C++: Fix more FPs on cpp/invalid-pointer-deref

[MathiasVP]

It turns out that the back-edge detection predicate we have on PhiNodes wasn't correct for the purpose it was introduced for. It was meant to block back-edge flow (see #10593), but it turns out that it's blocking too much flow, which we're seeing when add the barrier to fix the testcases introduced in #12960.

Commit-by-commit review recommended: The first commit fixes the FPs by adding said barrier, and the second commit fixes the FNs by fixing what we consider to be a back-edge.

[jketema]

I don't understand why this is correct. What cases are ruled out by switching to a strict dominator, and are we not accidentally excluding cases we do want to report?

[MathiasVP]

I don't understand why this is correct. What cases are ruled out by switching to a strict dominator, and are we not accidentally excluding cases we do want to report?

For some reason some phi nodes have phi edges that goto themselves. I checked whether this is a C/C++ specific issue by adding a consistency check here (which I didn't finish yet because I couldn't compile some of the other extractors 😭), and it looks like all languages have phi nodes that depend directly on themselves. Such phi instructions would be ruled out by using non-strict domination.

I haven't seen any real-world example that's negatively impacted by the change.

[jketema]

For some reason some phi nodes have phi edges that goto themselves

So this seems like a more fundamental problem (bug?).

[MathiasVP]

So this seems like a more fundamental problem (bug?).

Mayybbbeeee. Or it shows that I'm not fully understanding phi edges 😂. There's a phi node phi for i that satisfies localFlowStep(phi, phi) in this example:

void test(int i)
{
  while (i)
  {
    --i;
  }
}

and that seems weird to me since I'd imagine the input of the phi to be from:

• The parameter i
• The result of --i,

but it looks like the input is from:

• The phi itself
• The result of --i.

So it's not like there's a redundant phi edge.

[jketema]

That's weird. It's also not the story the aliased SSA is telling me:

#  434| void test(int)
#  434|   Block 0
#  434|     v434_1(void)       = EnterFunction          : 
#  434|     m434_2(unknown)    = AliasedDefinition      : 
#  434|     m434_3(unknown)    = InitializeNonLocal     : 
#  434|     m434_4(unknown)    = Chi                    : total:m434_2, partial:m434_3
#  434|     r434_5(glval<int>) = VariableAddress[i]     : 
#  434|     m434_6(int)        = InitializeParameter[i] : &:r434_5
#-----|   Goto -> Block 1

#  436|   Block 1
#  436|     m436_1(int)        = Phi                : from 0:m434_6, from 2:m438_5
#  436|     r436_2(glval<int>) = VariableAddress[i] : 
#  436|     r436_3(int)        = Load[i]            : &:r436_2, m436_1
#  436|     r436_4(int)        = Constant[0]        : 
#  436|     r436_5(bool)       = CompareNE          : r436_3, r436_4
#  436|     v436_6(void)       = ConditionalBranch  : r436_5
#-----|   False -> Block 3
#-----|   True -> Block 2

#  438|   Block 2
#  438|     r438_1(glval<int>) = VariableAddress[i] : 
#  438|     r438_2(int)        = Load[i]            : &:r438_1, m436_1
#  438|     r438_3(int)        = Constant[1]        : 
#  438|     r438_4(int)        = Sub                : r438_2, r438_3
#  438|     m438_5(int)        = Store[i]           : &:r438_1, r438_4
#-----|   Goto (back edge) -> Block 1

#  440|   Block 3
#  440|     v440_1(void) = NoOp         : 
#  434|     v434_7(void) = ReturnVoid   : 
#  434|     v434_8(void) = AliasedUse   : m434_3
#  434|     v434_9(void) = ExitFunction : 

[MathiasVP]

That's the IR-based SSA analysis (which is not what we use for dataflow). Dataflow uses the shared SSA library, which has a few differences from the shared SSA library. Notably, the shared library introduces phi edges for SSA reads (in addition to SSA writes).

And yeah, my expectation of what SSA is matches the output of the IR-based SSA. But not the shared SSA library's output 😄.

[jketema]

Because, of course we have multiple ways to do SSA :tableflip:.

[MathiasVP]

Yeah, the IR-based SSA is really good for must-analyses like the one we need in range analysis and value numbering, but not at all what we want for dataflow 😭. For a while we wanted to improve the IR-based analysis to the point where it was usable for dataflow ... but that never happened, and I pulled in the shared SSA library to do the heavy lifting instead.

[jketema]

Mayybbbeeee. Or it shows that I'm not fully understanding phi edges 😂.

Is there any easy way for me to see what the phi edges are for a particular example?

[MathiasVP]

Is there any easy way for me to see what the phi edges are for a particular example?

The easiest way of doing this is probably just to query for SsaPhiNodes and use the getAnInput predicate like:

import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
from SsaPhiNode n, boolean fromBackEdge
select n, n.getAnInput(fromBackEdge), fromBackEdge

If we want to get a more visual representation, we could resurrect the old PrintIRLocalFlow.qll file which can augment the printed IR with dataflow information.

[jketema]

So will this change still be needed after #13059?

[MathiasVP]

So will this change still be needed after #13059?

Yeah, it looks like it.

