C++: Add an API for indirect barrier guards and use it in tests.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -1903,7 +1903,7 @@ signature predicate guardChecksSig(IRGuardCondition g, Expr e, boolean branch);
  * in data flow and taint tracking.
  */
 module BarrierGuard<guardChecksSig/3 guardChecks> {
-  /** Gets a node that is safely guarded by the given guard check. */
+  /** Gets an expression node that is safely guarded by the given guard check. */
   ExprNode getABarrierNode() {
     exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
       e = value.getAnInstruction().getConvertedResultExpression() and
@@ -1912,6 +1912,16 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
       g.controls(result.getBasicBlock(), edge)
     )
   }
+
+  /** Gets an indirect expression node that is safely guarded by the given guard check. */
+  IndirectExprNode getAnIndirectBarrierNode() {
+    exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
+      e = value.getAnInstruction().getConvertedResultExpression() and
+      result.getConvertedExpr(_) = e and
+      guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
+      g.controls(result.getBasicBlock(), edge)
+    )
+  }
 }
 
 /**

cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp

@@ -73,6 +73,6 @@ bool guarded(const int*);
 void bg_indirect_expr() {
   int *buf = indirect_source();
   if (guarded(buf)) {
-    sink(buf); // $ SPURIOUS: ir
+    sink(buf);
   }
 }

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql

@@ -95,6 +95,8 @@ module IRTest {
       )
       or
       barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
+      or
+      barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getAnIndirectBarrierNode()
     }
   }
 }