Merge pull request #633 from Semmle/rdmarsh/cpp/range-analysis

C++: New range analysis

Author: jbj

cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll

@@ -280,6 +280,32 @@ class IRGuardCondition extends Instruction {
           ne.controls(controlled, testIsTrue.booleanNot())) 
     }
 
+    /**
+     * Holds if `branch` jumps directly to `succ` when this condition is `testIsTrue`.
+     * 
+     * This predicate is intended to help with situations in which an inference can only be made
+     * based on an edge between a block with multiple successors and a block with multiple
+     * predecessors. For example, in the following situation, an inference can be made about the
+     * value of `x` at the end of the `if` statement, but there is no block which is controlled by
+     * the `if` statement when `x >= y`.
+     * ```
+     * if (x < y) {
+     *   x = y;
+     * }
+     * return x;
+     * ```
+     */
+    predicate hasBranchEdge(ConditionalBranchInstruction branch, IRBlock succ, boolean testIsTrue) {
+      branch.getCondition() = this and
+      (
+        testIsTrue = true and
+        succ.getFirstInstruction() = branch.getTrueSuccessor()
+        or
+        testIsTrue = false and
+        succ.getFirstInstruction() = branch.getFalseSuccessor()
+      )
+    }
+
     /** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
     cached predicate comparesLt(Operand left, Operand right, int k, boolean isLessThan, boolean testIsTrue) {
         compares_lt(this, left, right, k, isLessThan, testIsTrue)

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -130,7 +130,7 @@ module InstructionSanity {
   query predicate instructionWithoutUniqueBlock(Instruction instr, int blockCount) {
     blockCount = count(instr.getBlock()) and
     blockCount != 1
-  } 
+  }
 }
 
 /**
@@ -750,6 +750,15 @@ class BinaryInstruction extends Instruction {
   final Instruction getRightOperand() {
     result = getAnOperand().(RightOperand).getDefinitionInstruction()
   }
+  
+  /**
+   * Holds if this instruction's operands are `op1` and `op2`, in either order.
+   */
+  final predicate hasOperands(Operand op1, Operand op2) {
+    op1 = getAnOperand().(LeftOperand) and op2 = getAnOperand().(RightOperand)
+    or
+    op1 = getAnOperand().(RightOperand) and op2 = getAnOperand().(LeftOperand)
+  }
 }
 
 class AddInstruction extends BinaryInstruction {

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -21,6 +21,10 @@ class Operand extends TOperand {
     result = "Operand"
   }
 
+  Location getLocation() {
+    result = getInstruction().getLocation()
+  }
+
   /**
    * Gets the `Instruction` that consumes this operand.
    */

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll

@@ -83,6 +83,10 @@ class ValueNumber extends TValueNumber {
       instr order by instr.getBlock().getDisplayIndex(), instr.getDisplayIndexInBlock()
     )
   }
+  
+  final Operand getAUse() {
+    this = valueNumber(result.getDefinitionInstruction())
+  }
 }
 
 /**
@@ -107,6 +111,7 @@ private class CongruentCopyInstruction extends CopyInstruction {
       def = this.getSourceValue() and
       (
         def.getResultMemoryAccess() instanceof IndirectMemoryAccess or
+        def.getResultMemoryAccess() instanceof PhiMemoryAccess or
         not def.hasMemoryResult()
       )
     )
@@ -211,14 +216,21 @@ private predicate uniqueValueNumber(Instruction instr, FunctionIR funcIR) {
 /**
  * Gets the value number assigned to `instr`, if any. Returns at most one result.
  */
-ValueNumber valueNumber(Instruction instr) {
+cached ValueNumber valueNumber(Instruction instr) {
   result = nonUniqueValueNumber(instr) or
   exists(FunctionIR funcIR |
     uniqueValueNumber(instr, funcIR) and
     result = TUniqueValueNumber(funcIR, instr)
   )
 }
 
+/**
+ * Gets the value number assigned to `instr`, if any. Returns at most one result.
+ */
+ValueNumber valueNumberOfOperand(Operand op) {
+  result = valueNumber(op.getDefinitionInstruction())
+}
+
 /**
  * Gets the value number assigned to `instr`, if any, unless that instruction is assigned a unique
  * value number.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -130,7 +130,7 @@ module InstructionSanity {
   query predicate instructionWithoutUniqueBlock(Instruction instr, int blockCount) {
     blockCount = count(instr.getBlock()) and
     blockCount != 1
-  } 
+  }
 }
 
 /**
@@ -750,6 +750,12 @@ class BinaryInstruction extends Instruction {
   final Instruction getRightOperand() {
     result = getAnOperand().(RightOperand).getDefinitionInstruction()
   }
+  
+  final predicate hasOperands(Operand op1, Operand op2) {
+    op1 = getAnOperand().(LeftOperand) and op2 = getAnOperand().(RightOperand)
+    or
+    op1 = getAnOperand().(RightOperand) and op2 = getAnOperand().(LeftOperand)
+  }
 }
 
 class AddInstruction extends BinaryInstruction {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll

@@ -21,6 +21,10 @@ class Operand extends TOperand {
     result = "Operand"
   }
 
+  Location getLocation() {
+    result = getInstruction().getLocation()
+  }
+
   /**
    * Gets the `Instruction` that consumes this operand.
    */

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll

@@ -107,6 +107,7 @@ private class CongruentCopyInstruction extends CopyInstruction {
       def = this.getSourceValue() and
       (
         def.getResultMemoryAccess() instanceof IndirectMemoryAccess or
+        def.getResultMemoryAccess() instanceof PhiMemoryAccess or
         not def.hasMemoryResult()
       )
     )

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -130,7 +130,7 @@ module InstructionSanity {
   query predicate instructionWithoutUniqueBlock(Instruction instr, int blockCount) {
     blockCount = count(instr.getBlock()) and
     blockCount != 1
-  } 
+  }
 }
 
 /**
@@ -750,6 +750,12 @@ class BinaryInstruction extends Instruction {
   final Instruction getRightOperand() {
     result = getAnOperand().(RightOperand).getDefinitionInstruction()
   }
+  
+  final predicate hasOperands(Operand op1, Operand op2) {
+    op1 = getAnOperand().(LeftOperand) and op2 = getAnOperand().(RightOperand)
+    or
+    op1 = getAnOperand().(RightOperand) and op2 = getAnOperand().(LeftOperand)
+  }
 }
 
 class AddInstruction extends BinaryInstruction {

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll

@@ -21,6 +21,10 @@ class Operand extends TOperand {
     result = "Operand"
   }
 
+  Location getLocation() {
+    result = getInstruction().getLocation()
+  }
+
   /**
    * Gets the `Instruction` that consumes this operand.
    */

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll

@@ -107,6 +107,7 @@ private class CongruentCopyInstruction extends CopyInstruction {
       def = this.getSourceValue() and
       (
         def.getResultMemoryAccess() instanceof IndirectMemoryAccess or
+        def.getResultMemoryAccess() instanceof PhiMemoryAccess or
         not def.hasMemoryResult()
       )
     )