C++: Fixup queries which assumes that a guard is always an expression.

Author: MathiasVP

cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll

@@ -136,7 +136,7 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) {
     exists(GuardCondition gc, GVN gvn |
-      gc.getAChild*() = gvn.getAnExpr() and
+      gc.(Expr).getAChild*() = gvn.getAnExpr() and
       globalValueNumber(node.asExpr()) = gvn and
       gc.controls(node.asExpr().getBasicBlock(), _)
     )

cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql

@@ -29,7 +29,7 @@ module VerifyResultConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SslGetVerifyResultCall }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(GuardCondition guard | guard.getAChild*() = sink.asExpr())
+    exists(GuardCondition guard | guard.(Expr).getAChild*() = sink.asExpr())
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }

cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql

@@ -115,15 +115,15 @@ predicate checksPath(Expr check, Expr checkPath) {
 
 pragma[nomagic]
 predicate checkPathControlsUse(Expr check, Expr checkPath, Expr use) {
-  exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
+  exists(GuardCondition guard | referenceTo(check, guard.(Expr).getAChild*()) |
     guard.controls(use.getBasicBlock(), _)
   ) and
   checksPath(pragma[only_bind_into](check), checkPath)
 }
 
 pragma[nomagic]
 predicate fileNameOperationControlsUse(Expr check, Expr checkPath, Expr use) {
-  exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
+  exists(GuardCondition guard | referenceTo(check, guard.(Expr).getAChild*()) |
     guard.controls(use.getBasicBlock(), _)
   ) and
   pragma[only_bind_into](check) = filenameOperation(checkPath)

cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql

@@ -51,7 +51,7 @@ class ReallocCallLeak extends FunctionCall {
   predicate mayHandleByTermination() {
     exists(GuardCondition guard, CallMayNotReturn exit |
       this.(ControlFlowNode).getASuccessor*() = guard and
-      guard.getAChild*() = v.getAnAccess() and
+      guard.(Expr).getAChild*() = v.getAnAccess() and
       guard.controls(exit.getBasicBlock(), _)
     )
   }

cpp/ql/test/examples/docs-examples/analyzing-data-flow-in-cpp/index-flow-from-ntohl.ql

@@ -22,7 +22,7 @@ module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) {
     exists(GuardCondition gc, Variable v |
-      gc.getAChild*() = v.getAnAccess() and
+      gc.(Expr).getAChild*() = v.getAnAccess() and
       node.asExpr() = v.getAnAccess() and
       gc.controls(node.asExpr().getBasicBlock(), _) and
       not exists(Loop loop | loop.getControllingExpr() = gc)