C++: Data flow through StmtExpr

jbj · jbj · commit 0a57767cc6da · 2019-03-05T14:36:40.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -275,6 +275,10 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
     fromExpr = op.getOperand()
   )
   or
+  toExpr = any(StmtExpr stmtExpr |
+    fromExpr = stmtExpr.getResultExpr()
+  )
+  or
   toExpr = any(Call call |
     exists(DataFlowFunction f, FunctionInput inModel , FunctionOutput outModel, int iIn |
       call.getTarget() = f and
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -495,7 +495,7 @@ void intArraySourceCaller2() {
 ///////////////////////////////////////////////////////////////////////////////
 
 void throughStmtExpr(int source1, int clean1) {
-  sink( ({ source1; }) ); // tainted (FALSE NEGATIVE)
+  sink( ({ source1; }) ); // tainted
   sink( ({ clean1; }) ); // clean
 
   int local = ({
@@ -506,5 +506,5 @@ void throughStmtExpr(int source1, int clean1) {
       tmp = clean1;
     tmp;
   });
-  sink(local); // tainted (FALSE NEGATIVE)
+  sink(local); // tainted
 }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
@@ -35,6 +35,8 @@
 | test.cpp:478:8:478:12 | local | test.cpp:477:20:477:24 | ref arg local |
 | test.cpp:485:8:485:12 | local | test.cpp:484:18:484:23 | ref arg & ... |
 | test.cpp:491:8:491:12 | local | test.cpp:490:18:490:22 | ref arg local |
+| test.cpp:498:9:498:22 | (statement expression) | test.cpp:497:26:497:32 | source1 |
+| test.cpp:509:8:509:12 | local | test.cpp:497:26:497:32 | source1 |
 | true_upon_entry.cpp:21:8:21:8 | x | true_upon_entry.cpp:17:11:17:16 | call to source |
 | true_upon_entry.cpp:29:8:29:8 | x | true_upon_entry.cpp:27:9:27:14 | call to source |
 | true_upon_entry.cpp:39:8:39:8 | x | true_upon_entry.cpp:33:11:33:16 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
@@ -17,6 +17,8 @@
 | test.cpp:477:20:477:24 | test.cpp:478:8:478:12 | AST only |
 | test.cpp:484:18:484:23 | test.cpp:485:8:485:12 | AST only |
 | test.cpp:490:18:490:22 | test.cpp:491:8:491:12 | AST only |
+| test.cpp:497:26:497:32 | test.cpp:498:9:498:22 | AST only |
+| test.cpp:497:26:497:32 | test.cpp:509:8:509:12 | AST only |
 | true_upon_entry.cpp:9:11:9:16 | true_upon_entry.cpp:13:8:13:8 | IR only |
 | true_upon_entry.cpp:62:11:62:16 | true_upon_entry.cpp:66:8:66:8 | IR only |
 | true_upon_entry.cpp:98:11:98:16 | true_upon_entry.cpp:105:8:105:8 | IR only |
