C++: Remove infeasible edges to reachable blocks

dave-bartolomeo · dave-bartolomeo · commit 56bb9dcde026 · 2018-12-14T12:13:22.000-08:00
The existing unreachable IR removal code only retargeted an infeasible edge to an `Unreached` instruction if the successor of the edge was an unreachable block. This is too conservative, because it doesn't remove an infeasible edge that targets a block that is still reachable via other paths. The trivial example of this is `do { } while (false);`, where the back edge is infeasible, but the body block is still reachable from the loop entry.

This change retargets all infeasible edges to `Unreached` instructions, regardless of the reachability of the successor block.
diff --git a/config/identical-files.json b/config/identical-files.json
@@ -94,5 +94,9 @@
   "C++ IR Dominance": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
+  ],
+  "C++ IR PrintDominance": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ]
 }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -26,13 +26,9 @@ cached private module Cached {
       hasChiNode(_, oldInstruction)
     } or
     UnreachedTag(OldInstruction oldInstruction, EdgeKind kind) {
-      // We need an `Unreached` instruction for the destination of any edge whose predecessor
-      // instruction is reachable, but whose successor block is not. This should occur only for
-      // infeasible edges.
-      exists(OldIR::Instruction succInstruction |
-        succInstruction = oldInstruction.getSuccessor(kind) and
-        not succInstruction instanceof OldInstruction
-      )
+      // We need an `Unreached` instruction for the destination of each infeasible edge whose
+      // predecessor is reachable.
+      Reachability::isInfeasibleInstructionSuccessor(oldInstruction, kind)
     }
 
   cached class InstructionTagType extends TInstructionTag {
@@ -213,7 +209,7 @@ cached private module Cached {
     exists(Alias::VirtualVariable vvar, OldBlock phiBlock,
         OldBlock defBlock, int defRank, int defIndex, OldBlock predBlock |
       hasPhiNode(vvar, phiBlock) and
-      predBlock = phiBlock.getAPredecessor() and
+      predBlock = phiBlock.getAFeasiblePredecessor() and
       instr.getTag() = PhiTag(vvar, phiBlock) and
       newPredecessorBlock = getNewBlock(predBlock) and
       hasDefinitionAtRank(vvar, defBlock, defRank, defIndex) and
@@ -266,13 +262,20 @@ cached private module Cached {
       result = getChiInstruction(getOldInstruction(instruction)) and
       kind instanceof GotoEdge
     else (
-      result = getNewInstruction(getOldInstruction(instruction).getSuccessor(kind))
-      or
+      exists(OldInstruction oldInstruction |
+        oldInstruction = getOldInstruction(instruction) and
+        (
+          result.getTag() = UnreachedTag(oldInstruction, kind) or
+          (
+            result = getNewInstruction(oldInstruction.getSuccessor(kind)) and
+            not exists(UnreachedTag(oldInstruction, kind))
+          )
+        )
+      ) or
       exists(OldInstruction oldInstruction |
         instruction = getChiInstruction(oldInstruction) and
         result = getNewInstruction(oldInstruction.getSuccessor(kind))
-      ) or
-      result.getTag() = UnreachedTag(getOldInstruction(instruction), kind)
+      )
     )
   }
 
@@ -380,7 +383,7 @@ cached private module Cached {
 
   pragma[noinline]
   private predicate variableLiveOnExitFromBlock(Alias::VirtualVariable vvar, OldBlock block) {
-    variableLiveOnEntryToBlock(vvar, block.getASuccessor())
+    variableLiveOnEntryToBlock(vvar, block.getAFeasibleSuccessor())
   }
 
   /**
@@ -474,7 +477,7 @@ cached private module Cached {
         useRank) or
       (
         definitionReachesEndOfBlock(vvar, defBlock, defRank,
-          useBlock.getAPredecessor()) and
+          useBlock.getAFeasiblePredecessor()) and
         not definitionReachesUseWithinBlock(vvar, useBlock, _, useBlock, useRank)
       )
     )
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll
@@ -0,0 +1,21 @@
+private import DominanceInternal
+private import ReachableBlockInternal
+private import Dominance
+import IR
+
+private class DominancePropertyProvider extends IRPropertyProvider {
+  override string getBlockProperty(IRBlock block, string key) {
+    exists(IRBlock dominator |
+      blockImmediatelyDominates(dominator, block) and
+      key = "ImmediateDominator" and
+      result = "Block " + dominator.getDisplayIndex().toString()
+    ) or
+    (
+      key = "DominanceFrontier" and
+      result = strictconcat(IRBlock frontierBlock |
+        frontierBlock = getDominanceFrontier(block) |
+        frontierBlock.getDisplayIndex().toString(), ", " order by frontierBlock.getDisplayIndex()
+      )
+    )
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll
@@ -3,18 +3,21 @@ private import semmle.code.cpp.ir.internal.IntegerConstant
 private import IR
 private import ConstantAnalysis
 
