From 8585bb616d65d054304d29fed2af0fe12849cd1e Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Tue, 12 May 2026 11:44:54 +0100
Subject: [PATCH] C++: Some writes are always certain regardless of the address.

---
 .../ir/dataflow/internal/SsaImplCommon.qll | 43 ++++++++++---------
 .../dataflow-tests/test-source-sink.expected | 1 -
 .../dataflow/dataflow-tests/test.cpp | 2 +-
 3 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
index 03cbf387550..31931189003 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
@@ -305,27 +305,28 @@ private class AlwaysUncertain extends Certainty, TAlwaysUncertain {
 predicate isWrite(Node0Impl value, Operand address, Certainty certain) {
 any(Indirection ind).isAdditionalWrite(value, address, certain)
 or
- certain instanceof CertainWhenAddressIsCertain and
- (
- exists(StoreInstruction store |
- value.asInstruction() = store and
- address = store.getDestinationAddressOperand()
- )
- or
- exists(InitializeParameterInstruction init |
- value.asInstruction() = init and
- address = init.getAnOperand()
- )
- or
- exists(InitializeDynamicAllocationInstruction init |
- value.asInstruction() = init and
- address = init.getAllocationAddressOperand()
- )
- or
- exists(UninitializedInstruction uninitialized |
- value.asInstruction() = uninitialized and
- address = uninitialized.getAnOperand()
- )
+ exists(StoreInstruction store |
+ value.asInstruction() = store and
+ address = store.getDestinationAddressOperand() and
+ certain instanceof CertainWhenAddressIsCertain
+ )
+ or
+ exists(InitializeParameterInstruction init |
+ value.asInstruction() = init and
+ address = init.getAnOperand() and
+ certain instanceof AlwaysCertain
+ )
+ or
+ exists(InitializeDynamicAllocationInstruction init |
+ value.asInstruction() = init and
+ address = init.getAllocationAddressOperand() and
+ certain instanceof AlwaysCertain
+ )
+ or
+ exists(UninitializedInstruction uninitialized |
+ value.asInstruction() = uninitialized and
+ address = uninitialized.getAnOperand() and
+ certain instanceof AlwaysCertain
 )
 }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
index a4c83c44066..2ead5d7b23a 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
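Review bot: The new side of `isWrite` now assigns `StoreInstruction` a different certainty from the three initialization instructions without recording why, so a reader cannot tell whether the asymmetry is deliberate or an oversight. A comment before the `exists(InitializeParameterInstruction init | ...)` disjunct would keep the reasoning from the commit title next to the code, e.g. `// Parameter, dynamic-allocation and uninitialized-variable initializations write the whole object they address, so they are certain regardless of how precise the address is.`; the definitions of `AlwaysCertain` and `CertainWhenAddressIsCertain` are outside this hunk, so the exact wording should be checked against them. Presumably an `AlwaysCertain` write can kill earlier definitions in the SSA construction, which means a misclassification here would lose real flow rather than add spurious results, so the reason deserves to be visible. The only test change in this commit (the removed `access to array` row and the `test.cpp` annotation) covers the `UninitializedInstruction` case; the parameter and dynamic-allocation cases have no corresponding expected-output change in this patch.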
@@ -394,7 +394,6 @@ irFlow
 | test.cpp:1312:7:1312:12 | call to source | test.cpp:1314:8:1314:8 | x |
 | test.cpp:1318:13:1318:18 | call to source | test.cpp:1327:10:1327:10 | i |
 | test.cpp:1329:11:1329:16 | call to source | test.cpp:1330:10:1330:10 | i |
-| test.cpp:1337:17:1337:24 | call to source | test.cpp:1336:10:1336:18 | access to array |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
index f87671464f9..6e80fa75aa0 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -1333,7 +1333,7 @@ void nsdmi_test() {
 void certain_def_uninitialized_instruction_test() {
 for(int i = 0; i < 10; i++) {
 char buffer[10];
- sink(buffer[0]); // $ SPURIOUS: ir ast
+ sink(buffer[0]); // $ SPURIOUS: ast
 buffer[0] = source();
 }
 }
\ No newline at end of file