From eb35fa0d5e0d290d378eae4a2e8ffa174ca8686d Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 25 Mar 2026 08:43:49 +0000 Subject: [PATCH 1/8] C++: Unify 'isSourceParameterOf' for this parameters with the implementation for positional parameters. --- .../ir/dataflow/internal/DataFlowNodes.qll | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll index afec2384b23..1d4bb3f8ab5 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll @@ -850,11 +850,6 @@ module Public { { ThisParameterInstructionNode() { instr.getIRVariable() instanceof IRThisVariable } - override predicate isSourceParameterOf(Function f, ParameterPosition pos) { - pos.(DirectPosition).getArgumentIndex() = -1 and - instr.getEnclosingFunction() = f - } - override string toStringImpl() { result = "this" } } @@ -1659,6 +1654,11 @@ abstract private class AbstractParameterNode extends Node { /** Gets the `Parameter` associated with this node, if it exists. */ Parameter getParameter() { none() } // overridden by subclasses + + /** + * Holds if this node represents an implicit `this` parameter, if it exists. + */ + predicate isThis() { none() } // overridden by subclasses } abstract private class AbstractIndirectParameterNode extends AbstractParameterNode { @@ -1701,9 +1701,10 @@ private class IndirectInstructionParameterNode extends AbstractIndirectParameter ) } - /** Gets the parameter whose indirection is initialized. */ override Parameter getParameter() { result = init.getParameter() } + override predicate isThis() { init.hasIndex(-1) } + override DataFlowCallable getEnclosingCallable() { result.asSourceCallable() = this.getFunction() } @@ -1738,6 +1739,18 @@ abstract class InstructionDirectParameterNode extends InstructionNode, AbstractD * Gets the `IRVariable` that this parameter references. */ final IRVariable getIRVariable() { result = instr.getIRVariable() } + + override predicate isThis() { instr.hasIndex(-1) } + + override Parameter getParameter() { result = instr.getParameter() } + + override predicate isSourceParameterOf(Function f, ParameterPosition pos) { + this.getFunction() = f and + exists(int argumentIndex | + pos.(DirectPosition).getArgumentIndex() = argumentIndex and + instr.hasIndex(argumentIndex) + ) + } } abstract private class AbstractExplicitParameterNode extends AbstractDirectParameterNode { } @@ -1748,13 +1761,7 @@ private class ExplicitParameterInstructionNode extends AbstractExplicitParameter { ExplicitParameterInstructionNode() { exists(instr.getParameter()) } - override predicate isSourceParameterOf(Function f, ParameterPosition pos) { - f.getParameter(pos.(DirectPosition).getArgumentIndex()) = instr.getParameter() - } - override string toStringImpl() { result = instr.getParameter().toString() } - - override Parameter getParameter() { result = instr.getParameter() } } /** From 9cb8edb41a2133467d105969b4ba802cb3a811c0 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 25 Mar 2026 08:45:18 +0000 Subject: [PATCH 2/8] C++: Change 'Function' to 'Declaration' in a few places to handle enclosing callables being fields. --- .../cpp/ir/dataflow/internal/DataFlowNodes.qll | 16 ++++++++-------- .../cpp/ir/dataflow/internal/DataFlowPrivate.qll | 6 +++--- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll index 1d4bb3f8ab5..637d8f73eb9 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll @@ -1124,7 +1124,7 @@ class IndirectArgumentOutNode extends PostUpdateNodeImpl { /** * Gets the `Function` that the call targets, if this is statically known. */ - Function getStaticCallTarget() { result = this.getCallInstruction().getStaticCallTarget() } + Declaration getStaticCallTarget() { result = this.getCallInstruction().getStaticCallTarget() } override string toStringImpl() { exists(string prefix | if indirectionIndex > 0 then prefix = "" else prefix = "pointer to " | @@ -1628,7 +1628,7 @@ abstract private class AbstractParameterNode extends Node { * implicit `this` parameter is considered to have position `-1`, and * pointer-indirection parameters are at further negative positions. */ - predicate isSourceParameterOf(Function f, ParameterPosition pos) { none() } + predicate isSourceParameterOf(Declaration f, ParameterPosition pos) { none() } /** * Holds if this node is the parameter of `sc` at the specified