C++: Always convert the condition of a 'two' operand conditional expr…

…ession to a boolean before performing the negation.
github · Nov 18, 2024 · f32b4ab · f32b4ab
1 parent 06d9282
commit f32b4ab
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
@@ -41,6 +41,8 @@ newtype TInstructionTag =
   ValueConditionCompareTag() or
   ValueConditionConstantTag() or
   ValueConditionConditionalBranchTag() or
+  ValueConditionConditionalConstantTag() or
+  ValueConditionConditionalCompareTag() or
   ConditionValueTrueTempAddressTag() or
   ConditionValueTrueConstantTag() or
   ConditionValueTrueStoreTag() or

diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -2969,11 +2969,33 @@ class TranslatedBinaryConditionalExpr extends TranslatedConditionalExpr {
     tag = ValueConditionConditionalBranchTag() and
     opcode instanceof Opcode::ConditionalBranch and
     resultType = getVoidType()
+    or
+    not hasBooleanConversion(expr.getCondition()) and
+    (
+      tag = ValueConditionConditionalConstantTag() and
+      opcode instanceof Opcode::Constant and
+      resultType = getIntType()
+      or
+      tag = ValueConditionConditionalCompareTag() and
+      opcode instanceof Opcode::CompareNE and
+      resultType = getBoolType()
+    )
   }
 
   override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
     result = super.getInstructionSuccessorInternal(tag, kind)
     or
+    not hasBooleanConversion(expr.getCondition()) and
+    (
+      tag = ValueConditionConditionalConstantTag() and
+      kind instanceof GotoEdge and
+      result = this.getInstruction(ValueConditionConditionalCompareTag())
+      or
+      tag = ValueConditionConditionalCompareTag() and
+      kind instanceof GotoEdge and
+      result = this.getInstruction(ValueConditionConditionalBranchTag())
+    )
+    or
     tag = ValueConditionConditionalBranchTag() and
     (
       kind instanceof TrueEdge and
@@ -2989,15 +3011,29 @@ class TranslatedBinaryConditionalExpr extends TranslatedConditionalExpr {
     or
     tag = ValueConditionConditionalBranchTag() and
     operandTag instanceof ConditionOperandTag and
-    result = this.getCondition().getResult()
+    if hasBooleanConversion(expr.getCondition())
+    then result = this.getCondition().getResult()
+    else result = this.getInstruction(ValueConditionConditionalCompareTag())
+    or
+    not hasBooleanConversion(expr.getCondition()) and
+    tag = ValueConditionConditionalCompareTag() and
+    (
+      operandTag instanceof LeftOperandTag and
+      result = this.getCondition().getResult()
+      or
+      operandTag instanceof RightOperandTag and
+      result = this.getInstruction(ValueConditionConditionalConstantTag())
+    )
   }
 
   override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
     result = super.getChildSuccessorInternal(child, kind)
     or
     kind instanceof GotoEdge and
     child = this.getCondition() and
-    result = this.getInstruction(ValueConditionConditionalBranchTag())
+    if hasBooleanConversion(expr.getCondition())
+    then result = this.getInstruction(ValueConditionConditionalBranchTag())
+    else result = this.getInstruction(ValueConditionConditionalConstantTag())
   }
 
   private TranslatedExpr getCondition() {
@@ -3014,6 +3050,11 @@ class TranslatedBinaryConditionalExpr extends TranslatedConditionalExpr {
     // always converting the "then" operand to `bool`, which is almost always the wrong type.
     result = getTranslatedExpr(expr.getThen().getExplicitlyConverted())
   }
+
+  override string getInstructionConstantValue(InstructionTag tag) {
+    tag = ValueConditionConditionalConstantTag() and
+    result = "0"
+  }
 }
 
 /**