Merge pull request #2008 from dave-bartolomeo/dave/IRType2

C++: Implement language-neutral IR type system

Author: jbj

config/identical-files.json

@@ -76,7 +76,11 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
     "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll",
-    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll" 
+  ],
+  "IR IRType": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll"
   ],
   "IR Operand Tag": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
@@ -169,22 +173,39 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
   ],
+  "C++ SSA SSAConstructionImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
+  ],
   "C++ SSA AliasAnalysis": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
   ],
-  "C++ SSA SSAConstruction": [
+  "C++ IR ValueNumberingImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
+  ],
+  "IR SSA SimpleSSA": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
+  ],
+  "IR SSA SSAConstruction": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
   ],
-  "C++ SSA PrintSSA": [
+  "IR SSA PrintSSA": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
   ],
-  "C++ IR ValueNumber": [
+  "IR ValueNumber": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
@@ -235,5 +256,9 @@
   "C# IR PrintIRImports": [
     "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/PrintIRImports.qll",
     "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
+  ],
+  "C# IR ValueNumberingImports": [
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ]
 }

cpp/ql/src/semmle/code/cpp/Type.qll

@@ -610,7 +610,9 @@ class FloatingPointType extends ArithmeticType {
       (
         kind >= 24 and kind <= 32
         or
-        kind = 38
+        kind >= 38 and kind <= 42
+        or
+        kind >= 45 and kind <= 50
       )
     )
   }

cpp/ql/src/semmle/code/cpp/exprs/Expr.qll

@@ -540,6 +540,13 @@ class ErrorExpr extends Expr, @errorexpr {
  */
 class AssumeExpr extends Expr, @assume {
   override string toString() { result = "__assume(...)" }
+
+  override string getCanonicalQLClass() { result = "AssumeExpr" }
+
+  /**
+   * Gets the operand of the `__assume` expressions.
+   */
+  Expr getOperand() { this.hasChild(result, 0) }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll

