C++: Remove more address -> value flow in the name of performance.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -130,6 +130,7 @@ private module VirtualDispatch {
    *
    * Used to fix a join ordering issue in flowsFrom.
    */
+  pragma[noinline]
   private predicate returnNodeWithKindAndEnclosingCallable(
     ReturnNode node, ReturnKind kind, DataFlowCallable callable
   ) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -809,11 +809,17 @@ private module StoreNodeFlow {
 private predicate simpleOperandLocalFlowStep(Instruction iFrom, Operand opTo) {
   // Propagate flow from an instruction to its exact uses.
   // We do this for all instruction/operand pairs, except when the operand is the
-  // side effect operand of a ReturnIndirectionInstruction. This is because we
-  // get this flow through the shared SSA library already, and including this
-  // flow here will create multiple paths from a parameter node to a return node
-  // which creates a blowup when computing dataflow.
-  not any(ReturnIndirectionInstruction ret).getSideEffectOperand() = opTo and
+  // side effect operand of a ReturnIndirectionInstruction, or the load operand of a LoadInstruction.
+  // This is because we get these flows through the shared SSA library already, and including this
+  // flow here will create multiple dataflow paths which creates a blowup in stage 3 of dataflow.
+  (
+    not any(ReturnIndirectionInstruction ret).getSideEffectOperand() = opTo and
+    not any(LoadInstruction load).getSourceValueOperand() = opTo
+    or
+    // We do, however, need the flow from phi instructions as we don't use the phi nodes generated by
+    // the shared SSA library.
+    iFrom instanceof PhiInstruction
+  ) and
   opTo.getDef() = iFrom
   or
   // Since the side effect operand of a `ReadSideEffectInstruction` is never precise we
@@ -825,6 +831,23 @@ private predicate simpleOperandLocalFlowStep(Instruction iFrom, Operand opTo) {
   )
 }
 
+pragma[noinline]
+private predicate getAddressType(LoadInstruction load, Type t) {
+  exists(Instruction address |
+    address = load.getSourceAddress() and
+    t = address.getResultType()
+  )
+}
+
+private class ReferenceDereferenceInstruction extends LoadInstruction {
+  ReferenceDereferenceInstruction() {
+    exists(ReferenceType ref |
+      getAddressType(this, ref) and
+      this.getResultType() = ref.getBaseType()
+    )
+  }
+}
+
 private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
   iTo.(CopyInstruction).getSourceValueOperand() = opFrom
   or
@@ -837,6 +860,9 @@ private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo
   or
   iTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom
   or
+  // Conflate references and values like in AST dataflow.
+  iTo.(ReferenceDereferenceInstruction).getSourceAddressOperand() = opFrom
+  or
   // Flow through modeled functions
   modelFlow(opFrom, iTo)
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll

@@ -309,11 +309,22 @@ private Instruction getDefinitionOrChiInstruction(Instruction input) {
 }
 
 private predicate phiHasInput(PhiInstruction phi, Node input) {
-  getDefinitionOrChiInstruction(phi.getAnInput()) =
-    [input.asInstruction(), input.(StoreNode).getStoreInstruction()]
+  getDefinitionOrChiInstruction(phi.getAnInput()) = input.asInstruction()
+  or
+  exists(StoreNode storeNode |
+    storeNode = input and
+    storeNode.isTerminal() and
+    getDefinitionOrChiInstruction(phi.getAnInput()) = storeNode.getStoreInstruction()
+  )
 }
 
