C++: Don't limit instruction and operand reuse to those cases where we have a result for 'isUseImpl'.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -220,9 +220,10 @@ private module IndirectOperands {
     int indirectionIndex;
 
     IndirectOperandFromIRRepr() {
-      exists(Operand repr |
-        repr = Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) and
-        nodeHasOperand(this, repr, indirectionIndex - 1)
+      exists(Operand repr, int indirectionIndexRepr |
+        Ssa::hasIRRepresentationOfIndirectOperand(operand, indirectionIndex, repr,
+          indirectionIndexRepr) and
+        nodeHasOperand(this, repr, indirectionIndexRepr)
       )
     }
 
@@ -262,9 +263,10 @@ private module IndirectInstructions {
     int indirectionIndex;
 
     IndirectInstructionFromIRRepr() {
-      exists(Instruction repr |
-        repr = Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) and
-        nodeHasInstruction(this, repr, indirectionIndex - 1)
+      exists(Instruction repr, int indirectionIndexRepr |
+        Ssa::hasIRRepresentationOfIndirectInstruction(instr, indirectionIndex, repr,
+          indirectionIndexRepr) and
+        nodeHasInstruction(this, repr, indirectionIndexRepr)
       )
     }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -74,7 +74,7 @@ predicate hasRawIndirectOperand(Operand op, int indirectionIndex) {
     type = getLanguageType(op) and
     m = countIndirectionsForCppType(type) and
     indirectionIndex = [1 .. m] and
-    not exists(getIRRepresentationOfIndirectOperand(op, indirectionIndex))
+    not hasIRRepresentationOfIndirectOperand(op, indirectionIndex, _, _)
   )
 }
 
@@ -88,7 +88,7 @@ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) {
     type = getResultLanguageType(instr) and
     m = countIndirectionsForCppType(type) and
     indirectionIndex = [1 .. m] and
-    not exists(getIRRepresentationOfIndirectInstruction(instr, indirectionIndex))
+    not hasIRRepresentationOfIndirectInstruction(instr, indirectionIndex, _, _)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -781,11 +781,14 @@ private module Cached {
    * instead associated with the operand returned by this predicate.
    */
   cached
-  Operand getIRRepresentationOfIndirectOperand(Operand operand, int indirectionIndex) {
+  predicate hasIRRepresentationOfIndirectOperand(
+    Operand operand, int indirectionIndex, Operand operandRepr, int indirectionIndexRepr
+  ) {
+    indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and
     exists(Instruction load |
       isDereference(load, operand) and
-      result = unique( | | getAUse(load)) and
-      isUseImpl(operand, _, indirectionIndex - 1)
+      operandRepr = unique( | | getAUse(load)) and
+      indirectionIndexRepr = indirectionIndex - 1
     )
   }
 
@@ -797,12 +800,15 @@ private module Cached {
    * instead associated with the instruction returned by this predicate.
    */
   cached
-  Instruction getIRRepresentationOfIndirectInstruction(Instruction instr, int indirectionIndex) {
+  predicate hasIRRepresentationOfIndirectInstruction(
+    Instruction instr, int indirectionIndex, Instruction instrRepr, int indirectionIndexRepr
+  ) {
+    indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and
     exists(Instruction load, Operand address |
       address.getDef() = instr and
       isDereference(load, address) and
-      isUseImpl(address, _, indirectionIndex - 1) and
-      result = load
+      instrRepr = load and
+      indirectionIndexRepr = indirectionIndex - 1
     )
   }
 

cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected

@@ -3,5 +3,6 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (taint
 WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:61,22-30)
 WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:68,25-33)
 WARNING: Module TaintTracking has been deprecated and may be removed in future (taint.ql:73,20-33)
-failures
 testFailures
+| vector.cpp:532:10:532:12 | call to operator[] | Unexpected result: ir= |
+failures

