Merge pull request #1382 from jbj/redundant-null-check-gvn

semmle-qlci · web-flow · commit d741e0b20cd1 · 2019-05-31T16:28:01.000+01:00
Approved by dave-bartolomeo
diff --git a/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql b/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
@@ -13,10 +13,11 @@
 
 /*
  * Note: this query is not assigned a precision yet because we don't want it on
- * LGTM until its performance is well understood. It's also lacking qhelp.
+ * LGTM until its performance is well understood.
  */
 
 import semmle.code.cpp.ir.IR
+import semmle.code.cpp.ir.ValueNumbering
 
 class NullInstruction extends ConstantValueInstruction {
   NullInstruction() {
@@ -25,17 +26,6 @@ class NullInstruction extends ConstantValueInstruction {
   }
 }
 
-/**
- * An instruction that will never have slicing on its result.
- */
-class SingleValuedInstruction extends Instruction {
-  SingleValuedInstruction() {
-    this.getResultMemoryAccess() instanceof IndirectMemoryAccess
-    or
-    not this.hasMemoryResult()
-  }
-}
-
 predicate explicitNullTestOfInstruction(Instruction checked, Instruction bool) {
   bool = any(CompareInstruction cmp |
       exists(NullInstruction null |
@@ -56,22 +46,24 @@ predicate explicitNullTestOfInstruction(Instruction checked, Instruction bool) {
     )
 }
 
-predicate candidateResult(LoadInstruction checked, SingleValuedInstruction sourceValue)
+pragma[noinline]
+predicate candidateResult(LoadInstruction checked, ValueNumber value, IRBlock dominator)
 {
   explicitNullTestOfInstruction(checked, _) and
   not checked.getAST().isInMacroExpansion() and
-  sourceValue = checked.getSourceValue()
+  value.getAnInstruction() = checked and
+  dominator.dominates(checked.getBlock())
 }
 
-from LoadInstruction checked, LoadInstruction deref, SingleValuedInstruction sourceValue
+from LoadInstruction checked, LoadInstruction deref, ValueNumber sourceValue, IRBlock dominator
 where
-  candidateResult(checked, sourceValue) and
-  sourceValue = deref.getSourceAddress().(LoadInstruction).getSourceValue() and
+  candidateResult(checked, sourceValue, dominator) and
+  sourceValue.getAnInstruction() = deref.getSourceAddress() and
   // This also holds if the blocks are equal, meaning that the check could come
   // before the deref. That's still not okay because when they're in the same
   // basic block then the deref is unavoidable even if the check concluded that
   // the pointer was null. To follow this idea to its full generality, we
   // should also give an alert when `check` post-dominates `deref`.
-  deref.getBlock().dominates(checked.getBlock())
+  deref.getBlock() = dominator
 select checked, "This null check is redundant because the value is $@ in any case", deref,
   "dereferenced here"
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll
@@ -105,19 +105,10 @@ class ValueNumber extends TValueNumber {
  * definition because it accesses the exact same memory.
  * The use of `p.x` on line 3 is linked to the definition of `p` on line 1 as well, but is not
  * congruent to that definition because `p.x` accesses only a subset of the memory defined by `p`.
- *
- * This concept should probably be exposed in the public IR API.
  */
 private class CongruentCopyInstruction extends CopyInstruction {
   CongruentCopyInstruction() {
-    exists(Instruction def |
-      def = this.getSourceValue() and
-      (
-        def.getResultMemoryAccess() instanceof IndirectMemoryAccess or
-        def.getResultMemoryAccess() instanceof PhiMemoryAccess or
-        not def.hasMemoryResult()
-      )
-    )
+    this.getSourceValueOperand().getDefinitionOverlap() instanceof MustExactlyOverlap
   }
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll
@@ -105,19 +105,10 @@ class ValueNumber extends TValueNumber {
  * definition because it accesses the exact same memory.
  * The use of `p.x` on line 3 is linked to the definition of `p` on line 1 as well, but is not
  * congruent to that definition because `p.x` accesses only a subset of the memory defined by `p`.
- *
- * This concept should probably be exposed in the public IR API.
  */
 private class CongruentCopyInstruction extends CopyInstruction {
   CongruentCopyInstruction() {
-    exists(Instruction def |
-      def = this.getSourceValue() and
-      (
-        def.getResultMemoryAccess() instanceof IndirectMemoryAccess or
-        def.getResultMemoryAccess() instanceof PhiMemoryAccess or
-        not def.hasMemoryResult()
-      )
-    )
+    this.getSourceValueOperand().getDefinitionOverlap() instanceof MustExactlyOverlap
   }
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll
@@ -105,19 +105,10 @@ class ValueNumber extends TValueNumber {
  * definition because it accesses the exact same memory.
  * The use of `p.x` on line 3 is linked to the definition of `p` on line 1 as well, but is not
  * congruent to that definition because `p.x` accesses only a subset of the memory defined by `p`.
- *
- * This concept should probably be exposed in the public IR API.
  */
 private class CongruentCopyInstruction extends CopyInstruction {
   CongruentCopyInstruction() {
-    exists(Instruction def |
-      def = this.getSourceValue() and
-      (
-        def.getResultMemoryAccess() instanceof IndirectMemoryAccess or
-        def.getResultMemoryAccess() instanceof PhiMemoryAccess or
-        not def.hasMemoryResult()
-      )
-    )
+    this.getSourceValueOperand().getDefinitionOverlap() instanceof MustExactlyOverlap
   }
 }
 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp
@@ -69,3 +69,44 @@ int test_inverted_logic(int *p) {
     return 0;
   }
 }
+
+void test_indirect_local() {
+  int a = 0;
+  int *p = &a;
+  int **pp = &p;
+  int x;
+  x = **pp;
+  if (*pp == nullptr) { // BAD
+    return;
+  }
+}
+
+void test_field_local(bool boolvar) {
+  int a = 0;
+  struct {
+    int *p;
+  } s = { &a };
+  auto sp = &s;
+
+  if (boolvar) {
+    int x = *sp->p;
+    if (sp->p == nullptr) { // BAD
+      return;
+    }
+  } else {
+    int *x = sp->p;
+    if (sp == nullptr) { // BAD [NOT DETECTED]
+      return;
+    }
+  }
+}
+
+struct S {
+  long **pplong;
+
+  void test_phi() {
+    while (*pplong != nullptr) { // GOOD
+      pplong++;
+    }
+  }
+};
diff --git a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected
@@ -1,3 +1,5 @@
 | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | This null check is redundant because the value is $@ in any case | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | dereferenced here |
 | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | This null check is redundant because the value is $@ in any case | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | dereferenced here |
 | RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | This null check is redundant because the value is $@ in any case | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | dereferenced here |
+| RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | This null check is redundant because the value is $@ in any case | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | dereferenced here |
+| RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | This null check is redundant because the value is $@ in any case | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | dereferenced here |
