C++: Respond to PR reviews.

MathiasVP · MathiasVP · commit 7583fe2ad850 · 2023-01-31T10:31:02.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll
@@ -108,106 +108,136 @@ private FunctionInput getIteratorArgumentInput(Operator op, int index) {
 }
 
 /**
- * A non-member prefix `operator*` function for an iterator type.
+ * A non-member `operator++` or `operator--` function for an iterator type.
  */
-private class IteratorPointerDereferenceOperator extends Operator, TaintFunction,
-  IteratorReferenceFunction {
-  FunctionInput iteratorInput;
-
-  IteratorPointerDereferenceOperator() {
-    this.hasName("operator*") and
-    iteratorInput = getIteratorArgumentInput(this, 0)
+class IteratorCrementNonMemberOperator extends Operator {
+  IteratorCrementNonMemberOperator() {
+    this.hasName(["operator++", "operator--"]) and
+    exists(getIteratorArgumentInput(this, 0))
   }
+}
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
+private class IteratorCrementNonMemberOperatorModel extends IteratorCrementNonMemberOperator,
+  DataFlowFunction {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input = getIteratorArgumentInput(this, 0) and
     output.isReturnValue()
     or
-    input.isReturnValueDeref() and
-    output.isParameterDeref(0)
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 }
 
 /**
- * A non-member `operator++` or `operator--` function for an iterator type.
+ * An `operator++` or `operator--` member function for an iterator type.
  */
-class IteratorCrementOperator extends Operator {
-  FunctionInput iteratorInput;
-
-  IteratorCrementOperator() {
-    this.hasName(["operator++", "operator--"]) and
-    iteratorInput = getIteratorArgumentInput(this, 0)
+class IteratorCrementMemberOperator extends MemberFunction {
+  IteratorCrementMemberOperator() {
+    this.getClassAndName(["operator++", "operator--"]) instanceof Iterator
   }
-
-  /**
-   * INTERNAL: Do not use.
-   */
-  FunctionInput getIteratorInput() { result = iteratorInput }
 }
 
-private class IteratorCrementOperatorModel extends IteratorCrementOperator, DataFlowFunction {
+private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOperator,
+  DataFlowFunction, TaintFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input = this.getIteratorInput() and
+    input.isQualifierAddress() and
     output.isReturnValue()
     or
-    input.isParameterDeref(0) and output.isReturnValueDeref()
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 }
 
 /**
- * A non-member `operator+` function for an iterator type.
+ * A (member or non-member) `operator++` or `operator--` function for an iterator type.
  */
-class IteratorAddOperator extends Operator {
-  FunctionInput iteratorInput;
+class IteratorCrementOperator extends Function {
+  IteratorCrementOperator() {
+    this instanceof IteratorCrementNonMemberOperator or
+    this instanceof IteratorCrementMemberOperator
+  }
+}
 
-  IteratorAddOperator() {
+/**
+ * A non-member `operator+` function for an iterator type.
+ */
+class IteratorAddNonMemberOperator extends Operator {
+  IteratorAddNonMemberOperator() {
     this.hasName("operator+") and
-    iteratorInput = getIteratorArgumentInput(this, [0, 1])
+    exists(getIteratorArgumentInput(this, [0, 1]))
+  }
+}
+
+private class IteratorAddNonMemberOperatorModel extends IteratorAddNonMemberOperator, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input = getIteratorArgumentInput(this, [0, 1]) and
+    output.isReturnValue()
   }
+}
 
-  FunctionInput getIteratorInput() { result = iteratorInput }
+/**
+ * An `operator+` or `operator-` member function of an iterator class.
+ */
+class IteratorBinaryArithmeticMemberOperator extends MemberFunction {
+  IteratorBinaryArithmeticMemberOperator() {
+    this.getClassAndName(["operator+", "operator-"]) instanceof Iterator
+  }
 }
 
-private class IteratorAddOperatorModel extends IteratorAddOperator, TaintFunction {
+private class IteratorBinaryArithmeticMemberOperatorModel extends IteratorBinaryArithmeticMemberOperator,
+  TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = this.getIteratorInput() and
+    input.isQualifierObject() and
     output.isReturnValue()
   }
 }
 
 /**
- * A non-member `operator-` function that takes a pointer difference type as its second argument.
+ * A (member or non-member) `operator+` or `operator-` function for an iterator type.
  */
-class IteratorSubOperator extends Operator {
-  FunctionInput iteratorInput;
+class IteratorBinaryAddOperator extends Function {
+  IteratorBinaryAddOperator() {
+    this instanceof IteratorAddNonMemberOperator or
+    this instanceof IteratorBinaryArithmeticMemberOperator
+  }
+}
 
-  IteratorSubOperator() {
+/**
+ * A non-member `operator-` function that takes a pointer difference type as its second argument.
+ */
+class IteratorSubNonMemberOperator extends Operator {
+  IteratorSubNonMemberOperator() {
     this.hasName("operator-") and
-    iteratorInput = getIteratorArgumentInput(this, 0) and
+    exists(getIteratorArgumentInput(this, 0)) and
     this.getParameter(1).getUnspecifiedType() instanceof IntegralType // not an iterator difference
   }
-
-  FunctionInput getIteratorInput() { result = iteratorInput }
 }
 
