Merge pull request #16139 from MathiasVP/enable-sound-ir

C++: Enable sound IR

Author: MathiasVP

cpp/ql/lib/change-notes/2024-04-05-sound-ir.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.

cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll

@@ -41,5 +41,5 @@ class IREscapeAnalysisConfiguration extends TIREscapeAnalysisConfiguration {
    * Holds if the escape analysis done by SSA construction should be sound. By default, the SSA is
    * built assuming that no variable's address ever escapes.
    */
-  predicate useSoundEscapeAnalysis() { none() }
+  predicate useSoundEscapeAnalysis() { any() }
 }

cpp/ql/test/experimental/library-tests/rangeanalysis/arraylengthanalysis/ArrayLengthAnalysisTest.expected

@@ -1,12 +1,12 @@
 | test.cpp:15:8:15:11 | Load: aptr | VNLength(InitializeParameter: count) | 0 | ZeroOffset | 0 |
-| test.cpp:19:8:19:8 | Load: a | VNLength(Chi: ptr) | 0 | ZeroOffset | 0 |
-| test.cpp:21:8:21:8 | Load: a | VNLength(Chi: ptr) | -1 | ZeroOffset | 0 |
-| test.cpp:23:8:23:8 | Load: a | VNLength(Chi: ptr) | 1 | ZeroOffset | 0 |
-| test.cpp:27:8:27:8 | Load: c | VNLength(Chi: ptr) | 0 | ZeroOffset | 0 |
-| test.cpp:28:8:28:24 | Convert: (unsigned char *)... | VNLength(Chi: ptr) | 0 | ZeroOffset | 0 |
-| test.cpp:30:8:30:8 | Load: v | VNLength(Chi: ptr) | 0 | ZeroOffset | 0 |
+| test.cpp:19:8:19:8 | Load: a | VNLength(Load: count) | 0 | ZeroOffset | 0 |
+| test.cpp:21:8:21:8 | Load: a | VNLength(Load: count) | -1 | ZeroOffset | 0 |
+| test.cpp:23:8:23:8 | Load: a | VNLength(Load: count) | 1 | ZeroOffset | 0 |
+| test.cpp:27:8:27:8 | Load: c | VNLength(Load: count) | 0 | ZeroOffset | 0 |
+| test.cpp:28:8:28:24 | Convert: (unsigned char *)... | VNLength(Load: count) | 0 | ZeroOffset | 0 |
+| test.cpp:30:8:30:8 | Load: v | VNLength(Load: count) | 0 | ZeroOffset | 0 |
 | test.cpp:34:8:34:12 | Convert: array to pointer conversion | ZeroLength | 100 | ZeroOffset | 0 |
-| test.cpp:37:10:37:10 | Load: b | VNLength(Chi: ptr) | 0 | ZeroOffset | 0 |
+| test.cpp:37:10:37:10 | Load: b | VNLength(Load: count) | 0 | ZeroOffset | 0 |
 | test.cpp:44:8:44:8 | Load: a | VNLength(InitializeParameter: count) | 0 | ZeroOffset | 2 |
 | test.cpp:53:10:53:10 | Load: a | VNLength(InitializeParameter: count) | 0 | ZeroOffset | 2 |
 | test.cpp:56:10:56:10 | Load: a | VNLength(InitializeParameter: count) | 0 | ZeroOffset | 3 |

cpp/ql/test/experimental/library-tests/rangeanalysis/signanalysis/SignAnalysis.expected

