C++: Fix spurious flow though and accept test changes.

MathiasVP · MathiasVP · commit 5bd7589109fd · 2023-02-10T12:42:40.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -52,12 +52,29 @@ private newtype TIRDataFlowNode =
   TFinalParameterNode(Parameter p, int indirectionIndex) {
     exists(Ssa::FinalParameterUse use |
       use.getParameter() = p and
-      use.getIndirectionIndex() = indirectionIndex
+      use.getIndirectionIndex() = indirectionIndex and
+      parameterIsDefined(p)
     )
   } or
   TFinalGlobalValue(Ssa::GlobalUse globalUse) or
   TInitialGlobalValue(Ssa::GlobalDef globalUse)
 
+/**
+ * Holds if the value of `*p` (or `**p`, `***p`, etc.) is redefined somewhere in the body
+ * of the enclosing function of `p`.
+ *
+ * Only parameters satisfying this predicate will generate a `FinalParameterNode` transferring
+ * flow out of the function.
+ */
+private predicate parameterIsDefined(Parameter p) {
+  exists(Ssa::Def def |
+    def.getSourceVariable().getBaseVariable().(Ssa::BaseIRVariable).getIRVariable().getAst() = p and
+    def.getIndirectionIndex() = 0 and
+    def.getIndirection() > 1 and
+    not def.getValue().asInstruction() instanceof InitializeParameterInstruction
+  )
+}
+
 /**
  * An operand that is defined by a `FieldAddressInstruction`.
  */
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -918,6 +918,8 @@ class Def extends DefOrUse {
   Instruction getAddress() { result = this.getAddressOperand().getDef() }
 
   /**
+   * Gets the indirection index of this definition.
+   *
    * This predicate ensures that joins go from `defOrUse` to the result
    * instead of the other way around.
    */
@@ -926,6 +928,19 @@ class Def extends DefOrUse {
     pragma[only_bind_into](result) = pragma[only_bind_out](defOrUse).getIndirectionIndex()
   }
 
+  /**
+   * Gets the indirection level that this definition is writing to.
+   * For instance, `x = y` is a definition of `x` at indirection level 1 and
+   * `*x = y` is a definition of `x` at indirection level 2.
+   *
+   * This predicate ensures that joins go from `defOrUse` to the result
+   * instead of the other way around.
+   */
+  pragma[inline]
+  int getIndirection() {
+    pragma[only_bind_into](result) = pragma[only_bind_out](defOrUse).getIndirection()
+  }
+
   Node0Impl getValue() { result = defOrUse.getValue() }
 
   predicate isCertain() { defOrUse.isCertain() }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -579,13 +579,13 @@ namespace IndirectFlowThroughGlobals {
   }
 }
 
-void write_to_param(int* x) { // $ ast-def=x ir-def=*x
+void write_to_param(int* x) { // $ ast-def=x
   int s = source();
   x = &s;
 }
 
 void test_write_to_param() {
   int x = 0;
   write_to_param(&x);
-  sink(x); // $ SPURIOUS: ast,ir
+  sink(x); // $ SPURIOUS: ast
 }

Original file line number	Diff line number	Diff line change
`@@ -579,13 +579,13 @@ namespace IndirectFlowThroughGlobals {`
`579`	`579`	`}`
`580`	`580`	`}`
`581`	`581`
`582`		`-void write_to_param(int* x) { // $ ast-def=x ir-def=*x`
	`582`	`+void write_to_param(int* x) { // $ ast-def=x`
`583`	`583`	`int s = source();`
`584`	`584`	`x = &s;`
`585`	`585`	`}`
`586`	`586`
`587`	`587`	`void test_write_to_param() {`
`588`	`588`	`int x = 0;`
`589`	`589`	`write_to_param(&x);`
`590`		`- sink(x); // $ SPURIOUS: ast,ir`
	`590`	`+ sink(x); // $ SPURIOUS: ast`
`591`	`591`	`}`