Merge pull request github#15835 from MathiasVP/initial-def-of-addresses

MathiasVP · web-flow · commit 73c4fe08fabf · 2024-03-11T10:42:01.000Z
C++: Provide an initial SSA definition of the address of a variable
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -103,6 +103,7 @@ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) {
 
 cached
 private newtype TDefOrUseImpl =
+  TDefAddressImpl(BaseIRVariable v) or
   TDefImpl(BaseSourceVariableInstruction base, Operand address, int indirectionIndex) {
     isDef(_, _, address, base, _, indirectionIndex)
   } or
@@ -256,23 +257,63 @@ private predicate sourceVariableHasBaseAndIndex(SourceVariable v, BaseSourceVari
 }
 
 abstract class DefImpl extends DefOrUseImpl {
-  Operand address;
   int ind;
 
   bindingset[ind]
   DefImpl() { any() }
 
+  override int getIndirectionIndex() { result = ind }
+
+  override string toString() { result = "Def of " + this.getSourceVariable() }
+
   abstract int getIndirection();
 
+  abstract predicate isCertain();
+
   abstract Node0Impl getValue();
+}
 
-  abstract predicate isCertain();
+/** An initial definition of an `IRVariable`'s address. */
+private class DefAddressImpl extends DefImpl, TDefAddressImpl {
+  BaseIRVariable v;
 
-  Operand getAddressOperand() { result = address }
+  DefAddressImpl() {
+    this = TDefAddressImpl(v) and
+    ind = 0
+  }
 
-  override int getIndirectionIndex() { result = ind }
+  final override int getIndirection() { result = 0 }
 
-  override string toString() { result = "Def of " + this.getSourceVariable() }
+  final override predicate isCertain() { any() }
+
+  final override Node0Impl getValue() { none() }
+
+  final override predicate hasIndexInBlock(IRBlock block, int index) {
+    block = v.getIRVariable().getEnclosingIRFunction().getEntryBlock() and
+    index = 0
+  }
+
+  override Cpp::Location getLocation() { result = v.getIRVariable().getLocation() }
+
+  final override SourceVariable getSourceVariable() {
+    result.getBaseVariable() = v and
+    result.getIndirection() = 0
+  }
+
+  final override BaseSourceVariableInstruction getBase() { none() }
+}
+
+/**
+ * An SSA definition that has an associated `Operand` representing the address
+ * that is being written to.
+ */
+abstract private class OperandBasedDef extends DefImpl {
+  Operand address;
+
+  bindingset[ind]
+  OperandBasedDef() { any() }
+
+  Operand getAddressOperand() { result = address }
 
   override Cpp::Location getLocation() { result = this.getAddressOperand().getUse().getLocation() }
 
@@ -281,7 +322,7 @@ abstract class DefImpl extends DefOrUseImpl {
   }
 }
 
-private class DirectDef extends DefImpl, TDefImpl {
+private class DirectDef extends OperandBasedDef, TDefImpl {
   BaseSourceVariableInstruction base;
 
   DirectDef() { this = TDefImpl(base, address, ind) }
@@ -295,7 +336,7 @@ private class DirectDef extends DefImpl, TDefImpl {
   override predicate isCertain() { isDef(true, _, address, base, _, ind) }
 }
 
-private class IteratorDef extends DefImpl, TIteratorDef {
+private class IteratorDef extends OperandBasedDef, TIteratorDef {
   BaseSourceVariableInstruction container;
 
   IteratorDef() { this = TIteratorDef(address, container, ind) }
@@ -1178,7 +1219,7 @@ class UseOrPhi extends SsaDefOrUse {
 class Def extends DefOrUse {
   override DefImpl defOrUse;
 
-  Operand getAddressOperand() { result = defOrUse.getAddressOperand() }
+  Operand getAddressOperand() { result = defOrUse.(OperandBasedDef).getAddressOperand() }
 
