C++ IR: Fix soundness of ConstantAnalysis

Now that `PhiInstruction.getAnInput` only has results for congruent operands, a previous optimization I made to `getConstantValue` is no longer sound. We have to check that all phi inputs give the same value, not just the congruent ones. After this change, if there are any non-congruent operands on a phi instruction, the whole aggregate will have no result.
2019-07-11 15:51:09 +02:00 · 2019-07-11 15:51:09 +02:00 · 2324ce77ae
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll
@ -10,16 +10,8 @@ int getConstantValue(Instruction instr) {
  result = getConstantValue(instr.(CopyInstruction).getSourceValue()) or
  exists(PhiInstruction phi |
    phi = instr and
-    result = max(Instruction def | def = phi.getAnInput() | getConstantValueToPhi(def)) and
-    result = min(Instruction def | def = phi.getAnInput() | getConstantValueToPhi(def))
-  )
-}
-
-pragma[noinline]
-int getConstantValueToPhi(Instruction def) {
-  exists(PhiInstruction phi |
-    result = getConstantValue(def) and
-    def = phi.getAnInput()
+    result = max(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef())) and
+    result = min(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll
@ -10,16 +10,8 @@ int getConstantValue(Instruction instr) {
  result = getConstantValue(instr.(CopyInstruction).getSourceValue()) or
  exists(PhiInstruction phi |
    phi = instr and
-    result = max(Instruction def | def = phi.getAnInput() | getConstantValueToPhi(def)) and
-    result = min(Instruction def | def = phi.getAnInput() | getConstantValueToPhi(def))
-  )
-}
-
-pragma[noinline]
-int getConstantValueToPhi(Instruction def) {
-  exists(PhiInstruction phi |
-    result = getConstantValue(def) and
-    def = phi.getAnInput()
+    result = max(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef())) and
+    result = min(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll
@ -10,16 +10,8 @@ int getConstantValue(Instruction instr) {
  result = getConstantValue(instr.(CopyInstruction).getSourceValue()) or
  exists(PhiInstruction phi |
    phi = instr and
-    result = max(Instruction def | def = phi.getAnInput() | getConstantValueToPhi(def)) and
-    result = min(Instruction def | def = phi.getAnInput() | getConstantValueToPhi(def))
-  )
-}
-
-pragma[noinline]
-int getConstantValueToPhi(Instruction def) {
-  exists(PhiInstruction phi |
-    result = getConstantValue(def) and
-    def = phi.getAnInput()
+    result = max(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef())) and
+    result = min(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
  )
 }