

Commit 2c6dbac

committed
C++: Tidy up DataFlowUtil.qll
1 parent 0a13d7a commit 2c6dbac

1 file changed

Lines changed: 10 additions & 2 deletions


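--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -331,8 +331,6 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) {
 or
 varSourceBaseCase(var, nodeFrom.asUninitialized())
 or
-var.definedByReference(nodeFrom.asDefiningArgument())
-or
 var.definedPartiallyAt(nodeFrom.asPartialDefinition())
 ) and
 varToExprStep(var, nodeTo.asExpr())
@@ -392,6 +390,16 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
 or
 toExpr = any(StmtExpr stmtExpr | fromExpr = stmtExpr.getResultExpr())
 or
+// The following case is needed to track the qualifier object for flow
+// through fields. It gives flow from `T(x)` to `new T(x)`. That's not
+// strictly _data_ flow but _taint_ flow because the type of `fromExpr` is
+// `T` while the type of `toExpr` is `T*`.
+//
+// This discrepancy is an artifact of how `new`-expressions are represented
+// in the database in a way that slightly varies from what the standard
+// specifies. In the C++ standard, there is no constructor call expression
+// `T(x)` after `new`. Instead there is a type `T` and an optional
+// initializer `(x)`.
 toExpr.(NewExpr).getInitializer() = fromExpr
 or
 toExpr = any(Call call |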
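Review bot: The first hunk drops the disjunct `var.definedByReference(nodeFrom.asDefiningArgument())` from `localFlowStep` without any comment saying where flow from a by-reference definition into `var` is now produced, and the remaining disjuncts in the hunk (`asUninitialized()`, `asPartialDefinition()`) do not cover it. If that step is redundant with another part of the library, a one-line comment at the `varSourceBaseCase` disjunct such as `// definedByReference is handled by the defining-argument node itself, not here` would stop a later reader from reinstating it; if it is not redundant, taint-tracking queries built on `localFlowStep` silently lose flows through output-reference parameters, which shows up as missed findings rather than as an error. The body of `localFlowStep` starts and ends outside the hunk, so the remaining disjuncts cannot be checked from here. The second hunk's new comment already explains why the `NewExpr` initializer step is kept despite being taint-like, which is the kind of justification the first hunk is missing.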
