Merge pull request #21239 from MathiasVP/logical-binary-fix-guards-cpp

C++: Ensure that there are AST `GuardCondition`s for `||` and `&&`

Author: MathiasVP

cpp/ql/lib/change-notes/2026-01-30-guard-condition-logical-operators.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed a bug in the `GuardCondition` library which sometimes prevented binary logical operators from being recognized as guard conditions. As a result, queries using `GuardCondition` may see improved results.

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -8,7 +8,8 @@ import semmle.code.cpp.ir.IR
 private import codeql.util.Void
 private import codeql.controlflow.Guards as SharedGuards
 private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
+private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr as TE
+private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedFunction as TF
 private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
 
 private class BasicBlock = IRCfg::BasicBlock;
@@ -683,24 +684,26 @@ final class GuardCondition = GuardConditionImpl;
  */
 private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl instanceof Cpp::BinaryLogicalOperation
 {
+  GuardConditionImpl l;
+  GuardConditionImpl r;
+
+  GuardConditionFromBinaryLogicalOperator() {
+    super.getLeftOperand() = l and
+    super.getRightOperand() = r
+  }
+
   override predicate valueControls(Cpp::BasicBlock controlled, GuardValue v) {
-    exists(Cpp::BinaryLogicalOperation binop, GuardCondition lhs, GuardCondition rhs |
-      this = binop and
-      lhs = binop.getLeftOperand() and
-      rhs = binop.getRightOperand() and
-      lhs.valueControls(controlled, v) and
-      rhs.valueControls(controlled, v)
-    )
+    // `l || r` does not control `r` even though `l` does.
+    not r.(Cpp::Expr).getBasicBlock() = controlled and
+    l.valueControls(controlled, v)
+    or
+    r.valueControls(controlled, v)
   }
 
   override predicate valueControlsEdge(Cpp::BasicBlock pred, Cpp::BasicBlock succ, GuardValue v) {
-    exists(Cpp::BinaryLogicalOperation binop, GuardCondition lhs, GuardCondition rhs |
-      this = binop and
-      lhs = binop.getLeftOperand() and
-      rhs = binop.getRightOperand() and
-      lhs.valueControlsEdge(pred, succ, v) and
-      rhs.valueControlsEdge(pred, succ, v)
-    )
+    l.valueControlsEdge(pred, succ, v)
+    or
+    r.valueControlsEdge(pred, succ, v)
   }
 
   pragma[nomagic]
@@ -1026,7 +1029,7 @@ private class GuardConditionFromIR extends GuardConditionImpl {
 
 private predicate excludeAsControlledInstruction(Instruction instr) {
   // Exclude the temporaries generated by a ternary expression.
-  exists(TranslatedConditionalExpr tce |
+  exists(TE::TranslatedConditionalExpr tce |
     instr = tce.getInstruction(ConditionValueFalseStoreTag())
     or
     instr = tce.getInstruction(ConditionValueTrueStoreTag())
@@ -1038,6 +1041,14 @@ private predicate excludeAsControlledInstruction(Instruction instr) {
   or
   // Exclude unreached instructions, as their AST is the whole function and not a block.
   instr instanceof UnreachedInstruction
+  or
+  // Exclude instructions generated by a translated function as they map to the function itself
+  // and the function is considered the last basic block of a function body.
+  any(TF::TranslatedFunction tf).getInstruction(_) = instr
+  or
+  // `ChiInstruction`s generated by instructions in the above case don't come from `getInstruction` (since they are generated by AliasedSSA)
+  // so we need to special case them.
+  excludeAsControlledInstruction(instr.(ChiInstruction).getPartial())
 }
 
