C++: C++: Use getAUse in getIRRepresentationOfIndirectOperand

jketema · jketema · commit de97ae38dce6 · 2023-03-09T15:15:00.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -765,7 +765,7 @@ private module Cached {
   Operand getIRRepresentationOfIndirectOperand(Operand operand, int indirectionIndex) {
     exists(Instruction load |
       isDereference(load, operand) and
-      result = unique( | | load.getAUse()) and
+      result = unique( | | getAUse(load)) and
       isUseImpl(operand, _, indirectionIndex - 1)
     )
   }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected
@@ -25,9 +25,16 @@ edges
 | globalVars.c:16:2:16:12 | ... = ... | globalVars.c:9:7:9:11 | copy2 |
 | globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
 | globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
+| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
+| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
+| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
 | globalVars.c:30:15:30:18 | copy | globalVars.c:35:11:35:14 | copy |
 | globalVars.c:33:15:33:18 | copy | globalVars.c:35:11:35:14 | copy |
 | globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val |
+| globalVars.c:35:11:35:14 | copy | globalVars.c:35:11:35:14 | copy |
+| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
+| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
+| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
@@ -1,23 +1,17 @@
 edges
-| test.cpp:53:27:53:30 | argv | test.cpp:58:25:58:29 | input indirection |
-| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 nodes
 | test2.cpp:110:3:110:6 | call to gets indirection | semmle.label | call to gets indirection |
-| test.cpp:53:27:53:30 | argv | semmle.label | argv |
 | test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
 | test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
 | test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
 | test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
-| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
 subpaths
 #select
 | test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets indirection | test2.cpp:110:3:110:6 | call to gets indirection | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | call to gets indirection | user input (string read by gets) |
-| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv | user input (a command-line argument) |
-| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
@@ -1,6 +1,5 @@
 edges
 | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 |
-| test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 indirection |
 | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | buf indirection |
 | test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | buf indirection |
 | test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf indirection |
@@ -28,7 +27,6 @@ nodes
 | test2.cpp:57:39:57:49 | call to getPassword | semmle.label | call to getPassword |
 | test2.cpp:62:18:62:25 | password | semmle.label | password |
 | test2.cpp:65:31:65:34 | cpy1 | semmle.label | cpy1 |
-| test2.cpp:65:31:65:34 | cpy1 indirection | semmle.label | cpy1 indirection |
 | test2.cpp:72:15:72:24 | password | semmle.label | password |
 | test2.cpp:72:17:72:24 | password | semmle.label | password |
 | test2.cpp:73:30:73:32 | buf indirection | semmle.label | buf indirection |
@@ -57,7 +55,6 @@ subpaths
 | test2.cpp:55:2:55:8 | call to fprintf | test2.cpp:55:40:55:51 | widepassword | test2.cpp:55:40:55:51 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:55:40:55:51 | widepassword | this source. |
 | test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. |
 | test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. |
-| test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. |
 | test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
 | test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
 | test2.cpp:76:3:76:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
@@ -1,5 +1,4 @@
 edges
-| test.cpp:11:26:11:28 | url | test.cpp:15:30:15:32 | url indirection |
 | test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url indirection |
 | test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url indirection |
 | test.cpp:24:13:24:17 | url_g indirection | test.cpp:38:11:38:15 | url_g indirection |
@@ -17,20 +16,14 @@ edges
 | test.cpp:46:18:46:26 | http:// indirection | test.cpp:49:11:49:16 | buffer indirection |
 | test.cpp:46:18:46:26 | http:// indirection | test.cpp:49:11:49:16 | buffer indirection |
 | test.cpp:49:11:49:16 | buffer indirection | test.cpp:11:26:11:28 | url indirection |
-| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr |
-| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr |
-| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr |
 | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
 | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
 | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
-| test.cpp:121:11:121:13 | ptr | test.cpp:11:26:11:28 | url |
 | test.cpp:121:11:121:13 | ptr indirection | test.cpp:11:26:11:28 | url indirection |
 nodes
-| test.cpp:11:26:11:28 | url | semmle.label | url |
 | test.cpp:11:26:11:28 | url indirection | semmle.label | url indirection |
 | test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
 | test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
-| test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
 | test.cpp:24:13:24:17 | url_g indirection | semmle.label | url_g indirection |
 | test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
@@ -49,7 +42,6 @@ nodes
 | test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:121:11:121:13 | ptr | semmle.label | ptr |
 | test.cpp:121:11:121:13 | ptr indirection | semmle.label | ptr indirection |
 subpaths
 #select
@@ -79,6 +71,3 @@ subpaths
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
@@ -9,7 +9,6 @@ edges
 | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | tests2.cpp:81:14:81:19 | buffer indirection |
 | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection |
 | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection |
-| tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection |
 | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection |
 | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection |
 | tests2.cpp:109:3:109:36 | ... = ... indirection | tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] |
@@ -55,8 +54,6 @@ nodes
 | tests2.cpp:82:14:82:20 | global1 indirection | semmle.label | global1 indirection |
 | tests2.cpp:82:14:82:20 | global1 indirection | semmle.label | global1 indirection |
 | tests2.cpp:91:42:91:45 | str1 indirection | semmle.label | str1 indirection |
-| tests2.cpp:91:42:91:45 | str1 indirection | semmle.label | str1 indirection |
-| tests2.cpp:93:14:93:17 | str1 indirection | semmle.label | str1 indirection |
 | tests2.cpp:93:14:93:17 | str1 indirection | semmle.label | str1 indirection |
 | tests2.cpp:93:14:93:17 | str1 indirection | semmle.label | str1 indirection |
 | tests2.cpp:101:8:101:15 | call to getpwuid indirection | semmle.label | call to getpwuid indirection |
@@ -103,7 +100,6 @@ subpaths
 | tests2.cpp:82:14:82:20 | global1 indirection | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:82:14:82:20 | global1 indirection | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
 | tests2.cpp:93:14:93:17 | str1 indirection | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 indirection | str1 indirection |
 | tests2.cpp:93:14:93:17 | str1 indirection | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 indirection | str1 indirection |
-| tests2.cpp:93:14:93:17 | str1 indirection | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 indirection | str1 indirection |
 | tests2.cpp:102:14:102:15 | pw indirection | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid indirection | call to getpwuid indirection |
 | tests2.cpp:102:14:102:15 | pw indirection | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid indirection | call to getpwuid indirection |
 | tests2.cpp:111:14:111:19 | ptr indirection | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:111:14:111:19 | ptr indirection | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv indirection | call to getenv indirection |

Original file line number	Diff line number	Diff line change
`@@ -765,7 +765,7 @@ private module Cached {`
`765`	`765`	`Operand getIRRepresentationOfIndirectOperand(Operand operand, int indirectionIndex) {`
`766`	`766`	`exists(Instruction load \|`
`767`	`767`	`isDereference(load, operand) and`
`768`		`- result = unique( \| \| load.getAUse()) and`
	`768`	`+ result = unique( \| \| getAUse(load)) and`
`769`	`769`	`isUseImpl(operand, _, indirectionIndex - 1)`
`770`	`770`	`)`
`771`	`771`	`}`