   Instruction getAddress() { result = this.getAddressOperand().getDef() }
 
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
@@ -166,6 +166,8 @@ postWithInFlow
 | test.cpp:932:5:932:19 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:932:6:932:19 | global_pointer [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1045:9:1045:11 | ref arg buf | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1051:5:1051:11 | content [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1052:9:1052:9 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected
@@ -0,0 +1,197 @@
+| example.c:15:37:15:37 | **b | example.c:15:37:15:37 | **b |
+| example.c:15:37:15:37 | **b | example.c:15:37:15:37 | **b |
+| example.c:15:37:15:37 | **b | example.c:15:37:15:37 | *b |
+| example.c:15:37:15:37 | **b | example.c:19:6:19:6 | *b |
+| example.c:15:37:15:37 | *b | example.c:15:37:15:37 | **b |
+| example.c:15:37:15:37 | *b | example.c:15:37:15:37 | *b |
+| example.c:15:37:15:37 | *b | example.c:15:37:15:37 | *b |
+| example.c:15:37:15:37 | *b | example.c:15:37:15:37 | b |
+| example.c:15:37:15:37 | *b | example.c:19:6:19:6 | b |
+| example.c:15:37:15:37 | b | example.c:15:37:15:37 | *b |
+| example.c:15:37:15:37 | b | example.c:15:37:15:37 | b |
+| example.c:15:37:15:37 | b | example.c:15:37:15:37 | b |
+| example.c:15:37:15:37 | b | example.c:19:6:19:6 | b |
+| example.c:15:44:15:46 | pos | example.c:24:24:24:26 | pos |
+| example.c:17:11:17:16 | *definition of coords | example.c:17:11:17:16 | *definition of coords |
+| example.c:17:11:17:16 | *definition of coords | example.c:17:11:17:16 | *definition of coords |
+| example.c:17:11:17:16 | *definition of coords | example.c:17:11:17:16 | *definition of coords |
+| example.c:17:11:17:16 | *definition of coords | example.c:17:11:17:16 | *definition of coords |
+| example.c:17:11:17:16 | *definition of coords | example.c:24:13:24:18 | *coords |
+| example.c:17:11:17:16 | *definition of coords [post update] | example.c:17:11:17:16 | *definition of coords |
+| example.c:17:11:17:16 | *definition of coords [post update] | example.c:24:13:24:18 | *coords |
+| example.c:17:11:17:16 | definition of coords | example.c:17:11:17:16 | *definition of coords |
+| example.c:17:11:17:16 | definition of coords | example.c:17:11:17:16 | definition of coords |
+| example.c:17:11:17:16 | definition of coords | example.c:17:11:17:16 | definition of coords |
+| example.c:17:11:17:16 | definition of coords | example.c:17:11:17:16 | definition of coords |
+| example.c:17:11:17:16 | definition of coords | example.c:17:11:17:16 | definition of coords |
+| example.c:17:11:17:16 | definition of coords | example.c:24:13:24:18 | coords |
+| example.c:17:11:17:16 | definition of coords [post update] | example.c:17:11:17:16 | definition of coords |
+| example.c:17:11:17:16 | definition of coords [post update] | example.c:24:13:24:18 | coords |
+| example.c:17:19:17:22 | {...} | example.c:17:19:17:22 | {...} |
+| example.c:17:21:17:21 | 0 | example.c:17:21:17:21 | 0 |
+| example.c:19:6:19:6 | *b | example.c:15:37:15:37 | *b |
+| example.c:19:6:19:6 | *b [post update] | example.c:15:37:15:37 | *b |
+| example.c:19:6:19:6 | *b [post update] | example.c:19:6:19:6 | *b |
+| example.c:19:6:19:6 | b [post update] | example.c:19:6:19:6 | b |
+| example.c:24:2:24:7 | *coords | example.c:26:18:26:24 | *& ... |
