C++: Handle relational operators in constant analysis

Author: dave-bartolomeo

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll

@@ -13,7 +13,13 @@ IntValue getConstantValue(Instruction instr) {
       binInstr instanceof AddInstruction and result = add(left, right) or
       binInstr instanceof SubInstruction and result = sub(left, right) or
       binInstr instanceof MulInstruction and result = mul(left, right) or
-      binInstr instanceof DivInstruction and result = div(left, right)
+      binInstr instanceof DivInstruction and result = div(left, right) or
+      binInstr instanceof CompareEQInstruction and result = compareEQ(left, right) or
+      binInstr instanceof CompareNEInstruction and result = compareNE(left, right) or
+      binInstr instanceof CompareLTInstruction and result = compareLT(left, right) or
+      binInstr instanceof CompareGTInstruction and result = compareGT(left, right) or
+      binInstr instanceof CompareLEInstruction and result = compareLE(left, right) or
+      binInstr instanceof CompareGEInstruction and result = compareGE(left, right)
     )
   ) or
   exists(UnaryInstruction unaryInstr, IntValue src |

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll

@@ -13,7 +13,13 @@ IntValue getConstantValue(Instruction instr) {
       binInstr instanceof AddInstruction and result = add(left, right) or
       binInstr instanceof SubInstruction and result = sub(left, right) or
       binInstr instanceof MulInstruction and result = mul(left, right) or
-      binInstr instanceof DivInstruction and result = div(left, right)
+      binInstr instanceof DivInstruction and result = div(left, right) or
+      binInstr instanceof CompareEQInstruction and result = compareEQ(left, right) or
+      binInstr instanceof CompareNEInstruction and result = compareNE(left, right) or
+      binInstr instanceof CompareLTInstruction and result = compareLT(left, right) or
+      binInstr instanceof CompareGTInstruction and result = compareGT(left, right) or
+      binInstr instanceof CompareLEInstruction and result = compareLE(left, right) or
+      binInstr instanceof CompareGEInstruction and result = compareGE(left, right)
     )
   ) or
   exists(UnaryInstruction unaryInstr, IntValue src |

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll

@@ -13,7 +13,13 @@ IntValue getConstantValue(Instruction instr) {
       binInstr instanceof AddInstruction and result = add(left, right) or
       binInstr instanceof SubInstruction and result = sub(left, right) or
       binInstr instanceof MulInstruction and result = mul(left, right) or
-      binInstr instanceof DivInstruction and result = div(left, right)
+      binInstr instanceof DivInstruction and result = div(left, right) or
+      binInstr instanceof CompareEQInstruction and result = compareEQ(left, right) or
+      binInstr instanceof CompareNEInstruction and result = compareNE(left, right) or
+      binInstr instanceof CompareLTInstruction and result = compareLT(left, right) or
+      binInstr instanceof CompareGTInstruction and result = compareGT(left, right) or
+      binInstr instanceof CompareLEInstruction and result = compareLE(left, right) or
+      binInstr instanceof CompareGEInstruction and result = compareGE(left, right)
     )
   ) or
   exists(UnaryInstruction unaryInstr, IntValue src |

cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll

@@ -102,6 +102,96 @@ IntValue div(IntValue a, IntValue b) {
     result = unknown()
 }
 
