C++: Add more support for load instructions

MathiasVP · MathiasVP · commit 54f0b4a0990c · 2020-02-06T09:21:42.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll
@@ -52,6 +52,11 @@ newtype TValueNumber =
   ) {
     inheritanceConversionValueNumber(_, irFunc, opcode, baseClass, derivedClass, operand)
   } or
+  TCongruentCopyInstructionTotal(
+    IRFunction irFunc, IRType type, ValueNumber memOperand, ValueNumber operand
+  ) {
+    congruentCopyInstructionTotalValueNumber(_, irFunc, type, memOperand, operand)
+  } or
   TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
 
 /**
@@ -101,12 +106,18 @@ class ValueNumber extends TValueNumber {
  * The use of `p.x` on line 3 is linked to the definition of `p` on line 1 as well, but is not
  * congruent to that definition because `p.x` accesses only a subset of the memory defined by `p`.
  */
-private class CongruentCopyInstruction extends CopyInstruction {
-  CongruentCopyInstruction() {
+class CongruentCopyInstructionExact extends CopyInstruction {
+  CongruentCopyInstructionExact() {
     this.getSourceValueOperand().getDefinitionOverlap() instanceof MustExactlyOverlap
   }
 }
 
+class CongruentCopyInstructionTotal extends CopyInstruction {
+  CongruentCopyInstructionTotal() {
+    this.getSourceValueOperand().getDefinitionOverlap() instanceof MustTotallyOverlap
+  }
+}
+
 /**
  * Holds if this library knows how to assign a value number to the specified instruction, other than
  * a `unique` value number that is never shared by multiple instructions.
@@ -130,7 +141,9 @@ private predicate numberableInstruction(Instruction instr) {
   or
   instr instanceof PointerArithmeticInstruction
   or
-  instr instanceof CongruentCopyInstruction
+  instr instanceof CongruentCopyInstructionExact
+  or
+  instr instanceof CongruentCopyInstructionTotal
 }
 
 private predicate variableAddressValueNumber(
@@ -205,6 +218,7 @@ private predicate unaryValueNumber(
   instr.getEnclosingIRFunction() = irFunc and
   not instr instanceof InheritanceConversionInstruction and
   not instr instanceof CopyInstruction and
+  not instr instanceof FieldAddressInstruction and
   instr.getOpcode() = opcode and
   instr.getResultIRType() = type and
   valueNumber(instr.getUnary()) = operand
@@ -221,6 +235,16 @@ private predicate inheritanceConversionValueNumber(
   valueNumber(instr.getUnary()) = operand
 }
 
+private predicate congruentCopyInstructionTotalValueNumber(
+  CongruentCopyInstructionTotal instr, IRFunction irFunc, IRType type, ValueNumber memOperand,
+  ValueNumber operand
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  valueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
+  valueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand
+}
+
 /**
  * Holds if `instr` should be assigned a unique value number because this library does not know how
  * to determine if two instances of that instruction are equivalent.
@@ -313,8 +337,13 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) {
           TPointerArithmeticValueNumber(irFunc, opcode, type, elementSize, leftOperand, rightOperand)
       )
       or
+      exists(IRType type, ValueNumber memOperand, ValueNumber operand |
+        congruentCopyInstructionTotalValueNumber(instr, irFunc, type, memOperand, operand) and
+        result = TCongruentCopyInstructionTotal(irFunc, type, memOperand, operand)
+      )
+      or
       // The value number of a copy is just the value number of its source value.
-      result = valueNumber(instr.(CongruentCopyInstruction).getSourceValue())
+      result = valueNumber(instr.(CongruentCopyInstructionExact).getSourceValue())
     )
   )
 }
