Merge pull request github#17351 from paldepind/swap-member-data-flow

C++: Make swap member functions data-flow functions

Author: paldepind

cpp/ql/lib/change-notes/2024-09-04-swap-data-flow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.

cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll

@@ -26,15 +26,15 @@ private class Swap extends DataFlowFunction {
  * obj1.swap(obj2)
  * ```
  */
-private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
+private class MemberSwap extends DataFlowFunction, MemberFunction, AliasFunction {
   MemberSwap() {
     this.hasName("swap") and
     this.getNumberOfParameters() = 1 and
     this.getParameter(0).getType().(ReferenceType).getBaseType().getUnspecifiedType() =
       this.getDeclaringType()
   }
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
     output.isParameterDeref(0)
     or

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -33,7 +33,7 @@ argHasPostUpdate
 | test.cpp:67:29:67:35 | source1 | ArgumentNode is missing PostUpdateNode. |
 | test.cpp:813:19:813:35 | * ... | ArgumentNode is missing PostUpdateNode. |
 | test.cpp:848:23:848:25 | rpx | ArgumentNode is missing PostUpdateNode. |
-| test.cpp:1065:19:1065:21 | * ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:1093:19:1093:21 | * ... | ArgumentNode is missing PostUpdateNode. |
 postWithInFlow
 | BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. |
@@ -167,15 +167,17 @@ postWithInFlow
 | test.cpp:932:5:932:19 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:932:6:932:19 | global_pointer [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1045:9:1045:11 | ref arg buf | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1059:5:1059:11 | content [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1060:9:1060:9 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1064:5:1064:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1064:6:1064:7 | pp [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1070:53:1070:53 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1080:3:1080:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1080:4:1080:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1081:3:1081:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1081:4:1081:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1066:5:1066:5 | i [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1069:5:1069:5 | i [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1087:5:1087:11 | content [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1088:9:1088:9 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1092:5:1092:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1092:6:1092:7 | pp [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1098:53:1098:53 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1108:3:1108:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1108:4:1108:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1109:3:1109:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1109:4:1109:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -26,6 +26,10 @@ postWithInFlow
 | test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1045:9:1045:11 | memset output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1076:2:1076:3 | swap output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1076:10:1076:11 | swap output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1077:2:1077:3 | swap output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1077:10:1077:11 | swap output argument | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected

@@ -202,12 +202,12 @@
 | test.cpp:489:23:489:29 | *content | test.cpp:490:8:490:17 | * ... |
 | test.cpp:489:23:489:29 | content | test.cpp:489:23:489:29 | content |
 | test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
-| test.cpp:1058:12:1058:12 | definition of a | test.cpp:1059:3:1059:3 | *a |
-| test.cpp:1059:3:1059:3 | *a | test.cpp:1060:8:1060:9 | *& ... |
-| test.cpp:1059:3:1059:3 | *a [post update] | test.cpp:1060:8:1060:9 | *& ... |
-| test.cpp:1059:3:1059:3 | a | test.cpp:1060:8:1060:9 | & ... |
-| test.cpp:1059:3:1059:3 | a [post update] | test.cpp:1060:8:1060:9 | & ... |
-| test.cpp:1059:15:1059:21 | 0 | test.cpp:1059:3:1059:21 | ... = ... |
-| test.cpp:1059:15:1059:21 | *0 | test.cpp:1059:3:1059:21 | *... = ... |
-| test.cpp:1060:9:1060:9 | *a | test.cpp:1060:8:1060:9 | *& ... |
-| test.cpp:1060:9:1060:9 | a | test.cpp:1060:8:1060:9 | & ... |
+| test.cpp:1086:12:1086:12 | definition of a | test.cpp:1087:3:1087:3 | *a |
+| test.cpp:1087:3:1087:3 | *a | test.cpp:1088:8:1088:9 | *& ... |
+| test.cpp:1087:3:1087:3 | *a [post update] | test.cpp:1088:8:1088:9 | *& ... |
+| test.cpp:1087:3:1087:3 | a | test.cpp:1088:8:1088:9 | & ... |
+| test.cpp:1087:3:1087:3 | a [post update] | test.cpp:1088:8:1088:9 | & ... |
