Merge pull request #19383 from MathiasVP/add-missing-predicate-to-mad-generation

MathiasVP · web-flow · commit f6e7d79f62ab · 2025-04-28T11:58:05.000+01:00
C++: Fix missing summaries in MaD generation
diff --git a/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -295,6 +295,14 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
     result = qualifierString()
   }
 
+  DataFlowPrivate::ParameterPosition getReturnKindParamPosition(DataFlowPrivate::ReturnKind k) {
+    exists(int argumentIndex, int indirectionIndex |
+      k.isIndirectReturn(argumentIndex) and
+      k.getIndirectionIndex() = indirectionIndex and
+      result = DataFlowPrivate::TIndirectionPosition(argumentIndex, indirectionIndex)
+    )
+  }
+
   string getReturnValueString(DataFlowPrivate::ReturnKind k) {
     k.isNormalReturn() and
     exists(int indirectionIndex | indirectionIndex = k.getIndirectionIndex() |
diff --git a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp
@@ -131,6 +131,8 @@ namespace Models {
 
 //heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;df-generated
 //heuristic-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;taint;df-generated
+//heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];Argument[*0];taint;df-generated
+//contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];Argument[*0];taint;dfc-generated
 //contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;dfc-generated
 //contentbased-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;value;dfc-generated
 int toplevel_function(int* p) {
@@ -199,3 +201,18 @@ int get_x_from_union(U* u) {
 void set_x_in_union(U* u, int x) {
     u->x = x;
 }
+
+struct HasInt {
+    int x;
+};
+
+//contentbased-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*0];taint;dfc-generated
+//contentbased-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*1];taint;dfc-generated
+//contentbased-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];value;dfc-generated
+//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*0];taint;df-generated
+//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*1];taint;df-generated
+//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];taint;df-generated
+int copy_struct(HasInt *out, const HasInt *in) {
+    *out = *in;
+    return 1;
+}
