Create IndirectUninitializedNode and add a bridge from it to LocalVariable

This way the changes do not alter the meaning of `UninitializedNode`. In the meantime, the code still provides a specialized `Node` type `IndirectUninitializedNode` to access the nodes behind levels of indirection.
2026-03-31 20:58:16 +02:00 · 2026-03-13 11:39:57 -07:00
parent 8c03136c25
commit d3066af2e2
1 changed files with 47 additions and 0 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
@@ -617,6 +617,25 @@ module Public {
     */
    LocalVariable asUninitialized() { result = this.(UninitializedNode).getLocalVariable() }

+    /**
+     * Gets the uninitialized local variable corresponding to this node behind
+     * the given levels of indirection, if any.
+     */
+    LocalVariable asIndirectUninitialized(int indirectionIndex) {
+      exists(IndirectUninitializedNode indirectUninitializedNode |
+        this = indirectUninitializedNode and
+        indirectUninitializedNode.getIndirectionIndex() = indirectionIndex
+      |
+        result = indirectUninitializedNode.getLocalVariable()
+      )
+    }
+
+    /**
+     * Gets the uninitialized local variable corresponding to this node behind
+     * any levels of indirection, if any.
+     */
+    LocalVariable asIndirectUninitialized() { result = this.asIndirectUninitialized(_) }
+
    /**
     * Gets the positional parameter corresponding to the node that represents
     * the value of the parameter after `index` number of loads, if any. For
@@ -781,6 +800,34 @@ module Public {
    LocalVariable getLocalVariable() { result = v }
  }

+  /**
+   * The value of an uninitialized local variable behind one or more levels of
+   * indirection, viewed as a node in a data flow graph.
+   *
+   * NOTE: For the direct value of the uninitialized local variable, see
+   * `UninitializedNode`.
+   */
+  class IndirectUninitializedNode extends Node {
+    LocalVariable v;
+    int indirectionIndex;
+
+    IndirectUninitializedNode() {
+      exists(SsaImpl::Definition def, SsaImpl::SourceVariable sv |
+        def.getIndirectionIndex() = indirectionIndex and
+        indirectionIndex > 0 and // With `indirectionIndex` = 0, this class becomes the same as `UninitializedNode`.
+        def.getValue().asInstruction() instanceof UninitializedInstruction and
+        SsaImpl::defToNode(this, def, sv) and
+        v = sv.getBaseVariable().(SsaImpl::BaseIRVariable).getIRVariable().getAst()
+      )
+    }
+
+    /** Gets the uninitialized local variable corresponding to this node. */
+    LocalVariable getLocalVariable() { result = v }
+
+    /** Gets the level of indirection to get to this node. */
+    int getIndirectionIndex() { result = indirectionIndex }
+  }
+
  /**
   * The value of a parameter at function entry, viewed as a node in a data
   * flow graph. This includes both explicit parameters such as `x` in `f(x)`