C++: Add a new consistency check for branching on non-boolean values.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll

@@ -546,4 +546,26 @@ module InstructionConsistency {
         "' has no associated variable, in function '$@'." and
     irFunc = getInstructionIRFunction(instr, irFuncText)
   }
+
+  query predicate nonBooleanOperand(
+    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
+  ) {
+    exists(Instruction unary |
+      unary = instr.(LogicalNotInstruction).getUnary() and
+      not unary.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Logical Not instruction " + instr.toString() +
+          " with non-Boolean operand, in function '$@'."
+    )
+    or
+    exists(Instruction cond |
+      cond = instr.(ConditionalBranchInstruction).getCondition() and
+      not cond.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Conditional branch instruction " + instr.toString() +
+          " with non-Boolean condition, in function '$@'."
+    )
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll

@@ -546,4 +546,26 @@ module InstructionConsistency {
         "' has no associated variable, in function '$@'." and
     irFunc = getInstructionIRFunction(instr, irFuncText)
   }
+
+  query predicate nonBooleanOperand(
+    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
+  ) {
+    exists(Instruction unary |
+      unary = instr.(LogicalNotInstruction).getUnary() and
+      not unary.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Logical Not instruction " + instr.toString() +
+          " with non-Boolean operand, in function '$@'."
+    )
+    or
+    exists(Instruction cond |
+      cond = instr.(ConditionalBranchInstruction).getCondition() and
+      not cond.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Conditional branch instruction " + instr.toString() +
+          " with non-Boolean condition, in function '$@'."
+    )
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll

@@ -546,4 +546,26 @@ module InstructionConsistency {
         "' has no associated variable, in function '$@'." and
     irFunc = getInstructionIRFunction(instr, irFuncText)
   }
+
+  query predicate nonBooleanOperand(
+    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
+  ) {
+    exists(Instruction unary |
+      unary = instr.(LogicalNotInstruction).getUnary() and
+      not unary.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Logical Not instruction " + instr.toString() +
+          " with non-Boolean operand, in function '$@'."
+    )
+    or
+    exists(Instruction cond |
+      cond = instr.(ConditionalBranchInstruction).getCondition() and
+      not cond.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Conditional branch instruction " + instr.toString() +
+          " with non-Boolean condition, in function '$@'."
+    )
+  }
 }

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected

@@ -29,4 +29,6 @@ fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 | ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
+nonBooleanOperand
+| try_except.c:35:13:35:13 | ConditionalBranch: b | Conditional branch instruction ConditionalBranch: b with non-Boolean condition, in function '$@'. | try_except.c:32:6:32:6 | void h(int) | void h(int) |
 missingCppType

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected

@@ -29,4 +29,6 @@ fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 | ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
+nonBooleanOperand
+| try_except.c:35:13:35:13 | ConditionalBranch: b | Conditional branch instruction ConditionalBranch: b with non-Boolean condition, in function '$@'. | try_except.c:32:6:32:6 | void h(int) | void h(int) |
 missingCppType

cpp/ql/test/library-tests/ir/ir/raw_consistency.expected

@@ -38,4 +38,6 @@ fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 | ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
+nonBooleanOperand
+| try_except.c:35:13:35:13 | ConditionalBranch: b | Conditional branch instruction ConditionalBranch: b with non-Boolean condition, in function '$@'. | try_except.c:32:6:32:6 | void h(int) | void h(int) |
 missingCppType

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected

@@ -29,4 +29,6 @@ fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 | ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
+nonBooleanOperand
+| try_except.c:35:13:35:13 | ConditionalBranch: b | Conditional branch instruction ConditionalBranch: b with non-Boolean condition, in function '$@'. | try_except.c:32:6:32:6 | void h(int) | void h(int) |
 missingCppType

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected

@@ -29,4 +29,6 @@ fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 | ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
 nonUniqueIRVariable
+nonBooleanOperand
+| try_except.c:35:13:35:13 | ConditionalBranch: b | Conditional branch instruction ConditionalBranch: b with non-Boolean condition, in function '$@'. | try_except.c:32:6:32:6 | void h(int) | void h(int) |
 missingCppType

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected

@@ -28,4 +28,5 @@ nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 nonUniqueIRVariable
+nonBooleanOperand
 missingCppType

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected

@@ -28,4 +28,5 @@ nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
 thisArgumentIsNonPointer
 nonUniqueIRVariable
+nonBooleanOperand
 missingCppType