From a21eea4ee07134616ede87612c3a4b196ec404fa Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 18 Mar 2024 11:46:55 +0000 Subject: [PATCH 1/9] C++: Generalize more predicates from booleans to abstract values. --- .../semmle/code/cpp/controlflow/IRGuards.qll | 63 ++++++++++--------- .../code/cpp/ir/implementation/EdgeKind.qll | 9 +++ 2 files changed, 42 insertions(+), 30 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll index e7762fc9fa85..d714c1ecf30d 100644 --- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll +++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll @@ -446,7 +446,10 @@ class IRGuardCondition extends Instruction { /** Holds if (determined by this guard) `left == right + k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */ cached predicate comparesEq(Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue) { - compares_eq(this, left, right, k, areEqual, testIsTrue) + exists(BooleanValue value | + compares_eq(this, left, right, k, areEqual, value) and + value.getValue() = testIsTrue + ) } /** @@ -455,8 +458,8 @@ class IRGuardCondition extends Instruction { */ cached predicate ensuresEq(Operand left, Operand right, int k, IRBlock block, boolean areEqual) { - exists(boolean testIsTrue | - compares_eq(this, left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue) + exists(AbstractValue value | + compares_eq(this, left, right, k, areEqual, value) and this.valueControls(block, value) ) } 
@@ -468,9 +471,9 @@ class IRGuardCondition extends Instruction { predicate ensuresEqEdge( Operand left, Operand right, int k, IRBlock pred, IRBlock succ, boolean areEqual ) { - exists(boolean testIsTrue | - compares_eq(this, left, right, k, areEqual, testIsTrue) and - this.controlsEdge(pred, succ, testIsTrue) + exists(AbstractValue value | + compares_eq(this, left, right, k, areEqual, value) and + this.valueControlsEdge(pred, succ, value) ) } 
@@ -572,52 +575,52 @@ private Instruction getBranchForCondition(Instruction guard) { * Beware making mistaken logical implications here relating `areEqual` and `testIsTrue`. */ private predicate compares_eq( - Instruction test, Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue + Instruction test, Operand left, Operand right, int k, boolean areEqual, AbstractValue value ) { /* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */ - exists(boolean eq | simple_comparison_eq(test, left, right, k, eq) | - areEqual = true and testIsTrue = eq + exists(AbstractValue v | simple_comparison_eq(test, left, right, k, v) | + areEqual = true and value = v or - areEqual = false and testIsTrue = eq.booleanNot() + areEqual = false and value = v.getDualValue() ) or // I think this is handled by forwarding in controlsBlock. //or //logical_comparison_eq(test, left, right, k, areEqual, testIsTrue) /* a == b + k => b == a - k */ - exists(int mk | k = -mk | compares_eq(test, right, left, mk, areEqual, testIsTrue)) + exists(int mk | k = -mk | compares_eq(test, right, left, mk, areEqual, value)) or - complex_eq(test, left, right, k, areEqual, testIsTrue) + complex_eq(test, left, right, k, areEqual, value) or /* (x is true => (left == right + k)) => (!x is false => (left == right + k)) */ - exists(boolean isFalse | testIsTrue = isFalse.booleanNot() | - compares_eq(test.(LogicalNotInstruction).getUnary(), left, right, k, areEqual, isFalse) + exists(AbstractValue dual | value = dual.getDualValue() | + compares_eq(test.(LogicalNotInstruction).getUnary(), left, right, k, areEqual, dual) ) } /** Rearrange various simple comparisons into `left == right + k` form. 
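Review bot: The context comment `/* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */` at the top of `compares_eq` still describes the boolean version; the hunk replaces `boolean eq` with `AbstractValue v` and `booleanNot()` with `getDualValue()`, so the comment now names a variable that no longer exists. Suggest `/* The simple case where the test *is* the comparison: areEqual = true when the test evaluates to v, and false when it evaluates to v's dual value. */`. While here, the commented-out `//logical_comparison_eq(...)` with its "I think this is handled by forwarding in controlsBlock" note is a stale guess that should either be confirmed and deleted or turned into a definite statement.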
*/ private predicate simple_comparison_eq( - CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual + CompareInstruction cmp, Operand left, Operand right, int k, AbstractValue value ) { left = cmp.getLeftOperand() and cmp instanceof CompareEQInstruction and right = cmp.getRightOperand() and k = 0 and - areEqual = true + value.(BooleanValue).getValue() = true or left = cmp.getLeftOperand() and cmp instanceof CompareNEInstruction and right = cmp.getRightOperand() and k = 0 and - areEqual = false + value.(BooleanValue).getValue() = false } private predicate complex_eq( - CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue + CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value ) { - sub_eq(cmp, left, right, k, areEqual, testIsTrue) + sub_eq(cmp, left, right, k, areEqual, value) or - add_eq(cmp, left, right, k, areEqual, testIsTrue) + add_eq(cmp, left, right, k, areEqual, value) } /* 
@@ -768,31 +771,31 @@ private predicate add_lt( // left - x == right + c => left == right + (c+x) // left == (right - x) + c => left == right + (c-x) private predicate sub_eq( - CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue + CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value ) { exists(SubInstruction lhs, int c, int x | - compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and + compares_eq(cmp, lhs.getAUse(), right, c, areEqual, value) and left = lhs.getLeftOperand() and x = int_value(lhs.getRight()) and k = c + x ) or exists(SubInstruction rhs, int c, int x | - compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and + compares_eq(cmp, left, rhs.getAUse(), c, areEqual, value) and right = rhs.getLeftOperand() and x = int_value(rhs.getRight()) and k = c - x ) or exists(PointerSubInstruction lhs, int c, int x | - compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and + compares_eq(cmp, lhs.getAUse(), right, c, areEqual, value) and left = lhs.getLeftOperand() and x = int_value(lhs.getRight()) and k = c + x ) or exists(PointerSubInstruction rhs, int c, int x | - compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and + compares_eq(cmp, left, rhs.getAUse(), c, areEqual, value) and right = rhs.getLeftOperand() and x = int_value(rhs.getRight()) and k = c - x 
@@ -802,10 +805,10 @@ private predicate sub_eq( // left + x == right + c => left == right + (c-x) // left == (right + x) + c => left == right + (c+x) private predicate add_eq( - CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, boolean testIsTrue + CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value ) { exists(AddInstruction lhs, int c, int x | - compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and + compares_eq(cmp, lhs.getAUse(), right, c, areEqual, value) and ( left = lhs.getLeftOperand() and x = int_value(lhs.getRight()) or @@ -815,7 +818,7 @@ private predicate add_eq( ) or exists(AddInstruction rhs, int c, int x | - compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and + compares_eq(cmp, left, rhs.getAUse(), c, areEqual, value) and ( right = rhs.getLeftOperand() and x = int_value(rhs.getRight()) or @@ -825,7 +828,7 @@ private predicate add_eq( ) or exists(PointerAddInstruction lhs, int c, int x | - compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and + compares_eq(cmp, lhs.getAUse(), right, c, areEqual, value) and ( left = lhs.getLeftOperand() and x = int_value(lhs.getRight()) or @@ -835,7 +838,7 @@ private predicate add_eq( ) or exists(PointerAddInstruction rhs, int c, int x | - compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and + compares_eq(cmp, left, rhs.getAUse(), c, areEqual, value) and ( right = rhs.getLeftOperand() and x = int_value(rhs.getRight()) or diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll index 91e1fe03e233..81db183fa63e 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll 
@@ -90,6 +90,15 @@ class CaseEdge extends EdgeKind, TCaseEdge { * Gets the largest value of the switch expression for which control will flow along this edge. */ final string getMaxValue() { result = maxValue } + + /** + * Gets the unique value of the switch expression for which control will + * flow along this edge, if any. + */ + final string getValue() { + minValue = maxValue and + result = minValue + } } /** From 44045d3eed8403aea446f15e25bbfd451fe715e3 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 18 Mar 2024 12:26:15 +0000 Subject: [PATCH 2/9] C++: Add guards logic for constant comparisons. --- .../semmle/code/cpp/controlflow/IRGuards.qll | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll index d714c1ecf30d..60de332f8471 100644 --- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll +++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll @@ -452,6 +452,21 @@ class IRGuardCondition extends Instruction { ) } + /** Holds if (determined by this guard) `op == k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */ + cached + predicate comparesEq(Operand op, int k, boolean areEqual, boolean testIsTrue) { + exists(MatchValue mv | + compares_eq(this, op, k, areEqual, mv) and + // A match value cannot be dualized, so `testIsTrue` is always true + testIsTrue = true + ) + or + exists(BooleanValue bv | + compares_eq(this, op, k, areEqual, bv) and + bv.getValue() = testIsTrue + ) + } + /** * Holds if (determined by this guard) `left == right + k` must be `areEqual` in `block`. * If `areEqual = false` then this implies `left != right + k`. 
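Review bot: The `MatchValue` branch of the new `comparesEq(Operand op, int k, boolean areEqual, boolean testIsTrue)` reports a switch-case fact with `testIsTrue = true`, but a switch expression is not a boolean guard, so a caller reading `testIsTrue` as "this guard evaluates to true" gets a fact whose real condition is "the `case k` edge is taken". In that branch `areEqual` can also only be `true`, because `compares_eq` derives `areEqual = false` through `getDualValue()`, which the inline comment says match values do not have. This deserves a sentence in the doc comment, e.g. `For a switch whose expression defines op, this holds with areEqual = true and testIsTrue = true for each integer case label k; use ensuresEq/ensuresEqEdge for the flow-sensitive form.`. If callers will need the non-equal facts for other case edges or `default`, a separate predicate parameterised on `MatchValue` would be clearer than overloading the boolean.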
@@ -463,6 +478,17 @@ class IRGuardCondition extends Instruction { ) } + /** + * Holds if (determined by this guard) `op == k` must be `areEqual` in `block`. + * If `areEqual = false` then this implies `op != k`. + */ + cached + predicate ensuresEq(Operand op, int k, IRBlock block, boolean areEqual) { + exists(AbstractValue value | + compares_eq(this, op, k, areEqual, value) and this.valueControls(block, value) + ) + } + /** * Holds if (determined by this guard) `left == right + k` must be `areEqual` on the edge from * `pred` to `succ`. If `areEqual = false` then this implies `left != right + k`. @@ -477,6 +503,18 @@ class IRGuardCondition extends Instruction { ) } + /** + * Holds if (determined by this guard) `op == k` must be `areEqual` on the edge from + * `pred` to `succ`. If `areEqual = false` then this implies `op != k`. + */ + cached + predicate ensuresEqEdge(Operand op, int k, IRBlock pred, IRBlock succ, boolean areEqual) { + exists(AbstractValue value | + compares_eq(this, op, k, areEqual, value) and + this.valueControlsEdge(pred, succ, value) + ) + } + /** * Holds if this condition controls `block`, meaning that `block` is only * entered if the value of this condition is `v`. This helper 
@@ -598,6 +636,33 @@ private predicate compares_eq( ) } +/** Holds if `op == k` is `areEqual` given that `test` is equal to `value`. */ +private predicate compares_eq( + Instruction test, Operand op, int k, boolean areEqual, AbstractValue value +) { + /* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */ + exists(AbstractValue v | simple_comparison_eq(test, op, k, v) | + areEqual = true and value = v + or + areEqual = false and value = v.getDualValue() + ) + or + complex_eq(test, op, k, areEqual, value) + or + /* (x is true => (op == k)) => (!x is false => (op == k)) */ + exists(AbstractValue dual | value = dual.getDualValue() | + compares_eq(test.(LogicalNotInstruction).getUnary(), op, k, areEqual, dual) + ) + or + // ((test is `areEqual` => op == const + k2) and const == `k1`) => + // test is `areEqual` => op == k1 + k2 + exists(int k1, int k2, ConstantInstruction const | + compares_eq(test, op, const.getAUse(), k2, areEqual, value) and + int_value(const) = k1 and + k = k1 + k2 + ) +} + /** Rearrange various simple comparisons into `left == right + k` form. */ private predicate simple_comparison_eq( CompareInstruction cmp, Operand left, Operand right, int k, AbstractValue value @@ -615,6 +680,15 @@ private predicate simple_comparison_eq( value.(BooleanValue).getValue() = false } +/** Rearrange various simple comparisons into `op == k` form. */ +private predicate simple_comparison_eq(Instruction test, Operand op, int k, AbstractValue value) { + exists(SwitchInstruction switch | + test = switch.getExpression() and + op.getDef() = test and + value.(MatchValue).getCase().getValue().toInt() = k + ) +} + private predicate complex_eq( CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value ) { 
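Review bot: In the new `simple_comparison_eq(Instruction test, Operand op, int k, AbstractValue value)` nothing ties `value.(MatchValue).getCase()` to `switch`: `switch` only constrains `test`, so if `CaseEdge`/`MatchValue` are keyed by their value strings rather than by the owning switch (the `CaseEdge` shown in the EdgeKind hunk carries only `minValue`/`maxValue`, though its constructor is not visible here), `comparesEq(op, k, true, true)` will hold for every integer case label `k` of any switch in the database as soon as `op` is some switch's expression. `ensuresEq`/`ensuresEqEdge` are protected by `valueControls`, but the flow-insensitive `comparesEq` is not, and `exprInBooleanContext` in ScanfChecks calls it with `k = 0`. Suggest additionally requiring that this switch actually has a successor along that case edge, via whatever successor-by-`EdgeKind` accessor the IR's `Instruction` exposes. The copied comment `/* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */` also refers to a variable `eq` that does not exist in this predicate.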
@@ -623,6 +697,14 @@ private predicate complex_eq( add_eq(cmp, left, right, k, areEqual, value) } +private predicate complex_eq( + Instruction test, Operand op, int k, boolean areEqual, AbstractValue value +) { + sub_eq(test, op, k, areEqual, value) + or + add_eq(test, op, k, areEqual, value) +} + /* * Simplification of inequality expressions * Simplify conditions in the source to the canonical form l < r + k. @@ -802,6 +884,23 @@ private predicate sub_eq( ) } +// op - x == c => op == (c+x) +private predicate sub_eq(Instruction test, Operand op, int k, boolean areEqual, AbstractValue value) { + exists(SubInstruction sub, int c, int x | + compares_eq(test, sub.getAUse(), c, areEqual, value) and + op = sub.getLeftOperand() and + x = int_value(sub.getRight()) and + k = c + x + ) + or + exists(PointerSubInstruction sub, int c, int x | + compares_eq(test, sub.getAUse(), c, areEqual, value) and + op = sub.getLeftOperand() and + x = int_value(sub.getRight()) and + k = c + x + ) +} + // left + x == right + c => left == right + (c-x) // left == (right + x) + c => left == right + (c+x) private predicate add_eq( 
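Review bot: The `PointerSubInstruction` case of the new single-operand `sub_eq` concludes `op == c + x` from `op - x == c`, but if pointer subtraction in this IR scales `x` by an element size (as the instruction's name suggests; the definition is not visible here), `x` is an element count while `op == k` asserts an absolute integer value, so `(p - 1) == 0` on a non-byte element type would yield `p == 1` rather than `p == sizeof(*p)`. The two-operand form tolerates this because both sides stay in pointer units; the single-operand form flattens to an integer and does not, and the same result is also reachable via the two-operand `sub_eq` followed by the new constant-folding branch of `compares_eq`. Either document `k` as being in element units for pointer operands, or drop the pointer cases from the single-operand predicates (and from the constant-folding branch) unless the element size is one. `add_eq`'s definition continues outside this hunk.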
@@ -848,5 +947,30 @@ private predicate add_eq( ) } +// left + x == right + c => left == right + (c-x) +private predicate add_eq( + Instruction test, Operand left, int k, boolean areEqual, AbstractValue value +) { + exists(AddInstruction lhs, int c, int x | + compares_eq(test, lhs.getAUse(), c, areEqual, value) and + ( + left = lhs.getLeftOperand() and x = int_value(lhs.getRight()) + or + left = lhs.getRightOperand() and x = int_value(lhs.getLeft()) + ) and + k = c - x + ) + or + exists(PointerAddInstruction lhs, int c, int x | + compares_eq(test, lhs.getAUse(), c, areEqual, value) and + ( + left = lhs.getLeftOperand() and x = int_value(lhs.getRight()) + or + left = lhs.getRightOperand() and x = int_value(lhs.getLeft()) + ) and + k = c - x + ) +} + /** The int value of integer constant expression. */ private int int_value(Instruction i) { result = i.(IntegerConstantInstruction).getValue().toInt() } From decede51dc1ee2db399631bd80f25aa650213071 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 18 Mar 2024 13:54:30 +0000 Subject: [PATCH 3/9] C++: Use the new predicate in 'ScanfChecks.qll'. --- cpp/ql/src/Critical/ScanfChecks.qll | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/cpp/ql/src/Critical/ScanfChecks.qll b/cpp/ql/src/Critical/ScanfChecks.qll index b2464ecc9f48..403df4715f3e 100644 --- a/cpp/ql/src/Critical/ScanfChecks.qll +++ b/cpp/ql/src/Critical/ScanfChecks.qll @@ -11,7 +11,7 @@ private predicate exprInBooleanContext(Expr e) { exists(IRGuardCondition gc | exists(Instruction i | i.getUnconvertedResultExpression() = e and - gc.comparesEq(valueNumber(i).getAUse(), zero(), 0, _, _) + gc.comparesEq(valueNumber(i).getAUse(), 0, _, _) ) or gc.getUnconvertedResultExpression() = e 
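Review bot: The header comment `// left + x == right + c => left == right + (c-x)` above the new single-operand `add_eq` is copied from the two-operand version and mentions a `right` this predicate does not have; the matching form is `// op + x == c => op == (c-x)`. For consistency with the new `sub_eq` directly above, the operand parameter should be named `op` rather than `left`. The `PointerAddInstruction` case has the same element-size question as the pointer case in `sub_eq`: `k` is only meaningful as an absolute value if the add is not scaled.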
@@ -36,10 +36,6 @@ private string getEofValue() { ) } -private ConstantInstruction getEofInstruction() { result.getValue() = getEofValue() } - -private Operand eof() { result.getDef() = getEofInstruction() } - /** * Holds if the value of `call` has been checked to not equal `EOF`. */ @@ -47,7 +43,7 @@ private predicate checkedForEof(ScanfFunctionCall call) { exists(IRGuardCondition gc | exists(Instruction i | i.getUnconvertedResultExpression() = call | // call == EOF - gc.comparesEq(valueNumber(i).getAUse(), eof(), 0, _, _) + gc.comparesEq(valueNumber(i).getAUse(), getEofValue().toInt(), _, _) or // call < 0 (EOF is guaranteed to be negative) gc.comparesLt(valueNumber(i).getAUse(), zero(), 0, true, _) From dbd47b387afb25bce808877198cb5a2bfb0714de Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 18 Mar 2024 16:26:36 +0000 Subject: [PATCH 4/9] C++: Add AST wrappers for the new predicates. --- .../semmle/code/cpp/controlflow/IRGuards.qll | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll index 60de332f8471..ddc380c304f7 100644 --- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll +++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll @@ -137,6 +137,17 @@ class GuardCondition extends Expr { */ cached predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) { none() } + + /** Holds if (determined by this guard) `e == k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */ + cached + predicate comparesEq(Expr e, int k, boolean areEqual, boolean testIsTrue) { none() } + + /** + * Holds if (determined by this guard) `e == k` must be `areEqual` in `block`. + * If `areEqual = false` then this implies `e != k`. + */ + cached + predicate ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual) { none() } } /** 
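Review bot: `gc.comparesEq(valueNumber(i).getAUse(), getEofValue().toInt(), _, _)` silently drops the EOF check whenever `getEofValue()` yields a string that `toInt()` cannot parse, whereas the deleted `getEofInstruction()` matched the constant's own `getValue()` string; `getEofValue()`'s body is outside this hunk, so whether it can ever produce a non-integer spelling (for example a parenthesised macro body) is not visible. If it can, normalise the string before `toInt()`, and in any case add a comment such as `// EOF must resolve to an integer literal here; non-integer spellings are not matched`. The gain is that `comparesEq` now also folds `call + 1 == 0` style checks, which is worth stating in the predicate's doc comment.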
@@ -184,6 +195,20 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition { this.comparesEq(left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue) ) } + + override predicate comparesEq(Expr e, int k, boolean areEqual, boolean testIsTrue) { + exists(boolean partIsTrue, GuardCondition part | + this.(BinaryLogicalOperation).impliesValue(part, partIsTrue, testIsTrue) + | + part.comparesEq(e, k, areEqual, partIsTrue) + ) + } + + override predicate ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual) { + exists(boolean testIsTrue | + this.comparesEq(e, k, areEqual, testIsTrue) and this.controls(block, testIsTrue) + ) + } } /** @@ -245,6 +270,21 @@ private class GuardConditionFromIR extends GuardCondition { ) } + override predicate comparesEq(Expr e, int k, boolean areEqual, boolean testIsTrue) { + exists(Instruction i | + i.getUnconvertedResultExpression() = e and + ir.comparesEq(i.getAUse(), k, areEqual, testIsTrue) + ) + } + + override predicate ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual) { + exists(Instruction i, boolean testIsTrue | + i.getUnconvertedResultExpression() = e and + ir.comparesEq(i.getAUse(), k, areEqual, testIsTrue) and + this.controls(block, testIsTrue) + ) + } + /** * Holds if this condition controls `block`, meaning that `block` is only * entered if the value of this condition is `v`. This helper From 032678a367bc849f55dfa90baba9f2548436212d Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 18 Mar 2024 16:27:10 +0000 Subject: [PATCH 5/9] C++: Extend tests to also test the new predicates. --- .../controlflow/guards-ir/tests.ql | 89 ++++++++++++++----- .../controlflow/guards/GuardsCompare.ql | 28 ++++-- 2 files changed, 87 insertions(+), 30 deletions(-) diff --git a/cpp/ql/test/library-tests/controlflow/guards-ir/tests.ql b/cpp/ql/test/library-tests/controlflow/guards-ir/tests.ql index fe3d92d2c2b5..263c30c2fec5 100644 
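Review bot: `GuardConditionFromIR.ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual)` goes through the boolean `ir.comparesEq(..., testIsTrue)` and `this.controls(block, testIsTrue)` instead of the IR-level `ensuresEq`, which uses `valueControls`; since the IR `comparesEq` reports switch-case facts with `testIsTrue = true`, a `case k` fact is either lost (if `controls(block, true)` never holds for a non-boolean guard) or, worse, attached to every block the switch "controls as true". Which of the two happens depends on `controls`, defined outside this hunk, so it needs a test with a `switch` in the test sources and a doc comment stating the intended scope, e.g. `// Only boolean guards are lifted to the AST here; switch-case facts from the IR are not.`. The same applies to `GuardConditionFromBinaryLogicalOperator.ensuresEq` in the previous hunk, which also controls on a boolean.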
--- a/cpp/ql/test/library-tests/controlflow/guards-ir/tests.ql +++ b/cpp/ql/test/library-tests/controlflow/guards-ir/tests.ql @@ -4,22 +4,32 @@ import semmle.code.cpp.controlflow.IRGuards query predicate astGuards(GuardCondition guard) { any() } query predicate astGuardsCompare(int startLine, string msg) { - exists(GuardCondition guard, Expr left, Expr right, int k, string which, string op | + exists(GuardCondition guard, Expr left, int k, string which, string op | exists(boolean sense | sense = true and which = "true" or sense = false and which = "false" | - guard.comparesLt(left, right, k, true, sense) and op = " < " + exists(Expr right | + guard.comparesLt(left, right, k, true, sense) and op = " < " + or + guard.comparesLt(left, right, k, false, sense) and op = " >= " + or + guard.comparesEq(left, right, k, true, sense) and op = " == " + or + guard.comparesEq(left, right, k, false, sense) and op = " != " + | + msg = left + op + right + "+" + k + " when " + guard + " is " + which + ) or - guard.comparesLt(left, right, k, false, sense) and op = " >= " - or - guard.comparesEq(left, right, k, true, sense) and op = " == " - or - guard.comparesEq(left, right, k, false, sense) and op = " != " + ( + guard.comparesEq(left, k, true, sense) and op = " == " + or + guard.comparesEq(left, k, false, sense) and op = " != " + ) and + msg = left + op + k + " when " + guard + " is " + which ) and - startLine = guard.getLocation().getStartLine() and - msg = left + op + right + "+" + k + " when " + guard + " is " + which + startLine = guard.getLocation().getStartLine() ) } 
@@ -46,28 +56,52 @@ query predicate astGuardsEnsure( ) } +query predicate astGuardsEnsure_const( + GuardCondition guard, Expr left, string op, int k, int start, int end +) { + exists(BasicBlock block | + guard.ensuresEq(left, k, block, true) and op = "==" + or + guard.ensuresEq(left, k, block, false) and op = "!=" + | + block.hasLocationInfo(_, start, _, end, _) + ) +} + query predicate irGuards(IRGuardCondition guard) { any() } query predicate irGuardsCompare(int startLine, string msg) { - exists(IRGuardCondition guard, Operand left, Operand right, int k, string which, string op | + exists(IRGuardCondition guard, Operand left, int k, string which, string op | exists(boolean sense | sense = true and which = "true" or sense = false and which = "false" | - guard.comparesLt(left, right, k, true, sense) and op = " < " + exists(Operand right | + guard.comparesLt(left, right, k, true, sense) and op = " < " + or + guard.comparesLt(left, right, k, false, sense) and op = " >= " + or + guard.comparesEq(left, right, k, true, sense) and op = " == " + or + guard.comparesEq(left, right, k, false, sense) and op = " != " + | + msg = + left.getAnyDef().getUnconvertedResultExpression() + op + + right.getAnyDef().getUnconvertedResultExpression() + "+" + k + " when " + guard + " is " + + which + ) or - guard.comparesLt(left, right, k, false, sense) and op = " >= " - or - guard.comparesEq(left, right, k, true, sense) and op = " == " - or - guard.comparesEq(left, right, k, false, sense) and op = " != " + ( + guard.comparesEq(left, k, true, sense) and op = " == " + or + guard.comparesEq(left, k, false, sense) and op = " != " + ) and + msg = + left.getAnyDef().getUnconvertedResultExpression() + op + k + " when " + guard + " is " + + which ) and - startLine = guard.getLocation().getStartLine() and - msg = - left.getAnyDef().getUnconvertedResultExpression() + op + - right.getAnyDef().getUnconvertedResultExpression() + "+" + k + " when " + guard + " is " + - which + startLine = 
guard.getLocation().getStartLine() ) } @@ -95,3 +129,16 @@ query predicate irGuardsEnsure( block.getLocation().hasLocationInfo(_, start, _, end, _) ) } + +query predicate irGuardsEnsure_const( + IRGuardCondition guard, Instruction left, string op, int k, int start, int end +) { + exists(IRBlock block, Operand leftOp | + guard.ensuresEq(leftOp, k, block, true) and op = "==" + or + guard.ensuresEq(leftOp, k, block, false) and op = "!=" + | + leftOp = left.getAUse() and + block.getLocation().hasLocationInfo(_, start, _, end, _) + ) +} diff --git a/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.ql b/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.ql index a1373b2923b2..17d4fcaae941 100644 --- a/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.ql +++ b/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.ql 
@@ -7,20 +7,30 @@ import cpp import semmle.code.cpp.controlflow.Guards -from GuardCondition guard, Expr left, Expr right, int k, string which, string op, string msg +from GuardCondition guard, Expr left, int k, string which, string op, string msg where exists(boolean sense | sense = true and which = "true" or sense = false and which = "false" | - guard.comparesLt(left, right, k, true, sense) and op = " < " + exists(Expr right | + guard.comparesLt(left, right, k, true, sense) and op = " < " + or + guard.comparesLt(left, right, k, false, sense) and op = " >= " + or + guard.comparesEq(left, right, k, true, sense) and op = " == " + or + guard.comparesEq(left, right, k, false, sense) and op = " != " + | + msg = left + op + right + "+" + k + " when " + guard + " is " + which + ) or - guard.comparesLt(left, right, k, false, sense) and op = " >= " - or - guard.comparesEq(left, right, k, true, sense) and op = " == " - or - guard.comparesEq(left, right, k, false, sense) and op = " != " - ) and - msg = left + op + right + "+" + k + " when " + guard + " is " + which + ( + guard.comparesEq(left, k, true, sense) and op = " == " + or + guard.comparesEq(left, k, false, sense) and op = " != " + ) and + msg = left + op + k + " when " + guard + " is " + which + ) select guard.getLocation().getStartLine(), msg From 40dbc6fdd9e50c7b8d5cfc49fd741510e9b001e3 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 18 Mar 2024 16:27:18 +0000 Subject: [PATCH 6/9] C++: Accept test changes. --- .../controlflow/guards-ir/tests.expected | 88 +++++++++++++++++++ .../controlflow/guards/GuardsCompare.expected | 27 ++++++ 2 files changed, 115 insertions(+) diff --git a/cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected b/cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected index ac8068e768dc..2eb749580b4c 100644 --- a/cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected +++ b/cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected 
@@ -62,7 +62,9 @@ astGuardsCompare | 26 | x >= 0+1 when ... > ... is true | | 31 | - ... != x+0 when ... == ... is false | | 31 | - ... == x+0 when ... == ... is true | +| 31 | x != -1 when ... == ... is false | | 31 | x != - ...+0 when ... == ... is false | +| 31 | x == -1 when ... == ... is true | | 31 | x == - ...+0 when ... == ... is true | | 34 | 10 < j+1 when ... < ... is false | | 34 | 10 >= j+1 when ... < ... is true | @@ -86,15 +88,20 @@ astGuardsCompare | 58 | 0 < y+1 when ... \|\| ... is false | | 58 | 0 == x+0 when ... == ... is true | | 58 | 0 >= y+1 when ... < ... is true | +| 58 | x != 0 when ... == ... is false | +| 58 | x != 0 when ... \|\| ... is false | | 58 | x != 0+0 when ... == ... is false | | 58 | x != 0+0 when ... \|\| ... is false | +| 58 | x == 0 when ... == ... is true | | 58 | x == 0+0 when ... == ... is true | | 58 | y < 0+0 when ... < ... is true | | 58 | y >= 0+0 when ... < ... is false | | 58 | y >= 0+0 when ... \|\| ... is false | | 75 | 0 != x+0 when ... == ... is false | | 75 | 0 == x+0 when ... == ... is true | +| 75 | x != 0 when ... == ... is false | | 75 | x != 0+0 when ... == ... is false | +| 75 | x == 0 when ... == ... is true | | 75 | x == 0+0 when ... == ... is true | | 85 | 0 != x+0 when ... == ... is false | | 85 | 0 != y+0 when ... != ... is true | 
@@ -102,15 +109,23 @@ astGuardsCompare | 85 | 0 == x+0 when ... && ... is true | | 85 | 0 == x+0 when ... == ... is true | | 85 | 0 == y+0 when ... != ... is false | +| 85 | x != 0 when ... == ... is false | | 85 | x != 0+0 when ... == ... is false | +| 85 | x == 0 when ... && ... is true | +| 85 | x == 0 when ... == ... is true | | 85 | x == 0+0 when ... && ... is true | | 85 | x == 0+0 when ... == ... is true | +| 85 | y != 0 when ... != ... is true | +| 85 | y != 0 when ... && ... is true | | 85 | y != 0+0 when ... != ... is true | | 85 | y != 0+0 when ... && ... is true | +| 85 | y == 0 when ... != ... is false | | 85 | y == 0+0 when ... != ... is false | | 94 | 0 != x+0 when ... != ... is true | | 94 | 0 == x+0 when ... != ... is false | +| 94 | x != 0 when ... != ... is true | | 94 | x != 0+0 when ... != ... is true | +| 94 | x == 0 when ... != ... is false | | 94 | x == 0+0 when ... != ... is false | | 102 | 10 < j+1 when ... < ... is false | | 102 | 10 >= j+1 when ... < ... is true | @@ -122,8 +137,11 @@ astGuardsCompare | 109 | 0 < y+1 when ... \|\| ... is false | | 109 | 0 == x+0 when ... == ... is true | | 109 | 0 >= y+1 when ... < ... is true | +| 109 | x != 0 when ... == ... is false | +| 109 | x != 0 when ... \|\| ... is false | | 109 | x != 0+0 when ... == ... is false | | 109 | x != 0+0 when ... \|\| ... is false | +| 109 | x == 0 when ... == ... is true | | 109 | x == 0+0 when ... == ... is true | | 109 | y < 0+0 when ... < ... is true | | 109 | y >= 0+0 when ... < ... is false | @@ -162,7 +180,9 @@ astGuardsCompare | 165 | y >= x+43 when ... < ... is true | | 175 | 0 != call to foo+0 when ... == ... is false | | 175 | 0 == call to foo+0 when ... == ... is true | +| 175 | call to foo != 0 when ... == ... is false | | 175 | call to foo != 0+0 when ... == ... is false | +| 175 | call to foo == 0 when ... == ... is true | | 175 | call to foo == 0+0 when ... == ... is true | astGuardsControl | test.c:7:9:7:13 | ... > ... | false | 10 | 11 | 
@@ -443,6 +463,34 @@ astGuardsEnsure | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | != | test.cpp:31:7:31:7 | x | 0 | 34 | 34 | | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | == | test.cpp:31:7:31:7 | x | 0 | 30 | 30 | | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | == | test.cpp:31:7:31:7 | x | 0 | 31 | 32 | +astGuardsEnsure_const +| test.c:58:9:58:14 | ... == ... | test.c:58:9:58:9 | x | != | 0 | 58 | 58 | +| test.c:58:9:58:14 | ... == ... | test.c:58:9:58:9 | x | != | 0 | 62 | 62 | +| test.c:58:9:58:23 | ... \|\| ... | test.c:58:9:58:9 | x | != | 0 | 62 | 62 | +| test.c:75:9:75:14 | ... == ... | test.c:75:9:75:9 | x | != | 0 | 78 | 79 | +| test.c:75:9:75:14 | ... == ... | test.c:75:9:75:9 | x | == | 0 | 75 | 77 | +| test.c:85:8:85:13 | ... == ... | test.c:85:8:85:8 | x | == | 0 | 85 | 85 | +| test.c:85:8:85:13 | ... == ... | test.c:85:8:85:8 | x | == | 0 | 86 | 86 | +| test.c:85:8:85:23 | ... && ... | test.c:85:8:85:8 | x | == | 0 | 86 | 86 | +| test.c:85:8:85:23 | ... && ... | test.c:85:18:85:18 | y | != | 0 | 86 | 86 | +| test.c:85:18:85:23 | ... != ... | test.c:85:18:85:18 | y | != | 0 | 86 | 86 | +| test.c:94:11:94:16 | ... != ... | test.c:94:11:94:11 | x | != | 0 | 94 | 96 | +| test.c:94:11:94:16 | ... != ... | test.c:94:11:94:11 | x | == | 0 | 70 | 70 | +| test.c:94:11:94:16 | ... != ... | test.c:94:11:94:11 | x | == | 0 | 99 | 102 | +| test.c:94:11:94:16 | ... != ... | test.c:94:11:94:11 | x | == | 0 | 102 | 102 | +| test.c:94:11:94:16 | ... != ... | test.c:94:11:94:11 | x | == | 0 | 107 | 109 | +| test.c:94:11:94:16 | ... != ... | test.c:94:11:94:11 | x | == | 0 | 109 | 109 | +| test.c:94:11:94:16 | ... != ... | test.c:94:11:94:11 | x | == | 0 | 109 | 117 | +| test.c:94:11:94:16 | ... != ... | test.c:94:11:94:11 | x | == | 0 | 113 | 113 | +| test.c:109:9:109:14 | ... == ... | test.c:109:9:109:9 | x | != | 0 | 109 | 109 | +| test.c:109:9:109:14 | ... == ... 
| test.c:109:9:109:9 | x | != | 0 | 113 | 113 | +| test.c:109:9:109:23 | ... \|\| ... | test.c:109:9:109:9 | x | != | 0 | 113 | 113 | +| test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | != | 0 | 175 | 175 | +| test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | == | 0 | 175 | 175 | +| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | -1 | 30 | 30 | +| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | -1 | 34 | 34 | +| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 30 | 30 | +| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 31 | 32 | irGuards | test.c:7:9:7:13 | CompareGT: ... > ... | | test.c:17:8:17:12 | CompareLT: ... < ... | @@ -497,7 +545,9 @@ irGuardsCompare | 26 | x >= 0+1 when CompareGT: ... > ... is true | | 31 | - ... != x+0 when CompareEQ: ... == ... is false | | 31 | - ... == x+0 when CompareEQ: ... == ... is true | +| 31 | x != -1 when CompareEQ: ... == ... is false | | 31 | x != - ...+0 when CompareEQ: ... == ... is false | +| 31 | x == -1 when CompareEQ: ... == ... is true | | 31 | x == - ...+0 when CompareEQ: ... == ... is true | | 34 | 10 < j+1 when CompareLT: ... < ... is false | | 34 | 10 >= j+1 when CompareLT: ... < ... is true | 
@@ -519,25 +569,35 @@ irGuardsCompare | 58 | 0 < y+1 when CompareLT: ... < ... is false | | 58 | 0 == x+0 when CompareEQ: ... == ... is true | | 58 | 0 >= y+1 when CompareLT: ... < ... is true | +| 58 | x != 0 when CompareEQ: ... == ... is false | | 58 | x != 0+0 when CompareEQ: ... == ... is false | +| 58 | x == 0 when CompareEQ: ... == ... is true | | 58 | x == 0+0 when CompareEQ: ... == ... is true | | 58 | y < 0+0 when CompareLT: ... < ... is true | | 58 | y >= 0+0 when CompareLT: ... < ... is false | | 75 | 0 != x+0 when CompareEQ: ... == ... is false | | 75 | 0 == x+0 when CompareEQ: ... == ... is true | +| 75 | x != 0 when CompareEQ: ... == ... is false | | 75 | x != 0+0 when CompareEQ: ... == ... is false | +| 75 | x == 0 when CompareEQ: ... == ... is true | | 75 | x == 0+0 when CompareEQ: ... == ... is true | | 85 | 0 != x+0 when CompareEQ: ... == ... is false | | 85 | 0 != y+0 when CompareNE: ... != ... is true | | 85 | 0 == x+0 when CompareEQ: ... == ... is true | | 85 | 0 == y+0 when CompareNE: ... != ... is false | +| 85 | x != 0 when CompareEQ: ... == ... is false | | 85 | x != 0+0 when CompareEQ: ... == ... is false | +| 85 | x == 0 when CompareEQ: ... == ... is true | | 85 | x == 0+0 when CompareEQ: ... == ... is true | +| 85 | y != 0 when CompareNE: ... != ... is true | | 85 | y != 0+0 when CompareNE: ... != ... is true | +| 85 | y == 0 when CompareNE: ... != ... is false | | 85 | y == 0+0 when CompareNE: ... != ... is false | | 94 | 0 != x+0 when CompareNE: ... != ... is true | | 94 | 0 == x+0 when CompareNE: ... != ... is false | +| 94 | x != 0 when CompareNE: ... != ... is true | | 94 | x != 0+0 when CompareNE: ... != ... is true | +| 94 | x == 0 when CompareNE: ... != ... is false | | 94 | x == 0+0 when CompareNE: ... != ... is false | | 102 | 10 < j+1 when CompareLT: ... < ... is false | | 102 | 10 >= j+1 when CompareLT: ... < ... is true | 
@@ -547,7 +607,9 @@ irGuardsCompare | 109 | 0 < y+1 when CompareLT: ... < ... is false | | 109 | 0 == x+0 when CompareEQ: ... == ... is true | | 109 | 0 >= y+1 when CompareLT: ... < ... is true | +| 109 | x != 0 when CompareEQ: ... == ... is false | | 109 | x != 0+0 when CompareEQ: ... == ... is false | +| 109 | x == 0 when CompareEQ: ... == ... is true | | 109 | x == 0+0 when CompareEQ: ... == ... is true | | 109 | y < 0+0 when CompareLT: ... < ... is true | | 109 | y >= 0+0 when CompareLT: ... < ... is false | @@ -585,7 +647,9 @@ irGuardsCompare | 165 | y >= x+43 when CompareLT: ... < ... is true | | 175 | 0 != call to foo+0 when CompareEQ: ... == ... is false | | 175 | 0 == call to foo+0 when CompareEQ: ... == ... is true | +| 175 | call to foo != 0 when CompareEQ: ... == ... is false | | 175 | call to foo != 0+0 when CompareEQ: ... == ... is false | +| 175 | call to foo == 0 when CompareEQ: ... == ... is true | | 175 | call to foo == 0+0 when CompareEQ: ... == ... is true | irGuardsControl | test.c:7:9:7:13 | CompareGT: ... > ... | false | 11 | 11 | 
@@ -841,3 +905,27 @@ irGuardsEnsure | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:12:31:13 | Constant: - ... | != | test.cpp:31:7:31:7 | Load: x | 0 | 34 | 34 | | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:12:31:13 | Constant: - ... | == | test.cpp:31:7:31:7 | Load: x | 0 | 30 | 30 | | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:12:31:13 | Constant: - ... | == | test.cpp:31:7:31:7 | Load: x | 0 | 32 | 32 | +irGuardsEnsure_const +| test.c:58:9:58:14 | CompareEQ: ... == ... | test.c:58:9:58:9 | Load: x | != | 0 | 58 | 58 | +| test.c:58:9:58:14 | CompareEQ: ... == ... | test.c:58:9:58:9 | Load: x | != | 0 | 62 | 62 | +| test.c:75:9:75:14 | CompareEQ: ... == ... | test.c:75:9:75:9 | Load: x | != | 0 | 79 | 79 | +| test.c:75:9:75:14 | CompareEQ: ... == ... | test.c:75:9:75:9 | Load: x | == | 0 | 76 | 76 | +| test.c:85:8:85:13 | CompareEQ: ... == ... | test.c:85:8:85:8 | Load: x | == | 0 | 85 | 85 | +| test.c:85:8:85:13 | CompareEQ: ... == ... | test.c:85:8:85:8 | Load: x | == | 0 | 86 | 86 | +| test.c:85:18:85:23 | CompareNE: ... != ... | test.c:85:18:85:18 | Load: y | != | 0 | 86 | 86 | +| test.c:94:11:94:16 | CompareNE: ... != ... | test.c:94:11:94:11 | Load: x | != | 0 | 95 | 95 | +| test.c:94:11:94:16 | CompareNE: ... != ... | test.c:94:11:94:11 | Load: x | == | 0 | 70 | 70 | +| test.c:94:11:94:16 | CompareNE: ... != ... | test.c:94:11:94:11 | Load: x | == | 0 | 99 | 99 | +| test.c:94:11:94:16 | CompareNE: ... != ... | test.c:94:11:94:11 | Load: x | == | 0 | 102 | 102 | +| test.c:94:11:94:16 | CompareNE: ... != ... | test.c:94:11:94:11 | Load: x | == | 0 | 103 | 103 | +| test.c:94:11:94:16 | CompareNE: ... != ... | test.c:94:11:94:11 | Load: x | == | 0 | 107 | 107 | +| test.c:94:11:94:16 | CompareNE: ... != ... | test.c:94:11:94:11 | Load: x | == | 0 | 109 | 109 | +| test.c:94:11:94:16 | CompareNE: ... != ... | test.c:94:11:94:11 | Load: x | == | 0 | 110 | 110 | +| test.c:94:11:94:16 | CompareNE: ... != ... 
| test.c:94:11:94:11 | Load: x | == | 0 | 113 | 113 | +| test.c:109:9:109:14 | CompareEQ: ... == ... | test.c:109:9:109:9 | Load: x | != | 0 | 109 | 109 | +| test.c:109:9:109:14 | CompareEQ: ... == ... | test.c:109:9:109:9 | Load: x | != | 0 | 113 | 113 | +| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:13:175:15 | Call: call to foo | != | 0 | 175 | 175 | +| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:13:175:15 | Call: call to foo | == | 0 | 175 | 175 | +| test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | != | -1 | 34 | 34 | +| test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | == | -1 | 30 | 30 | +| test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | == | -1 | 32 | 32 | diff --git a/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected b/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected index 58068f3991df..5f714676b5c8 100644 --- a/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected +++ b/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected @@ -20,7 +20,9 @@ | 26 | x >= 0+1 when ... > ... is true | | 31 | - ... != x+0 when ... == ... is false | | 31 | - ... == x+0 when ... == ... is true | +| 31 | x != -1 when ... == ... is false | | 31 | x != - ...+0 when ... == ... is false | +| 31 | x == -1 when ... == ... is true | | 31 | x == - ...+0 when ... == ... is true | | 34 | 10 < j+1 when ... < ... is false | | 34 | 10 >= j+1 when ... < ... is true | 
@@ -44,31 +46,53 @@ | 58 | 0 < y+1 when ... \|\| ... is false | | 58 | 0 == x+0 when ... == ... is true | | 58 | 0 >= y+1 when ... < ... is true | +| 58 | x != 0 when ... == ... is false | +| 58 | x != 0 when ... \|\| ... is false | | 58 | x != 0+0 when ... == ... is false | | 58 | x != 0+0 when ... \|\| ... is false | +| 58 | x == 0 when ... == ... is true | | 58 | x == 0+0 when ... == ... is true | | 58 | y < 0+0 when ... < ... is true | | 58 | y >= 0+0 when ... < ... is false | | 58 | y >= 0+0 when ... \|\| ... is false | +| 61 | i == 0 when i is true | +| 61 | i == 1 when i is true | +| 61 | i == 2 when i is true | +| 74 | i == 0 when i is true | +| 74 | i == 1 when i is true | +| 74 | i == 2 when i is true | | 75 | 0 != x+0 when ... == ... is false | | 75 | 0 == x+0 when ... == ... is true | +| 75 | x != 0 when ... == ... is false | | 75 | x != 0+0 when ... == ... is false | +| 75 | x == 0 when ... == ... is true | | 75 | x == 0+0 when ... == ... is true | +| 84 | i == 0 when i is true | +| 84 | i == 1 when i is true | +| 84 | i == 2 when i is true | | 85 | 0 != x+0 when ... == ... is false | | 85 | 0 != y+0 when ... != ... is true | | 85 | 0 != y+0 when ... && ... is true | | 85 | 0 == x+0 when ... && ... is true | | 85 | 0 == x+0 when ... == ... is true | | 85 | 0 == y+0 when ... != ... is false | +| 85 | x != 0 when ... == ... is false | | 85 | x != 0+0 when ... == ... is false | +| 85 | x == 0 when ... && ... is true | +| 85 | x == 0 when ... == ... is true | | 85 | x == 0+0 when ... && ... is true | | 85 | x == 0+0 when ... == ... is true | +| 85 | y != 0 when ... != ... is true | +| 85 | y != 0 when ... && ... is true | | 85 | y != 0+0 when ... != ... is true | | 85 | y != 0+0 when ... && ... is true | +| 85 | y == 0 when ... != ... is false | | 85 | y == 0+0 when ... != ... is false | | 94 | 0 != x+0 when ... != ... is true | | 94 | 0 == x+0 when ... != ... is false | +| 94 | x != 0 when ... != ... is true | | 94 | x != 0+0 when ... != ... 
is true | +| 94 | x == 0 when ... != ... is false | | 94 | x == 0+0 when ... != ... is false | | 102 | 10 < j+1 when ... < ... is false | | 102 | 10 >= j+1 when ... < ... is true | @@ -80,8 +104,11 @@ | 109 | 0 < y+1 when ... \|\| ... is false | | 109 | 0 == x+0 when ... == ... is true | | 109 | 0 >= y+1 when ... < ... is true | +| 109 | x != 0 when ... == ... is false | +| 109 | x != 0 when ... \|\| ... is false | | 109 | x != 0+0 when ... == ... is false | | 109 | x != 0+0 when ... \|\| ... is false | +| 109 | x == 0 when ... == ... is true | | 109 | x == 0+0 when ... == ... is true | | 109 | y < 0+0 when ... < ... is true | | 109 | y >= 0+0 when ... < ... is false | From 0c3d9f75f4a48308ee2b40043d541ceee8ce9227 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 19 Mar 2024 09:41:58 +0000 Subject: [PATCH 7/9] C++: Add change note. --- .../2024-03-19-predicates-for-switches-as-guards.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 cpp/ql/lib/change-notes/2024-03-19-predicates-for-switches-as-guards.md diff --git a/cpp/ql/lib/change-notes/2024-03-19-predicates-for-switches-as-guards.md b/cpp/ql/lib/change-notes/2024-03-19-predicates-for-switches-as-guards.md new file mode 100644 index 000000000000..3dde8805599f --- /dev/null +++ b/cpp/ql/lib/change-notes/2024-03-19-predicates-for-switches-as-guards.md @@ -0,0 +1,5 @@ +--- +category: feature +--- +* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. +* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant. \ No newline at end of file From 350b239ed62d5747195bb68c73239f36acbcbfd0 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Tue, 19 Mar 2024 10:29:43 +0000 Subject: [PATCH 8/9] C++: Fix cartesian product in 'simple_comparison_eq'. --- cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll index ddc380c304f7..ab67d77f5cd0 100644 --- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll +++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll @@ -722,10 +722,12 @@ private predicate simple_comparison_eq( /** Rearrange various simple comparisons into `op == k` form. */ private predicate simple_comparison_eq(Instruction test, Operand op, int k, AbstractValue value) { - exists(SwitchInstruction switch | + exists(SwitchInstruction switch, CaseEdge case | test = switch.getExpression() and op.getDef() = test and - value.(MatchValue).getCase().getValue().toInt() = k + case = value.(MatchValue).getCase() and + exists(switch.getSuccessor(case)) and + case.getValue().toInt() = k ) } From d7afd7b2e1d2797528aaf9322cc997b76cb61d23 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 19 Mar 2024 10:54:35 +0000 Subject: [PATCH 9/9] C++: Accept test changes. --- .../library-tests/controlflow/guards/GuardsCompare.expected | 6 ------ 1 file changed, 6 deletions(-) diff --git a/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected b/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected index 5f714676b5c8..1057e8e10466 100644 --- a/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected +++ b/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected 
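Review bot: The last added conjunct, `case.getValue().toInt() = k`, holds only when the case label's value string parses as a 32-bit `int`, so labels outside that range (a large unsigned or 64-bit enumerator constant) silently yield no `MatchValue` comparison and the switch is simply not treated as a guard on `op` for that case; if `CaseEdge.getValue()` is likewise only defined for single-value labels, range cases (`case 1 ... 5:`) and the `default` edge are excluded as well, which looks intended but is nowhere stated. The doc comment this overload shares with the others, `/** Rearrange various simple comparisons into `op == k` form. */`, should spell that out, e.g. a comment saying that this overload holds when test is a switch on op and value is the MatchValue of one of that switch's single-value case edges whose label fits an int k, and that labels that do not fit an int, range cases and default produce no result. The new `exists(switch.getSuccessor(case))` conjunct is the right fix for the cartesian product, since the commit shows a `CaseEdge` is presumably not tied to a particular switch and only the successor relation connects it to this `switch`; a one-line `// restrict to case edges actually present on this switch` above it would make that non-obvious reason visible to the next reader.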
@@ -58,18 +58,12 @@ | 61 | i == 0 when i is true | | 61 | i == 1 when i is true | | 61 | i == 2 when i is true | -| 74 | i == 0 when i is true | -| 74 | i == 1 when i is true | -| 74 | i == 2 when i is true | | 75 | 0 != x+0 when ... == ... is false | | 75 | 0 == x+0 when ... == ... is true | | 75 | x != 0 when ... == ... is false | | 75 | x != 0+0 when ... == ... is false | | 75 | x == 0 when ... == ... is true | | 75 | x == 0+0 when ... == ... is true | -| 84 | i == 0 when i is true | -| 84 | i == 1 when i is true | -| 84 | i == 2 when i is true | | 85 | 0 != x+0 when ... == ... is false | | 85 | 0 != y+0 when ... != ... is true | | 85 | 0 != y+0 when ... && ... is true |