C++: Fix models and simplify taint flow

[MathiasVP]

The taint-model interpretation code had a weird case that implemented something along the lines of:

If the model says that there's incoming flow from a dereference, then I'm also going to assume that there's incoming flow from the pointer.

(and similarly for the outgoing flow).

As far as I can see, these rules only existed to fix some models that were missing flow into arguments that didn't have indirections (for example, because the function actually took a non-pointer like argument), but for some reason used input.asParameterDeref(...) in their models.

This PR fixes those models and simplifies the taint-model interpretation code.

[jketema]

I hadn't thought about this before, but since we opted for an opt-in model for use-use dataflow, I think the model changes should go directly to main. This allows us to check that we don't break anything later for the AST and use-def dataflow. Looking a the feature branch we might have a similar "problem" with the changes to FlowSources.qll that are on the feature branch only.

[MathiasVP]

I hadn't thought about this before, but since we opted for an opt-in model for use-use dataflow, I think the model changes should go directly to main. This allows us to check that we don't break anything later for the AST and use-def dataflow. Looking a the feature branch we might have a similar "problem" with the changes to FlowSources.qll that are on the feature branch only.

That's a good point. This entire PR might actually be able to target the main branch since main also has this weird model deref -> model pointer conflation (see here). I'll try it out on main and see what happens 🤞.

[jketema]

CI doesn't seem to have triggered. Closing and re-opening this PR might do the trick? I'd also like to see some DCA results for this rebased branch 😄

[MathiasVP]

CI doesn't seem to have triggered. Closing and re-opening this PR might do the trick? I'd also like to see some DCA results for this rebased branch 😄

Will try that! I'm actually seeing one regression on set.cpp that I wasn't seeing on the use-use flow branch 😭.

[MathiasVP]

470abfd fixes the lost results. I've started another DCA run as well.

[jketema]

470abfd fixes the lost results. I've started another DCA run as well.

Is this only a problem with the set model, or can this happen with other models (and are we missing tests for it). I guess DCA might partially help figuring this out.

[MathiasVP]

Is this only a problem with the set model, or can this happen with other models (and are we missing tests for it). I guess DCA might partially help figuring this out.

Yeah, it could be a problem for other instances of iterator-based model flow if we're missing tests.

Edit: DCA didn't show any result changes, though 🎉.