@@ -0,0 +1,247 @@
+/**
+ * Minimal, language-neutral type system for the IR.
+ */
+
+private import internal.IRTypeInternal
+
+private newtype TIRType =
+  TIRVoidType() or
+  TIRUnknownType() or
+  TIRErrorType() { Language::hasErrorType() } or
+  TIRBooleanType(int byteSize) { Language::hasBooleanType(byteSize) } or
+  TIRSignedIntegerType(int byteSize) { Language::hasSignedIntegerType(byteSize) } or
+  TIRUnsignedIntegerType(int byteSize) { Language::hasUnsignedIntegerType(byteSize) } or
+  TIRFloatingPointType(int byteSize) { Language::hasFloatingPointType(byteSize) } or
+  TIRAddressType(int byteSize) { Language::hasAddressType(byteSize) } or
+  TIRFunctionAddressType(int byteSize) { Language::hasFunctionAddressType(byteSize) } or
+  TIROpaqueType(Language::OpaqueTypeTag tag, int byteSize) {
+    Language::hasOpaqueType(tag, byteSize)
+  }
+
+/**
+ * The language-neutral type of an IR `Instruction`, `Operand`, or `IRVariable`.
+ * The interface to `IRType` and its subclasses is the same across all languages for which the IR
+ * is supported, so analyses that expect to be used for multiple languages should generally use
+ * `IRType` rather than a language-specific type.
+ *
+ * Many types from the language-specific type system will map to a single canonical `IRType`. Two
+ * types that map to the same `IRType` are considered equivalent by the IR. As an example, in C++,
+ * all pointer types map to the same instance of `IRAddressType`.
+ */
+class IRType extends TIRType {
+  string toString() { none() }
+
+  /**
+   * Gets a string that uniquely identifies this `IRType`. This string is often the same as the
+   * result of `IRType.toString()`, but for some types it may be more verbose to ensure uniqueness.
+   */
+  string getIdentityString() { result = toString() }
+
+  /**
+   * Gets the size of the type, in bytes, if known.
+   *
+   * This will hold for all `IRType` objects except `IRUnknownType`.
+   */
+  int getByteSize() { none() }
+
+  /**
+   * Gets a single instance of `LanguageType` that maps to this `IRType`.
+   */
+  Language::LanguageType getCanonicalLanguageType() { none() }
+}
+
+/**
+ * An unknown type. Generally used to represent results and operands that access an unknown set of
+ * memory locations, such as the side effects of a function call.
+ */
+class IRUnknownType extends IRType, TIRUnknownType {
+  final override string toString() { result = "unknown" }
+
+  final override int getByteSize() { none() }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalUnknownType()
+  }
+}
+
+/**
+ * A void type, which has no values. Used to represent the result type of an instruction that does
+ * not produce a result.
+ */
+class IRVoidType extends IRType, TIRVoidType {
+  final override string toString() { result = "void" }
+
+  final override int getByteSize() { result = 0 }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalVoidType()
+  }
+}
+
+/**
+ * An error type. Used when an error in the source code prevents the extractor from determining the
+ * proper type.
+ */
+class IRErrorType extends IRType, TIRErrorType {
+  final override string toString() { result = "error" }
+
+  final override int getByteSize() { result = 0 }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalErrorType()
+  }
+}
+
+private class IRSizedType extends IRType {
+  int byteSize;
+
+  IRSizedType() {
+    this = TIRBooleanType(byteSize) or
+    this = TIRSignedIntegerType(byteSize) or
+    this = TIRUnsignedIntegerType(byteSize) or
+    this = TIRFloatingPointType(byteSize) or
+    this = TIRAddressType(byteSize) or
+    this = TIRFunctionAddressType(byteSize) or
+    this = TIROpaqueType(_, byteSize)
+  }
+
+  final override int getByteSize() { result = byteSize }
+}
+
+/**
+ * A Boolean type, which can hold the values `true` (non-zero) or `false` (zero).
+ */
+class IRBooleanType extends IRSizedType, TIRBooleanType {
+  final override string toString() { result = "bool" + byteSize.toString() }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalBooleanType(byteSize)
+  }
+}
+
+/**
+ * A numberic type. This includes `IRSignedIntegerType`, `IRUnsignedIntegerType`, and
+ * `IRFloatingPointType`.
+ */
+class IRNumericType extends IRSizedType {
+  IRNumericType() {
+    this = TIRSignedIntegerType(byteSize) or
+    this = TIRUnsignedIntegerType(byteSize) or
+    this = TIRFloatingPointType(byteSize)
+  }
+}
+
+/**
+ * A signed two's-complement integer. Also used to represent enums whose underlying type is a signed
+ * integer, as well as character types whose representation is signed.
+ */
+class IRSignedIntegerType extends IRNumericType, TIRSignedIntegerType {
+  final override string toString() { result = "int" + byteSize.toString() }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalSignedIntegerType(byteSize)
+  }
+}
+
+/**
+ * An unsigned two's-complement integer. Also used to represent enums whose underlying type is an
+ * unsigned integer, as well as character types whose representation is unsigned.
+ */
+class IRUnsignedIntegerType extends IRNumericType, TIRUnsignedIntegerType {
+  final override string toString() { result = "uint" + byteSize.toString() }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalUnsignedIntegerType(byteSize)
+  }
+}
+
+/**
+ * A floating-point type.
+ */
+class IRFloatingPointType extends IRNumericType, TIRFloatingPointType {
+  final override string toString() { result = "float" + byteSize.toString() }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalFloatingPointType(byteSize)
+  }
+}
+
+/**
+ * An address type, representing the memory address of data. Used to represent pointers, references,
+ * and lvalues, include those that are garbage collected.
+ *
+ * The address of a function is represented by the separate `IRFunctionAddressType`.
+ */
+class IRAddressType extends IRSizedType, TIRAddressType {
+  final override string toString() { result = "addr" + byteSize.toString() }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalAddressType(byteSize)
+  }
+}
+
+/**
+ * An address type, representing the memory address of code. Used to represent function pointers,
+ * function references, and the target of a direct function call.
+ */
+class IRFunctionAddressType extends IRSizedType, TIRFunctionAddressType {
+  final override string toString() { result = "func" + byteSize.toString() }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalFunctionAddressType(byteSize)
+  }
+}
+
+/**
+ * A type with known size that does not fit any of the other kinds of type. Used to represent
+ * classes, structs, unions, fixed-size arrays, pointers-to-member, and more.
+ */
+class IROpaqueType extends IRSizedType, TIROpaqueType {
+  Language::OpaqueTypeTag tag;
+
+  IROpaqueType() { this = TIROpaqueType(tag, byteSize) }
+
+  final override string toString() {
+    result = "opaque" + byteSize.toString() + "{" + tag.toString() + "}"
+  }
+
+  final override string getIdentityString() {
+    result = "opaque" + byteSize.toString() + "{" + Language::getOpaqueTagIdentityString(tag) + "}"
+  }
+
+  final override Language::LanguageType getCanonicalLanguageType() {
+    result = Language::getCanonicalOpaqueType(tag, byteSize)
+  }
+
+  /**
+   * Gets the "tag" that differentiates this type from other incompatible opaque types that have the
+   * same size.
+   */
+  final Language::OpaqueTypeTag getTag() { result = tag }
+}
+
+module IRTypeSanity {
+  query predicate missingCanonicalLanguageType(IRType type, string message) {
+    not exists(type.getCanonicalLanguageType()) and
+    message = "Type does not have a canonical `LanguageType`"
+  }
+
+  query predicate multipleCanonicalLanguageTypes(IRType type, string message) {
+    strictcount(type.getCanonicalLanguageType()) > 1 and
+    message = "Type has multiple canonical `LanguageType`s: " +
+        concat(type.getCanonicalLanguageType().toString(), ", ")
+  }
+
+  query predicate missingIRType(Language::LanguageType type, string message) {
+    not exists(type.getIRType()) and
+    message = "`LanguageType` does not have a corresponding `IRType`."
+  }
+
+  query predicate multipleIRTypes(Language::LanguageType type, string message) {
+    strictcount(type.getIRType()) > 1 and
+    message = "`LanguageType` " + type.getAQlClass() + " has multiple `IRType`s: " +
+        concat(type.getIRType().toString(), ", ")
+  }
+
+  import Language::LanguageTypeSanity
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll

@@ -5,6 +5,7 @@ import IRVariable
 import Operand
 private import internal.IRImports as Imports
 import Imports::EdgeKind
+import Imports::IRType
 import Imports::MemoryAccessKind
 
 private newtype TIRPropertyProvider = MkIRPropertyProvider()

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll

@@ -1,2 +1,3 @@
 private import IR
 import InstructionSanity
+import IRTypeSanity