Merge pull request github#18416 from MathiasVP/more-robust-param-name-matching-arrays

C++: Also resolve typedefs nested inside `ArrayType`s

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -529,8 +529,21 @@ private string getTypeName(Type t, boolean needsSpace) {
       needsSpace = false and
       (if needsSpace0 = true then result = s + " *" else result = s + "*")
       or
+      // We don't need to check for `needsSpace0` here because the type of
+      // `x` in `int x[1024]` is formatted without a space between the bracket
+      // and the `int` by `Type.getName`. That is, calling `Type.getName` on
+      // the type of `x` gives `int[1024]` and not `int [1024]`.
+      needsSpace = false and
+      exists(ArrayType array | array = dt |
+        result = s + "[" + array.getArraySize() + "]"
+        or
+        not array.hasArraySize() and
+        result = s + "[]"
+      )
+      or
       not dt instanceof ReferenceType and
       not dt instanceof PointerType and
+      not dt instanceof ArrayType and
       result = s and
       needsSpace = needsSpace0
     )

cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected

@@ -76,3 +76,5 @@
 | tests.cpp:437:5:437:36 | [summary] to write: ReturnValue in madCallReturnValueIgnoreFunction | ReturnNode | madCallReturnValueIgnoreFunction | madCallReturnValueIgnoreFunction |
 | tests.cpp:459:5:459:31 | [summary param] *0 in parameter_ref_to_return_ref | ParameterNode | parameter_ref_to_return_ref | parameter_ref_to_return_ref |
 | tests.cpp:459:5:459:31 | [summary] to write: ReturnValue[*] in parameter_ref_to_return_ref | ReturnNode | parameter_ref_to_return_ref | parameter_ref_to_return_ref |
+| tests.cpp:471:5:471:17 | [summary param] *0 in receive_array | ParameterNode | receive_array | receive_array |
+| tests.cpp:471:5:471:17 | [summary] to write: ReturnValue in receive_array | ReturnNode | receive_array | receive_array |

cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.expected

@@ -30,6 +30,7 @@ summarizedCallables
 | tests.cpp:436:6:436:25 | madCallArg0WithValue |
 | tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
 | tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
+| tests.cpp:471:5:471:17 | receive_array |
 sourceCallables
 | tests.cpp:3:5:3:10 | source |
 | tests.cpp:4:6:4:14 | sourcePtr |
@@ -230,3 +231,9 @@ sourceCallables
 | tests.cpp:463:6:463:6 | x |
 | tests.cpp:464:36:464:36 | s |
 | tests.cpp:465:6:465:6 | y |
+| tests.cpp:469:7:469:9 | INT |
+| tests.cpp:471:23:471:23 | a |
+| tests.cpp:473:6:473:23 | test_receive_array |
+| tests.cpp:474:6:474:6 | x |
+| tests.cpp:475:6:475:10 | array |
+| tests.cpp:476:6:476:6 | y |

cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll

@@ -98,7 +98,8 @@ private class TestSummaries extends SummaryModelCsv {
         ";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.Field[first];value",
         ";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",
         ";;false;madCallReturnValueIgnoreFunction;;;Argument[1];ReturnValue;value",
-        ";StructWithTypedefInParameter<T>;true;parameter_ref_to_return_ref;(const T &);;Argument[*0];ReturnValue[*];value"
+        ";StructWithTypedefInParameter<T>;true;parameter_ref_to_return_ref;(const T &);;Argument[*0];ReturnValue[*];value",
+        ";;false;receive_array;(int[20]);;Argument[*0];ReturnValue;taint"
       ]
   }
 }

cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp

@@ -464,4 +464,15 @@ void test_parameter_ref_to_return_ref() {
 	StructWithTypedefInParameter<int> s;
 	int y = s.parameter_ref_to_return_ref(x);
 	sink(y); // $ ir
+}
+
+using INT = int;
+
+int receive_array(INT a[20]); // $ interpretElement
+
+void test_receive_array() {
+	int x = source();
+	int array[10] = {x};
+	int y = receive_array(array);
+	sink(y); // $ ir
 }