C++: Initial implementation of back-edge detection

jbj · jbj · commit 38f7ec7d1818 · 2019-01-23T11:40:12.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll
@@ -90,6 +90,10 @@ class IRBlock extends IRBlockBase {
     blockSuccessor(this, result, kind)
   }
 
+  final IRBlock getBackEdgeSuccessor(EdgeKind kind) {
+    backEdgeSuccessor(this, result, kind)
+  }
+
   final predicate immediatelyDominates(IRBlock block) {
     blockImmediatelyDominates(this, block)
   }
@@ -132,7 +136,10 @@ private predicate startsBasicBlock(Instruction instr) {
     exists(Instruction predecessor, EdgeKind kind |
       instr = predecessor.getSuccessor(kind) and
       not kind instanceof GotoEdge
-    )  // Incoming edge is not a GotoEdge
+    ) or  // Incoming edge is not a GotoEdge
+    exists(Instruction predecessor |
+      instr = predecessor.getBackEdgeSuccessor(_)
+    )  // A back edge enters this instruction
   )
 }
 
@@ -184,6 +191,14 @@ private cached module Cached {
     )
   }
 
+  cached predicate backEdgeSuccessor(TIRBlock pred, TIRBlock succ, EdgeKind kind) {
+    exists(Instruction predLast, Instruction succFirst |
+      predLast = getInstruction(pred, getInstructionCount(pred) - 1) and
+      succFirst = predLast.getBackEdgeSuccessor(kind) and
+      succ = MkIRBlock(succFirst)
+    )
+  }
+
   cached predicate blockSuccessor(TIRBlock pred, TIRBlock succ) {
     blockSuccessor(pred, succ, _)
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -463,6 +463,16 @@ class Instruction extends Construction::TInstruction {
     result = Construction::getInstructionSuccessor(this, kind)
   }
 
+  /**
+   * Gets the a _back-edge successor_ of this instruction along the control
+   * flow edge specified by `kind`. A back edge in the control-flow graph is
+   * intuitively the edge that goes back around a loop. If all back edges are
+   * removed from the control-flow graph, it becomes acyclic.
+   */
+  final Instruction getBackEdgeSuccessor(EdgeKind kind) {
+    result = Construction::getInstructionBackEdgeSuccessor(this, kind)
+  }
+
   /**
    * Gets all direct successors of this instruction.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -278,6 +278,14 @@ cached private module Cached {
     )
   }
 
+  cached Instruction getInstructionBackEdgeSuccessor(Instruction instruction, EdgeKind kind) {
+    exists(OldInstruction oldInstruction |
+      oldInstruction = getOldInstruction(instruction) and
+      result = getNewInstruction(oldInstruction.getBackEdgeSuccessor(kind)) and
+      not Reachability::isInfeasibleInstructionSuccessor(oldInstruction, kind)
+    )
+  }
+
   cached IRVariable getInstructionVariable(Instruction instruction) {
     result = getNewIRVariable(getOldInstruction(instruction).(OldIR::VariableInstruction).getVariable())
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll
@@ -90,6 +90,10 @@ class IRBlock extends IRBlockBase {
     blockSuccessor(this, result, kind)
   }
 
+  final IRBlock getBackEdgeSuccessor(EdgeKind kind) {
+    backEdgeSuccessor(this, result, kind)
+  }
+
   final predicate immediatelyDominates(IRBlock block) {
     blockImmediatelyDominates(this, block)
   }
@@ -132,7 +136,10 @@ private predicate startsBasicBlock(Instruction instr) {
     exists(Instruction predecessor, EdgeKind kind |
       instr = predecessor.getSuccessor(kind) and
       not kind instanceof GotoEdge
-    )  // Incoming edge is not a GotoEdge
+    ) or  // Incoming edge is not a GotoEdge
+    exists(Instruction predecessor |
+      instr = predecessor.getBackEdgeSuccessor(_)
+    )  // A back edge enters this instruction
   )
 }
 