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -2,6 +2,7 @@ edges
 | tests.cpp:26:15:26:23 | badSource indirection | tests.cpp:51:12:51:20 | call to badSource indirection |
 | tests.cpp:33:34:33:39 | call to getenv indirection | tests.cpp:38:39:38:49 | environment indirection |
 | tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | badSource indirection |
+| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:38:25:38:36 | strncat output argument |
 | tests.cpp:38:39:38:49 | environment indirection | tests.cpp:38:25:38:36 | strncat output argument |
 | tests.cpp:51:12:51:20 | call to badSource indirection | tests.cpp:53:16:53:19 | data indirection |
 nodes

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected

@@ -3,9 +3,11 @@ edges
 | test.cpp:15:27:15:30 | argv indirection | test.cpp:22:45:22:52 | userName indirection |
 | test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | command1 indirection |
 | test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
+| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:45:22:52 | userName indirection |
 | test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:50:35:50:43 | envCflags indirection |
 | test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | command indirection |
 | test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:11:50:17 | sprintf output argument |
+| test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:35:50:43 | envCflags indirection |
 | test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | filename indirection |
 | test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | command indirection |
 | test.cpp:64:20:64:27 | filename indirection | test.cpp:64:11:64:17 | strncat output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -4,38 +4,29 @@ edges
 | test.cpp:18:10:18:15 | str indirection [post update] [string] | test.cpp:19:5:19:7 | str indirection [string] |
 | test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... |
 | test.cpp:19:5:19:7 | str indirection [string] | test.cpp:16:11:16:21 | mk_string_t indirection [string] |
+| test.cpp:19:5:19:7 | str indirection [string] | test.cpp:19:5:19:7 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:42:13:42:15 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:72:17:72:19 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:80:17:80:19 | str indirection [string] |
 | test.cpp:42:13:42:15 | str indirection [string] | test.cpp:42:18:42:23 | string |
-| test.cpp:42:13:42:15 | str indirection [string] | test.cpp:42:18:42:23 | string indirection |
-| test.cpp:42:18:42:23 | string indirection | test.cpp:42:18:42:23 | string |
 | test.cpp:72:17:72:19 | str indirection [string] | test.cpp:72:22:72:27 | string |
-| test.cpp:72:17:72:19 | str indirection [string] | test.cpp:72:22:72:27 | string indirection |
-| test.cpp:72:22:72:27 | string indirection | test.cpp:72:22:72:27 | string |
 | test.cpp:80:17:80:19 | str indirection [string] | test.cpp:80:22:80:27 | string |
-| test.cpp:80:17:80:19 | str indirection [string] | test.cpp:80:22:80:27 | string indirection |
-| test.cpp:80:22:80:27 | string indirection | test.cpp:80:22:80:27 | string |
 | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] |
 | test.cpp:90:5:90:34 | ... = ... | test.cpp:90:10:90:15 | str indirection [post update] [string] |
 | test.cpp:90:10:90:15 | str indirection [post update] [string] | test.cpp:91:5:91:7 | str indirection [string] |
 | test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... |
 | test.cpp:91:5:91:7 | str indirection [string] | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] |
+| test.cpp:91:5:91:7 | str indirection [string] | test.cpp:91:5:91:7 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:99:13:99:15 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:129:17:129:19 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:137:17:137:19 | str indirection [string] |
 | test.cpp:99:13:99:15 | str indirection [string] | test.cpp:99:18:99:23 | string |
-| test.cpp:99:13:99:15 | str indirection [string] | test.cpp:99:18:99:23 | string indirection |
-| test.cpp:99:18:99:23 | string indirection | test.cpp:99:18:99:23 | string |
 | test.cpp:129:17:129:19 | str indirection [string] | test.cpp:129:22:129:27 | string |
-| test.cpp:129:17:129:19 | str indirection [string] | test.cpp:129:22:129:27 | string indirection |
-| test.cpp:129:22:129:27 | string indirection | test.cpp:129:22:129:27 | string |
