Merge pull request #11254 from MathiasVP/fix-ssa-flow

MathiasVP · web-flow · commit 349c5cd8007a · 2022-11-23T09:52:28.000Z
C++: Fix spurious reference flow
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -235,7 +235,13 @@ class Node extends TIRDataFlowNode {
   Expr asIndirectArgument() { result = this.asIndirectArgument(_) }
 
   /** Gets the positional parameter corresponding to this node, if any. */
-  Parameter asParameter() { result = this.asParameter(0) }
+  Parameter asParameter() {
+    exists(int indirectionIndex | result = this.asParameter(indirectionIndex) |
+      if result.getUnspecifiedType() instanceof ReferenceType
+      then indirectionIndex = 1
+      else indirectionIndex = 0
+    )
+  }
 
   /**
    * Gets the uninitialized local variable corresponding to this node, if
@@ -1233,35 +1239,11 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   )
 }
 
-pragma[noinline]
-private predicate getAddressType(LoadInstruction load, Type t) {
-  exists(Instruction address |
-    address = load.getSourceAddress() and
-    t = address.getResultType()
-  )
-}
-
-/**
- * Like the AST dataflow library, we want to conflate the address and value of a reference. This class
- * represents the `LoadInstruction` that is generated from a reference dereference.
- */
-private class ReferenceDereferenceInstruction extends LoadInstruction {
-  ReferenceDereferenceInstruction() {
-    exists(ReferenceType ref |
-      getAddressType(this, ref) and
-      this.getResultType() = ref.getBaseType()
-    )
-  }
-}
-
 private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
   // Treat all conversions as flow, even conversions between different numeric types.
   conversionFlow(opFrom, iTo, false)
   or
   iTo.(CopyInstruction).getSourceValueOperand() = opFrom
-  or
-  // Conflate references and values like in AST dataflow.
-  iTo.(ReferenceDereferenceInstruction).getSourceAddressOperand() = opFrom
 }
 
 private predicate simpleOperandLocalFlowStep(Instruction iFrom, Operand opTo) {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -275,10 +275,10 @@ predicate adjacentDefRead(DefOrUse defOrUse1, UseOrPhi use) {
   exists(IRBlock bb1, int i1, SourceVariable v |
     defOrUse1.asDefOrUse().hasIndexInBlock(bb1, i1, v)
   |
-    exists(IRBlock bb2, int i2 |
-      adjacentDefRead(_, pragma[only_bind_into](bb1), pragma[only_bind_into](i1),
-        pragma[only_bind_into](bb2), pragma[only_bind_into](i2))
-    |
+    exists(IRBlock bb2, int i2, Definition def |
+      adjacentDefRead(pragma[only_bind_into](def), pragma[only_bind_into](bb1),
+        pragma[only_bind_into](i1), pragma[only_bind_into](bb2), pragma[only_bind_into](i2)) and
+      def.getSourceVariable() = v and
       use.asDefOrUse().(UseImpl).hasIndexInBlock(bb2, i2, v)
     )
     or
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -197,11 +197,11 @@ private module Cached {
   predicate isUse(boolean certain, Operand op, Instruction base, int ind, int indirectionIndex) {
     not ignoreOperand(op) and
     certain = true and
-    exists(LanguageType type, int m, int ind0 |
+    exists(LanguageType type, int upper, int ind0 |
       type = getLanguageType(op) and
-      m = countIndirectionsForCppType(type) and
+      upper = countIndirectionsForCppType(type) and
       isUseImpl(op, base, ind0) and
-      ind = ind0 + [0 .. m] and
+      ind = ind0 + [0 .. upper] and
       indirectionIndex = ind - ind0
     )
   }
@@ -277,7 +277,7 @@ private module Cached {
     int indirectionIndex
   ) {
     certain = true and
-    exists(int ind0, CppType type, int m |
+    exists(int ind0, CppType type, int lower, int upper |
       address =
         [
           instr.(StoreInstruction).getDestinationAddressOperand(),
@@ -288,9 +288,10 @@ private module Cached {
     |
       isDefImpl(address, base, ind0) and
       type = getLanguageType(address) and
-      m = countIndirectionsForCppType(type) and
-      ind = ind0 + [1 .. m] and
-      indirectionIndex = ind - (ind0 + 1)
+      upper = countIndirectionsForCppType(type) and
+      ind = ind0 + [lower .. upper] and
+      indirectionIndex = ind - (ind0 + lower) and
+      if type.hasType(any(Cpp::ArrayType arrayType), true) then lower = 0 else lower = 1
     )
   }
 
