C++: Simplify skipInitializer in CFG.qll

jbj · jbj · commit 3edadc311f07 · 2019-01-15T13:03:26.000+01:00
The CFG construction code previously contained half of an approximation
of which address expressions are constant. Now this this property is
properly modelled by `Expr.isConstant`, we can remove this code.

This fixes most discrepancies between the QL-based CFG and the
extractor-based CFG on Wireshark.
diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/internal/CFG.qll b/cpp/ql/src/semmle/code/cpp/controlflow/internal/CFG.qll
@@ -461,38 +461,16 @@ private predicate skipInitializer(Initializer init) {
  */
 private predicate runtimeExprInStaticInitializer(Expr e) {
   inStaticInitializer(e) and
-  if
-    e instanceof AggregateLiteral
-    or
-    e instanceof PointerArithmeticOperation
-    or
-    // Extractor doesn't populate this specifier at the time of writing, so
-    // this case has not been tested. See CPP-314.
-    e.(FunctionCall).getTarget().hasSpecifier("constexpr")
+  if e instanceof AggregateLiteral
   then runtimeExprInStaticInitializer(e.getAChild())
-  else (
-    // Not constant
-    not e.isConstant() and
-    // Not a function address
-    not e instanceof FunctionAccess and
-    // Not a function address-of (same as above)
-    not e.(AddressOfExpr).getOperand() instanceof FunctionAccess and
-    // Not the address of a global variable
-    not exists(Variable v |
-      v.isStatic()
-      or
-      v instanceof GlobalOrNamespaceVariable
-    |
-      e.(AddressOfExpr).getOperand() = v.getAnAccess()
-    )
-  )
+  else not e.getFullyConverted().isConstant()
 }
 
 /** Holds if `e` is part of the initializer of a local static variable. */
 private predicate inStaticInitializer(Expr e) {
   exists(LocalVariable local |
     local.isStatic() and
-    e.(Node).getParentNode*() = local.getInitializer()
+    e.getParent+() = local.getInitializer()
   )
 }
 
diff --git a/cpp/ql/test/library-tests/qlcfg/cpp11.cpp b/cpp/ql/test/library-tests/qlcfg/cpp11.cpp
@@ -54,6 +54,9 @@ void skip_init() {
 void run_init() {
   int nonstatic;
   static int x1 = global_int;
+
+  // It makes no sense to initialize a static variable to the address of a
+  // non-static variable, but in principle it can be done:
   static int *x2 = &nonstatic;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,9 @@ void skip_init() {`
`54`	`54`	`void run_init() {`
`55`	`55`	`int nonstatic;`
`56`	`56`	`static int x1 = global_int;`
	`57`	`+`
	`58`	`+ // It makes no sense to initialize a static variable to the address of a`
	`59`	`+ // non-static variable, but in principle it can be done:`
`57`	`60`	`static int *x2 = &nonstatic;`
`58`	`61`	`}`
`59`	`62`