C++: Add addresses to Expr.isConstant

Before this change, `Expr.isConstant` only was only true for those
constant expressions that could be represented as QL values: numbers,
Booleans, and string literals. It was not true for string literals
converted from arrays to pointers, and it was not true for addresses of
variables with static lifetime.

The concept of a "constant expression" varies between C and C++ and
between versions of the standard, but they all include addresses of data
with static lifetime. These are modelled by the new library
`AddressConstantExpression.qll`, which is based on the code in
`EscapesTree.qll` and modified for its new purpose.

I've tested the change for performance on Wireshark and for correctness
with the included tests. I've also checked on Wireshark that all static
initializers in C files are considered constant, which was not the case
before.

Author: jbj

cpp/ql/src/semmle/code/cpp/exprs/Expr.qll

@@ -2,6 +2,7 @@
 import semmle.code.cpp.Element
 private import semmle.code.cpp.Enclosing
 private import semmle.code.cpp.internal.ResolveClass
+private import semmle.code.cpp.internal.AddressConstantExpression
 
 /**
  * A C/C++ expression.
@@ -84,7 +85,12 @@ class Expr extends StmtParent, @expr {
   string getValueText() { exists(@value v | values(v,_,result) and valuebind(v,underlyingElement(this))) }
 
   /** Holds if this expression has a value that can be determined at compile time. */
-  predicate isConstant() { valuebind(_,underlyingElement(this)) }
+  cached
+  predicate isConstant() {
+    valuebind(_,underlyingElement(this))
+    or
+    addressConstantExpression(this)
+  }
 
