C++: A few more IR dataflow tweaks

Made `Node::getType()`, `Node::asParameter()`, and `Node::asUninitialized()` operate directly on the IR. This actually fixed several diffs compared to the AST dataflow, because `getType()` wasn't holding for nodes that weren't `Exprs`. Made `Uninitialized` a `VariableInstruction`. This makes it consistent with `InitializeParameter`.
2026-04-28 10:15:14 +02:00 · 2018-11-30 16:51:14 -08:00
parent 309b703e47
commit 7eb47f3f82
9 changed files with 183 additions and 163 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -21,23 +21,21 @@ class Node extends Instruction {

  /** Gets the type of this node. */
  Type getType() {
-    result = this.asExpr().getType()
-    or
-    result = this.getAST().(Variable).getType()
+    result = this.getResultType()
  }

  /** Gets the expression corresponding to this node, if any. */
  Expr asExpr() { result = this.getUnconvertedResultExpression() }

  /** Gets the parameter corresponding to this node, if any. */
-  Parameter asParameter() { result = this.(ParameterNode).getParameter() }
+  Parameter asParameter() { result = this.(InitializeParameterInstruction).getParameter() }

  /**
   * Gets the uninitialized local variable corresponding to this node, if
   * any.
   */
  LocalVariable asUninitialized() {
-    result = this.(UninitializedNode).getLocalVariable()
+    result = this.(UninitializedInstruction).getLocalVariable()
  }

  /**
@@ -73,8 +71,6 @@ class ParameterNode extends Node, InitializeParameterInstruction {
 * flow graph.
 */
 class UninitializedNode extends Node, UninitializedInstruction {
-  /** Gets the uninitialized local variable corresponding to this node. */
-  LocalVariable getLocalVariable() { result = this.getAST().(VariableDeclarationEntry).getDeclaration()}
 }

 /**
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -595,7 +595,7 @@ class FieldAddressInstruction extends FieldInstruction {
  }
 }

-class UninitializedInstruction extends Instruction {
+class UninitializedInstruction extends VariableInstruction {
  UninitializedInstruction() {
    opcode instanceof Opcode::Uninitialized
  }
@@ -603,6 +603,13 @@ class UninitializedInstruction extends Instruction {
  override final MemoryAccessKind getResultMemoryAccess() {
    result instanceof IndirectMemoryAccess
  }
+
+  /**
+   * Gets the `LocalVariable` that is uninitialized.
+   */
+  final LocalVariable getLocalVariable() {
+    result = var.(IRUserVariable).getVariable()
+  }
 }

 class NoOpInstruction extends Instruction {
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -595,7 +595,7 @@ class FieldAddressInstruction extends FieldInstruction {
  }
 }

-class UninitializedInstruction extends Instruction {
+class UninitializedInstruction extends VariableInstruction {
  UninitializedInstruction() {
    opcode instanceof Opcode::Uninitialized
  }
@@ -603,6 +603,13 @@ class UninitializedInstruction extends Instruction {
  override final MemoryAccessKind getResultMemoryAccess() {
    result instanceof IndirectMemoryAccess
  }
+
+  /**
+   * Gets the `LocalVariable` that is uninitialized.
+   */
+  final LocalVariable getLocalVariable() {
+    result = var.(IRUserVariable).getVariable()
+  }
 }

 class NoOpInstruction extends Instruction {
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
@@ -142,7 +142,10 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali
  }

  override IRVariable getInstructionVariable(InstructionTag tag) {
-    tag = InitializerVariableAddressTag() and
+    (
+      tag = InitializerVariableAddressTag() or
+      hasUninitializedInstruction() and tag = InitializerStoreTag()
+    ) and
    result = getIRUserVariable(getFunction(), getVariable())
  }

--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -595,7 +595,7 @@ class FieldAddressInstruction extends FieldInstruction {
  }
 }

-class UninitializedInstruction extends Instruction {
+class UninitializedInstruction extends VariableInstruction {
  UninitializedInstruction() {
    opcode instanceof Opcode::Uninitialized
  }
@@ -603,6 +603,13 @@ class UninitializedInstruction extends Instruction {
  override final MemoryAccessKind getResultMemoryAccess() {
    result instanceof IndirectMemoryAccess
  }
+
+  /**
+   * Gets the `LocalVariable` that is uninitialized.
+   */
+  final LocalVariable getLocalVariable() {
+    result = var.(IRUserVariable).getVariable()
+  }
 }

 class NoOpInstruction extends Instruction {