C++: Keep old instruction -> instruction flow in simpleInstructionLocalFlowStep. This means we don't have to add general operand -> instruction to the simpleLocalFlowStep relation, which seems to add a 10% performance regression.

2026-04-29 02:35:15 +02:00 · 2020-06-28 11:28:43 +02:00
parent a0bfbda51c
commit 9c0f877172
3 changed files with 117 additions and 58 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -186,19 +186,18 @@ private class ArrayContent extends Content, TArrayContent {

 private predicate storeStepNoChi(Node node1, Content f, PostUpdateNode node2) {
  exists(FieldAddressInstruction fa, StoreInstruction store |
-    node2.asInstruction() = store and
-    node1.asOperand() = store.getSourceValueOperand() and
+    store = node2.asInstruction() and
    store.getDestinationAddress() = fa and
+    store.getSourceValue() = node1.asInstruction() and
    f.(FieldContent).getField() = fa.getField()
  )
 }

 private predicate storeStepChi(Node node1, Content f, PostUpdateNode node2) {
-  exists(FieldAddressInstruction fa, ChiInstruction chi, StoreInstruction store |
-    node2.asInstruction() = chi and
-    node1.asOperand() = chi.getPartialOperand() and
-    chi.getPartial() = store and
+  exists(FieldAddressInstruction fa, StoreInstruction store |
+    node1.asInstruction() = store and
    store.getDestinationAddress() = fa and
+    node2.asInstruction().(ChiInstruction).getPartial() = store and
    f.(FieldContent).getField() = fa.getField()
  )
 }
@@ -220,10 +219,10 @@ predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
 */
 predicate readStep(Node node1, Content f, Node node2) {
  exists(FieldAddressInstruction fa, LoadInstruction load |
-    node2.asInstruction() = load and
-    node1.asOperand() = load.getSourceValueOperand() and
    load.getSourceAddress() = fa and
-    fa.getField() = f.(FieldContent).getField()
+    node1.asInstruction() = load.getSourceValueOperand().getAnyDef() and
+    fa.getField() = f.(FieldContent).getField() and
+    load = node2.asInstruction()
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -332,6 +332,10 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
    )
  }

+  // By using an operand as the result of this predicate we avoid the dataflow inconsistency errors
+  // caused by having multiple nodes sharing the same pre update node. This inconsistency error can cause
+  // a tuple explosion in the big step dataflow relation since it can make many nodes be the entry node
+  // into a big step.
  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }

  override Expr getDefinedExpr() {
@@ -504,10 +508,11 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFr
 * data flow. It may have less flow than the `localFlowStep` predicate.
 */
 predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
-  simpleInstructionLocalFlowStep(nodeFrom.asOperand(), nodeTo.asInstruction())
+  // Instruction -> Instruction flow
+  simpleInstructionLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asInstruction())
  or
-  // Flow from an instruction to its operands
-  nodeTo.asOperand().getAnyDef() = nodeFrom.asInstruction()
+  // Operand -> Instruction flow
+  simpleOperandLocalFlowStep(nodeFrom.asOperand(), nodeTo.asInstruction())
 }

 pragma[noinline]
@@ -519,16 +524,26 @@ private predicate getFieldSizeOfClass(Class c, Type type, int size) {
  )
 }

+private predicate simpleOperandLocalFlowStep(Operand opFrom, Instruction iTo) {
+  // Certain dataflow steps (for instance `PostUpdateNode.getPreUpdateNode()`) generates flow to
+  // operands, so we include dataflow from those operands to the "result" of the instruction (i.e., to
+  // the instruction itself).