@@ -16,7 +16,8 @@
 | inline_assembly.c:10:3:10:7 | Store: ... = ... | positive strictlyPositive |
 | inline_assembly.c:10:7:10:7 | Constant: (unsigned int)... | positive strictlyPositive |
 | inline_assembly.c:12:32:12:32 | Load: y | positive strictlyPositive |
-| inline_assembly.c:21:32:21:32 | Load: y | positive strictlyPositive |
+| inline_assembly.c:21:29:21:29 | Load: x | positive |
+| inline_assembly.c:21:32:21:32 | Load: y | positive |
 | minmax.c:16:9:16:10 | Constant: 1 | positive strictlyPositive |
 | minmax.c:16:9:16:10 | Store: 1 | positive strictlyPositive |
 | minmax.c:16:16:16:17 | Constant: 2 | positive strictlyPositive |

cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp

@@ -354,7 +354,7 @@ void test_vector_output_iterator(int b) {
 	for(std::vector<int>::iterator it = v4.begin(); it != v4.end(); ++it) {
 		taint_vector_output_iterator(it);
 	}
-	sink(v4); // $ ast,ir
+	sink(v4); // $ ast MISSING: ir
 
 	std::vector<int>::iterator i5 = v5.begin();
 	*i5 = source();
@@ -389,15 +389,15 @@ void test_vector_output_iterator(int b) {
 	*i9 = source();
 	taint_vector_output_iterator(i9);
 
-	sink(v9); // $ ast=330:10 ir=330:10 ir SPURIOUS: ast=389:8 ir=389:8
+	sink(v9); // $ ast=330:10 MISSING: ir SPURIOUS: ast=389:8
 
 	std::vector<int>::iterator i10 = v10.begin();
 	vector_iterator_assign_wrapper(i10, 10);
 	sink(v10);
 
 	std::vector<int>::iterator i11 = v11.begin();
 	vector_iterator_assign_wrapper(i11, source());
-	sink(v11); // $ ast,ir
+	sink(v11); // $ ast MISSING: ir
 
 	std::vector<int>::iterator i12 = v12.begin();
 	*i12++ = 0;

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -9,25 +9,25 @@ struct S {
 };
 
 void unique_ptr_init(S s) {
-    unique_ptr<S> p(new S); //$ussa=dynamic{1}
-    int i = (*p).x; //$ussa=dynamic{1}[0..4)<int>
-    *p = s;  //$ussa=dynamic{1}[0..4)<S>
+    unique_ptr<S> p(new S); // MISSING: $ussa=dynamic{1}
+    int i = (*p).x; //$ MISSING: ussa=dynamic{1}[0..4)<int>
+    *p = s;  //$ MISSING: ussa=dynamic{1}[0..4)<S>
     unique_ptr<S> q = std::move(p);
-    *(q.get()) = s;  //$ussa=dynamic{1}[0..4)<S>
+    *(q.get()) = s;  //$ MISSING: ussa=dynamic{1}[0..4)<S>
     shared_ptr<S> t(std::move(q));
-    t->x = 5; //$ussa=dynamic{1}[0..4)<int>
-    *t = s; //$ussa=dynamic{1}[0..4)<S>
-    *(t.get()) = s; //$ussa=dynamic{1}[0..4)<S>
+    t->x = 5; //$ MISSING: ussa=dynamic{1}[0..4)<int>
+    *t = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
+    *(t.get()) = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
 }
 
 void shared_ptr_init(S s) {
-    shared_ptr<S> p(new S); //$ussa=dynamic{1}
-    int i = (*p).x; //$ussa=dynamic{1}[0..4)<int>
-    *p = s;  //$ussa=dynamic{1}[0..4)<S>
+    shared_ptr<S> p(new S); //$ MISSING: ussa=dynamic{1}
+    int i = (*p).x; //$ MISSING: ussa=dynamic{1}[0..4)<int>
+    *p = s;  //$ MISSING: ussa=dynamic{1}[0..4)<S>
     shared_ptr<S> q = std::move(p);
-    *(q.get()) = s;  //$ussa=dynamic{1}[0..4)<S>
+    *(q.get()) = s;  //$ MISSING: ussa=dynamic{1}[0..4)<S>
     shared_ptr<S> t(q);
-    t->x = 5; //$ussa=dynamic{1}[0..4)<int>
-    *t = s; //$ussa=dynamic{1}[0..4)<S>
-    *(t.get()) = s; //$ussa=dynamic{1}[0..4)<S>
+    t->x = 5; //$ MISSING: ussa=dynamic{1}[0..4)<int>
+    *t = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
+    *(t.get()) = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
 }