Merge pull request #648 from dave-bartolomeo/dave/UnreachableIR

C++: Remove unreachable IR

Author: dave-bartolomeo

config/identical-files.json

@@ -72,5 +72,27 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
+  ],
+  "C++ IR ConstantAnalysis": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
+  ],
+  "C++ IR PrintConstantAnalysis": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
+  ],
+  "C++ IR ReachableBlock": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
+  ],
+  "C++ IR PrintReachableBlock": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
+  ],
+  "C++ IR Dominance": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
   ]
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -68,7 +68,8 @@ private newtype TOpcode =
   TBufferReadSideEffect() or
   TBufferWriteSideEffect() or
   TBufferMayWriteSideEffect() or
-  TChi()
+  TChi() or
+  TUnreached()
 
 class Opcode extends TOpcode {
   string toString() {
@@ -195,5 +196,6 @@ module Opcode {
   class BufferReadSideEffect extends ReadSideEffectOpcode, BufferAccessOpcode, TBufferReadSideEffect { override final string toString() { result = "BufferReadSideEffect" } }
   class BufferWriteSideEffect extends WriteSideEffectOpcode, BufferAccessOpcode, TBufferWriteSideEffect { override final string toString() { result = "BufferWriteSideEffect" } }
   class BufferMayWriteSideEffect extends MayWriteSideEffectOpcode, BufferAccessOpcode, TBufferMayWriteSideEffect { override final string toString() { result = "BufferMayWriteSideEffect" } }
-  class Chi extends Opcode, TChi {override final string toString() { result = "Chi" } }
+  class Chi extends Opcode, TChi { override final string toString() { result = "Chi" } }
+  class Unreached extends Opcode, TUnreached { override final string toString() { result = "Unreached" } }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll

@@ -1,7 +1,7 @@
 private import internal.IRInternal
 import Instruction
 import semmle.code.cpp.ir.implementation.EdgeKind
-import Cached
+private import Cached
 
 class IRBlock extends TIRBlock {
   final string toString() {

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -102,7 +102,8 @@ module InstructionSanity {
     not exists(instr.getASuccessor()) and
     not instr instanceof ExitFunctionInstruction and
     // Phi instructions aren't linked into the instruction-level flow graph.
-    not instr instanceof PhiInstruction
+    not instr instanceof PhiInstruction and
+    not instr instanceof UnreachedInstruction
   }
 
   /**
@@ -451,8 +452,7 @@ class Instruction extends Construction::TInstruction {
   final predicate isResultModeled() {
     // Register results are always in SSA form.
     not hasMemoryResult() or
-    // An unmodeled result will have a use on the `UnmodeledUse` instruction.
-    not (getAUse() instanceof UnmodeledUseOperand)
+    Construction::hasModeledMemoryResult(this)
   }
 
   /**
@@ -1469,6 +1469,17 @@ class ChiInstruction extends Instruction {
   }
 }
 
+/**
+ * An instruction representing unreachable code. Inserted in place of the original target
+ * instruction of a `ConditionalBranch` or `Switch` instruction where that particular edge is
+ * infeasible.
+ */
+class UnreachedInstruction extends Instruction {
+  UnreachedInstruction() {
+    opcode instanceof Opcode::Unreached
+  }
+}
+
 /**
  * An instruction representing a built-in operation. This is used to represent
  * operations such as access to variable argument lists.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll

@@ -0,0 +1,38 @@
+private import internal.ConstantAnalysisInternal
+import semmle.code.cpp.ir.internal.IntegerConstant
+private import IR
+
+language[monotonicAggregates]
+IntValue getConstantValue(Instruction instr) {
+  result = instr.(IntegerConstantInstruction).getValue().toInt() or
+  exists(BinaryInstruction binInstr, IntValue left, IntValue right |
+    binInstr = instr and
+    left = getConstantValue(binInstr.getLeftOperand()) and
+    right = getConstantValue(binInstr.getRightOperand()) and
+    (
+      binInstr instanceof AddInstruction and result = add(left, right) or
+      binInstr instanceof SubInstruction and result = sub(left, right) or
+      binInstr instanceof MulInstruction and result = mul(left, right) or
+      binInstr instanceof DivInstruction and result = div(left, right) or
+      binInstr instanceof CompareEQInstruction and result = compareEQ(left, right) or
+      binInstr instanceof CompareNEInstruction and result = compareNE(left, right) or
+      binInstr instanceof CompareLTInstruction and result = compareLT(left, right) or
+      binInstr instanceof CompareGTInstruction and result = compareGT(left, right) or
+      binInstr instanceof CompareLEInstruction and result = compareLE(left, right) or
+      binInstr instanceof CompareGEInstruction and result = compareGE(left, right)
+    )
+  ) or
+  exists(UnaryInstruction unaryInstr, IntValue src |
+    unaryInstr = instr and
+    src = getConstantValue(unaryInstr.getOperand()) and
+    (
+      unaryInstr instanceof NegateInstruction and result = neg(src)
+    )
+  ) or
+  result = getConstantValue(instr.(CopyInstruction).getSourceValue()) or
+  exists(PhiInstruction phi |
+    phi = instr and
+    result = max(PhiOperand operand | operand = phi.getAnOperand() | getConstantValue(operand.getDefinitionInstruction())) and
+    result = min(PhiOperand operand | operand = phi.getAnOperand() | getConstantValue(operand.getDefinitionInstruction()))
+  )
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll

@@ -0,0 +1,11 @@
+private import internal.ConstantAnalysisInternal
+private import semmle.code.cpp.ir.internal.IntegerConstant
+private import ConstantAnalysis
+import IR
+
+private class ConstantAnalysisPropertyProvider extends IRPropertyProvider {
+  override string getInstructionProperty(Instruction instr, string key) {
+    key = "ConstantValue" and
+    result = getValue(getConstantValue(instr)).toString()
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/internal/ConstantAnalysisInternal.qll

@@ -0,0 +1 @@
+import semmle.code.cpp.ir.implementation.aliased_ssa.IR as IR

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -268,9 +268,10 @@ MemoryAccess getOperandMemoryAccess(Operand operand) {
   if exists(IRVariable var, IntValue i |
     resultPointsTo(operand.getAddressOperand().getDefinitionInstruction(), var, i)
   )
-  then exists(IRVariable var, IntValue i |
+  then exists(IRVariable var, IntValue i, int size |
     resultPointsTo(operand.getAddressOperand().getDefinitionInstruction(), var, i) and
-    result = getVariableMemoryAccess(var, i, operand.getDefinitionInstruction().getResultSize())
+    result = getVariableMemoryAccess(var, i, size) and
+    size = operand.getDefinitionInstruction().getResultSize()
   )
   else (
     result = TUnknownMemoryAccess(TUnknownVirtualVariable(operand.getInstruction().getFunctionIR())) and