C++: Handle the extent of 'new[]' in 'getConvertedResultExpressionImpl0' and add a few more comments.

MathiasVP · MathiasVP · commit 7d2c12e63dd4 · 2023-09-12T10:28:36.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -1088,15 +1088,31 @@ private module GetConvertedResultExpression {
   }
 
   private Expr getConvertedResultExpressionImpl0(Instruction instr) {
+    // For an expression such as `i += 2` we pretend that the generated
+    // `StoreInstruction` contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
     exists(TranslatedAssignOperation tao |
       result = tao.getExpr() and
       instr = tao.getInstruction(any(AssignmentStoreTag tag))
     )
     or
+    // Similarly for `i++` and `++i` we pretend that the generated
+    // `StoreInstruction` is contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
     exists(TranslatedCrementOperation tco |
       result = tco.getExpr() and
       instr = tco.getInstruction(any(CrementStoreTag tag))
     )
+    or
+    // IR construction inserts an additional cast to a `size_t` on the extent
+    // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
+    // a result for `getConvertedResultExpression`. We remap this here so that
+    // this `ConvertInstruction` maps to the result of the expression that
+    // represents the extent.
+    exists(TranslatedNonConstantAllocationSize tas |
+      result = tas.getExtent().getExpr() and
+      instr = tas.getInstruction(any(AllocationExtentConvertTag tag))
+    )
   }
 
   private Expr getConvertedResultExpressionImpl(Instruction instr) {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -1956,9 +1956,7 @@ class TranslatedNonConstantAllocationSize extends TranslatedAllocationSize {
     result = this.getExtent().getResult()
   }
 
-  private TranslatedExpr getExtent() {
-    result = getTranslatedExpr(expr.getExtent().getFullyConverted())
-  }
+  TranslatedExpr getExtent() { result = getTranslatedExpr(expr.getExtent().getFullyConverted()) }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -1956,9 +1956,7 @@ class TranslatedNonConstantAllocationSize extends TranslatedAllocationSize {`
`1956`	`1956`	`result = this.getExtent().getResult()`
`1957`	`1957`	`}`
`1958`	`1958`
`1959`		`- private TranslatedExpr getExtent() {`
`1960`		`- result = getTranslatedExpr(expr.getExtent().getFullyConverted())`
`1961`		`- }`
	`1959`	`+ TranslatedExpr getExtent() { result = getTranslatedExpr(expr.getExtent().getFullyConverted()) }`
`1962`	`1960`	`}`
`1963`	`1961`
`1964`	`1962`	`/**`