github
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll‎
Lines changed: 38 additions & 3 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll‎
Lines changed: 38 additions & 3 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll‎
Lines changed: 40 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll‎
Lines changed: 40 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll‎
Lines changed: 128 additions & 3 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll‎
Lines changed: 128 additions & 3 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll‎
Lines changed: 33 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll‎
Lines changed: 7 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll‎
Lines changed: 7 additions & 0 deletions
@@ -1,7 +1,10 @@
 import cpp
 
-newtype TMemoryAccessKind =
+private newtype TMemoryAccessKind =
   TIndirectMemoryAccess() or
+  TIndirectMayMemoryAccess() or
+  TBufferMemoryAccess() or
+  TBufferMayMemoryAccess() or
   TEscapedMemoryAccess() or
   TPhiMemoryAccess() or
   TUnmodeledMemoryAccess()
@@ -15,15 +18,47 @@ class MemoryAccessKind extends TMemoryAccessKind {
 }
 
 /**
- * The operand or result accesses memory at the address specified by the
- * `AddressOperand` on the same instruction.
+ * The operand or result accesses memory at the address specified by the `AddressOperand` on the
+ * same instruction.
  */
 class IndirectMemoryAccess extends MemoryAccessKind, TIndirectMemoryAccess {
   override string toString() {
     result = "indirect"
   }
 }
 
+/**
+ * The operand or result may access some, all, or none of the memory at the address specified by the
+ * `AddressOperand` on the same instruction.
+ */
+class IndirectMayMemoryAccess extends MemoryAccessKind, TIndirectMayMemoryAccess {
+  override string toString() {
+    result = "indirect(may)"
+  }
+}
+
+/**
+ * The operand or result accesses memory starting at the address specified by the `AddressOperand`
+ * on the same instruction, accessing a number of consecutive elements given by the
+ * `BufferSizeOperand`.
+ */
+class BufferMemoryAccess extends MemoryAccessKind, TBufferMemoryAccess {
+  override string toString() {
+    result = "buffer"
+  }
+}
+
+/**
+ * The operand or result may access some, all, or none of the memory starting at the address
+ * specified by the `AddressOperand` on the same instruction, accessing a number of consecutive
+ * elements given by the `BufferSizeOperand`.
+ */
+class BufferMayMemoryAccess extends MemoryAccessKind, TBufferMayMemoryAccess {
+  override string toString() {
+    result = "buffer(may)"
+  }
+}
+
 /**
  * The operand or result accesses all memory whose address has escaped.
  */
 
@@ -58,7 +58,15 @@ private newtype TOpcode =
   TVarArgsStart() or
   TVarArgsEnd() or
   TVarArg() or
-  TVarArgCopy()
+  TVarArgCopy() or
+  TCallSideEffect() or
+  TCallReadSideEffect() or
+  TIndirectReadSideEffect() or
+  TIndirectWriteSideEffect() or
+  TIndirectMayWriteSideEffect() or
+  TBufferReadSideEffect() or
+  TBufferWriteSideEffect() or
+  TBufferMayWriteSideEffect()
 
 class Opcode extends TOpcode {
   string toString() {
@@ -92,6 +100,29 @@ abstract class OpcodeWithCondition extends Opcode {}
 