+| example.c:24:2:24:7 | *coords [post update] | example.c:26:18:26:24 | *& ... |
+| example.c:24:2:24:7 | coords | example.c:26:18:26:24 | & ... |
+| example.c:24:2:24:7 | coords [post update] | example.c:26:18:26:24 | & ... |
+| example.c:24:13:24:18 | *coords | example.c:24:2:24:7 | *coords |
+| example.c:24:13:24:18 | *coords [post update] | example.c:24:2:24:7 | *coords |
+| example.c:24:13:24:18 | coords | example.c:24:2:24:7 | coords |
+| example.c:24:13:24:18 | coords [post update] | example.c:24:2:24:7 | coords |
+| example.c:24:13:24:30 | ... = ... | example.c:24:2:24:30 | ... = ... |
+| example.c:24:20:24:20 | *y | example.c:24:20:24:20 | *y |
+| example.c:24:20:24:20 | y | example.c:24:20:24:20 | y |
+| example.c:24:20:24:20 | y | example.c:24:20:24:20 | y |
+| example.c:24:24:24:26 | pos | example.c:28:14:28:25 | & ... |
+| example.c:24:24:24:26 | pos | example.c:28:14:28:25 | *& ... |
+| example.c:24:24:24:30 | ... + ... | example.c:24:13:24:30 | ... = ... |
+| example.c:26:13:26:16 | call to getX | example.c:26:2:26:25 | ... = ... |
+| example.c:26:18:26:24 | & ... | example.c:26:2:26:7 | coords |
+| example.c:26:18:26:24 | *& ... | example.c:26:2:26:7 | *coords |
+| example.c:26:18:26:24 | getX output argument | example.c:26:2:26:7 | *coords |
+| example.c:26:18:26:24 | pointer to getX output argument | example.c:26:2:26:7 | coords |
+| example.c:26:19:26:24 | *coords | example.c:26:18:26:24 | *& ... |
+| example.c:26:19:26:24 | coords | example.c:26:18:26:24 | & ... |
+| example.c:28:22:28:25 | & ... | example.c:28:14:28:25 | & ... |
+| example.c:28:22:28:25 | *& ... | example.c:28:14:28:25 | *& ... |
+| example.c:28:23:28:25 | *pos | example.c:28:22:28:25 | *& ... |
+| example.c:28:23:28:25 | pos | example.c:28:22:28:25 | & ... |
+| test.cpp:6:12:6:17 | call to source | test.cpp:6:12:6:17 | call to source |
+| test.cpp:6:12:6:17 | call to source | test.cpp:7:8:7:9 | t1 |
+| test.cpp:7:8:7:9 | t1 | test.cpp:8:8:8:9 | t1 |
+| test.cpp:7:8:7:9 | t1 | test.cpp:8:8:8:9 | t1 |
+| test.cpp:8:3:8:9 | ... = ... | test.cpp:10:8:10:9 | t2 |
+| test.cpp:8:8:8:9 | t1 | test.cpp:8:3:8:9 | ... = ... |
+| test.cpp:8:8:8:9 | t1 | test.cpp:9:8:9:9 | t1 |
+| test.cpp:8:8:8:9 | t1 | test.cpp:9:8:9:9 | t1 |
+| test.cpp:9:8:9:9 | t1 | test.cpp:11:7:11:8 | t1 |
+| test.cpp:9:8:9:9 | t1 | test.cpp:11:7:11:8 | t1 |
+| test.cpp:10:8:10:9 | t2 | test.cpp:13:10:13:11 | t2 |
+| test.cpp:10:8:10:9 | t2 | test.cpp:15:3:15:6 | Phi |
+| test.cpp:10:8:10:9 | t2 | test.cpp:15:3:15:6 | Phi |
+| test.cpp:11:7:11:8 | t1 | test.cpp:21:8:21:9 | t1 |
+| test.cpp:12:5:12:10 | ... = ... | test.cpp:13:10:13:11 | t2 |
+| test.cpp:12:10:12:10 | 0 | test.cpp:12:5:12:10 | ... = ... |
+| test.cpp:13:10:13:11 | t2 | test.cpp:15:3:15:6 | Phi |
+| test.cpp:13:10:13:11 | t2 | test.cpp:15:3:15:6 | Phi |
+| test.cpp:15:3:15:6 | Phi | test.cpp:15:8:15:9 | t2 |
+| test.cpp:15:3:15:6 | Phi | test.cpp:15:8:15:9 | t2 |
+| test.cpp:15:8:15:9 | t2 | test.cpp:23:19:23:19 | Phi |
+| test.cpp:15:8:15:9 | t2 | test.cpp:23:19:23:19 | Phi |
+| test.cpp:17:3:17:8 | ... = ... | test.cpp:21:8:21:9 | t1 |
+| test.cpp:17:8:17:8 | 0 | test.cpp:17:3:17:8 | ... = ... |
+| test.cpp:21:8:21:9 | t1 | test.cpp:23:19:23:19 | Phi |
+| test.cpp:21:8:21:9 | t1 | test.cpp:23:19:23:19 | Phi |
+| test.cpp:23:15:23:16 | 0 | test.cpp:23:15:23:16 | 0 |