+/**
+ * Returns `a == b`. If either input is unknown, the result is unknown.
+ */
+bindingset[a, b]
+IntValue compareEQ(IntValue a, IntValue b) {
+  if hasValue(a) and hasValue(b) then (
+    if a = b then
+      result = 1
+    else
+      result = 0
+  )
+  else
+    result = unknown()
+}
+
+/**
+ * Returns `a != b`. If either input is unknown, the result is unknown.
+ */
+bindingset[a, b]
+IntValue compareNE(IntValue a, IntValue b) {
+  if hasValue(a) and hasValue(b) then (
+    if a != b then
+      result = 1
+    else
+      result = 0
+  )
+  else
+    result = unknown()
+}
+
+/**
+ * Returns `a < b`. If either input is unknown, the result is unknown.
+ */
+bindingset[a, b]
+IntValue compareLT(IntValue a, IntValue b) {
+  if hasValue(a) and hasValue(b) then (
+    if a < b then
+      result = 1
+    else
+      result = 0
+  )
+  else
+    result = unknown()
+}
+
+/**
+ * Returns `a > b`. If either input is unknown, the result is unknown.
+ */
+bindingset[a, b]
+IntValue compareGT(IntValue a, IntValue b) {
+  if hasValue(a) and hasValue(b) then (
+    if a > b then
+      result = 1
+    else
+      result = 0
+  )
+  else
+    result = unknown()
+}
+
+/**
+ * Returns `a <= b`. If either input is unknown, the result is unknown.
+ */
+bindingset[a, b]
+IntValue compareLE(IntValue a, IntValue b) {
+  if hasValue(a) and hasValue(b) then (
+    if a <= b then
+      result = 1
+    else
+      result = 0
+  )
+  else
+    result = unknown()
+}
+
+/**
+ * Returns `a >= b`. If either input is unknown, the result is unknown.
+ */
+bindingset[a, b]
+IntValue compareGE(IntValue a, IntValue b) {
+  if hasValue(a) and hasValue(b) then (
+    if a >= b then
+      result = 1
+    else
+      result = 0
+  )
+  else
+    result = unknown()
+}
+
 /**
  * Return `-a`. If `a` is unknown, the result is unknown.
  */

cpp/ql/test/library-tests/ir/constant_func/constant_func.cpp

@@ -39,16 +39,18 @@ int UnreachableViaGoto() {
 }
 
 int UnreachableIf(bool b) {
+  int x = 5;
+  int y = 10;
   if (b) {
-    if (false) {
+    if (x == y) {
       return 1;
     }
     else {
       return 0;
     }
   }
   else {
-    if (true) {
+    if (x < y) {
       return 0;
     }
     else {

cpp/ql/test/library-tests/ir/constants/constants.expected

@@ -21,15 +21,49 @@
 | -1 * -INT_MAX | 2147483647 |
 | -1 - -INT_MAX | 2147483646 |
 | -1 - INT_MAX | unknown |
+| -3 != 6 | 1 |
+| -3 != -3 | 0 |
+| -3 != unknown | unknown |
+| -3 < 6 | 1 |
+| -3 < -3 | 0 |
+| -3 < -7 | 0 |
+| -3 < unknown | unknown |
+| -3 <= 6 | 1 |
+| -3 <= -3 | 1 |
+| -3 <= -7 | 0 |
+| -3 <= unknown | unknown |
+| -3 == 6 | 0 |
+| -3 == -3 | 1 |
+| -3 == unknown | unknown |
+| -3 > 6 | 0 |
+| -3 > -3 | 0 |
+| -3 > -7 | 1 |
+| -3 > unknown | unknown |
+| -3 >= 6 | 0 |
+| -3 >= -3 | 1 |
+| -3 >= -7 | 1 |
+| -3 >= unknown | unknown |
 | -35 / 7 | -5 |
 | -35 / 8 | -4 |
 | -35 / -7 | 5 |
 | -35 / -8 | 4 |
 | INT_MAX * INT_MAX | unknown |
 | INT_MAX / 0 | unknown |
+| unknown != 6 | unknown |
+| unknown != unknown | unknown |
 | unknown + 5 | unknown |
 | unknown + unknown | unknown |
 | unknown - 5 | unknown |
 | unknown - unknown | unknown |
 | unknown / 3 | unknown |
 | unknown / unknown | unknown |
+| unknown < 6 | unknown |
+| unknown < unknown | unknown |
+| unknown <= 6 | unknown |
+| unknown <= unknown | unknown |
+| unknown == 6 | unknown |
+| unknown == unknown | unknown |
+| unknown > 6 | unknown |
+| unknown > unknown | unknown |
+| unknown >= 6 | unknown |
+| unknown >= unknown | unknown |

