C++: IR sanity queries for outgoing edges

These queries have no results on our test cases in the repo, but `ambiguousSuccessors` has results on any large C++ code base, and `unexplainedLoop` has results on Windows builds of ChakraCore.
2026-04-30 03:05:15 +02:00 · 2019-01-23 11:07:49 +01:00
parent aba73f4aac
commit b2e5d235de
6 changed files with 84 additions and 0 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -106,6 +106,32 @@ module InstructionSanity {
    not instr instanceof UnreachedInstruction
  }

+  /**
+   * Holds if there are multiple (`n`) edges of kind `kind` from `source`,
+   * where `target` is among the targets of those edges.
+   */
+  query predicate ambiguousSuccessors(
+    Instruction source, EdgeKind kind, int n, Instruction target
+  ) {
+    n = strictcount(Instruction t | source.getSuccessor(kind) = t) and
+    n > 1 and
+    source.getSuccessor(kind) = target
+  }
+
+  /**
+   * Holds if `instr` in `f` is part of a loop even though the AST of `f`
+   * contains no element that can cause loops.
+   */
+  query predicate unexplainedLoop(Function f, Instruction instr) {
+    exists(IRBlock block |
+      instr.getBlock() = block and
+      block.getFunction() = f and
+      block.getASuccessor+() = block
+    ) and
+    not exists(Loop l | l.getEnclosingFunction() = f) and
+    not exists(GotoStmt s | s.getEnclosingFunction() = f)
+  }
+
  /**
   * Holds if a `Phi` instruction is present in a block with fewer than two
   * predecessors.
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -106,6 +106,32 @@ module InstructionSanity {
    not instr instanceof UnreachedInstruction
  }

+  /**
+   * Holds if there are multiple (`n`) edges of kind `kind` from `source`,
+   * where `target` is among the targets of those edges.
+   */
+  query predicate ambiguousSuccessors(
+    Instruction source, EdgeKind kind, int n, Instruction target
+  ) {
+    n = strictcount(Instruction t | source.getSuccessor(kind) = t) and
+    n > 1 and
+    source.getSuccessor(kind) = target
+  }
+
+  /**
+   * Holds if `instr` in `f` is part of a loop even though the AST of `f`
+   * contains no element that can cause loops.
+   */
+  query predicate unexplainedLoop(Function f, Instruction instr) {
+    exists(IRBlock block |
+      instr.getBlock() = block and
+      block.getFunction() = f and
+      block.getASuccessor+() = block
+    ) and
+    not exists(Loop l | l.getEnclosingFunction() = f) and
+    not exists(GotoStmt s | s.getEnclosingFunction() = f)
+  }
+
  /**
   * Holds if a `Phi` instruction is present in a block with fewer than two
   * predecessors.
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -106,6 +106,32 @@ module InstructionSanity {
    not instr instanceof UnreachedInstruction
  }

+  /**
+   * Holds if there are multiple (`n`) edges of kind `kind` from `source`,
+   * where `target` is among the targets of those edges.
+   */
+  query predicate ambiguousSuccessors(
+    Instruction source, EdgeKind kind, int n, Instruction target
+  ) {
+    n = strictcount(Instruction t | source.getSuccessor(kind) = t) and
+    n > 1 and
+    source.getSuccessor(kind) = target
+  }
+
+  /**
+   * Holds if `instr` in `f` is part of a loop even though the AST of `f`
+   * contains no element that can cause loops.
+   */
+  query predicate unexplainedLoop(Function f, Instruction instr) {
+    exists(IRBlock block |
+      instr.getBlock() = block and
+      block.getFunction() = f and
+      block.getASuccessor+() = block
+    ) and
+    not exists(Loop l | l.getEnclosingFunction() = f) and
+    not exists(GotoStmt s | s.getEnclosingFunction() = f)
+  }
+
  /**
   * Holds if a `Phi` instruction is present in a block with fewer than two
   * predecessors.