C++: Insert int-to-bool conversions at binary conditional expressions.

2026-04-25 16:55:19 +02:00 · 2024-11-20 11:06:07 +00:00
parent 9d3bc7f510
commit 65771614ef
2 changed files with 55 additions and 2 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
@@ -41,6 +41,8 @@ newtype TInstructionTag =
  ValueConditionCompareTag() or
  ValueConditionConstantTag() or
  ValueConditionConditionalBranchTag() or
+  ValueConditionConditionalConstantTag() or
+  ValueConditionConditionalCompareTag() or
  ConditionValueTrueTempAddressTag() or
  ConditionValueTrueConstantTag() or
  ConditionValueTrueStoreTag() or
@@ -171,6 +173,10 @@ string getInstructionTagId(TInstructionTag tag) {
  or
  tag = ValueConditionConditionalBranchTag() and result = "ValCondCondBranch"
  or
+  tag = ValueConditionConditionalConstantTag() and result = "ValueConditionConditionalConstant"
+  or
+  tag = ValueConditionConditionalCompareTag() and result = "ValueConditionConditionalCompare"
+  or
  tag = ValueConditionCompareTag() and result = "ValCondCondCompare"
  or
  tag = ValueConditionConstantTag() and result = "ValCondConstant"
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -2965,6 +2965,10 @@ class TranslatedBinaryConditionalExpr extends TranslatedConditionalExpr {
    result = this.getCondition().getFirstInstruction(kind)
  }

+  private Type getConditionType() {
+    result = this.getCondition().getExprType().getUnspecifiedType()
+  }
+
  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
    super.hasInstruction(opcode, tag, resultType)
    or
@@ -2972,11 +2976,35 @@ class TranslatedBinaryConditionalExpr extends TranslatedConditionalExpr {
    tag = ValueConditionConditionalBranchTag() and
    opcode instanceof Opcode::ConditionalBranch and
    resultType = getVoidType()
+    or
+    exists(Type t |
+      t = this.getConditionType() and
+      not t instanceof BoolType
+    |
+      tag = ValueConditionConditionalConstantTag() and
+      opcode instanceof Opcode::Constant and
+      resultType = getTypeForPRValue(t)
+      or
+      tag = ValueConditionConditionalCompareTag() and
+      opcode instanceof Opcode::CompareNE and
+      resultType = getBoolType()
+    )
  }

  override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
    result = super.getInstructionSuccessorInternal(tag, kind)
    or
+    not this.getConditionType() instanceof BoolType and
+    (
+      tag = ValueConditionConditionalConstantTag() and
+      kind instanceof GotoEdge and
+      result = this.getInstruction(ValueConditionConditionalCompareTag())
+      or
+      tag = ValueConditionConditionalCompareTag() and
+      kind instanceof GotoEdge and
+      result = this.getInstruction(ValueConditionConditionalBranchTag())
+    )
+    or
    tag = ValueConditionConditionalBranchTag() and
    (
      kind instanceof TrueEdge and
@@ -2992,7 +3020,19 @@ class TranslatedBinaryConditionalExpr extends TranslatedConditionalExpr {
    or
    tag = ValueConditionConditionalBranchTag() and
    operandTag instanceof ConditionOperandTag and
-    result = this.getCondition().getResult()
+    if this.getConditionType() instanceof BoolType
+    then result = this.getCondition().getResult()
+    else result = this.getInstruction(ValueConditionConditionalCompareTag())
+    or
+    not this.getConditionType() instanceof BoolType and
+    tag = ValueConditionConditionalCompareTag() and
+    (
+      operandTag instanceof LeftOperandTag and
+      result = this.getCondition().getResult()
+      or
+      operandTag instanceof RightOperandTag and
+      result = this.getInstruction(ValueConditionConditionalConstantTag())
+    )
  }

  override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
@@ -3000,7 +3040,9 @@ class TranslatedBinaryConditionalExpr extends TranslatedConditionalExpr {
    or
    kind instanceof GotoEdge and
    child = this.getCondition() and
-    result = this.getInstruction(ValueConditionConditionalBranchTag())
+    if this.getConditionType() instanceof BoolType
+    then result = this.getInstruction(ValueConditionConditionalBranchTag())
+    else result = this.getInstruction(ValueConditionConditionalConstantTag())
  }

  private TranslatedExpr getCondition() {
@@ -3017,6 +3059,11 @@ class TranslatedBinaryConditionalExpr extends TranslatedConditionalExpr {
    // always converting the "then" operand to `bool`, which is almost always the wrong type.
    result = getTranslatedExpr(expr.getThen().getExplicitlyConverted())
  }
+
+  override string getInstructionConstantValue(InstructionTag tag) {
+    tag = ValueConditionConditionalConstantTag() and
+    result = "0"
+  }
 }

 /**