C++: Initial implementation of new range analysis

Robert Marsh · Robert Marsh · commit ed68f9150ab2 · 2019-01-08T09:34:23.000-08:00
diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll
@@ -280,6 +280,17 @@ class IRGuardCondition extends Instruction {
           ne.controls(controlled, testIsTrue.booleanNot())) 
     }
 
+    cached predicate controlsEdge(ConditionalBranchInstruction branch, IRBlock succ, boolean testIsTrue) {
+      branch.getCondition() = this and
+      (
+        testIsTrue = true and
+        succ.getFirstInstruction() = branch.getTrueSuccessor()
+        or
+        testIsTrue = false and
+        succ.getFirstInstruction() = branch.getFalseSuccessor()
+      )
+    }
+
     /** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
     cached predicate comparesLt(Operand left, Operand right, int k, boolean isLessThan, boolean testIsTrue) {
         compares_lt(this, left, right, k, isLessThan, testIsTrue)
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -130,7 +130,7 @@ module InstructionSanity {
   query predicate instructionWithoutUniqueBlock(Instruction instr, int blockCount) {
     blockCount = count(instr.getBlock()) and
     blockCount != 1
-  } 
+  }
 }
 
 /**
@@ -750,6 +750,12 @@ class BinaryInstruction extends Instruction {
   final Instruction getRightOperand() {
     result = getAnOperand().(RightOperand).getDefinitionInstruction()
   }
+  
+  final predicate hasOperands(Operand op1, Operand op2) {
+    op1 = getAnOperand().(LeftOperand) and op2 = getAnOperand().(RightOperand)
+    or
+    op1 = getAnOperand().(RightOperand) and op2 = getAnOperand().(LeftOperand)
+  }
 }
 
 class AddInstruction extends BinaryInstruction {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
@@ -21,6 +21,10 @@ class Operand extends TOperand {
     result = "Operand"
   }
 
+  Location getLocation() {
+    result = getInstruction().getLocation()
+  }
+
   /**
    * Gets the `Instruction` that consumes this operand.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll
@@ -107,6 +107,7 @@ private class CongruentCopyInstruction extends CopyInstruction {
       def = this.getSourceValue() and
       (
         def.getResultMemoryAccess() instanceof IndirectMemoryAccess or
+        def.getResultMemoryAccess() instanceof PhiMemoryAccess or
         not def.hasMemoryResult()
       )
     )
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -130,7 +130,7 @@ module InstructionSanity {
   query predicate instructionWithoutUniqueBlock(Instruction instr, int blockCount) {
     blockCount = count(instr.getBlock()) and
     blockCount != 1
-  } 
+  }
 }
 
 /**
@@ -750,6 +750,12 @@ class BinaryInstruction extends Instruction {
   final Instruction getRightOperand() {
     result = getAnOperand().(RightOperand).getDefinitionInstruction()
   }
+  
+  final predicate hasOperands(Operand op1, Operand op2) {
+    op1 = getAnOperand().(LeftOperand) and op2 = getAnOperand().(RightOperand)
+    or
+    op1 = getAnOperand().(RightOperand) and op2 = getAnOperand().(LeftOperand)
+  }
 }
 
 class AddInstruction extends BinaryInstruction {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll
@@ -21,6 +21,10 @@ class Operand extends TOperand {
     result = "Operand"
   }
 
+  Location getLocation() {
+    result = getInstruction().getLocation()
+  }
+
   /**
    * Gets the `Instruction` that consumes this operand.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll
@@ -107,6 +107,7 @@ private class CongruentCopyInstruction extends CopyInstruction {
       def = this.getSourceValue() and
       (
         def.getResultMemoryAccess() instanceof IndirectMemoryAccess or
+        def.getResultMemoryAccess() instanceof PhiMemoryAccess or
         not def.hasMemoryResult()
       )
     )
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -130,7 +130,7 @@ module InstructionSanity {
   query predicate instructionWithoutUniqueBlock(Instruction instr, int blockCount) {
     blockCount = count(instr.getBlock()) and
     blockCount != 1
-  } 
+  }
 }
 
 /**
@@ -750,6 +750,12 @@ class BinaryInstruction extends Instruction {
   final Instruction getRightOperand() {
     result = getAnOperand().(RightOperand).getDefinitionInstruction()
   }
+  
+  final predicate hasOperands(Operand op1, Operand op2) {
+    op1 = getAnOperand().(LeftOperand) and op2 = getAnOperand().(RightOperand)
+    or
+    op1 = getAnOperand().(RightOperand) and op2 = getAnOperand().(LeftOperand)
+  }
 }
 
 class AddInstruction extends BinaryInstruction {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
@@ -21,6 +21,10 @@ class Operand extends TOperand {
     result = "Operand"
   }
 
