@@ -123,14 +123,25 @@ private class StdSequenceContainerData extends TaintFunction {
123123/**
124124 * The standard container functions `push_back` and `push_front`.
125125 */
126- private class StdSequenceContainerPush extends TaintFunction {
126+ class StdSequenceContainerPush extends MemberFunction {
127127 StdSequenceContainerPush ( ) {
128128 this .getClassAndName ( "push_back" ) instanceof Vector or
129129 this .getClassAndName ( [ "push_back" , "push_front" ] ) instanceof Deque or
130130 this .getClassAndName ( "push_front" ) instanceof ForwardList or
131131 this .getClassAndName ( [ "push_back" , "push_front" ] ) instanceof List
132132 }
133133
134+ /**
135+ * Gets the index of a parameter to this function that is a reference to the
136+ * value type of the container.
137+ */
138+ int getAValueTypeParameterIndex ( ) {
139+ this .getParameter ( result ) .getUnspecifiedType ( ) .( ReferenceType ) .getBaseType ( ) =
140+ this .getDeclaringType ( ) .getTemplateArgument ( 0 ) .( Type ) .getUnspecifiedType ( ) // i.e. the `T` of this `std::vector<T>`
141+ }
142+ }
143+
144+ private class StdSequenceContainerPushModel extends StdSequenceContainerPush , TaintFunction {
134145 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
135146 // flow from parameter to qualifier
136147 input .isParameterDeref ( 0 ) and
@@ -160,7 +171,7 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
160171/**
161172 * The standard container functions `insert` and `insert_after`.
162173 */
163- private class StdSequenceContainerInsert extends TaintFunction {
174+ class StdSequenceContainerInsert extends MemberFunction {
164175 StdSequenceContainerInsert ( ) {
165176 this .getClassAndName ( "insert" ) instanceof Deque or
166177 this .getClassAndName ( "insert" ) instanceof List or
@@ -181,7 +192,9 @@ private class StdSequenceContainerInsert extends TaintFunction {
181192 * Gets the index of a parameter to this function that is an iterator.
182193 */
183194 int getAnIteratorParameterIndex ( ) { this .getParameter ( result ) .getType ( ) instanceof Iterator }
195+ }
184196
197+ private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert , TaintFunction {
185198 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
186199 // flow from parameter to container itself (qualifier) and return value
187200 (
@@ -253,11 +266,28 @@ private class StdSequenceContainerAt extends TaintFunction {
253266}
254267
255268/**
256- * The standard vector `emplace` function.
269+ * The standard `emplace` function.
257270 */
258- class StdVectorEmplace extends TaintFunction {
259- StdVectorEmplace ( ) { this .getClassAndName ( "emplace" ) instanceof Vector }
271+ class StdSequenceEmplace extends MemberFunction {
272+ StdSequenceEmplace ( ) {
273+ this .getClassAndName ( "emplace" ) instanceof Vector
274+ or
275+ this .getClassAndName ( "emplace" ) instanceof List
276+ or
277+ this .getClassAndName ( "emplace" ) instanceof Deque
278+ }
279+
280+ /**
281+ * Gets the index of a parameter to this function that is a reference to the
282+ * value type of the container.
283+ */
284+ int getAValueTypeParameterIndex ( ) {
285+ this .getParameter ( result ) .getUnspecifiedType ( ) .( ReferenceType ) .getBaseType ( ) =
286+ this .getDeclaringType ( ) .getTemplateArgument ( 0 ) .( Type ) .getUnspecifiedType ( ) // i.e. the `T` of this `std::vector<T>`
287+ }
288+ }
260289
290+ private class StdSequenceEmplaceModel extends StdSequenceEmplace , TaintFunction {
261291 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
262292 // flow from any parameter except the position iterator to qualifier and return value
263293 // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -269,16 +299,47 @@ class StdVectorEmplace extends TaintFunction {
269299 }
270300}
271301
302+ /**
303+ * The standard vector `emplace` function.
304+ */
305+ class StdVectorEmplace extends StdSequenceEmplace {
306+ StdVectorEmplace ( ) { this .getDeclaringType ( ) instanceof Vector }
307+ }
308+
272309/**
273310 * The standard vector `emplace_back` function.
274311 */
275- class StdVectorEmplaceBack extends TaintFunction {
276- StdVectorEmplaceBack ( ) { this .getClassAndName ( "emplace_back" ) instanceof Vector }
312+ class StdSequenceEmplaceBack extends MemberFunction {
313+ StdSequenceEmplaceBack ( ) {
314+ this .getClassAndName ( "emplace_back" ) instanceof Vector
315+ or
316+ this .getClassAndName ( "emplace_back" ) instanceof List
317+ or
318+ this .getClassAndName ( "emplace_back" ) instanceof Deque
319+ }
320+
321+ /**
322+ * Gets the index of a parameter to this function that is a reference to the
323+ * value type of the container.
324+ */
325+ int getAValueTypeParameterIndex ( ) {
326+ this .getParameter ( result ) .getUnspecifiedType ( ) .( ReferenceType ) .getBaseType ( ) =
327+ this .getDeclaringType ( ) .getTemplateArgument ( 0 ) .( Type ) .getUnspecifiedType ( ) // i.e. the `T` of this `std::vector<T>`
328+ }
329+ }
277330
331+ private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack , TaintFunction {
278332 override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
279333 // flow from any parameter to qualifier
280334 // (here we assume taint flow from any constructor parameter to the constructed object)
281335 input .isParameterDeref ( [ 0 .. this .getNumberOfParameters ( ) - 1 ] ) and
282336 output .isQualifierObject ( )
283337 }
284338}
339+
340+ /**
341+ * The standard vector `emplace_back` function.
342+ */
343+ class StdVectorEmplaceBack extends StdSequenceEmplaceBack {
344+ StdVectorEmplaceBack ( ) { this .getDeclaringType ( ) instanceof Vector }
345+ }
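Review bot: The trailing comment on `getAValueTypeParameterIndex` still reads "the `T` of this `std::vector<T>`" in all three copies (new lines 140, 286 and 327), but the enclosing classes now also match `Deque`, `List` and, for push, `ForwardList`; I would reword it to `// i.e. the T of this container, e.g. std::vector<T>`. The predicate body is identical in `StdSequenceContainerPush`, `StdSequenceEmplace` and `StdSequenceEmplaceBack`, so a single shared abstract superclass would keep the three copies from drifting apart. For the two emplace classes, the doc comment should also say that the parameters are forwarded constructor arguments (as the comment at new line 293 assumes), so as far as I can tell the predicate only holds where an argument happens to be a reference to the element type; a query that uses it to locate the inserted value would presumably miss the other cases. Separately, the visible hunks model `emplace` and `emplace_back` but not `emplace_front` or `emplace_after`, although `push_front` is modelled for `Deque`, `ForwardList` and `List`; if those are not handled elsewhere in the file, taint through them is dropped and dependent queries under-report.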