Dataflow: Introduce NodeRegions for use in isUnreachableInCall.

2026-04-23 07:45:17 +02:00 · 2024-04-25 15:36:26 +02:00
parent 486eaad566
commit bc8ca1af86
12 changed files with 142 additions and 31 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -502,6 +502,18 @@ class SummaryCall extends DataFlowCall, TSummaryCall {
  override Location getLocation() { result = c.getLocation() }
 }

+private predicate id(BasicBlock x, BasicBlock y) { x = y }
+
+private predicate idOf(BasicBlock x, int y) = equivalenceRelation(id/2)(x, y)
+
+class NodeRegion instanceof BasicBlock {
+  string toString() { result = "NodeRegion" }
+
+  predicate contains(Node n) { n.asExpr().getBasicBlock() = this }
+
+  int totalOrder() { idOf(this, result) }
+}
+
 /** Holds if `e` is an expression that always has the same Boolean value `val`. */
 private predicate constantBooleanExpr(Expr e, boolean val) {
  e.(CompileTimeConstantExpr).getBooleanValue() = val
@@ -522,9 +534,9 @@ private class ConstantBooleanArgumentNode extends ArgumentNode, ExprNode {
 }

 /**
- * Holds if the node `n` is unreachable when the call context is `call`.
+ * Holds if the nodes in `nr` are unreachable when the call context is `call`.
 */
-predicate isUnreachableInCall(Node n, DataFlowCall call) {
+predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) {
  exists(
    ExplicitParameterNode paramNode, ConstantBooleanArgumentNode arg, SsaImplicitInit param,
    Guard guard
@@ -537,7 +549,7 @@ predicate isUnreachableInCall(Node n, DataFlowCall call) {
    param.getAUse() = guard and
    // which controls `n` with the opposite value of `arg`
    guard
-        .controls(n.asExpr().getBasicBlock(),
+        .controls(nr,
          pragma[only_bind_into](pragma[only_bind_out](arg.getBooleanValue()).booleanNot()))
  )
 }