-private predicate adjacentDefRead(Node nodeFrom, Node nodeTo) {
+/**
+ * Holds if `nodeFrom` is a read or write, and `nTo` is the next subsequent read of the variable
+ * written (or read) by `storeOrRead`.
+ */
+cached
+predicate ssaFlow(Node nodeFrom, Node nodeTo) {
+  // Def-use/use-use flow from an `InstructionNode` to an `OperandNode`.
   exists(IRBlock bb1, int i1, IRBlock bb2, int i2, DefOrUse defOrUse, Use use |
     defOrUse.hasRankInBlock(bb1, i1) and
     use.hasRankInBlock(bb2, i2) and
@@ -322,6 +333,7 @@ private predicate adjacentDefRead(Node nodeFrom, Node nodeTo) {
     flowOutOfAddressStep(use.getOperand(), nodeTo)
   )
   or
+  // Use-use flow from a `ReadNode` to an `OperandNode`.
   exists(ReadNode read, IRBlock bb1, int i1, IRBlock bb2, int i2, Use use1, Use use2 |
     read = nodeFrom and
     use1.hasRankInBlock(bb1, i1) and
@@ -331,6 +343,7 @@ private predicate adjacentDefRead(Node nodeFrom, Node nodeTo) {
     flowOutOfAddressStep(use2.getOperand(), nodeTo)
   )
   or
+  // Def-use flow from a `StoreNode` to an `OperandNode`.
   exists(StoreNode store, IRBlock bb1, int i1, IRBlock bb2, int i2, Def def, Use use |
     store = nodeFrom and
     store.isTerminal() and
@@ -341,9 +354,9 @@ private predicate adjacentDefRead(Node nodeFrom, Node nodeTo) {
     flowOutOfAddressStep(use.getOperand(), nodeTo)
   )
   or
-  // This next case is a bit annoying. The write side effect on an expression like `a = new A;` writes to
-  // a fresh address returned by `operator new`, and there's no easy way to use the `adjacentDefRead`
-  // predicate to hook that up to the assignment to `a`. So instead we flow to the _first_ use of the
+  // This final case is a bit annoying. The write side effect on an expression like `a = new A;` writes
+  // to a fresh address returned by `operator new`, and there's no easy way to use the shared SSA
+  // library to hook that up to the assignment to `a`. So instead we flow to the _first_ use of the
   // value computed by `operator new` that occurs after `nodeFrom` (to avoid a loop in the
   // dataflow graph).
   exists(StoreNode store, WriteSideEffectInstruction write, IRBlock bb, int i1, int i2, Operand op |
@@ -368,19 +381,8 @@ private predicate adjacentDefRead(Node nodeFrom, Node nodeTo) {
   or
   // Flow to phi instructions
   phiHasInput(nodeTo.asInstruction(), nodeFrom)
-  or
-  // Flow out of PostUpdateNodes and into phi instructions
-  nodeFrom.(StoreNode).isTerminal() and
-  phiHasInput(nodeTo.asInstruction(), nodeFrom)
 }
 
-/**
- * Holds if `nodeFrom` is a read or write, and `nTo` is the next subsequent read of the variable
- * written (or read) by `storeOrRead`.
- */
-cached
-predicate ssaFlow(Node nodeFrom, Node nodeTo) { adjacentDefRead(nodeFrom, nodeTo) }
-
 private predicate flowOutOfAddressStep(Operand operand, Node nTo) {
   // Flow into a read node
   exists(ReadNode readNode | readNode = nTo |

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -82,8 +82,6 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
     instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
   )
   or
-  instrTo.(LoadInstruction).getSourceAddressOperand() = opFrom
-  or
   // Flow from an element to an array or union that contains it.
   instrTo.(ChiInstruction).getPartialOperand() = opFrom and
   not instrTo.isResultConflated() and

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -107,7 +107,7 @@ void local_references(int &source1, int clean1) {
     int t = clean1;
     int &ref = t;
     t = source();
-    sink(ref); // $ ir MISSING: ast
+    sink(ref); // $ MISSING: ast,ir
   }
 }
 

cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp

@@ -35,12 +35,12 @@ void assignAfterAlias() {
   S s1 = { 0, 0 };
   S &ref1 = s1;
   ref1.m1 = user_input();
-  sink(s1.m1); // $ ir MISSING: ast
+  sink(s1.m1); // $ MISSING: ast,ir
 
