github · jbj · Sep 28, 2018 · Sep 13, 2018 · Sep 14, 2018 · Sep 14, 2018
diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll
@@ -76,6 +76,8 @@ abstract class PointerOffsetOpcode extends PointerArithmeticOpcode {}
 
 abstract class CompareOpcode extends BinaryOpcode {}
 
+abstract class RelationalOpcode extends CompareOpcode {}
+
 abstract class CopyOpcode extends Opcode {}
 
 abstract class MemoryAccessOpcode extends Opcode {}
@@ -117,10 +119,10 @@ module Opcode {
   class LogicalNot extends UnaryOpcode, TLogicalNot { override final string toString() { result = "LogicalNot" } }
   class CompareEQ extends CompareOpcode, TCompareEQ { override final string toString() { result = "CompareEQ" } }
   class CompareNE extends CompareOpcode, TCompareNE { override final string toString() { result = "CompareNE" } }
-  class CompareLT extends CompareOpcode, TCompareLT { override final string toString() { result = "CompareLT" } }
-  class CompareGT extends CompareOpcode, TCompareGT { override final string toString() { result = "CompareGT" } }
-  class CompareLE extends CompareOpcode, TCompareLE { override final string toString() { result = "CompareLE" } }
-  class CompareGE extends CompareOpcode, TCompareGE { override final string toString() { result = "CompareGE" } }
+  class CompareLT extends RelationalOpcode, TCompareLT { override final string toString() { result = "CompareLT" } }
+  class CompareGT extends RelationalOpcode, TCompareGT { override final string toString() { result = "CompareGT" } }
+  class CompareLE extends RelationalOpcode, TCompareLE { override final string toString() { result = "CompareLE" } }
+  class CompareGE extends RelationalOpcode, TCompareGE { override final string toString() { result = "CompareGE" } }
   class PointerAdd extends PointerOffsetOpcode, TPointerAdd { override final string toString() { result = "PointerAdd" } }
   class PointerSub extends PointerOffsetOpcode, TPointerSub { override final string toString() { result = "PointerSub" } }
   class PointerDiff extends PointerArithmeticOpcode, TPointerDiff { override final string toString() { result = "PointerDiff" } }

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll
@@ -89,4 +89,12 @@ class IRBlock extends TIRBlock {
     dominates(result.getAPredecessor()) and
     not strictlyDominates(result)
   }
+
+  /**
+   * Holds if this block is reachable from the entry point of its function
+   */
+  final predicate isReachableFromFunctionEntry() {
+    this = getFunctionIR().getEntryBlock() or
+    getAPredecessor().isReachableFromFunctionEntry()
+  }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -310,11 +310,19 @@ class Instruction extends Construction::TInstruction {
   }
 
   /**
-   * Gets the `Expr` whose results is computed by this instruction, if any.
+   * Gets the `Expr` whose result is computed by this instruction, if any.
    */
-  final Expr getResultExpression() {
-    result = Construction::getInstructionResultExpression(this) 
+  final Expr getConvertedResultExpression() {
+    result = Construction::getInstructionConvertedResultExpression(this) 
   }
+
+    /**
+   * Gets the unconverted `Expr` whose result is computed by this instruction, if any.
+   */
+  final Expr getUnconvertedResultExpression() {
+    result = Construction::getInstructionUnconvertedResultExpression(this) 
+  }
+
 
   /**
    * Gets the type of the result produced by this instruction. If the
@@ -967,28 +975,110 @@ class CompareNEInstruction extends CompareInstruction {
   }
 }
 
