C++: fix range analysis back edge detection for irreducible CFGs

2025-12-24 04:36:35 +01:00 · 2023-06-21 17:54:52 -04:00
parent 9c774ac97f
commit ba7cb8f4ae
2 changed files with 39 additions and 0 deletions
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll
@@ -70,6 +70,21 @@ predicate semBackEdge(SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionP
  // Conservatively assume that every edge is a back edge if we don't have dominance information.
  (
    phi.getBasicBlock().bbDominates(edge.getOrigBlock()) or
+    trimmedReachable(phi.getBasicBlock(), edge.getOrigBlock()) or
    not edge.getOrigBlock().hasDominanceInformation()
  )
 }
+
+private predicate trimmedReachable(SemBasicBlock b1, SemBasicBlock b2) {
+  b1 = b2
+  or
+  exists(SemBasicBlock mid |
+    trimmedReachable(b1, mid) and
+    trimmedEdges(mid, b2)
+  )
+}
+
+private predicate trimmedEdges(SemBasicBlock pred, SemBasicBlock succ) {
+  pred.getASuccessor() = succ and
+  not succ.bbDominates(pred)
+}
--- a/cpp/ql/test/library-tests/ir/range-analysis/test.cpp
+++ b/cpp/ql/test/library-tests/ir/range-analysis/test.cpp
@@ -70,3 +70,27 @@ int f4(int x) {
    }
  }
 }
+
+// No interesting ranges to check here - this irreducible CFG caused an infinite loop due to back edge detection
+void gotoLoop(bool b1, bool b2)
+{
+  int j;
+
+  if (b1)
+    return;
+
+  if (!b2)
+  {
+    for (j = 0; j < 10; ++j)
+    {
+     goto main_decode_loop;
+    }
+  }
+  else
+  {
+    for (j = 0; j < 10; ++j)
+    {
+      main_decode_loop:
+    }
+  }
+}