C++: Handle C++17 switch initializers

2026-05-04 05:05:12 +02:00 · 2022-04-29 16:18:25 +02:00
parent ebbd9c5b90
commit 71c019e126
11 changed files with 568 additions and 12 deletions
--- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
+++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
@@ -679,6 +679,8 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
    or
    s.(IfStmt).getElse() = e and pred = "getElse()"
    or
+    s.(SwitchStmt).getInitialization() = e and pred = "getInitialization()"
+    or
    s.(SwitchStmt).getExpr() = e and pred = "getExpr()"
    or
    s.(SwitchStmt).getStmt() = e and pred = "getStmt()"
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
@@ -708,30 +708,33 @@ private predicate straightLineSparse(Node scope, int i, Node ni, Spec spec) {
  or
  scope =
    any(SwitchStmt s |
+      // SwitchStmt [-> init] -> expr
      i = -1 and ni = s and spec.isAt()
      or
-      i = 0 and ni = s.getExpr() and spec.isAround()
+      i = 0 and ni = s.getInitialization() and spec.isAround()
+      or
+      i = 1 and ni = s.getExpr() and spec.isAround()
      or
      // If the switch body is not a block then this step is skipped, and the
      // expression jumps directly to the cases.
-      i = 1 and ni = s.getStmt().(BlockStmt) and spec.isAt()
+      i = 2 and ni = s.getStmt().(BlockStmt) and spec.isAt()
      or
-      i = 2 and ni = s.getASwitchCase() and spec.isBefore()
+      i = 3 and ni = s.getASwitchCase() and spec.isBefore()
      or
      // If there is no default case, we can jump to after the block. Note: `i`
      // is same value as above.
      not s.getASwitchCase() instanceof DefaultCase and
-      i = 2 and
+      i = 3 and
      ni = s.getStmt() and
      spec.isAfter()
      or
-      i = 3 and /* BARRIER */ ni = s and spec.isBarrier()
+      i = 4 and /* BARRIER */ ni = s and spec.isBarrier()
      or
-      i = 4 and ni = s.getStmt() and spec.isAfter()
+      i = 5 and ni = s.getStmt() and spec.isAfter()
      or
-      i = 5 and ni = s and spec.isAroundDestructors()
+      i = 6 and ni = s and spec.isAroundDestructors()
      or
-      i = 6 and ni = s and spec.isAfter()
+      i = 7 and ni = s and spec.isAfter()
    )
  or
  scope =
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
@@ -717,14 +717,28 @@ class TranslatedSwitchStmt extends TranslatedStmt {
    result = getTranslatedExpr(stmt.getExpr().getFullyConverted())
  }

+  private Instruction getFirstExprInstruction() { result = getExpr().getFirstInstruction() }
+
  private TranslatedStmt getBody() { result = getTranslatedStmt(stmt.getStmt()) }

-  override Instruction getFirstInstruction() { result = getExpr().getFirstInstruction() }
+  override Instruction getFirstInstruction() {
+    if hasInitialization()
+    then result = getInitialization().getFirstInstruction()
+    else result = getFirstExprInstruction()
+  }

  override TranslatedElement getChild(int id) {
-    id = 0 and result = getExpr()
+    id = 0 and result = getInitialization()
    or
-    id = 1 and result = getBody()
+    id = 1 and result = getExpr()
+    or
+    id = 2 and result = getBody()
+  }
+
+  private predicate hasInitialization() { exists(stmt.getInitialization()) }
+
+  private TranslatedStmt getInitialization() {
+    result = getTranslatedStmt(stmt.getInitialization())
  }

  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
@@ -754,6 +768,8 @@ class TranslatedSwitchStmt extends TranslatedStmt {
  }

  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getInitialization() and result = getFirstExprInstruction()
+    or
    child = getExpr() and result = getInstruction(SwitchBranchTag())
    or
    child = getBody() and result = getParent().getChildSuccessor(this)
--- a/cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll
+++ b/cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll
@@ -1512,6 +1512,28 @@ class DefaultCase extends SwitchCase {
 class SwitchStmt extends ConditionalStmt, @stmt_switch {
  override string getAPrimaryQlClass() { result = "SwitchStmt" }

+  /**
+   * Gets the initialization statement of this 'switch' statement.
+   *
+   * For example, for
+   * ```
+   * switch (x = y; b) { }
+   * ```
+   * the result is `x = y;`.
+   *
+   * Does not hold if the initialization statement is missing or an empty statement, as in
+   * ```
+   * switch (b) { }
+   * ```
+   * or
+   * ```
+   * switch (; b) { }
+   * ```
+   */
+  Stmt getInitialization() {
+    switch_initialization(underlyingElement(this), unresolveElement(result))
+  }
+
  /**
   * Gets the expression that this 'switch' statement switches on.
   *
@@ -1527,7 +1549,7 @@ class SwitchStmt extends ConditionalStmt, @stmt_switch {
   * ```
   * the result is `i`.
   */
-  Expr getExpr() { result = this.getChild(0) }
+  Expr getExpr() { result = this.getChild(1) }

  override Expr getControllingExpr() { result = this.getExpr() }

--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -1903,6 +1903,11 @@ do_body(
    int body_id: @stmt ref
 );

+switch_initialization(
+    unique int switch_stmt: @stmt_switch ref,
+    int init_id: @stmt ref
+);
+
 #keyset[switch_stmt, index]
 switch_case(
    int switch_stmt: @stmt_switch ref,