C++: Fix a object->pointer conflation problem. This piece of code was

MathiasVP · MathiasVP · commit 0783d46767fa · 2021-10-27T16:00:27.000+01:00
supposed to send flow from the `InitializeIndirection` instruction to
the next use of the memory defined by that instruction, but it didn't
actually call `flowOutOfAddressStep` on the result of the call to
`ssaFlow` to ensure that we moved from the pointer to the object.
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -734,21 +734,6 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   or
   // Adjacent-def-use and adjacent-use-use flow
   adjacentDefUseFlow(nodeFrom, nodeTo)
-  or
-  // When we want to transfer flow out of a `StoreNode` we perform two steps:
-  // 1. Find the next use of the address being stored to
-  // 2. Find the `LoadInstruction` that loads the address
-  // When the address being stored into doesn't have a `LoadInstruction` associated with it because it's
-  // passed into a `CallInstruction` we transfer flow to the `ReadSideEffect`, which will then flow into
-  // the callee. We then pickup the flow from the `InitializeIndirectionInstruction` and use the shared
-  // SSA library to determine where the next use of the address that received the flow is.
-  exists(Node init |
-    nodeFrom.asInstruction().(InitializeIndirectionInstruction).getIRVariable() =
-      init.asInstruction().(InitializeParameterInstruction).getIRVariable() and
-    // No need for the flow if the next use is the instruction that returns the flow out of the callee.
-    not nodeTo.asInstruction() instanceof ReturnIndirectionInstruction and
-    Ssa::ssaFlow(init, nodeTo)
-  )
 }
 
 private predicate adjacentDefUseFlow(Node nodeFrom, Node nodeTo) {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll
@@ -403,6 +403,24 @@ private module Cached {
     fromPhiNode(nodeFrom, nodeTo)
     or
     toPhiNode(nodeFrom, nodeTo)
+    or
+    // When we want to transfer flow out of a `StoreNode` we perform two steps:
+    // 1. Find the next use of the address being stored to
+    // 2. Find the `LoadInstruction` that loads the address
+    // When the address being stored into doesn't have a `LoadInstruction` associated with it because it's
+    // passed into a `CallInstruction` we transfer flow to the `ReadSideEffect`, which will then flow into
+    // the callee. We then pickup the flow from the `InitializeIndirectionInstruction` and use the shared
+    // SSA library to determine where the next use of the address that received the flow is.
+    exists(Node init, Node mid |
+      nodeFrom.asInstruction().(InitializeIndirectionInstruction).getIRVariable() =
+        init.asInstruction().(InitializeParameterInstruction).getIRVariable() and
+      // No need for the flow if the next use is the instruction that returns the flow out of the callee.
+      not mid.asInstruction() instanceof ReturnIndirectionInstruction and
+      // Find the next use of the address
+      ssaFlow(init, mid) and
+      // And flow to the next load of that address
+      flowOutOfAddressStep([mid.asInstruction().getAUse(), mid.asOperand()], nodeTo)
+    )
   }
 
   private predicate valueFlow(Instruction iFrom, Instruction iTo) {