 | test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string |
-| test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string indirection |
-| test.cpp:137:22:137:27 | string indirection | test.cpp:137:22:137:27 | string |
 | test.cpp:147:5:147:34 | ... = ... | test.cpp:147:10:147:15 | str indirection [post update] [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:148:5:148:7 | str indirection [string] |
 | test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:148:5:148:7 | str indirection [string] |
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:152:13:152:15 | str indirection [string] |
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:154:13:154:15 | str indirection [string] |
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:156:13:156:15 | str indirection [string] |
@@ -46,32 +37,14 @@ edges
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:203:17:203:19 | str indirection [string] |
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:207:17:207:19 | str indirection [string] |
 | test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string |
-| test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string indirection |
-| test.cpp:152:18:152:23 | string indirection | test.cpp:152:18:152:23 | string |
 | test.cpp:154:13:154:15 | str indirection [string] | test.cpp:154:18:154:23 | string |
-| test.cpp:154:13:154:15 | str indirection [string] | test.cpp:154:18:154:23 | string indirection |
-| test.cpp:154:18:154:23 | string indirection | test.cpp:154:18:154:23 | string |
 | test.cpp:156:13:156:15 | str indirection [string] | test.cpp:156:18:156:23 | string |
-| test.cpp:156:13:156:15 | str indirection [string] | test.cpp:156:18:156:23 | string indirection |
-| test.cpp:156:18:156:23 | string indirection | test.cpp:156:18:156:23 | string |
 | test.cpp:175:17:175:19 | str indirection [string] | test.cpp:175:22:175:27 | string |
-| test.cpp:175:17:175:19 | str indirection [string] | test.cpp:175:22:175:27 | string indirection |
-| test.cpp:175:22:175:27 | string indirection | test.cpp:175:22:175:27 | string |
 | test.cpp:187:17:187:19 | str indirection [string] | test.cpp:187:22:187:27 | string |
-| test.cpp:187:17:187:19 | str indirection [string] | test.cpp:187:22:187:27 | string indirection |
-| test.cpp:187:22:187:27 | string indirection | test.cpp:187:22:187:27 | string |
 | test.cpp:195:17:195:19 | str indirection [string] | test.cpp:195:22:195:27 | string |
-| test.cpp:195:17:195:19 | str indirection [string] | test.cpp:195:22:195:27 | string indirection |
-| test.cpp:195:22:195:27 | string indirection | test.cpp:195:22:195:27 | string |
 | test.cpp:199:17:199:19 | str indirection [string] | test.cpp:199:22:199:27 | string |
-| test.cpp:199:17:199:19 | str indirection [string] | test.cpp:199:22:199:27 | string indirection |
-| test.cpp:199:22:199:27 | string indirection | test.cpp:199:22:199:27 | string |
 | test.cpp:203:17:203:19 | str indirection [string] | test.cpp:203:22:203:27 | string |
-| test.cpp:203:17:203:19 | str indirection [string] | test.cpp:203:22:203:27 | string indirection |
-| test.cpp:203:22:203:27 | string indirection | test.cpp:203:22:203:27 | string |
 | test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string |
-| test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string indirection |
-| test.cpp:207:22:207:27 | string indirection | test.cpp:207:22:207:27 | string |
 | test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
 | test.cpp:220:43:220:48 | call to malloc | test.cpp:222:15:222:20 | buffer |
 | test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
@@ -83,8 +56,6 @@ edges
 | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
 | test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
 | test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:12:243:21 | string |
-| test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:16:243:21 | string indirection |
-| test.cpp:243:16:243:21 | string indirection | test.cpp:243:12:243:21 | string |
 | test.cpp:249:20:249:27 | call to my_alloc | test.cpp:250:12:250:12 | p |
 | test.cpp:256:17:256:22 | call to malloc | test.cpp:257:12:257:12 | p |
 | test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p |
@@ -98,13 +69,10 @@ nodes
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | semmle.label | call to mk_string_t indirection [string] |
