Merge pull request #15005 from jketema/ir-guards-ternary-fix

C++: Fix IRGuards ternary behaviour
2026-04-25 16:55:19 +02:00 · 2023-12-05 15:04:56 +01:00
parent e6a5c50ebc 4d702e2eee
commit 30e5e74a78
3 changed files with 49 additions and 3 deletions
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -5,6 +5,8 @@

 import cpp
 import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
+private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag

 /**
 * Holds if `block` consists of an `UnreachedInstruction`.
@@ -201,10 +203,25 @@ private class GuardConditionFromIR extends GuardCondition {
   * `&&` and `||`. See the detailed explanation on predicate `controls`.
   */
  private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
-    exists(IRBlock irb |
+    exists(IRBlock irb, Instruction instr |
      ir.controls(irb, testIsTrue) and
-      irb.getAnInstruction().getAst().(ControlFlowNode).getBasicBlock() = controlled and
-      not isUnreachedBlock(irb)
+      instr = irb.getAnInstruction() and
+      instr.getAst().(ControlFlowNode).getBasicBlock() = controlled and
+      not isUnreachedBlock(irb) and
+      not this.excludeAsControlledInstruction(instr)
+    )
+  }
+
+  private predicate excludeAsControlledInstruction(Instruction instr) {
+    // Exclude the temporaries generated by a ternary expression.
+    exists(TranslatedConditionalExpr tce |
+      instr = tce.getInstruction(ConditionValueFalseStoreTag())
+      or
+      instr = tce.getInstruction(ConditionValueTrueStoreTag())
+      or
+      instr = tce.getInstruction(ConditionValueTrueTempAddressTag())
+      or
+      instr = tce.getInstruction(ConditionValueFalseTempAddressTag())
    )
  }
 }
--- a/cpp/ql/test/library-tests/controlflow/guards-ir/test.c
+++ b/cpp/ql/test/library-tests/controlflow/guards-ir/test.c
@@ -167,3 +167,10 @@ int ptr_test(int *x, int *y) {

