C++: escape analysis for this parameters

Robert Marsh · Robert Marsh · commit 608917255404 · 2019-03-07T13:14:49.000-08:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -153,13 +153,19 @@ predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
     operandIsPropagated(operand, _) and not resultEscapes(operand.getUseInstruction())
     or
     // The address is passed as an argument to a function from which it does not escape
-    exists(CallInstruction ci, FunctionIR f, InitializeParameterInstruction ipi |
+    exists(CallInstruction ci, FunctionIR f, Instruction init |
       ci = operand.getUseInstruction() and
       f.getFunction() = ci.getStaticCallTarget() and
-      ipi.getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex()) and
-      not resultEscapesNonReturn(ipi) and
       (
-        not resultReturned(ipi)
+        init.(InitializeParameterInstruction).getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex())
+        or
+        init instanceof InitializeThisInstruction and
+        init.getEnclosingFunctionIR() = f and
+        operand instanceof ThisArgumentOperand
+      ) and
+      not resultEscapesNonReturn(init) and
+      (
+        not resultReturned(init)
         or
         not resultEscapes(operand.getUseInstruction())
       )
@@ -179,11 +185,17 @@ predicate operandEscapesNonReturn(Operand operand) {
     not resultEscapesNonReturn(operand.getUseInstruction())
     or
     // The operand is used in a function call from which the operand does not escape
-    exists(CallInstruction ci, FunctionIR f, InitializeParameterInstruction ipi |
+    exists(CallInstruction ci, FunctionIR f, Instruction init |
       ci = operand.getUseInstruction() and
       f.getFunction() = ci.getStaticCallTarget() and
-      ipi.getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex()) and
-      not resultEscapesNonReturn(ipi) and
+      (
+        init.(InitializeParameterInstruction).getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex())
+        or
+        init instanceof InitializeThisInstruction and
+        init.getEnclosingFunctionIR() = f and
+        operand instanceof ThisArgumentOperand
+      ) and
+      not resultEscapesNonReturn(init) and
       not resultEscapesNonReturn(ci)
     ) or
     operand instanceof ReturnValueOperand
@@ -203,6 +215,20 @@ predicate operandReturned(Operand operand) {
     resultReturned(ci)
   )
   or
+  exists(CallInstruction ci, FunctionIR f, Instruction init |
+    ci = operand.getUseInstruction() and
+    f.getFunction() = ci.getStaticCallTarget() and
+    (
+      init.(InitializeParameterInstruction).getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex())
+      or
+      init instanceof InitializeThisInstruction and
+      init.getEnclosingFunctionIR() = f and
+      operand instanceof ThisArgumentOperand
+    ) and
+    resultReturned(init) and
+    resultReturned(ci)
+  )
+  or
   // The address is returned
   operand instanceof ReturnValueOperand
 }
@@ -271,11 +297,17 @@ predicate resultPointsTo(Instruction instr, IRVariable var, IntValue bitOffset)
     (
       operandIsPropagated(operand, propagatedBitOffset)
       or
-      exists(CallInstruction ci, FunctionIR f, InitializeParameterInstruction ipi |
+      exists(CallInstruction ci, FunctionIR f, Instruction init |
         ci = operand.getUseInstruction() and
         f.getFunction() = ci.getStaticCallTarget() and
-        ipi.getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex()) and
-        resultReturned(ipi) and
+        (
+          init.(InitializeParameterInstruction).getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex())
+          or
+          init instanceof InitializeThisInstruction and
+          init.getEnclosingFunctionIR() = f and
+          operand instanceof ThisArgumentOperand
+        ) and
+        resultReturned(init) and
         propagatedBitOffset = Ints::unknown()
       )
     ) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -153,13 +153,19 @@ predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
     operandIsPropagated(operand, _) and not resultEscapes(operand.getUseInstruction())
     or
     // The address is passed as an argument to a function from which it does not escape
-    exists(CallInstruction ci, FunctionIR f, InitializeParameterInstruction ipi |
