C++: allow phi nodes to self-bound

Robert Marsh · Robert Marsh · commit 567eee111474 · 2019-01-08T09:34:27.000-08:00
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
@@ -118,7 +118,7 @@ private import RangeAnalysisCache
 import RangeAnalysisPublic
 
 /**
- * Gets a condition that tests whether `op` equals `bound + delta`.
+ * Gets a condition that tests whether `vn` equals `bound + delta`.
  *
  * If the condition evaluates to `testIsTrue`:
  * - `isEq = true`  : `i == bound + delta`
@@ -151,11 +151,11 @@ private predicate boundFlowStepSsa(
 }
 
 /**
- * Gets a condition that tests whether `op` is bounded by `bound + delta`.
+ * Gets a condition that tests whether `vn` is bounded by `bound + delta`.
  *
  * If the condition evaluates to `testIsTrue`:
- * - `upper = true`  : `op <= bound + delta`
- * - `upper = false` : `op >= bound + delta`
+ * - `upper = true`  : `vn <= bound + delta`
+ * - `upper = false` : `vn >= bound + delta`
  */
 private IRGuardCondition boundFlowCond(ValueNumber vn, NonPhiOperand bound, int delta, boolean upper,
   boolean testIsTrue)
@@ -549,7 +549,6 @@ private predicate boundedInstruction(
     boundedPhiCandValidForEdge(i, b, delta, upper, fromBackEdge, origdelta, reason, op)
   )
   or
-  not i instanceof PhiInstruction and
   i = b.getInstruction(delta) and
   (upper = true or upper = false) and
   fromBackEdge = false and
diff --git a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected
@@ -35,3 +35,6 @@
 | test.cpp:97:10:97:10 | Load: x | file://:0:0:0:0 | 0 | 1 | false | CompareLT: ... < ... | test.cpp:94:7:94:11 | test.cpp:94:7:94:11 |
 | test.cpp:100:10:100:10 | Load: x | file://:0:0:0:0 | 0 | 1 | true | CompareLE: ... <= ... | test.cpp:99:7:99:12 | test.cpp:99:7:99:12 |
 | test.cpp:102:10:102:10 | Load: x | file://:0:0:0:0 | 0 | 2 | false | CompareLE: ... <= ... | test.cpp:99:7:99:12 | test.cpp:99:7:99:12 |
+| test.cpp:106:5:106:10 | Phi: test10 | test.cpp:113:3:113:6 | Phi: call to sink | -1 | true | CompareLT: ... < ... | test.cpp:114:18:114:22 | test.cpp:114:18:114:22 |
+| test.cpp:106:5:106:10 | Phi: test10 | test.cpp:114:18:114:18 | Phi: i | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
+| test.cpp:106:5:106:10 | Phi: test10 | test.cpp:114:18:114:18 | Phi: i | 0 | true | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
diff --git a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/test.cpp b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/test.cpp
@@ -102,3 +102,16 @@ void test9(int x) {
     sink(x);
   }
 }
+
+int test10(int y, int z, bool use_y) {
+  int x;
+  if(use_y) {
+    x = y;
+  } else {
+    x = z;
+  }
+  sink();
+  for(int i = 0; i < x; i++) {
+    return i;
+  }
+}
