CPP: Fix for LocalScopeReachability.

2026-04-30 03:05:15 +02:00 · 2019-05-23 12:30:27 +01:00
parent f4b4ddbdaf
commit 56adcff2c9
3 changed files with 25 additions and 23 deletions
--- a/cpp/ql/src/semmle/code/cpp/controlflow/LocalScopeVariableReachability.qll
+++ b/cpp/ql/src/semmle/code/cpp/controlflow/LocalScopeVariableReachability.qll
@@ -131,20 +131,27 @@ private predicate bbLoopEntryConditionAlwaysTrueAt(BasicBlock bb, int i, Control
 }

 /**
- * Basic block `pred` ends with a condition belonging to a loop, and that
- * condition is provably true upon entry. Basic block `succ` is a successor
- * of `pred`, and `skipsLoop` indicates whether `succ` is the false-successor
- * of `pred`.
+ * Basic block `pred` contains all or part of the condition belonging to a loop,
+ * and there is an edge from `pred` to `succ` that concludes the condition.
+ * If the edge corrseponds with the loop condition being found to be `true`, then
+ * `skipsLoop` is `false`.  Otherwise the edge corresponds with the loop condition
+ * being found to be `false` and `skipsLoop` is `true`.  Non-concluding edges
+ * within a complex loop condition are not matched by this predicate.
 */
 private predicate bbLoopConditionAlwaysTrueUponEntrySuccessor(BasicBlock pred, BasicBlock succ, boolean skipsLoop) {
-  succ = pred.getASuccessor() and
-  exists(ControlFlowNode last |
-    last = pred.getEnd() and
-    loopConditionAlwaysTrueUponEntry(_, last) and
-    if succ = pred.getAFalseSuccessor() then
-      skipsLoop = true
-    else
-      skipsLoop = false
+  exists(ControlFlowNode loop |
+    loopConditionAlwaysTrueUponEntry(loop, _) and
+    (
+      (
+        succ = loop.(Loop).getFollowingStmt() and
+        pred.getAFalseSuccessor() = succ and
+        skipsLoop = true
+      ) or (
+        succ = loop.(Loop).getStmt() and
+        pred.getATrueSuccessor() = succ and
+        skipsLoop = false
+      )
+    )
  )
 }

@@ -176,7 +183,7 @@ predicate bbSuccessorEntryReachesLoopInvariant(BasicBlock pred, BasicBlock succ,
      // The edge from `pred` to `succ` is _not_ from a loop condition provably
      // true upon entry, so the values of `predSkipsFirstLoopAlwaysTrueUponEntry`
      // and `succSkipsFirstLoopAlwaysTrueUponEntry` must be the same.
-      not bbLoopConditionAlwaysTrueUponEntrySuccessor(pred, _, _) and
+      not bbLoopConditionAlwaysTrueUponEntrySuccessor(pred, succ, _) and
      succSkipsFirstLoopAlwaysTrueUponEntry = predSkipsFirstLoopAlwaysTrueUponEntry and
      // Moreover, if `pred` contains the entry point of a loop where the
      // condition is provably true upon entry, then `succ` is not allowed