C++: Introduce a node class that exists before computing SSA.

MathiasVP · MathiasVP · commit 145dea0e9ba6 · 2022-12-02T10:04:52.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -6,6 +6,111 @@ private import DataFlowImplConsistency
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 
+cached
+private module Cached {
+  cached
+  newtype TIRDataFlowNode0 =
+    TInstructionNode0(Instruction i) {
+      not Ssa::ignoreInstruction(i) and
+      // We exclude `void`-typed instructions because they cannot contain data.
+      // However, if the instruction is a glvalue, and their type is `void`, then the result
+      // type of the instruction is really `void*`, and thus we still want to have a dataflow
+      // node for it.
+      (not i.getResultType() instanceof VoidType or i.isGLValue())
+    } or
+    TOperandNode0(Operand op) { not Ssa::ignoreOperand(op) }
+}
+
+private import Cached
+
+class Node0Impl extends TIRDataFlowNode0 {
+  /**
+   * INTERNAL: Do not use.
+   */
+  Declaration getEnclosingCallable() { none() } // overridden in subclasses
+
+  /** Gets the function to which this node belongs, if any. */
+  Declaration getFunction() { none() } // overridden in subclasses
+
+  /**
+   * Gets the type of this node.
+   *
+   * If `asInstruction().isGLValue()` holds, then the type of this node
+   * should be thought of as "pointer to `getType()`".
+   */
+  DataFlowType getType() { none() } // overridden in subclasses
+
+  /** Gets the instruction corresponding to this node, if any. */
+  Instruction asInstruction() { result = this.(InstructionNode0).getInstruction() }
+
+  /** Gets the operands corresponding to this node, if any. */
+  Operand asOperand() { result = this.(OperandNode0).getOperand() }
+
+  /** INTERNAL: Do not use. */
+  Location getLocationImpl() {
+    none() // overridden by subclasses
+  }
+
+  /** INTERNAL: Do not use. */
+  string toStringImpl() {
+    none() // overridden by subclasses
+  }
+
+  /** Gets the location of this node. */
+  final Location getLocation() { result = this.getLocationImpl() }
+
+  /** Gets a textual representation of this node. */
+  final string toString() { result = this.toStringImpl() }
+}
+
+/**
+ * An instruction, viewed as a node in a data flow graph.
+ */
+class InstructionNode0 extends Node0Impl, TInstructionNode0 {
+  Instruction instr;
+
+  InstructionNode0() { this = TInstructionNode0(instr) }
+
+  /** Gets the instruction corresponding to this node. */
+  Instruction getInstruction() { result = instr }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Declaration getFunction() { result = instr.getEnclosingFunction() }
+
+  override DataFlowType getType() { result = instr.getResultType() }
+
+  final override Location getLocationImpl() { result = instr.getLocation() }
+
+  override string toStringImpl() {
+    // This predicate is overridden in subclasses. This default implementation
+    // does not use `Instruction.toString` because that's expensive to compute.
+    result = this.getInstruction().getOpcode().toString()
+  }
+}
+
+/**
+ * An operand, viewed as a node in a data flow graph.
+ */
+class OperandNode0 extends Node0Impl, TOperandNode0 {
+  Operand op;
+
+  OperandNode0() { this = TOperandNode0(op) }
+
+  /** Gets the operand corresponding to this node. */
+  Operand getOperand() { result = op }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Declaration getFunction() { result = op.getUse().getEnclosingFunction() }
+
+  override DataFlowType getType() { result = op.getType() }
+
+  final override Location getLocationImpl() { result = op.getLocation() }
+
+  override string toStringImpl() { result = this.getOperand().toString() }
+}
+
 /**
  * INTERNAL: Do not use.
  *
@@ -251,7 +356,7 @@ class ReturnNode extends Node instanceof IndirectReturnNode {
  */
 private predicate hasNonInitializeParameterDef(IRVariable v) {
   exists(Ssa::Def def |
-    not def.getDefiningInstruction() instanceof InitializeParameterInstruction and
+    not def.getValue().asInstruction() instanceof InitializeParameterInstruction and
     v = def.getSourceVariable().getBaseVariable().(Ssa::BaseIRVariable).getIRVariable()
   )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -33,15 +33,7 @@ private module Cached {
    */
   cached
   newtype TIRDataFlowNode =
-    TInstructionNode(Instruction i) {
-      not Ssa::ignoreInstruction(i) and
-      // We exclude `void`-typed instructions because they cannot contain data.
-      // However, if the instruction is a glvalue, and their type is `void`, then the result
-      // type of the instruction is really `void*`, and thus we still want to have a dataflow
-      // node for it.
-      (not i.getResultType() instanceof VoidType or i.isGLValue())
-    } or
-    TOperandNode(Operand op) { not Ssa::ignoreOperand(op) } or
+    TNode0(Node0Impl node) or
     TVariableNode(Variable var) or
     TPostFieldUpdateNode(FieldAddress operand, int indirectionIndex) {
       indirectionIndex =
@@ -335,52 +327,50 @@ private string toExprString(Node n) {
   result = n.asIndirectExpr().toString() + " indirection"
 }
 
