C++: add param read side effects to IR exit blocks

Robert Marsh · Robert Marsh · commit 5e946cc9f3dc · 2019-10-28T15:09:04.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll
@@ -9,6 +9,7 @@ private newtype TOpcode =
   TExitFunction() or
   TReturnValue() or
   TReturnVoid() or
+  TReturnIndirection() or
   TCopyValue() or
   TLoad() or
   TStore() or
@@ -202,6 +203,10 @@ module Opcode {
     final override string toString() { result = "ReturnVoid" }
   }
 
+  class ReturnIndirection extends MemoryAccessOpcode, TReturnIndirection {
+    final override string toString() { result = "ReturnIndirection" }
+  }
+
   class CopyValue extends UnaryOpcode, CopyOpcode, TCopyValue {
     final override string toString() { result = "CopyValue" }
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -49,7 +49,8 @@ module InstructionSanity {
         (
           opcode instanceof ReadSideEffectOpcode or
           opcode instanceof Opcode::InlineAsm or
-          opcode instanceof Opcode::CallSideEffect
+          opcode instanceof Opcode::CallSideEffect or
+          opcode instanceof Opcode::ReturnIndirection
         ) and
         tag instanceof SideEffectOperandTag
       )
@@ -743,6 +744,18 @@ class ReturnValueInstruction extends ReturnInstruction {
   final Instruction getReturnValue() { result = getReturnValueOperand().getDef() }
 }
 
+class ReturnIndirectionInstruction extends Instruction {
+  ReturnIndirectionInstruction() { getOpcode() instanceof Opcode::ReturnIndirection }
+
+  final SideEffectOperand getSideEffectOperand() { result = getAnOperand() }
+
+  final Instruction getSideEffect() { result = getSideEffectOperand().getDef() }
+
+  final AddressOperand getSourceAddressOperand() { result = getAnOperand() }
+
+  final Instruction getSourceAddress() { result = getSourceAddressOperand().getDef() }
+}
+
 class CopyInstruction extends Instruction {
   CopyInstruction() { getOpcode() instanceof CopyOpcode }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -49,7 +49,8 @@ module InstructionSanity {
         (
           opcode instanceof ReadSideEffectOpcode or
           opcode instanceof Opcode::InlineAsm or
-          opcode instanceof Opcode::CallSideEffect
+          opcode instanceof Opcode::CallSideEffect or
+          opcode instanceof Opcode::ReturnIndirection
         ) and
         tag instanceof SideEffectOperandTag
       )
@@ -743,6 +744,18 @@ class ReturnValueInstruction extends ReturnInstruction {
   final Instruction getReturnValue() { result = getReturnValueOperand().getDef() }
 }
 
+class ReturnIndirectionInstruction extends Instruction {
+  ReturnIndirectionInstruction() { getOpcode() instanceof Opcode::ReturnIndirection }
+
+  final SideEffectOperand getSideEffectOperand() { result = getAnOperand() }
+
+  final Instruction getSideEffect() { result = getSideEffectOperand().getDef() }
+
+  final AddressOperand getSourceAddressOperand() { result = getAnOperand() }
+
+  final Instruction getSourceAddress() { result = getSourceAddressOperand().getDef() }
+}
+
 class CopyInstruction extends Instruction {
   CopyInstruction() { getOpcode() instanceof CopyOpcode }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -346,6 +346,16 @@ newtype TTranslatedElement =
       translateFunction(func)
     )
   } or
+  TTranslatedReadEffects(Function func) { translateFunction(func) } or
+  // The read side effects in a function's return block
+  TTranslatedReadEffect(Parameter param) {
+    translateFunction(param.getFunction()) and
+    exists(Type t | t = param.getUnspecifiedType() |
+      t instanceof ArrayType or
+      t instanceof PointerType or
+      t instanceof ReferenceType
+    )
+  } or
   // A local declaration
   TTranslatedDeclarationEntry(DeclarationEntry entry) {
     exists(DeclStmt declStmt |
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -34,6 +34,8 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
   final override Function getFunction() { result = func }
 
   final override TranslatedElement getChild(int id) {
+    id = -4 and result = getReadEffects()
+    or
     id = -3 and result = getConstructorInitList()
     or
     id = -2 and result = getBody()
@@ -53,6 +55,8 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
 
   final private TranslatedStmt getBody() { result = getTranslatedStmt(func.getEntryPoint()) }
 