cpp/ql/test/library-tests/ir/constants/constants.ql

@@ -45,5 +45,39 @@ where
   expr = "INT_MAX / 0" and res = Ints::div(Ints::maxValue(), 0) or
   expr = "0 / unknown" and res = Ints::div(0, Ints::unknown()) or
   expr = "unknown / 3" and res = Ints::div(Ints::unknown(), 3) or
-  expr = "unknown / unknown" and res = Ints::div(Ints::unknown(), Ints::unknown())
+  expr = "unknown / unknown" and res = Ints::div(Ints::unknown(), Ints::unknown()) or
+  expr = "-3 == -3" and res = Ints::compareEQ(-3, -3) or
+  expr = "-3 == 6" and res = Ints::compareEQ(-3, 6) or
+  expr = "-3 == unknown" and res = Ints::compareEQ(-3, Ints::unknown()) or
+  expr = "unknown == 6" and res = Ints::compareEQ(Ints::unknown(), 6) or
+  expr = "unknown == unknown" and res = Ints::compareEQ(Ints::unknown(), Ints::unknown()) or
+  expr = "-3 != -3" and res = Ints::compareNE(-3, -3) or
+  expr = "-3 != 6" and res = Ints::compareNE(-3, 6) or
+  expr = "-3 != unknown" and res = Ints::compareNE(-3, Ints::unknown()) or
+  expr = "unknown != 6" and res = Ints::compareNE(Ints::unknown(), 6) or
+  expr = "unknown != unknown" and res = Ints::compareNE(Ints::unknown(), Ints::unknown()) or
+  expr = "-3 < -3" and res = Ints::compareLT(-3, -3) or
+  expr = "-3 < 6" and res = Ints::compareLT(-3, 6) or
+  expr = "-3 < -7" and res = Ints::compareLT(-3, -7) or
+  expr = "-3 < unknown" and res = Ints::compareLT(-3, Ints::unknown()) or
+  expr = "unknown < 6" and res = Ints::compareLT(Ints::unknown(), 6) or
+  expr = "unknown < unknown" and res = Ints::compareLT(Ints::unknown(), Ints::unknown()) or
+  expr = "-3 > -3" and res = Ints::compareGT(-3, -3) or
+  expr = "-3 > 6" and res = Ints::compareGT(-3, 6) or
+  expr = "-3 > -7" and res = Ints::compareGT(-3, -7) or
+  expr = "-3 > unknown" and res = Ints::compareGT(-3, Ints::unknown()) or
+  expr = "unknown > 6" and res = Ints::compareGT(Ints::unknown(), 6) or
+  expr = "unknown > unknown" and res = Ints::compareGT(Ints::unknown(), Ints::unknown()) or
+  expr = "-3 <= -3" and res = Ints::compareLE(-3, -3) or
+  expr = "-3 <= 6" and res = Ints::compareLE(-3, 6) or
+  expr = "-3 <= -7" and res = Ints::compareLE(-3, -7) or
+  expr = "-3 <= unknown" and res = Ints::compareLE(-3, Ints::unknown()) or
+  expr = "unknown <= 6" and res = Ints::compareLE(Ints::unknown(), 6) or
+  expr = "unknown <= unknown" and res = Ints::compareLE(Ints::unknown(), Ints::unknown()) or
+  expr = "-3 >= -3" and res = Ints::compareGE(-3, -3) or
+  expr = "-3 >= 6" and res = Ints::compareGE(-3, 6) or
+  expr = "-3 >= -7" and res = Ints::compareGE(-3, -7) or
+  expr = "-3 >= unknown" and res = Ints::compareGE(-3, Ints::unknown()) or
+  expr = "unknown >= 6" and res = Ints::compareGE(Ints::unknown(), 6) or
+  expr = "unknown >= unknown" and res = Ints::compareGE(Ints::unknown(), Ints::unknown())
 select expr, resultString(res)