position. The @@ -1711,7 +1711,7 @@ private class IndirectInstructionParameterNode extends AbstractIndirectParameter override Declaration getFunction() { result = init.getEnclosingFunction() } - override predicate isSourceParameterOf(Function f, ParameterPosition pos) { + override predicate isSourceParameterOf(Declaration f, ParameterPosition pos) { this.getFunction() = f and exists(int argumentIndex, int indirectionIndex | indirectPositionHasArgumentIndexAndIndex(pos, argumentIndex, indirectionIndex) and @@ -1744,7 +1744,7 @@ abstract class InstructionDirectParameterNode extends InstructionNode, AbstractD override Parameter getParameter() { result = instr.getParameter() } - override predicate isSourceParameterOf(Function f, ParameterPosition pos) { + override predicate isSourceParameterOf(Declaration f, ParameterPosition pos) { this.getFunction() = f and exists(int argumentIndex | pos.(DirectPosition).getArgumentIndex() = argumentIndex and @@ -1789,9 +1789,9 @@ private class DirectBodyLessParameterNode extends AbstractExplicitParameterNode, { DirectBodyLessParameterNode() { indirectionIndex = 0 } - override predicate isSourceParameterOf(Function f, ParameterPosition pos) { + override predicate isSourceParameterOf(Declaration f, ParameterPosition pos) { this.getFunction() = f and - f.getParameter(pos.(DirectPosition).getArgumentIndex()) = p + f.(Function).getParameter(pos.(DirectPosition).getArgumentIndex()) = p } override Parameter getParameter() { result = p } @@ -1802,10 +1802,10 @@ private class IndirectBodyLessParameterNode extends AbstractIndirectParameterNod { IndirectBodyLessParameterNode() { not this instanceof DirectBodyLessParameterNode } - override predicate isSourceParameterOf(Function f, ParameterPosition pos) { + override predicate isSourceParameterOf(Declaration f, ParameterPosition pos) { exists(int argumentPosition | this.getFunction() = f and - f.getParameter(argumentPosition) = p and + f.(Function).getParameter(argumentPosition) = p and indirectPositionHasArgumentIndexAndIndex(pos, argumentPosition, indirectionIndex) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll index 6dd953b16ab..83f240ddae5 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll @@ -1170,7 +1170,7 @@ class DataFlowCall extends TDataFlowCall { /** * Gets the `Function` that the call targets, if this is statically known. */ - Function getStaticCallSourceTarget() { none() } + Declaration getStaticCallSourceTarget() { none() } /** * Gets the target of this call. We use the following strategy for deciding @@ -1182,7 +1182,7 @@ class DataFlowCall extends TDataFlowCall { * whether is it manual or generated. */ final DataFlowCallable getStaticCallTarget() { - exists(Function target | target = this.getStaticCallSourceTarget() | + exists(Declaration target | target = this.getStaticCallSourceTarget() | // Don't use the source callable if there is a manual model for the // target not exists(SummarizedCallable sc | @@ -1242,7 +1242,7 @@ private class NormalCall extends DataFlowCall, TNormalCall { override CallTargetOperand getCallTargetOperand() { result = call.getCallTargetOperand() } - override Function getStaticCallSourceTarget() { result = call.getStaticCallTarget() } + override Declaration getStaticCallSourceTarget() { result = call.getStaticCallTarget() } override ArgumentOperand getArgumentOperand(int index) { result = call.getArgumentOperand(index) } From 599b7a66534fcb147f300f001f00e45961cdd5e1 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 25 Mar 2026 08:46:57 +0000 Subject: [PATCH 3/8] C++: Handle fields in 'getThisType'. --- .../code/cpp/ir/dataflow/internal/SsaImplCommon.qll | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll index 4d109c0716d..e4734f285fa 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll @@ -11,13 +11,18 @@ private import TypeFlow private import semmle.code.cpp.ir.ValueNumbering /** - * Gets the C++ type of `this` in the member function `f`. + * Gets the C++ type of `this` in an `IRFunction` generated from `f`. * The result is a glvalue if `isGLValue` is true, and * a prvalue if `isGLValue` is false. */ bindingset[isGLValue] -private CppType getThisType(Cpp::MemberFunction f, boolean isGLValue) { - result.hasType(f.getTypeOfThis(), isGLValue) +private CppType getThisType(Cpp::Declaration f, boolean isGLValue) { + result.hasType(f.