Merge pull request #474 from rdmarsh2/rdmarsh/cpp/call-side-effect

C++: Initital aliased SSA with Chi nodes and function side effects

Author: jbj

config/identical-files.json

@@ -43,14 +43,6 @@
         "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
         "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
     ],
-    "C++ SSA SimpleSSA": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SimpleSSA.qll"
-    ],
-    "C++ SSA IRBlockConstruction": [
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockConstruction.qll",
-        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockConstruction.qll"
-    ],
     "C++ SSA SSAConstruction": [
         "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
         "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"

cpp/ql/src/semmle/code/cpp/PrintAST.qll

@@ -542,6 +542,42 @@ class FunctionNode extends ASTNode {
   }
 }
 
+/**
+ * A node representing an `ClassAggregateLiteral`.
+ */
+class ClassAggregateLiteralNode extends ExprNode {
+  ClassAggregateLiteral list;
+
+  ClassAggregateLiteralNode() {
+    list = ast
+  }
+
+  override string getChildEdgeLabel(int childIndex) {
+    exists(Field field |
+      list.getFieldExpr(field) = list.getChild(childIndex) and
+      result = "." + field.getName()
+    )
+  }
+}
+
+/**
+ * A node representing an `ArrayAggregateLiteral`.
+ */
+class ArrayAggregateLiteralNode extends ExprNode {
+  ArrayAggregateLiteral list;
+
+  ArrayAggregateLiteralNode() {
+    list = ast
+  }
+
+  override string getChildEdgeLabel(int childIndex) {
+    exists(int elementIndex |
+      list.getElementExpr(elementIndex) = list.getChild(childIndex) and
+      result = "[" + elementIndex.toString() + "]"
+    )
+  }
+}
+
 query predicate nodes(PrintASTNode node, string key, string value) {
   node.shouldPrint() and
   value = node.getProperty(key)

cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll

@@ -1,10 +1,15 @@
 import cpp
 
-newtype TMemoryAccessKind =
+private newtype TMemoryAccessKind =
   TIndirectMemoryAccess() or
+  TIndirectMayMemoryAccess() or
+  TBufferMemoryAccess() or
+  TBufferMayMemoryAccess() or
   TEscapedMemoryAccess() or
   TPhiMemoryAccess() or
-  TUnmodeledMemoryAccess()
+  TUnmodeledMemoryAccess() or
+  TChiTotalMemoryAccess() or
+  TChiPartialMemoryAccess()
 
 /**
  * Describes the set of memory locations memory accessed by a memory operand or
@@ -15,15 +20,47 @@ class MemoryAccessKind extends TMemoryAccessKind {
 }
 
 /**
- * The operand or result accesses memory at the address specified by the
- * `AddressOperand` on the same instruction.
+ * The operand or result accesses memory at the address specified by the `AddressOperand` on the
+ * same instruction.
  */
 class IndirectMemoryAccess extends MemoryAccessKind, TIndirectMemoryAccess {
   override string toString() {
     result = "indirect"
   }
 }
 
+/**
+ * The operand or result may access some, all, or none of the memory at the address specified by the
+ * `AddressOperand` on the same instruction.
+ */
+class IndirectMayMemoryAccess extends MemoryAccessKind, TIndirectMayMemoryAccess {
+  override string toString() {
+    result = "indirect(may)"
+  }
+}
+
+/**
+ * The operand or result accesses memory starting at the address specified by the `AddressOperand`
+ * on the same instruction, accessing a number of consecutive elements given by the
+ * `BufferSizeOperand`.
+ */
+class BufferMemoryAccess extends MemoryAccessKind, TBufferMemoryAccess {
+  override string toString() {
+    result = "buffer"
+  }
+}
+
+/**
+ * The operand or result may access some, all, or none of the memory starting at the address
+ * specified by the `AddressOperand` on the same instruction, accessing a number of consecutive
+ * elements given by the `BufferSizeOperand`.
+ */
+class BufferMayMemoryAccess extends MemoryAccessKind, TBufferMayMemoryAccess {
+  override string toString() {
+    result = "buffer(may)"
+  }
+}
+
 /**
  * The operand or result accesses all memory whose address has escaped.
  */
@@ -43,6 +80,26 @@ class PhiMemoryAccess extends MemoryAccessKind, TPhiMemoryAccess {
   }
 }
 
+/**
+ * The operand is a ChiTotal operand, which accesses the same memory as its
+ * definition.
+ */
+class ChiTotalMemoryAccess extends MemoryAccessKind, TChiTotalMemoryAccess {
+  override string toString() {
+    result = "chi(total)"
+  }
+}
+
+/**
+ * The operand is a ChiPartial operand, which accesses the same memory as its
+ * definition.
+ */
+class ChiPartialMemoryAccess extends MemoryAccessKind, TChiPartialMemoryAccess {
+  override string toString() {
+    result = "chi(partial)"
+  }
+}
+
 /**
  * The operand accesses memory not modeled in SSA. Used only on the result of
  * `UnmodeledDefinition` and on the operands of `UnmodeledUse`.

