C++: Move the union field check to the IPA branch of 'TFieldContent'.

MathiasVP · MathiasVP · commit cb4f10c609b4 · 2021-10-30T10:04:17.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -189,7 +189,6 @@ predicate jumpStep(Node n1, Node n2) { none() }
  */
 predicate storeStep(StoreNode node1, FieldContent f, StoreNode node2) {
   exists(FieldAddressInstruction fai |
-    not fai.getObjectAddress().getResultType().stripType() instanceof Union and
     node1.getInstruction() = fai and
     node2.getInstruction() = fai.getObjectAddress() and
     f.getField() = fai.getField()
@@ -203,7 +202,6 @@ predicate storeStep(StoreNode node1, FieldContent f, StoreNode node2) {
  */
 predicate readStep(ReadNode node1, FieldContent f, ReadNode node2) {
   exists(FieldAddressInstruction fai |
-    not fai.getObjectAddress().getResultType().stripType() instanceof Union and
     node1.getInstruction() = fai.getObjectAddress() and
     node2.getInstruction() = fai and
     f.getField() = fai.getField()
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -972,7 +972,11 @@ predicate localInstructionFlow(Instruction e1, Instruction e2) {
 predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
 
 private newtype TContent =
-  TFieldContent(Field f) or
+  TFieldContent(Field f) {
+    // As reads and writes to union fields can create flow even though the reads and writes
+    // target different fields, we don't want a read (write) to create a read (write) step.
+    not f.getDeclaringType() instanceof Union
+  } or
   TCollectionContent() or // Not used in C/C++
   TArrayContent() // Not used in C/C++.
 
diff --git a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
@@ -1959,6 +1959,7 @@ postWithInFlow
 | ir.cpp:522:9:522:10 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:522:16:522:21 | PointerAdd [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:522:16:522:21 | PointerAdd [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:531:7:531:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:531:11:531:16 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:540:5:540:5 | y [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:545:9:545:17 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
