C++: Model varargs in IR, Part I

This change introduces a new synthesized `IRVariable` in every varargs function. This variable represents the entire set of arguments passed to the ellipsis by the caller. We give it an opaque type big enough hold all of the arguments passed by the largest vararg call in the database. It is treated just like any other parameter. It is initialized the same, it has indirect buffers, etc.

I had to introduce a couple new APIs to `Call` and `Function`. The QLDoc comments should explain these. I added tests for these new APIs as well.

The next step will be to change the IR generation for the `va_*` macros to manipulate the ellipsis parameter.

Author: Dave Bartolomeo

cpp/ql/src/semmle/code/cpp/Function.qll

@@ -364,6 +364,12 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   /** Holds if this function is a varargs function. */
   predicate isVarargs() { hasSpecifier("varargs") }
 
+  /**
+   * Gets the index of the `...` parameter, if any. If present, the value will always be equal to
+   * `getNumberOfParameters()`.
+   */
+  int getEllipsisParameterIndex() { isVarargs() and result = getNumberOfParameters() }
+
   /** Gets a type that is specified to be thrown by the function. */
   Type getAThrownType() { result = getADeclarationEntry().getAThrownType() }
 

cpp/ql/src/semmle/code/cpp/exprs/Call.qll

@@ -2,6 +2,13 @@ import semmle.code.cpp.exprs.Expr
 import semmle.code.cpp.Function
 private import semmle.code.cpp.dataflow.EscapesTree
 
+/**
+ * Gets the index of the `...` parameter, if any.
+ */
+private int getEllipsisParameterIndex(RoutineType type) {
+  type.getParameterType(result) instanceof UnknownType
+}
+
 /**
  * A C/C++ call.
  *
@@ -78,6 +85,32 @@ abstract class Call extends Expr, NameQualifiableElement {
 
   override string toString() { none() }
 
+  /**
+   * Gets the index of the `...` parameter, if any. This will be one greater than the index of the
+   * last declared positional parameter.
+   */
+  abstract int getEllipsisParameterIndex();
+
+  /**
+   * Gets the index of the parameter that will be initialized with the value of the argument
+   * specified by `argIndex`. For ordinary positional parameters, the argument and parameter indices
+   * will be equal. For a call to a varargs function, all arguments passed to the `...` will be
+   * mapped to the index returned by `getEllipsisParameterIndex()`.
+   */
+  final int getParameterIndexForArgument(int argIndex) {
+    exists(getArgument(argIndex)) and
+    if argIndex >= getEllipsisParameterIndex()
+    then result = getEllipsisParameterIndex()
+    else result = argIndex
+  }
+
+  /**
+   * Holds if the argument specified by `index` is an argument to the `...` of a varargs function.
+   */
+  final predicate isEllipsisArgumentIndex(int index) {
+    exists(getArgument(index)) and index >= getEllipsisParameterIndex()
+  }
+
   /**
    * Holds if this call passes the variable accessed by `va` by
    * reference as the `i`th argument.
@@ -259,6 +292,12 @@ class FunctionCall extends Call, @funbindexpr {
     else result = "call to unknown function"
   }
 
+  final override int getEllipsisParameterIndex() {
+    if getTargetType() instanceof RoutineType
+    then result = getEllipsisParameterIndex(getTargetType())
+    else result = getTarget().getEllipsisParameterIndex()
+  }
+
   override predicate mayBeImpure() {
     this.getChild(_).mayBeImpure() or
     this.getTarget().mayHaveSideEffects() or
@@ -378,6 +417,10 @@ class ExprCall extends Call, @callexpr {
   override string toString() { result = "call to expression" }
 
   override Function getTarget() { none() }
+
+  final override int getEllipsisParameterIndex() {
+    result = getEllipsisParameterIndex(getExpr().getType().stripType())
+  }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/exprs/ObjectiveC.qll

