Merge pull request #2068 from rdmarsh2/rdmarsh/cpp/ir-constructor-side-effects

C++: side effect instrs for constructor qualifiers

Author: Dave Bartolomeo

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -124,6 +124,16 @@ module InstructionSanity {
     )
   }
 
+  query predicate duplicateChiOperand(
+    ChiInstruction chi, string message, IRFunction func, string funcText
+  ) {
+    chi.getTotal() = chi.getPartial() and
+    message = "Chi instruction for " + chi.getPartial().toString() +
+        " has duplicate operands in function $@" and
+    func = chi.getEnclosingIRFunction() and
+    funcText = Language::getIdentityString(func.getFunction())
+  }
+
   query predicate sideEffectWithoutPrimary(
     SideEffectInstruction instr, string message, IRFunction func, string funcText
   ) {

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -396,7 +396,11 @@ private predicate hasChiNode(Alias::VirtualVariable vvar, OldInstruction def) {
     defLocation.getVirtualVariable() = vvar and
     // If the definition totally (or exactly) overlaps the virtual variable, then there's no need for a `Chi`
     // instruction.
-    Alias::getOverlap(defLocation, vvar) instanceof MayPartiallyOverlap
+    (
+      Alias::getOverlap(defLocation, vvar) instanceof MayPartiallyOverlap or
+      def.getResultMemoryAccess() instanceof IndirectMayMemoryAccess or
+      def.getResultMemoryAccess() instanceof BufferMayMemoryAccess
+    )
   )
 }
 
@@ -709,7 +713,10 @@ module DefUse {
       defLocation = Alias::getResultMemoryLocation(def) and
       block.getInstruction(index) = def and
       overlap = Alias::getOverlap(defLocation, useLocation) and
-      if overlap instanceof MayPartiallyOverlap
+      if
+        overlap instanceof MayPartiallyOverlap or
+        def.getResultMemoryAccess() instanceof IndirectMayMemoryAccess or
+        def.getResultMemoryAccess() instanceof BufferMayMemoryAccess
       then offset = (index * 2) + 1 // The use will be connected to the definition on the `Chi` instruction.
       else offset = index * 2 // The use will be connected to the definition on the original instruction.
     )

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -124,6 +124,16 @@ module InstructionSanity {
     )
   }
 
+  query predicate duplicateChiOperand(
+    ChiInstruction chi, string message, IRFunction func, string funcText
+  ) {
+    chi.getTotal() = chi.getPartial() and
+    message = "Chi instruction for " + chi.getPartial().toString() +
+        " has duplicate operands in function $@" and
+    func = chi.getEnclosingIRFunction() and
+    funcText = Language::getIdentityString(func.getFunction())
+  }
+
   query predicate sideEffectWithoutPrimary(
     SideEffectInstruction instr, string message, IRFunction func, string funcText
   ) {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -352,6 +352,11 @@ class TranslatedSideEffects extends TranslatedElement, TTranslatedSideEffects {
     none()
   }
 
+  override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
+    tag = OnlyInstructionTag() and
+    result = getTranslatedExpr(expr).getInstruction(CallTag())
+  }
+
   /**
    * Gets the `TranslatedFunction` containing this expression.
    */
@@ -365,6 +370,39 @@ class TranslatedSideEffects extends TranslatedElement, TTranslatedSideEffects {
   override Function getFunction() { result = expr.getEnclosingFunction() }
 }
 
+class TranslatedStructorCallSideEffects extends TranslatedSideEffects {
+  TranslatedStructorCallSideEffects() { getParent().(TranslatedStructorCall).hasQualifier() }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType t) {
+    opcode instanceof Opcode::IndirectMayWriteSideEffect and
+    tag instanceof OnlyInstructionTag and
+    t = getTypeForPRValue(expr.getTarget().getDeclaringType())
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    (
+      if exists(getChild(0))
+      then result = getChild(0).getFirstInstruction()
+      else result = getParent().getChildSuccessor(this)
+    ) and
+    tag = OnlyInstructionTag() and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+
+  override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    tag instanceof OnlyInstructionTag and
+    operandTag instanceof AddressOperandTag and
+    result = getParent().(TranslatedStructorCall).getQualifierResult()
+  }
+
+  final override int getInstructionIndex(InstructionTag tag) {
+    tag = OnlyInstructionTag() and
+    result = -1
+  }
+}
+
 class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEffect {
   Call call;
   Expr arg;