 /**

cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected

@@ -384,7 +384,9 @@ astGuardsControl
 | test.c:126:7:126:7 | 1 | true | 131 | 132 |
 | test.c:126:7:126:7 | 1 | true | 134 | 123 |
 | test.c:126:7:126:28 | ... && ... | true | 126 | 128 |
+| test.c:126:7:126:28 | ... && ... | true | 131 | 131 |
 | test.c:126:7:126:28 | ... && ... | true | 131 | 132 |
+| test.c:126:7:126:28 | ... && ... | true | 134 | 123 |
 | test.c:126:12:126:26 | call to test3_condition | true | 126 | 128 |
 | test.c:126:12:126:26 | call to test3_condition | true | 131 | 132 |
 | test.c:131:7:131:7 | b | true | 131 | 132 |
@@ -405,9 +407,7 @@ astGuardsControl
 | test.c:181:9:181:9 | x | true | 181 | 182 |
 | test.c:181:9:181:9 | x | true | 186 | 180 |
 | test.cpp:18:8:18:10 | call to get | true | 19 | 19 |
-| test.cpp:31:7:31:13 | ... == ... | false | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | false | 34 | 34 |
-| test.cpp:31:7:31:13 | ... == ... | true | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | true | 31 | 32 |
 | test.cpp:42:13:42:20 | call to getABool | true | 43 | 45 |
 astGuardsEnsure
@@ -589,13 +589,9 @@ astGuardsEnsure
 | test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | == | test.c:175:32:175:32 | 0 | 0 | 175 | 175 |
 | test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | != | test.c:175:13:175:15 | call to foo | 0 | 175 | 175 |
 | test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | == | test.c:175:13:175:15 | call to foo | 0 | 175 | 175 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 34 | 34 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | test.cpp:31:12:31:13 | - ... | 0 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | test.cpp:31:12:31:13 | - ... | 0 | 31 | 32 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | != | test.cpp:31:7:31:7 | x | 0 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | != | test.cpp:31:7:31:7 | x | 0 | 34 | 34 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | == | test.cpp:31:7:31:7 | x | 0 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | == | test.cpp:31:7:31:7 | x | 0 | 31 | 32 |
 astGuardsEnsure_const
 | test.c:7:9:7:13 | ... > ... | test.c:7:9:7:13 | ... > ... | != | 0 | 7 | 9 |
@@ -793,13 +789,21 @@ astGuardsEnsure_const
 | test.c:126:7:126:7 | 1 | test.c:126:7:126:7 | 1 | == | 1 | 131 | 132 |
 | test.c:126:7:126:7 | 1 | test.c:126:7:126:7 | 1 | == | 1 | 134 | 123 |
 | test.c:126:7:126:28 | ... && ... | test.c:126:7:126:7 | 1 | != | 0 | 126 | 128 |
+| test.c:126:7:126:28 | ... && ... | test.c:126:7:126:7 | 1 | != | 0 | 131 | 131 |
 | test.c:126:7:126:28 | ... && ... | test.c:126:7:126:7 | 1 | != | 0 | 131 | 132 |
+| test.c:126:7:126:28 | ... && ... | test.c:126:7:126:7 | 1 | != | 0 | 134 | 123 |
 | test.c:126:7:126:28 | ... && ... | test.c:126:7:126:7 | 1 | == | 1 | 126 | 128 |
