You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/language/learn-ql/cpp/guards.rst
+11-1Lines changed: 11 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,6 +3,7 @@ Using the guards library in C and C++
3
3
4
4
Overview
5
5
--------
6
+
6
7
The guards library (defined in ``semmle.code.cpp.controlflow.Guards``) provides a class `GuardCondition <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/controlflow/Guards.qll/type.Guards$GuardCondition.html>`__ representing Boolean values that are used to make control flow decisions.
7
8
A ``GuardCondition`` is considered to guard a basic block if the block can only be reached if the ``GuardCondition`` is evaluated a certain way. For instance, in the following code, ``x < 10`` is a ``GuardCondition``, and it guards all the code before the return statement.
8
9
@@ -20,6 +21,7 @@ A ``GuardCondition`` is considered to guard a basic block if the block can only
20
21
21
22
The ``controls`` predicate
22
23
------------------------------------------------
24
+
23
25
The ``controls`` predicate helps determine which blocks are only run when the ``GuardCondition`` evaluates a certain way. ``guard.controls(block, testIsTrue)`` holds if ``block`` is only entered if the value of this condition is ``testIsTrue``.
24
26
25
27
In the following code sample, the call to ``isValid`` controls the calls to ``performAction`` and ``logFailure`` but not the return statement.
@@ -35,7 +37,8 @@ In the following code sample, the call to ``isValid`` controls the calls to ``pe
35
37
}
36
38
return succeeded;
37
39
38
-
In the following code sample, the call to `isValid` controls the body of the if and also the code after the if.
40
+
In the following code sample, the call to ``isValid`` controls the body of the
41
+
``if`` statement, and also the code after the ``if``.
39
42
40
43
.. code-block:: cpp
41
44
@@ -48,14 +51,18 @@ In the following code sample, the call to `isValid` controls the body of the if
48
51
49
52
The ``ensuresEq`` and ``ensuresLt`` predicates
50
53
----------------------------------------------
54
+
51
55
The ``ensuresEq`` and ``ensuresLt`` predicates are the main way of determining what, if any, guarantees the ``GuardCondition`` provides for a given basic block.
52
56
53
57
The ``ensuresEq`` predicate
54
58
***************************
59
+
60
+
55
61
When ``ensuresEq(left, right, k, block, true)`` holds, then ``block`` is only executed if ``left`` was equal to ``right + k`` at their last evaluation. When ``ensuresEq(left, right, k, block, false)`` holds, then ``block`` is only executed if ``left`` was not equal to ``right + k`` at their last evaluation.
56
62
57
63
The ``ensuresLt`` predicate
58
64
***************************
65
+
59
66
When ``ensuresLt(left, right, k, block, true)`` holds, then ``block`` is only executed if ``left`` was strictly less than ``right + k`` at their last evaluation. When ``ensuresLt(left, right, k, block, false)`` holds, then ``block`` is only executed if ``left`` was greater than or equal to ``right + k`` at their last evaluation.
60
67
61
68
In the following code sample, the comparison on the first line ensures that ``index`` is less than ``size`` in the "then" block, and that ``index`` is greater than or equal to ``size`` in the "else" block.
@@ -71,13 +78,16 @@ In the following code sample, the comparison on the first line ensures that ``in
71
78
72
79
The ``comparesEq`` and ``comparesLt`` predicates
73
80
------------------------------------------------
81
+
74
82
The ``comparesEq`` and ``comparesLt`` predicates help determine if the ``GuardCondition`` evaluates to true.
75
83
76
84
The ``comparesEq`` predicate
77
85
****************************
86
+
78
87
``comparesEq(left, right, k, true, testIsTrue)`` holds if ``left`` equals ``right + k`` when the expression evaluates to ``testIsTrue``.
79
88
80
89
The ``comparesLt`` predicate
81
90
****************************
91
+
82
92
``comparesLt(left, right, k, isLessThan, testIsTrue)`` holds if ``left < right + k`` evaluates to ``isLessThan`` when the expression evaluates to ``testIsTrue``.
Copy file name to clipboardExpand all lines: docs/language/learn-ql/cpp/range-analysis.rst
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,20 +3,24 @@ Using range analysis for C and C++
3
3
4
4
Overview
5
5
--------
6
+
6
7
Range analysis determines upper and lower bounds for an expression.
7
8
8
9
The range analysis library (defined in ``semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis``) provides a set of predicates for determining constant upper and lower bounds on expressions, as well as recognizing integer overflows. For performance, the library performs automatic widening and therefore may not provide the tightest possible bounds.
