Merge pull request #2772 from MathiasVP/more-gvn-loads

C++: Better value numbering support for loading fields in IR

Author: jbj

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll

@@ -52,6 +52,11 @@ newtype TValueNumber =
   ) {
     inheritanceConversionValueNumber(_, irFunc, opcode, baseClass, derivedClass, operand)
   } or
+  TLoadTotalOverlapValueNumber(
+    IRFunction irFunc, IRType type, ValueNumber memOperand, ValueNumber operand
+  ) {
+    loadTotalOverlapValueNumber(_, irFunc, type, memOperand, operand)
+  } or
   TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
 
 /**
@@ -101,12 +106,18 @@ class ValueNumber extends TValueNumber {
  * The use of `p.x` on line 3 is linked to the definition of `p` on line 1 as well, but is not
  * congruent to that definition because `p.x` accesses only a subset of the memory defined by `p`.
  */
-private class CongruentCopyInstruction extends CopyInstruction {
+class CongruentCopyInstruction extends CopyInstruction {
   CongruentCopyInstruction() {
     this.getSourceValueOperand().getDefinitionOverlap() instanceof MustExactlyOverlap
   }
 }
 
+class LoadTotalOverlapInstruction extends LoadInstruction {
+  LoadTotalOverlapInstruction() {
+    this.getSourceValueOperand().getDefinitionOverlap() instanceof MustTotallyOverlap
+  }
+}
+
 /**
  * Holds if this library knows how to assign a value number to the specified instruction, other than
  * a `unique` value number that is never shared by multiple instructions.
@@ -131,6 +142,8 @@ private predicate numberableInstruction(Instruction instr) {
   instr instanceof PointerArithmeticInstruction
   or
   instr instanceof CongruentCopyInstruction
+  or
+  instr instanceof LoadTotalOverlapInstruction
 }
 
 private predicate variableAddressValueNumber(
@@ -205,6 +218,7 @@ private predicate unaryValueNumber(
   instr.getEnclosingIRFunction() = irFunc and
   not instr instanceof InheritanceConversionInstruction and
   not instr instanceof CopyInstruction and
+  not instr instanceof FieldAddressInstruction and
   instr.getOpcode() = opcode and
   instr.getResultIRType() = type and
   valueNumber(instr.getUnary()) = operand
@@ -221,6 +235,16 @@ private predicate inheritanceConversionValueNumber(
   valueNumber(instr.getUnary()) = operand
 }
 
+private predicate loadTotalOverlapValueNumber(
+  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, ValueNumber memOperand,
+  ValueNumber operand
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  valueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
+  valueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand
+}
+
 /**
  * Holds if `instr` should be assigned a unique value number because this library does not know how
  * to determine if two instances of that instruction are equivalent.
@@ -313,6 +337,11 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) {
           TPointerArithmeticValueNumber(irFunc, opcode, type, elementSize, leftOperand, rightOperand)
       )
       or
+      exists(IRType type, ValueNumber memOperand, ValueNumber operand |
+        loadTotalOverlapValueNumber(instr, irFunc, type, memOperand, operand) and
+        result = TLoadTotalOverlapValueNumber(irFunc, type, memOperand, operand)
+      )
+      or
       // The value number of a copy is just the value number of its source value.
       result = valueNumber(instr.(CongruentCopyInstruction).getSourceValue())
     )

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll

@@ -52,6 +52,11 @@ newtype TValueNumber =
   ) {
     inheritanceConversionValueNumber(_, irFunc, opcode, baseClass, derivedClass, operand)
   } or
+  TLoadTotalOverlapValueNumber(
+    IRFunction irFunc, IRType type, ValueNumber memOperand, ValueNumber operand
+  ) {
+    loadTotalOverlapValueNumber(_, irFunc, type, memOperand, operand)
+  } or
   TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
 
 /**
@@ -101,12 +106,18 @@ class ValueNumber extends TValueNumber {
  * The use of `p.x` on line 3 is linked to the definition of `p` on line 1 as well, but is not
  * congruent to that definition because `p.x` accesses only a subset of the memory defined by `p`.
  */
-private class CongruentCopyInstruction extends CopyInstruction {
+class CongruentCopyInstruction extends CopyInstruction {
   CongruentCopyInstruction() {
     this.getSourceValueOperand().getDefinitionOverlap() instanceof MustExactlyOverlap
   }
 }
 
+class LoadTotalOverlapInstruction extends LoadInstruction {
+  LoadTotalOverlapInstruction() {
+    this.getSourceValueOperand().getDefinitionOverlap() instanceof MustTotallyOverlap
+  }
+}
+
 /**
  * Holds if this library knows how to assign a value number to the specified instruction, other than
  * a `unique` value number that is never shared by multiple instructions.
@@ -131,6 +142,8 @@ private predicate numberableInstruction(Instruction instr) {
   instr instanceof PointerArithmeticInstruction
   or
   instr instanceof CongruentCopyInstruction
+  or
+  instr instanceof LoadTotalOverlapInstruction
 }
 
 private predicate variableAddressValueNumber(
@@ -205,6 +218,7 @@ private predicate unaryValueNumber(
   instr.getEnclosingIRFunction() = irFunc and
   not instr instanceof InheritanceConversionInstruction and
   not instr instanceof CopyInstruction and
+  not instr instanceof FieldAddressInstruction and
   instr.getOpcode() = opcode and
   instr.getResultIRType() = type and
   valueNumber(instr.getUnary()) = operand
@@ -221,6 +235,16 @@ private predicate inheritanceConversionValueNumber(
   valueNumber(instr.getUnary()) = operand
 }
 
