C++: improve cast and ptr handling in taint test

cpp/ql/test/library-tests/dataflow/taint-tests/IRTaintTestCommon.qll

@@ -1,4 +1,5 @@
 import cpp
+import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.TaintTracking
 
 /** Common data flow configuration to be used by tests. */
@@ -6,7 +7,7 @@ class TestAllocationConfig extends TaintTracking::Configuration {
   TestAllocationConfig() { this = "TestAllocationConfig" }
 
   override predicate isSource(DataFlow::Node source) {
-    source.asExpr().(FunctionCall).getTarget().getName() = "source"
+    source.(DataFlow::ExprNode).getConvertedExpr().(FunctionCall).getTarget().getName() = "source"
     or
     source.asParameter().getName().matches("source%")
     or
@@ -17,8 +18,20 @@ class TestAllocationConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) {
     exists(FunctionCall call |
       call.getTarget().getName() = "sink" and
-      sink.asExpr() = call.getAnArgument()
+      sink.(DataFlow::ExprNode).getConvertedExpr() = call.getAnArgument()
+      or
+      call.getTarget().getName() = "sink" and
+      sink.(DataFlow::ExprNode).asExpr() = call.getAnArgument() and
+      sink.(DataFlow::ExprNode).getConvertedExpr() instanceof ReferenceDereferenceExpr
     )
+    or
+    sink
+        .asInstruction()
+        .(ReadSideEffectInstruction)
+        .getPrimaryInstruction()
+        .(CallInstruction)
+        .getStaticCallTarget()
+        .hasName("sink")
   }
 
   override predicate isSanitizer(DataFlow::Node barrier) {

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -36,9 +36,7 @@
 | movableclass.cpp:65:11:65:11 | movableclass.cpp:65:13:65:18 | AST only |
 | movableclass.cpp:65:11:65:21 | movableclass.cpp:65:13:65:18 | IR only |
 | smart_pointer.cpp:12:10:12:10 | smart_pointer.cpp:11:52:11:57 | AST only |
-| smart_pointer.cpp:13:10:13:10 | smart_pointer.cpp:11:52:11:57 | AST only |
 | smart_pointer.cpp:24:10:24:10 | smart_pointer.cpp:23:52:23:57 | AST only |
-| smart_pointer.cpp:25:10:25:10 | smart_pointer.cpp:23:52:23:57 | AST only |
 | smart_pointer.cpp:52:12:52:14 | smart_pointer.cpp:51:52:51:57 | AST only |
 | smart_pointer.cpp:57:12:57:14 | smart_pointer.cpp:56:52:56:57 | AST only |
 | standalone_iterators.cpp:40:10:40:10 | standalone_iterators.cpp:39:45:39:51 | AST only |
@@ -52,15 +50,12 @@
 | string.cpp:38:13:38:17 | string.cpp:14:10:14:15 | AST only |
 | string.cpp:42:13:42:17 | string.cpp:14:10:14:15 | AST only |
 | string.cpp:45:13:45:17 | string.cpp:14:10:14:15 | AST only |
-| string.cpp:55:7:55:8 | string.cpp:50:19:50:26 | IR only |
 | string.cpp:56:7:56:8 | string.cpp:50:19:50:24 | AST only |
 | string.cpp:69:7:69:8 | string.cpp:61:19:61:24 | AST only |
 | string.cpp:70:7:70:8 | string.cpp:61:19:61:24 | AST only |
 | string.cpp:92:8:92:9 | string.cpp:87:18:87:23 | AST only |
 | string.cpp:93:8:93:9 | string.cpp:88:20:88:25 | AST only |
-| string.cpp:94:8:94:9 | string.cpp:90:8:90:13 | AST only |