+| test.cpp:23:15:23:16 | 0 | test.cpp:23:19:23:19 | Phi |
+| test.cpp:23:19:23:19 | Phi | test.cpp:23:19:23:19 | i |
+| test.cpp:23:19:23:19 | Phi | test.cpp:23:19:23:19 | i |
+| test.cpp:23:19:23:19 | Phi | test.cpp:23:23:23:24 | t1 |
+| test.cpp:23:19:23:19 | Phi | test.cpp:23:23:23:24 | t1 |
+| test.cpp:23:19:23:19 | Phi | test.cpp:24:10:24:11 | t2 |
+| test.cpp:23:19:23:19 | Phi | test.cpp:24:10:24:11 | t2 |
+| test.cpp:23:19:23:19 | i | test.cpp:23:27:23:27 | i |
+| test.cpp:23:19:23:19 | i | test.cpp:23:27:23:27 | i |
+| test.cpp:23:23:23:24 | t1 | test.cpp:23:19:23:19 | Phi |
+| test.cpp:23:23:23:24 | t1 | test.cpp:26:8:26:9 | t1 |
+| test.cpp:23:23:23:24 | t1 | test.cpp:26:8:26:9 | t1 |
+| test.cpp:23:27:23:27 | *i | test.cpp:23:27:23:27 | *i |
+| test.cpp:23:27:23:27 | *i | test.cpp:23:27:23:27 | i |
+| test.cpp:23:27:23:27 | i | test.cpp:23:19:23:19 | Phi |
+| test.cpp:23:27:23:27 | i | test.cpp:23:27:23:27 | i |
+| test.cpp:23:27:23:27 | i | test.cpp:23:27:23:27 | i |
+| test.cpp:23:27:23:29 | ... ++ | test.cpp:23:19:23:19 | Phi |
+| test.cpp:23:27:23:29 | ... ++ | test.cpp:23:27:23:29 | ... ++ |
+| test.cpp:24:5:24:11 | ... = ... | test.cpp:23:19:23:19 | Phi |
+| test.cpp:24:10:24:11 | t2 | test.cpp:23:19:23:19 | Phi |
+| test.cpp:24:10:24:11 | t2 | test.cpp:23:19:23:19 | Phi |
+| test.cpp:24:10:24:11 | t2 | test.cpp:24:5:24:11 | ... = ... |
+| test.cpp:382:48:382:54 | source1 | test.cpp:384:16:384:23 | *& ... |
+| test.cpp:383:12:383:13 | 0 | test.cpp:383:12:383:13 | 0 |
+| test.cpp:383:12:383:13 | 0 | test.cpp:384:10:384:13 | *& ... |
+| test.cpp:384:10:384:13 | & ... | test.cpp:384:3:384:8 | call to memcpy |
+| test.cpp:384:10:384:13 | & ... | test.cpp:384:10:384:13 | & ... |
+| test.cpp:384:10:384:13 | & ... | test.cpp:385:8:385:10 | tmp |
+| test.cpp:384:10:384:13 | *& ... | test.cpp:384:10:384:13 | *& ... |
+| test.cpp:384:10:384:13 | memcpy output argument | test.cpp:385:8:385:10 | tmp |
+| test.cpp:384:10:384:13 | pointer to memcpy output argument | test.cpp:385:8:385:10 | tmp |
+| test.cpp:384:11:384:13 | *tmp | test.cpp:384:10:384:13 | *& ... |
+| test.cpp:384:11:384:13 | tmp | test.cpp:384:10:384:13 | & ... |
+| test.cpp:384:16:384:23 | & ... | test.cpp:384:16:384:23 | & ... |
+| test.cpp:384:16:384:23 | *& ... | test.cpp:384:3:384:8 | **call to memcpy |
+| test.cpp:384:16:384:23 | *& ... | test.cpp:384:3:384:8 | *call to memcpy |
+| test.cpp:384:16:384:23 | *& ... | test.cpp:384:10:384:13 | memcpy output argument |
+| test.cpp:384:16:384:23 | *& ... | test.cpp:384:16:384:23 | *& ... |
+| test.cpp:384:16:384:23 | **(const void *)... | test.cpp:384:3:384:8 | **call to memcpy |
+| test.cpp:384:16:384:23 | **(const void *)... | test.cpp:384:10:384:13 | memcpy output argument |
+| test.cpp:384:17:384:23 | *source1 | test.cpp:384:16:384:23 | *& ... |
+| test.cpp:384:17:384:23 | source1 | test.cpp:384:16:384:23 | & ... |
+| test.cpp:388:53:388:59 | source1 | test.cpp:391:16:391:23 | *& ... |
+| test.cpp:388:66:388:66 | b | test.cpp:393:7:393:7 | b |
+| test.cpp:389:12:389:13 | 0 | test.cpp:389:12:389:13 | 0 |
+| test.cpp:389:12:389:13 | 0 | test.cpp:390:18:390:21 | *& ... |
+| test.cpp:390:18:390:21 | & ... | test.cpp:390:18:390:21 | & ... |
+| test.cpp:390:18:390:21 | & ... | test.cpp:391:10:391:13 | & ... |
+| test.cpp:390:18:390:21 | *& ... | test.cpp:390:18:390:21 | *& ... |