+private predicate loadTotalOverlapValueNumber(
+  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, ValueNumber memOperand,
+  ValueNumber operand
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  valueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
+  valueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand
+}
+
 /**
  * Holds if `instr` should be assigned a unique value number because this library does not know how
  * to determine if two instances of that instruction are equivalent.
@@ -313,6 +337,11 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) {
           TPointerArithmeticValueNumber(irFunc, opcode, type, elementSize, leftOperand, rightOperand)
       )
       or
+      exists(IRType type, ValueNumber memOperand, ValueNumber operand |
+        loadTotalOverlapValueNumber(instr, irFunc, type, memOperand, operand) and
+        result = TLoadTotalOverlapValueNumber(irFunc, type, memOperand, operand)
+      )
+      or
       // The value number of a copy is just the value number of its source value.
       result = valueNumber(instr.(CongruentCopyInstruction).getSourceValue())
     )

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll

@@ -52,6 +52,11 @@ newtype TValueNumber =
   ) {
     inheritanceConversionValueNumber(_, irFunc, opcode, baseClass, derivedClass, operand)
   } or
+  TLoadTotalOverlapValueNumber(
+    IRFunction irFunc, IRType type, ValueNumber memOperand, ValueNumber operand
+  ) {
+    loadTotalOverlapValueNumber(_, irFunc, type, memOperand, operand)
+  } or
   TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
 
 /**
@@ -101,12 +106,18 @@ class ValueNumber extends TValueNumber {
  * The use of `p.x` on line 3 is linked to the definition of `p` on line 1 as well, but is not
  * congruent to that definition because `p.x` accesses only a subset of the memory defined by `p`.
  */
-private class CongruentCopyInstruction extends CopyInstruction {
+class CongruentCopyInstruction extends CopyInstruction {
   CongruentCopyInstruction() {
     this.getSourceValueOperand().getDefinitionOverlap() instanceof MustExactlyOverlap
   }
 }
 
+class LoadTotalOverlapInstruction extends LoadInstruction {
+  LoadTotalOverlapInstruction() {
+    this.getSourceValueOperand().getDefinitionOverlap() instanceof MustTotallyOverlap
+  }
+}
+
 /**
  * Holds if this library knows how to assign a value number to the specified instruction, other than
  * a `unique` value number that is never shared by multiple instructions.
@@ -131,6 +142,8 @@ private predicate numberableInstruction(Instruction instr) {
   instr instanceof PointerArithmeticInstruction
   or
   instr instanceof CongruentCopyInstruction
+  or
+  instr instanceof LoadTotalOverlapInstruction
 }
 
 private predicate variableAddressValueNumber(
@@ -205,6 +218,7 @@ private predicate unaryValueNumber(
   instr.getEnclosingIRFunction() = irFunc and
   not instr instanceof InheritanceConversionInstruction and
   not instr instanceof CopyInstruction and
+  not instr instanceof FieldAddressInstruction and
   instr.getOpcode() = opcode and
   instr.getResultIRType() = type and
   valueNumber(instr.getUnary()) = operand
@@ -221,6 +235,16 @@ private predicate inheritanceConversionValueNumber(
   valueNumber(instr.getUnary()) = operand
 }
 
+private predicate loadTotalOverlapValueNumber(
+  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, ValueNumber memOperand,
+  ValueNumber operand
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  valueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
+  valueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand
+}
+
 /**
  * Holds if `instr` should be assigned a unique value number because this library does not know how
  * to determine if two instances of that instruction are equivalent.
@@ -313,6 +337,11 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) {
           TPointerArithmeticValueNumber(irFunc, opcode, type, elementSize, leftOperand, rightOperand)
       )
       or
+      exists(IRType type, ValueNumber memOperand, ValueNumber operand |
+        loadTotalOverlapValueNumber(instr, irFunc, type, memOperand, operand) and
+        result = TLoadTotalOverlapValueNumber(irFunc, type, memOperand, operand)
+      )
+      or
       // The value number of a copy is just the value number of its source value.
       result = valueNumber(instr.(CongruentCopyInstruction).getSourceValue())
     )

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/GlobalValueNumbering.expected

@@ -30,3 +30,11 @@
 | test.cpp:105:11:105:12 | (Base *)... | 105:c11-c12 106:c14-c35 107:c11-c12 |
 | test.cpp:105:11:105:12 | pd | 105:c11-c12 106:c33-c34 |
 | test.cpp:105:15:105:15 | b | 105:c15-c15 107:c15-c15 109:c10-c10 |
+| test.cpp:125:11:125:12 | pa | 125:c11-c12 126:c11-c12 128:c3-c4 129:c11-c12 |
+| test.cpp:125:15:125:15 | x | 125:c15-c15 126:c15-c15 128:c7-c7 |
+| test.cpp:136:11:136:18 | global_a | 136:c11-c18 137:c11-c18 139:c3-c10 |
+| test.cpp:136:21:136:21 | x | 136:c21-c21 137:c21-c21 139:c13-c13 |
+| test.cpp:144:11:144:12 | pa | 144:c11-c12 145:c11-c12 147:c3-c4 149:c11-c12 |
+| test.cpp:145:15:145:15 | y | 145:c15-c15 147:c7-c7 |
+| test.cpp:153:11:153:18 | global_a | 153:c11-c18 154:c11-c18 156:c3-c10 |
+| test.cpp:153:21:153:21 | x | 153:c21-c21 154:c21-c21 |