C++: Data flow and member templates

[fbesler]

Given this example I'm not able to find a data flow in the function process1, while the flow in the others are found.

class Data {
    public:
    template <typename U>
    int process1() {
        return data_ + 10;
    }

    template <typename U>
    int process2(int data) {
        return data + 20;
    }

    int process3() {
        return data_ + 30;
    }

    int data_;
};

int taint_source() {return 1;}

void df() {
    int i;
    Data data;

    data.data_ = taint_source();
    i = data.process1<void>();
    i = data.process2<void>(data.data_);
    i = data.process3();
}

int main(int argc, char* argv[]) {
    df();
    return 0;
}

/**
 * @kind path-problem
 */

import cpp
import semmle.code.cpp.dataflow.new.TaintTracking
import MyFlow::PathGraph

module MyFlowConf implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source.asExpr() = any(Call c | c.getTarget().hasName("taint_source))
  }

  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(BinaryArithmeticOperation b).getAnOperand()
  }
}

module MyFlow = TaintTracking::Global<MyFlowConf>;

from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink, source, sink, "Flow"

Is this related to the issue 18122 ? Is there a way to find the missing data flow?

[jketema]

Hi @fbesler,

This is a different issue, as you are instantiating the templates. This is bug though, so thank you for reporting. We have identified what the issue is, and have a potential fix. We'll keep posted.