C++: Support guards without implicit boolean conversions.

2025-12-21 03:06:31 +01:00 · 2024-04-30 11:45:58 +01:00
parent 806d42852c
commit d736426529
1 changed files with 16 additions and 0 deletions
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -790,6 +790,22 @@ private predicate simple_comparison_eq(Instruction test, Operand op, int k, Abst
    exists(switch.getSuccessor(case)) and
    case.getValue().toInt() = k
  )
+  or
+  // There's no implicit CompareInstruction in files compiled as C since C
+  // doesn't have implicit boolean conversions. So instead we check whether
+  // there's a branch on a value ofpointer or integer type.
+  exists(ConditionalBranchInstruction branch, IRType type |
+    not test instanceof CompareInstruction and
+    (type instanceof IRAddressType or type instanceof IRIntegerType) and
+    test = branch.getCondition() and
+    op.getDef() = test
+  |
+    k = 1 and
+    value.(BooleanValue).getValue() = true
+    or
+    k = 0 and
+    value.(BooleanValue).getValue() = false
+  )
 }

 private predicate complex_eq(