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -54,11 +54,21 @@ private newtype TOpcode =
   TUnwind() or
   TUnmodeledDefinition() or
   TUnmodeledUse() or
+  TAliasedDefinition() or
   TPhi() or
   TVarArgsStart() or
   TVarArgsEnd() or
   TVarArg() or
-  TVarArgCopy()
+  TVarArgCopy() or
+  TCallSideEffect() or
+  TCallReadSideEffect() or
+  TIndirectReadSideEffect() or
+  TIndirectWriteSideEffect() or
+  TIndirectMayWriteSideEffect() or
+  TBufferReadSideEffect() or
+  TBufferWriteSideEffect() or
+  TBufferMayWriteSideEffect() or
+  TChi()
 
 class Opcode extends TOpcode {
   string toString() {
@@ -92,6 +102,29 @@ abstract class OpcodeWithCondition extends Opcode {}
 
 abstract class BuiltInOpcode extends Opcode {}
 
+abstract class SideEffectOpcode extends Opcode {}
+
+/**
+ * An opcode that reads from a set of memory locations as a side effect.
+ */
+abstract class ReadSideEffectOpcode extends SideEffectOpcode {}
+
+/**
+ * An opcode that writes to a set of memory locations as a side effect.
+ */
+abstract class WriteSideEffectOpcode extends SideEffectOpcode {}
+
+/**
+ * An opcode that may overwrite some, all, or none of an existing set of memory locations. Modeled
+ * as a read of the original contents, plus a "may" write of the new contents.
+ */
+abstract class MayWriteSideEffectOpcode extends SideEffectOpcode {}
+
+/**
+ * An opcode that accesses a buffer via an `AddressOperand` and a `BufferSizeOperand`.
+ */
+abstract class BufferAccessOpcode extends MemoryAccessOpcode {}
+
 module Opcode {
   class NoOp extends Opcode, TNoOp { override final string toString() { result = "NoOp" } }
   class Uninitialized extends MemoryAccessOpcode, TUninitialized { override final string toString() { result = "Uninitialized" } }
@@ -148,9 +181,19 @@ module Opcode {
   class Unwind extends Opcode, TUnwind { override final string toString() { result = "Unwind" } }
   class UnmodeledDefinition extends Opcode, TUnmodeledDefinition { override final string toString() { result = "UnmodeledDefinition" } }
   class UnmodeledUse extends Opcode, TUnmodeledUse { override final string toString() { result = "UnmodeledUse" } }
+  class AliasedDefinition extends Opcode, TAliasedDefinition { override final string toString() { result = "AliasedDefinition" } }
   class Phi extends Opcode, TPhi { override final string toString() { result = "Phi" } }
   class VarArgsStart extends BuiltInOpcode, TVarArgsStart { override final string toString() { result = "VarArgsStart" } }
   class VarArgsEnd extends BuiltInOpcode, TVarArgsEnd { override final string toString() { result = "VarArgsEnd" } }
   class VarArg extends BuiltInOpcode, TVarArg { override final string toString() { result = "VarArg" } }
   class VarArgCopy extends BuiltInOpcode, TVarArgCopy { override final string toString() { result = "VarArgCopy" } }
+  class CallSideEffect extends MayWriteSideEffectOpcode, TCallSideEffect { override final string toString() { result = "CallSideEffect" } }
+  class CallReadSideEffect extends ReadSideEffectOpcode, TCallReadSideEffect { override final string toString() { result = "CallReadSideEffect" } }
+  class IndirectReadSideEffect extends ReadSideEffectOpcode, MemoryAccessOpcode, TIndirectReadSideEffect { override final string toString() { result = "IndirectReadSideEffect" } }
+  class IndirectWriteSideEffect extends WriteSideEffectOpcode, MemoryAccessOpcode, TIndirectWriteSideEffect { override final string toString() { result = "IndirectWriteSideEffect" } }
+  class IndirectMayWriteSideEffect extends MayWriteSideEffectOpcode, MemoryAccessOpcode, TIndirectMayWriteSideEffect { override final string toString() { result = "IndirectMayWriteSideEffect" } }
+  class BufferReadSideEffect extends ReadSideEffectOpcode, BufferAccessOpcode, TBufferReadSideEffect { override final string toString() { result = "BufferReadSideEffect" } }
+  class BufferWriteSideEffect extends WriteSideEffectOpcode, BufferAccessOpcode, TBufferWriteSideEffect { override final string toString() { result = "BufferWriteSideEffect" } }
+  class BufferMayWriteSideEffect extends MayWriteSideEffectOpcode, BufferAccessOpcode, TBufferMayWriteSideEffect { override final string toString() { result = "BufferMayWriteSideEffect" } }
+  class Chi extends Opcode, TChi {override final string toString() { result = "Chi" } }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll

