C++: Enable range analysis for irreducible CFGs

jbj · jbj · commit 6d09a9b32424 · 2019-01-25T09:31:07.000+01:00
This adds one new test result (`i &gt;= 0` on line 130).
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
@@ -559,47 +559,44 @@ private predicate boundedCastExpr(
 private predicate boundedInstruction(
   Instruction i, Bound b, int delta, boolean upper, boolean fromBackEdge, int origdelta, Reason reason
 ) {
-  isReducibleCFG(i.getFunction()) and
-  (
-    i instanceof PhiInstruction and
-    forex(PhiOperand op | op = i.getAnOperand() |
-      boundedPhiCandValidForEdge(i, b, delta, upper, fromBackEdge, origdelta, reason, op)
-    )
-    or
-    i = b.getInstruction(delta) and
-    (upper = true or upper = false) and
-    fromBackEdge = false and
-    origdelta = delta and
-    reason = TNoReason()
-    or
-    exists(Operand mid, int d1, int d2 |
-      boundFlowStep(i, mid, d1, upper) and
-      boundedNonPhiOperand(mid, b, d2, upper, fromBackEdge, origdelta, reason) and
-      delta = d1 + d2 and
-      not exists(getValue(getConstantValue(i)))
-    )
-    or
-    exists(Operand mid, int factor, int d |
-      boundFlowStepMul(i, mid, factor) and
-      boundedNonPhiOperand(mid, b, d, upper, fromBackEdge, origdelta, reason) and
-      b instanceof ZeroBound and
-      delta = d*factor and
-      not exists(getValue(getConstantValue(i)))
-    )
-    or
-    exists(Operand mid, int factor, int d |
-      boundFlowStepDiv(i, mid, factor) and
-      boundedNonPhiOperand(mid, b, d, upper, fromBackEdge, origdelta, reason) and
-      d >= 0 and
-      b instanceof ZeroBound and
-      delta = d / factor and
-      not exists(getValue(getConstantValue(i)))
-    )
-    or
-    exists(NarrowingCastInstruction cast |
-      cast = i and
-      safeNarrowingCast(cast, upper.booleanNot()) and
-      boundedCastExpr(cast, b, delta, upper, fromBackEdge, origdelta, reason)
-    )
+  i instanceof PhiInstruction and
+  forex(PhiOperand op | op = i.getAnOperand() |
+    boundedPhiCandValidForEdge(i, b, delta, upper, fromBackEdge, origdelta, reason, op)
+  )
+  or
+  i = b.getInstruction(delta) and
+  (upper = true or upper = false) and
+  fromBackEdge = false and
+  origdelta = delta and
+  reason = TNoReason()
+  or
+  exists(Operand mid, int d1, int d2 |
+    boundFlowStep(i, mid, d1, upper) and
+    boundedNonPhiOperand(mid, b, d2, upper, fromBackEdge, origdelta, reason) and
+    delta = d1 + d2 and
+    not exists(getValue(getConstantValue(i)))
+  )
+  or
+  exists(Operand mid, int factor, int d |
+    boundFlowStepMul(i, mid, factor) and
+    boundedNonPhiOperand(mid, b, d, upper, fromBackEdge, origdelta, reason) and
+    b instanceof ZeroBound and
+    delta = d*factor and
+    not exists(getValue(getConstantValue(i)))
+  )
+  or
+  exists(Operand mid, int factor, int d |
+    boundFlowStepDiv(i, mid, factor) and
+    boundedNonPhiOperand(mid, b, d, upper, fromBackEdge, origdelta, reason) and
+    d >= 0 and
+    b instanceof ZeroBound and
+    delta = d / factor and
+    not exists(getValue(getConstantValue(i)))
+  )
+  or
+  exists(NarrowingCastInstruction cast |
+    cast = i and
+    safeNarrowingCast(cast, upper.booleanNot()) and
+    boundedCastExpr(cast, b, delta, upper, fromBackEdge, origdelta, reason)
   )
 }
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeUtils.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeUtils.qll
@@ -63,22 +63,6 @@ predicate valueFlowStep(Instruction i, Operand op, int delta) {
   )
 }
 
-predicate isReducibleCFG(Function f) {
-  not exists(LabelStmt l, GotoStmt goto |
-    goto.getTarget() = l and
-    l.getLocation().isBefore(goto.getLocation()) and
-    l.getEnclosingFunction() = f
-  ) and
-  not exists(LabelStmt ls, Loop l |
-    ls.getParent*() = l and
-    l.getEnclosingFunction() = f
-  ) and
-  not exists(SwitchCase cs |
-    cs.getSwitchStmt().getStmt() != cs.getParentStmt() and
-    cs.getEnclosingFunction() = f
-  )
-}
-
 predicate backEdge(PhiInstruction phi, PhiOperand op) {
   phi.getAnOperand() = op and
   phi.getBlock() = op.getPredecessorBlock().getBackEdgeSuccessor(_)
diff --git a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected
@@ -36,6 +36,7 @@
 | test.cpp:100:10:100:10 | Load: x | file://:0:0:0:0 | 0 | 1 | true | CompareLE: ... <= ... | test.cpp:99:7:99:12 | test.cpp:99:7:99:12 |
 | test.cpp:102:10:102:10 | Load: x | file://:0:0:0:0 | 0 | 2 | false | CompareLE: ... <= ... | test.cpp:99:7:99:12 | test.cpp:99:7:99:12 |
 | test.cpp:107:5:107:10 | Phi: test10 | test.cpp:114:3:114:6 | Phi: call to sink | -1 | true | CompareLT: ... < ... | test.cpp:115:18:115:22 | test.cpp:115:18:115:22 |
+| test.cpp:130:10:130:10 | Load: i | file://:0:0:0:0 | 0 | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
 | test.cpp:140:10:140:10 | Store: i | file://:0:0:0:0 | 0 | 1 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
 | test.cpp:140:10:140:10 | Store: i | test.cpp:135:16:135:16 | InitializeParameter: x | 0 | false | CompareLT: ... < ... | test.cpp:139:11:139:15 | test.cpp:139:11:139:15 |
 | test.cpp:140:10:140:10 | Store: i | test.cpp:138:5:138:5 | Phi: i | 1 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