@@ -63,6 +63,10 @@ deprecated class MessageExpr extends Expr, Call {
   override Expr getArgument(int n) { none() }
 
   override int getPrecedence() { none() }
+
+  final override int getEllipsisParameterIndex() {
+    none()
+  }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -211,6 +211,16 @@ class IRThrowVariable extends IRTempVariable {
   override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IREllipsisVariable extends IRTempVariable {
+  IREllipsisVariable() { tag = EllipsisTempVar() }
+
+  final override string toString() { result = "#ellipsis" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -211,6 +211,16 @@ class IRThrowVariable extends IRTempVariable {
   override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IREllipsisVariable extends IRTempVariable {
+  IREllipsisVariable() { tag = EllipsisTempVar() }
+
+  final override string toString() { result = "#ellipsis" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -382,6 +382,9 @@ newtype TTranslatedElement =
       translateFunction(func)
     )
   } or
+  TTranslatedEllipsisParameter(Function func) {
+    translateFunction(func) and func.isVarargs()
+  } or
   TTranslatedReadEffects(Function func) { translateFunction(func) } or
   // The read side effects in a function's return block
   TTranslatedReadEffect(Parameter param) {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -16,6 +16,32 @@ private import TranslatedStmt
  */
 TranslatedFunction getTranslatedFunction(Function func) { result.getAST() = func }
 
+/**
+ * Gets the size, in bytes, of the variable used to represent the `...` parameter in a varargs
+ * function. This is determined by finding the total size of all of the arguments passed to the
+ * `...` in each call in the program, and choosing the maximum of those, with a minimum of 8 bytes.
+ */
+private int getEllipsisVariableByteSize() {
+  result =
+    max(int variableSize |
+      variableSize =
+        max(Call call, int callSize |
+          callSize =
+            sum(int argIndex |
+              call.isEllipsisArgumentIndex(argIndex)
+            |
+              call.getArgument(argIndex).getType().getSize()
+            )
+        |
+          callSize
+        )
+      or
+      variableSize = 8
+    |
+      variableSize
+    )
+}
+
 /**
  * Represents the IR translation of a function. This is the root elements for
  * all other elements associated with this function.
@@ -60,6 +86,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
 
   final private TranslatedParameter getParameter(int index) {
     result = getTranslatedParameter(func.getParameter(index))
+    or
+    index = func.getEllipsisParameterIndex() and
+    result = getTranslatedEllipsisParameter(func)
   }
 
   final override Instruction getFirstInstruction() { result = getInstruction(EnterFunctionTag()) }
@@ -113,7 +142,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
   final override Instruction getChildSuccessor(TranslatedElement child) {
     exists(int paramIndex |
       child = getParameter(paramIndex) and
-      if exists(func.getParameter(paramIndex + 1))
+      if
+        exists(func.getParameter(paramIndex + 1)) or
+        func.getEllipsisParameterIndex() = paramIndex + 1
       then result = getParameter(paramIndex + 1).getFirstInstruction()
       else result = getConstructorInitList().getFirstInstruction()
     )
@@ -237,10 +268,18 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     result = getReturnVariable()
   }
 
+  final override predicate needsUnknownOpaqueType(int byteSize) {
+    byteSize = getEllipsisVariableByteSize()
+  }
+
   final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
     tag = ReturnValueTempVar() and
     hasReturnValue() and
     type = getTypeForPRValue(getReturnType())
+    or
+    tag = EllipsisTempVar() and
+    func.isVarargs() and
+    type = getUnknownOpaqueType(getEllipsisVariableByteSize())
   }
 
   /**
@@ -316,34 +355,29 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
 }
 
 /**
- * Gets the `TranslatedParameter` that represents parameter `param`.
+ * Gets the `TranslatedPositionalParameter` that represents parameter `param`.
  */
-TranslatedParameter getTranslatedParameter(Parameter param) { result.getAST() = param }
+TranslatedPositionalParameter getTranslatedParameter(Parameter param) { result.getAST() = param }
 
 /**
- * Represents the IR translation of a function parameter, including the
- * initialization of that parameter with the incoming argument.
+ * Gets the `TranslatedEllipsisParameter` for function `func`, if one exists.
  */
-class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
-  Parameter param;
-
-  TranslatedParameter() { this = TTranslatedParameter(param) }
-
-  final override string toString() { result = param.toString() }
-
-  final override Locatable getAST() { result = param }
+TranslatedEllipsisParameter getTranslatedEllipsisParameter(Function func) {
+  result.getFunction() = func
+}
 
-  final override Function getFunction() {
-    result = param.getFunction() or
-    result = param.getCatchBlock().getEnclosingFunction()
-  }
+/**
+ * The IR translation of a parameter to a function. This can be either a user-declared parameter
+ * (`TranslatedPositionParameter`) or the synthesized parameter used to represent a `...` in a
+ * varargs function (`TranslatedEllipsisParameter`).
+ */
+abstract class TranslatedParameter extends TranslatedElement {
+  final override TranslatedElement getChild(int id) { none() }
 
   final override Instruction getFirstInstruction() {
     result = getInstruction(InitializerVariableAddressTag())
   }
 