+  exists(PostUpdateNode post |
+    opFrom = post.getPreUpdateNode().asOperand() and
+    iTo.getAnOperand() = opFrom
+  )
+}
+
 cached
-private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
-  iTo.(CopyInstruction).getSourceValueOperand() = opFrom and not opFrom.isDefinitionInexact()
+private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction iTo) {
+  iTo.(CopyInstruction).getSourceValue() = iFrom
  or
-  iTo.(PhiInstruction).getAnInputOperand() = opFrom and not opFrom.isDefinitionInexact()
+  iTo.(PhiInstruction).getAnOperand().getDef() = iFrom
  or
  // A read side effect is almost never exact since we don't know exactly how
  // much memory the callee will read.
-  iTo.(ReadSideEffectInstruction).getSideEffectOperand() = opFrom and
-  not opFrom.getAnyDef().isResultConflated()
+  iTo.(ReadSideEffectInstruction).getSideEffectOperand().getAnyDef() = iFrom and
+  not iFrom.isResultConflated()
  or
  // Loading a single `int` from an `int *` parameter is not an exact load since
  // the parameter may point to an entire array rather than a single `int`. The
@@ -541,8 +556,8 @@ private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo
  // reassignment of the parameter indirection, including a conditional one that
  // leads to a phi node.
  exists(InitializeIndirectionInstruction init |
-    opFrom.getAnyDef() = init and
-    iTo.(LoadInstruction).getSourceValueOperand() = opFrom and
+    iFrom = init and
+    iTo.(LoadInstruction).getSourceValueOperand().getAnyDef() = init and
    // Check that the types match. Otherwise we can get flow from an object to
    // its fields, which leads to field conflation when there's flow from other
    // fields to the object elsewhere.
@@ -551,13 +566,11 @@ private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo
  )
  or
  // Treat all conversions as flow, even conversions between different numeric types.
-  iTo.(ConvertInstruction).getUnaryOperand() = opFrom and not opFrom.isDefinitionInexact()
+  iTo.(ConvertInstruction).getUnary() = iFrom
  or
-  iTo.(CheckedConvertOrNullInstruction).getUnaryOperand() = opFrom and
-  not opFrom.isDefinitionInexact()
+  iTo.(CheckedConvertOrNullInstruction).getUnary() = iFrom
  or
-  iTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom and
-  not opFrom.isDefinitionInexact()
+  iTo.(InheritanceConversionInstruction).getUnary() = iFrom
  or
  // A chi instruction represents a point where a new value (the _partial_
  // operand) may overwrite an old value (the _total_ operand), but the alias
@@ -570,7 +583,7 @@ private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo
  //
  // Flow through the partial operand belongs in the taint-tracking libraries
  // for now.
-  iTo.getAnOperand().(ChiTotalOperand) = opFrom
+  iTo.getAnOperand().(ChiTotalOperand).getDef() = iFrom
  or
  // Add flow from write side-effects to non-conflated chi instructions through their
  // partial operands. From there, a `readStep` will find subsequent reads of that field.
@@ -585,25 +598,24 @@ private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo
  // Here, a `WriteSideEffectInstruction` will provide a new definition for `p->x` after the call to
  // `setX`, which will be melded into `p` through a chi instruction.
  exists(ChiInstruction chi | chi = iTo |
-    opFrom.getAnyDef() instanceof WriteSideEffectInstruction and
-    chi.getPartialOperand() = opFrom and
+    chi.getPartialOperand().getDef() = iFrom.(WriteSideEffectInstruction) and
    not chi.isResultConflated()
  )
  or
  // Flow from stores to structs with a single field to a load of that field.