+  Location getLocation() {
+    result = getInstruction().getLocation()
+  }
+
   /**
    * Gets the `Instruction` that consumes this operand.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll
@@ -107,6 +107,7 @@ private class CongruentCopyInstruction extends CopyInstruction {
       def = this.getSourceValue() and
       (
         def.getResultMemoryAccess() instanceof IndirectMemoryAccess or
+        def.getResultMemoryAccess() instanceof PhiMemoryAccess or
         not def.hasMemoryResult()
       )
     )
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/Bound.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/Bound.qll
@@ -0,0 +1,74 @@
+import cpp
+private import semmle.code.cpp.ir.IR
+
+private newtype TBound =
+  TBoundZero() or
+  TBoundInstruction(Instruction i) {
+    i.getResultType() instanceof IntegralType or
+    i.getResultType() instanceof PointerType
+  } or
+  TBoundOperand(Operand o) {
+    o.getDefinitionInstruction().getResultType() instanceof IntegralType or
+    o.getDefinitionInstruction().getResultType() instanceof PointerType
+  }
+
+/**
+ * A bound that may be inferred for an expression plus/minus an integer delta.
+ */
+abstract class Bound extends TBound {
+  abstract string toString();
+
+// FIXME: operands?
+  /** Gets an expression that equals this bound plus `delta`. */
+  abstract Instruction getInstruction(int delta);
+
+  /** Gets an expression that equals this bound. */
+  Instruction getInstruction() { result = getInstruction(0) }
+
+  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
+  }
+}
+
+
+/**
+ * The bound that corresponds to the integer 0. This is used to represent all
+ * integer bounds as bounds are always accompanied by an added integer delta.
+ */
+class ZeroBound extends Bound, TBoundZero {
+  override string toString() { result = "0" }
+
+  override Instruction getInstruction(int delta) { result.(ConstantValueInstruction).getValue().toInt() = delta }
+}
+
+/**
+ * A bound corresponding to the value of an `Instruction`.
+ */
+class InstructionBound extends Bound, TBoundInstruction {
+  /** Gets the SSA variable that equals this bound. */
+  override Instruction getInstruction(int delta) { this = TBoundInstruction(result) and delta = 0}
+
+  override string toString() { result = getInstruction().toString() }
+
+  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    getInstruction().getLocation().hasLocationInfo(path, sl, sc, el, ec)
+  }
+}
+
+
+class OperandBound extends Bound, TBoundOperand {
+  Operand getOperand() {
+    this = TBoundOperand(result)
+  }
+
+  override Instruction getInstruction(int delta) {
+    this = TBoundOperand(result.getAUse()) and
+    delta = 0
+  } 
+
+  override string toString() { result = getOperand().toString() }
+
+  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    getOperand().getLocation().hasLocationInfo(path, sl, sc, el, ec)
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeUtils.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeUtils.qll
diff --git a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected
diff --git a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.ql b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.ql
diff --git a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/test.c b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/test.c

Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,7 @@ module InstructionSanity {`
`130`	`130`	`query predicate instructionWithoutUniqueBlock(Instruction instr, int blockCount) {`
`131`	`131`	`blockCount = count(instr.getBlock()) and`
`132`	`132`	`blockCount != 1`
`133`		`- }`
	`133`	`+ }`
`134`	`134`	`}`
`135`	`135`
`136`	`136`	`/**`
`@@ -750,6 +750,12 @@ class BinaryInstruction extends Instruction {`
`750`	`750`	`final Instruction getRightOperand() {`
`751`	`751`	`result = getAnOperand().(RightOperand).getDefinitionInstruction()`
`752`	`752`	`}`
	`753`	`+`
	`754`	`+ final predicate hasOperands(Operand op1, Operand op2) {`
	`755`	`+ op1 = getAnOperand().(LeftOperand) and op2 = getAnOperand().(RightOperand)`
	`756`	`+ or`
	`757`	`+ op1 = getAnOperand().(RightOperand) and op2 = getAnOperand().(LeftOperand)`
	`758`	`+ }`
`753`	`759`	`}`
`754`	`760`
`755`	`761`	`class AddInstruction extends BinaryInstruction {`
Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,7 @@ private class CongruentCopyInstruction extends CopyInstruction {`
`107`	`107`	`def = this.getSourceValue() and`
`108`	`108`	`(`
`109`	`109`	`def.getResultMemoryAccess() instanceof IndirectMemoryAccess or`
	`110`	`+ def.getResultMemoryAccess() instanceof PhiMemoryAccess or`
`110`	`111`	`not def.hasMemoryResult()`
`111`	`112`	`)`
`112`	`113`	`)`