Merge pull request #20017 from jketema/final

C++: Add dataflow predicate for checking if a node is the final value of a parameter
2026-04-25 00:35:20 +02:00 · 2025-07-10 18:47:09 +02:00
parent 3a0def7848 96c379a076
commit 6d8e2f8231
3 changed files with 26 additions and 6 deletions
--- a/cpp/ql/lib/change-notes/2025-07-10-final.md
+++ b/cpp/ql/lib/change-notes/2025-07-10-final.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a `isFinalValueOfParameter` predicate to DataFlow::Node which holds when a dataflow node represents the final value of an output parameter of a function.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -488,6 +488,23 @@ class Node extends TIRDataFlowNode {
    result = this.(IndirectParameterNode).getParameter()
  }

+  /**
+   * Holds if this node represents the `indirectionIndex`'th indirection of
+   * the value of an output parameter `p` just before reaching the end of a function.
+   */
+  predicate isFinalValueOfParameter(Parameter p, int indirectionIndex) {
+    exists(FinalParameterNode n | n = this |
+      p = n.getParameter() and
+      indirectionIndex = n.getIndirectionIndex()
+    )
+  }
+
+  /**
+   * Holds if this node represents the value of an output parameter `p`
+   * just before reaching the end of a function.
+   */
+  predicate isFinalValueOfParameter(Parameter p) { this.isFinalValueOfParameter(p, _) }
+
  /**
   * Gets the variable corresponding to this node, if any. This can be used for
   * modeling flow in and out of global variables.
@@ -1225,7 +1242,7 @@ import RawIndirectNodes
 /**
 * INTERNAL: do not use.
 *
- * A node representing the value of an update parameter
+ * A node representing the value of an output parameter
 * just before reaching the end of a function.
 */
 class FinalParameterNode extends Node, TFinalParameterNode {
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/has-parameter-flow-out.ql
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/has-parameter-flow-out.ql
@@ -24,10 +24,9 @@ module AstTest {

 module IRTest {
  private import semmle.code.cpp.ir.dataflow.DataFlow
-  private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil

  private string stars(int k) {
-    k = [0 .. max(FinalParameterNode n | | n.getIndirectionIndex())] and
+    k = [0 .. max(DataFlow::Node n, int i | n.isFinalValueOfParameter(_, i) | i)] and
    (if k = 0 then result = "" else result = "*" + stars(k - 1))
  }

@@ -35,14 +34,14 @@ module IRTest {
    string getARelevantTag() { result = "ir-def" }

    predicate hasActualResult(Location location, string element, string tag, string value) {
-      exists(Function f, Parameter p, FinalParameterNode n |
+      exists(Function f, Parameter p, DataFlow::Node n, int i |
        p.isNamed() and
-        n.getParameter() = p and
+        n.isFinalValueOfParameter(p, i) and
        n.getFunction() = f and
        location = f.getLocation() and
        element = p.toString() and
        tag = "ir-def" and
-        value = stars(n.getIndirectionIndex()) + p.getName()
+        value = stars(i) + p.getName()
      )
    }
  }