C++: fix range analysis back edge detection for irreducible CFGs

rdmarsh2 · rdmarsh2 · commit ba7cb8f4ae4b · 2023-06-21T17:54:52.000-04:00
diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll
@@ -70,6 +70,21 @@ predicate semBackEdge(SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionP
   // Conservatively assume that every edge is a back edge if we don't have dominance information.
   (
     phi.getBasicBlock().bbDominates(edge.getOrigBlock()) or
+    trimmedReachable(phi.getBasicBlock(), edge.getOrigBlock()) or
     not edge.getOrigBlock().hasDominanceInformation()
   )
 }
+
+private predicate trimmedReachable(SemBasicBlock b1, SemBasicBlock b2) {
+  b1 = b2
+  or
+  exists(SemBasicBlock mid |
+    trimmedReachable(b1, mid) and
+    trimmedEdges(mid, b2)
+  )
+}
+
+private predicate trimmedEdges(SemBasicBlock pred, SemBasicBlock succ) {
+  pred.getASuccessor() = succ and
+  not succ.bbDominates(pred)
+}
diff --git a/cpp/ql/test/library-tests/ir/range-analysis/test.cpp b/cpp/ql/test/library-tests/ir/range-analysis/test.cpp
@@ -70,3 +70,27 @@ int f4(int x) {
     }
   }
 }
+
+// No interesting ranges to check here - this irreducible CFG caused an infinite loop due to back edge detection
+void gotoLoop(bool b1, bool b2)
+{
+  int j;
+
+  if (b1)
+    return;
+
+  if (!b2)
+  {
+    for (j = 0; j < 10; ++j)
+    {
+     goto main_decode_loop;
+    }
+  }
+  else
+  {
+    for (j = 0; j < 10; ++j)
+    {
+      main_decode_loop:
+    }
+  }
+}
