C++: Remove 'ReferenceToInstruction' from the list of instructions we interpret as a load. This makes use lose a bunch of flow, and we'll restore this flow in the next commit.

MathiasVP · MathiasVP · commit dbcd4d6d5dd1 · 2021-11-11T10:38:52.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -244,17 +244,6 @@ Instruction getDestinationAddress(Instruction instr) {
     ]
 }
 
-class ReferenceToInstruction extends CopyValueInstruction {
-  ReferenceToInstruction() {
-    this.getResultType() instanceof Cpp::ReferenceType and
-    not this.getUnary().getResultType() instanceof Cpp::ReferenceType
-  }
-
-  Instruction getSourceAddress() { result = getSourceAddressOperand().getDef() }
-
-  Operand getSourceAddressOperand() { result = this.getUnaryOperand() }
-}
-
 /** Gets the source address of `instr` if it is an instruction that behaves like a `LoadInstruction`. */
 Instruction getSourceAddress(Instruction instr) { result = getSourceAddressOperand(instr).getDef() }
 
@@ -266,11 +255,7 @@ Operand getSourceAddressOperand(Instruction instr) {
   result =
     [
       instr.(LoadInstruction).getSourceAddressOperand(),
-      instr.(ReadSideEffectInstruction).getArgumentOperand(),
-      // `ReferenceToInstruction` is really more of an address-of operation,
-      // but by including it in this list we break out of `flowOutOfAddressStep` at an
-      // instruction that, at the source level, looks like a use of a variable.
-      instr.(ReferenceToInstruction).getSourceAddressOperand()
+      instr.(ReadSideEffectInstruction).getArgumentOperand()
     ]
 }
 
@@ -295,10 +280,6 @@ Operand getSourceValueOperand(Instruction instr) {
   result = instr.(LoadInstruction).getSourceValueOperand()
   or
   result = instr.(ReadSideEffectInstruction).getSideEffectOperand()
-  or
-  // See the comment on the `ReferenceToInstruction` disjunct in `getSourceAddressOperand` for why
-  // this case is included.
-  result = instr.(ReferenceToInstruction).getSourceValueOperand()
 }
 
 /**
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/lambdas.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/lambdas.cpp
@@ -18,27 +18,27 @@ void test_lambdas()
 	sink(a()); // $ ast,ir
 
 	auto b = [&] {
-		sink(t); // $ ast,ir
+		sink(t); // $ ast MISSING: ir
 		sink(u);
 		v = source(); // (v is reference captured)
 	};
 	b();
 	sink(v); // $ MISSING: ast,ir
 
 	auto c = [=] {
-		sink(t); // $ ast,ir
+		sink(t); // $ ast MISSING: ir
 		sink(u);
 	};
 	c();
 
 	auto d = [](int a, int b) {
-		sink(a); // $ ast,ir
+		sink(a); // $ ast MISSING: ir
 		sink(b);
 	};
 	d(t, u);
 
 	auto e = [](int &a, int &b, int &c) {
-		sink(a); // $ ast,ir
+		sink(a); // $ ast MISSING: ir
 		sink(b);
 		c = source();
 	};
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -100,7 +100,7 @@ void local_references(int &source1, int clean1) {
     int t = source();
     int &ref = t;
     t = clean1;
-    sink(ref); // $ SPURIOUS: ast,ir
+    sink(ref); // $ SPURIOUS: ast
   }
 
   {
diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
diff --git a/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/test.cpp b/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/test.cpp
@@ -21,9 +21,9 @@ void test_unique_ptr_struct() {
 	std::unique_ptr<A> p1(new A{source(), 0});
 	std::unique_ptr<A> p2 = std::make_unique<A>(source(), 0);
 	
-	sink(p1->x); // $ ir MISSING: ast
+	sink(p1->x); // $ MISSING: ast,ir
 	sink(p1->y);
-	sink(p2->x); // $ ir=22:46 MISSING: ast
+	sink(p2->x); // $ MISSING: ast,ir=22:46
 	sink(p2->y);
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
@@ -119,20 +119,20 @@ void test_string_constructors_assignments()
 void test_range_based_for_loop_string() {
 	std::string s(source());
 	for(char c : s) {
-		sink(c); // $ ast,ir
+		sink(c); // $ ast MISSING: ir
 	}
 
 	for(std::string::iterator it = s.begin(); it != s.end(); ++it) {
-		sink(*it); // $ ast,ir
+		sink(*it); // $ ast MISSING: ir
 	}
 
 	for(char& c : s) {
-		sink(c); // $ ast,ir
+		sink(c); // $ ast MISSING: ir
 	}
 
 	const std::string const_s(source());
 	for(const char& c : const_s) {
-		sink(c); // $ ast,ir
+		sink(c); // $ ast MISSING: ir
 	}
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/swap1.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/swap1.cpp
@@ -100,7 +100,7 @@ void test_move_assignment_operator()
     y = std::move(x);
 
     sink(y.data1); // $ ir ast=95:15 SPURIOUS: ast=93:23
-    sink(x.data1); // $ ast,ir
+    sink(x.data1); // $ ast MISSING: ir
 }
 
 void test_move_constructor()
@@ -142,7 +142,7 @@ void test_move_assignment_method()
     y.move_assign(std::move(x));
 
     sink(y.data1); // $ ir ast=137:15 SPURIOUS: ast=135:23
-    sink(x.data1); // $ ast,ir
+    sink(x.data1); // $ ast MISSING: ir
 }
 
