C++: Remove hasTaintFlow from poll and select functions.

MathiasVP · MathiasVP · commit f908d2f1de7f · 2021-02-22T08:54:43.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Poll.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Poll.qll
@@ -5,14 +5,13 @@
 
 import semmle.code.cpp.Function
 import semmle.code.cpp.models.interfaces.ArrayFunction
-import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
 /**
  * The function `poll` and its assorted variants
  */
-private class Poll extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
+private class Poll extends ArrayFunction, AliasFunction, SideEffectFunction {
   Poll() { this.hasGlobalName(["poll", "ppoll", "WSAPoll"]) }
 
   override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
@@ -29,11 +28,6 @@ private class Poll extends ArrayFunction, AliasFunction, TaintFunction, SideEffe
 
   override predicate parameterIsAlwaysReturned(int index) { none() }
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(0) and
-    output.isParameterDeref(0)
-  }
-
   override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
     i = 0 and buffer = true and mustWrite = false
   }
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Select.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Select.qll
@@ -5,14 +5,13 @@
 
 import semmle.code.cpp.Function
 import semmle.code.cpp.models.interfaces.ArrayFunction
-import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
 /**
  * The function `select` and its assorted variants
  */
-private class Select extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
+private class Select extends ArrayFunction, AliasFunction, SideEffectFunction {
   Select() { this.hasGlobalName(["select", "pselect"]) }
 
   override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = [1 .. 3] }
@@ -27,13 +26,6 @@ private class Select extends ArrayFunction, AliasFunction, TaintFunction, SideEf
 