(Cpp::MemberFunction).getTypeOfThis(), isGLValue) + or + exists(Cpp::PointerType pt | + pt.getBaseType() = f.(Cpp::Field).getDeclaringType() and + result.hasType(pt, isGLValue) + ) } /** From 503c15334a6545eaa3167ee8d35a80fd65d155df Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 25 Mar 2026 08:47:45 +0000 Subject: [PATCH 4/8] C++: Accept test changes. --- .../dataflow-tests/test-source-sink.expected | 1 + .../dataflow/dataflow-tests/test.cpp | 2 +- .../dataflow-tests/type-bugs.expected | 6 ----- .../test/library-tests/dataflow/fields/C.cpp | 2 +- .../dataflow/fields/ir-path-flow.expected | 24 +++++++++++++++++++ 5 files changed, 27 insertions(+), 8 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected index 420bd110e1f..5ee2ca86cbc 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected @@ -391,6 +391,7 @@ irFlow | test.cpp:1308:7:1308:12 | call to source | test.cpp:1309:8:1309:16 | ... ++ | | test.cpp:1312:7:1312:12 | call to source | test.cpp:1313:8:1313:24 | ... ? ... : ... | | test.cpp:1312:7:1312:12 | call to source | test.cpp:1314:8:1314:8 | x | +| test.cpp:1318:13:1318:18 | call to source | test.cpp:1327:10:1327:10 | i | | test.cpp:1329:11:1329:16 | call to source | test.cpp:1330:10:1330:10 | i | | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x | | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp index ca240eb7b2b..892d49b0085 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp @@ -1324,7 +1324,7 @@ struct nsdmi { void nsdmi_test() { nsdmi x; - sink(x.i); // $ MISSING: ir ast + sink(x.i); // $ ir MISSING: ast nsdmi y(source()); sink(y.i); // $ ir ast diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected index b5f4db887b6..87ebdc9e83a 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected @@ -36,12 +36,6 @@ irTypeBugs | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] read: Argument[this].Element[*] in operator-> | | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] to write: ReturnValue[**] in operator-> | | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] to write: ReturnValue[*] in operator-> | -| test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | field | -| test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | field | -| test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | field | -| test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | i | -| test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | i | -| test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | i | incorrectBaseType | clang.cpp:22:8:22:20 | *& ... | Expected 'Node.getType()' to be int, but it was int * | | clang.cpp:23:17:23:29 | *& ... | Expected 'Node.getType()' to be int, but it was int * | diff --git a/cpp/ql/test/library-tests/dataflow/fields/C.cpp b/cpp/ql/test/library-tests/dataflow/fields/C.cpp index 6e5165caa9a..0c092928272 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/C.cpp +++ b/cpp/ql/test/library-tests/dataflow/fields/C.cpp @@ -27,7 +27,7 @@ public: void func() { sink(s1); // $ ast,ir - sink(s2); // $ MISSING: ast,ir + sink(s2); // $ ir MISSING: ast sink(s3); // $ ast,ir sink(s4); // $ MISSING: ast,ir } diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected index cc8cd2826bf..2e38382150f 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected @@ -187,23 +187,34 @@ edges | B.cpp:46:7:46:10 | *this [post update] [*box1, elem2] | B.cpp:44:5:44:8 | *this [Return] [*box1, elem2] | provenance | | | B.cpp:46:7:46:21 | *... = ... [elem1] | B.cpp:46:7:46:10 | *this [post update] [*box1, elem1] | provenance | | | B.cpp:46:7:46:21 | *... = ... [elem2] | B.cpp:46:7:46:10 | *this [post update] [*box1, elem2] | provenance | | +| C.cpp:10:15:10:16 | *s2 [post update] [s2] | C.cpp:10:15:10:16 | *this [Return] [s2] | provenance | | +| C.cpp:10:15:10:16 | *this [Return] [s2] | C.cpp:22:3:22:3 | s2 output argument [s2] | provenance | | +| C.cpp:10:20:10:29 | new | C.cpp:10:15:10:16 | *s2 [post update] [s2] | provenance | | +| C.cpp:10:20:10:29 | new | C.cpp:10:20:10:29 | new | provenance | | | C.cpp:18:12:18:18 | *new [s1] | C.cpp:19:5:19:5 | *c [s1] | provenance | | +| C.cpp:18:12:18:18 | *new [s2] | C.cpp:19:5:19:5 | *c [s2] | provenance | | | C.cpp:18:12:18:18 | *new [s3] | C.cpp:19:5:19:5 | *c [s3] | provenance | | | C.cpp:18:12:18:18 | call to C [s1] | C.cpp:18:12:18:18 | *new [s1] | provenance | | +| C.cpp:18:12:18:18 | call to C [s2] | C.cpp:18:12:18:18 | *new [s2] | provenance | | | C.cpp:18:12:18:18 | call to C [s3] | C.cpp:18:12:18:18 | *new [s3] | provenance | | | C.cpp:19:5:19:5 | *c [s1] | C.cpp:27:8:27:11 | *this [s1] | provenance | | +| C.cpp:19:5:19:5 | *c [s2] | C.cpp:27:8:27:11 | *this [s2] | provenance | | | C.cpp:19:5:19:5 | *c [s3] | C.cpp:27:8:27:11 | *this [s3] | provenance | | | C.cpp:22:3:22:3 | *C [post update] [s1] | C.cpp:22:3:22:3 | *this [Return] [s1] | provenance | | | C.cpp:22:3:22:3 | *this [Return] [s1] | C.cpp:18:12:18:18 | call to C [s1] | provenance | | +| C.cpp:22:3:22:3 | *this [Return] [s2] | C.cpp:18:12:18:18 | call to C [s2] | provenance | | | C.cpp:22:3:22:3 | *this [Return] [s3] | C.cpp:18:12:18:18 | call to C [s3] | provenance | | +| C.cpp:22:3:22:3 | s2 output argument [s2] | C.cpp:22:3:22:3 | *this [Return] [s2] | provenance | | | C.cpp:22:12:22:21 | new | C.cpp:22:3:22:3 | *C [post update] [s1] | provenance | | | C.cpp:22:12:22:21 | new | C.cpp:22:12:22:21 | new | provenance | | | C.cpp:24:5:24:8 | *this [post update] [s3] | C.cpp:22:3:22:3 | *this [Return] [s3] | provenance | | | C.cpp:24:5:24:25 | ... = ... | C.cpp:24:5:24:8 | *this [post update] [s3] | provenance | | | C.cpp:24:16:24:25 | new | C.cpp:24:5:24:25 | ... = ... | provenance | | | C.cpp:27:8:27:11 | *this [s1] | C.cpp:29:10:29:11 | *this [s1] | provenance | | +| C.cpp:27:8:27:11 | *this [s2] | C.cpp:30:10:30:11 | *this [s2] | provenance | | | C.cpp:27:8:27:11 | *this [s3] | C.cpp:31:10:31:11 | *this [s3] | provenance | | | C.cpp:29:10:29:11 | *this [s1] | C.cpp:29:10:29:11 | s1 | provenance | | +| C.cpp:30:10:30:11 | *this [s2] | C.cpp:30:10:30:11 | s2 | provenance | | | C.cpp:31:10:31:11 | *this [s3] | C.cpp:31:10:31:11 | s3 | provenance | | | D.cpp:10:11:10:17 | *this [elem] | D.cpp:10:30:10:33 | *this [elem] | provenance | | | D.cpp:10:30:10:33 | *this [elem] | D.cpp:10:30:10:33 | elem | provenance | | @@ -1116,24 +1127,36 @@ nodes | B.cpp:46:7:46:10 | *this [post update] [*box1, elem2] | semmle.label | *this [post update] [*box1, elem2] | | B.cpp:46:7:46:21 | *... = ... [elem1] | semmle.label | *... = ... [elem1] | | B.cpp:46:7:46:21 | *... = ... [elem2] | semmle.label | *... = ... [elem2] | +| C.cpp:10:15:10:16 | *s2 [post update] [s2] | semmle.label | *s2 [post update] [s2] | +| C.cpp:10:15:10:16 | *this [Return] [s2] | semmle.label | *this [Return] [s2] | +| C.cpp:10:20:10:29 | new | semmle.label | new | +| C.cpp:10:20:10:29 | new | semmle.label | new | | C.cpp:18:12:18:18 | *new [s1] | semmle.label | *new [s1] | +| C.cpp:18:12:18:18 | *new [s2] | semmle.label | *new [s2] | | C.cpp:18:12:18:18 | *new [s3] | semmle.label | *new [s3] | | C.cpp:18:12:18:18 | call to C [s1] | semmle.label | call to C [s1] | +| C.cpp:18:12:18:18 | call to C [s2] | semmle.label | call to C [s2] | | C.cpp:18:12:18:18 | call to C [s3] | semmle.label | call to C [s3] | | C.cpp:19:5:19:5 | *c [s1] | semmle.label | *c [s1] | +| C.cpp:19:5:19:5 | *c [s2] | semmle.label | *c [s2] | | C.cpp:19:5:19:5 | *c [s3] | semmle.label | *c [s3] | | C.cpp:22:3:22:3 | *C [post update] [s1] | semmle.label | *C [post update] [s1] | | C.cpp:22:3:22:3 | *this [Return] [s1] | semmle.label | *this [Return] [s1] | +| C.cpp:22:3:22:3 | *this [Return] [s2] | semmle.label | *this [Return] [s2] | | C.cpp:22:3:22:3 | *this [Return] [s3] | semmle.label | *this [Return] [s3] | +| C.cpp:22:3:22:3 | s2 output argument [s2] | semmle.label | s2 output argument [s2] | | C.cpp:22:12:22:21 | new | semmle.label | new | | C.cpp:22:12:22:21 | new | semmle.label | new | | C.cpp:24:5:24:8 | *this [post update] [s3] | semmle.label | *this [post update] [s3] | | C.cpp:24:5:24:25 | ... = ... | semmle.label | ... = ... | | C.cpp:24:16:24:25 | new | semmle.label | new | | C.cpp:27:8:27:11 | *this [s1] | semmle.label | *this [s1] | +| C.cpp:27:8:27:11 | *this [s2] | semmle.label | *this [s2] | | C.cpp:27:8:27:11 | *this [s3] | semmle.label | *this [s3] | | C.cpp:29:10:29:11 | *this [s1] | semmle.label | *this [s1] | | C.cpp:29:10:29:11 | s1 | semmle.label | s1 | +| C.cpp:30:10:30:11 | *this [s2] | semmle.label | *this [s2] | +| C.cpp:30:10:30:11 | s2 | semmle.label | s2 | | C.cpp:31:10:31:11 | *this [s3] | semmle.label | *this [s3] | | C.cpp:31:10:31:11 | s3 | semmle.label | s3 | | D.cpp:10:11:10:17 | *getElem | semmle.label | *getElem | @@ -1958,6 +1981,7 @@ subpaths | B.cpp:9:10:9:24 | elem1 | B.cpp:6:15:6:24 | new | B.cpp:9:10:9:24 | elem1 | elem1 flows from $@ | B.cpp:6:15:6:24 | new | new | | B.cpp:19:10:19:24 | elem2 | B.cpp:15:15:15:27 | new | B.cpp:19:10:19:24 | elem2 | elem2 flows from $@ | B.cpp:15:15:15:27 | new | new | | C.cpp:29:10:29:11 | s1 | C.cpp:22:12:22:21 | new | C.cpp:29:10:29:11 | s1 | s1 flows from $@ | C.cpp:22:12:22:21 | new | new | +| C.cpp:30:10:30:11 | s2 | C.cpp:10:20:10:29 | new | C.cpp:30:10:30:11 | s2 | s2 flows from $@ | C.cpp:10:20:10:29 | new | new | | C.cpp:31:10:31:11 | s3 | C.cpp:24:16:24:25 | new | C.cpp:31:10:31:11 | s3 | s3 flows from $@ | C.cpp:24:16:24:25 | new | new | | D.cpp:22:10:22:33 | call to getElem | D.cpp:28:15:28:24 | new | D.cpp:22:10:22:33 | call to getElem | call to getElem flows from $@ | D.cpp:28:15:28:24 | new | new | | D.cpp:22:10:22:33 | call to getElem | D.cpp:35:15:35:24 | new | D.cpp:22:10:22:33 | call to getElem | call to getElem flows from $@ | D.cpp:35:15:35:24 | new | new | From 78c0c7cb76ff3a1e78aba140e222e616ce492618 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 25 Mar 2026 14:17:10 +0000 Subject: [PATCH 5/8] C++: Exclude flow summaries from 'irTypeBugs'. --- .../dataflow-tests/type-bugs.expected | 36 ------------------- .../dataflow/dataflow-tests/type-bugs.ql | 4 +++ 2 files changed, 4 insertions(+), 36 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected index 87ebdc9e83a..2ba0cf2928b 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected @@ -1,41 +1,5 @@ astTypeBugs irTypeBugs -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary param] *0 in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary param] this in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element[****] in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element[***] in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element[**] in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element[*] in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this] in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element[****] in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element[***] in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element[**] in iterator | -| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element[*] in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary param] *0 in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary param] this in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element[****] in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element[***] in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element[**] in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element[*] in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this] in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element[****] in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element[***] in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element[**] in iterator | -| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element[*] in iterator | -| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary param] this in operator* | -| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary] read: Argument[this].Element in operator* | -| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary] read: Argument[this].Element[*] in operator* | -| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary] to write: ReturnValue[**] in operator* | -| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary] to write: ReturnValue[*] in operator* | -| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary param] this in operator-> | -| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] read: Argument[this].Element in operator-> | -| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] read: Argument[this].Element[*] in operator-> | -| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] to write: ReturnValue[**] in