Merge pull request #10995 from MathiasVP/fix-as-expr

C++: Fix `asExpr` and `asIndirectExpr` in IR dataflow

Author: jketema

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -142,11 +142,7 @@ class Node extends TIRDataFlowNode {
    * Gets the non-conversion expression that's indirectly tracked by this node
    * under `index` number of indirections.
    */
-  Expr asIndirectExpr(int index) {
-    exists(Operand operand | hasOperandAndIndex(this, operand, index) |
-      result = operand.getDef().getUnconvertedResultExpression()
-    )
-  }
+  Expr asIndirectExpr(int index) { result = this.(IndirectExprNode).getExpr(index) }
 
   /**
    * Gets the non-conversion expression that's indirectly tracked by this node
@@ -165,9 +161,7 @@ class Node extends TIRDataFlowNode {
    * behind `index` number of indirections.
    */
   Expr asIndirectConvertedExpr(int index) {
-    exists(Operand operand | hasOperandAndIndex(this, operand, index) |
-      result = operand.getDef().getConvertedResultExpression()
-    )
+    result = this.(IndirectExprNode).getConvertedExpr(index)
   }
 
   /**
@@ -309,14 +303,25 @@ class Node extends TIRDataFlowNode {
 
   /** Gets a textual representation of this element. */
   cached
-  final string toString() { result = this.toStringImpl() }
+  final string toString() {
+    result = toExprString(this)
+    or
+    not exists(toExprString(this)) and
+    result = this.toStringImpl()
+  }
 
   /** INTERNAL: Do not use. */
   string toStringImpl() {
     none() // overridden by subclasses
   }
 }
 
+private string toExprString(Node n) {
+  result = n.asExpr().toString()
+  or
+  result = n.asIndirectExpr().toString() + " indirection"
+}
+
 /**
  * An instruction, viewed as a node in a data flow graph.
  */
@@ -738,6 +743,19 @@ private predicate exprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e,
   not convertedExprMustBeOperand(e)
 }
 
+/** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */
+private predicate indirectExprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e) {
+  exists(Instruction instr |
+    instr = node.getOperand().getDef() and
+    not node instanceof ExprNode
+  |
+    e = instr.(VariableAddressInstruction).getAst().(Expr).getFullyConverted()
+    or
+    not instr instanceof VariableAddressInstruction and
+    e = instr.getConvertedResultExpression()
+  )
+}
+
 private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e) {
   exists(CallInstruction call |
     call.getStaticCallTarget() instanceof Constructor and
@@ -754,18 +772,35 @@ predicate exprNodeShouldBeInstruction(Node node, Expr e) {
   not exprNodeShouldBeIndirectOutNode(_, e)
 }
 
-private class ExprNodeBase extends Node {
-  Expr getConvertedExpr() { none() } // overridden by subclasses
+/** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
+predicate indirectExprNodeShouldBeIndirectInstruction(IndirectInstruction node, Expr e) {
+  exists(Instruction instr |
+    instr = node.getInstruction() and not indirectExprNodeShouldBeIndirectOperand(_, e)
+  |
+    e = instr.(VariableAddressInstruction).getAst().(Expr).getFullyConverted()
+    or
+    not instr instanceof VariableAddressInstruction and
+    e = instr.getConvertedResultExpression()
+  )
+}
+
+abstract private class ExprNodeBase extends Node {
+  /**
+   * Gets the expression corresponding to this node, if any. The returned
+   * expression may be a `Conversion`.
+   */
+  abstract Expr getConvertedExpr();
 
-  Expr getExpr() { none() } // overridden by subclasses
+  /** Gets the non-conversion expression corresponding to this node, if any. */
+  abstract Expr getExpr();
 }
 
 private class InstructionExprNode extends ExprNodeBase, InstructionNode {
   InstructionExprNode() { exprNodeShouldBeInstruction(this, _) }
 
   final override Expr getConvertedExpr() { exprNodeShouldBeInstruction(this, result) }
 
-  final override Expr getExpr() { result = this.getInstruction().getUnconvertedResultExpression() }
+  final override Expr getExpr() { result = this.getConvertedExpr().getUnconverted() }
 
   final override string toStringImpl() { result = this.getConvertedExpr().toString() }
 }
@@ -775,9 +810,7 @@ private class OperandExprNode extends ExprNodeBase, OperandNode {
 
   final override Expr getConvertedExpr() { exprNodeShouldBeOperand(this, result) }
 
-  final override Expr getExpr() {
-    result = this.getOperand().getDef().getUnconvertedResultExpression()
-  }
+  final override Expr getExpr() { result = this.getConvertedExpr().getUnconverted() }
 
   final override string toStringImpl() {
     // Avoid generating multiple `toString` results for `ArgumentNode`s
@@ -790,17 +823,58 @@ private class OperandExprNode extends ExprNodeBase, OperandNode {
 }
 
 private class IndirectOperandExprNode extends ExprNodeBase, IndirectOperand {
-  LoadInstruction load;
+  IndirectOperandExprNode() { exprNodeShouldBeIndirectOperand(this, _, _) }
 
