Merge pull request github#4642 from geoffw0/memberfn

C++: Improve MemberFunction.qll data flows

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -677,6 +677,11 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
       exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel |
         f.hasDataFlow(inModel, outModel) and
         (
+          exists(int iIn |
+            inModel.isParameterDeref(iIn) and
+            call.passesByReference(iIn, fromExpr)
+          )
+          or
           exists(int iIn |
             inModel.isParameter(iIn) and
             fromExpr = call.getArgument(iIn)

cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll

@@ -35,11 +35,7 @@ class ConversionConstructorModel extends Constructor, TaintFunction {
 class CopyConstructorModel extends CopyConstructor, DataFlowFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     // data flow from the first constructor argument to the returned object
-    (
-      input.isParameter(0)
-      or
-      input.isParameterDeref(0)
-    ) and
+    input.isParameterDeref(0) and
     (
       output.isReturnValue()
       or
@@ -54,11 +50,7 @@ class CopyConstructorModel extends CopyConstructor, DataFlowFunction {
 class MoveConstructorModel extends MoveConstructor, DataFlowFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     // data flow from the first constructor argument to the returned object
-    (
-      input.isParameter(0)
-      or
-      input.isParameterDeref(0)
-    ) and
+    input.isParameterDeref(0) and
     (
       output.isReturnValue()
       or

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -5113,10 +5113,11 @@
 | swap1.cpp:109:5:109:30 | ... = ... | swap1.cpp:111:20:111:24 | data1 |  |
 | swap1.cpp:109:5:109:30 | ... = ... | swap1.cpp:115:18:115:22 | data1 |  |
 | swap1.cpp:109:23:109:28 | call to source | swap1.cpp:109:5:109:30 | ... = ... |  |
-| swap1.cpp:113:31:113:39 | call to move | swap1.cpp:113:31:113:51 | call to Class |  |
+| swap1.cpp:113:31:113:39 | call to move | swap1.cpp:113:31:113:51 | call to Class | TAINT |
 | swap1.cpp:113:31:113:39 | ref arg call to move | swap1.cpp:113:41:113:49 | move_from [inner post update] |  |
 | swap1.cpp:113:31:113:51 | call to Class | swap1.cpp:115:10:115:16 | move_to |  |
 | swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:39 | call to move |  |
+| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:51 | call to Class |  |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:122:5:122:5 | x |  |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:124:10:124:10 | x |  |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:127:19:127:19 | x |  |
@@ -5279,10 +5280,11 @@
 | swap2.cpp:109:5:109:30 | ... = ... | swap2.cpp:111:20:111:24 | data1 |  |
 | swap2.cpp:109:5:109:30 | ... = ... | swap2.cpp:115:18:115:22 | data1 |  |
 | swap2.cpp:109:23:109:28 | call to source | swap2.cpp:109:5:109:30 | ... = ... |  |
-| swap2.cpp:113:31:113:39 | call to move | swap2.cpp:113:31:113:51 | call to Class |  |
+| swap2.cpp:113:31:113:39 | call to move | swap2.cpp:113:31:113:51 | call to Class | TAINT |
 | swap2.cpp:113:31:113:39 | ref arg call to move | swap2.cpp:113:41:113:49 | move_from [inner post update] |  |
 | swap2.cpp:113:31:113:51 | call to Class | swap2.cpp:115:10:115:16 | move_to |  |
 | swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:39 | call to move |  |
+| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:51 | call to Class |  |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:122:5:122:5 | x |  |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:124:10:124:10 | x |  |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:127:19:127:19 | x |  |