@@ -1,7 +1,7 @@
 private import internal.IRInternal
 import Instruction
 import semmle.code.cpp.ir.implementation.EdgeKind
-private import Construction::BlockConstruction
+import Cached
 
 class IRBlock extends TIRBlock {
   final string toString() {
@@ -98,3 +98,82 @@ class IRBlock extends TIRBlock {
     getAPredecessor().isReachableFromFunctionEntry()
   }
 }
+
+private predicate startsBasicBlock(Instruction instr) {
+  not instr instanceof PhiInstruction and
+  (
+    count(Instruction predecessor |
+      instr = predecessor.getASuccessor()
+    ) != 1 or  // Multiple predecessors or no predecessor
+    exists(Instruction predecessor |
+      instr = predecessor.getASuccessor() and
+      strictcount(Instruction other |
+        other = predecessor.getASuccessor()
+      ) > 1
+    ) or  // Predecessor has multiple successors
+    exists(Instruction predecessor, EdgeKind kind |
+      instr = predecessor.getSuccessor(kind) and
+      not kind instanceof GotoEdge
+    )  // Incoming edge is not a GotoEdge
+  )
+}
+
+private predicate isEntryBlock(TIRBlock block) {
+  block = MkIRBlock(any(EnterFunctionInstruction enter))
+}
+
+private cached module Cached {
+  cached newtype TIRBlock =
+    MkIRBlock(Instruction firstInstr) {
+      startsBasicBlock(firstInstr)
+    }
+
+  /** Holds if `i2` follows `i1` in a `IRBlock`. */
+  private predicate adjacentInBlock(Instruction i1, Instruction i2) {
+    exists(GotoEdge edgeKind | i2 = i1.getSuccessor(edgeKind)) and
+    not startsBasicBlock(i2)
+  }
+
+  /** Gets the index of `i` in its `IRBlock`. */
+  private int getMemberIndex(Instruction i) {
+    startsBasicBlock(i) and
+    result = 0
+    or
+    exists(Instruction iPrev |
+      adjacentInBlock(iPrev, i) and
+      result = getMemberIndex(iPrev) + 1
+    )
+  }
+
+  /** Holds if `i` is the `index`th instruction in `block`. */
+  cached Instruction getInstruction(TIRBlock block, int index) {
+    exists(Instruction first |
+      block = MkIRBlock(first) and
+      index = getMemberIndex(result) and
+      adjacentInBlock*(first, result)
+    )
+  }
+
+  cached int getInstructionCount(TIRBlock block) {
+    result = strictcount(getInstruction(block, _))
+  }
+
+  cached predicate blockSuccessor(TIRBlock pred, TIRBlock succ, EdgeKind kind) {
+    exists(Instruction predLast, Instruction succFirst |
+      predLast = getInstruction(pred, getInstructionCount(pred) - 1) and
+      succFirst = predLast.getSuccessor(kind) and
+      succ = MkIRBlock(succFirst)
+    )
+  }
+
+  cached predicate blockSuccessor(TIRBlock pred, TIRBlock succ) {
+    blockSuccessor(pred, succ, _)
+  }
+
+  cached predicate blockImmediatelyDominates(TIRBlock dominator, TIRBlock block) =
+    idominance(isEntryBlock/1, blockSuccessor/2)(_, dominator, block)
+}
+
+Instruction getFirstInstruction(TIRBlock block) {
+  block = MkIRBlock(result)
+}