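--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal
@@ -331,8 +331,6 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) {
 or
 varSourceBaseCase ( var , nodeFrom .asUninitialized ( ) )
 or
-var .definedByReference ( nodeFrom .asDefiningArgument ( ) )
-or
 var .definedPartiallyAt ( nodeFrom .asPartialDefinition ( ) )
 ) and
 varToExprStep ( var , nodeTo .asExpr ( ) )
@@ -392,6 +390,16 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
 or
 toExpr = any ( StmtExpr stmtExpr | fromExpr = stmtExpr .getResultExpr ( ) )
 or
+// The following case is needed to track the qualifier object for flow
+// through fields. It gives flow from `T(x)` to `new T(x)`. That's not
+// strictly _data_ flow but _taint_ flow because the type of `fromExpr` is
+// `T` while the type of `toExpr` is `T*`.
+//
+// This discrepancy is an artifact of how `new`-expressions are represented
+// in the database in a way that slightly varies from what the standard
+// specifies. In the C++ standard, there is no constructor call expression
+// `T(x)` after `new`. Instead there is a type `T` and an optional
+// initializer `(x)`.
 toExpr .( NewExpr ) .getInitializer ( ) = fromExpr
 or
 toExpr = any ( Call call |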
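Review bot: Dropping the `var.definedByReference(nodeFrom.asDefiningArgument())` disjunct in the first hunk removes the local step from a by-reference defining argument to later reads of `var` without saying where that flow is now produced, and a query relying on `localFlowStep` for flow through out-parameters would silently lose results if nothing else supplies it. Presumably the step is provided elsewhere (the commit may add it in a part of the file not shown) — confirm, and leave a one-line pointer at the removal site, e.g. `// Flow out of by-reference defining arguments is handled by <predicate> rather than here`, with the placeholder filled in. The new comment block in the second hunk is clear; it could additionally state that the `T(x)` to `new T(x)` step is deliberately kept in a data-flow local step despite the `T` versus `T*` type mismatch it describes, so readers do not take it for an oversight. Both `localFlowStep` and `exprToExprStep_nocfg` begin outside the hunks.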