   override predicate parameterIsAlwaysReturned(int index) { none() }
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    exists(int i | i = [1 .. 3] |
-      input.isParameterDeref(i) and
-      output.isParameterDeref(i)
-    )
-  }
-
   override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
     i = [1 .. 3] and buffer = true and mustWrite = false
   }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/bsd.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/bsd.cpp
@@ -22,43 +22,3 @@ void test_accept() {
   sink(a); // $ ast=17:11 SPURIOUS: ast=18:12 MISSING: ir
   sink(addr); // $ ast MISSING: ir
 }
-
-// --- poll ---
-
-struct pollfd {
-  int   fd;
-  short events;
-  short revents;
-};
-
-int poll(struct pollfd *, int, int);
-
-void test_poll() {
-  pollfd pfds;
-
-  pfds.events = 1;
-  pfds.fd = source();
-  poll(&pfds, 1, -1);
-
-  sink(pfds); // $ ast MISSING: ir
-}
-
-// --- select ---
-
-typedef struct {} timeval;
-
-typedef struct fd_set {
-  int  fd_count;
-  int fd_array[4096];
-} fd_set;
-
-int select(int, fd_set *, fd_set *, fd_set *, timeval *);
-
-void test_select(timeval timeout) {
-  fd_set readfds;
-
-  readfds.fd_count = 1;
-  readfds.fd_array[0] = source();
-  select(2, &readfds, nullptr, nullptr, &timeout);
-  sink(&readfds); // $ ast MISSING: ir
-}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -146,51 +146,6 @@
 | bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:21:20:25 | & ... |  |
 | bsd.cpp:20:28:20:32 | ref arg & ... | bsd.cpp:20:29:20:32 | size [inner post update] |  |
 | bsd.cpp:20:29:20:32 | size | bsd.cpp:20:28:20:32 | & ... |  |
-| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:39:3:39:6 | pfds |  |
-| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:40:3:40:6 | pfds |  |
-| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:41:9:41:12 | pfds |  |
-| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:43:8:43:11 | pfds |  |
-| bsd.cpp:39:3:39:6 | pfds [post update] | bsd.cpp:40:3:40:6 | pfds |  |
-| bsd.cpp:39:3:39:6 | pfds [post update] | bsd.cpp:41:9:41:12 | pfds |  |
-| bsd.cpp:39:3:39:6 | pfds [post update] | bsd.cpp:43:8:43:11 | pfds |  |
-| bsd.cpp:39:3:39:17 | ... = ... | bsd.cpp:39:8:39:13 | events [post update] |  |
-| bsd.cpp:39:17:39:17 | 1 | bsd.cpp:39:3:39:17 | ... = ... |  |
-| bsd.cpp:40:3:40:6 | pfds [post update] | bsd.cpp:41:9:41:12 | pfds |  |
-| bsd.cpp:40:3:40:6 | pfds [post update] | bsd.cpp:43:8:43:11 | pfds |  |
-| bsd.cpp:40:3:40:20 | ... = ... | bsd.cpp:40:8:40:9 | fd [post update] |  |
-| bsd.cpp:40:13:40:18 | call to source | bsd.cpp:40:3:40:20 | ... = ... |  |
-| bsd.cpp:41:8:41:12 | & ... | bsd.cpp:41:8:41:12 | ref arg & ... | TAINT |
-| bsd.cpp:41:8:41:12 | ref arg & ... | bsd.cpp:41:9:41:12 | pfds [inner post update] |  |
-| bsd.cpp:41:8:41:12 | ref arg & ... | bsd.cpp:43:8:43:11 | pfds |  |
-| bsd.cpp:41:9:41:12 | pfds | bsd.cpp:41:8:41:12 | & ... |  |
-| bsd.cpp:41:9:41:12 | pfds | bsd.cpp:41:8:41:12 | ref arg & ... | TAINT |
-| bsd.cpp:41:19:41:19 | 1 | bsd.cpp:41:18:41:19 | - ... | TAINT |
-| bsd.cpp:57:26:57:32 | timeout | bsd.cpp:62:42:62:48 | timeout |  |
-| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:60:3:60:9 | readfds |  |
-| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:61:3:61:9 | readfds |  |
-| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:62:14:62:20 | readfds |  |
-| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:63:9:63:15 | readfds |  |
-| bsd.cpp:60:3:60:9 | readfds [post update] | bsd.cpp:61:3:61:9 | readfds |  |
-| bsd.cpp:60:3:60:9 | readfds [post update] | bsd.cpp:62:14:62:20 | readfds |  |
-| bsd.cpp:60:3:60:9 | readfds [post update] | bsd.cpp:63:9:63:15 | readfds |  |
-| bsd.cpp:60:3:60:22 | ... = ... | bsd.cpp:60:11:60:18 | fd_count [post update] |  |
-| bsd.cpp:60:22:60:22 | 1 | bsd.cpp:60:3:60:22 | ... = ... |  |
-| bsd.cpp:61:3:61:9 | readfds [post update] | bsd.cpp:62:14:62:20 | readfds |  |
-| bsd.cpp:61:3:61:9 | readfds [post update] | bsd.cpp:63:9:63:15 | readfds |  |
-| bsd.cpp:61:3:61:21 | access to array [post update] | bsd.cpp:61:11:61:18 | fd_array [inner post update] |  |
-| bsd.cpp:61:3:61:32 | ... = ... | bsd.cpp:61:3:61:21 | access to array [post update] |  |
-| bsd.cpp:61:11:61:18 | fd_array | bsd.cpp:61:3:61:21 | access to array |  |
-| bsd.cpp:61:20:61:20 | 0 | bsd.cpp:61:3:61:21 | access to array | TAINT |
-| bsd.cpp:61:25:61:30 | call to source | bsd.cpp:61:3:61:32 | ... = ... |  |
-| bsd.cpp:62:13:62:20 | & ... | bsd.cpp:62:13:62:20 | ref arg & ... | TAINT |
-| bsd.cpp:62:13:62:20 | ref arg & ... | bsd.cpp:62:14:62:20 | readfds [inner post update] |  |
-| bsd.cpp:62:13:62:20 | ref arg & ... | bsd.cpp:63:9:63:15 | readfds |  |
-| bsd.cpp:62:14:62:20 | readfds | bsd.cpp:62:13:62:20 | & ... |  |
-| bsd.cpp:62:14:62:20 | readfds | bsd.cpp:62:13:62:20 | ref arg & ... | TAINT |
-| bsd.cpp:62:41:62:48 | ref arg & ... | bsd.cpp:62:42:62:48 | timeout [inner post update] |  |
-| bsd.cpp:62:42:62:48 | timeout | bsd.cpp:62:41:62:48 | & ... |  |
-| bsd.cpp:63:8:63:15 | ref arg & ... | bsd.cpp:63:9:63:15 | readfds [inner post update] |  |
-| bsd.cpp:63:9:63:15 | readfds | bsd.cpp:63:8:63:15 | & ... |  |
 | constructor_delegation.cpp:8:2:8:8 | this | constructor_delegation.cpp:8:20:8:24 | constructor init of field x [pre-this] |  |
 | constructor_delegation.cpp:8:14:8:15 | _x | constructor_delegation.cpp:8:22:8:23 | _x |  |
 | constructor_delegation.cpp:8:22:8:23 | _x | constructor_delegation.cpp:8:20:8:24 | constructor init of field x | TAINT |
