C++: Add sanity test for definitions that don't dominate their uses.

2026-05-01 03:35:13 +02:00 · 2019-08-01 15:01:42 -07:00
parent 912679ef8c
commit 6370391dbd
8 changed files with 152 additions and 0 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -215,6 +215,55 @@ module InstructionSanity {
      ) and
    fromInstr != fromBlock
  }
+
+  /**
+   * Gets the point in the function at which the specified operand is evaluated. For most operands,
+   * this is at the instruction that consumes the use. For a `PhiInputOperand`, the effective point
+   * of evaluation is at the end of the corresponding predecessor block.
+   */
+  private predicate pointOfEvaluation(Operand operand, IRBlock block, int index) {
+    (
+      block = operand.(PhiInputOperand).getPredecessorBlock() and
+      index = block.getInstructionCount()
+    ) or
+    exists (Instruction use |
+      use = operand.(NonPhiOperand).getUse() and
+      block.getInstruction(index) = use
+    )
+  }
+
+  /**
+   * Holds if `useOperand` has a definition that does not dominate the use.
+   */
+  query predicate useNotDominatedByDefinition(Operand useOperand, string message, IRFunction func,
+    string funcText) {
+
+    exists (IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
+      not useOperand.getUse() instanceof UnmodeledUseInstruction and
+      pointOfEvaluation(useOperand, useBlock, useIndex) and
+      defInstr = useOperand.getAnyDef() and
+      (
+        (
+          defInstr instanceof PhiInstruction and
+          defBlock = defInstr.getBlock() and
+          defIndex = -1
+        )
+        or
+          defBlock.getInstruction(defIndex) = defInstr
+      ) and
+      not (
+        defBlock.strictlyDominates(useBlock) or
+        (
+          defBlock = useBlock and
+          defIndex < useIndex
+        )
+      ) and
+      message = "Operand '" + useOperand.toString() +
+        "' is not dominated by its definition in function '$@'." and
+      func = useOperand.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
+  }
 }

 /**
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -215,6 +215,55 @@ module InstructionSanity {
      ) and
    fromInstr != fromBlock
  }
+
+  /**
+   * Gets the point in the function at which the specified operand is evaluated. For most operands,
+   * this is at the instruction that consumes the use. For a `PhiInputOperand`, the effective point
+   * of evaluation is at the end of the corresponding predecessor block.
+   */
+  private predicate pointOfEvaluation(Operand operand, IRBlock block, int index) {
+    (
+      block = operand.(PhiInputOperand).getPredecessorBlock() and
+      index = block.getInstructionCount()
+    ) or
+    exists (Instruction use |
+      use = operand.(NonPhiOperand).getUse() and
+      block.getInstruction(index) = use
+    )
+  }
+
+  /**
+   * Holds if `useOperand` has a definition that does not dominate the use.
+   */
+  query predicate useNotDominatedByDefinition(Operand useOperand, string message, IRFunction func,
+    string funcText) {
+
+    exists (IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
+      not useOperand.getUse() instanceof UnmodeledUseInstruction and
+      pointOfEvaluation(useOperand, useBlock, useIndex) and
+      defInstr = useOperand.getAnyDef() and
+      (
+        (
+          defInstr instanceof PhiInstruction and
+          defBlock = defInstr.getBlock() and
+          defIndex = -1
+        )
+        or
+          defBlock.getInstruction(defIndex) = defInstr
+      ) and
+      not (
+        defBlock.strictlyDominates(useBlock) or
+        (
+          defBlock = useBlock and
+          defIndex < useIndex
+        )
+      ) and
+      message = "Operand '" + useOperand.toString() +
+        "' is not dominated by its definition in function '$@'." and
+      func = useOperand.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
+  }
 }

 /**
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -215,6 +215,55 @@ module InstructionSanity {
      ) and
    fromInstr != fromBlock
  }
+
+  /**
+   * Gets the point in the function at which the specified operand is evaluated. For most operands,
+   * this is at the instruction that consumes the use. For a `PhiInputOperand`, the effective point
+   * of evaluation is at the end of the corresponding predecessor block.
+   */
+  private predicate pointOfEvaluation(Operand operand, IRBlock block, int index) {
+    (
+      block = operand.(PhiInputOperand).getPredecessorBlock() and
+      index = block.getInstructionCount()
+    ) or
+    exists (Instruction use |
+      use = operand.(NonPhiOperand).getUse() and
+      block.getInstruction(index) = use
+    )
+  }
+
+  /**
+   * Holds if `useOperand` has a definition that does not dominate the use.
+   */
+  query predicate useNotDominatedByDefinition(Operand useOperand, string message, IRFunction func,
+    string funcText) {
+
+    exists (IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
+      not useOperand.getUse() instanceof UnmodeledUseInstruction and
+      pointOfEvaluation(useOperand, useBlock, useIndex) and
+      defInstr = useOperand.getAnyDef() and
+      (
+        (
+          defInstr instanceof PhiInstruction and
+          defBlock = defInstr.getBlock() and
+          defIndex = -1
+        )
+        or
+          defBlock.getInstruction(defIndex) = defInstr
+      ) and
+      not (
+        defBlock.strictlyDominates(useBlock) or
+        (
+          defBlock = useBlock and
+          defIndex < useIndex
+        )
+      ) and
+      message = "Operand '" + useOperand.toString() +
+        "' is not dominated by its definition in function '$@'." and
+      func = useOperand.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
+  }
 }

 /**
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected
@@ -12,3 +12,4 @@ instructionWithoutUniqueBlock
 containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
+useNotDominatedByDefinition
--- a/cpp/ql/test/library-tests/ir/ir/raw_sanity.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_sanity.expected
@@ -12,3 +12,4 @@ instructionWithoutUniqueBlock
 containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
+useNotDominatedByDefinition
--- a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected
+++ b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected
@@ -12,3 +12,4 @@ instructionWithoutUniqueBlock
 containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
+useNotDominatedByDefinition
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.expected
@@ -12,3 +12,4 @@ instructionWithoutUniqueBlock
 containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
+useNotDominatedByDefinition
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.expected
@@ -12,3 +12,4 @@ instructionWithoutUniqueBlock
 containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
+useNotDominatedByDefinition