C++: Use the 'shortestDistances' HOP to count indirections instead of manual recursion. This avoids cyclic problems when we have invalid types.

MathiasVP · aibaars · commit cc8aac5435b7 · 2023-06-02T11:17:08.000+02:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -139,6 +139,20 @@ class AllocationInstruction extends CallInstruction {
   AllocationInstruction() { this.getStaticCallTarget() instanceof Cpp::AllocationFunction }
 }
 
+private predicate isIndirectionType(Type t) { t instanceof Indirection }
+
+private predicate hasUnspecifiedBaseType(Indirection t, Type base) {
+  base = t.getBaseType().getUnspecifiedType()
+}
+
+/**
+ * Holds if `t2` is the same type as `t1`, but after stripping away `result` number
+ * of indirections.
+ * Furthermore, specifies in `t2` been deeply stripped and typedefs has been resolved.
+ */
+private int getNumberOfIndirectionsImpl(Type t1, Type t2) =
+  shortestDistances(isIndirectionType/1, hasUnspecifiedBaseType/2)(t1, t2, result)
+
 /**
  * An abstract class for handling indirections.
  *
@@ -157,7 +171,10 @@ abstract class Indirection extends Type {
    * For example, the number of indirections of a variable `p` of type
    * `int**` is `3` (i.e., `p`, `*p` and `**p`).
    */
-  abstract int getNumberOfIndirections();
+  final int getNumberOfIndirections() {
+    result =
+      getNumberOfIndirectionsImpl(this.getType(), any(Type end | not end instanceof Indirection))
+  }
 
   /**
    * Holds if `deref` is an instruction that behaves as a `LoadInstruction`
@@ -195,19 +212,11 @@ private class PointerOrArrayOrReferenceTypeIndirection extends Indirection insta
   PointerOrArrayOrReferenceTypeIndirection() {
     baseType = PointerOrArrayOrReferenceType.super.getBaseType()
   }
-
-  override int getNumberOfIndirections() {
-    result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
-  }
 }
 
 private class PointerWrapperTypeIndirection extends Indirection instanceof PointerWrapper {
   PointerWrapperTypeIndirection() { baseType = PointerWrapper.super.getBaseType() }
 
-  override int getNumberOfIndirections() {
-    result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
-  }
-
   override predicate isAdditionalDereference(Instruction deref, Operand address) {
     exists(CallInstruction call |
       operandForFullyConvertedCall(getAUse(deref), call) and
@@ -228,10 +237,6 @@ private module IteratorIndirections {
       baseType = super.getValueType()
     }
 
-    override int getNumberOfIndirections() {
-      result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
-    }
-
     override predicate isAdditionalDereference(Instruction deref, Operand address) {
       exists(CallInstruction call |
         operandForFullyConvertedCall(getAUse(deref), call) and
