C++: Reformulate the sanitizer in 'NonConstantFormat.ql'. It should no longer incorrectly sanitize indirect nodes for which there is no result for 'asIndirectExpr'.

MathiasVP · MathiasVP · commit e8db563e98e0 · 2023-01-27T10:04:48.000Z
diff --git a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
@@ -120,8 +120,7 @@ pragma[noinline]
 predicate isSanitizerNode(DataFlow::Node node) {
   underscoreMacro(node.asExpr())
   or
-  not exists(node.asIndirectExpr()) and
-  not exists(node.asDefiningArgument()) and
+  exists(node.asExpr()) and
   cannotContainString(node.getType(), false)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -120,8 +120,7 @@ pragma[noinline]`
`120`	`120`	`predicate isSanitizerNode(DataFlow::Node node) {`
`121`	`121`	`underscoreMacro(node.asExpr())`
`122`	`122`	`or`
`123`		`- not exists(node.asIndirectExpr()) and`
`124`		`- not exists(node.asDefiningArgument()) and`
	`123`	`+ exists(node.asExpr()) and`
`125`	`124`	`cannotContainString(node.getType(), false)`
`126`	`125`	`}`
`127`	`126`