 abstract class BuiltInOpcode extends Opcode {}
 
+abstract class SideEffectOpcode extends Opcode {}
+
+/**
+ * An opcode that reads from a set of memory locations as a side effect.
+ */
+abstract class ReadSideEffectOpcode extends SideEffectOpcode {}
+
+/**
+ * An opcode that writes to a set of memory locations as a side effect.
+ */
+abstract class WriteSideEffectOpcode extends SideEffectOpcode {}
+
+/**
+ * An opcode that may overwrite some, all, or none of an existing set of memory locations. Modeled
+ * as a read of the original contents, plus a "may" write of the new contents.
+ */
+abstract class MayWriteSideEffectOpcode extends SideEffectOpcode {}
+
+/**
+ * An opcode that accesses a buffer via an `AddressOperand` and a `BufferSizeOperand`.
+ */
+abstract class BufferAccessOpcode extends MemoryAccessOpcode {}
+
 module Opcode {
   class NoOp extends Opcode, TNoOp { override final string toString() { result = "NoOp" } }
   class Uninitialized extends MemoryAccessOpcode, TUninitialized { override final string toString() { result = "Uninitialized" } }
@@ -153,4 +184,12 @@ module Opcode {
   class VarArgsEnd extends BuiltInOpcode, TVarArgsEnd { override final string toString() { result = "VarArgsEnd" } }
   class VarArg extends BuiltInOpcode, TVarArg { override final string toString() { result = "VarArg" } }
   class VarArgCopy extends BuiltInOpcode, TVarArgCopy { override final string toString() { result = "VarArgCopy" } }
+  class CallSideEffect extends MayWriteSideEffectOpcode, TCallSideEffect { override final string toString() { result = "CallSideEffect" } }
+  class CallReadSideEffect extends ReadSideEffectOpcode, TCallReadSideEffect { override final string toString() { result = "CallReadSideEffect" } }
+  class IndirectReadSideEffect extends ReadSideEffectOpcode, MemoryAccessOpcode, TIndirectReadSideEffect { override final string toString() { result = "IndirectReadSideEffect" } }
+  class IndirectWriteSideEffect extends WriteSideEffectOpcode, MemoryAccessOpcode, TIndirectWriteSideEffect { override final string toString() { result = "IndirectWriteSideEffect" } }
+  class IndirectMayWriteSideEffect extends MayWriteSideEffectOpcode, MemoryAccessOpcode, TIndirectMayWriteSideEffect { override final string toString() { result = "IndirectMayWriteSideEffect" } }
+  class BufferReadSideEffect extends ReadSideEffectOpcode, BufferAccessOpcode, TBufferReadSideEffect { override final string toString() { result = "BufferReadSideEffect" } }
+  class BufferWriteSideEffect extends WriteSideEffectOpcode, BufferAccessOpcode, TBufferWriteSideEffect { override final string toString() { result = "BufferWriteSideEffect" } }
+  class BufferMayWriteSideEffect extends MayWriteSideEffectOpcode, BufferAccessOpcode, TBufferMayWriteSideEffect { override final string toString() { result = "BufferMayWriteSideEffect" } }
 }
@@ -33,11 +33,16 @@ module InstructionSanity {
         ) or
         opcode instanceof CopyOpcode and tag instanceof CopySourceOperandTag or
         opcode instanceof MemoryAccessOpcode and tag instanceof AddressOperandTag or
+        opcode instanceof BufferAccessOpcode and tag instanceof BufferSizeOperand or
         opcode instanceof OpcodeWithCondition and tag instanceof ConditionOperandTag or
         opcode instanceof Opcode::ReturnValue and tag instanceof ReturnValueOperandTag or
         opcode instanceof Opcode::ThrowValue and tag instanceof ExceptionOperandTag or
         opcode instanceof Opcode::UnmodeledUse and tag instanceof UnmodeledUseOperandTag or
-        opcode instanceof Opcode::Call and tag instanceof CallTargetOperandTag
+        opcode instanceof Opcode::Call and tag instanceof CallTargetOperandTag or
+        (
+          (opcode instanceof ReadSideEffectOpcode or opcode instanceof MayWriteSideEffectOpcode) and
+          tag instanceof SideEffectOperandTag
+        )
       )
     )
   }
@@ -162,9 +167,9 @@ class Instruction extends Construction::TInstruction {
    */
   final string getOperationString() {
     if exists(getImmediateString()) then
-      result = opcode.toString() + "[" + getImmediateString() + "]"
+      result = getOperationPrefix() + opcode.toString() + "[" + getImmediateString() + "]"
     else
-      result = opcode.toString()
+      result = getOperationPrefix() + opcode.toString()
   }
 
   /**
@@ -174,6 +179,13 @@ class Instruction extends Construction::TInstruction {
     none()
   }
 
+  private string getOperationPrefix() {
+    if this instanceof SideEffectInstruction then
+      result = "^"
+    else
+      result = ""
+  }
+
   private string getResultPrefix() {
     if resultType instanceof VoidType then
       result = "v"
@@ -1084,6 +1096,9 @@ class SwitchInstruction extends Instruction {
   }
 }
 
+/**
+ * An instruction that calls a function.
+ */
 class CallInstruction extends Instruction {
   CallInstruction() {
     opcode instanceof Opcode::Call
@@ -1094,6 +1109,116 @@ class CallInstruction extends Instruction {
   }
 }
 