+| test.cpp:1087:15:1087:21 | 0 | test.cpp:1087:3:1087:21 | ... = ... |
+| test.cpp:1087:15:1087:21 | *0 | test.cpp:1087:3:1087:21 | *... = ... |
+| test.cpp:1088:9:1088:9 | *a | test.cpp:1088:8:1088:9 | *& ... |
+| test.cpp:1088:9:1088:9 | a | test.cpp:1088:8:1088:9 | & ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected

@@ -81,10 +81,10 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (loc
 | test.cpp:488:21:488:21 | s [post update] | test.cpp:489:20:489:20 | s |
 | test.cpp:488:24:488:30 | ref arg content | test.cpp:489:23:489:29 | content |
 | test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
-| test.cpp:1058:12:1058:12 | a | test.cpp:1059:3:1059:3 | a |
-| test.cpp:1058:12:1058:12 | a | test.cpp:1060:9:1060:9 | a |
-| test.cpp:1059:3:1059:3 | a [post update] | test.cpp:1060:9:1060:9 | a |
-| test.cpp:1059:3:1059:21 | ... = ... | test.cpp:1059:5:1059:11 | content [post update] |
-| test.cpp:1059:15:1059:21 | 0 | test.cpp:1059:3:1059:21 | ... = ... |
-| test.cpp:1060:8:1060:9 | ref arg & ... | test.cpp:1060:9:1060:9 | a [inner post update] |
-| test.cpp:1060:9:1060:9 | a | test.cpp:1060:8:1060:9 | & ... |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a |
+| test.cpp:1087:3:1087:3 | a [post update] | test.cpp:1088:9:1088:9 | a |
+| test.cpp:1087:3:1087:21 | ... = ... | test.cpp:1087:5:1087:11 | content [post update] |
+| test.cpp:1087:15:1087:21 | 0 | test.cpp:1087:3:1087:21 | ... = ... |
+| test.cpp:1088:8:1088:9 | ref arg & ... | test.cpp:1088:9:1088:9 | a [inner post update] |
+| test.cpp:1088:9:1088:9 | a | test.cpp:1088:8:1088:9 | & ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -127,7 +127,11 @@ astFlow
 | test.cpp:842:11:842:16 | call to source | test.cpp:844:8:844:8 | y |
 | test.cpp:846:13:846:27 | call to indirect_source | test.cpp:848:23:848:25 | rpx |
 | test.cpp:860:54:860:59 | call to source | test.cpp:861:10:861:37 | static_local_pointer_dynamic |
-| test.cpp:1058:12:1058:12 | a | test.cpp:1060:8:1060:9 | & ... |
+| test.cpp:1066:9:1066:14 | call to source | test.cpp:1072:10:1072:10 | i |
+| test.cpp:1066:9:1066:14 | call to source | test.cpp:1080:10:1080:10 | i |
+| test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
+| test.cpp:1069:9:1069:14 | call to source | test.cpp:1082:10:1082:10 | i |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1088:8:1088:9 | & ... |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
 | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |
@@ -314,7 +318,11 @@ irFlow
 | test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1031:19:1031:28 | *translated |
 | test.cpp:1045:14:1045:19 | call to source | test.cpp:1046:7:1046:10 | * ... |
 | test.cpp:1052:13:1052:27 | *call to indirect_source | test.cpp:1054:7:1054:11 | * ... |
-| test.cpp:1089:27:1089:34 | call to source | test.cpp:1089:27:1089:34 | call to source |
+| test.cpp:1066:9:1066:14 | call to source | test.cpp:1072:10:1072:10 | i |
+| test.cpp:1066:9:1066:14 | call to source | test.cpp:1079:10:1079:10 | i |
+| test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
+| test.cpp:1069:9:1069:14 | call to source | test.cpp:1081:10:1081:10 | i |
+| test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1054,6 +1054,34 @@ void test_realloc() {
 	sink(*dest); // $ ir, MISSING: ast
 }
 
+struct MyInt {
+  int i;
+  MyInt();
+  void swap(MyInt &j);
+};
+
+void test_member_swap() {
+	MyInt s1;
+	MyInt s2;
+	s2.i = source();
+	MyInt s3;
+	MyInt s4;
+	s4.i = source();
+
+	sink(s1.i);
+	sink(s2.i); // $ ast,ir
+	sink(s3.i);
+	sink(s4.i); // $ ast,ir
+
+	s1.swap(s2);
+	s4.swap(s3);
+
+	sink(s1.i); // $ ir
+	sink(s2.i); // $ SPURIOUS: ast
+	sink(s3.i); // $ ir
+	sink(s4.i); // $ SPURIOUS: ast
+}
+
 void flow_out_of_address_with_local_flow() {
   MyStruct a;
   a.content = nullptr;

cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected

@@ -51,5 +51,5 @@ incorrectBaseType
 | test.cpp:848:23:848:25 | rpx | Expected 'Node.getType()' to be int, but it was int * |
 | test.cpp:854:10:854:36 | * ... | Expected 'Node.getType()' to be const int, but it was int |
 | test.cpp:867:10:867:30 | * ... | Expected 'Node.getType()' to be const int, but it was int |
-| test.cpp:1070:52:1070:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * |
+| test.cpp:1098:52:1098:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * |
 failures

cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected

@@ -54,5 +54,5 @@
 | test.cpp:796:12:796:12 | a | test.cpp:797:20:797:20 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:797:31:797:31 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a |
-| test.cpp:1058:12:1058:12 | a | test.cpp:1059:3:1059:3 | a |
-| test.cpp:1058:12:1058:12 | a | test.cpp:1060:9:1060:9 | a |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a |