 | test.cpp:42:13:42:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:42:18:42:23 | string | semmle.label | string |
-| test.cpp:42:18:42:23 | string indirection | semmle.label | string indirection |
 | test.cpp:72:17:72:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:72:22:72:27 | string | semmle.label | string |
-| test.cpp:72:22:72:27 | string indirection | semmle.label | string indirection |
 | test.cpp:80:17:80:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:80:22:80:27 | string | semmle.label | string |
-| test.cpp:80:22:80:27 | string indirection | semmle.label | string indirection |
 | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | semmle.label | mk_string_t_plus_one indirection [string] |
 | test.cpp:90:5:90:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:90:10:90:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
@@ -113,44 +81,32 @@ nodes
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | semmle.label | call to mk_string_t_plus_one indirection [string] |
 | test.cpp:99:13:99:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:99:18:99:23 | string | semmle.label | string |
-| test.cpp:99:18:99:23 | string indirection | semmle.label | string indirection |
 | test.cpp:129:17:129:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:129:22:129:27 | string | semmle.label | string |
-| test.cpp:129:22:129:27 | string indirection | semmle.label | string indirection |
 | test.cpp:137:17:137:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:137:22:137:27 | string | semmle.label | string |
-| test.cpp:137:22:137:27 | string indirection | semmle.label | string indirection |
 | test.cpp:147:5:147:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
 | test.cpp:147:19:147:24 | call to malloc | semmle.label | call to malloc |
 | test.cpp:148:5:148:7 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:152:13:152:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:152:18:152:23 | string | semmle.label | string |
-| test.cpp:152:18:152:23 | string indirection | semmle.label | string indirection |
 | test.cpp:154:13:154:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:154:18:154:23 | string | semmle.label | string |
-| test.cpp:154:18:154:23 | string indirection | semmle.label | string indirection |
 | test.cpp:156:13:156:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:156:18:156:23 | string | semmle.label | string |
-| test.cpp:156:18:156:23 | string indirection | semmle.label | string indirection |
 | test.cpp:175:17:175:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:175:22:175:27 | string | semmle.label | string |
-| test.cpp:175:22:175:27 | string indirection | semmle.label | string indirection |
 | test.cpp:187:17:187:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:187:22:187:27 | string | semmle.label | string |
-| test.cpp:187:22:187:27 | string indirection | semmle.label | string indirection |
 | test.cpp:195:17:195:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:195:22:195:27 | string | semmle.label | string |
-| test.cpp:195:22:195:27 | string indirection | semmle.label | string indirection |
 | test.cpp:199:17:199:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:199:22:199:27 | string | semmle.label | string |
-| test.cpp:199:22:199:27 | string indirection | semmle.label | string indirection |
 | test.cpp:203:17:203:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:203:22:203:27 | string | semmle.label | string |
-| test.cpp:203:22:203:27 | string indirection | semmle.label | string indirection |
 | test.cpp:207:17:207:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:207:22:207:27 | string | semmle.label | string |
-| test.cpp:207:22:207:27 | string indirection | semmle.label | string indirection |
 | test.cpp:214:24:214:24 | p | semmle.label | p |
 | test.cpp:216:10:216:10 | p | semmle.label | p |
 | test.cpp:220:43:220:48 | call to malloc | semmle.label | call to malloc |
@@ -165,7 +121,6 @@ nodes
 | test.cpp:242:22:242:27 | buffer | semmle.label | buffer |
 | test.cpp:243:12:243:14 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:243:12:243:21 | string | semmle.label | string |
-| test.cpp:243:16:243:21 | string indirection | semmle.label | string indirection |
 | test.cpp:249:20:249:27 | call to my_alloc | semmle.label | call to my_alloc |
 | test.cpp:250:12:250:12 | p | semmle.label | p |
 | test.cpp:256:17:256:22 | call to malloc | semmle.label | call to malloc |