@@ -184,6 +191,14 @@ private cached module Cached {
     )
   }
 
+  cached predicate backEdgeSuccessor(TIRBlock pred, TIRBlock succ, EdgeKind kind) {
+    exists(Instruction predLast, Instruction succFirst |
+      predLast = getInstruction(pred, getInstructionCount(pred) - 1) and
+      succFirst = predLast.getBackEdgeSuccessor(kind) and
+      succ = MkIRBlock(succFirst)
+    )
+  }
+
   cached predicate blockSuccessor(TIRBlock pred, TIRBlock succ) {
     blockSuccessor(pred, succ, _)
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -463,6 +463,16 @@ class Instruction extends Construction::TInstruction {
     result = Construction::getInstructionSuccessor(this, kind)
   }
 
+  /**
+   * Gets the a _back-edge successor_ of this instruction along the control
+   * flow edge specified by `kind`. A back edge in the control-flow graph is
+   * intuitively the edge that goes back around a loop. If all back edges are
+   * removed from the control-flow graph, it becomes acyclic.
+   */
+  final Instruction getBackEdgeSuccessor(EdgeKind kind) {
+    result = Construction::getInstructionBackEdgeSuccessor(this, kind)
+  }
+
   /**
    * Gets all direct successors of this instruction.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
@@ -5,6 +5,7 @@ private import semmle.code.cpp.ir.internal.TempVariableTag
 private import InstructionTag
 private import TranslatedElement
 private import TranslatedExpr
+private import TranslatedStmt
 private import TranslatedFunction
 
 class InstructionTagType extends TInstructionTag {
@@ -104,6 +105,92 @@ cached private module Cached {
       instruction.getTag(), kind)
   }
 
+  // This predicate has pragma[noopt] because otherwise the `getAChild*` calls
+  // get joined too early. The join order for the loop cases goes like this:
+  // - Find all loops of that type (tens of thousands).
+  // - Find all edges into the start of the loop (x 2).
+  // - Restrict to edges that originate within the loop (/ 2).
+  pragma[noopt]
+  cached Instruction getInstructionBackEdgeSuccessor(Instruction instruction, EdgeKind kind) {
+    // Any edge from within the body of the loop to the condition of the loop
+    // is a back edge. This includes edges from `continue` and the fall-through
+    // edge(s) after the last instruction(s) in the body.
+    exists(TranslatedWhileStmt s |
+      s instanceof TranslatedWhileStmt and
+      result = s.getFirstConditionInstruction() and
+      exists(TranslatedElement inBody, InstructionTag tag |
+        result = inBody.getInstructionSuccessor(tag, kind) and
+        exists(TranslatedElement body | body = s.getBody() | inBody = body.getAChild*()) and
+        instruction = inBody.getInstruction(tag)
+      )
+    )
+    or
+    // The back edge should be the (unique) edge from the condition to the
+    // body. This ensures that it's the back edge that will be pruned in a `do
+    // { ... } while (0)` statement. Note that all `continue` statements in a
+    // do-while loop produce forward edges.
+    exists(TranslatedDoStmt s |
+      s instanceof TranslatedDoStmt and
+      exists(TranslatedStmt body | body = s.getBody() | result = body.getFirstInstruction()) and
+      exists(TranslatedElement inCondition, InstructionTag tag |
+        result = inCondition.getInstructionSuccessor(tag, kind) and
+        exists(TranslatedElement condition | condition = s.getCondition() |
+          inCondition = condition.getAChild*()
+        ) and
+        instruction = inCondition.getInstruction(tag)
+      )
+    )
+    or
+    // Any edge from within the body or update of the loop to the condition of
+    // the loop is a back edge.  This includes edges from `continue` and the
+    // fall-through edge(s) after the last instruction(s) in the body. A `for`
+    // loop may not have a condition, in which case
+    // `getFirstConditionInstruction` returns the body instead.
+    exists(TranslatedForStmt s |
+      s instanceof TranslatedForStmt and
+      result = s.getFirstConditionInstruction() and
+      exists(TranslatedElement inLoop, InstructionTag tag |
+        result = inLoop.getInstructionSuccessor(tag, kind) and
+        exists(TranslatedElement bodyOrUpdate |
+          bodyOrUpdate = s.getBody()
+          or
+          bodyOrUpdate = s.getUpdate()
+        |
+          inLoop = bodyOrUpdate.getAChild*()
+        ) and
+        instruction = inLoop.getInstruction(tag)
+      )
+    )
+    or
+    // As a conservative approximation, any edge out of `goto` is a back edge
+    // unless it goes strictly forward in the program text. A `goto` whose
+    // source and target are both inside a macro will be seen as having the
+    // same location for source and target, so we conservatively assume that
+    // such a `goto` creates a back edge.
+    exists(TranslatedElement s, GotoStmt goto |
+      goto instanceof GotoStmt and
+      not isStrictlyForwardGoto(goto) and
+      goto = s.getAST() and
+      exists(InstructionTag tag |
+        result = s.getInstructionSuccessor(tag, kind) and
+        instruction = s.getInstruction(tag)
+      )
+    )
+  }
+
+  /** Holds if `goto` jumps strictly forward in the program text. */
+  private predicate isStrictlyForwardGoto(GotoStmt goto) {
+    exists(string gotoFile, int gotoLine, string targetFile, int targetLine |
+      goto.getLocation().hasLocationInfo(gotoFile, gotoLine, _, _, _) and
+      goto.getTarget().getLocation().hasLocationInfo(targetFile, targetLine, _, _, _) and
+      targetLine > gotoLine and
+      // We avoid `=` for equality here since that might tempt the join orderer
+      // into joining on the file name too early.
+      gotoFile >= targetFile and
+      gotoFile <= targetFile
+    )
+  }
+
   cached IRVariable getInstructionVariable(Instruction instruction) {
     result = getInstructionTranslatedElement(instruction).getInstructionVariable(
       instruction.getTag())
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
@@ -632,7 +632,7 @@ class TranslatedForStmt extends TranslatedLoop {
     exists(forStmt.getInitialization())
   }
   