    return 0;
 }
+
+int foo(const char*, int);
+
+int ternary_test(const char *path, int mode)
+{
+    return (foo(path, mode) == 0 ? 1 : 0);
+}
--- a/cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected
+++ b/cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected
@@ -34,6 +34,7 @@ astGuards
 | test.c:159:9:159:19 | ... == ... |
 | test.c:162:9:162:18 | ... < ... |
 | test.c:165:9:165:18 | ... < ... |
+| test.c:175:13:175:32 | ... == ... |
 | test.cpp:18:8:18:10 | call to get |
 | test.cpp:31:7:31:13 | ... == ... |
 | test.cpp:42:13:42:20 | call to getABool |
@@ -158,6 +159,10 @@ astGuardsCompare
 | 165 | x >= y+-42 when ... < ... is false |
 | 165 | y < x+43 when ... < ... is false |
 | 165 | y >= x+43 when ... < ... is true |
+| 175 | 0 != call to foo+0 when ... == ... is false |
+| 175 | 0 == call to foo+0 when ... == ... is true |
+| 175 | call to foo != 0+0 when ... == ... is false |
+| 175 | call to foo == 0+0 when ... == ... is true |
 astGuardsControl
 | test.c:7:9:7:13 | ... > ... | false | 10 | 11 |
 | test.c:7:9:7:13 | ... > ... | true | 7 | 9 |
@@ -248,6 +253,8 @@ astGuardsControl
 | test.c:159:9:159:19 | ... == ... | true | 159 | 160 |
 | test.c:162:9:162:18 | ... < ... | true | 162 | 163 |
 | test.c:165:9:165:18 | ... < ... | true | 165 | 166 |
+| test.c:175:13:175:32 | ... == ... | false | 175 | 175 |
+| test.c:175:13:175:32 | ... == ... | true | 175 | 175 |
 | test.cpp:18:8:18:10 | call to get | true | 19 | 19 |
 | test.cpp:31:7:31:13 | ... == ... | false | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | false | 34 | 34 |
@@ -420,6 +427,10 @@ astGuardsEnsure
 | test.c:165:9:165:18 | ... < ... | test.c:165:9:165:9 | x | < | test.c:165:13:165:18 | ... - ... | 0 | 165 | 166 |
 | test.c:165:9:165:18 | ... < ... | test.c:165:13:165:13 | y | >= | test.c:165:9:165:9 | x | 43 | 165 | 166 |
 | test.c:165:9:165:18 | ... < ... | test.c:165:13:165:18 | ... - ... | >= | test.c:165:9:165:9 | x | 1 | 165 | 166 |
+| test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | != | test.c:175:32:175:32 | 0 | 0 | 175 | 175 |
+| test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | == | test.c:175:32:175:32 | 0 | 0 | 175 | 175 |
+| test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | != | test.c:175:13:175:15 | call to foo | 0 | 175 | 175 |
+| test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | == | test.c:175:13:175:15 | call to foo | 0 | 175 | 175 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 34 | 34 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | test.cpp:31:12:31:13 | - ... | 0 | 30 | 30 |
@@ -458,6 +469,7 @@ irGuards
 | test.c:159:9:159:19 | CompareEQ: ... == ... |
 | test.c:162:9:162:18 | CompareLT: ... < ... |
 | test.c:165:9:165:18 | CompareLT: ... < ... |
+| test.c:175:13:175:32 | CompareEQ: ... == ... |
 | test.cpp:18:8:18:12 | CompareNE: (bool)... |
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... |
 | test.cpp:42:13:42:20 | Call: call to getABool |
@@ -566,6 +578,10 @@ irGuardsCompare
 | 165 | x >= y+-42 when CompareLT: ... < ... is false |
 | 165 | y < x+43 when CompareLT: ... < ... is false |
 | 165 | y >= x+43 when CompareLT: ... < ... is true |
+| 175 | 0 != call to foo+0 when CompareEQ: ... == ... is false |
+| 175 | 0 == call to foo+0 when CompareEQ: ... == ... is true |
+| 175 | call to foo != 0+0 when CompareEQ: ... == ... is false |
+| 175 | call to foo == 0+0 when CompareEQ: ... == ... is true |
 irGuardsControl
 | test.c:7:9:7:13 | CompareGT: ... > ... | false | 11 | 11 |
 | test.c:7:9:7:13 | CompareGT: ... > ... | true | 8 | 8 |
@@ -649,6 +665,8 @@ irGuardsControl
 | test.c:159:9:159:19 | CompareEQ: ... == ... | true | 159 | 160 |
 | test.c:162:9:162:18 | CompareLT: ... < ... | true | 162 | 163 |
 | test.c:165:9:165:18 | CompareLT: ... < ... | true | 165 | 166 |
+| test.c:175:13:175:32 | CompareEQ: ... == ... | false | 175 | 175 |
+| test.c:175:13:175:32 | CompareEQ: ... == ... | true | 175 | 175 |
 | test.cpp:18:8:18:12 | CompareNE: (bool)... | true | 19 | 19 |
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... | false | 34 | 34 |
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... | true | 30 | 30 |
@@ -804,6 +822,10 @@ irGuardsEnsure
 | test.c:165:9:165:18 | CompareLT: ... < ... | test.c:165:9:165:9 | Load: x | < | test.c:165:13:165:18 | PointerSub: ... - ... | 0 | 165 | 166 |
 | test.c:165:9:165:18 | CompareLT: ... < ... | test.c:165:13:165:13 | Load: y | >= | test.c:165:9:165:9 | Load: x | 43 | 165 | 166 |
 | test.c:165:9:165:18 | CompareLT: ... < ... | test.c:165:13:165:18 | PointerSub: ... - ... | >= | test.c:165:9:165:9 | Load: x | 1 | 165 | 166 |
+| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:13:175:15 | Call: call to foo | != | test.c:175:32:175:32 | Constant: 0 | 0 | 175 | 175 |
+| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:13:175:15 | Call: call to foo | == | test.c:175:32:175:32 | Constant: 0 | 0 | 175 | 175 |
+| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:32:175:32 | Constant: 0 | != | test.c:175:13:175:15 | Call: call to foo | 0 | 175 | 175 |
+| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:32:175:32 | Constant: 0 | == | test.c:175:13:175:15 | Call: call to foo | 0 | 175 | 175 |
 | test.cpp:18:8:18:12 | CompareNE: (bool)... | test.cpp:18:8:18:10 | Call: call to get | != | test.cpp:18:8:18:12 | Constant: (bool)... | 0 | 19 | 19 |
 | test.cpp:18:8:18:12 | CompareNE: (bool)... | test.cpp:18:8:18:12 | Constant: (bool)... | != | test.cpp:18:8:18:10 | Call: call to get | 0 | 19 | 19 |
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | != | test.cpp:31:12:31:13 | Constant: - ... | 0 | 34 | 34 |