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/swap2.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/swap2.cpp
@@ -100,7 +100,7 @@ void test_move_assignment_operator()
     y = std::move(x);
 
     sink(y.data1); // $ ir ast=95:15 SPURIOUS: ast=93:23
-    sink(x.data1); // $ ast,ir
+    sink(x.data1); // $ ast MISSING: ir
 }
 
 void test_move_constructor()
@@ -142,7 +142,7 @@ void test_move_assignment_method()
     y.move_assign(std::move(x));
 
     sink(y.data1); // $ ir ast=137:15 SPURIOUS: ast=135:23
-    sink(x.data1); // $ ast,ir
+    sink(x.data1); // $ ast MISSING: ir
 }
 
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -233,27 +233,27 @@ void test_lambdas()
 	sink(a()); // $ ast,ir
 
 	auto b = [&] {
-		sink(t); // $ ast,ir
+		sink(t); // $ ast MISSING: ir
 		sink(u); // clean
 		v = source(); // (v is reference captured)
 	};
 	b();
 	sink(v); // $ MISSING: ast,ir
 
 	auto c = [=] {
-		sink(t); // $ ast,ir
+		sink(t); // $ ast MISSING: ir
 		sink(u); // clean
 	};
 	c();
 
 	auto d = [](int a, int b) {
-		sink(a); // $ ast,ir
+		sink(a); // $ ast MISSING: ir
 		sink(b); // clean
 	};
 	d(t, u);
 
 	auto e = [](int &a, int &b, int &c) {
-		sink(a); // $ ast,ir
+		sink(a); // $ ast MISSING: ir
 		sink(b); // clean
 		c = source();
 	};
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -17,20 +17,20 @@ void test_range_based_for_loop_vector(int source1) {
 	std::vector<int> v(100, source1);
 
 	for(int x : v) {
-		sink(x); // $ ast,ir
+		sink(x); // $ ast MISSING: ir
 	}
 
 	for(std::vector<int>::iterator it = v.begin(); it != v.end(); ++it) {
-		sink(*it); // $ ast,ir
+		sink(*it); // $ ast MISSING: ir
 	}
 
 	for(int& x : v) {
-		sink(x); // $ ast,ir
+		sink(x); // $ ast MISSING: ir
 	}
 
 	const std::vector<int> const_v(100, source1);
 	for(const int& x : const_v) {
-		sink(x); // $ ast,ir
+		sink(x); // $ ast MISSING: ir
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ void local_references(int &source1, int clean1) {`
`100`	`100`	`int t = source();`
`101`	`101`	`int &ref = t;`
`102`	`102`	`t = clean1;`
`103`		`- sink(ref); // $ SPURIOUS: ast,ir`
	`103`	`+ sink(ref); // $ SPURIOUS: ast`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`{`
Original file line number	Diff line number	Diff line change
`@@ -119,20 +119,20 @@ void test_string_constructors_assignments()`
`119`	`119`	`void test_range_based_for_loop_string() {`
`120`	`120`	`std::string s(source());`
`121`	`121`	`for(char c : s) {`
`122`		`- sink(c); // $ ast,ir`
	`122`	`+ sink(c); // $ ast MISSING: ir`
`123`	`123`	`}`
`124`	`124`
`125`	`125`	`for(std::string::iterator it = s.begin(); it != s.end(); ++it) {`
`126`		`- sink(*it); // $ ast,ir`
	`126`	`+ sink(*it); // $ ast MISSING: ir`
`127`	`127`	`}`
`128`	`128`
`129`	`129`	`for(char& c : s) {`
`130`		`- sink(c); // $ ast,ir`
	`130`	`+ sink(c); // $ ast MISSING: ir`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`const std::string const_s(source());`
`134`	`134`	`for(const char& c : const_s) {`
`135`		`- sink(c); // $ ast,ir`
	`135`	`+ sink(c); // $ ast MISSING: ir`
`136`	`136`	`}`
`137`	`137`	`}`
`138`	`138`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ void test_move_assignment_operator()`
`100`	`100`	`y = std::move(x);`
`101`	`101`
`102`	`102`	`sink(y.data1); // $ ir ast=95:15 SPURIOUS: ast=93:23`
`103`		`- sink(x.data1); // $ ast,ir`
	`103`	`+ sink(x.data1); // $ ast MISSING: ir`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`void test_move_constructor()`
`@@ -142,7 +142,7 @@ void test_move_assignment_method()`
`142`	`142`	`y.move_assign(std::move(x));`
`143`	`143`
`144`	`144`	`sink(y.data1); // $ ir ast=137:15 SPURIOUS: ast=135:23`
`145`		`- sink(x.data1); // $ ast,ir`
	`145`	`+ sink(x.data1); // $ ast MISSING: ir`
`146`	`146`	`}`
`147`	`147`
`148`	`148`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,20 +17,20 @@ void test_range_based_for_loop_vector(int source1) {`
`17`	`17`	`std::vector<int> v(100, source1);`
`18`	`18`
`19`	`19`	`for(int x : v) {`
`20`		`- sink(x); // $ ast,ir`
	`20`	`+ sink(x); // $ ast MISSING: ir`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`for(std::vector<int>::iterator it = v.begin(); it != v.end(); ++it) {`
`24`		`- sink(*it); // $ ast,ir`
	`24`	`+ sink(*it); // $ ast MISSING: ir`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`for(int& x : v) {`
`28`		`- sink(x); // $ ast,ir`
	`28`	`+ sink(x); // $ ast MISSING: ir`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`const std::vector<int> const_v(100, source1);`
`32`	`32`	`for(const int& x : const_v) {`
`33`		`- sink(x); // $ ast,ir`
	`33`	`+ sink(x); // $ ast MISSING: ir`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`