-  private TranslatedExpr getUpdate() {
+  TranslatedExpr getUpdate() {
     result = getTranslatedExpr(forStmt.getUpdate().getFullyConverted())
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll
@@ -90,6 +90,10 @@ class IRBlock extends IRBlockBase {
     blockSuccessor(this, result, kind)
   }
 
+  final IRBlock getBackEdgeSuccessor(EdgeKind kind) {
+    backEdgeSuccessor(this, result, kind)
+  }
+
   final predicate immediatelyDominates(IRBlock block) {
     blockImmediatelyDominates(this, block)
   }
@@ -132,7 +136,10 @@ private predicate startsBasicBlock(Instruction instr) {
     exists(Instruction predecessor, EdgeKind kind |
       instr = predecessor.getSuccessor(kind) and
       not kind instanceof GotoEdge
-    )  // Incoming edge is not a GotoEdge
+    ) or  // Incoming edge is not a GotoEdge
+    exists(Instruction predecessor |
+      instr = predecessor.getBackEdgeSuccessor(_)
+    )  // A back edge enters this instruction
   )
 }
 
@@ -184,6 +191,14 @@ private cached module Cached {
     )
   }
 
+  cached predicate backEdgeSuccessor(TIRBlock pred, TIRBlock succ, EdgeKind kind) {
+    exists(Instruction predLast, Instruction succFirst |
+      predLast = getInstruction(pred, getInstructionCount(pred) - 1) and
+      succFirst = predLast.getBackEdgeSuccessor(kind) and
+      succ = MkIRBlock(succFirst)
+    )
+  }
+
   cached predicate blockSuccessor(TIRBlock pred, TIRBlock succ) {
     blockSuccessor(pred, succ, _)
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -463,6 +463,16 @@ class Instruction extends Construction::TInstruction {
     result = Construction::getInstructionSuccessor(this, kind)
   }
 
+  /**
+   * Gets the a _back-edge successor_ of this instruction along the control
+   * flow edge specified by `kind`. A back edge in the control-flow graph is
+   * intuitively the edge that goes back around a loop. If all back edges are
+   * removed from the control-flow graph, it becomes acyclic.
+   */
+  final Instruction getBackEdgeSuccessor(EdgeKind kind) {
+    result = Construction::getInstructionBackEdgeSuccessor(this, kind)
+  }
+
   /**
    * Gets all direct successors of this instruction.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -278,6 +278,14 @@ cached private module Cached {
     )
   }
 