-  IndirectOperandExprNode() { exprNodeShouldBeIndirectOperand(this, _, load) }
+  final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOperand(this, result, _) }
 
-  final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOperand(this, result, load) }
-
-  final override Expr getExpr() { result = load.getUnconvertedResultExpression() }
+  final override Expr getExpr() { result = this.getConvertedExpr().getUnconverted() }
 
   final override string toStringImpl() { result = this.getConvertedExpr().toString() }
 }
 
+abstract private class IndirectExprNodeBase extends Node {
+  /**
+   * Gets the expression corresponding to this node, if any. The returned
+   * expression may be a `Conversion`.
+   */
+  abstract Expr getConvertedExpr(int indirectionIndex);
+
+  /** Gets the non-conversion expression corresponding to this node, if any. */
+  abstract Expr getExpr(int indirectionIndex);
+}
+
+private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase, IndirectOperand {
+  IndirectOperandIndirectExprNode() { indirectExprNodeShouldBeIndirectOperand(this, _) }
+
+  final override Expr getConvertedExpr(int index) {
+    this.getIndirectionIndex() = index and
+    indirectExprNodeShouldBeIndirectOperand(this, result)
+  }
+
+  final override Expr getExpr(int index) {
+    this.getIndirectionIndex() = index and
+    result = this.getConvertedExpr(index).getUnconverted()
+  }
+
+  final override string toStringImpl() { result = super.toStringImpl() }
+}
+
+private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase, IndirectInstruction {
+  IndirectInstructionIndirectExprNode() { indirectExprNodeShouldBeIndirectInstruction(this, _) }
+
+  final override Expr getConvertedExpr(int index) {
+    this.getIndirectionIndex() = index and
+    indirectExprNodeShouldBeIndirectInstruction(this, result)
+  }
+
+  final override Expr getExpr(int index) {
+    this.getIndirectionIndex() = index and
+    result = this.getConvertedExpr(index).getUnconverted()
+  }
+
+  final override string toStringImpl() { result = super.toStringImpl() }
+}
+
 private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
   IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _) }
 
@@ -830,6 +904,25 @@ class ExprNode extends Node instanceof ExprNodeBase {
   Expr getConvertedExpr() { result = super.getConvertedExpr() }
 }
 
+/**
+ * An indirect expression, viewed as a node in a data flow graph.
+ */
+class IndirectExprNode extends Node instanceof IndirectExprNodeBase {
+  /**
+   * Gets the non-conversion expression corresponding to this node, if any. If
+   * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
+   * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
+   * expression.
+   */
+  Expr getExpr(int indirectionIndex) { result = super.getExpr(indirectionIndex) }
+
+  /**
+   * Gets the expression corresponding to this node, if any. The returned
+   * expression may be a `Conversion`.
+   */
+  Expr getConvertedExpr(int indirectionIndex) { result = super.getConvertedExpr(indirectionIndex) }
+}
+
 /**
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph. This includes both explicit parameters such as `x` in `f(x)`

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected

@@ -1,20 +1,20 @@
 edges
 | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... |
-| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | (unsigned long)... |
+| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... |
 | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... |
-| test.cpp:22:17:22:21 | (size_t)... | test.cpp:23:33:23:37 | size1 |
+| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 |
 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 |
 nodes
 | test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
 | test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
 | test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
-| test.cpp:15:31:15:35 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
 | test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
 | test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
 | test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... |
 | test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... |
 | test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... |
-| test.cpp:22:17:22:21 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... |
 | test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... |
 | test.cpp:23:33:23:37 | size1 | semmle.label | size1 |
 | test.cpp:30:27:30:31 | ... * ... | semmle.label | ... * ... |
@@ -24,13 +24,13 @@ subpaths
 | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
 | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
 | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
-| test.cpp:15:31:15:35 | (unsigned long)... | test.cpp:15:31:15:35 | (unsigned long)... | test.cpp:15:31:15:35 | (unsigned long)... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | (unsigned long)... | multiplication |
-| test.cpp:15:31:15:35 | (unsigned long)... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | (unsigned long)... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
+| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
+| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
 | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
 | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication |
 | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication |
 | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication |
-| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | (size_t)... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | (size_t)... | multiplication |
+| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication |
 | test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication |
 | test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:27:30:31 | ... * ... | multiplication |
 | test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:27:31:31 | ... * ... | multiplication |