9
10
10
11
Bounds predicates
11
12
-----------------
13
+
12
14
The ``upperBound`` and ``lowerBound`` predicates provide constant bounds on expressions. No conversions of the argument are included in the bound. In the common case that your query needs to take conversions into account, call them on the converted form, such as ``upperBound(expr.getFullyConverted())``.
13
15
14
16
Overflow predicates
15
17
-------------------
18
+
16
19
``exprMightOverflow`` and related predicates hold if the relevant expression might overflow, as determined by the range analysis library. The ``convertedExprMightOverflow`` family of predicates will take conversions into account.
17
20
18
21
Example
19
22
-------
23
+
20
24
This query uses ``upperBound`` to determine whether the result of ``snprintf`` is checked when used in a loop.
Copy file name to clipboardExpand all lines: docs/language/learn-ql/cpp/value-numbering-hash-cons.rst
+12-4Lines changed: 12 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,9 @@
1
1
Hash consing and value numbering
2
2
=================================================
3
+
3
4
Overview
4
5
--------
6
+
5
7
In C and C++ QL databases, each node in the abstract syntax tree is represented by a separate object. This allows both analysis and results display to refer to specific appearances of a piece of syntax. However, it is frequently useful to determine whether two expressions are equivalent, either syntactically or semantically.
6
8
7
9
The `hash consing <https://en.wikipedia.org/wiki/Hash_consing>`__ library (defined in ``semmle.code.cpp.valuenumbering.HashCons``) provides a mechanism for identifying expressions that have the same syntactic structure. The `global value numbering <https://en.wikipedia.org/wiki/Value_numbering>`__ library (defined in ``semmle.code.cpp.valuenumbering.GlobalValueNumbering``) provides a mechanism for identifying expressions that compute the same value at runtime.
@@ -41,10 +43,12 @@ However, in the next example, the uses of ``x + y`` will have different value nu
41
43
42
44
Value numbering
43
45
---------------
46
+
44
47
The value numbering library (defined in ``semmle.code.cpp.valuenumbering.GlobalValueNumbering``) provides a mechanism for identifying expressions that compute the same value at runtime. Value numbering is useful when your primary concern is with the values being produced or the eventual machine code being run. For instance, value numbering might be used to determine whether a check is being done against the same value as the operation it is guarding.
45
48
46
49
The value numbering API
47
50
~~~~~~~~~~~~~~~~~~~~~~~
51
+
48
52
The value numbering library exposes its interface primarily through the ``GVN`` class. Each instance of ``GVN`` represents a set of expressions that will always evaluate to the same value. To get an expression in the set represented by a particular ``GVN``, use the ``getAnExpr()`` member predicate.
49
53
50
54
To get the ``GVN`` of an ``Expr``, use the ``globalValueNumber`` predicate.
@@ -55,10 +59,11 @@ To get the ``GVN`` of an ``Expr``, use the ``globalValueNumber`` predicate.
55
59
56
60
Why not a predicate?
57
61
~~~~~~~~~~~~~~~~~~~~
62
+
58
63
The obvious interface for this library would be a predicate ``equivalent(Expr e1, Expr e2)``. However, this predicate would be very large, with a quadratic number of rows for each set of equivalent expressions. By using a class as an intermediate step, the number of rows can be kept linear, and therefore can be cached.
59
64
60
-
Example Queries
61
-
~~~~~~~~~~~~~~~
65
+
Example query
66
+
~~~~~~~~~~~~~
62
67
63
68
This query uses the ``GVN`` class to identify calls to ``strncpy`` where the size argument is derived from the source rather than the destination
64
69
@@ -76,10 +81,12 @@ This query uses the ``GVN`` class to identify calls to ``strncpy`` where the siz
76
81
77
82
Hash consing
78
83
------------
84
+
79
85
The hash consing library (defined in ``semmle.code.cpp.valuenumbering.HashCons``) provides a mechanism for identifying expressions that have the same syntactic structure. Hash consing is useful when your primary concern is with the text of the code. For instance, hash consing might be used to detect duplicate code within a function.
80
86
81
87
The hash consing API
82
88
~~~~~~~~~~~~~~~~~~~~
89
+
83
90
The hash consing library exposes its interface primarily through the ``HashCons`` class. Each instance of ``HashCons`` represents a set of expressions within one function that have the same syntax (including referring to the same variables). To get an expression in the set represented by a particular ``HashCons``, use the ``getAnExpr()`` member predicate.
84
91
85
92
.. note::
@@ -88,8 +95,8 @@ The hash consing library exposes its interface primarily through the ``HashCons`
88
95
89
96
To get the ``HashCons`` of an ``Expr``, use the ``hashCons`` predicate.
0 commit comments