Merge pull request #21212 from MathiasVP/fix-as-definition

MathiasVP · web-flow · commit cabcb83b2fa5 · 2026-01-23T19:39:22.000Z
C++: Fix missing results for `Node.asDefinition`
diff --git a/cpp/ql/lib/change-notes/2026-01-23-as-definition.md b/cpp/ql/lib/change-notes/2026-01-23-as-definition.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed a bug which caused `Node.asDefinition()` to not have a result for certain assignments.
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -312,6 +312,13 @@ class Node extends TIRDataFlowNode {
    */
   Expr asDefinition() { result = this.asDefinition(_) }
 
+  private predicate isCertainStore() {
+    exists(SsaImpl::Definition def |
+      SsaImpl::defToNode(this, def, _) and
+      def.isCertain()
+    )
+  }
+
   /**
    * Gets the definition associated with this node, if any.
    *
@@ -361,11 +368,10 @@ class Node extends TIRDataFlowNode {
    * pointed to by `p`.
    */
   Expr asDefinition(boolean uncertain) {
-    exists(StoreInstruction store, SsaImpl::Definition def |
+    exists(StoreInstruction store |
       store = this.asInstruction() and
       result = asDefinitionImpl(store) and
-      SsaImpl::defToNode(this, def, _) and
-      if def.isCertain() then uncertain = false else uncertain = true
+      if this.isCertainStore() then uncertain = false else uncertain = true
     )
   }
 
diff --git a/cpp/ql/test/library-tests/dataflow/asDefinition/test.cpp b/cpp/ql/test/library-tests/dataflow/asDefinition/test.cpp
@@ -0,0 +1,18 @@
+struct S {
+  int x;
+};
+
+void use(int);
+
+void test() {
+  int y = 43; // $ asDefinition=43
+  use(y);
+  y = 44; // $ asDefinition="... = ..."
+  use(y);
+
+  int x = 43; // $ asDefinition=43
+  x = 44; // $ asDefinition="... = ..."
+
+  S s;
+  s.x = 42; // $ asDefinition="... = ..."
+}
diff --git a/cpp/ql/test/library-tests/dataflow/asDefinition/test.expected b/cpp/ql/test/library-tests/dataflow/asDefinition/test.expected
diff --git a/cpp/ql/test/library-tests/dataflow/asDefinition/test.ql b/cpp/ql/test/library-tests/dataflow/asDefinition/test.ql
@@ -0,0 +1,22 @@
+import cpp
+import utils.test.InlineExpectationsTest
+import semmle.code.cpp.dataflow.new.DataFlow::DataFlow
+
+bindingset[s]
+string quote(string s) { if s.matches("% %") then result = "\"" + s + "\"" else result = s }
+
+module AsDefinitionTest implements TestSig {
+  string getARelevantTag() { result = "asDefinition" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Node n, Expr e |
+      e = n.asDefinition() and
+      location = e.getLocation() and
+      element = n.toString() and
+      tag = "asDefinition" and
+      value = quote(e.toString())
+    )
+  }
+}
+
+import MakeTest<AsDefinitionTest>

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: fix
 +---
 +* Fixed a bug which caused `Node.asDefinition()` to not have a result for certain assignments.