-  iTo.(LoadInstruction).getSourceValueOperand() = opFrom and
+  iTo.(LoadInstruction).getSourceValueOperand().getAnyDef() = iFrom and
  exists(int size, Type type, Class cTo |
-    type = opFrom.getAnyDef().getResultType() and
+    type = iFrom.getResultType() and
    cTo = iTo.getResultType() and
    cTo.getSize() = size and
    getFieldSizeOfClass(cTo, type, size)
  )
  or
  // Flow through modeled functions
-  modelFlow(opFrom, iTo)
+  modelFlow(iFrom, iTo)
 }

-private predicate modelFlow(Operand opFrom, Instruction iTo) {
+private predicate modelFlow(Instruction iFrom, Instruction iTo) {
  exists(
    CallInstruction call, DataFlowFunction func, FunctionInput modelIn, FunctionOutput modelOut
  |
@@ -628,17 +640,17 @@ private predicate modelFlow(Operand opFrom, Instruction iTo) {
    (
      exists(int index |
        modelIn.isParameter(index) and
-        opFrom = call.getPositionalArgumentOperand(index)
+        iFrom = call.getPositionalArgument(index)
      )
      or
      exists(int index, ReadSideEffectInstruction read |
        modelIn.isParameterDeref(index) and
        read = getSideEffectFor(call, index) and
-        opFrom = read.getSideEffectOperand()
+        iFrom = read.getSideEffectOperand().getAnyDef()
      )
      or
      modelIn.isQualifierAddress() and
-      opFrom = call.getThisArgumentOperand()
+      iFrom = call.getThisArgument()
      // TODO: add read side effects for qualifiers
    )
  )
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -6,43 +6,57 @@ edges
 | A.cpp:57:10:57:25 | Argument -1 indirection [c] | A.cpp:57:28:57:30 | call to get |
 | A.cpp:57:11:57:24 | B output argument [c] | A.cpp:57:10:57:25 | Argument -1 indirection [c] |
 | A.cpp:57:17:57:23 | new | A.cpp:57:11:57:24 | B output argument [c] |
-| A.cpp:98:12:98:18 | new | A.cpp:100:5:100:13 | Chi [a] |
+| A.cpp:98:12:98:18 | new | A.cpp:100:5:100:13 | Store |
 | A.cpp:100:5:100:13 | Chi [a] | A.cpp:101:8:101:9 | Argument 0 indirection [a] |
+| A.cpp:100:5:100:13 | Store | A.cpp:100:5:100:13 | Chi [a] |
 | A.cpp:101:8:101:9 | Argument 0 indirection [a] | A.cpp:103:14:103:14 | *c [a] |
 | A.cpp:103:14:103:14 | *c [a] | A.cpp:107:16:107:16 | a |
 | A.cpp:126:5:126:5 | Chi [c] | A.cpp:131:8:131:8 | f7 output argument [c] |
 | A.cpp:126:5:126:5 | set output argument [c] | A.cpp:126:5:126:5 | Chi [c] |
 | A.cpp:126:12:126:18 | new | A.cpp:126:5:126:5 | set output argument [c] |
-| A.cpp:131:8:131:8 | f7 output argument [c] | A.cpp:132:13:132:13 | c |
+| A.cpp:131:8:131:8 | Chi [c] | A.cpp:132:13:132:13 | c |
+| A.cpp:131:8:131:8 | f7 output argument [c] | A.cpp:131:8:131:8 | Chi [c] |
 | A.cpp:142:7:142:20 | Chi [c] | A.cpp:151:18:151:18 | D output argument [c] |
-| A.cpp:142:14:142:20 | new | A.cpp:142:7:142:20 | Chi [c] |
+| A.cpp:142:7:142:20 | Store | A.cpp:142:7:142:20 | Chi [c] |
+| A.cpp:142:14:142:20 | new | A.cpp:142:7:142:20 | Store |
 | A.cpp:143:7:143:31 | Chi [b] | A.cpp:151:12:151:24 | D output argument [b] |
-| A.cpp:143:25:143:31 | new | A.cpp:143:7:143:31 | Chi [b] |
+| A.cpp:143:7:143:31 | Store | A.cpp:143:7:143:31 | Chi [b] |