+  final private TranslatedReadEffects getReadEffects() { result = getTranslatedReadEffects(func) }
+
   final private TranslatedParameter getParameter(int index) {
     result = getTranslatedParameter(func.getParameter(index))
   }
@@ -113,8 +117,11 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     child = getBody() and
     result = getReturnSuccessorInstruction()
     or
+    child = getDestructorDestructionList() and
+    result = getReadEffects().getFirstInstruction()
+    or
     (
-      child = getDestructorDestructionList() and
+      child = getReadEffects() and
       if getReturnType() instanceof VoidType
       then result = getInstruction(ReturnTag())
       else result = getInstruction(ReturnValueAddressTag())
@@ -531,3 +538,101 @@ class TranslatedDestructorDestructionList extends TranslatedElement,
     )
   }
 }
+
+TranslatedReadEffects getTranslatedReadEffects(Function func) { result.getAST() = func }
+
+class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects {
+  Function func;
+
+  TranslatedReadEffects() { this = TTranslatedReadEffects(func) }
+
+  override Locatable getAST() { result = func }
+
+  override Function getFunction() { result = func }
+
+  override string toString() { result = "read effects: " + func.toString() }
+
+  override TranslatedElement getChild(int id) {
+    result = getTranslatedReadEffect(func.getParameter(id))
+  }
+
+  override Instruction getFirstInstruction() {
+    if exists(getAChild())
+    then
+      result = min(TranslatedReadEffect child, int id | child = getChild(id) | child order by id)
+            .getFirstInstruction()
+    else result = getParent().getChildSuccessor(this)
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    exists(int id | child = getChild(id) |
+      if exists(TranslatedReadEffect child2, int id2 | id2 > id and child2 = getChild(id2))
+      then
+        result = min(TranslatedReadEffect child2, int id2 |
+            child2 = getChild(id2) and id2 > id
+          |
+            child2 order by id2
+          ).getFirstInstruction()
+      else result = getParent().getChildSuccessor(this)
+    )
+  }
+
+  override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue
+  ) {
+    none()
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
+}
+
+private TranslatedReadEffect getTranslatedReadEffect(Parameter param) { result.getAST() = param }
+
+class TranslatedReadEffect extends TranslatedElement, TTranslatedReadEffect {
+  Parameter param;
+
+  TranslatedReadEffect() { this = TTranslatedReadEffect(param) }
+
+  override Locatable getAST() { result = param }
+
+  override string toString() { result = "read effect: " + param.toString() }
+
+  override TranslatedElement getChild(int id) { none() }
+
+  override Instruction getChildSuccessor(TranslatedElement child) { none() }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind edge) {
+    tag = OnlyInstructionTag() and
+    edge = gotoEdge() and
+    result = getParent().getChildSuccessor(this)
+  }
+
+  override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+
+  override Function getFunction() { result = param.getFunction() }
+
+  override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue
+  ) {
+    opcode instanceof Opcode::ReturnIndirection and
+    tag = OnlyInstructionTag() and
+    resultType instanceof VoidType and
+    isGLValue = false
+  }
+
+  final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = OnlyInstructionTag() and
+    operandTag = sideEffectOperand() and
+    result = getTranslatedFunction(getFunction()).getUnmodeledDefinitionInstruction()
+    or
+    tag = OnlyInstructionTag() and
+    operandTag = addressOperand() and
+    result = getTranslatedParameter(param).getInstruction(InitializerIndirectAddressTag())
+  }
+
+  final override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) {
+    tag = OnlyInstructionTag() and
+    operandTag = sideEffectOperand() and
+    result instanceof UnknownType
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -49,7 +49,8 @@ module InstructionSanity {
         (
           opcode instanceof ReadSideEffectOpcode or
           opcode instanceof Opcode::InlineAsm or
-          opcode instanceof Opcode::CallSideEffect
+          opcode instanceof Opcode::CallSideEffect or
+          opcode instanceof Opcode::ReturnIndirection
         ) and
         tag instanceof SideEffectOperandTag
       )
@@ -743,6 +744,18 @@ class ReturnValueInstruction extends ReturnInstruction {
   final Instruction getReturnValue() { result = getReturnValueOperand().getDef() }
 }
 
+class ReturnIndirectionInstruction extends Instruction {
+  ReturnIndirectionInstruction() { getOpcode() instanceof Opcode::ReturnIndirection }
+
+  final SideEffectOperand getSideEffectOperand() { result = getAnOperand() }
+
+  final Instruction getSideEffect() { result = getSideEffectOperand().getDef() }
+
+  final AddressOperand getSourceAddressOperand() { result = getAnOperand() }
+
+  final Instruction getSourceAddress() { result = getSourceAddressOperand().getDef() }
+}
+
 class CopyInstruction extends Instruction {
   CopyInstruction() { getOpcode() instanceof CopyOpcode }
 
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
