C++: Improve EscapesTree analysis in the presence of temporary objects.

cpp/ql/src/semmle/code/cpp/dataflow/EscapesTree.qll

@@ -222,6 +222,14 @@ private predicate addressMayEscapeMutablyAt(Expr e) {
     // If the address has been cast to an integral type, conservatively assume that it may eventually be cast back to a
     // pointer to non-const type.
     t instanceof IntegralType
+    or
+    // If we go through a temporary object step, we can take a reference to a temporary const pointer
+    // object, where the pointer doesn't point to a const value
+    exists(TemporaryObjectExpr temp, PointerType pt |
+      temp.getConversion() = e and pt = temp.getType().stripTopLevelSpecifiers()
+    |
+      not pt.getBaseType().isConst()
+    )
   )
 }
 
@@ -249,7 +257,7 @@ private predicate addressFromVariableAccess(VariableAccess va, Expr e) {
   // `e` could be a pointer that is converted to a reference as the final step,
   // meaning that we pass a value that is two dereferences away from referring
   // to `va`. This happens, for example, with `void std::vector::push_back(T&&
-  // value);` when called as `v.push_back(&x)`, for a static variable `x`. It
+  // value);` when called as `v.push_back(&x)`, for a variable `x`. It
   // can also happen when taking a reference to a const pointer to a
   // (potentially non-const) value.
   exists(Expr pointerValue |

cpp/ql/test/library-tests/defuse/definition.expected

@@ -1,5 +1,6 @@
 | addressOf.cpp:23:9:23:9 | i | addressOf.cpp:24:22:24:30 | call to move |
 | addressOf.cpp:23:9:23:9 | i | addressOf.cpp:25:25:25:26 | & ... |
+| addressOf.cpp:23:9:23:9 | i | addressOf.cpp:26:31:26:32 | & ... |
 | addressOf.cpp:31:23:31:23 | i | addressOf.cpp:32:18:32:19 | & ... |
 | addressOf.cpp:31:23:31:23 | i | addressOf.cpp:34:18:34:33 | ... ? ... : ... |
 | addressOf.cpp:31:23:31:23 | i | addressOf.cpp:35:18:35:23 | & ... |
@@ -78,6 +79,7 @@
 | pass_by_ref.cpp:46:7:46:7 | i | pass_by_ref.cpp:49:5:49:7 | ... ++ |
 | pass_by_ref.cpp:46:7:46:7 | i | pass_by_ref.cpp:53:22:53:22 | i |
 | pass_by_ref.cpp:60:7:60:7 | x | pass_by_ref.cpp:60:10:60:11 | 2 |
+| pass_by_ref.cpp:60:7:60:7 | x | pass_by_ref.cpp:61:34:61:35 | & ... |
 | pass_by_ref.cpp:66:8:66:8 | p | pass_by_ref.cpp:66:12:66:18 | 0 |
 | test.cpp:4:7:4:7 | a | test.cpp:5:3:5:8 | ... = ... |
 | test.cpp:4:7:4:7 | a | test.cpp:13:3:13:7 | ... = ... |

cpp/ql/test/library-tests/defuse/definitionUsePair.expected

@@ -76,7 +76,7 @@
 | pass_by_ref.cpp:46:7:46:7 | i | pass_by_ref.cpp:49:5:49:7 | ... ++ | pass_by_ref.cpp:53:22:53:22 | i |
 | pass_by_ref.cpp:46:7:46:7 | i | pass_by_ref.cpp:53:22:53:22 | i | pass_by_ref.cpp:54:10:54:10 | i |
 | pass_by_ref.cpp:60:7:60:7 | x | pass_by_ref.cpp:60:10:60:11 | 2 | pass_by_ref.cpp:61:35:61:35 | x |
-| pass_by_ref.cpp:60:7:60:7 | x | pass_by_ref.cpp:60:10:60:11 | 2 | pass_by_ref.cpp:62:10:62:10 | x |
+| pass_by_ref.cpp:60:7:60:7 | x | pass_by_ref.cpp:61:34:61:35 | & ... | pass_by_ref.cpp:62:10:62:10 | x |
 | pass_by_ref.cpp:66:8:66:8 | p | pass_by_ref.cpp:66:12:66:18 | 0 | pass_by_ref.cpp:67:34:67:34 | p |
 | pass_by_ref.cpp:66:8:66:8 | p | pass_by_ref.cpp:66:12:66:18 | 0 | pass_by_ref.cpp:68:10:68:10 | p |
 | test.cpp:4:7:4:7 | a | test.cpp:5:3:5:8 | ... = ... | test.cpp:9:7:9:7 | a |

