C++: Fix an inconsistency with too many out nodes.

MathiasVP · MathiasVP · commit 6b851d052908 · 2023-02-09T16:55:19.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -367,14 +367,18 @@ class ReturnIndirectionNode extends IndirectReturnNode, ReturnNode {
   }
 }
 
-private Operand fullyConvertedCallStep(Operand op) {
+private Operand fullyConvertedCallStepImpl(Operand op) {
   not exists(getANonConversionUse(op)) and
   exists(Instruction instr |
     conversionFlow(op, instr, _, _) and
     result = getAUse(instr)
   )
 }
 
+private Operand fullyConvertedCallStep(Operand op) {
+  result = unique( | | fullyConvertedCallStepImpl(op))
+}
+
 /**
  * Gets the instruction that uses this operand, if the instruction is not
  * ignored for dataflow purposes.
@@ -401,10 +405,21 @@ private Instruction getANonConversionUse(Operand operand) {
 }
 
 /**
- * Gets the operand that represents the first use of the value of `call` following
+ * Gets an operand that represents the use of the value of `call` following
  * a sequence of conversion-like instructions.
+ *
+ * Note that `operand` is not functionally determined by `call` since there
+ * can be multiple sequences of disjoint conversions following a call. For example,
+ * consider an example like:
+ * ```cpp
+ * long f();
+ * int y;
+ * long x = (long)(y = (int)f());
+ * ```
+ * in this case, there'll be a long-to-int conversion on `f()` before the value is assigned to `y`,
+ * and there will be an int-to-long conversion on `(int)f()` before the value is assigned to `x`.
  */
-predicate operandForFullyConvertedCall(Operand operand, CallInstruction call) {
+private predicate operandForFullyConvertedCallImpl(Operand operand, CallInstruction call) {
   exists(getANonConversionUse(operand)) and
   (
     operand = getAUse(call)
@@ -413,6 +428,25 @@ predicate operandForFullyConvertedCall(Operand operand, CallInstruction call) {
   )
 }
 