+| test.c:126:7:126:28 | ... && ... | test.c:126:7:126:7 | 1 | == | 1 | 131 | 131 |
 | test.c:126:7:126:28 | ... && ... | test.c:126:7:126:7 | 1 | == | 1 | 131 | 132 |
+| test.c:126:7:126:28 | ... && ... | test.c:126:7:126:7 | 1 | == | 1 | 134 | 123 |
 | test.c:126:7:126:28 | ... && ... | test.c:126:12:126:26 | call to test3_condition | != | 0 | 126 | 128 |
+| test.c:126:7:126:28 | ... && ... | test.c:126:12:126:26 | call to test3_condition | != | 0 | 131 | 131 |
 | test.c:126:7:126:28 | ... && ... | test.c:126:12:126:26 | call to test3_condition | != | 0 | 131 | 132 |
+| test.c:126:7:126:28 | ... && ... | test.c:126:12:126:26 | call to test3_condition | != | 0 | 134 | 123 |
 | test.c:126:7:126:28 | ... && ... | test.c:126:12:126:26 | call to test3_condition | == | 1 | 126 | 128 |
+| test.c:126:7:126:28 | ... && ... | test.c:126:12:126:26 | call to test3_condition | == | 1 | 131 | 131 |
 | test.c:126:7:126:28 | ... && ... | test.c:126:12:126:26 | call to test3_condition | == | 1 | 131 | 132 |
+| test.c:126:7:126:28 | ... && ... | test.c:126:12:126:26 | call to test3_condition | == | 1 | 134 | 123 |
 | test.c:126:12:126:26 | call to test3_condition | test.c:126:12:126:26 | call to test3_condition | != | 0 | 126 | 128 |
 | test.c:126:12:126:26 | call to test3_condition | test.c:126:12:126:26 | call to test3_condition | != | 0 | 131 | 132 |
 | test.c:126:12:126:26 | call to test3_condition | test.c:126:12:126:26 | call to test3_condition | == | 1 | 126 | 128 |
@@ -846,17 +850,11 @@ astGuardsEnsure_const
 | test.c:181:9:181:9 | x | test.c:181:9:181:9 | x | == | 1 | 186 | 180 |
 | test.cpp:18:8:18:10 | call to get | test.cpp:18:8:18:10 | call to get | != | 0 | 19 | 19 |
 | test.cpp:18:8:18:10 | call to get | test.cpp:18:8:18:10 | call to get | == | 1 | 19 | 19 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | -1 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | -1 | 34 | 34 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 31 | 32 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:13 | ... == ... | != | 0 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:13 | ... == ... | != | 0 | 31 | 32 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:13 | ... == ... | != | 1 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:13 | ... == ... | != | 1 | 34 | 34 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:13 | ... == ... | == | 0 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:13 | ... == ... | == | 0 | 34 | 34 |
-| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:13 | ... == ... | == | 1 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:13 | ... == ... | == | 1 | 31 | 32 |
 | test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | != | 0 | 43 | 45 |
 | test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | == | 1 | 43 | 45 |

