C++: Ignore addresses of 'InitializeDynamicAllocationInstruction' in 'unique' when converting between instructions and expression in dataflow.

2025-12-22 11:46:32 +01:00 · 2023-09-18 17:55:19 +01:00
parent 3df36ec89c
commit d2e66a1186
1 changed files with 14 additions and 1 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -1066,6 +1066,10 @@ private module GetConvertedResultExpression {
  private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
  private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag

+  private Operand getAnInitializeDynamicAllocationInstructionAddress() {
+    result = any(InitializeDynamicAllocationInstruction init).getAllocationAddressOperand()
+  }
+
  /**
   * Gets the expression that should be returned as the result expression from `instr`.
   *
@@ -1074,7 +1078,16 @@ private module GetConvertedResultExpression {
   */
  Expr getConvertedResultExpression(Instruction instr, int n) {
    // Only fully converted instructions has a result for `asConvertedExpr`
-    not conversionFlow(unique( | | getAUse(instr)), _, false, false) and
+    not conversionFlow(unique(Operand op |
+        // The address operand of a `InitializeDynamicAllocationInstruction` is
+        // special: we need to handle it during dataflow (since it's
+        // effectively a store to an indirection), but it doesn't appear in
+        // source syntax, so dataflow node <-> expression conversion shouldn't
+        // care about it.
+        op = getAUse(instr) and not op = getAnInitializeDynamicAllocationInstructionAddress()
+      |
+        op
+      ), _, false, false) and
    result = getConvertedResultExpressionImpl(instr) and
    n = 0
    or