-class CompareLTInstruction extends CompareInstruction {
+/**
+ * Represents an instruction that does a relative comparison of two values, such as `<` or `>=`.
+ */
+class RelationalInstruction extends CompareInstruction {
+  RelationalInstruction() {
+    opcode instanceof RelationalOpcode
+  }
+  /**
+   * Gets the operand on the "greater" (or "greater-or-equal") side
+   * of this relational instruction, that is, the side that is larger
+   * if the overall instruction evaluates to `true`; for example on
+   * `x <= 20` this is the `20`, and on `y > 0` it is `y`.
+   */
+  Instruction getGreaterOperand() {
+    none()
+  }
+
+  /**
+   * Gets the operand on the "lesser" (or "lesser-or-equal") side
+   * of this relational instruction, that is, the side that is smaller
+   * if the overall instruction evaluates to `true`; for example on
+   * `x <= 20` this is `x`, and on `y > 0` it is the `0`.
+   */
+  Instruction getLesserOperand() {
+    none()
+  }
+  /**
+   * Holds if this relational instruction is strict (is not an "or-equal" instruction).
+   */
+  predicate isStrict() {
+    none()
+  }
+}
+
+class CompareLTInstruction extends RelationalInstruction {
   CompareLTInstruction() {
     opcode instanceof Opcode::CompareLT
   }
+
+  override Instruction getLesserOperand() {
+    result = getLeftOperand()
+  }
+
+  override Instruction getGreaterOperand() {
+    result = getRightOperand()
+  }
+
+  override predicate isStrict() {
+    any()
+  }
 }
 
-class CompareGTInstruction extends CompareInstruction {
+class CompareGTInstruction extends RelationalInstruction {
   CompareGTInstruction() {
     opcode instanceof Opcode::CompareGT
   }
+
+  override Instruction getLesserOperand() {
+    result = getRightOperand()
+  }
+
+  override Instruction getGreaterOperand() {
+    result = getLeftOperand()
+  }
+
+  override predicate isStrict() {
+    any()
+  }
 }
 
-class CompareLEInstruction extends CompareInstruction {
+class CompareLEInstruction extends RelationalInstruction {
   CompareLEInstruction() {
     opcode instanceof Opcode::CompareLE
   }
+
+  override Instruction getLesserOperand() {
+    result = getLeftOperand()
+  }
+
+  override Instruction getGreaterOperand() {
+    result = getRightOperand()
+  }
+
+  override predicate isStrict() {
+    none()
+  }
 }
 
-class CompareGEInstruction extends CompareInstruction {
+class CompareGEInstruction extends RelationalInstruction {
   CompareGEInstruction() {
     opcode instanceof Opcode::CompareGE
   }
+
+  override Instruction getLesserOperand() {
+    result = getRightOperand()
+  }
+
+  override Instruction getGreaterOperand() {
+    result = getLeftOperand()
+  }
+
+  override predicate isStrict() {
+    none()
+  }
 }
 
 class SwitchInstruction extends Instruction {

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -197,8 +197,12 @@ cached private module Cached {
     )
   }
 
-  cached Expr getInstructionResultExpression(Instruction instruction) {
-    result = getOldInstruction(instruction).getResultExpression()
+  cached Expr getInstructionConvertedResultExpression(Instruction instruction) {
+    result = getOldInstruction(instruction).getConvertedResultExpression()
+  }
+
+  cached Expr getInstructionUnconvertedResultExpression(Instruction instruction) {
+    result = getOldInstruction(instruction).getUnconvertedResultExpression()
   }
 
   cached Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) {

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll
@@ -89,4 +89,12 @@ class IRBlock extends TIRBlock {
     dominates(result.getAPredecessor()) and
     not strictlyDominates(result)
   }
+
+  /**
+   * Holds if this block is reachable from the entry point of its function
+   */
+  final predicate isReachableFromFunctionEntry() {
+    this = getFunctionIR().getEntryBlock() or
+    getAPredecessor().isReachableFromFunctionEntry()
+  }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -310,11 +310,19 @@ class Instruction extends Construction::TInstruction {
   }
 
   /**
-   * Gets the `Expr` whose results is computed by this instruction, if any.
+   * Gets the `Expr` whose result is computed by this instruction, if any.
    */
-  final Expr getResultExpression() {
-    result = Construction::getInstructionResultExpression(this) 
+  final Expr getConvertedResultExpression() {
+    result = Construction::getInstructionConvertedResultExpression(this) 
   }
+
+    /**
+   * Gets the unconverted `Expr` whose result is computed by this instruction, if any.
+   */
+  final Expr getUnconvertedResultExpression() {
+    result = Construction::getInstructionUnconvertedResultExpression(this) 
+  }
+
 
   /**
    * Gets the type of the result produced by this instruction. If the
@@ -967,28 +975,110 @@ class CompareNEInstruction extends CompareInstruction {
   }
 }
 
