C++: Simplify the definition of 'SemExpr' by instead making non-overflowing conversions copy value expressions.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/SimpleRangeAnalysis.qll

@@ -100,7 +100,7 @@ predicate exprMightOverflowNegatively(Expr expr) {
   lowerBound(expr) < exprMinVal(expr)
   or
   exists(SemanticExprConfig::Expr semExpr |
-    semExpr.getUnconverted().getAst() = expr and
+    semExpr.getAst() = expr and
     ConstantStage::potentiallyOverflowingExpr(false, semExpr) and
     not ConstantStage::initialBounded(semExpr, _, _, false, _, _, _)
   )
@@ -126,7 +126,7 @@ predicate exprMightOverflowPositively(Expr expr) {
   upperBound(expr) > exprMaxVal(expr)
   or
   exists(SemanticExprConfig::Expr semExpr |
-    semExpr.getUnconverted().getAst() = expr and
+    semExpr.getAst() = expr and
     ConstantStage::potentiallyOverflowingExpr(true, semExpr) and
     not ConstantStage::initialBounded(semExpr, _, _, true, _, _, _)
   )

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll

@@ -4,6 +4,7 @@
 
 private import Semantic
 private import SemanticExprSpecific::SemanticExprConfig as Specific
+private import SemanticType
 
 /**
  * An language-neutral expression.
@@ -241,8 +242,21 @@ class SemConvertExpr extends SemUnaryExpr {
   SemConvertExpr() { opcode instanceof Opcode::Convert }
 }
 
+private import semmle.code.cpp.ir.IR as IR
+
+/** A conversion instruction which is guaranteed to not overflow. */
+private class SafeConversion extends IR::ConvertInstruction {
+  SafeConversion() {
+    exists(SemType tFrom, SemType tTo |
+      tFrom = getSemanticType(super.getUnary().getResultIRType()) and
+      tTo = getSemanticType(super.getResultIRType()) and
+      conversionCannotOverflow(tFrom, tTo)
+    )
+  }
+}
+
 class SemCopyValueExpr extends SemUnaryExpr {
-  SemCopyValueExpr() { opcode instanceof Opcode::CopyValue }
+  SemCopyValueExpr() { opcode instanceof Opcode::CopyValue or this instanceof SafeConversion }
 }
 
 class SemNegateExpr extends SemUnaryExpr {

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll

@@ -12,87 +12,10 @@ private import semmle.code.cpp.ir.ValueNumbering
 module SemanticExprConfig {
   class Location = Cpp::Location;
 
-  /** A `ConvertInstruction` or a `CopyValueInstruction`. */
-  private class Conversion extends IR::UnaryInstruction {
-    Conversion() {
-      this instanceof IR::CopyValueInstruction
-      or
-      this instanceof IR::ConvertInstruction
-    }
-
-    /** Holds if this instruction converts a value of type `tFrom` to a value of type `tTo`. */
-    predicate converts(SemType tFrom, SemType tTo) {
-      tFrom = getSemanticType(this.getUnary().getResultIRType()) and
-      tTo = getSemanticType(this.getResultIRType())
-    }
-  }
-
-  /**
-   * Gets a conversion-like instruction that consumes `op`, and
-   * which is guaranteed to not overflow.
-   */
-  private IR::Instruction safeConversion(IR::Operand op) {
-    exists(Conversion conv, SemType tFrom, SemType tTo |
-      conv.converts(tFrom, tTo) and
-      conversionCannotOverflow(tFrom, tTo) and
-      conv.getUnaryOperand() = op and
-      result = conv
-    )
-  }
-
-  /** Holds if `i1 = i2` or if `i2` is a safe conversion that consumes `i1`. */
-  private predicate idOrSafeConversion(IR::Instruction i1, IR::Instruction i2) {
-    not i1.getResultIRType() instanceof IR::IRVoidType and
-    (
-      i1 = i2
-      or
-      i2 = safeConversion(i1.getAUse()) and
-      i1.getBlock() = i2.getBlock()
-    )
-  }
-
-  module Equiv = QlBuiltins::EquivalenceRelation<IR::Instruction, idOrSafeConversion/2>;
-
   /**
    * The expressions on which we perform range analysis.
    */
-  class Expr extends Equiv::EquivalenceClass {
-    /** Gets the n'th instruction in this equivalence class. */
-    private IR::Instruction getInstruction(int n) {
-      result =
-        rank[n + 1](IR::Instruction instr, int i, IR::IRBlock block |
-          this = Equiv::getEquivalenceClass(instr) and block.getInstruction(i) = instr
-        |
-          instr order by i
-        )
-    }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = this.getUnconverted().toString() }
-
-    /** Gets the basic block of this expression. */
-    IR::IRBlock getBlock() { result = this.getUnconverted().getBlock() }
-
-    /** Gets the unconverted instruction associated with this expression. */
-    IR::Instruction getUnconverted() { result = this.getInstruction(0) }
-
-    /**
-     * Gets the final instruction associated with this expression. This
-     * represents the result after applying all the safe conversions.
-     */
-    IR::Instruction getConverted() {
-      exists(int n |
-        result = this.getInstruction(n) and
-        not exists(this.getInstruction(n + 1))
-      )
-    }
-
-    /** Gets the type of the result produced by this instruction. */
-    IR::IRType getResultIRType() { result = this.getConverted().getResultIRType() }
-
-    /** Gets the location of the source code for this expression. */
-    Location getLocation() { result = this.getUnconverted().getLocation() }
-  }
+  class Expr = IR::Instruction;
 
