Merge pull request github#12030 from MathiasVP/iterator-public-models

C++: Make iterator classes public

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll

@@ -108,91 +108,156 @@ private FunctionInput getIteratorArgumentInput(Operator op, int index) {
 }
 
 /**
- * A non-member prefix `operator*` function for an iterator type.
+ * A non-member `operator++` or `operator--` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and versions, use `IteratorCrementOperator`.
  */
-private class IteratorPointerDereferenceOperator extends Operator, TaintFunction,
-  IteratorReferenceFunction {
-  FunctionInput iteratorInput;
-
-  IteratorPointerDereferenceOperator() {
-    this.hasName("operator*") and
-    iteratorInput = getIteratorArgumentInput(this, 0)
+class IteratorCrementNonMemberOperator extends Operator {
+  IteratorCrementNonMemberOperator() {
+    this.hasName(["operator++", "operator--"]) and
+    exists(getIteratorArgumentInput(this, 0))
   }
+}
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
+private class IteratorCrementNonMemberOperatorModel extends IteratorCrementNonMemberOperator,
+  DataFlowFunction {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input = getIteratorArgumentInput(this, 0) and
     output.isReturnValue()
     or
-    input.isReturnValueDeref() and
-    output.isParameterDeref(0)
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 }
 
 /**
- * A non-member `operator++` or `operator--` function for an iterator type.
+ * An `operator++` or `operator--` member function for an iterator type.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorCrementOperator`.
  */
-private class IteratorCrementOperator extends Operator, DataFlowFunction {
-  FunctionInput iteratorInput;
-
-  IteratorCrementOperator() {
-    this.hasName(["operator++", "operator--"]) and
-    iteratorInput = getIteratorArgumentInput(this, 0)
+class IteratorCrementMemberOperator extends MemberFunction {
+  IteratorCrementMemberOperator() {
+    this.getClassAndName(["operator++", "operator--"]) instanceof Iterator
   }
+}
 
+private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOperator,
+  DataFlowFunction, TaintFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
+    input.isQualifierAddress() and
     output.isReturnValue()
     or
-    input.isParameterDeref(0) and output.isReturnValueDeref()
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 }
 
 /**
- * A non-member `operator+` function for an iterator type.
+ * A (member or non-member) `operator++` or `operator--` function for an iterator type.
  */
-private class IteratorAddOperator extends Operator, TaintFunction {
-  FunctionInput iteratorInput;
+class IteratorCrementOperator extends Function {
+  IteratorCrementOperator() {
+    this instanceof IteratorCrementNonMemberOperator or
+    this instanceof IteratorCrementMemberOperator
+  }
+}
 
-  IteratorAddOperator() {
+/**
+ * A non-member `operator+` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorBinaryAddOperator`.
+ */
+class IteratorAddNonMemberOperator extends Operator {
+  IteratorAddNonMemberOperator() {
     this.hasName("operator+") and
-    iteratorInput = getIteratorArgumentInput(this, [0, 1])
+    exists(getIteratorArgumentInput(this, [0, 1]))
   }
+}
 
+private class IteratorAddNonMemberOperatorModel extends IteratorAddNonMemberOperator, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
+    input = getIteratorArgumentInput(this, [0, 1]) and
     output.isReturnValue()
   }
 }
 
 /**
- * A non-member `operator-` function that takes a pointer difference type as its second argument.
+ * An `operator+` or `operator-` member function of an iterator class.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorBinaryAddOperator`.
  */
-private class IteratorSubOperator extends Operator, TaintFunction {
-  FunctionInput iteratorInput;
+class IteratorBinaryArithmeticMemberOperator extends MemberFunction {
+  IteratorBinaryArithmeticMemberOperator() {
+    this.getClassAndName(["operator+", "operator-"]) instanceof Iterator
+  }
+}
 
-  IteratorSubOperator() {
+private class IteratorBinaryArithmeticMemberOperatorModel extends IteratorBinaryArithmeticMemberOperator,
+  TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * A (member or non-member) `operator+` or `operator-` function for an iterator type.
+ */
+class IteratorBinaryArithmeticOperator extends Function {
+  IteratorBinaryArithmeticOperator() {
+    this instanceof IteratorAddNonMemberOperator or
+    this instanceof IteratorSubNonMemberOperator or
+    this instanceof IteratorBinaryArithmeticMemberOperator
+  }
+}
+
+/**
+ * A non-member `operator-` function that takes a pointer difference type as its second argument.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorBinaryArithmeticOperator` (which also
+ * includes `operator+` versions).
+ */
+class IteratorSubNonMemberOperator extends Operator {
+  IteratorSubNonMemberOperator() {
     this.hasName("operator-") and
-    iteratorInput = getIteratorArgumentInput(this, 0) and
+    exists(getIteratorArgumentInput(this, 0)) and
     this.getParameter(1).getUnspecifiedType() instanceof IntegralType // not an iterator difference
   }
+}
 
+private class IteratorSubOperatorModel extends IteratorSubNonMemberOperator, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
+    input = getIteratorArgumentInput(this, 0) and
     output.isReturnValue()
   }
 }
 
 /**
  * A non-member `operator+=` or `operator-=` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorAssignArithmeticOperator`.
  */
-class IteratorAssignArithmeticOperator extends Operator {
-  IteratorAssignArithmeticOperator() {
+class IteratorAssignArithmeticNonMemberOperator extends Operator {
+  IteratorAssignArithmeticNonMemberOperator() {
     this.hasName(["operator+=", "operator-="]) and
     exists(getIteratorArgumentInput(this, 0))
   }
 }
 
