C++: Don't count every conversion as a use.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -208,7 +208,7 @@ private module IteratorIndirections {
 
     override predicate isAdditionalDereference(Instruction deref, Operand address) {
       exists(CallInstruction call |
-        operandForfullyConvertedCall(deref.getAUse(), call) and
+        deref = call and
         this = call.getStaticCallTarget().getClassAndName("operator*") and
         address = call.getThisArgumentOperand()
       )
@@ -585,6 +585,15 @@ private module Cached {
     )
   }
 
+  /** Holds if `op` is the unique use of a conversion-like instruction. */
+  private predicate isConverted(Operand op, boolean isPointerArith) {
+    exists(Instruction def |
+      def = op.getDef() and
+      conversionFlow(_, op.getDef(), isPointerArith) and
+      exists(unique( | | getAUse(def)))
+    )
+  }
+
   /**
    * Holds if `op` is a use of an SSA variable rooted at `base` with `ind` number
    * of indirections.
@@ -602,6 +611,9 @@ private module Cached {
       type = getLanguageType(op) and
       upper = countIndirectionsForCppType(type) and
       isUseImpl(op, base, ind0) and
+      // Don't count every conversion as their own use. Instead, only the first
+      // use (i.e., before any conversions are applied) will count as a use.
+      not isConverted(op, false) and
       ind = ind0 + [0 .. upper] and
       indirectionIndex = ind - ind0
     )

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -533,8 +533,8 @@ void test_set_through_const_pointer(int *e)
 }
 
 void sink_then_source(int* p) {
-    sink(*p);
-    *p = source(); // $ SPURIOUS: ir=537:10 ir=541:9
+    sink(*p); // $ SPURIOUS: ir
+    *p = source();
 }
 
 void test_sink_then_source() {