-/**
- * An instruction, viewed as a node in a data flow graph.
- */
-class InstructionNode extends Node, TInstructionNode {
-  Instruction instr;
+class Node0 extends Node, TNode0 {
+  Node0Impl node;
 
-  InstructionNode() { this = TInstructionNode(instr) }
+  Node0() { this = TNode0(node) }
 
-  /** Gets the instruction corresponding to this node. */
-  Instruction getInstruction() { result = instr }
+  override Declaration getEnclosingCallable() { result = node.getEnclosingCallable() }
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
-
-  override Declaration getFunction() { result = instr.getEnclosingFunction() }
+  override Declaration getFunction() { result = node.getFunction() }
 
-  override DataFlowType getType() { result = instr.getResultType() }
+  override DataFlowType getType() { result = node.getType() }
 
-  final override Location getLocationImpl() { result = instr.getLocation() }
+  final override Location getLocationImpl() { result = node.getLocationImpl() }
 
   override string toStringImpl() {
     // This predicate is overridden in subclasses. This default implementation
     // does not use `Instruction.toString` because that's expensive to compute.
-    result = this.getInstruction().getOpcode().toString()
+    result = node.toStringImpl()
   }
 }
 
 /**
- * An operand, viewed as a node in a data flow graph.
+ * An instruction, viewed as a node in a data flow graph.
  */
-class OperandNode extends Node, TOperandNode {
-  Operand op;
-
-  OperandNode() { this = TOperandNode(op) }
-
-  /** Gets the operand corresponding to this node. */
-  Operand getOperand() { result = op }
+class InstructionNode extends Node0 {
+  override InstructionNode0 node;
+  Instruction instr;
 
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  InstructionNode() { instr = node.getInstruction() }
 
-  override Declaration getFunction() { result = op.getUse().getEnclosingFunction() }
+  /** Gets the instruction corresponding to this node. */
+  Instruction getInstruction() { result = instr }
+}
 
-  override DataFlowType getType() { result = op.getType() }
+/**
+ * An operand, viewed as a node in a data flow graph.
+ */
+class OperandNode extends Node, Node0 {
+  override OperandNode0 node;
+  Operand op;
 
-  final override Location getLocationImpl() { result = op.getLocation() }
+  OperandNode() { op = node.getOperand() }
 
-  override string toStringImpl() { result = this.getOperand().toString() }
+  /** Gets the operand corresponding to this node. */
+  Operand getOperand() { result = node.getOperand() }
 }
 
 /**
@@ -681,7 +671,7 @@ class UninitializedNode extends Node {
 
   UninitializedNode() {
     exists(Ssa::Def def |
-      def.getDefiningInstruction() instanceof UninitializedInstruction and
+      def.getValue().asInstruction() instanceof UninitializedInstruction and
       Ssa::nodeToDefOrUse(this, def) and
       v = def.getSourceVariable().getBaseVariable().(Ssa::BaseIRVariable).getIRVariable().getAst()
     )
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -222,16 +222,16 @@ class DefImpl extends DefOrUseImpl, TDefImpl {
 
   override int getIndirectionIndex() { result = ind }
 
-  Instruction getDefiningInstruction() { isDef(_, result, address, _, _, _) }
+  Node0Impl getValue() { isDef(_, result, address, _, _, _) }
 
   override string toString() { result = "DefImpl" }
 
-  override IRBlock getBlock() { result = this.getDefiningInstruction().getBlock() }
+  override IRBlock getBlock() { result = this.getAddressOperand().getUse().getBlock() }
 
