C++: Block flow out of 'swap'.

MathiasVP · MathiasVP · commit 359b6e14c67c · 2024-02-06T16:15:21.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll
@@ -1,14 +1,15 @@
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.FlowOutBarrier
 
 /**
  * The standard function `swap`. A use of `swap` looks like this:
  * ```
  * std::swap(obj1, obj2)
  * ```
  */
-private class Swap extends DataFlowFunction {
+private class Swap extends DataFlowFunction, FlowOutBarrierFunction {
   Swap() { this.hasQualifiedName(["std", "bsl"], "swap") }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -18,6 +19,8 @@ private class Swap extends DataFlowFunction {
     input.isParameterDeref(1) and
     output.isParameterDeref(0)
   }
+
+  override predicate isFlowOutBarrier(FunctionInput input) { input.isParameterDeref(1) }
 }
 
 /**
@@ -26,7 +29,9 @@ private class Swap extends DataFlowFunction {
  * obj1.swap(obj2)
  * ```
  */
-private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
+private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction,
+  FlowOutBarrierFunction
+{
   MemberSwap() {
     this.hasName("swap") and
     this.getNumberOfParameters() = 1 and
@@ -47,4 +52,8 @@ private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
   override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
 
   override predicate parameterIsAlwaysReturned(int index) { index = 0 }
+
+  override predicate isFlowOutBarrier(FunctionInput input) {
+    input.isQualifierObject() or input.isParameterDeref(0)
+  }
 }