[jketema]

😕 Do we understand why?

[MathiasVP]

Not yet. I've delayed any investigations until #13059 was merged hoping that it would remove the necessity for this change. I can look into why this change is necessary even after #13059 is merged, but I can also let you do it if you would like to drive the investigation.

[jketema]

Let's wait until the other PR is merged

[jketema]

This indeed still seems needed. Looking at the back-edges of:

    for (char* p = begin; p <= end; ++p) {
        *p = 0; // BAD
    }

There's a back-edge from end to p in p <= end, and those of course live in the same block. It's a bit "funny" though that that's a back-edge. Is this something that comes from the SSA library?

There's more I don't quite understand though. If I repeat the loop, there's also an edge from the p phi node of the first loop to the p phi node of the second loop, although these are two different variables.

[MathiasVP]

There's a back-edge from end to p in p <= end, and those of course live in the same block. It's a bit "funny" though that that's a back-edge. Is this something that comes from the SSA library?

Keep in mind that the location for phi nodes isn't super helpful: they get their location from the enclosing basic block. So just because the location overlaps with a specific variable access doesn't mean it's a phi for that variable. On the snippet above I get 3 back-edges:

• From (the address of) p in ++p to (the address of) p in p <= end
• From (the value of) ++p to (the value of) p in p <= end
• From (the indirection of) ++p to (the indirection of) p in p <= end

[jketema]

I'm also seeing edges from end in p <= end to p. Are you seeing those too?

[MathiasVP]

Oops. I was running with strict domination instead of domination for my above example. Yeah, I'm seeing some additional back-edges other than the ones I mentioned above. Let's discuss it in a sync later today 🤔

[MathiasVP]

@jketema I've pushed the changes from our sync discussion. For everyone else:

It turned out that changing the definition of back-edge from using dominators to strict dominators was not the right way to fix these FPs. Instead, we noticed that the nodes being marked as barriers by the isBarrier definition added in this PR were nodes that represented the back-edge of a phi-read node. In a loop like this:

end = ...
for(p = start; p < end; ++p) {
  *p = 0;
}

there's a phi-read node for end in the basic-block for p < end, and there's a back-edge from the phi-read node for end whose source is end (i.e., end -> phi for end is a back edge).

Previously, this PR excluded this end node from the set of barriers by saying that the back-edge node should not be in the same block as the phi (which it was in the case of the p < end block). Instead, we're now only including back-edges from phi nodes that aren't phi-read nodes.

Now you may ask (as @jketema rightly did): Why do we even need to add a barrier in the configuration that just searches for a dereference of a pointer that's found to be out-of-bounds, and the reason is super subtle. Consider this snippet:

void test19(unsigned len)
{
  int *xs = new int[len];
  int *end = xs + len;
  for (int *x = xs; x <= end; x++)
  {
    int i = *x;
  }
}

The idea is that:

1. Dataflow will flow from len (in new int[len]) to len in xs + len (which is equal to end)
2. Range-analysis will then find that x is non-strictly upper bounds end
3. Dataflow will find flow from x to a dereference to conclude that we're loading an out-of-bounds pointer.

That is all fine, but now consider this example:

void test19(unsigned len)
{
  int *xs = new int[len];
  int *end = xs + len;
  for (int *x = xs; x < end; x++)
  {
    int i = *x;
  }
}

which is totally fine (because we're now using a strict relational operator instead). But (up until this PR) we were generating a FP here because:

1. Dataflow will flow from len (in new int[len]) to len in xs + len (which is equal to end) - just as before.
2. Range-analysis will then find that x (after x++) is non-strictly upper bounds end. This happens at the very last increment of the loop.
3. Dataflow then finds flow from x to the dereference - as before.

The problem is that, while x is equal to end after the very last increment of x++, control-flow will not enter the body of the loop to dereference the pointer. But dataflow doesn't care about that. So we get a FP.

[MathiasVP]

I think DCA looks good. Performance looks unchanged, but we need to double check that the lost results match the FPs we intended to remove 🤞.

[jketema]

Let me check those results (unless you're already doing it).

[MathiasVP]

I haven't done so yet, no. Feel free to do that 🙂.

[jketema]

I'll have a look tomorrow morning. Seems more sensible that I do it, as I need to dive into the FPs of this query anyway.

[jketema]

As far as I can tell the DCA alerts that have disappeared are all of the form we expect. The only one I have trouble with is wireshark__wireshark: epan/dissectors/file-elf.c:1099:13:1099:35. However, as far as I can tell that is a FP, so I'm not too concerned.

[jketema]

LGTM

[jketema]

I wonder if we can introduce this restriction in other places?

[MathiasVP]

Yeah, I wouldn't be surprised if we could construct some FN that would be removed if we did the same trick to the isBarrier2 in the product flow configuration.

[MathiasVP]

As far as I can tell the DCA alerts that have disappeared are all of the form we expect. The only one I have trouble with is wireshark__wireshark: epan/dissectors/file-elf.c:1099:13:1099:35. However, as far as I can tell that is a FP, so I'm not too concerned.

Yeah, I guess there's some complex invariant about when is_cie is true (in which case augmentation_string will be assigned to some non-empty string)