-  override Cpp::Location getLocation() { result = this.getDefiningInstruction().getLocation() }
+  override Cpp::Location getLocation() { result = this.getAddressOperand().getUse().getLocation() }
 
   final override predicate hasIndexInBlock(IRBlock block, int index) {
-    this.getDefiningInstruction() = block.getInstruction(index)
+    this.getAddressOperand().getUse() = block.getInstruction(index)
   }
 
   predicate isCertain() { isDef(true, _, address, _, _, ind) }
@@ -308,7 +308,10 @@ predicate outNodeHasAddressAndIndex(
 }
 
 private predicate defToNode(Node nodeFrom, Def def) {
-  nodeHasInstruction(nodeFrom, def.getDefiningInstruction(), def.getIndirectionIndex())
+  // TODO: This is not yet needed (and in fact, the compiler rejects it because `exists(def.getValue().asOperand())` never holds).
+  // nodeHasOperand(nodeFrom, def.getValue().asOperand(), def.getIndirectionIndex())
+  // or
+  nodeHasInstruction(nodeFrom, def.getValue().asInstruction(), def.getIndirectionIndex())
 }
 
 /**
@@ -562,7 +565,7 @@ class Def extends DefOrUse {
     pragma[only_bind_into](result) = pragma[only_bind_out](defOrUse).getIndirectionIndex()
   }
 
-  Instruction getDefiningInstruction() { result = defOrUse.getDefiningInstruction() }
+  Node0Impl getValue() { result = defOrUse.getValue() }
 }
 
 private module SsaImpl = SsaImplCommon::Make<SsaInput>;
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -4,6 +4,7 @@ import semmle.code.cpp.ir.internal.IRCppLanguage
 private import semmle.code.cpp.ir.implementation.raw.internal.SideEffects as SideEffects
 private import DataFlowImplCommon as DataFlowImplCommon
 private import DataFlowUtil
+private import DataFlowPrivate
 
 /**
  * Holds if `operand` is an operand that is not used by the dataflow library.
@@ -126,15 +127,29 @@ class AllocationInstruction extends CallInstruction {
   AllocationInstruction() { this.getStaticCallTarget() instanceof Cpp::AllocationFunction }
 }
 
-/**
- * Holds if `i` is a base instruction that starts a sequence of uses
- * of some variable that SSA can handle.
- *
- * This is either when `i` is a `VariableAddressInstruction` or when
- * `i` is a fresh allocation produced by an `AllocationInstruction`.
- */
-private predicate isSourceVariableBase(Instruction i) {
-  i instanceof VariableAddressInstruction or i instanceof AllocationInstruction
+predicate isWrite(Node0Impl value, Operand address, boolean certain) {
+  certain = true and
+  (
+    exists(StoreInstruction store |
+      value.asInstruction() = store and
+      address = store.getDestinationAddressOperand()
+    )
+    or
+    exists(InitializeParameterInstruction init |
+      value.asInstruction() = init and
+      address = init.getAnOperand()
+    )
+    or
+    exists(InitializeDynamicAllocationInstruction init |
+      value.asInstruction() = init and
+      address = init.getAllocationAddressOperand()
+    )
+    or
+    exists(UninitializedInstruction uninitialized |
+      value.asInstruction() = uninitialized and
+      address = uninitialized.getAnOperand()
+    )
+  )
 }
 
 /**
@@ -263,6 +278,17 @@ private module Cached {
     )
   }
 
+  /**
+   * Holds if `i` is a base instruction that starts a sequence of uses
+   * of some variable that SSA can handle.
+   *
+   * This is either when `i` is a `VariableAddressInstruction` or when
+   * `i` is a fresh allocation produced by an `AllocationInstruction`.
+   */
+  private predicate isSourceVariableBase(Instruction i) {
+    i instanceof VariableAddressInstruction or i instanceof AllocationInstruction
+  }
+
   /**
    * Holds if `address` is an address of an SSA variable rooted at `base`,
    * and `instr` is a definition of the SSA variable with `ind` number of indirections.
@@ -273,25 +299,17 @@ private module Cached {
    */
   cached
   predicate isDef(
-    boolean certain, Instruction instr, Operand address, Instruction base, int ind,
+    boolean certain, Node0Impl value, Operand address, Instruction base, int ind,
     int indirectionIndex
   ) {
-    certain = true and
     exists(int ind0, CppType type, int lower, int upper |
-      address =
-        [
-          instr.(StoreInstruction).getDestinationAddressOperand(),
-          instr.(InitializeParameterInstruction).getAnOperand(),
-          instr.(InitializeDynamicAllocationInstruction).getAllocationAddressOperand(),
-          instr.(UninitializedInstruction).getAnOperand()
-        ]
-    |
+      isWrite(value, address, certain) and
       isDefImpl(address, base, ind0) and
       type = getLanguageType(address) and
       upper = countIndirectionsForCppType(type) and
       ind = ind0 + [lower .. upper] and
       indirectionIndex = ind - (ind0 + lower) and
-      if type.hasType(any(Cpp::ArrayType arrayType), true) then lower = 0 else lower = 1
+      (if type.hasType(any(Cpp::ArrayType arrayType), true) then lower = 0 else lower = 1)
     )
   }
 
