C++: VariableAddressInstructions with array types are not single-object types.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TypeFlow.qll

@@ -27,8 +27,11 @@ private module Input implements TypeFlowInput<Location> {
   }
 
   private predicate hasExactSingleType(Instruction i) {
-    // The address of a variable is always a single object
-    i instanceof VariableAddressInstruction
+    // The address of a variable is always a single object (unless it's an array)
+    exists(VariableAddressInstruction vai |
+      i = vai and
+      not vai.getResultType() instanceof ArrayType
+    )
     or
     // A reference always points to a single object
     i.getResultLanguageType().hasUnspecifiedType(any(ReferenceType rt), false)

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -326,6 +326,7 @@ irFlow
 | test.cpp:1069:9:1069:14 | call to source | test.cpp:1081:10:1081:10 | i |
 | test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source |
 | test.cpp:1132:11:1132:16 | call to source | test.cpp:1121:8:1121:8 | x |
+| test.cpp:1138:17:1138:22 | call to source | test.cpp:1140:8:1140:18 | * ... |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1137,5 +1137,5 @@ void test_uncertain_array(int n1, int n2) {
   int data[10];
   *(data + 1) = source();
   *data = 0;
-  sink(*(data + 1)); // $ ast=1138:17 ast=1137:7 MISSING: ir
+  sink(*(data + 1)); // $ ast=1138:17 ast=1137:7 ir
 }