+| test.cpp:390:18:390:21 | *& ... | test.cpp:391:10:391:13 | *& ... |
+| test.cpp:390:19:390:21 | *tmp | test.cpp:390:18:390:21 | *& ... |
+| test.cpp:390:19:390:21 | tmp | test.cpp:390:18:390:21 | & ... |
+| test.cpp:391:10:391:13 | & ... | test.cpp:391:3:391:8 | call to memcpy |
+| test.cpp:391:10:391:13 | & ... | test.cpp:391:10:391:13 | & ... |
+| test.cpp:391:10:391:13 | & ... | test.cpp:392:8:392:10 | tmp |
+| test.cpp:391:10:391:13 | *& ... | test.cpp:391:10:391:13 | *& ... |
+| test.cpp:391:10:391:13 | memcpy output argument | test.cpp:392:8:392:10 | tmp |
+| test.cpp:391:10:391:13 | pointer to memcpy output argument | test.cpp:392:8:392:10 | tmp |
+| test.cpp:391:11:391:13 | *tmp | test.cpp:391:10:391:13 | *& ... |
+| test.cpp:391:11:391:13 | tmp | test.cpp:391:10:391:13 | & ... |
+| test.cpp:391:16:391:23 | & ... | test.cpp:391:16:391:23 | & ... |
+| test.cpp:391:16:391:23 | *& ... | test.cpp:391:3:391:8 | **call to memcpy |
+| test.cpp:391:16:391:23 | *& ... | test.cpp:391:3:391:8 | *call to memcpy |
+| test.cpp:391:16:391:23 | *& ... | test.cpp:391:10:391:13 | memcpy output argument |
+| test.cpp:391:16:391:23 | *& ... | test.cpp:391:16:391:23 | *& ... |
+| test.cpp:391:16:391:23 | **(const void *)... | test.cpp:391:3:391:8 | **call to memcpy |
+| test.cpp:391:16:391:23 | **(const void *)... | test.cpp:391:10:391:13 | memcpy output argument |
+| test.cpp:391:17:391:23 | *source1 | test.cpp:391:16:391:23 | *& ... |
+| test.cpp:391:17:391:23 | source1 | test.cpp:391:16:391:23 | & ... |
+| test.cpp:392:8:392:10 | tmp | test.cpp:394:10:394:12 | tmp |
+| test.cpp:392:8:392:10 | tmp | test.cpp:394:10:394:12 | tmp |
+| test.cpp:487:67:487:67 | **s | test.cpp:487:67:487:67 | **s |
+| test.cpp:487:67:487:67 | **s | test.cpp:487:67:487:67 | **s |
+| test.cpp:487:67:487:67 | **s | test.cpp:487:67:487:67 | *s |
+| test.cpp:487:67:487:67 | **s | test.cpp:488:21:488:21 | *s |
+| test.cpp:487:67:487:67 | *s | test.cpp:487:67:487:67 | **s |
+| test.cpp:487:67:487:67 | *s | test.cpp:487:67:487:67 | *s |
+| test.cpp:487:67:487:67 | *s | test.cpp:487:67:487:67 | *s |
+| test.cpp:487:67:487:67 | *s | test.cpp:487:67:487:67 | s |
+| test.cpp:487:67:487:67 | *s | test.cpp:488:21:488:21 | s |
+| test.cpp:487:67:487:67 | s | test.cpp:487:67:487:67 | *s |
+| test.cpp:487:67:487:67 | s | test.cpp:487:67:487:67 | s |
+| test.cpp:487:67:487:67 | s | test.cpp:487:67:487:67 | s |
+| test.cpp:487:67:487:67 | s | test.cpp:488:21:488:21 | s |
+| test.cpp:488:21:488:21 | *s | test.cpp:489:20:489:20 | *s |
+| test.cpp:488:21:488:21 | *s [post update] | test.cpp:489:20:489:20 | *s |
+| test.cpp:488:21:488:21 | s | test.cpp:489:20:489:20 | s |
+| test.cpp:488:21:488:21 | s | test.cpp:489:20:489:20 | s |
+| test.cpp:488:21:488:21 | s [post update] | test.cpp:489:20:489:20 | s |
+| test.cpp:488:24:488:30 | *content | test.cpp:488:21:488:30 | *content |
+| test.cpp:488:24:488:30 | content | test.cpp:488:21:488:30 | content |
+| test.cpp:489:20:489:20 | *s | test.cpp:487:67:487:67 | *s |
+| test.cpp:489:20:489:20 | *s [post update] | test.cpp:487:67:487:67 | *s |
+| test.cpp:489:20:489:20 | *s [post update] | test.cpp:489:20:489:20 | *s |
+| test.cpp:489:20:489:20 | s [post update] | test.cpp:489:20:489:20 | s |
+| test.cpp:489:23:489:29 | *content | test.cpp:489:23:489:29 | *content |
+| test.cpp:489:23:489:29 | *content | test.cpp:490:8:490:17 | * ... |