   SemBasicBlock getExprBasicBlock(Expr e) { result = getSemanticBasicBlock(e.getBlock()) }
 
@@ -139,12 +62,12 @@ module SemanticExprConfig {
 
   predicate stringLiteral(Expr expr, SemType type, string value) {
     anyConstantExpr(expr, type, value) and
-    expr.getUnconverted() instanceof IR::StringConstantInstruction
+    expr instanceof IR::StringConstantInstruction
   }
 
   predicate binaryExpr(Expr expr, Opcode opcode, SemType type, Expr leftOperand, Expr rightOperand) {
     exists(IR::BinaryInstruction instr |
-      instr = expr.getUnconverted() and
+      instr = expr and
       type = getSemanticType(instr.getResultIRType()) and
       leftOperand = getSemanticExpr(instr.getLeft()) and
       rightOperand = getSemanticExpr(instr.getRight()) and
@@ -154,14 +77,14 @@ module SemanticExprConfig {
   }
 
   predicate unaryExpr(Expr expr, Opcode opcode, SemType type, Expr operand) {
-    exists(IR::UnaryInstruction instr | instr = expr.getUnconverted() |
+    exists(IR::UnaryInstruction instr | instr = expr |
       type = getSemanticType(instr.getResultIRType()) and
       operand = getSemanticExpr(instr.getUnary()) and
       // REVIEW: Merge the two operand types.
       opcode.toString() = instr.getOpcode().toString()
     )
     or
-    exists(IR::StoreInstruction instr | instr = expr.getUnconverted() |
+    exists(IR::StoreInstruction instr | instr = expr |
       type = getSemanticType(instr.getResultIRType()) and
       operand = getSemanticExpr(instr.getSourceValue()) and
       opcode instanceof Opcode::Store
@@ -170,13 +93,13 @@ module SemanticExprConfig {
 
   predicate nullaryExpr(Expr expr, Opcode opcode, SemType type) {
     exists(IR::LoadInstruction load |
-      load = expr.getUnconverted() and
+      load = expr and
       type = getSemanticType(load.getResultIRType()) and
       opcode instanceof Opcode::Load
     )
     or
     exists(IR::InitializeParameterInstruction init |
-      init = expr.getUnconverted() and
+      init = expr and
       type = getSemanticType(init.getResultIRType()) and
       opcode instanceof Opcode::InitializeParameter
     )
@@ -290,9 +213,9 @@ module SemanticExprConfig {
   }
 
   Expr getAUse(SsaVariable v) {
-    result.getUnconverted().(IR::LoadInstruction).getSourceValue() = v.asInstruction()
+    result.(IR::LoadInstruction).getSourceValue() = v.asInstruction()
     or
-    result.getUnconverted() = v.asPointerArithGuard().getAnInstruction()
+    result = v.asPointerArithGuard().getAnInstruction()
   }
 
   SemType getSsaVariableType(SsaVariable v) {
@@ -433,7 +356,7 @@ module SemanticExprConfig {
   }
 
   /** Gets the expression associated with `instr`. */
-  SemExpr getSemanticExpr(IR::Instruction instr) { result = Equiv::getEquivalenceClass(instr) }
+  SemExpr getSemanticExpr(IR::Instruction instr) { result = instr }
 }
 
 predicate getSemanticExpr = SemanticExprConfig::getSemanticExpr/1;