+/**
+ * An instruction representing a side effect of a function call.
+ */
+class SideEffectInstruction extends Instruction {
+  SideEffectInstruction() {
+    opcode instanceof SideEffectOpcode
+  }
+
+  final Instruction getPrimaryInstruction() {
+    result = Construction::getPrimaryInstructionForSideEffect(this)
+  }
+}
+
+/**
+ * An instruction representing the side effect of a function call on any memory that might be
+ * accessed by that call.
+ */
+class CallSideEffectInstruction extends SideEffectInstruction {
+  CallSideEffectInstruction() {
+    opcode instanceof Opcode::CallSideEffect
+  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof EscapedMemoryAccess
+  }
+}
+
+/**
+ * An instruction representing the side effect of a function call on any memory that might be read
+ * by that call.
+ */
+class CallReadSideEffectInstruction extends SideEffectInstruction {
+  CallReadSideEffectInstruction() {
+    opcode instanceof Opcode::CallReadSideEffect
+  }
+}
+
+/**
+ * An instruction representing the read of an indirect parameter within a function call.
+ */
+class IndirectReadSideEffectInstruction extends SideEffectInstruction {
+  IndirectReadSideEffectInstruction() {
+    opcode instanceof Opcode::IndirectReadSideEffect
+  }
+}
+
+/**
+ * An instruction representing the read of an indirect buffer parameter within a function call.
+ */
+class BufferReadSideEffectInstruction extends SideEffectInstruction {
+  BufferReadSideEffectInstruction() {
+    opcode instanceof Opcode::BufferReadSideEffect
+  }
+}
+
+/**
+ * An instruction representing the write of an indirect parameter within a function call.
+ */
+class IndirectWriteSideEffectInstruction extends SideEffectInstruction {
+  IndirectWriteSideEffectInstruction() {
+    opcode instanceof Opcode::IndirectWriteSideEffect
+  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof IndirectMemoryAccess
+  }
+}
+
+/**
+ * An instruction representing the write of an indirect buffer parameter within a function call. The
+ * entire buffer is overwritten.
+ */
+class BufferWriteSideEffectInstruction extends SideEffectInstruction {
+  BufferWriteSideEffectInstruction() {
+    opcode instanceof Opcode::BufferWriteSideEffect
+  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof BufferMemoryAccess
+  }
+}
+
+/**
+ * An instruction representing the potential write of an indirect parameter within a function call.
+ * Unlike `IndirectWriteSideEffectInstruction`, the location might not be completely overwritten.
+ * written.
+ */
+class IndirectMayWriteSideEffectInstruction extends SideEffectInstruction {
+  IndirectMayWriteSideEffectInstruction() {
+    opcode instanceof Opcode::IndirectMayWriteSideEffect
+  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof IndirectMayMemoryAccess
+  }
+}
+
+/**
+ * An instruction representing the write of an indirect buffer parameter within a function call.    
+ * Unlike `BufferWriteSideEffectInstruction`, the buffer might not be completely overwritten.
+ */
+class BufferMayWriteSideEffectInstruction extends SideEffectInstruction {
+  BufferMayWriteSideEffectInstruction() {
+    opcode instanceof Opcode::BufferMayWriteSideEffect
+  }
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof BufferMayMemoryAccess
+  }
+}
+
 /**
  * An instruction that throws an exception.
  */
 
@@ -306,6 +306,38 @@ class PositionalArgumentOperand extends ArgumentOperand {
   }
 }
 
+class SideEffectOperand extends NonPhiOperand {
+  SideEffectOperand() {
+    this = TNonPhiOperand(_, sideEffectOperand(), _)
+  }
+  
+  override MemoryAccessKind getMemoryAccess() {
+    instr instanceof CallSideEffectInstruction and
+    result instanceof EscapedMemoryAccess
+    or
+    instr instanceof CallReadSideEffectInstruction and
+    result instanceof EscapedMemoryAccess
+    or
+    instr instanceof IndirectReadSideEffectInstruction and
+    result instanceof IndirectMemoryAccess
+    or
+    instr instanceof BufferReadSideEffectInstruction and
+    result instanceof BufferMemoryAccess
+    or
+    instr instanceof IndirectWriteSideEffectInstruction and
+    result instanceof IndirectMemoryAccess
+    or
+    instr instanceof BufferWriteSideEffectInstruction and
+    result instanceof BufferMemoryAccess
+    or
+    instr instanceof IndirectMayWriteSideEffectInstruction and
+    result instanceof IndirectMayMemoryAccess
+    or
+    instr instanceof BufferMayWriteSideEffectInstruction and
+    result instanceof BufferMayMemoryAccess
+  }
+}
+
 /**
  * An operand of a `PhiInstruction`.
  */
@@ -350,6 +382,7 @@ class PhiOperand extends Operand, TPhiOperand {
   }
 }
 
+
 /**
  * An operand that reads a value from memory.
  */
 
@@ -227,6 +227,13 @@ cached private module Cached {
     )
   }
 
+  cached Instruction getPrimaryInstructionForSideEffect(Instruction instruction) {
+    exists(OldIR::SideEffectInstruction oldInstruction |
+      oldInstruction = getOldInstruction(instruction) and
+      result = getNewInstruction(oldInstruction.getPrimaryInstruction())
+    )
+  }
+
   private predicate ssa_variableUpdate(Alias::VirtualVariable vvar,
     OldIR::Instruction instr, OldIR::IRBlock block, int index) {
     block.getInstruction(index) = instr and
Original file line number	Diff line number	Diff line change
`@@ -227,6 +227,13 @@ cached private module Cached {`
`227`	`227`	`)`
`228`	`228`	`}`
`229`	`229`
	`230`	`+ cached Instruction getPrimaryInstructionForSideEffect(Instruction instruction) {`
	`231`	`+ exists(OldIR::SideEffectInstruction oldInstruction \|`
	`232`	`+ oldInstruction = getOldInstruction(instruction) and`
	`233`	`+ result = getNewInstruction(oldInstruction.getPrimaryInstruction())`
	`234`	`+ )`
	`235`	`+ }`
	`236`	`+`
`230`	`237`	`private predicate ssa_variableUpdate(Alias::VirtualVariable vvar,`
`231`	`238`	`OldIR::Instruction instr, OldIR::IRBlock block, int index) {`
`232`	`239`	`block.getInstruction(index) = instr and`