C++: Add tests demonstrating differences between AST virtual dispatch analysis and IR virtual dispatch analysis

Author: MathiasVP

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.cpp

@@ -0,0 +1,129 @@
+void sink(const char *);
+void sink(int);
+
+struct S {
+    void(*f)(const char*);
+
+    void apply(char* p) {
+        f(p);
+    }
+
+    void (*get())(const char*) {
+        return f;
+    }
+};
+
+void calls_sink_with_argv(const char* a) {
+    sink(a);
+}
+
+extern int i;
+
+class BaseWithPureVirtual {
+public:
+    virtual void f(const char*) = 0;
+};
+
+class DerivedCallsSink : public BaseWithPureVirtual {
+public:
+    void f(const char* p) override {
+        sink(p);
+    }
+};
+
+class DerivedDoesNotCallSink : public BaseWithPureVirtual {
+public:
+    void f(const char* p) override {}
+};
+
+class DerivedCallsSinkDiamond1 : virtual public BaseWithPureVirtual {
+public:
+    void f(const char* p) override {
+        sink(p);
+    }
+};
+
+class DerivedDoesNotCallSinkDiamond2 : virtual public BaseWithPureVirtual {
+public:
+    void f(const char* p) override {}
+};
+
+class DerivesMultiple : public DerivedCallsSinkDiamond1, public DerivedDoesNotCallSinkDiamond2 {
+    void f(const char* p) override {
+        DerivedCallsSinkDiamond1::f(p);
+    }
+};
+
+template<typename T>
+class CRTP {
+public:
+    void f(const char* p) {
+        static_cast<T*>(this)->g(p);
+    }
+};
+
+class CRTPCallsSink : public CRTP<CRTPCallsSink> {
+    public:
+    void g(const char* p) {
+        sink(p);
+    }
+};
+
+class Derived1 : public BaseWithPureVirtual {};
+
+class Derived2 : public Derived1 {
+    public:
+    void f(const char* p) override {}
+};
+
+class Derived3 : public Derived2 {
+    public:
+    void f(const char* p) override {
+        sink(p);
+    }
+};
+
+class CRTPDoesNotCallSink : public CRTP<CRTPDoesNotCallSink> {
+    public:
+    void g(const char* p) {}
+};
+
+int main(int argc, char *argv[]) {
+    sink(argv[0]);
+
+    sink(reinterpret_cast<int>(argv));
+
+    calls_sink_with_argv(argv[1]);
+
+    char*** p = &argv;
+
+    sink(*p[0]);
+
+    calls_sink_with_argv(*p[i]);
+
+    sink(*(argv + 1)); // flow [NOT DECTED by AST]
+
+    BaseWithPureVirtual* b = new DerivedCallsSink;
+
+    b->f(argv[1]); // flow [NOT DETECTED by IR]
+
+    b = new DerivedDoesNotCallSink;
+    b->f(argv[0]); // no flow [FALSE POSITIVE by AST]
+
+    BaseWithPureVirtual* b2 = new DerivesMultiple;
+
+    b2->f(argv[i]); // flow [NOT DETECTED]
+
+    CRTP<CRTPDoesNotCallSink> crtp_not_call_sink;
+    crtp_not_call_sink.f(argv[0]);
+
+    CRTP<CRTPCallsSink> crtp_calls_sink;
+    crtp_calls_sink.f(argv[0]); // flow [NOT DETECTED]
+
+    Derived1* calls_sink = new Derived3;
+    calls_sink->f(argv[1]); // flow [NOT DETECTED by AST]
+
+    static_cast<Derived2*>(calls_sink)->f(argv[1]); // flow [NOT DETECTED]
+
+    dynamic_cast<Derived2*>(calls_sink)->f(argv[1]); // flow [NOT DETECTED by IR]
+}

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected

@@ -0,0 +1,22 @@
+| defaulttainttracking.cpp:16:16:16:21 | call to getenv | defaulttainttracking.cpp:9:11:9:20 | p#0 | IR only |
+| defaulttainttracking.cpp:16:16:16:21 | call to getenv | defaulttainttracking.cpp:16:8:16:14 | call to _strdup | IR only |
+| defaulttainttracking.cpp:16:16:16:21 | call to getenv | defaulttainttracking.cpp:16:8:16:29 | (const char *)... | IR only |
+| defaulttainttracking.cpp:16:16:16:21 | call to getenv | test_diff.cpp:1:11:1:20 | p#0 | IR only |
+| defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:3:21:3:22 | s1 | AST only |
+| defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:21:8:21:10 | buf | AST only |
+| defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:22:15:22:17 | buf | AST only |
+| defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:24:8:24:10 | buf | AST only |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:31:40:31:53 | dotted_address | AST only |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:39:36:39:61 | (const char *)... | AST only |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:39:51:39:61 | env_pointer | AST only |
+| test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:104:11:104:20 | (...) | IR only |
+| test_diff.cpp:108:10:108:13 | argv | test_diff.cpp:36:24:36:24 | p | AST only |
+| test_diff.cpp:111:10:111:13 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 | AST only |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:1:11:1:20 | p#0 | AST only |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:29:24:29:24 | p | AST only |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:30:14:30:14 | p | AST only |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:76:24:76:24 | p | IR only |
+| test_diff.cpp:128:44:128:47 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 | AST only |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:1:11:1:20 | p#0 | AST only |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:81:24:81:24 | p | AST only |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:82:14:82:14 | p | AST only |

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.ql

@@ -0,0 +1,23 @@
+import cpp
+import semmle.code.cpp.security.Security
+import semmle.code.cpp.security.TaintTracking as ASTTaintTracking
+import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
+
+predicate astFlow(Expr source, Element sink) {
+  ASTTaintTracking::tainted(source, sink)
+}
+
+predicate irFlow(Expr source, Element sink) {
+  IRDefaultTaintTracking::tainted(source, sink)
+}
+
+from Expr source, Element sink, string note
+where
+  astFlow(source, sink) and
+  not irFlow(source, sink) and
+  note = "AST only"
+  or
+  irFlow(source, sink) and
+  not astFlow(source, sink) and
+  note = "IR only"
+select source, sink, note