operator-> | -| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] to write: ReturnValue[*] in operator-> | incorrectBaseType | clang.cpp:22:8:22:20 | *& ... | Expected 'Node.getType()' to be int, but it was int * | | clang.cpp:23:17:23:29 | *& ... | Expected 'Node.getType()' to be int, but it was int * | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql index 3e5f9165ef8..84fd3e6bbe4 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql @@ -17,9 +17,13 @@ import AstTest module IrTest { private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil + private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes query predicate irTypeBugs(Location location, Node node) { exists(int n | + // Flow summary nodes don't have a type since we don't (necessary) have + // the source code in the database. + not node instanceof FlowSummaryNode and n = count(node.getType()) and location = node.getLocation() and n != 1 From 29768bbed481cb4fc2c61123d0ed25d5955818bd Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 30 Mar 2026 11:26:24 +0100 Subject: [PATCH 6/8] Update cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql index 84fd3e6bbe4..3fcf39ef1c5 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql @@ -21,7 +21,7 @@ module IrTest { query predicate irTypeBugs(Location location, Node node) { exists(int n | - // Flow summary nodes don't have a type since we don't (necessary) have + // Flow summary nodes don't have a type since we don't necessarily have // the source code in the database. not node instanceof FlowSummaryNode and n = count(node.getType()) and From 9247e6af0c5b9890da02913d62419a84afcc903e Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 30 Mar 2026 11:30:17 +0100 Subject: [PATCH 7/8] C++: Add change note. --- cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md diff --git a/cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md b/cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md new file mode 100644 index 00000000000..8bf87900330 --- /dev/null +++ b/cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Added dataflow through members initialized via non-static data member initialization (NSDMI). \ No newline at end of file From 5db069eb5689773f760f8bc854bddb2efe2689b4 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 30 Mar 2026 12:08:08 +0100 Subject: [PATCH 8/8] C++: Fix more consistency errors. --- .../code/cpp/ir/dataflow/internal/DataFlowNodes.qll | 9 +++++++-- .../syntax-zoo/dataflow-ir-consistency.expected | 2 -- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll index 637d8f73eb9..bcf6a0d512c 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll @@ -1687,7 +1687,9 @@ private class IndirectInstructionParameterNode extends AbstractIndirectParameter InitializeParameterInstruction init; IndirectInstructionParameterNode() { - IndirectInstruction.super.hasInstructionAndIndirectionIndex(init, _) + IndirectInstruction.super.hasInstructionAndIndirectionIndex(init, _) and + // We don't model catch parameters as parameter nodes + not exists(init.getParameter().getCatchBlock()) } int getArgumentIndex() { init.hasIndex(result) } @@ -1759,7 +1761,10 @@ abstract private class AbstractExplicitParameterNode extends AbstractDirectParam private class ExplicitParameterInstructionNode extends AbstractExplicitParameterNode, InstructionDirectParameterNode { - ExplicitParameterInstructionNode() { exists(instr.getParameter()) } + ExplicitParameterInstructionNode() { + // We don't model catch parameters as parameter nodes. + exists(instr.getParameter().getFunction()) + } override string toStringImpl() { result = instr.getParameter().toString() } } diff --git a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected index 984335d1251..e6556b1a89c 100644 --- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected @@ -29,8 +29,6 @@ postWithInFlow | try_catch.cpp:7:8:7:8 | call to exception | PostUpdateNode should not be the target of local flow. | viableImplInCallContextTooLarge uniqueParameterNodeAtPosition -| ir.cpp:726:6:726:13 | TryCatch | *0 | ir.cpp:737:22:737:22 | *s | Parameters with overlapping positions. | -| ir.cpp:726:6:726:13 | TryCatch | *0 | ir.cpp:740:24:740:24 | *e | Parameters with overlapping positions. | uniqueParameterNodePosition uniqueContentApprox identityLocalStep