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
@@ -85,11 +85,11 @@ postWithInFlow
 | test.cpp:407:10:407:13 | ref arg & ... | PostUpdateNode should not be the target of local flow. |
 | test.cpp:407:11:407:13 | tmp [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:423:21:423:25 | local [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:436:19:436:23 | local [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:465:3:465:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:465:4:465:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:470:22:470:22 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:499:3:499:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:499:4:499:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:505:35:505:35 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:441:19:441:23 | local [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:472:3:472:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:472:4:472:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:477:22:477:22 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:506:3:506:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:506:4:506:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:512:35:512:35 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected
@@ -71,10 +71,10 @@
 | test.cpp:391:11:391:13 | tmp | test.cpp:391:10:391:13 | & ... |
 | test.cpp:391:17:391:23 | source1 | test.cpp:391:10:391:13 | ref arg & ... |
 | test.cpp:391:17:391:23 | source1 | test.cpp:391:16:391:23 | & ... |
-| test.cpp:480:67:480:67 | s | test.cpp:480:67:480:67 | s |
-| test.cpp:480:67:480:67 | s | test.cpp:481:21:481:21 | s |
-| test.cpp:480:67:480:67 | s | test.cpp:482:20:482:20 | s |
-| test.cpp:481:21:481:21 | s [post update] | test.cpp:480:67:480:67 | s |
-| test.cpp:481:21:481:21 | s [post update] | test.cpp:482:20:482:20 | s |
-| test.cpp:481:24:481:30 | ref arg content | test.cpp:482:23:482:29 | content |
-| test.cpp:482:23:482:29 | content | test.cpp:483:9:483:17 | p_content |
+| test.cpp:487:67:487:67 | s | test.cpp:487:67:487:67 | s |
+| test.cpp:487:67:487:67 | s | test.cpp:488:21:488:21 | s |
+| test.cpp:487:67:487:67 | s | test.cpp:489:20:489:20 | s |
+| test.cpp:488:21:488:21 | s [post update] | test.cpp:487:67:487:67 | s |
+| test.cpp:488:21:488:21 | s [post update] | test.cpp:489:20:489:20 | s |
+| test.cpp:488:24:488:30 | ref arg content | test.cpp:489:23:489:29 | content |
+| test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/ref.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/ref.cpp
@@ -56,13 +56,13 @@ namespace withoutFields {
     sink(x1); // $ ast,ir=55:23 SPURIOUS: ast,ir=53:9
 
     notAssign(x2, source());
-    sink(x2); // $ SPURIOUS: ast ir=53:13 ir=58:19
+    sink(x2); // $ SPURIOUS: ast ir
 
     sourceToParamWrapper(x3);
     sink(x3); // $ ast,ir=29:11 SPURIOUS: ast,ir=53:17
 
     notSource(x4);
-    sink(x4); // $ SPURIOUS: ast ir=44:11 ir=53:21
+    sink(x4); // $ SPURIOUS: ast ir
   }
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -89,7 +89,7 @@ void trackUninitialized() {
 void local_references(int &source1, int clean1) {
   sink(source1); // $ ast,ir
   source1 = clean1;
-  sink(source1); // $ SPURIOUS: ir
+  sink(source1); // clean
 