-private class IteratorAssignArithmeticOperatorModel extends IteratorAssignArithmeticOperator,
+private class IteratorAssignArithmeticNonMemberOperatorModel extends IteratorAssignArithmeticNonMemberOperator,
   DataFlowFunction, TaintFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
@@ -212,101 +277,111 @@ private class IteratorAssignArithmeticOperatorModel extends IteratorAssignArithm
 }
 
 /**
- * A prefix `operator*` member function for an iterator type.
- */
-class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
-  IteratorReferenceFunction {
-  IteratorPointerDereferenceMemberOperator() {
-    this.getClassAndName("operator*") instanceof Iterator
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
-    or
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-  }
-}
-
-/**
- * An `operator++` or `operator--` member function for an iterator type.
+ * An `operator+=` or `operator-=` member function of an iterator class.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorAssignArithmeticOperator`.
  */
-class IteratorCrementMemberOperator extends MemberFunction {
-  IteratorCrementMemberOperator() {
-    this.getClassAndName(["operator++", "operator--"]) instanceof Iterator
+class IteratorAssignArithmeticMemberOperator extends MemberFunction {
+  IteratorAssignArithmeticMemberOperator() {
+    this.getClassAndName(["operator+=", "operator-="]) instanceof Iterator
   }
 }
 
-private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOperator,
+private class IteratorAssignArithmeticMemberOperatorModel extends IteratorAssignArithmeticMemberOperator,
   DataFlowFunction, TaintFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierAddress() and
     output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
     or
+    // reverse flow from returned reference to the qualifier
     input.isReturnValueDeref() and
     output.isQualifierObject()
     or
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
+    (input.isParameter(0) or input.isParameterDeref(0)) and
+    output.isQualifierObject()
   }
+}
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
+/**
+ * A (member or non-member) `operator+=` or `operator-=` function for an iterator type.
+ */
+class IteratorAssignArithmeticOperator extends Function {
+  IteratorAssignArithmeticOperator() {
+    this instanceof IteratorAssignArithmeticNonMemberOperator or
+    this instanceof IteratorAssignArithmeticMemberOperator
   }
 }
 
 /**
- * A member `operator->` function for an iterator type.
+ * A prefix `operator*` member function for an iterator type.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorPointerDereferenceOperator`.
  */
-private class IteratorFieldMemberOperator extends Operator, TaintFunction {
-  IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
+class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
+  IteratorReferenceFunction {
+  IteratorPointerDereferenceMemberOperator() {
+    this.getClassAndName("operator*") instanceof Iterator
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
     output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
   }
 }
 
 /**
- * An `operator+` or `operator-` member function of an iterator class.
+ * A non-member prefix `operator*` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorPointerDereferenceOperator`.
  */
-private class IteratorBinaryArithmeticMemberOperator extends MemberFunction, TaintFunction {
-  IteratorBinaryArithmeticMemberOperator() {
-    this.getClassAndName(["operator+", "operator-"]) instanceof Iterator
+class IteratorPointerDereferenceNonMemberOperator extends Operator, IteratorReferenceFunction {
+  IteratorPointerDereferenceNonMemberOperator() {
+    this.hasName("operator*") and
+    exists(getIteratorArgumentInput(this, 0))
   }
+}
 
+private class IteratorPointerDereferenceNonMemberOperatorModel extends IteratorPointerDereferenceNonMemberOperator,
+  TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
+    input = getIteratorArgumentInput(this, 0) and
     output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
   }
 }
 
 /**
- * An `operator+=` or `operator-=` member function of an iterator class.
+ * A (member or non-member) prefix `operator*` function for an iterator type.
  */
-private class IteratorAssignArithmeticMemberOperator extends MemberFunction, DataFlowFunction,
-  TaintFunction {
-  IteratorAssignArithmeticMemberOperator() {
-    this.getClassAndName(["operator+=", "operator-="]) instanceof Iterator
+class IteratorPointerDereferenceOperator extends Function {
+  IteratorPointerDereferenceOperator() {
+    this instanceof IteratorPointerDereferenceNonMemberOperator or
+    this instanceof IteratorPointerDereferenceMemberOperator
   }
+}
 
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierAddress() and
-    output.isReturnValue()
-  }
+/**
+ * A member `operator->` function for an iterator type.
+ */
+private class IteratorFieldMemberOperator extends Operator, TaintFunction {
+  IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
-    output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the qualifier
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-    or
-    (input.isParameter(0) or input.isParameterDeref(0)) and
-    output.isQualifierObject()
+    output.isReturnValue()
   }
 }
 
@@ -326,17 +401,24 @@ private class IteratorArrayMemberOperator extends MemberFunction, TaintFunction,
 /**
  * An `operator=` member function of an iterator class that is not a copy or move assignment
  * operator.
- *
- * The `hasTaintFlow` override provides flow through output iterators that return themselves with
- * `operator*` and use their own `operator=` to assign to the container.
  */
-private class IteratorAssignmentMemberOperator extends MemberFunction, TaintFunction {
+class IteratorAssignmentMemberOperator extends MemberFunction {
   IteratorAssignmentMemberOperator() {
     this.getClassAndName("operator=") instanceof Iterator and
     not this instanceof CopyAssignmentOperator and
     not this instanceof MoveAssignmentOperator
   }
+}
 
+/**
+ * An `operator=` member function of an iterator class that is not a copy or move assignment
+ * operator.
+ *
+ * The `hasTaintFlow` override provides flow through output iterators that return themselves with
+ * `operator*` and use their own `operator=` to assign to the container.
+ */
+private class IteratorAssignmentMemberOperatorModel extends IteratorAssignmentMemberOperator,
+  TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
     output.isQualifierObject()