Merge pull request #21212 from MathiasVP/fix-as-definition

C++: Fix missing results for `Node.asDefinition`
2026-02-11 20:51:06 +01:00 · 2026-01-23 19:39:22 +00:00
parent e36080061d 6c2a3a68b6
commit cabcb83b2f
5 changed files with 53 additions and 3 deletions
--- a/cpp/ql/lib/change-notes/2026-01-23-as-definition.md
+++ b/cpp/ql/lib/change-notes/2026-01-23-as-definition.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed a bug which caused `Node.asDefinition()` to not have a result for certain assignments.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -312,6 +312,13 @@ class Node extends TIRDataFlowNode {
   */
  Expr asDefinition() { result = this.asDefinition(_) }

+  private predicate isCertainStore() {
+    exists(SsaImpl::Definition def |
+      SsaImpl::defToNode(this, def, _) and
+      def.isCertain()
+    )
+  }
+
  /**
   * Gets the definition associated with this node, if any.
   *
@@ -361,11 +368,10 @@ class Node extends TIRDataFlowNode {
   * pointed to by `p`.
   */
  Expr asDefinition(boolean uncertain) {
-    exists(StoreInstruction store, SsaImpl::Definition def |
+    exists(StoreInstruction store |
      store = this.asInstruction() and
      result = asDefinitionImpl(store) and
-      SsaImpl::defToNode(this, def, _) and
-      if def.isCertain() then uncertain = false else uncertain = true
+      if this.isCertainStore() then uncertain = false else uncertain = true
    )
  }

--- a/cpp/ql/test/library-tests/dataflow/asDefinition/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/asDefinition/test.cpp
@@ -0,0 +1,18 @@
+struct S {
+  int x;
+};
+
+void use(int);
+
+void test() {
+  int y = 43; // $ asDefinition=43
+  use(y);
+  y = 44; // $ asDefinition="... = ..."
+  use(y);
+
+  int x = 43; // $ asDefinition=43
+  x = 44; // $ asDefinition="... = ..."
+
+  S s;
+  s.x = 42; // $ asDefinition="... = ..."
+}
--- a/cpp/ql/test/library-tests/dataflow/asDefinition/test.expected
+++ b/cpp/ql/test/library-tests/dataflow/asDefinition/test.expected
--- a/cpp/ql/test/library-tests/dataflow/asDefinition/test.ql
+++ b/cpp/ql/test/library-tests/dataflow/asDefinition/test.ql
@@ -0,0 +1,22 @@
+import cpp
+import utils.test.InlineExpectationsTest
+import semmle.code.cpp.dataflow.new.DataFlow::DataFlow
+
+bindingset[s]
+string quote(string s) { if s.matches("% %") then result = "\"" + s + "\"" else result = s }
+
+module AsDefinitionTest implements TestSig {
+  string getARelevantTag() { result = "asDefinition" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Node n, Expr e |
+      e = n.asDefinition() and
+      location = e.getLocation() and
+      element = n.toString() and
+      tag = "asDefinition" and
+      value = quote(e.toString())
+    )
+  }
+}
+
+import MakeTest<AsDefinitionTest>