   S s2 = { 0, 0 };
   S &ref2 = s2;
   s2.m1 = user_input();
-  sink(ref2.m1); // $ ir MISSING: ast
+  sink(ref2.m1); // $ MISSING: ast,ir
 }
 
 void assignAfterCopy() {
@@ -77,14 +77,14 @@ void pointerIntermediate() {
   Wrapper w = { { 0, 0 } };
   S *s = &w.s;
   s->m1 = user_input();
-  sink(w.s.m1); // $ ir MISSING: ast
+  sink(w.s.m1); // $ MISSING: ast,ir
 }
 
 void referenceIntermediate() {
   Wrapper w = { { 0, 0 } };
   S &s = w.s;
   s.m1 = user_input();
-  sink(w.s.m1); // $ ir MISSING: ast
+  sink(w.s.m1); // $ MISSING: ast,ir
 }
 
 void nestedAssign() {

cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected

@@ -306,7 +306,6 @@ edges
 | C.cpp:18:12:18:18 | C output argument [s1] | C.cpp:19:8:19:11 | c [s1] |
 | C.cpp:18:12:18:18 | C output argument [s3] | C.cpp:19:8:19:11 | c [s3] |
 | C.cpp:18:12:18:18 | new [post update] [s1] | C.cpp:19:8:19:11 | c [s1] |
-| C.cpp:18:12:18:18 | new [post update] [s3] | C.cpp:19:8:19:11 | c [s3] |
 | C.cpp:19:8:19:11 | c [s1] | C.cpp:27:8:27:11 | this [s1] |
 | C.cpp:19:8:19:11 | c [s3] | C.cpp:27:8:27:11 | this [s3] |
 | C.cpp:22:3:22:3 | ReturnIndirection [s1] | C.cpp:18:12:18:18 | C output argument [s1] |
@@ -315,7 +314,6 @@ edges
 | C.cpp:22:3:22:3 | this [post update] [s1] | C.cpp:22:3:22:3 | ReturnIndirection [s1] |
 | C.cpp:22:9:22:22 | FieldAddress [post update] | C.cpp:22:3:22:3 | this [post update] [s1] |
 | C.cpp:22:12:22:21 | new | C.cpp:22:9:22:22 | FieldAddress [post update] |
-| C.cpp:24:5:24:8 | this [post update] [s3] | C.cpp:18:12:18:18 | new [post update] [s3] |
 | C.cpp:24:5:24:8 | this [post update] [s3] | C.cpp:22:3:22:3 | ReturnIndirection [s3] |
 | C.cpp:24:11:24:12 | s3 [post update] | C.cpp:24:5:24:8 | this [post update] [s3] |
 | C.cpp:24:16:24:25 | new | C.cpp:24:11:24:12 | s3 [post update] |
@@ -421,20 +419,15 @@ edges
 | aliasing.cpp:29:11:29:12 | FieldAddress [read] | aliasing.cpp:29:11:29:12 | m1 |
 | aliasing.cpp:30:8:30:9 | s2 [read] [m1] | aliasing.cpp:30:11:30:12 | FieldAddress [read] |
 | aliasing.cpp:30:11:30:12 | FieldAddress [read] | aliasing.cpp:30:11:30:12 | m1 |
-| aliasing.cpp:37:13:37:22 | call to user_input | aliasing.cpp:38:11:38:12 | m1 |
-| aliasing.cpp:42:11:42:20 | call to user_input | aliasing.cpp:43:13:43:14 | m1 |
 | aliasing.cpp:60:3:60:4 | s2 [post update] [m1] | aliasing.cpp:62:8:62:12 | copy2 [read] [m1] |
 | aliasing.cpp:60:6:60:7 | m1 [post update] | aliasing.cpp:60:3:60:4 | s2 [post update] [m1] |
 | aliasing.cpp:60:11:60:20 | call to user_input | aliasing.cpp:60:6:60:7 | m1 [post update] |
 | aliasing.cpp:62:8:62:12 | copy2 [read] [m1] | aliasing.cpp:62:14:62:15 | FieldAddress [read] |
 | aliasing.cpp:62:14:62:15 | FieldAddress [read] | aliasing.cpp:62:14:62:15 | m1 |
-| aliasing.cpp:79:11:79:20 | call to user_input | aliasing.cpp:80:12:80:13 | m1 |
-| aliasing.cpp:86:10:86:19 | call to user_input | aliasing.cpp:87:12:87:13 | m1 |
 | aliasing.cpp:92:3:92:3 | w [post update] [s, m1] | aliasing.cpp:93:8:93:8 | w [read] [s, m1] |
 | aliasing.cpp:92:5:92:5 | s [post update] [m1] | aliasing.cpp:92:3:92:3 | w [post update] [s, m1] |
 | aliasing.cpp:92:7:92:8 | m1 [post update] | aliasing.cpp:92:5:92:5 | s [post update] [m1] |
 | aliasing.cpp:92:12:92:21 | call to user_input | aliasing.cpp:92:7:92:8 | m1 [post update] |
-| aliasing.cpp:92:12:92:21 | call to user_input | aliasing.cpp:93:12:93:13 | m1 |
 | aliasing.cpp:93:8:93:8 | w [read] [s, m1] | aliasing.cpp:93:10:93:10 | s [read] [m1] |