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll

@@ -121,6 +121,7 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali
   private predicate hasUninitializedInstruction() {
     not exists(getInitialization()) or
     getInitialization() instanceof TranslatedListInitialization or
+    getInitialization() instanceof TranslatedConstructorInitialization or
     getInitialization().(TranslatedStringLiteralInitialization).zeroInitRange(_, _)
   }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -380,8 +380,10 @@ newtype TTranslatedElement =
   TTranslatedAllocationSize(NewOrNewArrayExpr newExpr) { not ignoreExpr(newExpr) } or
   // The declaration/initialization part of a `ConditionDeclExpr`
   TTranslatedConditionDecl(ConditionDeclExpr expr) { not ignoreExpr(expr) } or
-  // The side effects of a `Call` {
-  TTranslatedSideEffects(Call expr) { exists(TTranslatedArgumentSideEffect(expr, _, _, _)) } or // A precise side effect of an argument to a `Call` {
+  // The side effects of a `Call`
+  TTranslatedSideEffects(Call expr) {
+    exists(TTranslatedArgumentSideEffect(expr, _, _, _)) or expr instanceof ConstructorCall
+  } or // A precise side effect of an argument to a `Call`
   TTranslatedArgumentSideEffect(Call call, Expr expr, int n, boolean isWrite) {
     (
       expr = call.getArgument(n).getFullyConverted()

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -124,6 +124,16 @@ module InstructionSanity {
     )
   }
 
+  query predicate duplicateChiOperand(
+    ChiInstruction chi, string message, IRFunction func, string funcText
+  ) {
+    chi.getTotal() = chi.getPartial() and
+    message = "Chi instruction for " + chi.getPartial().toString() +
+        " has duplicate operands in function $@" and
+    func = chi.getEnclosingIRFunction() and
+    funcText = Language::getIdentityString(func.getFunction())
+  }
+
   query predicate sideEffectWithoutPrimary(
     SideEffectInstruction instr, string message, IRFunction func, string funcText
   ) {

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -396,7 +396,11 @@ private predicate hasChiNode(Alias::VirtualVariable vvar, OldInstruction def) {
     defLocation.getVirtualVariable() = vvar and
     // If the definition totally (or exactly) overlaps the virtual variable, then there's no need for a `Chi`
     // instruction.
-    Alias::getOverlap(defLocation, vvar) instanceof MayPartiallyOverlap
+    (
+      Alias::getOverlap(defLocation, vvar) instanceof MayPartiallyOverlap or
+      def.getResultMemoryAccess() instanceof IndirectMayMemoryAccess or
+      def.getResultMemoryAccess() instanceof BufferMayMemoryAccess
+    )
   )
 }
 
@@ -709,7 +713,10 @@ module DefUse {
       defLocation = Alias::getResultMemoryLocation(def) and
       block.getInstruction(index) = def and
       overlap = Alias::getOverlap(defLocation, useLocation) and
-      if overlap instanceof MayPartiallyOverlap
+      if
+        overlap instanceof MayPartiallyOverlap or
+        def.getResultMemoryAccess() instanceof IndirectMayMemoryAccess or
+        def.getResultMemoryAccess() instanceof BufferMayMemoryAccess
       then offset = (index * 2) + 1 // The use will be connected to the definition on the `Chi` instruction.
       else offset = index * 2 // The use will be connected to the definition on the original instruction.
     )

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll

@@ -30,7 +30,11 @@ private predicate isVariableModeled(IRVariable var) {
     hasResultMemoryAccess(instr, var, type, bitOffset)
   |
     bitOffset = 0 and
-    type.getIRType() = var.getIRType()
+    type.getIRType() = var.getIRType() and
+    not (
+      instr.getResultMemoryAccess() instanceof IndirectMayMemoryAccess or
+      instr.getResultMemoryAccess() instanceof BufferMayMemoryAccess
+    )
   ) and
   forall(MemoryOperand operand, Language::LanguageType type, IntValue bitOffset |
     hasOperandMemoryAccess(operand, var, type, bitOffset)

cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected

@@ -1,8 +1,13 @@
 missingOperand
+| ir.cpp:809:7:809:13 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
+| ir.cpp:810:7:810:26 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
+| ir.cpp:823:7:823:13 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
+| ir.cpp:824:7:824:26 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
 unexpectedOperand
 duplicateOperand
 missingPhiOperand
 missingOperandType
+duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
 ambiguousSuccessors