diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 09409eb30f2a..0a6d459ec79b 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -677,6 +677,11 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
 exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel |
 f.hasDataFlow(inModel, outModel) and
 (
+ exists(int iIn |
+ inModel.isParameterDeref(iIn) and
+ call.passesByReference(iIn, fromExpr)
+ )
+ or
 exists(int iIn |
 inModel.isParameter(iIn) and
 fromExpr = call.getArgument(iIn)
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll
index 70bf37a96d38..c2fb7a30d989 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll
@@ -35,11 +35,7 @@ class ConversionConstructorModel extends Constructor, TaintFunction {
 class CopyConstructorModel extends CopyConstructor, DataFlowFunction {
 override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
 // data flow from the first constructor argument to the returned object
- (
- input.isParameter(0)
- or
- input.isParameterDeref(0)
- ) and
+ input.isParameterDeref(0) and
 (
 output.isReturnValue()
 or
@@ -54,11 +50,7 @@ class CopyConstructorModel extends CopyConstructor, DataFlowFunction {
 class MoveConstructorModel extends MoveConstructor, DataFlowFunction {
 override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
 // data flow from the first constructor argument to the returned object
- (
- input.isParameter(0)
- or
- input.isParameterDeref(0)
- ) and
+ input.isParameterDeref(0) and
 (
 output.isReturnValue()
 or
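Review bot: The new `isParameterDeref` disjunct only produces a step when `call.passesByReference(iIn, fromExpr)` holds, so for a dereferenced-parameter model whose argument is not a variable passed by reference (a temporary, a call result, pointer arithmetic) there is no step from the argument expression at all, and what `passesByReference` accepts for plain pointer-typed arguments is not visible in this hunk. Because `CopyConstructorModel` and `MoveConstructorModel` in the same commit drop their `isParameter(0)` alternative, such arguments now fall through to taint only, which the expected-file change in this commit appears to show (`call to move` → `call to Class` goes from a plain step to TAINT). If that is intended, a comment on the new disjunct should say so, e.g. `// A dereferenced-parameter input is sourced from the variable passed by reference; argument expressions that are not such variable accesses get no data-flow step here`; otherwise consider whether an argument-expression fallback is needed for `isParameterDeref` inputs. The enclosing predicate `exprToExprStep_nocfg` begins before the hunk and continues past it, and the binding of `call` is outside the visible lines.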
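Review bot: Removing `input.isParameter(0)` from `MoveConstructorModel.hasDataFlow` means the constructor argument expression itself no longer feeds a data-flow step; only the variable resolved through the dereferenced-parameter path does, and the expected-file change in this commit shows `call to move` → `call to Class` surviving only as a TAINT step. Queries built on a plain data-flow configuration rather than taint tracking will therefore no longer see `Class c(std::move(expr))` as a flow of `expr` unless their source is the moved-from variable that the new `move_from` → `call to Class` step covers, which is a precision/recall trade-off worth stating explicitly. I would extend the existing comment to `// data flow from the object referenced by the first constructor argument to the returned object; the argument expression itself is covered by taint only`, and apply the same wording to `CopyConstructorModel` above, which makes the identical change. Both `hasDataFlow` bodies continue past their hunks.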
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 080d7a3c14ef..51ad85369398 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -5113,10 +5113,11 @@
 | swap1.cpp:109:5:109:30 | ... = ... | swap1.cpp:111:20:111:24 | data1 | |
 | swap1.cpp:109:5:109:30 | ... = ... | swap1.cpp:115:18:115:22 | data1 | |
 | swap1.cpp:109:23:109:28 | call to source | swap1.cpp:109:5:109:30 | ... = ... | |
-| swap1.cpp:113:31:113:39 | call to move | swap1.cpp:113:31:113:51 | call to Class | |
+| swap1.cpp:113:31:113:39 | call to move | swap1.cpp:113:31:113:51 | call to Class | TAINT |
 | swap1.cpp:113:31:113:39 | ref arg call to move | swap1.cpp:113:41:113:49 | move_from [inner post update] | |
 | swap1.cpp:113:31:113:51 | call to Class | swap1.cpp:115:10:115:16 | move_to | |
 | swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:39 | call to move | |
+| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:51 | call to Class | |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:122:5:122:5 | x | |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:124:10:124:10 | x | |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:127:19:127:19 | x | |
@@ -5279,10 +5280,11 @@
 | swap2.cpp:109:5:109:30 | ... = ... | swap2.cpp:111:20:111:24 | data1 | |
 | swap2.cpp:109:5:109:30 | ... = ... | swap2.cpp:115:18:115:22 | data1 | |
 | swap2.cpp:109:23:109:28 | call to source | swap2.cpp:109:5:109:30 | ... = ... | |
-| swap2.cpp:113:31:113:39 | call to move | swap2.cpp:113:31:113:51 | call to Class | |
+| swap2.cpp:113:31:113:39 | call to move | swap2.cpp:113:31:113:51 | call to Class | TAINT |
 | swap2.cpp:113:31:113:39 | ref arg call to move | swap2.cpp:113:41:113:49 | move_from [inner post update] | |
 | swap2.cpp:113:31:113:51 | call to Class | swap2.cpp:115:10:115:16 | move_to | |
 | swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:39 | call to move | |
+| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:51 | call to Class | |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:122:5:122:5 | x | |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:124:10:124:10 | x | |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:127:19:127:19 | x | |