Merge pull request #1047 from jbj/dataflow-StmtExpr

C++: Data flow through StmtExpr
2026-04-30 03:05:15 +02:00 · 2019-03-06 10:33:12 +00:00
parent 94699175a4 0a57767cc6
commit 693937367d
4 changed files with 25 additions and 0 deletions
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -275,6 +275,10 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
    fromExpr = op.getOperand()
  )
  or
+  toExpr = any(StmtExpr stmtExpr |
+    fromExpr = stmtExpr.getResultExpr()
+  )
+  or
  toExpr = any(Call call |
    exists(DataFlowFunction f, FunctionInput inModel , FunctionOutput outModel, int iIn |
      call.getTarget() = f and
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -491,3 +491,20 @@ void intArraySourceCaller2() {
  sink(local); // tainted
  sink(*local); // clean
 }
+
+///////////////////////////////////////////////////////////////////////////////
+
+void throughStmtExpr(int source1, int clean1) {
+  sink( ({ source1; }) ); // tainted
+  sink( ({ clean1; }) ); // clean
+
+  int local = ({
+    int tmp;
+    if (clean1)
+      tmp = source1;
+    else
+      tmp = clean1;
+    tmp;
+  });
+  sink(local); // tainted
+}
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
@@ -35,6 +35,8 @@
 | test.cpp:478:8:478:12 | local | test.cpp:477:20:477:24 | ref arg local |
 | test.cpp:485:8:485:12 | local | test.cpp:484:18:484:23 | ref arg & ... |
 | test.cpp:491:8:491:12 | local | test.cpp:490:18:490:22 | ref arg local |
+| test.cpp:498:9:498:22 | (statement expression) | test.cpp:497:26:497:32 | source1 |
+| test.cpp:509:8:509:12 | local | test.cpp:497:26:497:32 | source1 |
 | true_upon_entry.cpp:21:8:21:8 | x | true_upon_entry.cpp:17:11:17:16 | call to source |
 | true_upon_entry.cpp:29:8:29:8 | x | true_upon_entry.cpp:27:9:27:14 | call to source |
 | true_upon_entry.cpp:39:8:39:8 | x | true_upon_entry.cpp:33:11:33:16 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
@@ -17,6 +17,8 @@
 | test.cpp:477:20:477:24 | test.cpp:478:8:478:12 | AST only |
 | test.cpp:484:18:484:23 | test.cpp:485:8:485:12 | AST only |
 | test.cpp:490:18:490:22 | test.cpp:491:8:491:12 | AST only |
+| test.cpp:497:26:497:32 | test.cpp:498:9:498:22 | AST only |
+| test.cpp:497:26:497:32 | test.cpp:509:8:509:12 | AST only |
 | true_upon_entry.cpp:9:11:9:16 | true_upon_entry.cpp:13:8:13:8 | IR only |
 | true_upon_entry.cpp:62:11:62:16 | true_upon_entry.cpp:66:8:66:8 | IR only |
 | true_upon_entry.cpp:98:11:98:16 | true_upon_entry.cpp:105:8:105:8 | IR only |