C++: Generate int-to-bool conversions in C code

[MathiasVP]

In C++ code we have int-to-bool conversions on myInt in examples like:

void test(int myInt) {
  if(myInt) {
   // ...
  }
}

That is, it's not myInt that is branched on, but rather the result of myInt != 0. In the IR, this manifests as the IR looking like:

r1_5(glval<int>) = VariableAddress[myInt]     :
m1_6(int)        = InitializeParameter[myInt] : &:r1_5
r2_1(glval<int>) = VariableAddress[myInt]     :
r2_2(int)        = Load[myInt]                : &:r2_1, m1_6
r2_3(int)        = Constant[0]                :
r2_4(bool)       = CompareNE                  : r2_2, r2_3
v2_5(void)       = ConditionalBranch          : r2_4

(notice the BranchNE instruction).

This information is important in guard conditions since branching on myInt doesn't tell us that myInt == 1, but rather that (myInt != 0) == 1.

This is all well and good in C++. However, in C, there are no int-to-bool conversions. So when compiling the same code with a C compiler the IR looks like:

r1_5(glval<int>) = VariableAddress[myInt]     :
m1_6(int)        = InitializeParameter[myInt] : &:r1_5
r2_1(glval<int>) = VariableAddress[myInt]     :
r2_2(int)        = Load[myInt]                : &:r2_1, m1_6
v2_5(void)       = ConditionalBranch          : r2_2

(notice that we're now branching on the value of myInt)

Historically, we've worked around this problem in IRGuards specifically (see #16364 and #16533), but upon facing a related problem somewhere else I now feel like we should simply make the IR equivalent in C and C++.

So this PR inserts IR equivalent to what would have been generated for an int-to-bool conversion if it had been present in the database in the places I'm aware of this being a problem. It then removes the workarounds in the guards library that were added to handle these.

Commit-by-commit review recommended (especially for the IR construction related commits).

DCA reveals a few new results and a few lost results:

• The lost cpp/overrun-write and cpp/path-injection results are because both queries use any guard as a barrier, and we now recognize more barriers.
• The cpp/redundant-null-check-simple results are new TPs 🎉

Commits 6dd1c5e to 0d7adac are IR-construction related changes, and commits 9810a4f to 5373e22 are IRGuards-related changes.

[jketema]

It looks like the changes in 6577161 only affect syntax-zoo, and not the IR tests. I think it would make sense to add an IR test, so we can easily see that the generated IR is actually correct.

[jketema]

I need some more explanation here. Does this predicate (and the ones below) every produce anything sensible given that ir is a CompareEQ?

[MathiasVP]

Yeah, I doubt this ever produces anything, really. This was just a result of me copy/pasting the predicate 🙈 I tried to quick-eval this predicate on a couple of local DBs, but nothing came up.

Would you prefer just doing none here instead?

[jketema]

Does that hold for all the predicates below, or are there exceptions?

[MathiasVP]

I was about to write this:

All the "less than"-related predicates are probably not relevant, no. But the "equality"-related predicates certainly are. So we could replace all the them all with none.

But I then realized that if you write:

if(!(a < b)) { }

in a C file then we'll hit this case since the result of a < b has an int type. I've added this as a testcase. A quick MRVA run shows me that we actually hit many GuardConditions that fit this. So I'm actually hesitant to delete them.

Now, as I'm looking at what kinds of bounds we actually get from it I realize that this could be improved. However, the results of this predicate are certainly not incorrect. So I'd actually prefer that we keep them if that's okay with you.

[MathiasVP]

It looks like the changes in 6577161 only affect syntax-zoo, and not the IR tests. I think it would make sense to add an IR test, so we can easily see that the generated IR is actually correct.

Good point. I've added this in 2076c1c. I had to add another file since the existing ir.c is marked as --microsoft which doesn't support the binary conditional operator.

[MathiasVP]

Thanks for the chat, @jketema! Some comments on the commits I just pushed:

• I've added the reference example we saw on MRVA in 54faba2.
• I removed the type test in d0bd6eb. This gives some new good results in the tests for C++ as well (where the operand of the not has a BoolType which meant it was previously not part of this class).

After I removed the type test requirement I reran MRVA and looked for cases where we had results for unary equality (we had lots), binary equality, unary "less than"s, and binary "less than"s. All of these cases had quite a few results, and I've added an example of each case in d5b31eb.

So, unlike what I expressed in our call earlier, I'm not actually sure we should replace the overrides with none() since doing so breaks all the tests added in d5b31eb.

What do you think?

[jketema]

This is no longer up-to-date, I think, as you dropped the non-boolean restriction.

[MathiasVP]

Good point. Fixed in b39a932

[jketema]

DCA reveals a few new results and a few lost results:

• The lost cpp/overrun-write and cpp/path-injection results are because both queries use any guard as a barrier, and we now recognize more barriers.
• The cpp/redundant-null-check-simple results are new TPs 🎉

What about cpp/user-controlled-bypass?

[MathiasVP]

What about cpp/user-controlled-bypass?

We just discussed this offline: There aren't any query result differences. The change is in the number of #select results, but the number of query results remain the same.

[jketema]

LGTM