-predicate isInfeasibleEdge(IRBlock block, EdgeKind kind) {
-  exists(ConditionalBranchInstruction instr, int conditionValue |
-    instr = block.getLastInstruction() and
-    conditionValue = getValue(getConstantValue(instr.getCondition())) and
+predicate isInfeasibleInstructionSuccessor(Instruction instr, EdgeKind kind) {
+  exists(int conditionValue |
+    conditionValue = getValue(getConstantValue(instr.(ConditionalBranchInstruction).getCondition())) and
     if conditionValue = 0 then
       kind instanceof TrueEdge
     else
       kind instanceof FalseEdge
   )
 }
 
-IRBlock getAFeasiblePredecessor(IRBlock successor) {
+predicate isInfeasibleEdge(IRBlock block, EdgeKind kind) {
+  isInfeasibleInstructionSuccessor(block.getLastInstruction(), kind)
+}
+
+IRBlock getAFeasiblePredecessorBlock(IRBlock successor) {
   exists(EdgeKind kind |
     result.getSuccessor(kind) = successor and
     not isInfeasibleEdge(result, kind)
@@ -23,7 +26,7 @@ IRBlock getAFeasiblePredecessor(IRBlock successor) {
 
 predicate isBlockReachable(IRBlock block) {
   exists(FunctionIR f |
-    getAFeasiblePredecessor*(block) = f.getEntryBlock()
+    getAFeasiblePredecessorBlock*(block) = f.getEntryBlock()
   )
 }
 
@@ -35,6 +38,14 @@ class ReachableBlock extends IRBlock {
   ReachableBlock() {
     isBlockReachable(this)
   }
+
+  final ReachableBlock getAFeasiblePredecessor() {
+    result = getAFeasiblePredecessorBlock(this)
+  }
+
+  final ReachableBlock getAFeasibleSuccessor() {
+    this = getAFeasiblePredecessorBlock(result)
+  }
 }
 
 class ReachableInstruction extends Instruction {
@@ -51,6 +62,6 @@ module Graph {
   }
 
   predicate blockSuccessor(ReachableBlock pred, ReachableBlock succ) {
-    succ = pred.getASuccessor()
+    succ = pred.getAFeasibleSuccessor()
   }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -26,13 +26,9 @@ cached private module Cached {
       hasChiNode(_, oldInstruction)
     } or
     UnreachedTag(OldInstruction oldInstruction, EdgeKind kind) {
-      // We need an `Unreached` instruction for the destination of any edge whose predecessor
-      // instruction is reachable, but whose successor block is not. This should occur only for
-      // infeasible edges.
-      exists(OldIR::Instruction succInstruction |
-        succInstruction = oldInstruction.getSuccessor(kind) and
-        not succInstruction instanceof OldInstruction
-      )
+      // We need an `Unreached` instruction for the destination of each infeasible edge whose
+      // predecessor is reachable.
+      Reachability::isInfeasibleInstructionSuccessor(oldInstruction, kind)
     }
 
   cached class InstructionTagType extends TInstructionTag {
@@ -213,7 +209,7 @@ cached private module Cached {
     exists(Alias::VirtualVariable vvar, OldBlock phiBlock,
         OldBlock defBlock, int defRank, int defIndex, OldBlock predBlock |
       hasPhiNode(vvar, phiBlock) and
-      predBlock = phiBlock.getAPredecessor() and
+      predBlock = phiBlock.getAFeasiblePredecessor() and
       instr.getTag() = PhiTag(vvar, phiBlock) and
       newPredecessorBlock = getNewBlock(predBlock) and
       hasDefinitionAtRank(vvar, defBlock, defRank, defIndex) and
@@ -266,13 +262,20 @@ cached private module Cached {
       result = getChiInstruction(getOldInstruction(instruction)) and
       kind instanceof GotoEdge
     else (
-      result = getNewInstruction(getOldInstruction(instruction).getSuccessor(kind))
-      or
+      exists(OldInstruction oldInstruction |
+        oldInstruction = getOldInstruction(instruction) and
+        (
+          result.getTag() = UnreachedTag(oldInstruction, kind) or
+          (
+            result = getNewInstruction(oldInstruction.getSuccessor(kind)) and
+            not exists(UnreachedTag(oldInstruction, kind))
+          )
+        )
+      ) or
       exists(OldInstruction oldInstruction |
         instruction = getChiInstruction(oldInstruction) and
         result = getNewInstruction(oldInstruction.getSuccessor(kind))
-      ) or
-      result.getTag() = UnreachedTag(getOldInstruction(instruction), kind)
+      )
     )
   }
 
