C++: Move the new range-analysis library out of experimental and into an 'internal' directory.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/SimpleRangeAnalysis.qll

@@ -0,0 +1,132 @@
+/**
+ * Wrapper for the semantic range analysis library that mimics the
+ * interface of the simple range analysis library.
+ */
+
+private import cpp
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticBound
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysis
+
+/**
+ * Gets the lower bound of the expression.
+ *
+ * Note: expressions in C/C++ are often implicitly or explicitly cast to a
+ * different result type. Such casts can cause the value of the expression
+ * to overflow or to be truncated. This predicate computes the lower bound
+ * of the expression without including the effect of the casts. To compute
+ * the lower bound of the expression after all the casts have been applied,
+ * call `lowerBound` like this:
+ *
+ *    `lowerBound(expr.getFullyConverted())`
+ */
+float lowerBound(Expr expr) {
+  exists(Instruction i, SemBound b | i.getAst() = expr and b instanceof SemZeroBound |
+    semBounded(getSemanticExpr(i), b, result, false, _)
+  )
+}
+
+/**
+ * Gets the upper bound of the expression.
+ *
+ * Note: expressions in C/C++ are often implicitly or explicitly cast to a
+ * different result type. Such casts can cause the value of the expression
+ * to overflow or to be truncated. This predicate computes the upper bound
+ * of the expression without including the effect of the casts. To compute
+ * the upper bound of the expression after all the casts have been applied,
+ * call `upperBound` like this:
+ *
+ *    `upperBound(expr.getFullyConverted())`
+ */
+float upperBound(Expr expr) {
+  exists(Instruction i, SemBound b | i.getAst() = expr and b instanceof SemZeroBound |
+    semBounded(getSemanticExpr(i), b, result, true, _)
+  )
+}
+
+/**
+ * Holds if the upper bound of `expr` may have been widened. This means the
+ * upper bound is in practice likely to be overly wide.
+ */
+predicate upperBoundMayBeWidened(Expr e) { none() }
+
+/**
+ * Holds if `expr` has a provably empty range. For example:
+ *
+ *   10 < expr and expr < 5
+ *
+ * The range of an expression can only be empty if it can never be
+ * executed. For example:
+ *
+ * ```cpp
+ * if (10 < x) {
+ *   if (x < 5) {
+ *     // Unreachable code
+ *     return x; // x has an empty range: 10 < x && x < 5
+ *   }
+ * }
+ * ```
+ */
+predicate exprWithEmptyRange(Expr expr) { lowerBound(expr) > upperBound(expr) }
+
+/** Holds if the definition might overflow negatively. */
+predicate defMightOverflowNegatively(RangeSsaDefinition def, StackVariable v) { none() }
+
+/** Holds if the definition might overflow positively. */
+predicate defMightOverflowPositively(RangeSsaDefinition def, StackVariable v) { none() }
+
+/**
+ * Holds if the definition might overflow (either positively or
+ * negatively).
+ */
+predicate defMightOverflow(RangeSsaDefinition def, StackVariable v) {
+  defMightOverflowNegatively(def, v) or
+  defMightOverflowPositively(def, v)
+}
+
+/**
+ * Holds if the expression might overflow negatively. This predicate
+ * does not consider the possibility that the expression might overflow
+ * due to a conversion.
+ */
+predicate exprMightOverflowNegatively(Expr expr) { none() }
+
+/**
+ * Holds if the expression might overflow negatively. Conversions
+ * are also taken into account. For example the expression
+ * `(int16)(x+y)` might overflow due to the `(int16)` cast, rather than
+ * due to the addition.
+ */
+predicate convertedExprMightOverflowNegatively(Expr expr) {
+  exprMightOverflowNegatively(expr) or
+  convertedExprMightOverflowNegatively(expr.getConversion())
+}
+
+/**
+ * Holds if the expression might overflow positively. This predicate
+ * does not consider the possibility that the expression might overflow
+ * due to a conversion.
+ */
+predicate exprMightOverflowPositively(Expr expr) { none() }
+
+/**
+ * Holds if the expression might overflow positively. Conversions
+ * are also taken into account. For example the expression
+ * `(int16)(x+y)` might overflow due to the `(int16)` cast, rather than
+ * due to the addition.
+ */
+predicate convertedExprMightOverflowPositively(Expr expr) {
+  exprMightOverflowPositively(expr) or
+  convertedExprMightOverflowPositively(expr.getConversion())
+}
+
+/**
+ * Holds if the expression might overflow (either positively or
+ * negatively). The possibility that the expression might overflow
+ * due to an implicit or explicit cast is also considered.
+ */
+predicate convertedExprMightOverflow(Expr expr) {
+  convertedExprMightOverflowNegatively(expr) or
+  convertedExprMightOverflowPositively(expr)
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/Semantic.qll

@@ -0,0 +1,7 @@
+import SemanticExpr
+import SemanticBound
+import SemanticSSA
+import SemanticGuard
+import SemanticCFG
+import SemanticType
+import SemanticOpcode

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticBound.qll

@@ -0,0 +1,45 @@
+/**
+ * Semantic wrapper around the language-specific bounds library.
+ */
+
+private import SemanticExpr
+private import SemanticExprSpecific::SemanticExprConfig as Specific
+private import SemanticSSA
+private import SemanticLocation
+
+/**
+ * A valid base for an expression bound.
+ *
+ * Can be either a variable (`SemSsaBound`) or zero (`SemZeroBound`).
+ */
+class SemBound instanceof Specific::Bound {
+  final string toString() { result = super.toString() }
+
+  final SemLocation getLocation() { result = super.getLocation() }
+
+  final SemExpr getExpr(int delta) { result = Specific::getBoundExpr(this, delta) }
+}
+
+/**
+ * A bound that is a constant zero.
+ */
+class SemZeroBound extends SemBound {
+  SemZeroBound() { Specific::zeroBound(this) }
+}
+
+/**
+ * A bound that is an SSA definition.
+ */
+class SemSsaBound extends SemBound {
+  /**
+   * The variables whose value is used as the bound.
+   *
+   * Can be multi-valued in some implementations. If so, all variables will be equivalent.
+   */
+  SemSsaVariable var;
+
+  SemSsaBound() { Specific::ssaBound(this, var) }
+
+  /** Gets a variable whose value is used as the bound. */
+  final SemSsaVariable getAVariable() { result = var }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticCFG.qll

@@ -0,0 +1,22 @@
+/**
+ * Semantic interface to the control flow graph.
+ */
+
+private import Semantic
+private import SemanticExprSpecific::SemanticExprConfig as Specific
+
+/**
+ * A basic block in the control-flow graph.
+ */
+class SemBasicBlock extends Specific::BasicBlock {
+  /** Holds if this block (transitively) dominates `otherblock`. */
+  final predicate bbDominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
+
+  /** Holds if this block has dominance information. */
+  final predicate hasDominanceInformation() { Specific::hasDominanceInformation(this) }
+
+  /** Gets an expression that is evaluated in this basic block. */
+  final SemExpr getAnExpr() { result.getBasicBlock() = this }
+
+  final int getUniqueId() { result = Specific::getBasicBlockUniqueId(this) }
+}