Merge branch 'github:main' into couchdb

Author: mbaluda

cpp/ql/lib/change-notes/2026-01-02-constant-folding.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -688,15 +688,9 @@ private module Cached {
       conversionFlow(mid, instr, false, _)
     )
     or
-    exists(int ind0 |
-      exists(Operand address |
-        isDereference(operand.getDef(), address, _) and
-        isUseImpl(address, base, ind0)
-      )
-      or
-      isUseImpl(operand.getDef().(InitializeParameterInstruction).getAnOperand(), base, ind0)
-    |
-      ind0 = ind - 1
+    exists(Operand address |
+      isDereference(operand.getDef(), address, _) and
+      isUseImpl(address, base, ind - 1)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -2679,7 +2679,7 @@ class TranslatedDestructorFieldDestruction extends TranslatedNonConstantExpr, St
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = OnlyInstructionTag() and
     operandTag instanceof UnaryOperandTag and
-    result = getTranslatedFunction(getEnclosingFunction(expr)).getInitializeThisInstruction()
+    result = getTranslatedFunction(getEnclosingFunction(expr)).getLoadThisInstruction()
   }
 
   final override Field getInstructionField(InstructionTag tag) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -306,11 +306,11 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
   final predicate hasReturnValue() { hasReturnValue(func) }
 
   /**
-   * Gets the single `InitializeThis` instruction for this function. Holds only
-   * if the function is an instance member function, constructor, or destructor.
+   * Gets the first load of `this` for this function. Holds only if the function
+   * is an instance member function, constructor, or destructor.
    */
-  final Instruction getInitializeThisInstruction() {
-    result = getTranslatedThisParameter(func).getInstruction(InitializerStoreTag())
+  final Instruction getLoadThisInstruction() {
+    result = getTranslatedThisParameter(func).getInstruction(InitializerIndirectAddressTag())
   }
 
   /**
@@ -639,7 +639,7 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon
   }
 
   override Instruction getTargetAddress() {
-    result = getTranslatedFunction(func).getInitializeThisInstruction()
+    result = getTranslatedFunction(func).getLoadThisInstruction()
   }
 
   override Type getTargetType() { result = getTranslatedFunction(func).getThisType() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -950,7 +950,7 @@ abstract class TranslatedBaseStructorCall extends TranslatedStructorCallFromStru
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = OnlyInstructionTag() and
     operandTag instanceof UnaryOperandTag and
-    result = getTranslatedFunction(this.getFunction()).getInitializeThisInstruction()
+    result = getTranslatedFunction(this.getFunction()).getLoadThisInstruction()
   }
 
   final override predicate getInstructionInheritance(
@@ -1000,7 +1000,7 @@ class TranslatedConstructorDelegationInit extends TranslatedConstructorCallFromC
   }
 
   final override Instruction getReceiver() {
-    result = getTranslatedFunction(this.getFunction()).getInitializeThisInstruction()
+    result = getTranslatedFunction(this.getFunction()).getLoadThisInstruction()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -158,22 +158,6 @@ private class UnsignedBitwiseAndExpr extends BitwiseAndExpr {
   }
 }
 
-/**
- * Gets the floor of `v`, with additional logic to work around issues with
- * large numbers.
- */
-bindingset[v]
-float safeFloor(float v) {
-  // return the floor of v
-  v.abs() < 2.pow(31) and
-  result = v.floor()
-  or
-  // `floor()` doesn't work correctly on large numbers (since it returns an integer),
-  // so fall back to unrounded numbers at this scale.
-  not v.abs() < 2.pow(31) and
-  result = v
-}
-
 /** A `MulExpr` where exactly one operand is constant. */
 private class MulByConstantExpr extends MulExpr {
   float constant;
@@ -1266,7 +1250,7 @@ private float getLowerBoundsImpl(Expr expr) {
       rsExpr = expr and
       left = getFullyConvertedLowerBounds(rsExpr.getLeftOperand()) and
       right = getValue(rsExpr.getRightOperand().getFullyConverted()).toInt() and
-      result = safeFloor(left / 2.pow(right))
+      result = (left / 2.pow(right)).floorFloat()
     )
     // Not explicitly modeled by a SimpleRangeAnalysisExpr
   ) and
@@ -1475,7 +1459,7 @@ private float getUpperBoundsImpl(Expr expr) {
       rsExpr = expr and
       left = getFullyConvertedUpperBounds(rsExpr.getLeftOperand()) and
       right = getValue(rsExpr.getRightOperand().getFullyConverted()).toInt() and
-      result = safeFloor(left / 2.pow(right))
+      result = (left / 2.pow(right)).floorFloat()
     )
     // Not explicitly modeled by a SimpleRangeAnalysisExpr
   ) and

cpp/ql/src/Likely Bugs/Arithmetic/PointlessComparison.ql

@@ -25,11 +25,16 @@ import UnsignedGEZero
 //
 // So to reduce the number of false positives, we do not report a result if
 // the comparison is in a macro expansion. Similarly for template
-// instantiations.
+// instantiations, static asserts, non-type template arguments, enum constants,
+// and constexprs.
 from ComparisonOperation cmp, SmallSide ss, float left, float right, boolean value, string reason
 where
   not cmp.isInMacroExpansion() and
   not cmp.isFromTemplateInstantiation(_) and
+  not exists(StaticAssert s | s.getCondition() = cmp.getParent*()) and
+  not exists(Declaration d | d.getATemplateArgument() = cmp.getParent*()) and
+  not exists(Variable v | v.isConstexpr() | v.getInitializer().getExpr() = cmp.getParent*()) and
+  not exists(EnumConstant e | e.getInitializer().getExpr() = cmp.getParent*()) and
   not functionContainsDisabledCode(cmp.getEnclosingFunction()) and
   reachablePointlessComparison(cmp, left, right, value, ss) and
   // a comparison between an enum and zero is always valid because whether

cpp/ql/src/change-notes/2026-01-02-constant-comparison.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.

cpp/ql/test/library-tests/constants/addresses/addresses.cpp

@@ -26,9 +26,7 @@ void constantAddresses(int param) {
     constexpr int *array2d = &int_arr_arr[1][1] + 1;
     constexpr int *const_ints = &int_arr_arr[int_const][extern_int_const];
 
-    // Commented out because clang and EDG disagree on whether this is
-    // constant.
-    //constexpr int *stmtexpr_int = &int_arr[ ({ 1; }) ];
+    constexpr int *stmtexpr_int = &int_arr[ ({ 1; }) ];
 
     constexpr int *comma_int = &int_arr[ ((void)0, 1) ];
     constexpr int *comma_addr = ((void)0, &int_var);

cpp/ql/test/library-tests/constants/addresses/addresses.expected

@@ -0,0 +1,5 @@
+| addresses.cpp:29:35:29:54 | & ... | stmtexpr_int | misclassified as NOT constant |
+| addresses.cpp:31:32:31:55 | & ... | comma_int | misclassified as NOT constant |
+| addresses.cpp:36:39:36:70 | ... ? ... : ... | ternary_ptr_cond | misclassified as NOT constant |
+| addresses.cpp:37:35:37:69 | & ... | ptr_subtract | misclassified as NOT constant |
+| addresses.cpp:39:35:39:50 | ... + ... | constexpr_va | misclassified as NOT constant |