+| A.cpp:143:25:143:31 | new | A.cpp:143:7:143:31 | Store |
 | A.cpp:150:12:150:18 | new | A.cpp:151:18:151:18 | b |
-| A.cpp:151:12:151:24 | D output argument [b] | A.cpp:152:13:152:13 | b |
-| A.cpp:151:18:151:18 | D output argument [c] | A.cpp:154:13:154:13 | c |
+| A.cpp:151:12:151:24 | Chi [b] | A.cpp:152:13:152:13 | b |
+| A.cpp:151:12:151:24 | D output argument [b] | A.cpp:151:12:151:24 | Chi [b] |
+| A.cpp:151:18:151:18 | Chi [c] | A.cpp:154:13:154:13 | c |
+| A.cpp:151:18:151:18 | D output argument [c] | A.cpp:151:18:151:18 | Chi [c] |
 | A.cpp:151:18:151:18 | b | A.cpp:151:12:151:24 | D output argument [b] |
 | C.cpp:18:12:18:18 | C output argument [s1] | C.cpp:19:5:19:5 | Argument -1 indirection [s1] |
 | C.cpp:18:12:18:18 | C output argument [s3] | C.cpp:19:5:19:5 | Argument -1 indirection [s3] |
 | C.cpp:19:5:19:5 | Argument -1 indirection [s1] | C.cpp:27:8:27:11 | *#this [s1] |
 | C.cpp:19:5:19:5 | Argument -1 indirection [s3] | C.cpp:27:8:27:11 | *#this [s3] |
 | C.cpp:22:12:22:21 | Chi [s1] | C.cpp:24:5:24:25 | Chi [s1] |
-| C.cpp:22:12:22:21 | new | C.cpp:22:12:22:21 | Chi [s1] |
+| C.cpp:22:12:22:21 | Store | C.cpp:22:12:22:21 | Chi [s1] |
+| C.cpp:22:12:22:21 | new | C.cpp:22:12:22:21 | Store |
 | C.cpp:24:5:24:25 | Chi [s1] | C.cpp:18:12:18:18 | C output argument [s1] |
 | C.cpp:24:5:24:25 | Chi [s3] | C.cpp:18:12:18:18 | C output argument [s3] |
-| C.cpp:24:16:24:25 | new | C.cpp:24:5:24:25 | Chi [s3] |
+| C.cpp:24:5:24:25 | Store | C.cpp:24:5:24:25 | Chi [s3] |
+| C.cpp:24:16:24:25 | new | C.cpp:24:5:24:25 | Store |
 | C.cpp:27:8:27:11 | *#this [s1] | C.cpp:29:10:29:11 | s1 |
 | C.cpp:27:8:27:11 | *#this [s3] | C.cpp:31:10:31:11 | s3 |
 | aliasing.cpp:9:3:9:22 | Chi [m1] | aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] |
-| aliasing.cpp:9:11:9:20 | call to user_input | aliasing.cpp:9:3:9:22 | Chi [m1] |
+| aliasing.cpp:9:3:9:22 | Store | aliasing.cpp:9:3:9:22 | Chi [m1] |
+| aliasing.cpp:9:11:9:20 | call to user_input | aliasing.cpp:9:3:9:22 | Store |
 | aliasing.cpp:13:3:13:21 | Chi [m1] | aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] |
-| aliasing.cpp:13:10:13:19 | call to user_input | aliasing.cpp:13:3:13:21 | Chi [m1] |
-| aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | aliasing.cpp:29:11:29:12 | m1 |
-| aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] | aliasing.cpp:30:11:30:12 | m1 |
+| aliasing.cpp:13:3:13:21 | Store | aliasing.cpp:13:3:13:21 | Chi [m1] |
+| aliasing.cpp:13:10:13:19 | call to user_input | aliasing.cpp:13:3:13:21 | Store |
+| aliasing.cpp:25:17:25:19 | Chi [m1] | aliasing.cpp:29:11:29:12 | m1 |
+| aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | aliasing.cpp:25:17:25:19 | Chi [m1] |
+| aliasing.cpp:26:19:26:20 | Chi [m1] | aliasing.cpp:30:11:30:12 | m1 |
+| aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] | aliasing.cpp:26:19:26:20 | Chi [m1] |
 | aliasing.cpp:37:13:37:22 | call to user_input | aliasing.cpp:38:11:38:12 | m1 |
 | aliasing.cpp:42:11:42:20 | call to user_input | aliasing.cpp:43:13:43:14 | m1 |
