Merge pull request #20040 from MathiasVP/fix-global-variable-recursion-fp

jketema · web-flow · commit 2ed54d52addc · 2025-07-14T18:59:34.000+02:00
C++: Fix global variable dataflow FP
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -153,6 +153,10 @@ private predicate isGlobalDefImpl(
   GlobalLikeVariable v, IRFunction f, int indirection, int indirectionIndex
 ) {
   exists(VariableAddressInstruction vai |
+    // The right-hand side of an initialization of a global variable
+    // creates its own `IRFunction`. We don't want flow into that `IRFunction`
+    // since the variable is only initialized once.
+    not vai.getEnclosingFunction() = v and
     vai.getEnclosingIRFunction() = f and
     vai.getAstVariable() = v and
     isUse(_, _, vai, indirection, indirectionIndex) and
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
@@ -6,9 +6,15 @@ uniqueEnclosingCallable
 | test.cpp:1126:33:1129:1 | {...} | Node should have one enclosing callable but has 0. |
 | test.cpp:1127:3:1127:13 | reads_input | Node should have one enclosing callable but has 0. |
 | test.cpp:1128:3:1128:21 | not_does_read_input | Node should have one enclosing callable but has 0. |
+| test.cpp:1158:18:1158:21 | call to sink | Node should have one enclosing callable but has 0. |
+| test.cpp:1158:18:1158:42 | ... , ... | Node should have one enclosing callable but has 0. |
+| test.cpp:1158:23:1158:31 | recursion | Node should have one enclosing callable but has 0. |
+| test.cpp:1158:35:1158:40 | call to source | Node should have one enclosing callable but has 0. |
 uniqueCallEnclosingCallable
 | test.cpp:864:47:864:54 | call to source | Call should have one enclosing callable but has 0. |
 | test.cpp:872:46:872:51 | call to source | Call should have one enclosing callable but has 0. |
+| test.cpp:1158:18:1158:21 | call to sink | Call should have one enclosing callable but has 0. |
+| test.cpp:1158:35:1158:40 | call to source | Call should have one enclosing callable but has 0. |
 uniqueType
 uniqueNodeLocation
 missingLocation
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -1153,4 +1153,6 @@ namespace conflation_regression {
     *p = source(0);
     read_deref_deref(p);
   }
-}
+}
+
+int recursion = (sink(recursion), source()); // clean
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected
@@ -1,9 +1,6 @@
 edges
-| consts.cpp:24:7:24:9 | **gv1 | consts.cpp:25:2:25:4 | *a | provenance |  |
 | consts.cpp:24:7:24:9 | **gv1 | consts.cpp:30:9:30:14 | *access to array | provenance |  |
 | consts.cpp:24:7:24:9 | **gv1 | consts.cpp:123:2:123:12 | *... = ... | provenance |  |
-| consts.cpp:25:2:25:4 | *a | consts.cpp:26:2:26:4 | *{...} | provenance |  |
-| consts.cpp:26:2:26:4 | *{...} | consts.cpp:24:7:24:9 | **gv1 | provenance |  |
 | consts.cpp:29:7:29:25 | **nonConstFuncToArray | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | provenance |  |
 | consts.cpp:30:9:30:14 | *access to array | consts.cpp:29:7:29:25 | **nonConstFuncToArray | provenance |  |
 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:86:9:86:10 | *v1 | provenance |  |
@@ -38,8 +35,6 @@ edges
 | consts.cpp:144:16:144:18 | readStringRef output argument | consts.cpp:145:9:145:11 | *v12 | provenance |  |
 nodes
 | consts.cpp:24:7:24:9 | **gv1 | semmle.label | **gv1 |
-| consts.cpp:25:2:25:4 | *a | semmle.label | *a |
-| consts.cpp:26:2:26:4 | *{...} | semmle.label | *{...} |
 | consts.cpp:29:7:29:25 | **nonConstFuncToArray | semmle.label | **nonConstFuncToArray |
 | consts.cpp:30:9:30:14 | *access to array | semmle.label | *access to array |
 | consts.cpp:85:7:85:8 | gets output argument | semmle.label | gets output argument |

Original file line number	Diff line number	Diff line change
`@@ -1153,4 +1153,6 @@ namespace conflation_regression {`
`1153`	`1153`	`*p = source(0);`
`1154`	`1154`	`read_deref_deref(p);`
`1155`	`1155`	`}`
`1156`		`-}`
	`1156`	`+}`
	`1157`	`+`
	`1158`	`+int recursion = (sink(recursion), source()); // clean`