   /**
    * Holds if this expression is side-effect free (conservative

cpp/ql/src/semmle/code/cpp/internal/AddressConstantExpression.qll

@@ -0,0 +1,191 @@
+private import cpp
+private import semmle.code.cpp.dataflow.EscapesTree
+
+predicate addressConstantExpression(Expr e) {
+  constantAddressPointer(e)
+  or
+  constantAddressReference(e)
+  or
+  // Special case for function pointers, where `fp == *fp`.
+  constantAddressLValue(e) and
+  e.getType() instanceof FunctionPointerType
+}
+
+/** Holds if `v` is a constexpr variable initialized to a constant address. */
+private predicate addressConstantVariable(Variable v) {
+  addressConstantExpression(v.getInitializer().getExpr().getFullyConverted()) and
+  // Here we should also require that `v` is constexpr, but we don't have that
+  // information in the db. See CPP-314. Instead, we require that the variable
+  // is not assigned to.
+  not exists(VariableAccess va | va.getTarget() = v |
+    // `v` may be assigned to, completely or partially
+    exists(Expr lvalue | variableAccessedAsValue(va, lvalue) |
+      lvalue = any(Assignment a).getLValue().getFullyConverted()
+      or
+      lvalue = any(CrementOperation c).getOperand().getFullyConverted()
+    )
+  )
+}
+
+/**
+ * Holds if `lvalue` is an lvalue whose address is an _address constant
+ * expression_.
+ */
+private predicate constantAddressLValue(Expr lvalue) {
+  lvalue.(VariableAccess).getTarget() = any(Variable v |
+      v.(Variable).isStatic()
+      or
+      v instanceof GlobalOrNamespaceVariable
+    )
+  or
+  // There is no `Conversion` for the implicit conversion from a function type
+  // to a function _pointer_ type. Instead, the type of a `FunctionAccess`
+  // tells us how it's going to be used.
+  lvalue.(FunctionAccess).getType() instanceof RoutineType
+  or
+  // String literals have array types and undergo array-to-pointer conversion.
+  lvalue instanceof StringLiteral
+  or
+  // lvalue -> lvalue
+  exists(Expr prev |
+    constantAddressLValue(prev) and
+    lvalueToLvalueStep(prev, lvalue)
+  )
+  or
+  // pointer -> lvalue
+  exists(Expr prev |
+    constantAddressPointer(prev) and
+    pointerToLvalueStep(prev, lvalue)
+  )
+  or
+  // reference -> lvalue
+  exists(Expr prev |
+    constantAddressReference(prev) and
+    referenceToLvalueStep(prev, lvalue)
+  )
+}
+
+/** Holds if `pointer` is an _address constant expression_ of pointer type. */
+private predicate constantAddressPointer(Expr pointer) {
+  // There is no `Conversion` for the implicit conversion from a function type
+  // to a function _pointer_ type. Instead, the type of a `FunctionAccess`
+  // tells us how it's going to be used.
+  pointer.(FunctionAccess).getType() instanceof FunctionPointerType
+  or
+  addressConstantVariable(pointer.(VariableAccess).getTarget()) and
+  pointer.getType().getUnderlyingType() instanceof PointerType
+  or
+  // pointer -> pointer
+  exists(Expr prev |
+    constantAddressPointer(prev) and
+    pointerToPointerStep(prev, pointer)
+  )
+  or
+  // lvalue -> pointer
+  exists(Expr prev |
+    constantAddressLValue(prev) and
+    lvalueToPointerStep(prev, pointer)
+  )
+}
+
+/** Holds if `reference` is an _address constant expression_ of reference type. */
+private predicate constantAddressReference(Expr reference) {
+  addressConstantVariable(reference.(VariableAccess).getTarget()) and
+  reference.getType().getUnderlyingType() instanceof ReferenceType
+  or
+  addressConstantVariable(reference.(VariableAccess).getTarget()) and
+  reference.getType().getUnderlyingType() instanceof FunctionReferenceType // not a ReferenceType
+  or
+  // reference -> reference
+  exists(Expr prev |
+    constantAddressReference(prev) and
+    referenceToReferenceStep(prev, reference)
+  )
+  or
+  // lvalue -> reference
+  exists(Expr prev |
+    constantAddressLValue(prev) and
+    lvalueToReferenceStep(prev, reference)
+  )
+}
+
+private predicate lvalueToLvalueStep(Expr lvalueIn, Expr lvalueOut) {
+  lvalueIn = lvalueOut.(DotFieldAccess).getQualifier().getFullyConverted()
+  or
+  lvalueIn.getConversion() = lvalueOut.(ParenthesisExpr)
+  or
+  // Special case for function pointers, where `fp == *fp`.
+  lvalueIn = lvalueOut.(PointerDereferenceExpr).getOperand().getFullyConverted() and
+  lvalueIn.getType() instanceof FunctionPointerType
+}
+
+private predicate pointerToLvalueStep(Expr pointerIn, Expr lvalueOut) {
+  lvalueOut = any(ArrayExpr ae |
+      pointerIn = ae.getArrayBase().getFullyConverted() and
+      hasConstantValue(ae.getArrayOffset().getFullyConverted())
+    )
+  or
+  pointerIn = lvalueOut.(PointerDereferenceExpr).getOperand().getFullyConverted()
+  or
+  pointerIn = lvalueOut.(PointerFieldAccess).getQualifier().getFullyConverted()
+}
+
+private predicate lvalueToPointerStep(Expr lvalueIn, Expr pointerOut) {
+  lvalueIn.getConversion() = pointerOut.(ArrayToPointerConversion)
+  or
+  lvalueIn = pointerOut.(AddressOfExpr).getOperand().getFullyConverted()
+}
+
+private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
+  (
+    pointerOut instanceof PointerAddExpr
+    or
+    pointerOut instanceof PointerSubExpr
+  ) and
+  pointerIn = pointerOut.getAChild().getFullyConverted() and
+  pointerIn.getType().getUnspecifiedType() instanceof PointerType and
+  // The pointer arg won't be constant in the sense of `hasConstantValue`, so
+  // this will have to match the integer argument.
+  hasConstantValue(pointerOut.getAChild().getFullyConverted())
+  or
+  pointerIn = pointerOut.(UnaryPlusExpr).getOperand().getFullyConverted()
+  or
+  pointerIn.getConversion() = pointerOut.(Cast)
+  or
+  pointerIn.getConversion() = pointerOut.(ParenthesisExpr)
+  or
+  pointerOut = any(ConditionalExpr cond |
+      cond.getCondition().getFullyConverted().getValue().toInt() != 0 and
+      pointerIn = cond.getThen().getFullyConverted()
+      or
+      cond.getCondition().getFullyConverted().getValue().toInt() = 0 and
+      pointerIn = cond.getElse().getFullyConverted()
+    )
+  or
+  // The comma operator is allowed by C++17 but disallowed by C99. This
+  // disjunct is a compromise that's chosen for being easy to implement.
+  pointerOut = any(CommaExpr comma |
+      hasConstantValue(comma.getLeftOperand()) and
+      pointerIn = comma.getRightOperand().getFullyConverted()
+    )
+}
+
+private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
+  lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
+}
+
+private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
+  // This probably cannot happen. It would require an expression to be
+  // converted to a reference and back again without an intermediate variable
+  // assignment.
+  referenceIn.getConversion() = lvalueOut.(ReferenceDereferenceExpr)
+}
+
+private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
+  referenceIn.getConversion() = referenceOut.(Cast)
+  or
+  referenceIn.getConversion() = referenceOut.(ParenthesisExpr)
+}
+
+/** Holds if `e` is constant according to the database. */
+private predicate hasConstantValue(Expr e) { valuebind(_, underlyingElement(e)) }