cpp/ql/test/library-tests/defuse/isAddressOfAccess.expected

@@ -1,7 +1,7 @@
 | addressOf.cpp:14:28:14:29 | d_ | non-const address |
 | addressOf.cpp:24:32:24:32 | i | non-const address |
 | addressOf.cpp:25:26:25:26 | i | non-const address |
-| addressOf.cpp:26:32:26:32 | i | const address |
+| addressOf.cpp:26:32:26:32 | i | non-const address |
 | addressOf.cpp:32:19:32:19 | i | non-const address |
 | addressOf.cpp:34:18:34:18 | i |  |
 | addressOf.cpp:34:23:34:23 | i | non-const address |
@@ -151,7 +151,7 @@
 | pass_by_ref.cpp:49:5:49:5 | i |  |
 | pass_by_ref.cpp:53:22:53:22 | i | non-const address |
 | pass_by_ref.cpp:54:10:54:10 | i |  |
-| pass_by_ref.cpp:61:35:61:35 | x | const address |
+| pass_by_ref.cpp:61:35:61:35 | x | non-const address |
 | pass_by_ref.cpp:62:10:62:10 | x |  |
 | pass_by_ref.cpp:67:34:67:34 | p | const address |
 | pass_by_ref.cpp:68:10:68:10 | p |  |

cpp/ql/test/library-tests/defuse/useUsePair.expected

@@ -25,7 +25,6 @@
 | pass_by_ref.cpp:21:7:21:8 | i2 | pass_by_ref.cpp:24:26:24:27 | i2 | pass_by_ref.cpp:27:39:27:40 | i2 |
 | pass_by_ref.cpp:21:7:21:8 | i2 | pass_by_ref.cpp:25:27:25:28 | i2 | pass_by_ref.cpp:27:39:27:40 | i2 |
 | pass_by_ref.cpp:45:17:45:17 | n | pass_by_ref.cpp:46:11:46:11 | n | pass_by_ref.cpp:48:7:48:7 | n |
-| pass_by_ref.cpp:60:7:60:7 | x | pass_by_ref.cpp:61:35:61:35 | x | pass_by_ref.cpp:62:10:62:10 | x |
 | pass_by_ref.cpp:66:8:66:8 | p | pass_by_ref.cpp:67:34:67:34 | p | pass_by_ref.cpp:68:10:68:10 | p |
 | test.cpp:4:7:4:7 | a | test.cpp:14:7:14:7 | a | test.cpp:18:7:18:7 | a |
 | test.cpp:4:7:4:7 | a | test.cpp:14:7:14:7 | a | test.cpp:24:7:24:7 | a |

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.expected

@@ -50,5 +50,4 @@
 | PointlessComparison.cpp:43:6:43:29 | ... >= ... | Comparison is always true because ... >> ... >= 140737488355327.5. |
 | PointlessComparison.cpp:44:6:44:28 | ... >= ... | Comparison is always true because ... >> ... >= 140737488355327.5. |
 | RegressionTests.cpp:57:7:57:22 | ... <= ... | Comparison is always true because * ... <= 4294967295. |
-| RegressionTests.cpp:125:7:125:11 | ... > ... | Comparison is always false because x <= 0. |
 | Templates.cpp:9:10:9:24 | ... <= ... | Comparison is always true because local <= 32767. |

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp

@@ -122,5 +122,5 @@ void f(int *const &ref_to_ptr);
 void testTempObject() {
   int x = 0;
   f(&x);
-  if (x > 0) {} // BAD [FALSE POSITIVE]
+  if (x > 0) {} // GOOD [NO LONGER REPORTED]
 }