+| test.cpp:489:23:489:29 | content | test.cpp:489:23:489:29 | content |
+| test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
+| test.cpp:1050:12:1050:12 | definition of a | test.cpp:1051:3:1051:3 | *a |
+| test.cpp:1051:3:1051:3 | *a | test.cpp:1052:8:1052:9 | *& ... |
+| test.cpp:1051:3:1051:3 | *a [post update] | test.cpp:1052:8:1052:9 | *& ... |
+| test.cpp:1051:3:1051:3 | a | test.cpp:1052:8:1052:9 | & ... |
+| test.cpp:1051:3:1051:3 | a [post update] | test.cpp:1052:8:1052:9 | & ... |
+| test.cpp:1051:15:1051:21 | 0 | test.cpp:1051:3:1051:21 | ... = ... |
+| test.cpp:1051:15:1051:21 | *0 | test.cpp:1051:3:1051:21 | *... = ... |
+| test.cpp:1052:9:1052:9 | *a | test.cpp:1052:8:1052:9 | *& ... |
+| test.cpp:1052:9:1052:9 | a | test.cpp:1052:8:1052:9 | & ... |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.ql b/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.ql
@@ -0,0 +1,8 @@
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+
+from DataFlow::Node nodeFrom, DataFlow::Node nodeTo
+where
+  DataFlow::localFlowStep(nodeFrom, nodeTo) and
+  nodeFrom.getFunction().getName().matches("%\\_with\\_local\\_flow")
+select nodeFrom, nodeTo
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected
@@ -81,3 +81,10 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (local
 | test.cpp:488:21:488:21 | s [post update] | test.cpp:489:20:489:20 | s |
 | test.cpp:488:24:488:30 | ref arg content | test.cpp:489:23:489:29 | content |
 | test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1051:3:1051:3 | a |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1052:9:1052:9 | a |
+| test.cpp:1051:3:1051:3 | a [post update] | test.cpp:1052:9:1052:9 | a |
+| test.cpp:1051:3:1051:21 | ... = ... | test.cpp:1051:5:1051:11 | content [post update] |
+| test.cpp:1051:15:1051:21 | 0 | test.cpp:1051:3:1051:21 | ... = ... |
+| test.cpp:1052:8:1052:9 | ref arg & ... | test.cpp:1052:9:1052:9 | a [inner post update] |
+| test.cpp:1052:9:1052:9 | a | test.cpp:1052:8:1052:9 | & ... |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
@@ -123,6 +123,7 @@ astFlow
 | test.cpp:842:11:842:16 | call to source | test.cpp:844:8:844:8 | y |
 | test.cpp:846:13:846:27 | call to indirect_source | test.cpp:848:23:848:25 | rpx |
 | test.cpp:860:54:860:59 | call to source | test.cpp:861:10:861:37 | static_local_pointer_dynamic |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1052:8:1052:9 | & ... |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
 | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -1044,4 +1044,10 @@ void* memset(void*, int, size_t);
 void memset_test(char* buf) { // $ ast-def=buf ir-def=*buf
 	memset(buf, source(), 10);
 	sink(*buf); // $ ir MISSING: ast
+}
+
+void flow_out_of_address_with_local_flow() {
+  MyStruct a;
+  a.content = nullptr;
+  sink(&a); // $ SPURIOUS: ast
 }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
@@ -54,3 +54,5 @@
 | test.cpp:796:12:796:12 | a | test.cpp:797:20:797:20 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:797:31:797:31 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1051:3:1051:3 | a |
+| test.cpp:1050:12:1050:12 | a | test.cpp:1052:9:1052:9 | a |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.expected b/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.expected
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp