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll
@@ -168,16 +168,16 @@ class DefImpl extends DefOrUseImpl, TDefImpl {
 
   Operand getAddressOperand() { result = address }
 
-  Instruction getDefiningInstruction() { isDef(_, result, address, _, _, _) }
+  Node0Impl getValue() { isDef(_, result, address, _, _, _) }
 
   override string toString() { result = address.toString() }
 
-  override IRBlock getBlock() { result = this.getDefiningInstruction().getBlock() }
+  override IRBlock getBlock() { result = this.getAddressOperand().getDef().getBlock() }
 
-  override Cpp::Location getLocation() { result = this.getDefiningInstruction().getLocation() }
+  override Cpp::Location getLocation() { result = this.getAddressOperand().getLocation() }
 
   final override predicate hasIndexInBlock(IRBlock block, int index) {
-    this.getDefiningInstruction() = block.getInstruction(index)
+    this.getAddressOperand().getUse() = block.getInstruction(index)
   }
 
   predicate isCertain() { isDef(true, _, address, _, _, _) }
@@ -302,9 +302,9 @@ class Def extends DefOrUse {
 
   Instruction getAddress() { result = this.getAddressOperand().getDef() }
 
-  Instruction getDefiningInstruction() { result = defOrUse.getDefiningInstruction() }
+  Node0Impl getValue() { result = defOrUse.getValue() }
 
-  override string toString() { result = this.asDefOrUse().toString() + " (def)" }
+  override string toString() { result = this.asDefOrUse().toString() }
 }
 
 private module SsaImpl = SsaImplCommon::Make<SsaInput>;

Original file line number	Diff line number	Diff line change
`@@ -222,16 +222,16 @@ class DefImpl extends DefOrUseImpl, TDefImpl {`
`222`	`222`
`223`	`223`	`override int getIndirectionIndex() { result = ind }`
`224`	`224`
`225`		`- Instruction getDefiningInstruction() { isDef(_, result, address, _, _, _) }`
	`225`	`+ Node0Impl getValue() { isDef(_, result, address, _, _, _) }`
`226`	`226`
`227`	`227`	`override string toString() { result = "DefImpl" }`
`228`	`228`
`229`		`- override IRBlock getBlock() { result = this.getDefiningInstruction().getBlock() }`
	`229`	`+ override IRBlock getBlock() { result = this.getAddressOperand().getUse().getBlock() }`
`230`	`230`
`231`		`- override Cpp::Location getLocation() { result = this.getDefiningInstruction().getLocation() }`
	`231`	`+ override Cpp::Location getLocation() { result = this.getAddressOperand().getUse().getLocation() }`
`232`	`232`
`233`	`233`	`final override predicate hasIndexInBlock(IRBlock block, int index) {`
`234`		`- this.getDefiningInstruction() = block.getInstruction(index)`
	`234`	`+ this.getAddressOperand().getUse() = block.getInstruction(index)`
`235`	`235`	`}`
`236`	`236`
`237`	`237`	`predicate isCertain() { isDef(true, _, address, _, _, ind) }`
`@@ -308,7 +308,10 @@ predicate outNodeHasAddressAndIndex(`
`308`	`308`	`}`
`309`	`309`
`310`	`310`	`private predicate defToNode(Node nodeFrom, Def def) {`
`311`		`- nodeHasInstruction(nodeFrom, def.getDefiningInstruction(), def.getIndirectionIndex())`
	`311`	+ // TODO: This is not yet needed (and in fact, the compiler rejects it because `exists(def.getValue().asOperand())` never holds).
	`312`	`+ // nodeHasOperand(nodeFrom, def.getValue().asOperand(), def.getIndirectionIndex())`
	`313`	`+ // or`
	`314`	`+ nodeHasInstruction(nodeFrom, def.getValue().asInstruction(), def.getIndirectionIndex())`
`312`	`315`	`}`
`313`	`316`
`314`	`317`	`/**`
`@@ -562,7 +565,7 @@ class Def extends DefOrUse {`
`562`	`565`	`pragma[only_bind_into](result) = pragma[only_bind_out](defOrUse).getIndirectionIndex()`
`563`	`566`	`}`
`564`	`567`
`565`		`- Instruction getDefiningInstruction() { result = defOrUse.getDefiningInstruction() }`
	`568`	`+ Node0Impl getValue() { result = defOrUse.getValue() }`
`566`	`569`	`}`
`567`	`570`
`568`	`571`	`private module SsaImpl = SsaImplCommon::Make<SsaInput>;`