Status: Open
Labels: question (Further information is requested)
Description
Assigning to a function pointer in a function appears to defeat the points-to analysis used to resolve the dispatch of function pointers.
In the following example I would have expected to see two flows from `source()` to `target()`, but only the second one, from the direct assignment of the function pointer, is reported.
```c
/* Taint source for the query below. */
int source()
{
    return 2;
}

/* Wraps source(); this is the function later called through a pointer. */
int a_function()
{
    return source();
}

/* Taint sink; the parameter name shadows the source() function, which is legal C. */
int target(int source)
{
    return source;
}

/* Stores ptr2 into the function pointer that ptr points at (the indirection at issue). */
void set(int (**ptr)(), int (*ptr2)())
{
    *ptr = ptr2;
}

int main(int argc, char **argv)
{
    int (*fptr)();
    set(&fptr, a_function);
    target(fptr()); // not detected as source
    fptr = a_function;
    target(fptr()); // detected
    return 0;
}
```
This is the complete query:

```ql
import cpp
import semmle.code.cpp.dataflow.new.TaintTracking

module SourceSinkCallConfig implements DataFlow::ConfigSig {
  // Source: the result of any call to a function named `source`.
  predicate isSource(DataFlow::Node source) {
    source.asExpr().(FunctionCall).getTarget().getName() = "source"
  }

  // Sink: the first argument of any call to a function named `target`.
  predicate isSink(DataFlow::Node sink) {
    exists(Call call |
      call.getTarget().getName() = "target" and
      call.getArgument(0) = sink.asExpr()
    )
  }
}

module SourceSinkCallTaint = TaintTracking::Global<SourceSinkCallConfig>;

from DataFlow::Node source, DataFlow::Node sink, int source_line, int sink_line
where
  SourceSinkCallTaint::flow(source, sink) and
  source_line = source.getLocation().getStartLine() and
  sink_line = sink.getLocation().getStartLine()
select source, source_line, sink, sink_line
```
This is the output. I would have expected to also see a flow to line 28.

```text
| source         | source_line | sink               | sink_line |
+----------------+-------------+--------------------+-----------+
| call to source | 9           | call to expression | 32        |
```
CodeQL version: 2.19.3
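A companion query that lists the places where this kind of gap can hide, added here as an example and not part of the original issue or the CodeQL library. It assumes that for an `ExprCall` (a call made through a function-pointer expression, which is what the `call to expression` sink above is) `getTarget()` has no result when CodeQL could not bind the callee:

```ql
import cpp

// Every call made through an expression (for example a function pointer) rather than a named function.
from ExprCall call
where
  // Assumption: getTarget() yields nothing when the callee was not resolved statically.
  not exists(call.getTarget())
select call, call.getEnclosingFunction(),
  "Indirect call with no statically resolved target; taint through it may be missed"
```

Each row is an indirect call the taint tracker cannot follow into a callee, so a flow such as the first `target(fptr())` above would need manual review or an extra flow step in the configuration rather than being assumed clean.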