+  cached Instruction getInstructionBackEdgeSuccessor(Instruction instruction, EdgeKind kind) {
+    exists(OldInstruction oldInstruction |
+      oldInstruction = getOldInstruction(instruction) and
+      result = getNewInstruction(oldInstruction.getBackEdgeSuccessor(kind)) and
+      not Reachability::isInfeasibleInstructionSuccessor(oldInstruction, kind)
+    )
+  }
+
   cached IRVariable getInstructionVariable(Instruction instruction) {
     result = getNewIRVariable(getOldInstruction(instruction).(OldIR::VariableInstruction).getVariable())
   }

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,10 @@ class IRBlock extends IRBlockBase {`
`90`	`90`	`blockSuccessor(this, result, kind)`
`91`	`91`	`}`
`92`	`92`
	`93`	`+ final IRBlock getBackEdgeSuccessor(EdgeKind kind) {`
	`94`	`+ backEdgeSuccessor(this, result, kind)`
	`95`	`+ }`
	`96`	`+`
`93`	`97`	`final predicate immediatelyDominates(IRBlock block) {`
`94`	`98`	`blockImmediatelyDominates(this, block)`
`95`	`99`	`}`
`@@ -132,7 +136,10 @@ private predicate startsBasicBlock(Instruction instr) {`
`132`	`136`	`exists(Instruction predecessor, EdgeKind kind \|`
`133`	`137`	`instr = predecessor.getSuccessor(kind) and`
`134`	`138`	`not kind instanceof GotoEdge`
`135`		`- ) // Incoming edge is not a GotoEdge`
	`139`	`+ ) or // Incoming edge is not a GotoEdge`
	`140`	`+ exists(Instruction predecessor \|`
	`141`	`+ instr = predecessor.getBackEdgeSuccessor(_)`
	`142`	`+ ) // A back edge enters this instruction`
`136`	`143`	`)`
`137`	`144`	`}`
`138`	`145`
`@@ -184,6 +191,14 @@ private cached module Cached {`
`184`	`191`	`)`
`185`	`192`	`}`
`186`	`193`
	`194`	`+ cached predicate backEdgeSuccessor(TIRBlock pred, TIRBlock succ, EdgeKind kind) {`
	`195`	`+ exists(Instruction predLast, Instruction succFirst \|`
	`196`	`+ predLast = getInstruction(pred, getInstructionCount(pred) - 1) and`
	`197`	`+ succFirst = predLast.getBackEdgeSuccessor(kind) and`
	`198`	`+ succ = MkIRBlock(succFirst)`
	`199`	`+ )`
	`200`	`+ }`
	`201`	`+`
`187`	`202`	`cached predicate blockSuccessor(TIRBlock pred, TIRBlock succ) {`
`188`	`203`	`blockSuccessor(pred, succ, _)`
`189`	`204`	`}`
Original file line number	Diff line number	Diff line change
`@@ -278,6 +278,14 @@ cached private module Cached {`
`278`	`278`	`)`
`279`	`279`	`}`
`280`	`280`
	`281`	`+ cached Instruction getInstructionBackEdgeSuccessor(Instruction instruction, EdgeKind kind) {`
	`282`	`+ exists(OldInstruction oldInstruction \|`
	`283`	`+ oldInstruction = getOldInstruction(instruction) and`
	`284`	`+ result = getNewInstruction(oldInstruction.getBackEdgeSuccessor(kind)) and`
	`285`	`+ not Reachability::isInfeasibleInstructionSuccessor(oldInstruction, kind)`
	`286`	`+ )`
	`287`	`+ }`
	`288`	`+`
`281`	`289`	`cached IRVariable getInstructionVariable(Instruction instruction) {`
`282`	`290`	`result = getNewIRVariable(getOldInstruction(instruction).(OldIR::VariableInstruction).getVariable())`
`283`	`291`	`}`
Original file line number	Diff line number	Diff line change
`@@ -632,7 +632,7 @@ class TranslatedForStmt extends TranslatedLoop {`
`632`	`632`	`exists(forStmt.getInitialization())`
`633`	`633`	`}`
`634`	`634`
`635`		`- private TranslatedExpr getUpdate() {`
	`635`	`+ TranslatedExpr getUpdate() {`
`636`	`636`	`result = getTranslatedExpr(forStmt.getUpdate().getFullyConverted())`
`637`	`637`	`}`
`638`	`638`