-class CompareLTInstruction extends CompareInstruction {
+/**
+ * Represents an instruction that does a relative comparison of two values, such as `<` or `>=`.
+ */
+class RelationalInstruction extends CompareInstruction {
+  RelationalInstruction() {
+    opcode instanceof RelationalOpcode
+  }
+  /**
+   * Gets the operand on the "greater" (or "greater-or-equal") side
+   * of this relational instruction, that is, the side that is larger
+   * if the overall instruction evaluates to `true`; for example on
+   * `x <= 20` this is the `20`, and on `y > 0` it is `y`.
+   */
+  Instruction getGreaterOperand() {
+    none()
+  }
+
+  /**
+   * Gets the operand on the "lesser" (or "lesser-or-equal") side
+   * of this relational instruction, that is, the side that is smaller
+   * if the overall instruction evaluates to `true`; for example on
+   * `x <= 20` this is `x`, and on `y > 0` it is the `0`.
+   */
+  Instruction getLesserOperand() {
+    none()
+  }
+  /**
+   * Holds if this relational instruction is strict (is not an "or-equal" instruction).
+   */
+  predicate isStrict() {
+    none()
+  }
+}
+
+class CompareLTInstruction extends RelationalInstruction {
   CompareLTInstruction() {
     opcode instanceof Opcode::CompareLT
   }
+
+  override Instruction getLesserOperand() {
+    result = getLeftOperand()
+  }
+
+  override Instruction getGreaterOperand() {
+    result = getRightOperand()
+  }
+
+  override predicate isStrict() {
+    any()
+  }
 }
 
-class CompareGTInstruction extends CompareInstruction {
+class CompareGTInstruction extends RelationalInstruction {
   CompareGTInstruction() {
     opcode instanceof Opcode::CompareGT
   }
+
+  override Instruction getLesserOperand() {
+    result = getRightOperand()
+  }
+
+  override Instruction getGreaterOperand() {
+    result = getLeftOperand()
+  }
+
+  override predicate isStrict() {
+    any()
+  }
 }
 
-class CompareLEInstruction extends CompareInstruction {
+class CompareLEInstruction extends RelationalInstruction {
   CompareLEInstruction() {
     opcode instanceof Opcode::CompareLE
   }
+
+  override Instruction getLesserOperand() {
+    result = getLeftOperand()
+  }
+
+  override Instruction getGreaterOperand() {
+    result = getRightOperand()
+  }
+
+  override predicate isStrict() {
+    none()
+  }
 }
 
-class CompareGEInstruction extends CompareInstruction {
+class CompareGEInstruction extends RelationalInstruction {
   CompareGEInstruction() {
     opcode instanceof Opcode::CompareGE
   }
+
+  override Instruction getLesserOperand() {
+    result = getRightOperand()
+  }
+
+  override Instruction getGreaterOperand() {
+    result = getLeftOperand()
+  }
+
+  override predicate isStrict() {
+    none()
+  }
 }
 
 class SwitchInstruction extends Instruction {

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
@@ -74,13 +74,25 @@ cached private module Cached {
     none()
   }
 
-  cached Expr getInstructionResultExpression(Instruction instruction) {
+  cached Expr getInstructionConvertedResultExpression(Instruction instruction) {
     exists(TranslatedExpr translatedExpr |
       translatedExpr = getTranslatedExpr(result) and
       instruction = translatedExpr.getResult()
     )
   }
 
+  cached Expr getInstructionUnconvertedResultExpression(Instruction instruction) {
+    exists(Expr converted, TranslatedExpr translatedExpr |
+      result = converted.(Conversion).getExpr+()
+      or
+      result = converted
+      |
+      not result instanceof Conversion and
+      translatedExpr = getTranslatedExpr(converted) and
+      instruction = translatedExpr.getResult()
+    )
+  }
+
   cached Instruction getInstructionOperand(Instruction instruction, OperandTag tag) {
     result = getInstructionTranslatedElement(instruction).getInstructionOperand(
       instruction.getTag(), tag)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll
@@ -89,4 +89,12 @@ class IRBlock extends TIRBlock {
     dominates(result.getAPredecessor()) and
     not strictlyDominates(result)
   }
+
+  /**
+   * Holds if this block is reachable from the entry point of its function
+   */
+  final predicate isReachableFromFunctionEntry() {
+    this = getFunctionIR().getEntryBlock() or
+    getAPredecessor().isReachableFromFunctionEntry()
+  }
 }