From a2de057c26ebd30c3f6a70d8eab38e9791d8451c Mon Sep 17 00:00:00 2001
From: Jonas Jensen
Date: Tue, 5 Mar 2019 14:29:19 +0100
Subject: [PATCH 1/2] C++: Test for StmtExpr data flow
---
 .../dataflow/dataflow-tests/test.cpp | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
index 9fa3ad7f2f35..c9a1a8b94aff 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -491,3 +491,20 @@ void intArraySourceCaller2() {
 sink(local); // tainted
 sink(*local); // clean
 }
+
+///////////////////////////////////////////////////////////////////////////////
+
+void throughStmtExpr(int source1, int clean1) {
+ sink( ({ source1; }) ); // tainted (FALSE NEGATIVE)
+ sink( ({ clean1; }) ); // clean
+
+ int local = ({
+ int tmp;
+ if (clean1)
+ tmp = source1;
+ else
+ tmp = clean1;
+ tmp;
+ });
+ sink(local); // tainted (FALSE NEGATIVE)
+}
From 0a57767cc6daba68a04891111b0f5d6c5db906a7 Mon Sep 17 00:00:00 2001
From: Jonas Jensen
Date: Thu, 10 Jan 2019 15:39:56 +0100
Subject: [PATCH 2/2] C++: Data flow through StmtExpr
---
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll | 4 ++++
 cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp | 4 ++--
 .../test/library-tests/dataflow/dataflow-tests/test.expected | 2 ++
 .../library-tests/dataflow/dataflow-tests/test_diff.expected | 2 ++
 4 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 23b1dc15cdd6..db4643c53db5 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
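Review bot: The new cases only use statement expressions whose tainted value is also the result expression, so nothing in `throughStmtExpr` checks that flow is taken from the result expression alone rather than from any statement inside the braces; a negative case such as `sink( ({ source1; clean1; }) ); // clean` next to the two existing `sink(` lines would pin that down. A further case whose final statement is not an expression statement (for example one ending in an `if` block, used in a `void` context so it still compiles) would document the expected behaviour when there is no result expression at all. The `throughStmtExpr` body is complete within this hunk.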
@@ -275,6 +275,10 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
 fromExpr = op.getOperand()
 )
 or
+ toExpr = any(StmtExpr stmtExpr |
+ fromExpr = stmtExpr.getResultExpr()
+ )
+ or
 toExpr = any(Call call |
 exists(DataFlowFunction f, FunctionInput inModel , FunctionOutput outModel, int iIn |
 call.getTarget() = f and
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
index c9a1a8b94aff..1dc2e7ba159a 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -495,7 +495,7 @@ void intArraySourceCaller2() {
 ///////////////////////////////////////////////////////////////////////////////
 
 void throughStmtExpr(int source1, int clean1) {
- sink( ({ source1; }) ); // tainted (FALSE NEGATIVE)
+ sink( ({ source1; }) ); // tainted
 sink( ({ clean1; }) ); // clean
 
 int local = ({
@@ -506,5 +506,5 @@ void throughStmtExpr(int source1, int clean1) {
 tmp = clean1;
 tmp;
 });
- sink(local); // tainted (FALSE NEGATIVE)
+ sink(local); // tainted
 }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
index 38cbbc1bc4bc..da1a2c593f35 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
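Review bot: The added disjunct carries no comment saying what a statement-expression step is, while it sits among several similar `any(... | ...)` disjuncts that a reader has to tell apart; a one-liner such as `// Flow from the last expression statement of a GNU statement expression ({ ...; e; }) to the StmtExpr itself` above `toExpr = any(StmtExpr stmtExpr |` would make the intent clear. The step presumably yields nothing when the final statement is not an expression statement (GCC gives such a statement expression type void), so no spurious flow should arise, but that depends on what `getResultExpr()` returns in that case and is worth confirming against its definition, which is outside this hunk. Whether the result is taken before or after implicit conversions should match the neighbouring disjuncts, e.g. the visible `fromExpr = op.getOperand()`, and from the visible lines that looks consistent. `exprToExprStep_nocfg` starts before and ends after the hunk.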
@@ -35,6 +35,8 @@
 | test.cpp:478:8:478:12 | local | test.cpp:477:20:477:24 | ref arg local |
 | test.cpp:485:8:485:12 | local | test.cpp:484:18:484:23 | ref arg & ... |
 | test.cpp:491:8:491:12 | local | test.cpp:490:18:490:22 | ref arg local |
+| test.cpp:498:9:498:22 | (statement expression) | test.cpp:497:26:497:32 | source1 |
+| test.cpp:509:8:509:12 | local | test.cpp:497:26:497:32 | source1 |
 | true_upon_entry.cpp:21:8:21:8 | x | true_upon_entry.cpp:17:11:17:16 | call to source |
 | true_upon_entry.cpp:29:8:29:8 | x | true_upon_entry.cpp:27:9:27:14 | call to source |
 | true_upon_entry.cpp:39:8:39:8 | x | true_upon_entry.cpp:33:11:33:16 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
index 1eccb0fedf19..e7c81ea15c86 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
@@ -17,6 +17,8 @@
 | test.cpp:477:20:477:24 | test.cpp:478:8:478:12 | AST only |
 | test.cpp:484:18:484:23 | test.cpp:485:8:485:12 | AST only |
 | test.cpp:490:18:490:22 | test.cpp:491:8:491:12 | AST only |
+| test.cpp:497:26:497:32 | test.cpp:498:9:498:22 | AST only |
+| test.cpp:497:26:497:32 | test.cpp:509:8:509:12 | AST only |
 | true_upon_entry.cpp:9:11:9:16 | true_upon_entry.cpp:13:8:13:8 | IR only |
 | true_upon_entry.cpp:62:11:62:16 | true_upon_entry.cpp:66:8:66:8 | IR only |
 | true_upon_entry.cpp:98:11:98:16 | true_upon_entry.cpp:105:8:105:8 | IR only |