@@ -380,7 +383,7 @@ cached private module Cached {
 
   pragma[noinline]
   private predicate variableLiveOnExitFromBlock(Alias::VirtualVariable vvar, OldBlock block) {
-    variableLiveOnEntryToBlock(vvar, block.getASuccessor())
+    variableLiveOnEntryToBlock(vvar, block.getAFeasibleSuccessor())
   }
 
   /**
@@ -474,7 +477,7 @@ cached private module Cached {
         useRank) or
       (
         definitionReachesEndOfBlock(vvar, defBlock, defRank,
-          useBlock.getAPredecessor()) and
+          useBlock.getAFeasiblePredecessor()) and
         not definitionReachesUseWithinBlock(vvar, useBlock, _, useBlock, useRank)
       )
     )
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll
@@ -0,0 +1,21 @@
+private import DominanceInternal
+private import ReachableBlockInternal
+private import Dominance
+import IR
+
+private class DominancePropertyProvider extends IRPropertyProvider {
+  override string getBlockProperty(IRBlock block, string key) {
+    exists(IRBlock dominator |
+      blockImmediatelyDominates(dominator, block) and
+      key = "ImmediateDominator" and
+      result = "Block " + dominator.getDisplayIndex().toString()
+    ) or
+    (
+      key = "DominanceFrontier" and
+      result = strictconcat(IRBlock frontierBlock |
+        frontierBlock = getDominanceFrontier(block) |
+        frontierBlock.getDisplayIndex().toString(), ", " order by frontierBlock.getDisplayIndex()
+      )
+    )
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll
@@ -3,18 +3,21 @@ private import semmle.code.cpp.ir.internal.IntegerConstant
 private import IR
 private import ConstantAnalysis
 
-predicate isInfeasibleEdge(IRBlock block, EdgeKind kind) {
-  exists(ConditionalBranchInstruction instr, int conditionValue |
-    instr = block.getLastInstruction() and
-    conditionValue = getValue(getConstantValue(instr.getCondition())) and
+predicate isInfeasibleInstructionSuccessor(Instruction instr, EdgeKind kind) {
+  exists(int conditionValue |
+    conditionValue = getValue(getConstantValue(instr.(ConditionalBranchInstruction).getCondition())) and
     if conditionValue = 0 then
       kind instanceof TrueEdge
     else
       kind instanceof FalseEdge
   )
 }
 
-IRBlock getAFeasiblePredecessor(IRBlock successor) {
+predicate isInfeasibleEdge(IRBlock block, EdgeKind kind) {
+  isInfeasibleInstructionSuccessor(block.getLastInstruction(), kind)
+}
+
+IRBlock getAFeasiblePredecessorBlock(IRBlock successor) {
   exists(EdgeKind kind |
     result.getSuccessor(kind) = successor and
     not isInfeasibleEdge(result, kind)
@@ -23,7 +26,7 @@ IRBlock getAFeasiblePredecessor(IRBlock successor) {
 
 predicate isBlockReachable(IRBlock block) {
   exists(FunctionIR f |
-    getAFeasiblePredecessor*(block) = f.getEntryBlock()
+    getAFeasiblePredecessorBlock*(block) = f.getEntryBlock()
   )
 }
 
@@ -35,6 +38,14 @@ class ReachableBlock extends IRBlock {
   ReachableBlock() {
     isBlockReachable(this)
   }
+
+  final ReachableBlock getAFeasiblePredecessor() {
+    result = getAFeasiblePredecessorBlock(this)
+  }
+
+  final ReachableBlock getAFeasibleSuccessor() {
+    this = getAFeasiblePredecessorBlock(result)
+  }
 }
 
 class ReachableInstruction extends Instruction {
@@ -51,6 +62,6 @@ module Graph {
   }
 