cpp/ql/test/library-tests/constants/addresses/addresses.cpp

@@ -0,0 +1,86 @@
+// semmle-extractor-options: --c++14
+
+const int int_const = 1;
+extern const int extern_int_const = 1;
+extern const int extern_int_const_noinit;
+
+int int_var;
+int int_arr[4];
+int int_arr_arr[4][4];
+
+int *const const_ptr = &int_var;
+
+void sideEffect();
+using fptr = void (*)();
+using fref = void (&)();
+
+
+
+// All variables in this function are initialized to constants, as witnessed by
+// the `constexpr` annotation that compiles under C++14.
+void constantAddresses(int param) {
+    constexpr int *ptr_int = &int_var;
+    constexpr int *ptr_deref_chain = &*&int_var;
+    constexpr int *ptr_array = &int_arr[1] + 1;
+    constexpr int (*ptr_to_array)[4] = &int_arr_arr[1] + 1;
+    constexpr int *array2d = &int_arr_arr[1][1] + 1;
+    constexpr int *const_ints = &int_arr_arr[int_const][extern_int_const];
+
+    // Commented out because clang and EDG disagree on whether this is
+    // constant.
+    //constexpr int *stmtexpr_int = &int_arr[ ({ 1; }) ];
+
+    constexpr int *comma_int = &int_arr[ ((void)0, 1) ];
+    constexpr int *comma_addr = ((void)0, &int_var);
+    constexpr int *ternary_true = int_const ? &int_var : &param;
+    constexpr int *ternary_false = !int_const ? &param : &int_var;
+    constexpr int *ternary_overflow = (unsigned char)256 ? &param : &int_var;
+    constexpr int *ternary_ptr_cond = (&int_arr+1) ? &int_var : &param;;
+    constexpr int *ptr_subtract = &int_arr[&int_arr[1] - &int_arr[0]];
+
+    constexpr int *constexpr_va = ptr_subtract + 1;
+
+    constexpr int &ref_int = int_var;
+    constexpr int &ref_array2d = int_arr_arr[1][1];
+    constexpr int &ref_va = ref_array2d;
+    constexpr int &ref_va_arith = *(&ref_array2d + 1);
+
+    constexpr fptr fp_implicit = sideEffect;
+    constexpr fptr fp_explicit = &sideEffect;
+    constexpr fptr fp_chain_addressof = &**&**sideEffect;
+    constexpr fptr fp_chain_deref = **&**&**sideEffect;
+    constexpr fptr fp_shortchain_deref = *&sideEffect;
+
+    constexpr fref fr_int = sideEffect;
+    constexpr fref fr_deref = *&sideEffect;
+    constexpr fref fr_2deref = **sideEffect;
+    constexpr fref fr_va = fr_int;
+
+    constexpr const char *char_ptr = "str";
+    constexpr const char *char_ptr_1 = "str" + 1;
+    constexpr char char_arr[] = "str";
+}
+
+
+
+
+// All variables in this function are initialized to non-const values. Writing
+// `constexpr` in front of any of the variables will be a compile error
+// (C++14).
+void nonConstantAddresses(const int param, int *const pparam, int &rparam, fref frparam) {
+    int *int_param = &int_arr[param];
+    int *int_noinit = &int_arr[extern_int_const_noinit];
+
+    int *side_effect_stmtexpr = &int_arr[ ({ sideEffect(); 1; }) ];
+    int *side_effect_comma_int = &int_arr[ (sideEffect(), 1) ];
+    int *side_effect_comma_addr = (sideEffect(), &int_var);
+    int *side_effect_comma_addr2 = ((void)(sideEffect(), 1), &int_var);
+    int *ternary_int = &int_arr[int_const ? param : 1];
+    const int *ternary_addr = int_const ? &param : &int_var;
+    int *va_non_constexpr = pparam;
+
+    int *&&ref_to_temporary = &int_var; // reference to temporary is not a const
+    int &ref_param = rparam;
+
+    fref fr_param = frparam;
+}

cpp/ql/test/library-tests/constants/addresses/addresses.expected

@@ -0,0 +1,16 @@
+import cpp
+
+from Expr e, string msg, LocalVariable var, Function f
+where
+  e = var.getInitializer().getExpr().getFullyConverted() and
+  var.getFunction() = f and
+  (
+    e.isConstant() and
+    f.getName() = "nonConstantAddresses" and
+    msg = "misclassified as constant"
+    or
+    not e.isConstant() and
+    f.getName() = "constantAddresses" and
+    msg = "misclassified as NOT constant"
+  )
+select e, var.getName(), msg