github
diff --git a/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll‎
Lines changed: 20 additions & 1 deletion b/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll‎
Lines changed: 20 additions & 1 deletion
diff --git a/‎cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql‎
Lines changed: 3 additions & 2 deletions b/‎cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql‎
Lines changed: 14 additions & 13 deletions b/‎cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql‎
Lines changed: 14 additions & 13 deletions
@@ -756,11 +756,20 @@ private predicate indirectExprNodeShouldBeIndirectOperand(IndirectOperand node,
   )
 }
 
+private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e) {
+  exists(CallInstruction call |
+    call.getStaticCallTarget() instanceof Constructor and
+    e = call.getConvertedResultExpression() and
+    call.getThisArgumentOperand() = node.getAddressOperand()
+  )
+}
+
 /** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */
 predicate exprNodeShouldBeInstruction(Node node, Expr e) {
   e = node.asInstruction().getConvertedResultExpression() and
   not exprNodeShouldBeOperand(_, e) and
-  not exprNodeShouldBeIndirectOperand(_, e, _)
+  not exprNodeShouldBeIndirectOperand(_, e, _) and
+  not exprNodeShouldBeIndirectOutNode(_, e)
 }
 
 /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
@@ -866,6 +875,16 @@ private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase,
   final override string toStringImpl() { result = super.toStringImpl() }
 }
 
+private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
+  IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _) }
+
+  final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOutNode(this, result) }
+
+  final override Expr getExpr() { result = this.getConvertedExpr() }
+
+  final override string toStringImpl() { result = this.getConvertedExpr().toString() }
+}
+
 /**
  * An expression, viewed as a node in a data flow graph.
  */
 
@@ -46,7 +46,7 @@ predicate illDefinedDecrForStmt(
     candidateDecrForStmt(forstmt, v, lesserOperand, terminalCondition) and
     // `initialCondition` is a value of `v` in the for loop
     v.getAnAssignedValue() = initialCondition and
-    DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(lesserOperand)) and
+    DataFlow::localFlowStep+(DataFlow::exprNode(initialCondition), DataFlow::exprNode(lesserOperand)) and
     // `initialCondition` < `terminalCondition`
     (
       upperBound(initialCondition) < lowerBound(terminalCondition) and
@@ -82,7 +82,8 @@ predicate illDefinedIncrForStmt(
     candidateIncrForStmt(forstmt, v, greaterOperand, terminalCondition) and
     // `initialCondition` is a value of `v` in the for loop
     v.getAnAssignedValue() = initialCondition and
-    DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(greaterOperand)) and
+    DataFlow::localFlowStep+(DataFlow::exprNode(initialCondition),
+      DataFlow::exprNode(greaterOperand)) and
     // `terminalCondition` < `initialCondition`
     (
       upperBound(terminalCondition) < lowerBound(initialCondition)
 
@@ -36,20 +36,20 @@ class StdString extends Class {
  * Holds if `e` is a direct or indirect reference to a locally
  * allocated `std::string`.
  */
-predicate refToStdString(Expr e, ConstructorCall source) {
+predicate refToStdString(DataFlow::Node node, ConstructorCall source) {
   exists(StdString stdstring |
     stdstring.getAMemberFunction() = source.getTarget() and
     not exists(LocalVariable v |
       source = v.getInitializer().getExpr() and
       v.isStatic()
     ) and
-    e = source
+    node.asExpr() = source
   )
   or
   // Indirect use.
-  exists(Expr prev |
+  exists(DataFlow::Node prev |
     refToStdString(prev, source) and
-    DataFlow::localFlowStep(DataFlow::exprNode(prev), DataFlow::exprNode(e))
+    DataFlow::localFlowStep(prev, node)
   )
 }
 
@@ -74,29 +74,30 @@ predicate flowFunction(Function fcn, int argIndex) {
  * Holds if `e` is a direct or indirect reference to the result of calling
  * `c_str` on a locally allocated `std::string`.
  */
-predicate refToCStr(Expr e, ConstructorCall source) {
-  exists(MemberFunction f, FunctionCall call |
+predicate refToCStr(DataFlow::Node node, ConstructorCall source) {
+  exists(MemberFunction f, FunctionCall call, DataFlow::Node qualifier |
     f.getName() = "c_str" and
-    call = e and
+    call = node.asExpr() and
     call.getTarget() = f and
-    refToStdString(call.getQualifier(), source)
+    qualifier.asIndirectArgument() = call.getQualifier() and
+    refToStdString(qualifier, source)
   )
   or
   // Indirect use.
-  exists(Expr prev |
+  exists(DataFlow::Node prev |
     refToCStr(prev, source) and
-    DataFlow::localFlowStep(DataFlow::exprNode(prev), DataFlow::exprNode(e))
+    DataFlow::localFlowStep(prev, node)
   )
   or
   // Some functions, such as `JNIEnv::NewStringUTF()` (from Java's JNI)
   // embed return a structure containing a reference to the C-style string.
   exists(Function f, int argIndex |
     flowFunction(f, argIndex) and
-    f = e.(Call).getTarget() and
-    refToCStr(e.(Call).getArgument(argIndex), source)
+    f = node.asExpr().(Call).getTarget() and
+    refToCStr(DataFlow::exprNode(node.asExpr().(Call).getArgument(argIndex)), source)
   )
 }
 
 from ReturnStmt r, ConstructorCall source
-where refToCStr(r.getExpr(), source)
+where refToCStr(DataFlow::exprNode(r.getExpr()), source)
 select r, "Return value may contain a dangling pointer to $@.", source, "this local std::string"