+/**
+ * Gets the operand that represents the use of the value of `call` following
+ * a sequence of conversion-like instructions, if a unique operand exists.
+ */
+predicate operandForFullyConvertedCall(Operand operand, CallInstruction call) {
+  operand = unique(Operand cand | operandForFullyConvertedCallImpl(cand, call))
+}
+
+private predicate instructionForFullyConvertedCallWithConversions(
+  Instruction instr, CallInstruction call
+) {
+  // Otherwise, flow to the first non-conversion use.
+  instr =
+    getUse(unique(Operand operand |
+        operand = fullyConvertedCallStep*(getAUse(call)) and
+        not exists(fullyConvertedCallStep(operand))
+      ))
+}
+
 /**
  * Gets the instruction that represents the first use of the value of `call` following
  * a sequence of conversion-like instructions.
@@ -424,13 +458,10 @@ predicate instructionForFullyConvertedCall(Instruction instr, CallInstruction ca
   not operandForFullyConvertedCall(_, call) and
   (
     // If there is no use of the call then we pick the call instruction
-    not exists(getAUse(call)) and
+    not instructionForFullyConvertedCallWithConversions(_, call) and
     instr = call
     or
-    // Otherwise, flow to the first non-conversion use.
-    exists(Operand operand | operand = fullyConvertedCallStep*(getAUse(call)) |
-      instr = getANonConversionUse(operand)
-    )
+    instructionForFullyConvertedCallWithConversions(instr, call)
   )
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-number-of-outnodes.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-number-of-outnodes.expected
@@ -1,3 +0,0 @@
-| dispatch.cpp:60:18:60:29 | Call: new | Unexpected result: ir-count(indirect return)=3 |
-| dispatch.cpp:61:18:61:29 | Call: new | Unexpected result: ir-count(indirect return)=3 |
-| dispatch.cpp:65:10:65:21 | Call: new | Unexpected result: ir-count(indirect return)=3 |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
@@ -12,16 +12,6 @@ compatibleTypesReflexive
 unreachableNodeCCtx
 localCallNodes
 postIsNotPre
-| A.cpp:98:12:98:18 | new indirection | PostUpdateNode should not equal its pre-update node. |
-| B.cpp:6:15:6:24 | new indirection | PostUpdateNode should not equal its pre-update node. |
-| B.cpp:15:15:15:27 | new indirection | PostUpdateNode should not equal its pre-update node. |
-| C.cpp:22:12:22:21 | new indirection | PostUpdateNode should not equal its pre-update node. |
-| C.cpp:24:16:24:25 | new indirection | PostUpdateNode should not equal its pre-update node. |
-| D.cpp:28:15:28:24 | new indirection | PostUpdateNode should not equal its pre-update node. |
-| D.cpp:35:15:35:24 | new indirection | PostUpdateNode should not equal its pre-update node. |
-| D.cpp:42:15:42:24 | new indirection | PostUpdateNode should not equal its pre-update node. |
-| D.cpp:49:15:49:24 | new indirection | PostUpdateNode should not equal its pre-update node. |
-| D.cpp:56:15:56:24 | new indirection | PostUpdateNode should not equal its pre-update node. |
 postHasUniquePre
 uniquePostUpdate
 | aliasing.cpp:70:11:70:11 | definition of w indirection | Node has multiple PostUpdateNodes. |
@@ -42,16 +32,6 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
-| A.cpp:98:12:98:18 | new indirection | PostUpdateNode should not be the target of local flow. |
-| B.cpp:6:15:6:24 | new indirection | PostUpdateNode should not be the target of local flow. |
-| B.cpp:15:15:15:27 | new indirection | PostUpdateNode should not be the target of local flow. |
-| C.cpp:22:12:22:21 | new indirection | PostUpdateNode should not be the target of local flow. |
-| C.cpp:24:16:24:25 | new indirection | PostUpdateNode should not be the target of local flow. |
-| D.cpp:28:15:28:24 | new indirection | PostUpdateNode should not be the target of local flow. |
-| D.cpp:35:15:35:24 | new indirection | PostUpdateNode should not be the target of local flow. |
-| D.cpp:42:15:42:24 | new indirection | PostUpdateNode should not be the target of local flow. |
-| D.cpp:49:15:49:24 | new indirection | PostUpdateNode should not be the target of local flow. |
-| D.cpp:56:15:56:24 | new indirection | PostUpdateNode should not be the target of local flow. |
 | realistic.cpp:54:16:54:47 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | realistic.cpp:60:16:60:18 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -31,7 +31,6 @@ edges
 | A.cpp:57:11:57:24 | call to B [c] | A.cpp:57:11:57:24 | new indirection [c] |
 | A.cpp:57:11:57:24 | new indirection [c] | A.cpp:28:8:28:10 | this indirection [c] |
 | A.cpp:57:11:57:24 | new indirection [c] | A.cpp:57:10:57:32 | call to get |
-| A.cpp:57:11:57:24 | new indirection [c] | A.cpp:57:11:57:24 | new indirection [c] |
 | A.cpp:57:17:57:23 | new | A.cpp:23:10:23:10 | c |
 | A.cpp:57:17:57:23 | new | A.cpp:57:11:57:24 | call to B [c] |
 | A.cpp:57:17:57:23 | new | A.cpp:57:17:57:23 | new |

Original file line number	Diff line number	Diff line change
`@@ -1,3 +0,0 @@`
`1`		`-\| dispatch.cpp:60:18:60:29 \| Call: new \| Unexpected result: ir-count(indirect return)=3 \|`
`2`		`-\| dispatch.cpp:61:18:61:29 \| Call: new \| Unexpected result: ir-count(indirect return)=3 \|`
`3`		`-\| dispatch.cpp:65:10:65:21 \| Call: new \| Unexpected result: ir-count(indirect return)=3 \|`