-private class IteratorSubOperatorModel extends IteratorSubOperator, TaintFunction {
+private class IteratorSubOperatorModel extends IteratorSubNonMemberOperator, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = this.getIteratorInput() and
+    input = getIteratorArgumentInput(this, 0) and
     output.isReturnValue()
   }
 }
 
 /**
  * A non-member `operator+=` or `operator-=` function for an iterator type.
  */
-class IteratorAssignArithmeticOperator extends Operator {
-  IteratorAssignArithmeticOperator() {
+class IteratorAssignArithmeticNonMemberOperator extends Operator {
+  IteratorAssignArithmeticNonMemberOperator() {
     this.hasName(["operator+=", "operator-="]) and
     exists(getIteratorArgumentInput(this, 0))
   }
 }
 
-private class IteratorAssignArithmeticOperatorModel extends IteratorAssignArithmeticOperator,
+private class IteratorAssignArithmeticNonMemberOperatorModel extends IteratorAssignArithmeticNonMemberOperator,
   DataFlowFunction, TaintFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
@@ -227,106 +257,102 @@ private class IteratorAssignArithmeticOperatorModel extends IteratorAssignArithm
 }
 
 /**
- * A prefix `operator*` member function for an iterator type.
- */
-class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
-  IteratorReferenceFunction {
-  IteratorPointerDereferenceMemberOperator() {
-    this.getClassAndName("operator*") instanceof Iterator
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
-    or
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-  }
-}
-
-/**
- * An `operator++` or `operator--` member function for an iterator type.
+ * An `operator+=` or `operator-=` member function of an iterator class.
  */
-class IteratorCrementMemberOperator extends MemberFunction {
-  IteratorCrementMemberOperator() {
-    this.getClassAndName(["operator++", "operator--"]) instanceof Iterator
+class IteratorAssignArithmeticMemberOperator extends MemberFunction {
+  IteratorAssignArithmeticMemberOperator() {
+    this.getClassAndName(["operator+=", "operator-="]) instanceof Iterator
   }
 }
 
-private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOperator,
+private class IteratorAssignArithmeticMemberOperatorModel extends IteratorAssignArithmeticMemberOperator,
   DataFlowFunction, TaintFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierAddress() and
     output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
     or
+    // reverse flow from returned reference to the qualifier
     input.isReturnValueDeref() and
     output.isQualifierObject()
     or
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
+    (input.isParameter(0) or input.isParameterDeref(0)) and
+    output.isQualifierObject()
   }
+}
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
+/**
+ * A (member or non-member) `operator+=` or `operator-=` function for an iterator type.
+ */
+class IteratorAssignArithmeticOperator extends Function {
+  IteratorAssignArithmeticOperator() {
+    this instanceof IteratorAssignArithmeticNonMemberOperator or
+    this instanceof IteratorAssignArithmeticMemberOperator
   }
 }
 
 /**
- * A member `operator->` function for an iterator type.
+ * A prefix `operator*` member function for an iterator type.
  */
-private class IteratorFieldMemberOperator extends Operator, TaintFunction {
-  IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
+class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
+  IteratorReferenceFunction {
+  IteratorPointerDereferenceMemberOperator() {
+    this.getClassAndName("operator*") instanceof Iterator
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
     output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
   }
 }
 
 /**
- * An `operator+` or `operator-` member function of an iterator class.
+ * A non-member prefix `operator*` function for an iterator type.
  */
-class IteratorBinaryArithmeticMemberOperator extends MemberFunction {
-  IteratorBinaryArithmeticMemberOperator() {
-    this.getClassAndName(["operator+", "operator-"]) instanceof Iterator
+class IteratorPointerDereferenceNonMemberOperator extends Operator, IteratorReferenceFunction {
+  IteratorPointerDereferenceNonMemberOperator() {
+    this.hasName("operator*") and
+    exists(getIteratorArgumentInput(this, 0))
   }
 }
 
-private class IteratorBinaryArithmeticMemberOperatorModel extends IteratorBinaryArithmeticMemberOperator,
+private class IteratorPointerDereferenceNonMemberOperatorModel extends IteratorPointerDereferenceNonMemberOperator,
   TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
+    input = getIteratorArgumentInput(this, 0) and
     output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
   }
 }
 
 /**
- * An `operator+=` or `operator-=` member function of an iterator class.
+ * A (member or non-member) prefix `operator*` function for an iterator type.
  */
-class IteratorAssignArithmeticMemberOperator extends MemberFunction {
-  IteratorAssignArithmeticMemberOperator() {
-    this.getClassAndName(["operator+=", "operator-="]) instanceof Iterator
+class IteratorPointerDereferenceOperator extends Function {
+  IteratorPointerDereferenceOperator() {
+    this instanceof IteratorPointerDereferenceNonMemberOperator or
+    this instanceof IteratorPointerDereferenceMemberOperator
   }
 }
 
-private class IteratorAssignArithmeticMemberOperatorModel extends IteratorAssignArithmeticMemberOperator,
-  DataFlowFunction, TaintFunction {
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierAddress() and
-    output.isReturnValue()
-  }
+/**
+ * A member `operator->` function for an iterator type.
+ */
+private class IteratorFieldMemberOperator extends Operator, TaintFunction {
+  IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
-    output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the qualifier
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-    or
-    (input.isParameter(0) or input.isParameterDeref(0)) and
-    output.isQualifierObject()
+    output.isReturnValue()
   }
 }
 
