C++: Handle *& sequences in sizeof VLA expressions

jketema · jketema · commit f4df3881f8f3 · 2025-09-02T12:29:24.000+02:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -4098,8 +4098,14 @@ private VlaDeclStmt getVlaDeclStmt(Expr expr, int pointerDerefCount) {
   expr.(VariableAccess).getTarget() = result.getVariable() and
   pointerDerefCount = 0
   or
+  not expr.(PointerDereferenceExpr).getOperand() instanceof AddressOfExpr and
   result = getVlaDeclStmt(expr.(PointerDereferenceExpr).getOperand(), pointerDerefCount - 1)
   or
+  // Skip sequences of the form `*&...`
+  result =
+    getVlaDeclStmt(expr.(PointerDereferenceExpr).getOperand().(AddressOfExpr).getOperand(),
+      pointerDerefCount)
+  or
   result = getVlaDeclStmt(expr.(ArrayExpr).getArrayBase(), pointerDerefCount - 1)
 }
 
diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
@@ -20662,6 +20662,14 @@ ir.cpp:
 # 2820|     r2820_6(unsigned long)        = Load[len2]                : &:r2820_5, m2819_8
 # 2820|     v2820_7(void)                 = NoOp                      : 
 # 2821|     r2821_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2821|     r2821_2(unsigned long)        = Constant[4]               : 
+# 2821|     r2821_3(unsigned long)        = CopyValue                 : r2820_6
+# 2821|     r2821_4(unsigned long)        = Mul                       : r2821_2, r2821_3
+# 2821|     m2821_5(unsigned long)        = Store[z]                  : &:r2821_1, r2821_4
+# 2822|     v2822_1(void)                 = NoOp                      : 
+# 2819|     v2819_9(void)                 = ReturnVoid                : 
+# 2819|     v2819_10(void)                = AliasedUse                : m2819_3
+# 2819|     v2819_11(void)                = ExitFunction              : 
 
 ir23.cpp:
 #    1| bool consteval_1()
diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected
@@ -6,7 +6,6 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
-| ir.cpp:2821:10:2821:10 | VariableAddress: definition of z | Instruction 'VariableAddress: definition of z' has no successors in function '$@'. | ir.cpp:2819:6:2819:21 | void vla_sizeof_test5(int, size_t) | void vla_sizeof_test5(int, size_t) |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected
@@ -6,7 +6,6 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
-| ir.cpp:2821:10:2821:10 | VariableAddress: definition of z | Instruction 'VariableAddress: definition of z' has no successors in function '$@'. | ir.cpp:2819:6:2819:21 | void vla_sizeof_test5(int, size_t) | void vla_sizeof_test5(int, size_t) |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected b/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
@@ -1,13 +1,11 @@
 missingOperand
-| ir.cpp:2821:14:2821:32 | Store: sizeof(<expr>) | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:2819:6:2819:21 | void vla_sizeof_test5(int, size_t) | void vla_sizeof_test5(int, size_t) |
 unexpectedOperand
 duplicateOperand
 missingPhiOperand
 missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
-| ir.cpp:2821:10:2821:10 | VariableAddress: definition of z | Instruction 'VariableAddress: definition of z' has no successors in function '$@'. | ir.cpp:2819:6:2819:21 | void vla_sizeof_test5(int, size_t) | void vla_sizeof_test5(int, size_t) |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
@@ -23,7 +21,6 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 | ir.cpp:1535:8:1535:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1535:8:1535:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
-| ir.cpp:2821:10:2821:10 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:2819:6:2819:21 | void vla_sizeof_test5(int, size_t) | void vla_sizeof_test5(int, size_t) |
 switchInstructionWithoutDefaultEdge
 notMarkedAsConflated
 wronglyMarkedAsConflated
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -18803,13 +18803,14 @@ ir.cpp:
 # 2820|     r2820_6(unsigned long)        = Load[len2]                : &:r2820_5, ~m?
 # 2820|     v2820_7(void)                 = NoOp                      : 
 # 2821|     r2821_1(glval<unsigned long>) = VariableAddress[z]        : 
-
-# 2821|   Block 1
-# 2821|     mu2821_2(unsigned long) = Store[z]     : &:r2821_1
-# 2822|     v2822_1(void)           = NoOp         : 
-# 2819|     v2819_8(void)           = ReturnVoid   : 
-# 2819|     v2819_9(void)           = AliasedUse   : ~m?
-# 2819|     v2819_10(void)          = ExitFunction : 
+# 2821|     r2821_2(unsigned long)        = Constant[4]               : 
+# 2821|     r2821_3(unsigned long)        = CopyValue                 : r2820_6
+# 2821|     r2821_4(unsigned long)        = Mul                       : r2821_2, r2821_3
+# 2821|     mu2821_5(unsigned long)       = Store[z]                  : &:r2821_1, r2821_4
+# 2822|     v2822_1(void)                 = NoOp                      : 
+# 2819|     v2819_8(void)                 = ReturnVoid                : 
+# 2819|     v2819_9(void)                 = AliasedUse                : ~m?
+# 2819|     v2819_10(void)                = ExitFunction              : 
 
 ir23.cpp:
 #    1| bool consteval_1()
diff --git a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected
@@ -6,7 +6,6 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
-| ir.cpp:2821:10:2821:10 | VariableAddress: definition of z | Instruction 'VariableAddress: definition of z' has no successors in function '$@'. | ir.cpp:2819:6:2819:21 | void vla_sizeof_test5(int, size_t) | void vla_sizeof_test5(int, size_t) |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
diff --git a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected
@@ -6,7 +6,6 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
-| ir.cpp:2821:10:2821:10 | VariableAddress: definition of z | Instruction 'VariableAddress: definition of z' has no successors in function '$@'. | ir.cpp:2819:6:2819:21 | void vla_sizeof_test5(int, size_t) | void vla_sizeof_test5(int, size_t) |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