-| aliasing.cpp:60:3:60:22 | Chi [m1] | aliasing.cpp:62:14:62:15 | m1 |
-| aliasing.cpp:60:11:60:20 | call to user_input | aliasing.cpp:60:3:60:22 | Chi [m1] |
+| aliasing.cpp:60:3:60:22 | Chi [m1] | aliasing.cpp:61:13:61:14 | Store [m1] |
+| aliasing.cpp:60:3:60:22 | Store | aliasing.cpp:60:3:60:22 | Chi [m1] |
+| aliasing.cpp:60:11:60:20 | call to user_input | aliasing.cpp:60:3:60:22 | Store |
+| aliasing.cpp:61:13:61:14 | Store [m1] | aliasing.cpp:62:14:62:15 | m1 |
 | aliasing.cpp:79:11:79:20 | call to user_input | aliasing.cpp:80:12:80:13 | m1 |
 | aliasing.cpp:86:10:86:19 | call to user_input | aliasing.cpp:87:12:87:13 | m1 |
 | aliasing.cpp:92:12:92:21 | call to user_input | aliasing.cpp:93:12:93:13 | m1 |
@@ -60,14 +74,20 @@ edges
 | by_reference.cpp:69:22:69:23 | Argument 0 indirection [a] | by_reference.cpp:69:8:69:20 | call to nonMemberGetA |
 | by_reference.cpp:84:3:84:25 | Chi [a] | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] |
 | by_reference.cpp:84:3:84:25 | Chi [a] | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] |
-| by_reference.cpp:84:14:84:23 | call to user_input | by_reference.cpp:84:3:84:25 | Chi [a] |
+| by_reference.cpp:84:3:84:25 | Store | by_reference.cpp:84:3:84:25 | Chi [a] |
+| by_reference.cpp:84:14:84:23 | call to user_input | by_reference.cpp:84:3:84:25 | Store |
 | by_reference.cpp:88:3:88:24 | Chi [a] | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] |
 | by_reference.cpp:88:3:88:24 | Chi [a] | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] |
-| by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:88:3:88:24 | Chi [a] |
-| by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | by_reference.cpp:110:27:110:27 | a |
-| by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | by_reference.cpp:114:29:114:29 | a |
-| by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | by_reference.cpp:130:27:130:27 | a |
-| by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | by_reference.cpp:134:29:134:29 | a |
+| by_reference.cpp:88:3:88:24 | Store | by_reference.cpp:88:3:88:24 | Chi [a] |
+| by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:88:3:88:24 | Store |
+| by_reference.cpp:102:21:102:39 | Chi [a] | by_reference.cpp:110:27:110:27 | a |
+| by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | by_reference.cpp:102:21:102:39 | Chi [a] |
+| by_reference.cpp:106:21:106:41 | Chi [a] | by_reference.cpp:114:29:114:29 | a |
+| by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | by_reference.cpp:106:21:106:41 | Chi [a] |
+| by_reference.cpp:122:21:122:38 | Chi [a] | by_reference.cpp:130:27:130:27 | a |
+| by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | by_reference.cpp:122:21:122:38 | Chi [a] |
+| by_reference.cpp:126:21:126:40 | Chi [a] | by_reference.cpp:134:29:134:29 | a |
+| by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | by_reference.cpp:126:21:126:40 | Chi [a] |
 | complex.cpp:40:17:40:17 | *b [a_] | complex.cpp:51:16:51:16 | Argument -1 indirection [a_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:51:16:51:16 | Argument -1 indirection [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:52:16:52:16 | Argument -1 indirection [b_] |
