C++: Fix flow through arrays.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -441,10 +441,6 @@ class OperandNode extends Node, Node0 {
 Type stripPointer(Type t) {
   result = any(Ssa::Indirection ind | ind.getType() = t).getBaseType()
   or
-  // These types have a sensible base type, but don't receive additional
-  // dataflow nodes representing their indirections. So for now we special case them.
-  result = t.(ArrayType).getBaseType()
-  or
   result = t.(PointerToMemberType).getBaseType()
   or
   result = t.(FunctionPointerIshType).getBaseType()

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -176,18 +176,9 @@ private newtype TDefOrUseImpl =
       cppType.hasUnspecifiedType(p.getUnspecifiedType(), _) and
       isModifiableAt(cppType, indirectionIndex + 1)
     ) and
-    (
-      exists(Indirection indirection |
-        indirection.getType() = p.getUnspecifiedType() and
-        indirectionIndex = [1 .. indirection.getNumberOfIndirections()]
-      )
-      or
-      // Array types don't have indirections. So we need to special case them here.
-      exists(Cpp::ArrayType arrayType, CppType cppType |
-        arrayType = p.getUnspecifiedType() and
-        cppType.hasUnspecifiedType(arrayType, _) and
-        indirectionIndex = [1 .. countIndirectionsForCppType(cppType)]
-      )
+    exists(Indirection indirection |
+      indirection.getType() = p.getUnspecifiedType() and
+      indirectionIndex = [1 .. indirection.getNumberOfIndirections()]
     )
   }
 
@@ -287,7 +278,7 @@ abstract class DefImpl extends DefOrUseImpl {
 
   override int getIndirectionIndex() { result = ind }
 
-  override string toString() { result = "DefImpl" }
+  override string toString() { result = "Def of " + this.getSourceVariable() }
 
   override Cpp::Location getLocation() { result = this.getAddressOperand().getUse().getLocation() }
 
@@ -331,7 +322,7 @@ abstract class UseImpl extends DefOrUseImpl {
   /** Gets the node associated with this use. */
   abstract Node getNode();
 
-  override string toString() { result = "UseImpl" }
+  override string toString() { result = "Use of " + this.getSourceVariable() }
 
   /** Gets the indirection index of this use. */
   final override int getIndirectionIndex() { result = ind }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -86,10 +86,12 @@ int getMaxIndirectionsForType(Type type) {
   result = countIndirectionsForCppType(getTypeForGLValue(type))
 }
 
-private class PointerOrReferenceType extends Cpp::DerivedType {
-  PointerOrReferenceType() {
+private class PointerOrArrayOrReferenceType extends Cpp::DerivedType {
+  PointerOrArrayOrReferenceType() {
     this instanceof Cpp::PointerType
     or
+    this instanceof Cpp::ArrayType
+    or
     this instanceof Cpp::ReferenceType
   }
 }
@@ -180,8 +182,10 @@ abstract class Indirection extends Type {
   predicate isAdditionalConversionFlow(Operand opFrom, Instruction instrTo) { none() }
 }
 
-private class PointerOrReferenceTypeIndirection extends Indirection instanceof PointerOrReferenceType {
-  PointerOrReferenceTypeIndirection() { baseType = PointerOrReferenceType.super.getBaseType() }
+private class PointerOrArrayOrReferenceTypeIndirection extends Indirection instanceof PointerOrArrayOrReferenceType {
+  PointerOrArrayOrReferenceTypeIndirection() {
+    baseType = PointerOrArrayOrReferenceType.super.getBaseType()
+  }
 
   override int getNumberOfIndirections() {
     result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
@@ -211,7 +215,8 @@ private module IteratorIndirections {
 
   class IteratorIndirection extends Indirection instanceof Interfaces::Iterator {
     IteratorIndirection() {
-      not this instanceof PointerOrReferenceTypeIndirection and baseType = super.getValueType()
+      not this instanceof PointerOrArrayOrReferenceTypeIndirection and
+      baseType = super.getValueType()
     }
 
     override int getNumberOfIndirections() {
@@ -399,7 +404,7 @@ predicate isModifiableByCall(ArgumentOperand operand, int indirectionIndex) {
       // by `call` should not be of the form `const T*` (for some deeply const type `T`).
       if call.getStaticCallTarget() instanceof Cpp::ConstMemberFunction
       then
-        exists(PointerOrReferenceType resultType |
+        exists(PointerOrArrayOrReferenceType resultType |
           resultType = call.getResultType() and
           not resultType.isDeeplyConstBelow()
         )
@@ -420,10 +425,7 @@ private predicate isModifiableAtImpl(CppType cppType, int indirectionIndex) {
   (
     exists(Type pointerType, Type base, Type t |
       pointerType = t.getUnderlyingType() and
-      (
-        pointerType = any(Indirection ind).getUnderlyingType() or
-        pointerType instanceof Cpp::ArrayType
-      ) and
+      pointerType = any(Indirection ind).getUnderlyingType() and
       cppType.hasType(t, _) and
       base = getTypeImpl(pointerType, indirectionIndex)
     |

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll

@@ -41,8 +41,7 @@ private newtype TDefOrUseImpl =
     isIteratorUse(container, iteratorAddress, _, _)
   } or
   TFinalParameterUse(Parameter p) {
-    any(Indirection indirection).getType() = p.getUnspecifiedType() or
-    p.getUnspecifiedType() instanceof Cpp::ArrayType
+    any(Indirection indirection).getType() = p.getUnspecifiedType()
   }
 
 abstract private class DefOrUseImpl extends TDefOrUseImpl {