cpp/ql/test/library-tests/controlflow/guards/GuardsControl.expected

@@ -105,9 +105,13 @@
 | test.c:126:7:126:7 | 1 | true | test.c:131:10:132:16 | { ... } |
 | test.c:126:7:126:7 | 1 | true | test.c:134:1:123:10 | return ... |
 | test.c:126:7:126:28 | ... && ... | not 0 | test.c:126:31:128:16 | { ... } |
+| test.c:126:7:126:28 | ... && ... | not 0 | test.c:131:3:131:7 | if (...) ...  |
 | test.c:126:7:126:28 | ... && ... | not 0 | test.c:131:10:132:16 | { ... } |
+| test.c:126:7:126:28 | ... && ... | not 0 | test.c:134:1:123:10 | return ... |
 | test.c:126:7:126:28 | ... && ... | true | test.c:126:31:128:16 | { ... } |
+| test.c:126:7:126:28 | ... && ... | true | test.c:131:3:131:7 | if (...) ...  |
 | test.c:126:7:126:28 | ... && ... | true | test.c:131:10:132:16 | { ... } |
+| test.c:126:7:126:28 | ... && ... | true | test.c:134:1:123:10 | return ... |
 | test.c:126:12:126:26 | call to test3_condition | not 0 | test.c:126:31:128:16 | { ... } |
 | test.c:126:12:126:26 | call to test3_condition | not 0 | test.c:131:10:132:16 | { ... } |
 | test.c:126:12:126:26 | call to test3_condition | true | test.c:126:31:128:16 | { ... } |
@@ -162,17 +166,11 @@
 | test.c:219:9:219:22 | call to __builtin_expect | true | test.c:219:25:221:5 | { ... } |
 | test.cpp:18:8:18:10 | call to get | not null | test.cpp:19:5:19:14 | ExprStmt |
 | test.cpp:18:8:18:10 | call to get | true | test.cpp:19:5:19:14 | ExprStmt |
-| test.cpp:30:22:30:22 | x | -1 | test.cpp:30:6:30:16 | doSomething |
 | test.cpp:30:22:30:22 | x | -1 | test.cpp:31:16:32:21 | { ... } |
-| test.cpp:30:22:30:22 | x | not -1 | test.cpp:30:6:30:16 | doSomething |
 | test.cpp:30:22:30:22 | x | not -1 | test.cpp:34:1:34:1 | return ... |
-| test.cpp:31:7:31:7 | x | -1 | test.cpp:30:6:30:16 | doSomething |
 | test.cpp:31:7:31:7 | x | -1 | test.cpp:31:16:32:21 | { ... } |
-| test.cpp:31:7:31:7 | x | not -1 | test.cpp:30:6:30:16 | doSomething |
 | test.cpp:31:7:31:7 | x | not -1 | test.cpp:34:1:34:1 | return ... |
-| test.cpp:31:7:31:13 | ... == ... | false | test.cpp:30:6:30:16 | doSomething |
 | test.cpp:31:7:31:13 | ... == ... | false | test.cpp:34:1:34:1 | return ... |
-| test.cpp:31:7:31:13 | ... == ... | true | test.cpp:30:6:30:16 | doSomething |
 | test.cpp:31:7:31:13 | ... == ... | true | test.cpp:31:16:32:21 | { ... } |
 | test.cpp:42:13:42:20 | call to getABool | true | test.cpp:43:9:45:23 | { ... } |
 | test.cpp:60:31:60:31 | i | 0 | test.cpp:62:5:64:12 | case ...: |
@@ -408,19 +406,11 @@
 | test.cpp:400:11:400:25 | call to testEnumWrapper | 2 | test.cpp:404:5:406:12 | case ...: |
 | test.cpp:400:27:400:27 | b | false | test.cpp:404:5:406:12 | case ...: |
 | test.cpp:400:27:400:27 | b | true | test.cpp:401:5:403:12 | case ...: |
-| test.cpp:410:26:410:26 | o | not null | test.cpp:410:6:410:18 | ensureNotNull |
 | test.cpp:410:26:410:26 | o | not null | test.cpp:412:1:412:1 | return ... |
-| test.cpp:410:26:410:26 | o | null | test.cpp:410:6:410:18 | ensureNotNull |
 | test.cpp:410:26:410:26 | o | null | test.cpp:411:11:411:18 | ExprStmt |
-| test.cpp:411:7:411:8 | ! ... | false | test.cpp:410:6:410:18 | ensureNotNull |
 | test.cpp:411:7:411:8 | ! ... | false | test.cpp:412:1:412:1 | return ... |
-| test.cpp:411:7:411:8 | ! ... | true | test.cpp:410:6:410:18 | ensureNotNull |
 | test.cpp:411:7:411:8 | ! ... | true | test.cpp:411:11:411:18 | ExprStmt |
-| test.cpp:411:8:411:8 | o | false | test.cpp:410:6:410:18 | ensureNotNull |
 | test.cpp:411:8:411:8 | o | false | test.cpp:411:11:411:18 | ExprStmt |
-| test.cpp:411:8:411:8 | o | not null | test.cpp:410:6:410:18 | ensureNotNull |
 | test.cpp:411:8:411:8 | o | not null | test.cpp:412:1:412:1 | return ... |
-| test.cpp:411:8:411:8 | o | null | test.cpp:410:6:410:18 | ensureNotNull |
 | test.cpp:411:8:411:8 | o | null | test.cpp:411:11:411:18 | ExprStmt |
-| test.cpp:411:8:411:8 | o | true | test.cpp:410:6:410:18 | ensureNotNull |
 | test.cpp:411:8:411:8 | o | true | test.cpp:412:1:412:1 | return ... |