C++: outbound dataflow via this indirections

Author: Robert Marsh

cpp/ql/src/semmle/code/cpp/Parameter.qll

@@ -165,6 +165,7 @@ class Parameter extends LocalScopeVariable, @parameter {
 class ParameterIndex extends int {
   ParameterIndex() {
     exists(Parameter p | this = p.getIndex()) or
-    exists(Call c | exists(c.getArgument(this))) // permit indexing varargs
+    exists(Call c | exists(c.getArgument(this))) or // permit indexing varargs
+    this = -1 // used for `this`
   }
 }

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -74,7 +74,13 @@ class ReturnValueNode extends ReturnNode {
 class ReturnIndirectionNode extends ReturnNode {
   override ReturnIndirectionInstruction primary;
 
-  override ReturnKind getKind() { result = TIndirectReturnKind(primary.getParameter().getIndex()) }
+  override ReturnKind getKind() { 
+    result = TIndirectReturnKind(-1) and
+    primary.isThisIndirection()
+    or
+    result = TIndirectReturnKind(primary.getParameter().getIndex())
+  }
+
 }
 
 /** A data flow node that represents the output of a call. */

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -541,6 +541,8 @@ class ReturnIndirectionInstruction extends VariableInstruction {
    * function.
    */
   final Language::Parameter getParameter() { result = var.(IRUserVariable).getVariable() }
+
+  final predicate isThisIndirection() { var instanceof IRThisVariable }
 }
 
 class CopyInstruction extends Instruction {

cpp/ql/test/library-tests/dataflow/fields/A.cpp

@@ -129,7 +129,7 @@ class A
   {
     B *b = new B();
     f7(b);
-    sink(b->c); // $ast $f-:ir
+    sink(b->c); // $ast,ir
   }
 
   class D
@@ -149,7 +149,7 @@ class A
   {
     B *b = new B();
     D *d = new D(b, r());
-    sink(d->b);    // $ast=143:25 $ast=150:12 $f-:ir
+    sink(d->b);    // $ast,ir=143:25 $ast,ir=150:12
     sink(d->b->c); // $ast $f-:ir
     sink(b->c);    // $ast,ir
   }

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -86,12 +86,12 @@ void class_field_test() {
 	mc1.myMethod();
 
 	sink(mc1.a);
-	sink(mc1.b); // tainted [NOT DETECTED with IR]
-	sink(mc1.c); // tainted [NOT DETECTED with IR]
-	sink(mc1.d); // tainted [NOT DETECTED with IR]
+	sink(mc1.b); // tainted
+	sink(mc1.c); // tainted
+	sink(mc1.d); // tainted
 	sink(mc2.a);
-	sink(mc2.b); // tainted [NOT DETECTED with IR]
-	sink(mc2.c); // tainted [NOT DETECTED with IR]
+	sink(mc2.b); // tainted
+	sink(mc2.c); // tainted
 	sink(mc2.d);
 }
 

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -16,11 +16,6 @@
 | taint.cpp:41:7:41:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:42:7:42:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:43:7:43:13 | taint.cpp:37:22:37:27 | AST only |
-| taint.cpp:89:11:89:11 | taint.cpp:71:22:71:27 | AST only |
-| taint.cpp:90:11:90:11 | taint.cpp:72:7:72:12 | AST only |
-| taint.cpp:91:11:91:11 | taint.cpp:77:7:77:12 | AST only |
-| taint.cpp:93:11:93:11 | taint.cpp:71:22:71:27 | AST only |
-| taint.cpp:94:11:94:11 | taint.cpp:72:7:72:12 | AST only |
 | taint.cpp:109:7:109:13 | taint.cpp:105:12:105:17 | IR only |
 | taint.cpp:110:7:110:13 | taint.cpp:105:12:105:17 | IR only |
 | taint.cpp:111:7:111:13 | taint.cpp:106:12:106:17 | IR only |

cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected

@@ -3,6 +3,11 @@
 | taint.cpp:8:8:8:13 | clean1 | taint.cpp:4:27:4:33 | source1 |
 | taint.cpp:16:8:16:14 | source1 | taint.cpp:12:22:12:27 | call to source |
 | taint.cpp:17:8:17:16 | ++ ... | taint.cpp:12:22:12:27 | call to source |
+| taint.cpp:89:11:89:11 | b | taint.cpp:71:22:71:27 | call to source |
+| taint.cpp:90:11:90:11 | c | taint.cpp:72:7:72:12 | call to source |
+| taint.cpp:91:11:91:11 | d | taint.cpp:77:7:77:12 | call to source |
+| taint.cpp:93:11:93:11 | b | taint.cpp:71:22:71:27 | call to source |
+| taint.cpp:94:11:94:11 | c | taint.cpp:72:7:72:12 | call to source |
 | taint.cpp:109:7:109:13 | access to array | taint.cpp:105:12:105:17 | call to source |
 | taint.cpp:110:7:110:13 | access to array | taint.cpp:105:12:105:17 | call to source |
 | taint.cpp:111:7:111:13 | access to array | taint.cpp:106:12:106:17 | call to source |