C++: Fix IRGuards ternary behaviour

Author: jketema

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -5,6 +5,8 @@
 
 import cpp
 import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
+private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
 
 /**
  * Holds if `block` consists of an `UnreachedInstruction`.
@@ -201,10 +203,25 @@ private class GuardConditionFromIR extends GuardCondition {
    * `&&` and `||`. See the detailed explanation on predicate `controls`.
    */
   private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
-    exists(IRBlock irb |
+    exists(IRBlock irb, Instruction instr |
       ir.controls(irb, testIsTrue) and
-      irb.getAnInstruction().getAst().(ControlFlowNode).getBasicBlock() = controlled and
-      not isUnreachedBlock(irb)
+      instr = irb.getAnInstruction() and
+      instr.getAst().(ControlFlowNode).getBasicBlock() = controlled and
+      not isUnreachedBlock(irb) and
+      not this.excludeAsControlledInstruction(instr)
+    )
+  }
+
+  private predicate excludeAsControlledInstruction(Instruction instr) {
+    // Exclude the temporaries generated by a ternary expression.
+    exists(TranslatedConditionalExpr tce |
+      instr = tce.getInstruction(ConditionValueFalseStoreTag())
+      or
+      instr = tce.getInstruction(ConditionValueTrueStoreTag())
+      or
+      instr = tce.getInstruction(ConditionValueTrueTempAddressTag())
+      or
+      instr = tce.getInstruction(ConditionValueFalseTempAddressTag())
     )
   }
 }

cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected

@@ -253,9 +253,7 @@ astGuardsControl
 | test.c:159:9:159:19 | ... == ... | true | 159 | 160 |
 | test.c:162:9:162:18 | ... < ... | true | 162 | 163 |
 | test.c:165:9:165:18 | ... < ... | true | 165 | 166 |
-| test.c:175:13:175:32 | ... == ... | false | 174 | 175 |
 | test.c:175:13:175:32 | ... == ... | false | 175 | 175 |
-| test.c:175:13:175:32 | ... == ... | true | 174 | 175 |
 | test.c:175:13:175:32 | ... == ... | true | 175 | 175 |
 | test.cpp:18:8:18:10 | call to get | true | 19 | 19 |
 | test.cpp:31:7:31:13 | ... == ... | false | 30 | 30 |
@@ -429,13 +427,9 @@ astGuardsEnsure
 | test.c:165:9:165:18 | ... < ... | test.c:165:9:165:9 | x | < | test.c:165:13:165:18 | ... - ... | 0 | 165 | 166 |
 | test.c:165:9:165:18 | ... < ... | test.c:165:13:165:13 | y | >= | test.c:165:9:165:9 | x | 43 | 165 | 166 |
 | test.c:165:9:165:18 | ... < ... | test.c:165:13:165:18 | ... - ... | >= | test.c:165:9:165:9 | x | 1 | 165 | 166 |
-| test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | != | test.c:175:32:175:32 | 0 | 0 | 174 | 175 |
 | test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | != | test.c:175:32:175:32 | 0 | 0 | 175 | 175 |
-| test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | == | test.c:175:32:175:32 | 0 | 0 | 174 | 175 |
 | test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | == | test.c:175:32:175:32 | 0 | 0 | 175 | 175 |
-| test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | != | test.c:175:13:175:15 | call to foo | 0 | 174 | 175 |
 | test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | != | test.c:175:13:175:15 | call to foo | 0 | 175 | 175 |
-| test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | == | test.c:175:13:175:15 | call to foo | 0 | 174 | 175 |
 | test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | == | test.c:175:13:175:15 | call to foo | 0 | 175 | 175 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 34 | 34 |