   // The next two test cases show that the analysis does not understand the "&"
   // on the type at all. It does not understand that the initialization creates
@@ -423,25 +423,32 @@ void intPointerSourceCaller() {
   intPointerSource(&local);
   sink(local); // $ ast,ir=422:7 ast,ir=423:20
 }
-
+// The IR results for this test _are_ equivalent to the AST ones.
+// The IR annotation is just "ir" because the sink of the unitialized source at
+// `433:7` (i.e., the declaration `int local[1];`) is value of `local`, but the sink
+// of the source from `intPointerSource` value of `*local` (i.e., the indirection node
+// of `local`). So unlike AST dataflow, each of these two sinks correspond to a unique
+// source, and thus we don't need to attach a location annotation to it.
 void intPointerSourceCaller2() {
   int local[1];
   intPointerSource(local);
-  sink(local); // $ ast,ir=428:7 ast,ir=429:20
-  sink(*local); // $ ast,ir=428:7 ast,ir=429:20
+  sink(local); // $ ast=433:7 ast=434:20 ir
+  sink(*local); // $ ast=433:7 ast=434:20 ir
 }
 
 void intArraySourceCaller() {
   int local;
   intArraySource(&local, 1);
-  sink(local); // $ ast,ir=435:7 ast,ir=436:18
+  sink(local); // $ ast,ir=440:7 ast,ir=441:18
 }
 
+// The IR results for this test _are_ equivalent to the AST ones.
+// See the comment on `intPointerSourceCaller2` for an explanation.
 void intArraySourceCaller2() {
   int local[2];
   intArraySource(local, 2);
-  sink(local); // $ ast,ir=441:7 ast,ir=442:18
-  sink(*local); // $ ast,ir=441:7 ast,ir=442:18
+  sink(local); // $ ast=448:7 ast=449:18 ir
+  sink(*local); // $ ast=448:7 ast=449:18 ir
 }
 
 ///////////////////////////////////////////////////////////////////////////////
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
@@ -26,11 +26,11 @@
 | test.cpp:416:7:416:11 | local | test.cpp:418:8:418:12 | local |
 | test.cpp:422:7:422:11 | local | test.cpp:423:21:423:25 | local |
 | test.cpp:422:7:422:11 | local | test.cpp:424:8:424:12 | local |
-| test.cpp:428:7:428:11 | local | test.cpp:429:20:429:24 | local |
-| test.cpp:428:7:428:11 | local | test.cpp:430:8:430:12 | local |
-| test.cpp:428:7:428:11 | local | test.cpp:431:9:431:13 | local |
-| test.cpp:435:7:435:11 | local | test.cpp:436:19:436:23 | local |
-| test.cpp:435:7:435:11 | local | test.cpp:437:8:437:12 | local |
-| test.cpp:441:7:441:11 | local | test.cpp:442:18:442:22 | local |
-| test.cpp:441:7:441:11 | local | test.cpp:443:8:443:12 | local |
-| test.cpp:441:7:441:11 | local | test.cpp:444:9:444:13 | local |
+| test.cpp:433:7:433:11 | local | test.cpp:434:20:434:24 | local |
+| test.cpp:433:7:433:11 | local | test.cpp:435:8:435:12 | local |
+| test.cpp:433:7:433:11 | local | test.cpp:436:9:436:13 | local |
+| test.cpp:440:7:440:11 | local | test.cpp:441:19:441:23 | local |
+| test.cpp:440:7:440:11 | local | test.cpp:442:8:442:12 | local |
+| test.cpp:448:7:448:11 | local | test.cpp:449:18:449:22 | local |
+| test.cpp:448:7:448:11 | local | test.cpp:450:8:450:12 | local |
+| test.cpp:448:7:448:11 | local | test.cpp:451:9:451:13 | local |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/A.cpp b/cpp/ql/test/library-tests/dataflow/fields/A.cpp
@@ -54,7 +54,7 @@ class A
     B *b = new B();
     b->set(new C1());
     sink(b->get());                // $ ast ir=55:12
-    sink((new B(new C()))->get()); // $ ast ir=57:17
+    sink((new B(new C()))->get()); // $ ast ir
   }
 
   void f3()
@@ -129,7 +129,7 @@ class A
   {
     B *b = new B();
     f7(b);
-    sink(b->c); // $ ast ir=126:12
+    sink(b->c); // $ ast ir
   }
 
