Incorrect data-flow when using methodReturn node #1272
Description
I was using the following snippet to run a test,
int main(int argc, char *argv[]) {
int *tmp = NULL;
int x = 2;
if (argc > 0) {
tmp = &argc;
}
return *tmp;
}x has no influence on the return value here, but
joern> def src = cpg.identifier.name("x")
defined function src
joern> def sink = cpg.method.name("main").methodReturn
defined function sink
joern> sink.reachableByFlows(src).p
res7: List[String] = List(
"""__________________________________________________________
| tracked| lineNumber| method| file |
|=========================================================|
| x = 2 | 6 | main | /Users/jai/dump/ret/main.c |
| int | 4 | main | /Users/jai/dump/ret/main.c |
"""
)Using <node>.ast.isReturn works correctly though,
joern> def src = cpg.method.name("main").parameter.order(1)
defined function src
joern> def sink = cpg.method.name("main").ast.isReturn
defined function sink
joern> sink.reachableByFlows(src).p
res22: List[String] = List()