@@ -131,18 +151,22 @@ edges
 | simple.cpp:48:9:48:9 | Argument 0 indirection [b_] | simple.cpp:26:15:26:15 | *f [b_] |
 | simple.cpp:51:9:51:9 | Argument 0 indirection [a_] | simple.cpp:26:15:26:15 | *f [a_] |
 | simple.cpp:51:9:51:9 | Argument 0 indirection [b_] | simple.cpp:26:15:26:15 | *f [b_] |
-| simple.cpp:65:5:65:22 | Store [i] | simple.cpp:67:13:67:13 | i |
+| simple.cpp:65:5:65:22 | Store [i] | simple.cpp:66:12:66:12 | Store [i] |
 | simple.cpp:65:11:65:20 | call to user_input | simple.cpp:65:5:65:22 | Store [i] |
+| simple.cpp:66:12:66:12 | Store [i] | simple.cpp:67:13:67:13 | i |
 | simple.cpp:83:9:83:28 | Chi [f1] | simple.cpp:84:14:84:20 | Argument -1 indirection [f1] |
-| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Chi [f1] |
+| simple.cpp:83:9:83:28 | Store | simple.cpp:83:9:83:28 | Chi [f1] |
+| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Store |
 | simple.cpp:84:14:84:20 | Argument -1 indirection [f1] | simple.cpp:84:14:84:20 | call to getf2f1 |
 | struct_init.c:14:24:14:25 | *ab [a] | struct_init.c:15:12:15:12 | a |
 | struct_init.c:20:20:20:29 | Chi [a] | struct_init.c:24:10:24:12 | Argument 0 indirection [a] |
-| struct_init.c:20:20:20:29 | call to user_input | struct_init.c:20:20:20:29 | Chi [a] |
+| struct_init.c:20:20:20:29 | Store | struct_init.c:20:20:20:29 | Chi [a] |
+| struct_init.c:20:20:20:29 | call to user_input | struct_init.c:20:20:20:29 | Store |
 | struct_init.c:20:20:20:29 | call to user_input | struct_init.c:22:11:22:11 | a |
 | struct_init.c:24:10:24:12 | Argument 0 indirection [a] | struct_init.c:14:24:14:25 | *ab [a] |
 | struct_init.c:27:7:27:16 | Chi [a] | struct_init.c:36:10:36:24 | Argument 0 indirection [a] |
-| struct_init.c:27:7:27:16 | call to user_input | struct_init.c:27:7:27:16 | Chi [a] |
+| struct_init.c:27:7:27:16 | Store | struct_init.c:27:7:27:16 | Chi [a] |
+| struct_init.c:27:7:27:16 | call to user_input | struct_init.c:27:7:27:16 | Store |
 | struct_init.c:27:7:27:16 | call to user_input | struct_init.c:31:23:31:23 | a |
 | struct_init.c:36:10:36:24 | Argument 0 indirection [a] | struct_init.c:14:24:14:25 | *ab [a] |
 nodes
@@ -157,20 +181,26 @@ nodes
 | A.cpp:57:28:57:30 | call to get | semmle.label | call to get |
 | A.cpp:98:12:98:18 | new | semmle.label | new |
 | A.cpp:100:5:100:13 | Chi [a] | semmle.label | Chi [a] |
+| A.cpp:100:5:100:13 | Store | semmle.label | Store |
 | A.cpp:101:8:101:9 | Argument 0 indirection [a] | semmle.label | Argument 0 indirection [a] |
 | A.cpp:103:14:103:14 | *c [a] | semmle.label | *c [a] |
 | A.cpp:107:16:107:16 | a | semmle.label | a |
 | A.cpp:126:5:126:5 | Chi [c] | semmle.label | Chi [c] |
 | A.cpp:126:5:126:5 | set output argument [c] | semmle.label | set output argument [c] |
 | A.cpp:126:12:126:18 | new | semmle.label | new |
+| A.cpp:131:8:131:8 | Chi [c] | semmle.label | Chi [c] |
 | A.cpp:131:8:131:8 | f7 output argument [c] | semmle.label | f7 output argument [c] |