   class D
diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -35,7 +35,6 @@ edges
 | A.cpp:57:11:57:24 | new indirection [c] | A.cpp:57:11:57:24 | new indirection [c] |
 | A.cpp:57:17:57:23 | new | A.cpp:23:10:23:10 | c |
 | A.cpp:57:17:57:23 | new | A.cpp:57:11:57:24 | call to B [c] |
-| A.cpp:57:17:57:23 | new | A.cpp:57:17:57:23 | new |
 | A.cpp:64:10:64:15 | call to setOnB indirection [c] | A.cpp:66:10:66:11 | Load indirection [c] |
 | A.cpp:64:21:64:28 | new | A.cpp:64:10:64:15 | call to setOnB indirection [c] |
 | A.cpp:64:21:64:28 | new | A.cpp:64:21:64:28 | new |
@@ -77,7 +76,6 @@ edges
 | A.cpp:126:5:126:5 | set output argument [c] | A.cpp:131:8:131:8 | f7 output argument [c] |
 | A.cpp:126:12:126:18 | new | A.cpp:27:17:27:17 | c |
 | A.cpp:126:12:126:18 | new | A.cpp:126:5:126:5 | set output argument [c] |
-| A.cpp:126:12:126:18 | new | A.cpp:126:12:126:18 | new |
 | A.cpp:131:8:131:8 | f7 output argument [c] | A.cpp:132:10:132:10 | Load indirection [c] |
 | A.cpp:132:10:132:10 | Load indirection [c] | A.cpp:132:10:132:13 | c |
 | A.cpp:132:10:132:10 | Load indirection [c] | A.cpp:132:13:132:13 | FieldAddress indirection |
@@ -924,7 +922,6 @@ nodes
 | A.cpp:57:11:57:24 | call to B [c] | semmle.label | call to B [c] |
 | A.cpp:57:11:57:24 | new indirection [c] | semmle.label | new indirection [c] |
 | A.cpp:57:17:57:23 | new | semmle.label | new |
-| A.cpp:57:17:57:23 | new | semmle.label | new |
 | A.cpp:64:10:64:15 | call to setOnB indirection [c] | semmle.label | call to setOnB indirection [c] |
 | A.cpp:64:21:64:28 | new | semmle.label | new |
 | A.cpp:64:21:64:28 | new | semmle.label | new |
@@ -962,7 +959,6 @@ nodes
 | A.cpp:120:16:120:16 | a | semmle.label | a |
 | A.cpp:126:5:126:5 | set output argument [c] | semmle.label | set output argument [c] |
 | A.cpp:126:12:126:18 | new | semmle.label | new |
-| A.cpp:126:12:126:18 | new | semmle.label | new |
 | A.cpp:131:8:131:8 | f7 output argument [c] | semmle.label | f7 output argument [c] |
 | A.cpp:132:10:132:10 | Load indirection [c] | semmle.label | Load indirection [c] |
 | A.cpp:132:10:132:13 | c | semmle.label | c |
@@ -1772,7 +1768,6 @@ subpaths
 | A.cpp:56:10:56:17 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:10:56:17 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new |
 | A.cpp:56:10:56:17 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:10:56:17 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new |
 | A.cpp:57:10:57:32 | call to get | A.cpp:57:17:57:23 | new | A.cpp:57:10:57:32 | call to get | call to get flows from $@ | A.cpp:57:17:57:23 | new | new |
-| A.cpp:57:10:57:32 | call to get | A.cpp:57:17:57:23 | new | A.cpp:57:10:57:32 | call to get | call to get flows from $@ | A.cpp:57:17:57:23 | new | new |
 | A.cpp:66:10:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:10:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new |
 | A.cpp:66:10:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:10:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new |
 | A.cpp:66:14:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:14:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new |
@@ -1786,8 +1781,6 @@ subpaths
 | A.cpp:120:12:120:16 | a | A.cpp:98:12:98:18 | new | A.cpp:120:12:120:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new |
 | A.cpp:120:16:120:16 | a | A.cpp:98:12:98:18 | new | A.cpp:120:16:120:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new |
 | A.cpp:132:10:132:13 | c | A.cpp:126:12:126:18 | new | A.cpp:132:10:132:13 | c | c flows from $@ | A.cpp:126:12:126:18 | new | new |
-| A.cpp:132:10:132:13 | c | A.cpp:126:12:126:18 | new | A.cpp:132:10:132:13 | c | c flows from $@ | A.cpp:126:12:126:18 | new | new |
-| A.cpp:132:13:132:13 | c | A.cpp:126:12:126:18 | new | A.cpp:132:13:132:13 | c | c flows from $@ | A.cpp:126:12:126:18 | new | new |
 | A.cpp:132:13:132:13 | c | A.cpp:126:12:126:18 | new | A.cpp:132:13:132:13 | c | c flows from $@ | A.cpp:126:12:126:18 | new | new |
 | A.cpp:152:10:152:13 | b | A.cpp:143:25:143:31 | new | A.cpp:152:10:152:13 | b | b flows from $@ | A.cpp:143:25:143:31 | new | new |
 | A.cpp:152:10:152:13 | b | A.cpp:150:12:150:18 | new | A.cpp:152:10:152:13 | b | b flows from $@ | A.cpp:150:12:150:18 | new | new |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected
@@ -1,14 +1,11 @@
 edges
 | examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data |
 | examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data |
-| examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data |
-| examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data |
 | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data |
 | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data |
 subpaths
 nodes
 | examples.cpp:63:26:63:30 | & ... | semmle.label | & ... |
-| examples.cpp:63:26:63:30 | & ... | semmle.label | & ... |
 | examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument |
 | examples.cpp:66:11:66:14 | data | semmle.label | data |
 | examples.cpp:66:11:66:14 | data | semmle.label | data |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -2,7 +2,6 @@ edges
 | test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
 | test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
 | test2.cpp:25:22:25:23 | & ... | test2.cpp:27:13:27:13 | v |
-| test2.cpp:25:22:25:23 | & ... | test2.cpp:27:13:27:13 | v |
 | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:13:27:13 | v |
 | test2.cpp:27:13:27:13 | v | test2.cpp:12:21:12:21 | v |
 | test5.cpp:5:5:5:17 | VariableAddress indirection | test5.cpp:17:6:17:18 | call to getTaintedInt |
@@ -34,7 +33,6 @@ nodes
 | test2.cpp:14:11:14:11 | v | semmle.label | v |
 | test2.cpp:14:11:14:11 | v | semmle.label | v |
 | test2.cpp:25:22:25:23 | & ... | semmle.label | & ... |
-| test2.cpp:25:22:25:23 | & ... | semmle.label | & ... |
 | test2.cpp:25:22:25:23 | fscanf output argument | semmle.label | fscanf output argument |
 | test2.cpp:27:13:27:13 | v | semmle.label | v |
 | test5.cpp:5:5:5:17 | VariableAddress indirection | semmle.label | VariableAddress indirection |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp

Original file line number	Diff line number	Diff line change
`@@ -56,13 +56,13 @@ namespace withoutFields {`
`56`	`56`	`sink(x1); // $ ast,ir=55:23 SPURIOUS: ast,ir=53:9`
`57`	`57`
`58`	`58`	`notAssign(x2, source());`
`59`		`- sink(x2); // $ SPURIOUS: ast ir=53:13 ir=58:19`
	`59`	`+ sink(x2); // $ SPURIOUS: ast ir`
`60`	`60`
`61`	`61`	`sourceToParamWrapper(x3);`
`62`	`62`	`sink(x3); // $ ast,ir=29:11 SPURIOUS: ast,ir=53:17`
`63`	`63`
`64`	`64`	`notSource(x4);`
`65`		`- sink(x4); // $ SPURIOUS: ast ir=44:11 ir=53:21`
	`65`	`+ sink(x4); // $ SPURIOUS: ast ir`
`66`	`66`	`}`
`67`	`67`	`}`
`68`	`68`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ class A`
`54`	`54`	`B *b = new B();`
`55`	`55`	`b->set(new C1());`
`56`	`56`	`sink(b->get()); // $ ast ir=55:12`
`57`		`- sink((new B(new C()))->get()); // $ ast ir=57:17`
	`57`	`+ sink((new B(new C()))->get()); // $ ast ir`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`void f3()`
`@@ -129,7 +129,7 @@ class A`
`129`	`129`	`{`
`130`	`130`	`B *b = new B();`
`131`	`131`	`f7(b);`
`132`		`- sink(b->c); // $ ast ir=126:12`
	`132`	`+ sink(b->c); // $ ast ir`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`class D`