
Commit 4f4cdf4

Merge pull request #22061 from MathiasVP/mad-write-through-model
Shared: Support flow summaries from `ReturnValue`s
2 parents 797f58b + b7b731b commit 4f4cdf4

37 files changed

Lines changed: 329 additions & 63 deletions


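--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -6,6 +6,7 @@ private import cpp as Cpp
 private import codeql.dataflow.internal.FlowSummaryImpl
 private import codeql.dataflow.internal.AccessPathSyntax as AccessPath
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific as DataFlowImplSpecific
 private import semmle.code.cpp.dataflow.ExternalFlow
@@ -20,8 +21,22 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
 
 class SinkBase = Void;
 
+class FlowSummaryCallBase = CallInstruction;
+
 predicate callableFromSource(SummarizedCallableBase c) { exists(c.getBlock()) }
 
+FlowSummaryCallBase getASourceCall(SummarizedCallableBase sc) {
+result.getStaticCallTarget() = sc
+}
+
+DataFlowCallable getSummarizedCallableAsDataFlowCallable(SummarizedCallableBase c) {
+result.asSummarizedCallable() = c
+}
+
+DataFlowCallable getSourceCallEnclosingCallable(FlowSummaryCallBase call) {
+result.asSourceCallable() = call.getEnclosingFunction()
+}
+
 ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) }
 
 ReturnKind getStandardReturnValueKind() { result = getReturnValueKind("") }
@@ -30,6 +45,10 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
 arg = repeatStars(result.(NormalReturnKind).getIndirectionIndex())
 }
 
+ParameterPosition getFlowSummaryParameterPosition(ReturnKind rk) {
+result = TFlowSummaryPosition(rk)
+}
+
 string encodeParameterPosition(ParameterPosition pos) { result = pos.toString() }
 
 string encodeArgumentPosition(ArgumentPosition pos) { result = pos.toString() }
@@ -114,10 +133,22 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
 private import Make<Location, DataFlowImplSpecific::CppDataFlow, Input> as Impl
 
 private module StepsInput implements Impl::Private::StepsInputSig {
+Impl::Private::SummaryNode getSummaryNode(Node n) {
+result = n.(FlowSummaryNode).getSummaryNode()
+}
+
 DataFlowCall getACall(Public::SummarizedCallable sc) {
 result.getStaticCallTarget().getUnderlyingCallable() = sc
 }
 
+Node getSourceOutNode(Input::FlowSummaryCallBase call, ReturnKind rk) {
+exists(IndirectReturnOutNode out | result = out |
+out.getCallInstruction() = call and
+pragma[only_bind_out](rk.(NormalReturnKind).getIndirectionIndex()) =
+pragma[only_bind_out](out.getIndirectionIndex())
+)
+}
+
 DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
 
 Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }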
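Review bot: `getSourceOutNode` in `StepsInput` only has a result when `rk` is a `NormalReturnKind` and the call has an `IndirectReturnOutNode` with the same indirection index, so a summary whose input is a plain `ReturnValue` (without `[*]`) would apparently get no out node and the model would have no effect. If that is intended, because only an indirection of the return value can be written through, the predicate should say so in QLDoc, e.g. `/** Gets the out node for the indirection of the return value of call that matches rk; a direct return value has none. */`. In a security query a model that is accepted but never applied surfaces as missing taint flow rather than as an error, so the restriction is worth documenting. The `StepsInput` module continues past the end of the hunk.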

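--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
@@ -1534,12 +1534,8 @@ class FlowSummaryNode extends Node, TFlowSummaryNode {
 result = this.getSummaryNode().getSummarizedCallable()
 }
 
-/**
-* Gets the enclosing callable. For a `FlowSummaryNode` this is always the
-* summarized function this node is part of.
-*/
 override DataFlowCallable getEnclosingCallable() {
-result.asSummarizedCallable() = this.getSummarizedCallable()
+result = FlowSummaryImpl::Private::getEnclosingCallable(this.getSummaryNode())
 }
 
 override Location getLocationImpl() { result = this.getSummarizedCallable().getLocation() }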
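Review bot: The QLDoc on `FlowSummaryNode.getEnclosingCallable` is deleted together with the old body, which leaves the override undocumented at the point where its result stops being obviously the summarized callable. The new body delegates to `FlowSummaryImpl::Private::getEnclosingCallable`, and judging from `getSourceCallEnclosingCallable` in FlowSummaryImpl.qll some summary nodes presumably now belong to the calling source function. If that reading is right, a replacement comment keeps it visible: `/** Gets the enclosing callable: the summarized callable, or the callable containing the source call for nodes that model a write through a return value. */`. The class body starts and ends outside the hunk.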

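--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -561,6 +561,21 @@ class SummaryArgumentNode extends ArgumentNode, FlowSummaryNode {
 }
 }
 
+/** An argument node that re-enters return output as input to a flow summary. */
+private class FlowSummaryArgumentNode extends ArgumentNode, FlowSummaryNode {
+private CallInstruction callInstruction;
+private ReturnKind rk;
+
+FlowSummaryArgumentNode() {
+this.getSummaryNode() = FlowSummaryImpl::Private::summaryArgumentNode(callInstruction, rk)
+}
+
+override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+call.asCallInstruction() = callInstruction and
+pos = TFlowSummaryPosition(rk)
+}
+}
+
 /** A parameter position represented by an integer. */
 class ParameterPosition = Position;
 
@@ -616,6 +631,18 @@ class IndirectionPosition extends Position, TIndirectionPosition {
 final override int getIndirectionIndex() { result = indirectionIndex }
 }
 
+class FlowSummaryPosition extends Position, TFlowSummaryPosition {
+ReturnKind rk;
+
+FlowSummaryPosition() { this = TFlowSummaryPosition(rk) }
+
+override string toString() { result = "write to: " + rk.toString() }
+
+override int getArgumentIndex() { none() }
+
+final override int getIndirectionIndex() { result = rk.getIndirectionIndex() }
+}
+
 newtype TPosition =
 TDirectPosition(int argumentIndex) {
 exists(any(CallInstruction c).getArgument(argumentIndex))
@@ -634,7 +661,8 @@ newtype TPosition =
 p = f.getParameter(argumentIndex) and
 indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(p.getUnspecifiedType()) - 1]
 )
-}
+} or
+TFlowSummaryPosition(ReturnKind rk) { FlowSummaryImpl::Private::relevantFlowSummaryPosition(rk) }
 
 private newtype TReturnKind =
 TNormalReturnKind(int indirectionIndex) {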
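Review bot: `FlowSummaryPosition` is added as a public class without QLDoc, although `FlowSummaryArgumentNode` above it and `ParameterPosition` in the same file both carry one; the `"write to: "` prefix in its `toString` is the only hint of what the position stands for. A one-line comment would do, e.g. `/** A position for the value written through a call's return value of kind rk, used to pass it into a flow summary. */`. That comment should also mention that `getArgumentIndex()` has no result for this position, so code that selects positions by argument index will never match it. The `TPosition` and `TReturnKind` newtypes in the last hunk extend beyond the visible lines.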

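--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -158,7 +158,7 @@ private module Cached {
 model = ""
 or
 // models-as-data summarized flow
-FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
+FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom,
 nodeTo.(FlowSummaryNode).getSummaryNode(), true, model)
 }
 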
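Review bot: The comment `// models-as-data summarized flow` above the changed call no longer tells the reader which nodes can start this step, because `nodeFrom` is now passed as a plain `Node` and the cast to `FlowSummaryNode` has moved into `StepsInput::getSummaryNode` in FlowSummaryImpl.qll. Assuming the new signature is meant to let the shared implementation do that translation, the comment could read `// models-as-data summarized flow; nodeFrom is translated to a summary node by the shared implementation`. The same applies to the identical one-line change in TaintTrackingUtil.qll. The enclosing predicate starts outside the hunk.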

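--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -67,7 +67,7 @@ private module Cached {
 model = ""
 or
 // models-as-data summarized flow
-FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
+FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom,
 nodeTo.(FlowSummaryNode).getSummaryNode(), false, model)
 or
 // object->field conflation for content that is a `TaintInheritingContent`.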

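--- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected
@@ -53,14 +53,17 @@ models
 | 52 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
 | 53 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
 | 54 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 55 | Summary: ; TemplateClass1; true; templateFunction2<U,V>; (U,V); ; Argument[1]; ReturnValue; value; manual |
-| 56 | Summary: ; TemplateClass1<T>; false; templateFunction<U>; (T,U); ; Argument[0]; ReturnValue; value; manual |
-| 57 | Summary: ; TemplateClass2<T,U>; true; function; (U,T); ; Argument[1]; ReturnValue; value; manual |
-| 58 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 59 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 60 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
-| 61 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
-| 62 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+| 55 | Summary: ; MyString; true; operator[]; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 56 | Summary: ; MyString; true; operator[]; ; ; ReturnValue[*]; Argument[-1]; taint; manual |
+| 57 | Summary: ; ReverseFlow; true; get_ptr; ; ; ReturnValue[*]; Argument[-1].Field[ReverseFlow::value]; value; manual |
+| 58 | Summary: ; TemplateClass1; true; templateFunction2<U,V>; (U,V); ; Argument[1]; ReturnValue; value; manual |
+| 59 | Summary: ; TemplateClass1<T>; false; templateFunction<U>; (T,U); ; Argument[0]; ReturnValue; value; manual |
+| 60 | Summary: ; TemplateClass2<T,U>; true; function; (U,T); ; Argument[1]; ReturnValue; value; manual |
+| 61 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 62 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 63 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
+| 64 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 65 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:32 |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:32 Sink:MaD:2 |
@@ -69,16 +72,16 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance | |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:62 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:65 |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:253:48:253:60 | *call to GetBodyStream | provenance | Src:MaD:29 |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:257:5:257:8 | *resp | provenance | |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:262:5:262:8 | *resp | provenance | |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:266:38:266:41 | *resp | provenance | |
-| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:58 |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:61 |
 | azure.cpp:257:16:257:21 | Read output argument | azure.cpp:258:10:258:16 | * ... | provenance | |
-| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:59 |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:62 |
 | azure.cpp:262:23:262:28 | ReadToCount output argument | azure.cpp:263:10:263:16 | * ... | provenance | |
-| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:60 |
+| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:63 |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:267:10:267:12 | vec [element] | provenance | |
 | azure.cpp:267:10:267:12 | vec [element] | azure.cpp:267:10:267:12 | vec | provenance | |
@@ -94,10 +97,10 @@ edges
 | azure.cpp:278:10:278:13 | body | azure.cpp:278:10:278:13 | body | provenance | |
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | provenance | Src:MaD:26 |
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:282:21:282:23 | *call to get | provenance | |
-| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:60 |
+| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:63 |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:10:282:38 | call to ReadToEnd | provenance | |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | |
-| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:61 |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:64 |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:24:289:56 | call to GetHeader | provenance | |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:32:289:40 | call to GetHeader | provenance | Src:MaD:30 |
 | azure.cpp:289:63:289:65 | call to Value | azure.cpp:289:63:289:65 | call to Value | provenance | |
@@ -159,27 +162,27 @@ edges
 | test.cpp:133:10:133:18 | call to ymlSource | test.cpp:134:45:134:45 | x | provenance | |
 | test.cpp:134:13:134:43 | call to templateFunction | test.cpp:134:13:134:43 | call to templateFunction | provenance | |
 | test.cpp:134:13:134:43 | call to templateFunction | test.cpp:135:10:135:10 | y | provenance | Sink:MaD:1 |
-| test.cpp:134:45:134:45 | x | test.cpp:134:13:134:43 | call to templateFunction | provenance | MaD:56 |
+| test.cpp:134:45:134:45 | x | test.cpp:134:13:134:43 | call to templateFunction | provenance | MaD:59 |
 | test.cpp:146:10:146:18 | call to ymlSource | test.cpp:146:10:146:18 | call to ymlSource | provenance | Src:MaD:25 |
 | test.cpp:146:10:146:18 | call to ymlSource | test.cpp:148:26:148:26 | x | provenance | |
 | test.cpp:148:10:148:27 | call to function | test.cpp:148:10:148:27 | call to function | provenance | |
 | test.cpp:148:10:148:27 | call to function | test.cpp:149:10:149:10 | z | provenance | Sink:MaD:1 |
-| test.cpp:148:26:148:26 | x | test.cpp:148:10:148:27 | call to function | provenance | MaD:57 |
+| test.cpp:148:26:148:26 | x | test.cpp:148:10:148:27 | call to function | provenance | MaD:60 |
 | test.cpp:155:10:155:18 | call to ymlSource | test.cpp:155:10:155:18 | call to ymlSource | provenance | Src:MaD:25 |
 | test.cpp:155:10:155:18 | call to ymlSource | test.cpp:157:26:157:26 | x | provenance | |
 | test.cpp:157:13:157:20 | call to function | test.cpp:157:13:157:20 | call to function | provenance | |
 | test.cpp:157:13:157:20 | call to function | test.cpp:158:10:158:10 | z | provenance | Sink:MaD:1 |
-| test.cpp:157:26:157:26 | x | test.cpp:157:13:157:20 | call to function | provenance | MaD:57 |
+| test.cpp:157:26:157:26 | x | test.cpp:157:13:157:20 | call to function | provenance | MaD:60 |
 | test.cpp:164:34:164:34 | x | test.cpp:165:69:165:69 | x | provenance | |
 | test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:164:7:164:7 | *templateFunction3 | provenance | |
 | test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | |
-| test.cpp:165:69:165:69 | x | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | MaD:55 |
+| test.cpp:165:69:165:69 | x | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | MaD:58 |
 | test.cpp:170:10:170:18 | call to ymlSource | test.cpp:170:10:170:18 | call to ymlSource | provenance | Src:MaD:25 |
 | test.cpp:170:10:170:18 | call to ymlSource | test.cpp:172:51:172:51 | x | provenance | |
 | test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | |
 | test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:173:10:173:10 | y | provenance | Sink:MaD:1 |
 | test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | provenance | |
-| test.cpp:172:51:172:51 | x | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | MaD:55 |
+| test.cpp:172:51:172:51 | x | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | MaD:58 |
 | test.cpp:186:2:186:2 | *s [post update] [myField] | test.cpp:187:33:187:34 | *& ... [myField] | provenance | |
 | test.cpp:186:2:186:24 | ... = ... | test.cpp:186:2:186:2 | *s [post update] [myField] | provenance | |
 | test.cpp:186:14:186:22 | call to ymlSource | test.cpp:186:2:186:24 | ... = ... | provenance | Src:MaD:25 |
@@ -192,6 +195,18 @@ edges
 | test.cpp:200:10:200:33 | call to read_field_from_struct_2 | test.cpp:200:10:200:33 | call to read_field_from_struct_2 | provenance | |
 | test.cpp:200:10:200:33 | call to read_field_from_struct_2 | test.cpp:201:10:201:10 | x | provenance | Sink:MaD:1 |
 | test.cpp:200:35:200:36 | *& ... [myField] | test.cpp:200:10:200:33 | call to read_field_from_struct_2 | provenance | MaD:51 |
+| test.cpp:216:3:216:4 | get_ptr output argument [value] | test.cpp:217:11:217:12 | *rf [value] | provenance | |
+| test.cpp:216:3:216:28 | ... = ... | test.cpp:216:3:216:4 | get_ptr output argument [value] | provenance | MaD:57 |
+| test.cpp:216:18:216:26 | call to ymlSource | test.cpp:216:3:216:28 | ... = ... | provenance | Src:MaD:25 |
+| test.cpp:217:11:217:12 | *rf [value] | test.cpp:217:14:217:18 | value | provenance | |
+| test.cpp:217:14:217:18 | value | test.cpp:217:14:217:18 | value | provenance | |
+| test.cpp:217:14:217:18 | value | test.cpp:218:11:218:11 | x | provenance | Sink:MaD:1 |
+| test.cpp:222:3:222:3 | operator[] output argument | test.cpp:223:12:223:12 | *s | provenance | |
+| test.cpp:222:3:222:20 | ... = ... | test.cpp:222:3:222:3 | operator[] output argument | provenance | MaD:56 |
+| test.cpp:222:10:222:20 | call to ymlSource | test.cpp:222:3:222:20 | ... = ... | provenance | Src:MaD:25 |
+| test.cpp:223:12:223:12 | *s | test.cpp:223:13:223:15 | call to operator[] | provenance | MaD:55 |
+| test.cpp:223:13:223:15 | call to operator[] | test.cpp:223:13:223:15 | call to operator[] | provenance | |
+| test.cpp:223:13:223:15 | call to operator[] | test.cpp:224:11:224:11 | c | provenance | Sink:MaD:1 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance | |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:27:36:27:38 | *cmd | provenance | |
@@ -470,6 +485,20 @@ nodes
 | test.cpp:200:10:200:33 | call to read_field_from_struct_2 | semmle.label | call to read_field_from_struct_2 |
 | test.cpp:200:35:200:36 | *& ... [myField] | semmle.label | *& ... [myField] |
 | test.cpp:201:10:201:10 | x | semmle.label | x |
+| test.cpp:216:3:216:4 | get_ptr output argument [value] | semmle.label | get_ptr output argument [value] |
+| test.cpp:216:3:216:28 | ... = ... | semmle.label | ... = ... |
+| test.cpp:216:18:216:26 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:217:11:217:12 | *rf [value] | semmle.label | *rf [value] |
+| test.cpp:217:14:217:18 | value | semmle.label | value |
+| test.cpp:217:14:217:18 | value | semmle.label | value |
+| test.cpp:218:11:218:11 | x | semmle.label | x |
+| test.cpp:222:3:222:3 | operator[] output argument | semmle.label | operator[] output argument |
+| test.cpp:222:3:222:20 | ... = ... | semmle.label | ... = ... |
+| test.cpp:222:10:222:20 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:223:12:223:12 | *s | semmle.label | *s |
+| test.cpp:223:13:223:15 | call to operator[] | semmle.label | call to operator[] |
+| test.cpp:223:13:223:15 | call to operator[] | semmle.label | call to operator[] |
+| test.cpp:224:11:224:11 | c | semmle.label | c |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
 | windows.cpp:24:8:24:11 | * ... | semmle.label | * ... |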

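--- a/cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml
+++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml
@@ -23,4 +23,7 @@ extensions:
 - ["", "TemplateClass1", True, "templateFunction2<U,V>", "(U,V)", "", "Argument[1]", "ReturnValue", "value", "manual"]
 - ["", "TemplateClass2<T,U>", True, "function", "(U,T)", "", "Argument[1]", "ReturnValue", "value", "manual"]
 - ["", "", False, "read_field_from_struct", "", "", "Argument[*0].Field[MyNamespace::MyStructInNamespace::myField]", "ReturnValue", "value", "manual"]
-- ["", "", False, "read_field_from_struct_2", "", "", "Argument[*0].Field[MyGlobalStruct::myField]", "ReturnValue", "value", "manual"]
+- ["", "", False, "read_field_from_struct_2", "", "", "Argument[*0].Field[MyGlobalStruct::myField]", "ReturnValue", "value", "manual"]
+- ["", "ReverseFlow", True, "get_ptr", "", "", "ReturnValue[*]", "Argument[-1].Field[ReverseFlow::value]", "value", "manual"]
+- ["", "MyString", True, "operator[]", "", "", "ReturnValue[*]", "Argument[-1]", "taint", "manual"]
+- ["", "MyString", True, "operator[]", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]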
