C++: Some writes are always certain regardless of the address.

2026-05-24 16:17:07 +02:00 · 2026-05-12 11:44:54 +01:00
parent fc80a2472d
commit 8585bb616d
3 changed files with 23 additions and 23 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
@@ -305,27 +305,28 @@ private class AlwaysUncertain extends Certainty, TAlwaysUncertain {
 predicate isWrite(Node0Impl value, Operand address, Certainty certain) {
  any(Indirection ind).isAdditionalWrite(value, address, certain)
  or
-  certain instanceof CertainWhenAddressIsCertain and
-  (
-    exists(StoreInstruction store |
-      value.asInstruction() = store and
-      address = store.getDestinationAddressOperand()
-    )
-    or
-    exists(InitializeParameterInstruction init |
-      value.asInstruction() = init and
-      address = init.getAnOperand()
-    )
-    or
-    exists(InitializeDynamicAllocationInstruction init |
-      value.asInstruction() = init and
-      address = init.getAllocationAddressOperand()
-    )
-    or
-    exists(UninitializedInstruction uninitialized |
-      value.asInstruction() = uninitialized and
-      address = uninitialized.getAnOperand()
-    )
+  exists(StoreInstruction store |
+    value.asInstruction() = store and
+    address = store.getDestinationAddressOperand() and
+    certain instanceof CertainWhenAddressIsCertain
+  )
+  or
+  exists(InitializeParameterInstruction init |
+    value.asInstruction() = init and
+    address = init.getAnOperand() and
+    certain instanceof AlwaysCertain
+  )
+  or
+  exists(InitializeDynamicAllocationInstruction init |
+    value.asInstruction() = init and
+    address = init.getAllocationAddressOperand() and
+    certain instanceof AlwaysCertain
+  )
+  or
+  exists(UninitializedInstruction uninitialized |
+    value.asInstruction() = uninitialized and
+    address = uninitialized.getAnOperand() and
+    certain instanceof AlwaysCertain
  )
 }

--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
@@ -394,7 +394,6 @@ irFlow
 | test.cpp:1312:7:1312:12 | call to source | test.cpp:1314:8:1314:8 | x |
 | test.cpp:1318:13:1318:18 | call to source | test.cpp:1327:10:1327:10 | i |
 | test.cpp:1329:11:1329:16 | call to source | test.cpp:1330:10:1330:10 | i |
-| test.cpp:1337:17:1337:24 | call to source | test.cpp:1336:10:1336:18 | access to array |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -1333,7 +1333,7 @@ void nsdmi_test() {
 void certain_def_uninitialized_instruction_test() {
  for(int i = 0; i < 10; i++) {
    char buffer[10];
-    sink(buffer[0]); // $ SPURIOUS: ir ast
+    sink(buffer[0]); // $ SPURIOUS: ast
    buffer[0] = source();
  }
 }