 | A.cpp:132:13:132:13 | c | semmle.label | c |
 | A.cpp:142:7:142:20 | Chi [c] | semmle.label | Chi [c] |
+| A.cpp:142:7:142:20 | Store | semmle.label | Store |
 | A.cpp:142:14:142:20 | new | semmle.label | new |
 | A.cpp:143:7:143:31 | Chi [b] | semmle.label | Chi [b] |
+| A.cpp:143:7:143:31 | Store | semmle.label | Store |
 | A.cpp:143:25:143:31 | new | semmle.label | new |
 | A.cpp:150:12:150:18 | new | semmle.label | new |
+| A.cpp:151:12:151:24 | Chi [b] | semmle.label | Chi [b] |
 | A.cpp:151:12:151:24 | D output argument [b] | semmle.label | D output argument [b] |
+| A.cpp:151:18:151:18 | Chi [c] | semmle.label | Chi [c] |
 | A.cpp:151:18:151:18 | D output argument [c] | semmle.label | D output argument [c] |
 | A.cpp:151:18:151:18 | b | semmle.label | b |
 | A.cpp:152:13:152:13 | b | semmle.label | b |
@@ -180,19 +210,25 @@ nodes
 | C.cpp:19:5:19:5 | Argument -1 indirection [s1] | semmle.label | Argument -1 indirection [s1] |
 | C.cpp:19:5:19:5 | Argument -1 indirection [s3] | semmle.label | Argument -1 indirection [s3] |
 | C.cpp:22:12:22:21 | Chi [s1] | semmle.label | Chi [s1] |
+| C.cpp:22:12:22:21 | Store | semmle.label | Store |
 | C.cpp:22:12:22:21 | new | semmle.label | new |
 | C.cpp:24:5:24:25 | Chi [s1] | semmle.label | Chi [s1] |
 | C.cpp:24:5:24:25 | Chi [s3] | semmle.label | Chi [s3] |
+| C.cpp:24:5:24:25 | Store | semmle.label | Store |
 | C.cpp:24:16:24:25 | new | semmle.label | new |
 | C.cpp:27:8:27:11 | *#this [s1] | semmle.label | *#this [s1] |
 | C.cpp:27:8:27:11 | *#this [s3] | semmle.label | *#this [s3] |
 | C.cpp:29:10:29:11 | s1 | semmle.label | s1 |
 | C.cpp:31:10:31:11 | s3 | semmle.label | s3 |
 | aliasing.cpp:9:3:9:22 | Chi [m1] | semmle.label | Chi [m1] |
+| aliasing.cpp:9:3:9:22 | Store | semmle.label | Store |
 | aliasing.cpp:9:11:9:20 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:13:3:13:21 | Chi [m1] | semmle.label | Chi [m1] |
+| aliasing.cpp:13:3:13:21 | Store | semmle.label | Store |
 | aliasing.cpp:13:10:13:19 | call to user_input | semmle.label | call to user_input |
+| aliasing.cpp:25:17:25:19 | Chi [m1] | semmle.label | Chi [m1] |
 | aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | semmle.label | pointerSetter output argument [m1] |
+| aliasing.cpp:26:19:26:20 | Chi [m1] | semmle.label | Chi [m1] |
 | aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] | semmle.label | referenceSetter output argument [m1] |
 | aliasing.cpp:29:11:29:12 | m1 | semmle.label | m1 |
 | aliasing.cpp:30:11:30:12 | m1 | semmle.label | m1 |
@@ -201,7 +237,9 @@ nodes
 | aliasing.cpp:42:11:42:20 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:43:13:43:14 | m1 | semmle.label | m1 |
 | aliasing.cpp:60:3:60:22 | Chi [m1] | semmle.label | Chi [m1] |
+| aliasing.cpp:60:3:60:22 | Store | semmle.label | Store |
 | aliasing.cpp:60:11:60:20 | call to user_input | semmle.label | call to user_input |
+| aliasing.cpp:61:13:61:14 | Store [m1] | semmle.label | Store [m1] |
 | aliasing.cpp:62:14:62:15 | m1 | semmle.label | m1 |