 | aliasing.cpp:93:10:93:10 | s [read] [m1] | aliasing.cpp:93:12:93:13 | FieldAddress [read] |
 | aliasing.cpp:93:12:93:13 | FieldAddress [read] | aliasing.cpp:93:12:93:13 | m1 |
@@ -536,8 +529,6 @@ edges
 | arrays.cpp:36:12:36:14 | arr [post update] [data] | arrays.cpp:36:5:36:10 | nested [post update] [arr, data] |
 | arrays.cpp:36:19:36:22 | data [post update] | arrays.cpp:36:3:36:17 | access to array [post update] [data] |
 | arrays.cpp:36:26:36:35 | call to user_input | arrays.cpp:36:19:36:22 | data [post update] |
-| arrays.cpp:36:26:36:35 | call to user_input | arrays.cpp:37:3:37:6 | data |
-| arrays.cpp:36:26:36:35 | call to user_input | arrays.cpp:37:24:37:27 | data |
 | arrays.cpp:37:3:37:6 | data | arrays.cpp:37:24:37:27 | sink output argument |
 | arrays.cpp:37:3:37:6 | data | realistic.cpp:41:17:41:17 | o |
 | arrays.cpp:37:8:37:8 | o [post update] [nested, arr, data] | arrays.cpp:38:8:38:8 | o [read] [nested, arr, data] |
@@ -1156,8 +1147,6 @@ edges
 | struct_init.c:20:13:20:14 | VariableAddress [post update] [a] | struct_init.c:24:10:24:12 | & ... indirection [a] |
 | struct_init.c:20:17:20:36 | FieldAddress [post update] | struct_init.c:20:13:20:14 | VariableAddress [post update] [a] |
 | struct_init.c:20:20:20:29 | call to user_input | struct_init.c:20:17:20:36 | FieldAddress [post update] |
-| struct_init.c:20:20:20:29 | call to user_input | struct_init.c:22:3:22:6 | a |
-| struct_init.c:20:20:20:29 | call to user_input | struct_init.c:22:11:22:11 | a |
 | struct_init.c:22:3:22:6 | a | realistic.cpp:41:17:41:17 | o |
 | struct_init.c:22:3:22:6 | a | struct_init.c:22:11:22:11 | sink output argument |
 | struct_init.c:22:8:22:9 | ab [post update] [a] | struct_init.c:24:10:24:12 | & ... indirection [a] |
@@ -1172,8 +1161,6 @@ edges
 | struct_init.c:26:23:29:3 | FieldAddress [post update] [a] | struct_init.c:26:16:26:20 | VariableAddress [post update] [nestedAB, a] |
 | struct_init.c:27:5:27:23 | FieldAddress [post update] | struct_init.c:26:23:29:3 | FieldAddress [post update] [a] |
 | struct_init.c:27:7:27:16 | call to user_input | struct_init.c:27:5:27:23 | FieldAddress [post update] |
-| struct_init.c:27:7:27:16 | call to user_input | struct_init.c:31:3:31:6 | a |
-| struct_init.c:27:7:27:16 | call to user_input | struct_init.c:31:23:31:23 | a |
 | struct_init.c:31:3:31:6 | a | realistic.cpp:41:17:41:17 | o |
 | struct_init.c:31:3:31:6 | a | struct_init.c:31:23:31:23 | sink output argument |
 | struct_init.c:31:8:31:12 | outer [post update] [nestedAB, a] | struct_init.c:36:11:36:15 | outer [read] [nestedAB, a] |
@@ -1451,7 +1438,6 @@ nodes
 | C.cpp:18:12:18:18 | C output argument [s1] | semmle.label | C output argument [s1] |
 | C.cpp:18:12:18:18 | C output argument [s3] | semmle.label | C output argument [s3] |
 | C.cpp:18:12:18:18 | new [post update] [s1] | semmle.label | new [post update] [s1] |
-| C.cpp:18:12:18:18 | new [post update] [s3] | semmle.label | new [post update] [s3] |
 | C.cpp:19:8:19:11 | c [s1] | semmle.label | c [s1] |
 | C.cpp:19:8:19:11 | c [s3] | semmle.label | c [s3] |
 | C.cpp:22:3:22:3 | ReturnIndirection [s1] | semmle.label | ReturnIndirection [s1] |
@@ -1567,20 +1553,12 @@ nodes
 | aliasing.cpp:30:8:30:9 | s2 [read] [m1] | semmle.label | s2 [read] [m1] |
 | aliasing.cpp:30:11:30:12 | FieldAddress [read] | semmle.label | FieldAddress [read] |
 | aliasing.cpp:30:11:30:12 | m1 | semmle.label | m1 |
-| aliasing.cpp:37:13:37:22 | call to user_input | semmle.label | call to user_input |
