Merge pull request #16242 from MathiasVP/fix-tostring-on-nodes

C++: Fix `toString` on non-`ExprNode`s
github · Apr 18, 2024 · a108fcd · a108fcd
2 parents decd576 + 45b1a5e
commit a108fcd
Show file tree

Hide file tree

Showing 21 changed files with 246 additions and 236 deletions.
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll
@@ -3,12 +3,26 @@
  * `toString` for `Instruction` and `Operand` dataflow nodes.
  */
 
+private import cpp
 private import semmle.code.cpp.ir.IR
 private import codeql.util.Unit
 private import Node0ToString
 private import DataFlowUtil
 private import DataFlowPrivate
 
+/**
+ * Gets the string representation of the unconverted expression `loc` if
+ * `loc` is an `Expression`.
+ *
+ * Otherwise, this gets the string representation of `loc`.
+ */
+private string unconvertedAstToString(Locatable loc) {
+  result = loc.(Expr).getUnconverted().toString()
+  or
+  not loc instanceof Expr and
+  result = loc.toString()
+}
+
 private class NormalNode0ToString extends Node0ToString {
   NormalNode0ToString() {
     // Silence warning about `this` not being bound.
@@ -18,14 +32,10 @@ private class NormalNode0ToString extends Node0ToString {
   override string instructionToString(Instruction i) {
     if i.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
     then result = "this"
-    else result = i.getAst().toString()
+    else result = unconvertedAstToString(i.getAst())
   }
 
-  override string operandToString(Operand op) {
-    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = op.getDef().getAst().toString()
-  }
+  override string operandToString(Operand op) { result = this.instructionToString(op.getDef()) }
 
   override string toExprString(Node n) {
     result = n.asExpr(0).toString()

diff --git a/...sts/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected b/...sts/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected
@@ -1,13 +1,13 @@
 edges
-| test.cpp:22:17:22:21 | (size_t)... | test.cpp:23:33:23:37 | size1 | provenance |  |
-| test.cpp:22:17:22:21 | ... * ... | test.cpp:22:17:22:21 | (size_t)... | provenance |  |
+| test.cpp:22:17:22:21 | ... * ... | test.cpp:22:17:22:21 | ... * ... | provenance |  |
+| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | provenance |  |
 | test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size | provenance |  |
 | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size | provenance |  |
 nodes
 | test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
 | test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
 | test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... |
-| test.cpp:22:17:22:21 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... |
 | test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... |
 | test.cpp:23:33:23:37 | size1 | semmle.label | size1 |
 | test.cpp:30:18:30:32 | ... * ... | semmle.label | ... * ... |

diff --git a/...imental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected b/...imental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
@@ -18,9 +18,9 @@ edges
 | test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... | provenance |  |
 | test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p | provenance |  |
 | test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf | provenance |  |
-| test.cpp:85:21:85:36 | (char *)... | test.cpp:87:5:87:31 | access to array | provenance |  |
-| test.cpp:85:21:85:36 | (char *)... | test.cpp:88:5:88:27 | access to array | provenance |  |
-| test.cpp:85:34:85:36 | buf | test.cpp:85:21:85:36 | (char *)... | provenance |  |
+| test.cpp:85:21:85:36 | buf | test.cpp:87:5:87:31 | access to array | provenance |  |
+| test.cpp:85:21:85:36 | buf | test.cpp:88:5:88:27 | access to array | provenance |  |
+| test.cpp:85:34:85:36 | buf | test.cpp:85:21:85:36 | buf | provenance |  |
 | test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array | provenance |  |
 | test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array | provenance |  |
 | test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array | provenance |  |
@@ -42,12 +42,12 @@ edges
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:156:12:156:18 | ... + ... | provenance |  |
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... | provenance |  |
 | test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p | provenance |  |
-| test.cpp:218:16:218:28 | (int *)... | test.cpp:220:5:220:11 | access to array | provenance |  |
-| test.cpp:218:16:218:28 | (int *)... | test.cpp:221:5:221:11 | access to array | provenance |  |
-| test.cpp:218:23:218:28 | buffer | test.cpp:218:16:218:28 | (int *)... | provenance |  |
-| test.cpp:229:17:229:29 | (vec2 *)... | test.cpp:231:5:231:10 | access to array | provenance |  |
-| test.cpp:229:17:229:29 | (vec2 *)... | test.cpp:232:5:232:10 | access to array | provenance |  |
-| test.cpp:229:25:229:29 | array | test.cpp:229:17:229:29 | (vec2 *)... | provenance |  |
+| test.cpp:218:16:218:28 | buffer | test.cpp:220:5:220:11 | access to array | provenance |  |
+| test.cpp:218:16:218:28 | buffer | test.cpp:221:5:221:11 | access to array | provenance |  |
+| test.cpp:218:23:218:28 | buffer | test.cpp:218:16:218:28 | buffer | provenance |  |
+| test.cpp:229:17:229:29 | array | test.cpp:231:5:231:10 | access to array | provenance |  |
+| test.cpp:229:17:229:29 | array | test.cpp:232:5:232:10 | access to array | provenance |  |
+| test.cpp:229:25:229:29 | array | test.cpp:229:17:229:29 | array | provenance |  |
 | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance |  |
 | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance |  |
 | test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p | provenance |  |
@@ -111,7 +111,7 @@ nodes
 | test.cpp:77:32:77:34 | buf | semmle.label | buf |
 | test.cpp:79:27:79:34 | buf | semmle.label | buf |
 | test.cpp:79:32:79:34 | buf | semmle.label | buf |
-| test.cpp:85:21:85:36 | (char *)... | semmle.label | (char *)... |
+| test.cpp:85:21:85:36 | buf | semmle.label | buf |
 | test.cpp:85:34:85:36 | buf | semmle.label | buf |
 | test.cpp:87:5:87:31 | access to array | semmle.label | access to array |
 | test.cpp:88:5:88:27 | access to array | semmle.label | access to array |
@@ -137,11 +137,11 @@ nodes
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
 | test.cpp:158:17:158:18 | *& ... | semmle.label | *& ... |
-| test.cpp:218:16:218:28 | (int *)... | semmle.label | (int *)... |
+| test.cpp:218:16:218:28 | buffer | semmle.label | buffer |
 | test.cpp:218:23:218:28 | buffer | semmle.label | buffer |
 | test.cpp:220:5:220:11 | access to array | semmle.label | access to array |
 | test.cpp:221:5:221:11 | access to array | semmle.label | access to array |
-| test.cpp:229:17:229:29 | (vec2 *)... | semmle.label | (vec2 *)... |
+| test.cpp:229:17:229:29 | array | semmle.label | array |
 | test.cpp:229:25:229:29 | array | semmle.label | array |
 | test.cpp:231:5:231:10 | access to array | semmle.label | access to array |
 | test.cpp:232:5:232:10 | access to array | semmle.label | access to array |

diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected
@@ -125,8 +125,8 @@
 | test.cpp:384:16:384:23 | *& ... | test.cpp:384:3:384:8 | *call to memcpy |
 | test.cpp:384:16:384:23 | *& ... | test.cpp:384:10:384:13 | memcpy output argument |
 | test.cpp:384:16:384:23 | *& ... | test.cpp:384:16:384:23 | *& ... |
-| test.cpp:384:16:384:23 | **(const void *)... | test.cpp:384:3:384:8 | **call to memcpy |
-| test.cpp:384:16:384:23 | **(const void *)... | test.cpp:384:10:384:13 | memcpy output argument |
+| test.cpp:384:16:384:23 | **& ... | test.cpp:384:3:384:8 | **call to memcpy |
+| test.cpp:384:16:384:23 | **& ... | test.cpp:384:10:384:13 | memcpy output argument |
 | test.cpp:384:17:384:23 | *source1 | test.cpp:384:16:384:23 | *& ... |
 | test.cpp:384:17:384:23 | source1 | test.cpp:384:16:384:23 | & ... |
 | test.cpp:388:53:388:59 | source1 | test.cpp:391:16:391:23 | *& ... |
@@ -152,8 +152,8 @@
 | test.cpp:391:16:391:23 | *& ... | test.cpp:391:3:391:8 | *call to memcpy |
 | test.cpp:391:16:391:23 | *& ... | test.cpp:391:10:391:13 | memcpy output argument |
 | test.cpp:391:16:391:23 | *& ... | test.cpp:391:16:391:23 | *& ... |
-| test.cpp:391:16:391:23 | **(const void *)... | test.cpp:391:3:391:8 | **call to memcpy |
-| test.cpp:391:16:391:23 | **(const void *)... | test.cpp:391:10:391:13 | memcpy output argument |
+| test.cpp:391:16:391:23 | **& ... | test.cpp:391:3:391:8 | **call to memcpy |
+| test.cpp:391:16:391:23 | **& ... | test.cpp:391:10:391:13 | memcpy output argument |
 | test.cpp:391:17:391:23 | *source1 | test.cpp:391:16:391:23 | *& ... |
 | test.cpp:391:17:391:23 | source1 | test.cpp:391:16:391:23 | & ... |
 | test.cpp:392:8:392:10 | tmp | test.cpp:394:10:394:12 | tmp |

diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected
@@ -7,12 +7,12 @@ incorrectBaseType
 | flowOut.cpp:84:9:84:10 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
 | flowOut.cpp:101:13:101:14 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
 | self_parameter_flow.cpp:8:8:8:9 | *& ... | Expected 'Node.getType()' to be unsigned char, but it was unsigned char * |
-| test.cpp:67:28:67:37 | (reference dereference) | Expected 'Node.getType()' to be const int, but it was int * |
+| test.cpp:67:28:67:37 | call to move | Expected 'Node.getType()' to be const int, but it was int * |
 | test.cpp:531:39:531:40 | *& ... | Expected 'Node.getType()' to be int, but it was const int * |
 | test.cpp:615:13:615:21 | *& ... | Expected 'Node.getType()' to be int, but it was void |
 | test.cpp:704:22:704:25 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
 | test.cpp:715:24:715:25 | *& ... | Expected 'Node.getType()' to be unsigned char, but it was unsigned char * |
-| test.cpp:848:23:848:25 | (reference dereference) | Expected 'Node.getType()' to be int, but it was int * |
+| test.cpp:848:23:848:25 | rpx | Expected 'Node.getType()' to be int, but it was int * |
 | test.cpp:854:10:854:36 | * ... | Expected 'Node.getType()' to be const int, but it was int |
 | test.cpp:867:10:867:30 | * ... | Expected 'Node.getType()' to be const int, but it was int |
 | test.cpp:1062:52:1062:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * |

diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -58,13 +58,13 @@ edges
 | A.cpp:100:5:100:6 | *c1 [post update] [a] | A.cpp:101:8:101:9 | *c1 [a] | provenance |  |
 | A.cpp:100:5:100:13 | ... = ... | A.cpp:100:5:100:6 | *c1 [post update] [a] | provenance |  |
 | A.cpp:101:8:101:9 | *c1 [a] | A.cpp:103:14:103:14 | *c [a] | provenance |  |
-| A.cpp:103:14:103:14 | *c [a] | A.cpp:105:18:105:38 | *dynamic_cast<C1 *>... [a] | provenance |  |
-| A.cpp:103:14:103:14 | *c [a] | A.cpp:110:18:110:38 | *dynamic_cast<C2 *>... [a] | provenance |  |
-| A.cpp:105:18:105:38 | *dynamic_cast<C1 *>... [a] | A.cpp:107:12:107:13 | *c1 [a] | provenance |  |
+| A.cpp:103:14:103:14 | *c [a] | A.cpp:105:18:105:38 | *c [a] | provenance |  |
+| A.cpp:103:14:103:14 | *c [a] | A.cpp:110:18:110:38 | *c [a] | provenance |  |
+| A.cpp:105:18:105:38 | *c [a] | A.cpp:107:12:107:13 | *c1 [a] | provenance |  |
 | A.cpp:107:12:107:13 | *c1 [a] | A.cpp:107:12:107:16 | a | provenance |  |
-| A.cpp:110:18:110:38 | *dynamic_cast<C2 *>... [a] | A.cpp:112:7:112:13 | *... = ... [a] | provenance |  |
-| A.cpp:112:7:112:13 | *... = ... [a] | A.cpp:118:18:118:39 | *dynamic_cast<C1 *>... [a] | provenance |  |
-| A.cpp:118:18:118:39 | *dynamic_cast<C1 *>... [a] | A.cpp:120:12:120:13 | *c1 [a] | provenance |  |
+| A.cpp:110:18:110:38 | *c [a] | A.cpp:112:7:112:13 | *... = ... [a] | provenance |  |
+| A.cpp:112:7:112:13 | *... = ... [a] | A.cpp:118:18:118:39 | *cc [a] | provenance |  |
+| A.cpp:118:18:118:39 | *cc [a] | A.cpp:120:12:120:13 | *c1 [a] | provenance |  |
 | A.cpp:120:12:120:13 | *c1 [a] | A.cpp:120:12:120:16 | a | provenance |  |
 | A.cpp:124:14:124:14 | *b [c] | A.cpp:131:8:131:8 | f7 output argument [c] | provenance |  |
 | A.cpp:126:5:126:5 | set output argument [c] | A.cpp:124:14:124:14 | *b [c] | provenance |  |
@@ -906,12 +906,12 @@ nodes
 | A.cpp:100:5:100:13 | ... = ... | semmle.label | ... = ... |
 | A.cpp:101:8:101:9 | *c1 [a] | semmle.label | *c1 [a] |
 | A.cpp:103:14:103:14 | *c [a] | semmle.label | *c [a] |
-| A.cpp:105:18:105:38 | *dynamic_cast<C1 *>... [a] | semmle.label | *dynamic_cast<C1 *>... [a] |
+| A.cpp:105:18:105:38 | *c [a] | semmle.label | *c [a] |
 | A.cpp:107:12:107:13 | *c1 [a] | semmle.label | *c1 [a] |
 | A.cpp:107:12:107:16 | a | semmle.label | a |
-| A.cpp:110:18:110:38 | *dynamic_cast<C2 *>... [a] | semmle.label | *dynamic_cast<C2 *>... [a] |
+| A.cpp:110:18:110:38 | *c [a] | semmle.label | *c [a] |
 | A.cpp:112:7:112:13 | *... = ... [a] | semmle.label | *... = ... [a] |
-| A.cpp:118:18:118:39 | *dynamic_cast<C1 *>... [a] | semmle.label | *dynamic_cast<C1 *>... [a] |
+| A.cpp:118:18:118:39 | *cc [a] | semmle.label | *cc [a] |
 | A.cpp:120:12:120:13 | *c1 [a] | semmle.label | *c1 [a] |
 | A.cpp:120:12:120:16 | a | semmle.label | a |
 | A.cpp:124:14:124:14 | *b [c] | semmle.label | *b [c] |