+    exists(CallInstruction ci, FunctionIR f, Instruction init |
       ci = operand.getUseInstruction() and
       f.getFunction() = ci.getStaticCallTarget() and
-      ipi.getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex()) and
-      not resultEscapesNonReturn(ipi) and
       (
-        not resultReturned(ipi)
+        init.(InitializeParameterInstruction).getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex())
+        or
+        init instanceof InitializeThisInstruction and
+        init.getEnclosingFunctionIR() = f and
+        operand instanceof ThisArgumentOperand
+      ) and
+      not resultEscapesNonReturn(init) and
+      (
+        not resultReturned(init)
         or
         not resultEscapes(operand.getUseInstruction())
       )
@@ -179,11 +185,17 @@ predicate operandEscapesNonReturn(Operand operand) {
     not resultEscapesNonReturn(operand.getUseInstruction())
     or
     // The operand is used in a function call from which the operand does not escape
-    exists(CallInstruction ci, FunctionIR f, InitializeParameterInstruction ipi |
+    exists(CallInstruction ci, FunctionIR f, Instruction init |
       ci = operand.getUseInstruction() and
       f.getFunction() = ci.getStaticCallTarget() and
-      ipi.getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex()) and
-      not resultEscapesNonReturn(ipi) and
+      (
+        init.(InitializeParameterInstruction).getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex())
+        or
+        init instanceof InitializeThisInstruction and
+        init.getEnclosingFunctionIR() = f and
+        operand instanceof ThisArgumentOperand
+      ) and
+      not resultEscapesNonReturn(init) and
       not resultEscapesNonReturn(ci)
     ) or
     operand instanceof ReturnValueOperand
@@ -203,6 +215,20 @@ predicate operandReturned(Operand operand) {
     resultReturned(ci)
   )
   or
+  exists(CallInstruction ci, FunctionIR f, Instruction init |
+    ci = operand.getUseInstruction() and
+    f.getFunction() = ci.getStaticCallTarget() and
+    (
+      init.(InitializeParameterInstruction).getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex())
+      or
+      init instanceof InitializeThisInstruction and
+      init.getEnclosingFunctionIR() = f and
+      operand instanceof ThisArgumentOperand
+    ) and
+    resultReturned(init) and
+    resultReturned(ci)
+  )
+  or
   // The address is returned
   operand instanceof ReturnValueOperand
 }
@@ -271,11 +297,17 @@ predicate resultPointsTo(Instruction instr, IRVariable var, IntValue bitOffset)
     (
       operandIsPropagated(operand, propagatedBitOffset)
       or
-      exists(CallInstruction ci, FunctionIR f, InitializeParameterInstruction ipi |
+      exists(CallInstruction ci, FunctionIR f, Instruction init |
         ci = operand.getUseInstruction() and
         f.getFunction() = ci.getStaticCallTarget() and
-        ipi.getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex()) and
-        resultReturned(ipi) and
+        (
+          init.(InitializeParameterInstruction).getParameter() = f.getFunction().getParameter(operand.(PositionalArgumentOperand).getIndex())
+          or
+          init instanceof InitializeThisInstruction and
+          init.getEnclosingFunctionIR() = f and
+          operand instanceof ThisArgumentOperand
+        ) and
+        resultReturned(init) and
         propagatedBitOffset = Ints::unknown()
       )
     ) and
diff --git a/cpp/ql/test/library-tests/ir/escape/escape.cpp b/cpp/ql/test/library-tests/ir/escape/escape.cpp
@@ -66,6 +66,21 @@ struct Derived : Intermediate1, Intermediate2 {
     float d;
 };
 
+class C;
+
+void CEscapes(C *no_c);
+
+class C {
+public:
+  void ThisEscapes() {
+    CEscapes(this);
+  }
+
+  C *ThisReturned() {
+    return this;
+  }
+};
+
 void Escape()
 {
     int no_result;
@@ -169,4 +184,24 @@ void Escape()
 
     int no_ssa_passByRef7;
     ReturnReference(no_ssa_passByRef7);
+
+    C no_ssa_c;
+
+    no_ssa_c.ThisReturned();
+
+    C c;
+
+    c.ThisEscapes();
+
+    C c2;
+
+    CEscapes(&c2);
+
+    C c3;
+
+    c3.ThisReturned()->ThisEscapes();
+
+    C c4;
+
+    CEscapes(c4.ThisReturned());
 }
diff --git a/cpp/ql/test/library-tests/ir/escape/points_to.expected b/cpp/ql/test/library-tests/ir/escape/points_to.expected