-| aliasing.cpp:38:11:38:12 | m1 | semmle.label | m1 |
-| aliasing.cpp:42:11:42:20 | call to user_input | semmle.label | call to user_input |
-| aliasing.cpp:43:13:43:14 | m1 | semmle.label | m1 |
 | aliasing.cpp:60:3:60:4 | s2 [post update] [m1] | semmle.label | s2 [post update] [m1] |
 | aliasing.cpp:60:6:60:7 | m1 [post update] | semmle.label | m1 [post update] |
 | aliasing.cpp:60:11:60:20 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:62:8:62:12 | copy2 [read] [m1] | semmle.label | copy2 [read] [m1] |
 | aliasing.cpp:62:14:62:15 | FieldAddress [read] | semmle.label | FieldAddress [read] |
 | aliasing.cpp:62:14:62:15 | m1 | semmle.label | m1 |
-| aliasing.cpp:79:11:79:20 | call to user_input | semmle.label | call to user_input |
-| aliasing.cpp:80:12:80:13 | m1 | semmle.label | m1 |
-| aliasing.cpp:86:10:86:19 | call to user_input | semmle.label | call to user_input |
-| aliasing.cpp:87:12:87:13 | m1 | semmle.label | m1 |
 | aliasing.cpp:92:3:92:3 | w [post update] [s, m1] | semmle.label | w [post update] [s, m1] |
 | aliasing.cpp:92:5:92:5 | s [post update] [m1] | semmle.label | s [post update] [m1] |
 | aliasing.cpp:92:7:92:8 | m1 [post update] | semmle.label | m1 [post update] |
@@ -2446,11 +2424,7 @@ subpaths
 | E.cpp:32:13:32:18 | buffer | E.cpp:29:21:29:29 | argument_source output argument | E.cpp:32:13:32:18 | buffer | buffer flows from $@ | E.cpp:29:21:29:29 | argument_source output argument | argument_source output argument |
 | aliasing.cpp:29:11:29:12 | m1 | aliasing.cpp:9:11:9:20 | call to user_input | aliasing.cpp:29:11:29:12 | m1 | m1 flows from $@ | aliasing.cpp:9:11:9:20 | call to user_input | call to user_input |
 | aliasing.cpp:30:11:30:12 | m1 | aliasing.cpp:13:10:13:19 | call to user_input | aliasing.cpp:30:11:30:12 | m1 | m1 flows from $@ | aliasing.cpp:13:10:13:19 | call to user_input | call to user_input |
-| aliasing.cpp:38:11:38:12 | m1 | aliasing.cpp:37:13:37:22 | call to user_input | aliasing.cpp:38:11:38:12 | m1 | m1 flows from $@ | aliasing.cpp:37:13:37:22 | call to user_input | call to user_input |
-| aliasing.cpp:43:13:43:14 | m1 | aliasing.cpp:42:11:42:20 | call to user_input | aliasing.cpp:43:13:43:14 | m1 | m1 flows from $@ | aliasing.cpp:42:11:42:20 | call to user_input | call to user_input |
 | aliasing.cpp:62:14:62:15 | m1 | aliasing.cpp:60:11:60:20 | call to user_input | aliasing.cpp:62:14:62:15 | m1 | m1 flows from $@ | aliasing.cpp:60:11:60:20 | call to user_input | call to user_input |
-| aliasing.cpp:80:12:80:13 | m1 | aliasing.cpp:79:11:79:20 | call to user_input | aliasing.cpp:80:12:80:13 | m1 | m1 flows from $@ | aliasing.cpp:79:11:79:20 | call to user_input | call to user_input |
-| aliasing.cpp:87:12:87:13 | m1 | aliasing.cpp:86:10:86:19 | call to user_input | aliasing.cpp:87:12:87:13 | m1 | m1 flows from $@ | aliasing.cpp:86:10:86:19 | call to user_input | call to user_input |
 | aliasing.cpp:93:12:93:13 | m1 | aliasing.cpp:92:12:92:21 | call to user_input | aliasing.cpp:93:12:93:13 | m1 | m1 flows from $@ | aliasing.cpp:92:12:92:21 | call to user_input | call to user_input |
 | aliasing.cpp:143:8:143:16 | access to array | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:143:8:143:16 | access to array | access to array flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | aliasing.cpp:159:8:159:14 | * ... | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:159:8:159:14 | * ... | * ... flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |

cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected

@@ -10,6 +10,10 @@
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | AST only |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:52:2:52:12 | * ... | AST only |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:52:3:52:12 | envStr_ptr | AST only |
+| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... | AST only |
+| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp | AST only |
+| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... | AST only |
+| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal | AST only |
 | test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | AST only |
 | test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |

cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected

@@ -14,10 +14,6 @@
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr |
-| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... |
-| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp |
-| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... |
-| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal |
 | test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv |
 | test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... |
 | test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName |

cpp/ql/test/library-tests/dataflow/smart-pointers-taint/test.cpp

@@ -7,7 +7,7 @@ void test_unique_ptr_int() {
 	std::unique_ptr<int> p1(new int(source()));
 	std::unique_ptr<int> p2 = std::make_unique<int>(source());
 
-	sink(*p1); // $ ir MISSING: ast
+	sink(*p1); // $ MISSING: ast,ir
 	sink(*p2); // $ ast ir=8:50
 }
 
@@ -31,7 +31,7 @@ void test_shared_ptr_int() {
 	std::shared_ptr<int> p1(new int(source()));
 	std::shared_ptr<int> p2 = std::make_shared<int>(source());
 
-	sink(*p1); // $ ast ir
+	sink(*p1); // $ ast MISSING: ir
 	sink(*p2); // $ ast ir=32:50 
 }