-  final override TranslatedElement getChild(int id) { none() }
-
   final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     kind instanceof GotoEdge and
     (
@@ -368,16 +402,16 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
   final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
     tag = InitializerVariableAddressTag() and
     opcode instanceof Opcode::VariableAddress and
-    resultType = getTypeForGLValue(getVariableType(param))
+    resultType = getGLValueType()
     or
     tag = InitializerStoreTag() and
     opcode instanceof Opcode::InitializeParameter and
-    resultType = getTypeForPRValue(getVariableType(param))
+    resultType = getPRValueType()
     or
     hasIndirection() and
     tag = InitializerIndirectAddressTag() and
     opcode instanceof Opcode::Load and
-    resultType = getTypeForPRValue(getVariableType(param))
+    resultType = getPRValueType()
     or
     hasIndirection() and
     tag = InitializerIndirectStoreTag() and
@@ -391,7 +425,7 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
       tag = InitializerVariableAddressTag() or
       tag = InitializerIndirectStoreTag()
     ) and
-    result = getIRUserVariable(getFunction(), param)
+    result = getIRVariable()
   }
 
   final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
@@ -416,13 +450,74 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
     result = getInstruction(InitializerIndirectAddressTag())
   }
 
-  predicate hasIndirection() {
+  abstract predicate hasIndirection();
+
+  abstract CppType getGLValueType();
+
+  abstract CppType getPRValueType();
+
+  abstract IRAutomaticVariable getIRVariable();
+}
+
+/**
+ * Represents the IR translation of a function parameter, including the
+ * initialization of that parameter with the incoming argument.
+ */
+class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedParameter {
+  Parameter param;
+
+  TranslatedPositionalParameter() { this = TTranslatedParameter(param) }
+
+  final override string toString() { result = param.toString() }
+
+  final override Locatable getAST() { result = param }
+
+  final override Function getFunction() {
+    result = param.getFunction() or
+    result = param.getCatchBlock().getEnclosingFunction()
+  }
+
+  final override predicate hasIndirection() {
     exists(Type t | t = param.getUnspecifiedType() |
       t instanceof ArrayType or
       t instanceof PointerType or
       t instanceof ReferenceType
     )
   }
+
+  final override CppType getGLValueType() { result = getTypeForGLValue(getVariableType(param)) }
+
+  final override CppType getPRValueType() { result = getTypeForPRValue(getVariableType(param)) }
+
+  final override IRAutomaticUserVariable getIRVariable() {
+    result = getIRUserVariable(getFunction(), param)
+  }
+}
+
+/**
+ * The IR translation of the synthesized parameter used to represent the `...` in a varargs
+ * function.
+ */
+class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllipsisParameter {
+  Function func;
+
+  TranslatedEllipsisParameter() { this = TTranslatedEllipsisParameter(func) }
+
+  final override string toString() { result = "..." }
+
+  final override Locatable getAST() { result = func }
+
+  final override Function getFunction() { result = func }
+
+  final override predicate hasIndirection() { any() }
+
+  final override CppType getGLValueType() { result = getTypeForGLValue(any(UnknownType t)) }
+
+  final override CppType getPRValueType() {
+    result = getUnknownOpaqueType(getEllipsisVariableByteSize())
+  }
+
+  final override IREllipsisVariable getIRVariable() { result.getEnclosingFunction() = func }
 }
 
 private TranslatedConstructorInitList getTranslatedConstructorInitList(Function func) {

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -211,6 +211,16 @@ class IRThrowVariable extends IRTempVariable {
   override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IREllipsisVariable extends IRTempVariable {
+  IREllipsisVariable() { tag = EllipsisTempVar() }
+
+  final override string toString() { result = "#ellipsis" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/internal/TempVariableTag.qll

@@ -2,7 +2,8 @@ newtype TTempVariableTag =
   ConditionValueTempVar() or
   ReturnValueTempVar() or
   ThrowTempVar() or
-  LambdaTempVar()
+  LambdaTempVar() or
+  EllipsisTempVar()
 
 string getTempVariableTagId(TTempVariableTag tag) {
   tag = ConditionValueTempVar() and result = "CondVal"
@@ -12,4 +13,6 @@ string getTempVariableTagId(TTempVariableTag tag) {
   tag = ThrowTempVar() and result = "Throw"
   or
   tag = LambdaTempVar() and result = "Lambda"
+  or
+  tag = EllipsisTempVar() and result = "Ellipsis"
 }