 +47,9 @@
 | stl.cpp:240:8:240:8 | stl.cpp:238:16:238:21 | AST only |
 | stl.cpp:248:8:248:8 | stl.cpp:238:16:238:21 | AST only |
 | stl.cpp:253:8:253:8 | stl.cpp:251:28:251:33 | AST only |
+| stl.cpp:295:8:295:8 | stl.cpp:288:43:288:49 | AST only |
+| stl.cpp:303:8:303:8 | stl.cpp:288:43:288:49 | AST only |
+| stl.cpp:308:8:308:8 | stl.cpp:288:43:288:49 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
 | structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |