github · jbj · Oct 26, 2018 · Oct 12, 2018 · Oct 12, 2018
diff --git a/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll b/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll
@@ -81,19 +81,21 @@ int getBufferSize(Expr bufferExpr, Element why) {
     // buffer is a fixed size dynamic allocation
     isFixedSizeAllocationExpr(bufferExpr, result) and
     why = bufferExpr
-  ) or (
+  ) or exists(DataFlow::ExprNode bufferExprNode |
     // dataflow (all sources must be the same size)
+    bufferExprNode = DataFlow::exprNode(bufferExpr) and
+
     result = min(Expr def |
-      DataFlow::localFlowStep(DataFlow::exprNode(def), DataFlow::exprNode(bufferExpr)) |
+      DataFlow::localFlowStep(DataFlow::exprNode(def), bufferExprNode) |
       getBufferSize(def, _)
     ) and result = max(Expr def |
-      DataFlow::localFlowStep(DataFlow::exprNode(def), DataFlow::exprNode(bufferExpr)) |
+      DataFlow::localFlowStep(DataFlow::exprNode(def), bufferExprNode) |
       getBufferSize(def, _)
     ) and
 
     // find reason
     exists(Expr def |
-      DataFlow::localFlowStep(DataFlow::exprNode(def), DataFlow::exprNode(bufferExpr)) |
+      DataFlow::localFlowStep(DataFlow::exprNode(def), bufferExprNode) |
       why = def or
       exists(getBufferSize(def, why))
     )

diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/SSAUtils.qll b/cpp/ql/src/semmle/code/cpp/controlflow/SSAUtils.qll
@@ -124,11 +124,17 @@ cached library class SSAHelper extends int {
      * Modern Compiler Implementation by Andrew Appel.
      */
     private predicate frontier_phi_node(LocalScopeVariable v, BasicBlock b) {
-        exists(BasicBlock x | dominanceFrontier(x, b) and ssa_defn(v, _, x, _))
+        exists(BasicBlock x | dominanceFrontier(x, b) and ssa_defn_rec(v, x))
         /* We can also eliminate those nodes where the variable is not live on any incoming edge */
         and live_at_start_of_bb(v, b)
     }
 
+    private predicate ssa_defn_rec(LocalScopeVariable v, BasicBlock b) {
+        phi_node(v, b)
+        or
+        variableUpdate(v, _, b, _)
+    }
+
     /**
      * Holds if `v` is defined, for the purpose of SSA, at `node`, which is at
      * position `index` in block `b`. This includes definitions from phi nodes.