C++: When we generate a string for the node we avoid multiple results by only using the 0'th result from the 'asExpr' predicate. However, when we want to convert between nodes and expressions we don't care about which one we get.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -414,9 +414,10 @@ class Node extends TIRDataFlowNode {
 }
 
 private string toExprString(Node n) {
-  result = n.asExpr().toString()
+  result = n.asExpr(0).toString()
   or
-  result = n.asIndirectExpr().toString() + " indirection"
+  not exists(n.asExpr()) and
+  result = n.asIndirectExpr(0, 1).toString() + " indirection"
 }
 
 /**
@@ -1506,15 +1507,15 @@ OperandNode operandNode(Operand operand) { result.getOperand() = operand }
  * _out of_ an expression, like when an argument is passed by reference, use
  * `definitionByReferenceNodeFromArgument` instead.
  */
-ExprNode exprNode(Expr e) { result.getExpr() = e }
+ExprNode exprNode(Expr e) { result.getExpr(_) = e }
 
 /**
  * Gets the `Node` corresponding to the value of evaluating `e`. Here, `e` may
  * be a `Conversion`. For data flowing _out of_ an expression, like when an
  * argument is passed by reference, use
  * `definitionByReferenceNodeFromArgument` instead.
  */
-ExprNode convertedExprNode(Expr e) { result.getConvertedExpr() = e }
+ExprNode convertedExprNode(Expr e) { result.getConvertedExpr(_) = e }
 
 /**
  * Gets the `Node` corresponding to the value of `p` at function entry.

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -8,37 +8,21 @@ testFailures
 | map.cpp:168:7:168:27 | ... = ... | Unexpected result: ir=168:20 |
 | map.cpp:168:7:168:27 | ... = ... indirection | Unexpected result: ir=168:7 |
 | map.cpp:168:7:168:27 | ... = ... indirection | Unexpected result: ir=168:20 |
-| map.cpp:168:7:168:27 | call to source | Unexpected result: ir=168:7 |
-| map.cpp:168:7:168:27 | call to source | Unexpected result: ir=168:20 |
-| map.cpp:168:7:168:27 | call to source indirection | Unexpected result: ir=168:7 |
-| map.cpp:168:7:168:27 | call to source indirection | Unexpected result: ir=168:20 |
 | map.cpp:168:31:168:41 | // $ ast,ir | Missing result:ir= |
 | map.cpp:170:7:170:30 | ... = ... | Unexpected result: ir=170:7 |
 | map.cpp:170:7:170:30 | ... = ... | Unexpected result: ir=170:23 |
 | map.cpp:170:7:170:30 | ... = ... indirection | Unexpected result: ir=170:7 |
 | map.cpp:170:7:170:30 | ... = ... indirection | Unexpected result: ir=170:23 |
-| map.cpp:170:7:170:30 | call to source | Unexpected result: ir=170:7 |
-| map.cpp:170:7:170:30 | call to source | Unexpected result: ir=170:23 |
-| map.cpp:170:7:170:30 | call to source indirection | Unexpected result: ir=170:7 |
-| map.cpp:170:7:170:30 | call to source indirection | Unexpected result: ir=170:23 |
 | map.cpp:170:34:170:44 | // $ ast,ir | Missing result:ir= |
 | map.cpp:320:7:320:27 | ... = ... | Unexpected result: ir=320:7 |
 | map.cpp:320:7:320:27 | ... = ... | Unexpected result: ir=320:20 |
 | map.cpp:320:7:320:27 | ... = ... indirection | Unexpected result: ir=320:7 |
 | map.cpp:320:7:320:27 | ... = ... indirection | Unexpected result: ir=320:20 |
-| map.cpp:320:7:320:27 | call to source | Unexpected result: ir=320:7 |
-| map.cpp:320:7:320:27 | call to source | Unexpected result: ir=320:20 |
-| map.cpp:320:7:320:27 | call to source indirection | Unexpected result: ir=320:7 |
-| map.cpp:320:7:320:27 | call to source indirection | Unexpected result: ir=320:20 |
 | map.cpp:320:31:320:41 | // $ ast,ir | Missing result:ir= |
 | map.cpp:322:7:322:30 | ... = ... | Unexpected result: ir=322:7 |
 | map.cpp:322:7:322:30 | ... = ... | Unexpected result: ir=322:23 |
 | map.cpp:322:7:322:30 | ... = ... indirection | Unexpected result: ir=322:7 |
 | map.cpp:322:7:322:30 | ... = ... indirection | Unexpected result: ir=322:23 |
-| map.cpp:322:7:322:30 | call to source | Unexpected result: ir=322:7 |
-| map.cpp:322:7:322:30 | call to source | Unexpected result: ir=322:23 |
-| map.cpp:322:7:322:30 | call to source indirection | Unexpected result: ir=322:7 |
-| map.cpp:322:7:322:30 | call to source indirection | Unexpected result: ir=322:23 |
 | map.cpp:322:34:322:44 | // $ ast,ir | Missing result:ir= |
 | taint.cpp:16:8:16:14 | source1 | Unexpected result: ir=12:13 |
 | taint.cpp:16:8:16:14 | source1 | Unexpected result: ir=12:22 |

cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected

@@ -9,9 +9,6 @@ edges
 | test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a |
 | test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a |
 | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... |
-| test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | a indirection |
-| test_free.cpp:128:10:128:11 | a indirection | test_free.cpp:129:10:129:11 | * ... |
-| test_free.cpp:128:10:128:11 | a indirection | test_free.cpp:129:10:129:11 | a indirection |
 | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a |
 | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
 | test_free.cpp:252:7:252:7 | p | test_free.cpp:255:10:255:10 | p |
@@ -36,13 +33,7 @@ nodes
 | test_free.cpp:101:10:101:10 | a | semmle.label | a |
 | test_free.cpp:103:10:103:10 | a | semmle.label | a |
 | test_free.cpp:128:10:128:11 | * ... | semmle.label | * ... |
-| test_free.cpp:128:10:128:11 | * ... | semmle.label | a indirection |
-| test_free.cpp:128:10:128:11 | a indirection | semmle.label | * ... |
-| test_free.cpp:128:10:128:11 | a indirection | semmle.label | a indirection |
 | test_free.cpp:129:10:129:11 | * ... | semmle.label | * ... |
-| test_free.cpp:129:10:129:11 | * ... | semmle.label | a indirection |
-| test_free.cpp:129:10:129:11 | a indirection | semmle.label | * ... |
-| test_free.cpp:129:10:129:11 | a indirection | semmle.label | a indirection |
 | test_free.cpp:152:27:152:27 | a | semmle.label | a |
 | test_free.cpp:154:10:154:10 | a | semmle.label | a |
 | test_free.cpp:207:10:207:10 | a | semmle.label | a |
@@ -63,13 +54,6 @@ subpaths
 | test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
 | test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
 | test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | a indirection | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | a indirection | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | a indirection | test_free.cpp:129:10:129:11 | a indirection | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:129:10:129:11 | a indirection | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:129:10:129:11 | a indirection | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | a indirection | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:129:10:129:11 | a indirection | test_free.cpp:128:10:128:11 | a indirection | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:129:10:129:11 | a indirection | test_free.cpp:128:10:128:11 | a indirection | test_free.cpp:129:10:129:11 | a indirection | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
 | test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
 | test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
 | test_free.cpp:255:10:255:10 | p | test_free.cpp:252:7:252:7 | p | test_free.cpp:255:10:255:10 | p | Memory pointed to by 'p' may already have been freed by $@. | test_free.cpp:252:2:252:5 | call to free | call to free |

cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected

@@ -1,7 +1,6 @@
 edges
 | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a |
 | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | * ... |
-| test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | a |
 | test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a |
 | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a |
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a |
@@ -19,9 +18,6 @@ nodes
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:12:5:12:5 | a | semmle.label | a |
 | test_free.cpp:13:5:13:6 | * ... | semmle.label | * ... |
-| test_free.cpp:13:5:13:6 | * ... | semmle.label | a |
-| test_free.cpp:13:5:13:6 | a | semmle.label | * ... |
-| test_free.cpp:13:5:13:6 | a | semmle.label | a |
 | test_free.cpp:42:27:42:27 | a | semmle.label | a |
 | test_free.cpp:44:27:44:27 | a | semmle.label | a |
 | test_free.cpp:45:5:45:5 | a | semmle.label | a |
@@ -52,9 +48,6 @@ subpaths
 #select
 | test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
 | test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:13:5:13:6 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:13:5:13:6 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
 | test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
 | test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
 | test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -39,8 +39,6 @@ edges
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
-| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | i2 indirection |
-| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | i2 indirection |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
@@ -65,8 +63,6 @@ edges
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
-| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 |
-| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
@@ -141,9 +137,6 @@ nodes
 | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
 | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
 | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
-| argvLocal.c:111:15:111:17 | * ... | semmle.label | i2 indirection |
-| argvLocal.c:111:15:111:17 | i2 indirection | semmle.label | * ... |
-| argvLocal.c:111:15:111:17 | i2 indirection | semmle.label | i2 indirection |
 | argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
 | argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
 | argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
@@ -168,9 +161,6 @@ nodes
 | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
 | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
 | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
-| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | i4 |
-| argvLocal.c:135:9:135:12 | i4 | semmle.label | ... ++ |
-| argvLocal.c:135:9:135:12 | i4 | semmle.label | i4 |
 | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
 | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
 | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |

cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected

@@ -37,8 +37,6 @@ edges
 | funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
 | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... |
 | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... |
-| funcsLocal.c:46:7:46:9 | i7 indirection | funcsLocal.c:47:9:47:11 | * ... |
-| funcsLocal.c:46:7:46:9 | i7 indirection | funcsLocal.c:47:9:47:11 | * ... |
 | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
 | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
 | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
@@ -70,10 +68,7 @@ nodes
 | funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
 | funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... |
 | funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... |
-| funcsLocal.c:46:7:46:9 | * ... | semmle.label | i7 indirection |
 | funcsLocal.c:46:7:46:9 | gets output argument | semmle.label | gets output argument |
-| funcsLocal.c:46:7:46:9 | i7 indirection | semmle.label | * ... |
-| funcsLocal.c:46:7:46:9 | i7 indirection | semmle.label | i7 indirection |
 | funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
 | funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets |

cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected

@@ -3,7 +3,7 @@ edges
 | test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... |
 | test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... |
 | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size |
-| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | size |
+| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | new[] |
 | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
 | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
 | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... |
@@ -40,7 +40,7 @@ nodes
 | test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
 | test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
 | test.cpp:49:32:49:35 | size | semmle.label | size |
-| test.cpp:50:17:50:30 | size | semmle.label | size |
+| test.cpp:50:17:50:30 | new[] | semmle.label | new[] |
 | test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:124:18:124:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:124:18:124:31 | call to getenv indirection | semmle.label | call to getenv indirection |
@@ -82,7 +82,7 @@ subpaths
 | test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
-| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
+| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | new[] | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:23 | call to getenv | user input (an environment variable) |
 | test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:31 | call to getenv indirection | user input (an environment variable) |