C++/C#: Add AliasedUse instruction to all functions

This new instruction is the dual of the existing `AliasedDefinition` instruction. Whereas that instruction defines the contents of aliased memory before the function was called, `AliasedUse` represents the potential use of all aliased memory after the function returns. This ensures that writes to aliased memory do not appear "dead", even if there are no further reads from aliased memory within the function itself.

Author: Dave Bartolomeo

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -57,6 +57,7 @@ private newtype TOpcode =
   TUnmodeledDefinition() or
   TUnmodeledUse() or
   TAliasedDefinition() or
+  TAliasedUse() or
   TPhi() or
   TBuiltIn() or
   TVarArgsStart() or
@@ -393,6 +394,10 @@ module Opcode {
     final override string toString() { result = "AliasedDefinition" }
   }
 
+  class AliasedUse extends Opcode, TAliasedUse {
+    final override string toString() { result = "AliasedUse" }
+  }
+  
   class Phi extends Opcode, TPhi {
     final override string toString() { result = "Phi" }
   }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -49,7 +49,8 @@ module InstructionSanity {
         (
           opcode instanceof ReadSideEffectOpcode or
           opcode instanceof Opcode::InlineAsm or
-          opcode instanceof Opcode::CallSideEffect
+          opcode instanceof Opcode::CallSideEffect or
+          opcode instanceof Opcode::AliasedUse
         ) and
         tag instanceof SideEffectOperandTag
       )
@@ -260,6 +261,7 @@ module InstructionSanity {
   ) {
     exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
       not useOperand.getUse() instanceof UnmodeledUseInstruction and
+      not defInstr instanceof UnmodeledDefinitionInstruction and
       pointOfEvaluation(useOperand, useBlock, useIndex) and
       defInstr = useOperand.getAnyDef() and
       (
@@ -1423,6 +1425,13 @@ class AliasedDefinitionInstruction extends Instruction {
   final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess }
 }
 
+/**
+ * An instruction that consumes all escaped memory on exit from the function.
+ */
+class AliasedUseInstruction extends Instruction {
+  AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse }
+}
+
 class UnmodeledUseInstruction extends Instruction {
   UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -388,6 +388,9 @@ class SideEffectOperand extends TypedOperand {
   }
 
   override MemoryAccessKind getMemoryAccess() {
+    useInstr instanceof AliasedUseInstruction and
+    result instanceof EscapedMayMemoryAccess
+    or
     useInstr instanceof CallSideEffectInstruction and
     result instanceof EscapedMayMemoryAccess
     or

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -49,7 +49,8 @@ module InstructionSanity {
         (
           opcode instanceof ReadSideEffectOpcode or
           opcode instanceof Opcode::InlineAsm or
-          opcode instanceof Opcode::CallSideEffect
+          opcode instanceof Opcode::CallSideEffect or
+          opcode instanceof Opcode::AliasedUse
         ) and
         tag instanceof SideEffectOperandTag
       )
@@ -260,6 +261,7 @@ module InstructionSanity {
   ) {
     exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
       not useOperand.getUse() instanceof UnmodeledUseInstruction and
+      not defInstr instanceof UnmodeledDefinitionInstruction and
       pointOfEvaluation(useOperand, useBlock, useIndex) and
       defInstr = useOperand.getAnyDef() and
       (
@@ -1423,6 +1425,13 @@ class AliasedDefinitionInstruction extends Instruction {
   final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess }
 }
 
+/**
+ * An instruction that consumes all escaped memory on exit from the function.
+ */
+class AliasedUseInstruction extends Instruction {
+  AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse }
+}
+
 class UnmodeledUseInstruction extends Instruction {
   UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll

@@ -388,6 +388,9 @@ class SideEffectOperand extends TypedOperand {
   }
 
   override MemoryAccessKind getMemoryAccess() {
+    useInstr instanceof AliasedUseInstruction and
+    result instanceof EscapedMayMemoryAccess
+    or
     useInstr instanceof CallSideEffectInstruction and
     result instanceof EscapedMayMemoryAccess
     or

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -26,6 +26,7 @@ newtype TInstructionTag =
   UnmodeledDefinitionTag() or
   UnmodeledUseTag() or
   AliasedDefinitionTag() or
+  AliasedUseTag() or
   SwitchBranchTag() or
   CallTargetTag() or
   CallTag() or
@@ -118,6 +119,8 @@ string getInstructionTagId(TInstructionTag tag) {
   or
   tag = AliasedDefinitionTag() and result = "AliasedDef"
   or
+  tag = AliasedUseTag() and result = "AliasedUse"
+  or
   tag = SwitchBranchTag() and result = "SwitchBranch"
   or
   tag = CallTargetTag() and result = "CallTarget"

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -95,6 +95,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
       result = getInstruction(UnmodeledUseTag())
       or
       tag = UnmodeledUseTag() and
+      result = getInstruction(AliasedUseTag())
+      or
+      tag = AliasedUseTag() and
       result = getInstruction(ExitFunctionTag())
     )
   }
@@ -176,6 +179,11 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
       resultType instanceof VoidType and
       isGLValue = false
       or
+      tag = AliasedUseTag() and
+      opcode instanceof Opcode::AliasedUse and
+      resultType instanceof VoidType and
+      isGLValue = false
+      or
       tag = ExitFunctionTag() and
       opcode instanceof Opcode::ExitFunction and
       resultType instanceof VoidType and
@@ -197,6 +205,10 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     operandTag instanceof UnmodeledUseOperandTag and
     result = getUnmodeledDefinitionInstruction()
     or
+    tag = AliasedUseTag() and
+    operandTag instanceof SideEffectOperandTag and
+    result = getUnmodeledDefinitionInstruction()
+    or
     tag = ReturnTag() and
     not getReturnType() instanceof VoidType and
     (
@@ -213,6 +225,10 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     not getReturnType() instanceof VoidType and
     operandTag instanceof LoadOperandTag and
     result = getReturnType()
+    or
+    tag = AliasedUseTag() and
+    operandTag instanceof SideEffectOperandTag and
+    result instanceof UnknownType
   }
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -49,7 +49,8 @@ module InstructionSanity {
         (
           opcode instanceof ReadSideEffectOpcode or
           opcode instanceof Opcode::InlineAsm or
-          opcode instanceof Opcode::CallSideEffect
+          opcode instanceof Opcode::CallSideEffect or
+          opcode instanceof Opcode::AliasedUse
         ) and
         tag instanceof SideEffectOperandTag
       )
@@ -260,6 +261,7 @@ module InstructionSanity {
   ) {
     exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
       not useOperand.getUse() instanceof UnmodeledUseInstruction and
+      not defInstr instanceof UnmodeledDefinitionInstruction and
       pointOfEvaluation(useOperand, useBlock, useIndex) and
       defInstr = useOperand.getAnyDef() and
       (
@@ -1423,6 +1425,13 @@ class AliasedDefinitionInstruction extends Instruction {
   final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess }
 }
 
+/**
+ * An instruction that consumes all escaped memory on exit from the function.
+ */
+class AliasedUseInstruction extends Instruction {
+  AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse }
+}
+
 class UnmodeledUseInstruction extends Instruction {
   UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll

@@ -388,6 +388,9 @@ class SideEffectOperand extends TypedOperand {
   }
 
   override MemoryAccessKind getMemoryAccess() {
+    useInstr instanceof AliasedUseInstruction and
+    result instanceof EscapedMayMemoryAccess
+    or
     useInstr instanceof CallSideEffectInstruction and
     result instanceof EscapedMayMemoryAccess
     or