From 87478d016ad5cfc6941066f864538d42fa65565b Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 27 Feb 2026 11:52:13 +0000 Subject: [PATCH] C++: Move 'FieldAddress' and 'conversionFlow'. --- .../ir/dataflow/internal/DataFlowNodes.qll | 59 +++++++++++++++++++ .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 59 ------------------- 2 files changed, 59 insertions(+), 59 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll index d7e29b5a47b..d83d402cfd6 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll @@ -221,6 +221,65 @@ private module Cached { import Cached +/** + * An operand that is defined by a `FieldAddressInstruction`. + */ +class FieldAddress extends Operand { + FieldAddressInstruction fai; + + FieldAddress() { fai = this.getDef() and not SsaImpl::ignoreOperand(this) } + + /** Gets the field associated with this instruction. */ + Field getField() { result = fai.getField() } + + /** Gets the instruction whose result provides the address of the object containing the field. */ + Instruction getObjectAddress() { result = fai.getObjectAddress() } + + /** Gets the operand that provides the address of the object containing the field. */ + Operand getObjectAddressOperand() { result = fai.getObjectAddressOperand() } +} + +/** + * Holds if `opFrom` is an operand whose value flows to the result of `instrTo`. + * + * `isPointerArith` is `true` if `instrTo` is a `PointerArithmeticInstruction` and `opFrom` + * is the left operand. + * + * `additional` is `true` if the conversion is supplied by an implementation of the + * `Indirection` class. It is sometimes useful to exclude such conversions. + */ +predicate conversionFlow( + Operand opFrom, Instruction instrTo, boolean isPointerArith, boolean additional +) { + isPointerArith = false and + ( + additional = false and + ( + instrTo.(CopyValueInstruction).getSourceValueOperand() = opFrom + or + instrTo.(ConvertInstruction).getUnaryOperand() = opFrom + or + instrTo.(CheckedConvertOrNullInstruction).getUnaryOperand() = opFrom + or + instrTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom + or + exists(BuiltInInstruction builtIn | + builtIn = instrTo and + // __builtin_bit_cast + builtIn.getBuiltInOperation() instanceof BuiltInBitCast and + opFrom = builtIn.getAnOperand() + ) + ) + or + additional = true and + SsaImpl::isAdditionalConversionFlow(opFrom, instrTo) + ) + or + isPointerArith = true and + additional = false and + instrTo.(PointerArithmeticInstruction).getLeftOperand() = opFrom +} + module Public { } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index ed642dbe551..a46e67c738f 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -21,65 +21,6 @@ private import DataFlowDispatch as DataFlowDispatch import ExprNodes -/** - * An operand that is defined by a `FieldAddressInstruction`. - */ -class FieldAddress extends Operand { - FieldAddressInstruction fai; - - FieldAddress() { fai = this.getDef() and not SsaImpl::ignoreOperand(this) } - - /** Gets the field associated with this instruction. */ - Field getField() { result = fai.getField() } - - /** Gets the instruction whose result provides the address of the object containing the field. */ - Instruction getObjectAddress() { result = fai.getObjectAddress() } - - /** Gets the operand that provides the address of the object containing the field. */ - Operand getObjectAddressOperand() { result = fai.getObjectAddressOperand() } -} - -/** - * Holds if `opFrom` is an operand whose value flows to the result of `instrTo`. - * - * `isPointerArith` is `true` if `instrTo` is a `PointerArithmeticInstruction` and `opFrom` - * is the left operand. - * - * `additional` is `true` if the conversion is supplied by an implementation of the - * `Indirection` class. It is sometimes useful to exclude such conversions. - */ -predicate conversionFlow( - Operand opFrom, Instruction instrTo, boolean isPointerArith, boolean additional -) { - isPointerArith = false and - ( - additional = false and - ( - instrTo.(CopyValueInstruction).getSourceValueOperand() = opFrom - or - instrTo.(ConvertInstruction).getUnaryOperand() = opFrom - or - instrTo.(CheckedConvertOrNullInstruction).getUnaryOperand() = opFrom - or - instrTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom - or - exists(BuiltInInstruction builtIn | - builtIn = instrTo and - // __builtin_bit_cast - builtIn.getBuiltInOperation() instanceof BuiltInBitCast and - opFrom = builtIn.getAnOperand() - ) - ) - or - additional = true and - SsaImpl::isAdditionalConversionFlow(opFrom, instrTo) - ) - or - isPointerArith = true and - additional = false and - instrTo.(PointerArithmeticInstruction).getLeftOperand() = opFrom -} - /** * A node in a data flow graph. *