C++: Add SimpleRangeAnalysisExpr.dependsOnChild

Author: jbj

cpp/ql/src/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisExpr.qll

@@ -32,8 +32,27 @@ abstract class SimpleRangeAnalysisExpr extends Expr {
    */
   abstract float getUpperBounds();
 
-  /** Holds if this expression depends on the definition `srcDef` for StackVariable `srcVar`. */
+  /**
+   * Holds if the range this expression depends on the definition `srcDef` for
+   * StackVariable `srcVar`.
+   *
+   * Because this predicate cannot be recursive, most implementations should
+   * override `dependsOnChild` instead.
+   */
   predicate dependsOnDef(RangeSsaDefinition srcDef, StackVariable srcVar) { none() }
+
+  /**
+   * Holds if this expression depends on the range of its unconverted
+   * subexpression `child`. This information is used to inform the range
+   * analysis about cyclic dependencies. Without this information, range
+   * analysis might work for simple cases but will go into infinite loops on
+   * complex code.
+   *
+   * For example, when modeling a function call whose return value depends on
+   * all of its arguments, implement this predicate as
+   * `child = this.getAnArgument()`.
+   */
+  abstract predicate dependsOnChild(Expr child);
 }
 
 import SimpleRangeAnalysisInternal

cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -334,7 +334,14 @@ private predicate exprDependsOnDef(Expr e, RangeSsaDefinition srcDef, StackVaria
   e = srcDef.getAUse(srcVar)
   or
   // A modeled expression for range analysis
-  exists(SimpleRangeAnalysisExpr rae | rae = e | rae.dependsOnDef(srcDef, srcVar))
+  exists(SimpleRangeAnalysisExpr rae | rae = e |
+    rae.dependsOnDef(srcDef, srcVar)
+    or
+    exists(Expr child |
+      rae.dependsOnChild(child) and
+      exprDependsOnDef(child, srcDef, srcVar)
+    )
+  )
 }
 
 /**