   predicate blockSuccessor(ReachableBlock pred, ReachableBlock succ) {
-    succ = pred.getASuccessor()
+    succ = pred.getAFeasibleSuccessor()
   }
 }
diff --git a/cpp/ql/test/library-tests/ir/constant_func/constant_func.cpp b/cpp/ql/test/library-tests/ir/constant_func/constant_func.cpp
@@ -58,3 +58,13 @@ int UnreachableIf(bool b) {
     }
   }
 }
+
+int DoWhileFalse() {
+  int i = 0;
+  do {
+    i++;
+  } while (false);
+
+  return i;
+}
+
diff --git a/cpp/ql/test/library-tests/ir/constant_func/constant_func.expected b/cpp/ql/test/library-tests/ir/constant_func/constant_func.expected
@@ -3,3 +3,4 @@
 | constant_func.cpp:25:5:25:25 | IR: ReturnConstantPhiLoop | 7 |
 | constant_func.cpp:34:5:34:22 | IR: UnreachableViaGoto | 0 |
 | constant_func.cpp:41:5:41:17 | IR: UnreachableIf | 0 |
+| constant_func.cpp:62:5:62:16 | IR: DoWhileFalse | 1 |
diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -6754,3 +6754,31 @@ ir.cpp:
 # 1044|                   Type = int
 # 1044|                   Value = 1
 # 1044|                   ValueCategory = prvalue
+# 1049| DoWhileFalse() -> int
+# 1049|   params: 
+# 1049|   body: { ... }
+# 1050|     0: declaration
+# 1050|       0: definition of i
+# 1050|           Type = int
+# 1050|         init: initializer for i
+# 1050|           expr: 0
+# 1050|               Type = int
+# 1050|               Value = 0
+# 1050|               ValueCategory = prvalue
+# 1051|     1: do (...) ...
+# 1053|       0: 0
+# 1053|           Type = bool
+# 1053|           Value = 0
+# 1053|           ValueCategory = prvalue
+# 1051|       1: { ... }
+# 1052|         0: ExprStmt
+# 1052|           0: ... ++
+# 1052|               Type = int
+# 1052|               ValueCategory = prvalue
+# 1052|             0: i
+# 1052|                 Type = int
+# 1052|                 ValueCategory = lvalue
+# 1055|     2: return ...
+# 1055|       0: i
+# 1055|           Type = int
+# 1055|           ValueCategory = prvalue(load)
diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ir.expected
@@ -4621,3 +4621,34 @@ ir.cpp:
 
 # 1044|   Block 7
 # 1044|     v7_0(void) = Unreached : 
+
+# 1049| DoWhileFalse() -> int
+# 1049|   Block 0
+# 1049|     v0_0(void)       = EnterFunction       : 
+# 1049|     m0_1(unknown)    = AliasedDefinition   : 
+# 1049|     mu0_2(unknown)   = UnmodeledDefinition : 
+# 1050|     r0_3(glval<int>) = VariableAddress[i]  : 
+# 1050|     r0_4(int)        = Constant[0]         : 
+# 1050|     m0_5(int)        = Store               : r0_3, r0_4
+# 1052|     r0_6(glval<int>) = VariableAddress[i]  : 
+# 1052|     r0_7(int)        = Load                : r0_6, m0_5
+# 1052|     r0_8(int)        = Constant[1]         : 
+# 1052|     r0_9(int)        = Add                 : r0_7, r0_8
+# 1052|     m0_10(int)       = Store               : r0_6, r0_9
+# 1053|     r0_11(bool)      = Constant[0]         : 
+# 1053|     v0_12(void)      = ConditionalBranch   : r0_11
+#-----|   False -> Block 1
+#-----|   True -> Block 2
+
+# 1055|   Block 1
+# 1055|     r1_0(glval<int>) = VariableAddress[#return] : 
+# 1055|     r1_1(glval<int>) = VariableAddress[i]       : 
+# 1055|     r1_2(int)        = Load                     : r1_1, m0_10
+# 1055|     m1_3(int)        = Store                    : r1_0, r1_2
+# 1049|     r1_4(glval<int>) = VariableAddress[#return] : 
+# 1049|     v1_5(void)       = ReturnValue              : r1_4, m1_3
+# 1049|     v1_6(void)       = UnmodeledUse             : mu*
+# 1049|     v1_7(void)       = ExitFunction             : 
+
+# 1052|   Block 2
+# 1052|     v2_0(void) = Unreached : 
diff --git a/cpp/ql/test/library-tests/ir/ir/ir.cpp b/cpp/ql/test/library-tests/ir/ir/ir.cpp
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
diff --git a/cpp/ql/test/library-tests/ir/ir/ssa_block_count.expected b/cpp/ql/test/library-tests/ir/ir/ssa_block_count.expected
diff --git a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ir.expected

Original file line number	Diff line number	Diff line change
`@@ -94,5 +94,9 @@`
`94`	`94`	`"C++ IR Dominance": [`
`95`	`95`	`"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",`
`96`	`96`	`"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"`
	`97`	`+ ],`
	`98`	`+ "C++ IR PrintDominance": [`
	`99`	`+ "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",`
	`100`	`+ "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"`
`97`	`101`	`]`
`98`	`102`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,3 +58,13 @@ int UnreachableIf(bool b) {`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`	`}`
	`61`	`+`
	`62`	`+int DoWhileFalse() {`
	`63`	`+ int i = 0;`
	`64`	`+ do {`
	`65`	`+ i++;`
	`66`	`+ } while (false);`
	`67`	`+`
	`68`	`+ return i;`
	`69`	`+}`
	`70`	`+`