github · MathiasVP · Nov 7, 2022 · Nov 7, 2022
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/clang.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/clang.cpp
@@ -19,7 +19,7 @@ void following_pointers(
 
   sink(sourceArray1[0]); // no flow
   sink(*sourceArray1); // no flow
-  sink(&sourceArray1); // $ ast // [should probably be taint only]
+  sink(&sourceArray1); // $ ast,ir // [should probably be taint only]
 
   sink(sourceStruct1.m1); // no flow
   sink(sourceStruct1_ptr->m1); // no flow
@@ -48,5 +48,5 @@ void following_pointers(
 
   int stackArray[2] = { source(), source() };
   stackArray[0] = source();
-  sink(stackArray); // $ ast MISSING: ir
+  sink(stackArray); // $ ast,ir
 }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/ref.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/ref.cpp
@@ -53,16 +53,16 @@ namespace withoutFields {
     int x1, x2, x3, x4;
 
     assignWrapper(x1, source());
-    sink(x1); // $ ast=55:23 ir SPURIOUS: ast=53:9
+    sink(x1); // $ ast,ir=55:23 SPURIOUS: ast,ir=53:9
 
     notAssign(x2, source());
-    sink(x2); // $ SPURIOUS: ast,ir
+    sink(x2); // $ SPURIOUS: ast ir=53:13 ir=58:19
 
     sourceToParamWrapper(x3);
-    sink(x3); // $ ast=29:11 ir SPURIOUS: ast=53:17
+    sink(x3); // $ ast,ir=29:11 SPURIOUS: ast,ir=53:17
 
     notSource(x4);
-    sink(x4); // $ SPURIOUS: ast,ir
+    sink(x4); // $ SPURIOUS: ast ir=44:11 ir=53:21
   }
 }
 

diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -71,19 +71,19 @@ void identityOperations(int* source1) {
   sink(x4);  // $ ast,ir
 }
 
-void trackUninitialized() { // NOTE: uninitialized tracking for IR dataflow is deprecated
+void trackUninitialized() {
   int u1;
-  sink(u1); // $ ast
+  sink(u1); // $ ast,ir
   u1 = 2;
   sink(u1); // clean
 
   int i1 = 1;
   sink(i1); // clean
 
   int u2;
-  sink(i1 ? u2 : 1); // $ ast
+  sink(i1 ? u2 : 1); // $ ast,ir
   i1 = u2;
-  sink(i1); // $ ast
+  sink(i1); // $ ast,ir
 }
 
 void local_references(int &source1, int clean1) {
@@ -346,7 +346,7 @@ namespace FlowThroughGlobals {
   void taintAndCall() {
     globalVar = source();
     calledAfterTaint();
-    sink(globalVar); // $ ast ir=333:17 ir=347:17
+    sink(globalVar); // $ ast ir ir=333:17 ir=347:17
   }
 }
 
@@ -398,14 +398,14 @@ void flowThroughMemcpy_blockvar_with_local_flow(int source1, int b) {
 void cleanedByMemcpy_ssa(int clean1) { // currently modeled with BlockVar, not SSA
   int tmp;
   memcpy(&tmp, &clean1, sizeof tmp);
-  sink(tmp); // $ SPURIOUS: ast
+  sink(tmp); // $ SPURIOUS: ast,ir
 }
 
 void cleanedByMemcpy_blockvar(int clean1) {
   int tmp;
   int *capture = &tmp;
   memcpy(&tmp, &clean1, sizeof tmp);
-  sink(tmp); // $ SPURIOUS: ast
+  sink(tmp); // $ SPURIOUS: ast,ir
 }
 
 void intRefSource(int &ref_source);
@@ -415,33 +415,33 @@ void intArraySource(int ref_source[], size_t len);
 void intRefSourceCaller() {
   int local;
   intRefSource(local);
-  sink(local); // $ ast=416:7 ast=417:16 MISSING: ir
+  sink(local); // $ ast,ir=416:7 ast,ir=417:16
 }
 
 void intPointerSourceCaller() {
   int local;
   intPointerSource(&local);
-  sink(local); // $ ast=422:7 ast=423:20 MISSING: ir
+  sink(local); // $ ast,ir=422:7 ast,ir=423:20
 }
 
 void intPointerSourceCaller2() {
   int local[1];
   intPointerSource(local);
-  sink(local); // $ ast=428:7 ast=429:20 MISSING: ir
-  sink(*local); // $ ast=428:7 ast=429:20 MISSING: ir
+  sink(local); // $ ast,ir=428:7 ast,ir=429:20
+  sink(*local); // $ ast,ir=428:7 ast,ir=429:20
 }
 
 void intArraySourceCaller() {
   int local;
   intArraySource(&local, 1);
-  sink(local); // $ ast=435:7 ast=436:18 MISSING: ir
+  sink(local); // $ ast,ir=435:7 ast,ir=436:18
 }
 
 void intArraySourceCaller2() {
   int local[2];
   intArraySource(local, 2);
-  sink(local); // $ ast=441:7 ast=442:18 MISSING: ir
-  sink(*local); // $ ast=441:7 ast=442:18 MISSING: ir
+  sink(local); // $ ast,ir=441:7 ast,ir=442:18
+  sink(*local); // $ ast,ir=441:7 ast,ir=442:18
 }
 
 ///////////////////////////////////////////////////////////////////////////////

diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql
@@ -24,17 +24,24 @@ module IRTest {
       source.asExpr().(FunctionCall).getTarget().getName() = "source"
       or
       source.asParameter().getName().matches("source%")
+      or
+      source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
+      or
+      exists(source.asUninitialized())
     }
 
     override predicate isSink(DataFlow::Node sink) {
       exists(FunctionCall call |
         call.getTarget().getName() = "sink" and
-        sink.asExpr() = call.getAnArgument()
+        call.getAnArgument() in [sink.asExpr(), sink.asIndirectExpr()]
       )
     }
 
     override predicate isBarrier(DataFlow::Node barrier) {
-      barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
+      exists(Expr barrierExpr | barrierExpr in [barrier.asExpr(), barrier.asIndirectExpr()] |
+        barrierExpr.(VariableAccess).getTarget().hasName("barrier")
+      )
+      or
       barrier = DataFlow::InstructionBarrierGuard<testBarrierGuard/3>::getABarrierNode()
     }
   }