
Commit 26206a8

committed
C++: Properly handle setter-related flow in IPA injector.
1 parent d3d706d commit 26206a8


1 file changed

+37
-18
lines changed

1 file changed

+37
-18
lines changed

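--- a/cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll
@@ -355,54 +355,73 @@ module ProductFlow {
 pragma[only_bind_out](succ.getNode().getEnclosingCallable())
 }
 
-newtype TKind =
+private newtype TKind =
 TInto(DataFlowCall call) {
-[any(Flow1::PathNode n).getNode(), any(Flow2::PathNode n).getNode()]
-.(ArgumentNode)
-.getCall() = call
+intoImpl1(_, _, call) or
+intoImpl2(_, _, call)
 } or
 TOutOf(DataFlowCall call) {
-[any(Flow1::PathNode n).getNode(), any(Flow2::PathNode n).getNode()].(OutNode).getCall() =
-call
+outImpl1(_, _, call) or
+outImpl2(_, _, call)
 } or
 TJump()
 
-private predicate into1(Flow1::PathNode pred1, Flow1::PathNode succ1, TKind kind) {
+private predicate intoImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
 Flow1::PathGraph::edges(pred1, succ1) and
+pred1.getNode().(ArgumentNode).getCall() = call and
+succ1.getNode() instanceof ParameterNode
+}
+
+private predicate into1(Flow1::PathNode pred1, Flow1::PathNode succ1, TKind kind) {
 exists(DataFlowCall call |
 kind = TInto(call) and
-pred1.getNode().(ArgumentNode).getCall() = call and
-succ1.getNode() instanceof ParameterNode
+intoImpl1(pred1, succ1, call)
 )
 }
 
-private predicate out1(Flow1::PathNode pred1, Flow1::PathNode succ1, TKind kind) {
+private predicate outImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
 Flow1::PathGraph::edges(pred1, succ1) and
-exists(ReturnKindExt returnKind, DataFlowCall call |
-kind = TOutOf(call) and
+exists(ReturnKindExt returnKind |
 succ1.getNode() = returnKind.getAnOutNode(call) and
 pred1.getNode().(ReturnNodeExt).getKind() = returnKind
 )
 }
 
-private predicate into2(Flow2::PathNode pred2, Flow2::PathNode succ2, TKind kind) {
+private predicate out1(Flow1::PathNode pred1, Flow1::PathNode succ1, TKind kind) {
+exists(DataFlowCall call |
+outImpl1(pred1, succ1, call) and
+kind = TOutOf(call)
+)
+}
+
+private predicate intoImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
 Flow2::PathGraph::edges(pred2, succ2) and
+pred2.getNode().(ArgumentNode).getCall() = call and
+succ2.getNode() instanceof ParameterNode
+}
+
+private predicate into2(Flow2::PathNode pred2, Flow2::PathNode succ2, TKind kind) {
 exists(DataFlowCall call |
 kind = TInto(call) and
-pred2.getNode().(ArgumentNode).getCall() = call and
-succ2.getNode() instanceof ParameterNode
+intoImpl2(pred2, succ2, call)
 )
 }
 
-private predicate out2(Flow2::PathNode pred2, Flow2::PathNode succ2, TKind kind) {
+private predicate outImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
 Flow2::PathGraph::edges(pred2, succ2) and
-exists(ReturnKindExt returnKind, DataFlowCall call |
-kind = TOutOf(call) and
+exists(ReturnKindExt returnKind |
 succ2.getNode() = returnKind.getAnOutNode(call) and
 pred2.getNode().(ReturnNodeExt).getKind() = returnKind
 )
 }
 
+private predicate out2(Flow2::PathNode pred2, Flow2::PathNode succ2, TKind kind) {
+exists(DataFlowCall call |
+kind = TOutOf(call) and
+outImpl2(pred2, succ2, call)
+)
+}
+
 pragma[nomagic]
 private predicate interprocEdge1(
 Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1,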