 | aliasing.cpp:79:11:79:20 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:80:12:80:13 | m1 | semmle.label | m1 |
@@ -226,14 +264,20 @@ nodes
 | by_reference.cpp:69:8:69:20 | call to nonMemberGetA | semmle.label | call to nonMemberGetA |
 | by_reference.cpp:69:22:69:23 | Argument 0 indirection [a] | semmle.label | Argument 0 indirection [a] |
 | by_reference.cpp:84:3:84:25 | Chi [a] | semmle.label | Chi [a] |
+| by_reference.cpp:84:3:84:25 | Store | semmle.label | Store |
 | by_reference.cpp:84:14:84:23 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:88:3:88:24 | Chi [a] | semmle.label | Chi [a] |
+| by_reference.cpp:88:3:88:24 | Store | semmle.label | Store |
 | by_reference.cpp:88:13:88:22 | call to user_input | semmle.label | call to user_input |
+| by_reference.cpp:102:21:102:39 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] |
+| by_reference.cpp:106:21:106:41 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] |
 | by_reference.cpp:110:27:110:27 | a | semmle.label | a |
 | by_reference.cpp:114:29:114:29 | a | semmle.label | a |
+| by_reference.cpp:122:21:122:38 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | semmle.label | taint_inner_a_ref output argument [a] |
+| by_reference.cpp:126:21:126:40 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | semmle.label | taint_inner_a_ref output argument [a] |
 | by_reference.cpp:130:27:130:27 | a | semmle.label | a |
 | by_reference.cpp:134:29:134:29 | a | semmle.label | a |
@@ -303,18 +347,22 @@ nodes
 | simple.cpp:51:9:51:9 | Argument 0 indirection [b_] | semmle.label | Argument 0 indirection [b_] |
 | simple.cpp:65:5:65:22 | Store [i] | semmle.label | Store [i] |
 | simple.cpp:65:11:65:20 | call to user_input | semmle.label | call to user_input |
+| simple.cpp:66:12:66:12 | Store [i] | semmle.label | Store [i] |
 | simple.cpp:67:13:67:13 | i | semmle.label | i |
 | simple.cpp:83:9:83:28 | Chi [f1] | semmle.label | Chi [f1] |
+| simple.cpp:83:9:83:28 | Store | semmle.label | Store |
 | simple.cpp:83:17:83:26 | call to user_input | semmle.label | call to user_input |
 | simple.cpp:84:14:84:20 | Argument -1 indirection [f1] | semmle.label | Argument -1 indirection [f1] |
 | simple.cpp:84:14:84:20 | call to getf2f1 | semmle.label | call to getf2f1 |
 | struct_init.c:14:24:14:25 | *ab [a] | semmle.label | *ab [a] |
 | struct_init.c:15:12:15:12 | a | semmle.label | a |
 | struct_init.c:20:20:20:29 | Chi [a] | semmle.label | Chi [a] |
+| struct_init.c:20:20:20:29 | Store | semmle.label | Store |
 | struct_init.c:20:20:20:29 | call to user_input | semmle.label | call to user_input |
 | struct_init.c:22:11:22:11 | a | semmle.label | a |
 | struct_init.c:24:10:24:12 | Argument 0 indirection [a] | semmle.label | Argument 0 indirection [a] |
 | struct_init.c:27:7:27:16 | Chi [a] | semmle.label | Chi [a] |
+| struct_init.c:27:7:27:16 | Store | semmle.label | Store |
 | struct_init.c:27:7:27:16 | call to user_input | semmle.label | call to user_input |
 | struct_init.c:31:23:31:23 | a | semmle.label | a |
 | struct_init.c:36:10:36:24 | Argument 0 indirection [a] | semmle.label | Argument 0 indirection [a] |