C++: Use getConvertedResultExpr in IR-based dataflow

dave-bartolomeo · dave-bartolomeo · commit 2b80aee55721 · 2018-12-05T12:34:44.000-08:00
This sort of fixes one FP and causes a new FN, but for the wrong reasons. The IR dataflow is tracking the reference itself, rather than the referred-to object. Once we can better model indirections, we can make this work correctly.

This change is still the right thing to do, because it ensures that the dataflow is looking at actual expression being computed by the instruction.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -25,7 +25,7 @@ class Node extends Instruction {
   }
 
   /** Gets the expression corresponding to this node, if any. */
-  Expr asExpr() { result = this.getUnconvertedResultExpression() }
+  Expr asExpr() { result = this.getConvertedResultExpression() }
 
   /** Gets the parameter corresponding to this node, if any. */
   Parameter asParameter() { result = this.(InitializeParameterInstruction).getParameter() }
@@ -48,8 +48,10 @@ class Node extends Instruction {
  * An expression, viewed as a node in a data flow graph.
  */
 class ExprNode extends Node {
-  ExprNode() { getAST() instanceof Expr }
-  Expr getExpr() { result = getAST() }
+  Expr expr;
+
+  ExprNode() { expr = this.getConvertedResultExpression() }
+  Expr getExpr() { result = expr }
 }
 
 /**
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll b/cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll
@@ -19,7 +19,7 @@ class TestAllocationConfig extends DataFlow::Configuration {
   override predicate isSink(DataFlow::Node sink) {
     exists(FunctionCall call |
       call.getTarget().getName() = "sink" and
-      sink.asExpr() = call.getAnArgument()
+      sink.asExpr() = call.getAnArgument().getFullyConverted()
     )
   }
 
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
@@ -1,6 +1,6 @@
 | test.cpp:6:12:6:17 | test.cpp:21:8:21:9 | IR only |
 | test.cpp:66:30:66:36 | test.cpp:71:8:71:9 | AST only |
-| test.cpp:89:28:89:34 | test.cpp:92:8:92:14 | IR only |
+| test.cpp:89:28:89:34 | test.cpp:90:8:90:14 | AST only |
 | test.cpp:100:13:100:18 | test.cpp:103:10:103:12 | AST only |
 | test.cpp:120:9:120:20 | test.cpp:126:8:126:19 | AST only |
 | test.cpp:122:18:122:30 | test.cpp:132:22:132:23 | IR only |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected
@@ -10,8 +10,6 @@
 | test.cpp:76:8:76:9 | Load: u1 | test.cpp:75:7:75:8 | Uninitialized: definition of u1 |
 | test.cpp:84:8:84:18 | Load: ... ? ... : ... | test.cpp:83:7:83:8 | Uninitialized: definition of u2 |
 | test.cpp:86:8:86:9 | Load: i1 | test.cpp:83:7:83:8 | Uninitialized: definition of u2 |
-| test.cpp:90:8:90:14 | Load: source1 | test.cpp:89:28:89:34 | InitializeParameter: source1 |
-| test.cpp:92:8:92:14 | Load: source1 | test.cpp:89:28:89:34 | InitializeParameter: source1 |
 | test.cpp:132:22:132:23 | Load: m1 | test.cpp:122:18:122:30 | InitializeParameter: sourceStruct1 |
 | test.cpp:140:22:140:23 | Load: m1 | test.cpp:122:18:122:30 | InitializeParameter: sourceStruct1 |
 | test.cpp:188:8:188:8 | Load: y | test.cpp:186:27:186:32 | Call: call to source |

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ class TestAllocationConfig extends DataFlow::Configuration {`
`19`	`19`	`override predicate isSink(DataFlow::Node sink) {`
`20`	`20`	`exists(FunctionCall call \|`
`21`	`21`	`call.getTarget().getName() = "sink" and`
`22`		`- sink.asExpr() = call.getAnArgument()`
	`22`	`+ sink.asExpr() = call.getAnArgument().getFullyConverted()`
`23`	`23`	`)`
`24`	`24`	`}`
`25`	`25`