Add IndirectUninitializedNode and related helper predicates

[jeongsoolee09]

Add a variant class of UninitializedNode, named IndirectUninitializedNode. The former class only took 0 indirection levels into account. This PR introduces the latter that captures nodes behind indirection levels equal to or greater than 1.

For example, consider this code:

int array[2][3] = {{1, 2, 3}, {4, 5, 6}};

The class UninitializedNode finds uninitialized array of type int[2][3]. However, it is also uninitialized one level down, having type int[3].

any(IndirectUninitializedNode node | node.getIndirectionIndex() = 1 | node) now gets the aforementioned int[3] node.

Also, add DataFlow::Node::asIndirectUninitialized to associate LocalVariable with IndirectUninitializedNode.

[Copilot]

Pull request overview

Adds an indirection-index dimension to Public::UninitializedNode so queries can distinguish uninitialized values at different indirection levels (e.g., arrays-of-arrays).

Changes:

• Extend UninitializedNode to track indirectionIndex rather than hard-coding index 0.
• Expose the indirection level via UninitializedNode::getIndirectionIndex/0.

Comments suppressed due to low confidence (1)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll:785

• The doc comment for getIndirectionIndex() uses different terminology (“level of indirection to get to this node”) than the rest of this file (which consistently says “indirection index”). For consistency and clarity, consider rephrasing to “Gets the indirection index of this node” and (optionally) define what 0/1/... correspond to.

    /** Gets the level of indirection to get to this node. */
    int getIndirectionIndex() { result = indirectionIndex }

[Copilot]

The class-level doc comment for UninitializedNode now understates the behavior: the implementation no longer represents only indirection level 0. Please update the doc comment to mention that the node can represent different indirection indices (and briefly what 0/1/... mean) so query authors don’t misinterpret it.

This issue also appears on line 784 of the same file.

[MathiasVP]

Copilot is right here. The changes here are actually a semantically breaking change (which would need a full deprecation cycle).

Instead of doing what you have here, I suggest you do what I hinted at on Slack:

1. Keep the UninitializedNode as it currently is on main
2. Create a new class IndirectUninitializedNode which basically the the charpred you have here (and indirectionIndex > 1 to avoid overlap with UninitializedNode)
3. Add a new predicate LocalVariable asIndirectUninitializedNode(int indirectionIndex) on DataFlow::Node and an convenience predicate with 0 parameters LocalVariable asIndirectUninitializedNode() implemented as result = this.asIndirectUninitializedNode(_).

This avoids a breaking change to the UninitializedNode class and the asUninitializedNode predicate.

[jeongsoolee09]

Addressed in d3066af.

[MathiasVP]

The code changes LGTM. I'll leave the formal approval to someone from the C team. I also don't really understand why CI hasn't run all the checks on this PR 🤔 I'm sure they can help you with that as well!

We also need a library change note. Probably a "feature" change note.

[jketema]

I think if would be good if the QLDoc could be made more consistent with what happens elsewhere in the dataflow library.

Still needs a change note.

Otherwise LGTM.

I will run some DCA on this.

[jketema]

Thanks for addressing my comments. The only thing missing now is a change note.