 | string.cpp:113:8:113:9 | string.cpp:109:32:109:37 | AST only |
-| string.cpp:114:8:114:9 | string.cpp:111:20:111:25 | AST only |
 | string.cpp:121:8:121:8 | string.cpp:119:16:119:21 | AST only |
 | string.cpp:125:8:125:8 | string.cpp:119:16:119:21 | AST only |
 | string.cpp:129:8:129:8 | string.cpp:119:16:119:21 | AST only |
@@ -159,19 +154,11 @@
 | string.cpp:555:8:555:8 | string.cpp:549:27:549:32 | AST only |
 | string.cpp:556:8:556:8 | string.cpp:550:31:550:36 | AST only |
 | string.cpp:557:8:557:8 | string.cpp:551:18:551:23 | AST only |
-| stringstream.cpp:32:11:32:11 | stringstream.cpp:32:14:32:21 | IR only |
 | stringstream.cpp:32:11:32:22 | stringstream.cpp:32:14:32:19 | IR only |
-| stringstream.cpp:32:11:32:22 | stringstream.cpp:32:14:32:21 | IR only |
-| stringstream.cpp:33:20:33:20 | stringstream.cpp:33:23:33:30 | IR only |
 | stringstream.cpp:33:20:33:31 | stringstream.cpp:33:23:33:28 | IR only |
-| stringstream.cpp:33:20:33:31 | stringstream.cpp:33:23:33:30 | IR only |
-| stringstream.cpp:34:23:34:23 | stringstream.cpp:34:14:34:21 | IR only |
 | stringstream.cpp:34:23:34:31 | stringstream.cpp:34:14:34:19 | IR only |
-| stringstream.cpp:34:23:34:31 | stringstream.cpp:34:14:34:21 | IR only |
 | stringstream.cpp:35:11:35:11 | stringstream.cpp:29:16:29:21 | AST only |
-| stringstream.cpp:38:7:38:9 | stringstream.cpp:32:14:32:19 | AST only |
 | stringstream.cpp:39:7:39:9 | stringstream.cpp:33:23:33:28 | AST only |
-| stringstream.cpp:40:7:40:9 | stringstream.cpp:34:14:34:19 | AST only |
 | stringstream.cpp:41:7:41:9 | stringstream.cpp:29:16:29:21 | AST only |
 | stringstream.cpp:43:11:43:13 | stringstream.cpp:32:14:32:19 | AST only |
 | stringstream.cpp:44:11:44:13 | stringstream.cpp:33:23:33:28 | AST only |
@@ -196,9 +183,7 @@
 | stringstream.cpp:107:7:107:9 | stringstream.cpp:100:31:100:36 | AST only |
 | stringstream.cpp:121:7:121:9 | stringstream.cpp:113:24:113:29 | AST only |
 | stringstream.cpp:123:7:123:9 | stringstream.cpp:115:24:115:29 | AST only |
-| stringstream.cpp:143:11:143:11 | stringstream.cpp:143:14:143:21 | IR only |
 | stringstream.cpp:143:11:143:22 | stringstream.cpp:143:14:143:19 | IR only |
-| stringstream.cpp:143:11:143:22 | stringstream.cpp:143:14:143:21 | IR only |
 | swap1.cpp:78:12:78:16 | swap1.cpp:69:23:69:23 | AST only |
 | swap1.cpp:87:13:87:17 | swap1.cpp:82:16:82:21 | AST only |
 | swap1.cpp:88:13:88:17 | swap1.cpp:81:27:81:28 | AST only |
@@ -216,7 +201,6 @@
 | taint.cpp:42:7:42:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:43:7:43:13 | taint.cpp:37:22:37:27 | AST only |
 | taint.cpp:137:7:137:9 | taint.cpp:120:11:120:16 | AST only |
-| taint.cpp:173:8:173:13 | taint.cpp:164:19:164:24 | AST only |
 | taint.cpp:195:7:195:7 | taint.cpp:192:23:192:28 | AST only |
 | taint.cpp:195:7:195:7 | taint.cpp:193:6:193:6 | AST only |
 | taint.cpp:236:3:236:6 | taint.cpp:223:10:223:15 | AST only |

cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected

@@ -24,7 +24,6 @@
 | copyableclass.cpp:65:8:65:9 | s1 | copyableclass.cpp:60:40:60:45 | call to source |
 | copyableclass.cpp:66:8:66:9 | s2 | copyableclass.cpp:63:24:63:29 | call to source |
 | copyableclass.cpp:67:11:67:21 | (reference dereference) | copyableclass.cpp:67:13:67:18 | call to source |
-| format.cpp:157:7:157:22 | (int)... | format.cpp:147:12:147:25 | call to source |
 | format.cpp:157:7:157:22 | access to array | format.cpp:147:12:147:25 | call to source |
 | format.cpp:158:7:158:27 | ... + ... | format.cpp:148:16:148:30 | call to source |
 | movableclass.cpp:44:8:44:9 | s1 | movableclass.cpp:39:21:39:26 | call to source |
@@ -34,42 +33,22 @@
 | movableclass.cpp:55:8:55:9 | s2 | movableclass.cpp:52:23:52:28 | call to source |
 | movableclass.cpp:64:8:64:9 | s2 | movableclass.cpp:23:55:23:60 | call to source |
 | movableclass.cpp:65:11:65:21 | (reference dereference) | movableclass.cpp:65:13:65:18 | call to source |
-| string.cpp:28:7:28:7 | (const char *)... | string.cpp:24:12:24:17 | call to source |
+| smart_pointer.cpp:13:10:13:10 | Argument 0 indirection | smart_pointer.cpp:11:52:11:57 | call to source |
+| smart_pointer.cpp:25:10:25:10 | Argument 0 indirection | smart_pointer.cpp:23:52:23:57 | call to source |
 | string.cpp:28:7:28:7 | a | string.cpp:24:12:24:17 | call to source |
 | string.cpp:55:7:55:8 | cs | string.cpp:50:19:50:24 | call to source |
-| string.cpp:55:7:55:8 | cs | string.cpp:50:19:50:26 | (const char *)... |
+| string.cpp:94:8:94:9 | Argument 0 indirection | string.cpp:90:8:90:13 | call to source |
+| string.cpp:114:8:114:9 | Argument 0 indirection | string.cpp:111:20:111:25 | call to source |
 | stringstream.cpp:32:11:32:11 | call to operator<< | stringstream.cpp:32:14:32:19 | call to source |
-| stringstream.cpp:32:11:32:11 | call to operator<< | stringstream.cpp:32:14:32:21 | (const char *)... |
-| stringstream.cpp:32:11:32:22 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:32:14:32:19 | call to source |
-| stringstream.cpp:32:11:32:22 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:32:14:32:21 | (const char *)... |
 | stringstream.cpp:32:11:32:22 | (reference dereference) | stringstream.cpp:32:14:32:19 | call to source |
-| stringstream.cpp:32:11:32:22 | (reference dereference) | stringstream.cpp:32:14:32:21 | (const char *)... |
-| stringstream.cpp:32:11:32:22 | (reference to) | stringstream.cpp:32:14:32:19 | call to source |
-| stringstream.cpp:32:11:32:22 | (reference to) | stringstream.cpp:32:14:32:21 | (const char *)... |
 | stringstream.cpp:33:20:33:20 | call to operator<< | stringstream.cpp:33:23:33:28 | call to source |
-| stringstream.cpp:33:20:33:20 | call to operator<< | stringstream.cpp:33:23:33:30 | (const char *)... |
-| stringstream.cpp:33:20:33:31 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:33:23:33:28 | call to source |
-| stringstream.cpp:33:20:33:31 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:33:23:33:30 | (const char *)... |
 | stringstream.cpp:33:20:33:31 | (reference dereference) | stringstream.cpp:33:23:33:28 | call to source |
-| stringstream.cpp:33:20:33:31 | (reference dereference) | stringstream.cpp:33:23:33:30 | (const char *)... |
-| stringstream.cpp:33:20:33:31 | (reference to) | stringstream.cpp:33:23:33:28 | call to source |
-| stringstream.cpp:33:20:33:31 | (reference to) | stringstream.cpp:33:23:33:30 | (const char *)... |
 | stringstream.cpp:34:23:34:23 | call to operator<< | stringstream.cpp:34:14:34:19 | call to source |
-| stringstream.cpp:34:23:34:23 | call to operator<< | stringstream.cpp:34:14:34:21 | (const char *)... |
-| stringstream.cpp:34:23:34:31 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:34:14:34:19 | call to source |
-| stringstream.cpp:34:23:34:31 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:34:14:34:21 | (const char *)... |
 | stringstream.cpp:34:23:34:31 | (reference dereference) | stringstream.cpp:34:14:34:19 | call to source |
-| stringstream.cpp:34:23:34:31 | (reference dereference) | stringstream.cpp:34:14:34:21 | (const char *)... |
-| stringstream.cpp:34:23:34:31 | (reference to) | stringstream.cpp:34:14:34:19 | call to source |
-| stringstream.cpp:34:23:34:31 | (reference to) | stringstream.cpp:34:14:34:21 | (const char *)... |
+| stringstream.cpp:38:7:38:9 | Argument 0 indirection | stringstream.cpp:32:14:32:19 | call to source |
+| stringstream.cpp:40:7:40:9 | Argument 0 indirection | stringstream.cpp:34:14:34:19 | call to source |
 | stringstream.cpp:143:11:143:11 | call to operator<< | stringstream.cpp:143:14:143:19 | call to source |
-| stringstream.cpp:143:11:143:11 | call to operator<< | stringstream.cpp:143:14:143:21 | (const char *)... |
-| stringstream.cpp:143:11:143:22 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:143:14:143:19 | call to source |
-| stringstream.cpp:143:11:143:22 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:143:14:143:21 | (const char *)... |
 | stringstream.cpp:143:11:143:22 | (reference dereference) | stringstream.cpp:143:14:143:19 | call to source |
-| stringstream.cpp:143:11:143:22 | (reference dereference) | stringstream.cpp:143:14:143:21 | (const char *)... |
-| stringstream.cpp:143:11:143:22 | (reference to) | stringstream.cpp:143:14:143:19 | call to source |
-| stringstream.cpp:143:11:143:22 | (reference to) | stringstream.cpp:143:14:143:21 | (const char *)... |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
@@ -127,6 +106,7 @@
 | taint.cpp:151:7:151:12 | call to select | taint.cpp:151:20:151:25 | call to source |
 | taint.cpp:167:8:167:13 | call to source | taint.cpp:167:8:167:13 | call to source |
 | taint.cpp:168:8:168:14 | tainted | taint.cpp:164:19:164:24 | call to source |
+| taint.cpp:173:8:173:13 | Argument 0 indirection | taint.cpp:164:19:164:24 | call to source |
 | taint.cpp:181:8:181:9 | * ... | taint.cpp:185:11:185:16 | call to source |
 | taint.cpp:210:7:210:7 | x | taint.cpp:207:6:207:11 | call to source |
 | taint.cpp:215:7:215:7 | x | taint.cpp:207:6:207:11 | call to source |