SSA: Update data flow integration and BarrierGuard interface to use GuardValue.

2025-12-17 01:03:14 +01:00 · 2025-07-28 10:25:31 +02:00
parent 37b508bf43
commit 3b8234ecec
11 changed files with 122 additions and 72 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -1982,19 +1982,23 @@ module IteratorFlow {

    predicate allowFlowIntoUncertainDef(IteratorSsa::UncertainWriteDefinition def) { any() }

+    class GuardValue = Void;
+
    class Guard extends Void {
-      predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+      predicate hasValueBranchEdge(
+        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue val
+      ) {
        none()
      }

-      predicate controlsBranchEdge(
-        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch
+      predicate valueControlsBranchEdge(
+        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue val
      ) {
        none()
      }
    }

-    predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {
+    predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, GuardValue val) {
      none()
    }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -961,6 +961,8 @@ class GlobalDef extends Definition {
 private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;

 private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationInputSig {
+  private import codeql.util.Boolean
+
  class Expr extends Instruction {
    Expr() {
      exists(IRBlock bb, int i |
@@ -992,10 +994,14 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
    result instanceof FalseEdge
  }

+  class GuardValue = Boolean;
+
  class Guard instanceof IRGuards::IRGuardCondition {
    string toString() { result = super.toString() }

-    predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+    predicate hasValueBranchEdge(
+      SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue branch
+    ) {
      exists(EdgeKind kind |
        super.getBlock() = bb1 and
        kind = getConditionalEdge(branch) and
@@ -1003,12 +1009,14 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
      )
    }

-    predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
-      this.hasBranchEdge(bb1, bb2, branch)
+    predicate valueControlsBranchEdge(
+      SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue branch
+    ) {
+      this.hasValueBranchEdge(bb1, bb2, branch)
    }
  }

-  predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {
+  predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, GuardValue branch) {
    guard.(IRGuards::IRGuardCondition).controls(bb, branch)
  }

@@ -1037,7 +1045,8 @@ module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
  }

  private predicate guardChecks(
-    DataFlowIntegrationInput::Guard g, SsaImpl::Definition def, boolean branch, int indirectionIndex
+    DataFlowIntegrationInput::Guard g, SsaImpl::Definition def,
+    DataFlowIntegrationInput::GuardValue branch, int indirectionIndex
  ) {
    exists(UseImpl use |
      guardChecksNode(g, use.getNode(), branch, indirectionIndex) and