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -6688,43 +6688,69 @@ ir.cpp:
 # 1028|     0: b
 # 1028|         Type = bool
 # 1028|   body: { ... }
-# 1029|     0: if (...) ... 
-# 1029|       0: b
-# 1029|           Type = bool
-# 1029|           ValueCategory = prvalue(load)
-# 1029|       1: { ... }
-# 1030|         0: if (...) ... 
-# 1030|           0: 0
-# 1030|               Type = bool
-# 1030|               Value = 0
+# 1029|     0: declaration
+# 1029|       0: definition of x
+# 1029|           Type = int
+# 1029|         init: initializer for x
+# 1029|           expr: 5
+# 1029|               Type = int
+# 1029|               Value = 5
+# 1029|               ValueCategory = prvalue
+# 1030|     1: declaration
+# 1030|       0: definition of y
+# 1030|           Type = int
+# 1030|         init: initializer for y
+# 1030|           expr: 10
+# 1030|               Type = int
+# 1030|               Value = 10
 # 1030|               ValueCategory = prvalue
-# 1030|           1: { ... }
-# 1031|             0: return ...
-# 1031|               0: 1
-# 1031|                   Type = int
-# 1031|                   Value = 1
-# 1031|                   ValueCategory = prvalue
-# 1033|           2: { ... }
-# 1034|             0: return ...
-# 1034|               0: 0
-# 1034|                   Type = int
-# 1034|                   Value = 0
-# 1034|                   ValueCategory = prvalue
-# 1037|       2: { ... }
-# 1038|         0: if (...) ... 
-# 1038|           0: 1
-# 1038|               Type = bool
-# 1038|               Value = 1
-# 1038|               ValueCategory = prvalue
-# 1038|           1: { ... }
-# 1039|             0: return ...
-# 1039|               0: 0
-# 1039|                   Type = int
-# 1039|                   Value = 0
-# 1039|                   ValueCategory = prvalue
-# 1041|           2: { ... }
-# 1042|             0: return ...
-# 1042|               0: 1
-# 1042|                   Type = int
-# 1042|                   Value = 1
-# 1042|                   ValueCategory = prvalue
+# 1031|     2: if (...) ... 
+# 1031|       0: b
+# 1031|           Type = bool
+# 1031|           ValueCategory = prvalue(load)
+# 1031|       1: { ... }
+# 1032|         0: if (...) ... 
+# 1032|           0: ... == ...
+# 1032|               Type = bool
+# 1032|               ValueCategory = prvalue
+# 1032|             0: x
+# 1032|                 Type = int
+# 1032|                 ValueCategory = prvalue(load)
+# 1032|             1: y
+# 1032|                 Type = int
+# 1032|                 ValueCategory = prvalue(load)
+# 1032|           1: { ... }
+# 1033|             0: return ...
+# 1033|               0: 1
+# 1033|                   Type = int
+# 1033|                   Value = 1
+# 1033|                   ValueCategory = prvalue
+# 1035|           2: { ... }
+# 1036|             0: return ...
+# 1036|               0: 0
+# 1036|                   Type = int
+# 1036|                   Value = 0
+# 1036|                   ValueCategory = prvalue
+# 1039|       2: { ... }
+# 1040|         0: if (...) ... 
+# 1040|           0: ... < ...
+# 1040|               Type = bool
+# 1040|               ValueCategory = prvalue
+# 1040|             0: x
+# 1040|                 Type = int
+# 1040|                 ValueCategory = prvalue(load)
+# 1040|             1: y
+# 1040|                 Type = int
+# 1040|                 ValueCategory = prvalue(load)
+# 1040|           1: { ... }
+# 1041|             0: return ...
+# 1041|               0: 0
+# 1041|                   Type = int
+# 1041|                   Value = 0
+# 1041|                   ValueCategory = prvalue
+# 1043|           2: { ... }
+# 1044|             0: return ...
+# 1044|               0: 1
+# 1044|                   Type = int
+# 1044|                   Value = 1
+# 1044|                   ValueCategory = prvalue