hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-22 23:35:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #19511 from MathiasVP/as-expr-array-aggregate-literal

Browse Source 
C++: Make `node.asExpr() instanceof ArrayAggregateLiteral` satisfiable
This commit is contained in:
Mathias Vorreiter Pedersen
2025-05-19 12:47:28 +01:00
committed by GitHub
parent 93517020ae ff11aaf2bb
commit adb74105fd
5 changed files with 49 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll
View File

@@ -45,6 +45,28 @@ private module Cached {
)
}
private Expr getRankedElementExpr(ArrayAggregateLiteral aggr, int rnk) {
result =
rank[rnk + 1](Expr e, int elementIndex, int position |
e = aggr.getElementExpr(elementIndex, position)
|
e order by elementIndex, position
)
}
private class LastArrayAggregateStore extends StoreInstruction {
ArrayAggregateLiteral aggr;
LastArrayAggregateStore() {
exists(int rnk |
this.getSourceValue().getUnconvertedResultExpression() = getRankedElementExpr(aggr, rnk) and
not exists(getRankedElementExpr(aggr, rnk + 1))
)
}
ArrayAggregateLiteral getArrayAggregateLiteral() { result = aggr }
}
private Expr getConvertedResultExpressionImpl0(Instruction instr) {
// IR construction inserts an additional cast to a `size_t` on the extent
// of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
@@ -95,6 +117,16 @@ private module Cached {
tco.producesExprResult() and
result = asDefinitionImpl0(instr)
)
or
// IR construction breaks an array aggregate literal `{1, 2, 3}` into a
// sequence of `StoreInstruction`s. So there's no instruction `i` for which
// `i.getUnconvertedResultExpression() instanceof ArrayAggregateLiteral`.
// So we map the instruction node corresponding to the last `Store`
// instruction of the sequence to the result of the array aggregate
// literal. This makes sense since this store will immediately flow into
// the indirect node representing the array. So this node does represent
// the array after it has been fully initialized.
result = instr.(LastArrayAggregateStore).getArrayAggregateLiteral()
}
private Expr getConvertedResultExpressionImpl(Instruction instr) {