C++: add phi node support to escape analysis

Robert Marsh · Robert Marsh · commit 7e30ce0c0943 · 2019-03-07T13:14:56.000-08:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -72,7 +72,8 @@ private predicate operandEscapesDomain(Operand operand) {
   not operandIsPropagated(operand, _) and
   not isArgumentForParameter(_, operand, _) and
   not isOnlyEscapesViaReturnArgument(operand) and
-  not operand.getUseInstruction() instanceof ReturnValueInstruction
+  not operand.getUseInstruction() instanceof ReturnValueInstruction and
+  not operand instanceof PhiOperand
 }
 
 /**
@@ -161,7 +162,7 @@ private predicate operandEscapesNonReturn(Operand operand) {
   exists(CallInstruction ci, Instruction init |
     isArgumentForParameter(ci, operand, init) and
     (
-      resultReturned(init, _) and
+      resultMayReachReturn(init) and
       resultEscapesNonReturn(ci)
       or
       resultEscapesNonReturn(init)
@@ -170,9 +171,34 @@ private predicate operandEscapesNonReturn(Operand operand) {
   or
   isOnlyEscapesViaReturnArgument(operand) and resultEscapesNonReturn(operand.getUseInstruction())
   or
+  operand instanceof PhiOperand and
+  resultEscapesNonReturn(operand.getUseInstruction())
+  or
   operandEscapesDomain(operand)
 }
 
+
+private predicate operandMayReachReturn(Operand operand) {
+  // The address is propagated to the result of the instruction, and that result itself is returned
+    operandIsPropagated(operand, _) and
+    resultMayReachReturn(operand.getUseInstruction())
+  or
+  // The operand is used in a function call which returns it, and the return value is then returned
+  exists(CallInstruction ci, Instruction init |
+    isArgumentForParameter(ci, operand, init) and
+    resultMayReachReturn(init) and
+    resultMayReachReturn(ci)
+  )
+  or
+  // The address is returned
+  operand.getUseInstruction() instanceof ReturnValueInstruction
+  or
+  isOnlyEscapesViaReturnArgument(operand) and resultMayReachReturn(operand.getUseInstruction())
+  or
+  operand instanceof PhiOperand and
+  resultMayReachReturn(operand.getUseInstruction())
+}
+
 private predicate operandReturned(Operand operand, IntValue bitOffset) {
   // The address is propagated to the result of the instruction, and that result itself is returned
   exists(IntValue bitOffset1, IntValue bitOffset2 |
@@ -239,6 +265,10 @@ private predicate resultReturned(Instruction instr, IntValue bitOffset) {
   operandReturned(instr.getAUse(), bitOffset)
 }
 
+private predicate resultMayReachReturn(Instruction instr) {
+  operandMayReachReturn(instr.getAUse())
+}
+
 /**
  * Holds if any address held in the result of instruction `instr` escapes
  * outside the domain of the analysis.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -72,7 +72,8 @@ private predicate operandEscapesDomain(Operand operand) {
   not operandIsPropagated(operand, _) and
   not isArgumentForParameter(_, operand, _) and
   not isOnlyEscapesViaReturnArgument(operand) and
-  not operand.getUseInstruction() instanceof ReturnValueInstruction
+  not operand.getUseInstruction() instanceof ReturnValueInstruction and
+  not operand instanceof PhiOperand
 }
 
 /**
@@ -161,7 +162,7 @@ private predicate operandEscapesNonReturn(Operand operand) {
   exists(CallInstruction ci, Instruction init |
     isArgumentForParameter(ci, operand, init) and
     (
-      resultReturned(init, _) and
+      resultMayReachReturn(init) and
       resultEscapesNonReturn(ci)
       or
       resultEscapesNonReturn(init)
@@ -170,9 +171,34 @@ private predicate operandEscapesNonReturn(Operand operand) {
   or
   isOnlyEscapesViaReturnArgument(operand) and resultEscapesNonReturn(operand.getUseInstruction())
   or
+  operand instanceof PhiOperand and
+  resultEscapesNonReturn(operand.getUseInstruction())
+  or
   operandEscapesDomain(operand)
 }
 
+
+private predicate operandMayReachReturn(Operand operand) {
+  // The address is propagated to the result of the instruction, and that result itself is returned
+    operandIsPropagated(operand, _) and
+    resultMayReachReturn(operand.getUseInstruction())
+  or
+  // The operand is used in a function call which returns it, and the return value is then returned
+  exists(CallInstruction ci, Instruction init |
+    isArgumentForParameter(ci, operand, init) and
+    resultMayReachReturn(init) and
+    resultMayReachReturn(ci)
+  )
+  or
+  // The address is returned
+  operand.getUseInstruction() instanceof ReturnValueInstruction
+  or
+  isOnlyEscapesViaReturnArgument(operand) and resultMayReachReturn(operand.getUseInstruction())
+  or
+  operand instanceof PhiOperand and
+  resultMayReachReturn(operand.getUseInstruction())
+}
+
 private predicate operandReturned(Operand operand, IntValue bitOffset) {
   // The address is propagated to the result of the instruction, and that result itself is returned
   exists(IntValue bitOffset1, IntValue bitOffset2 |
@@ -239,6 +265,10 @@ private predicate resultReturned(Instruction instr, IntValue bitOffset) {
   operandReturned(instr.getAUse(), bitOffset)
 }
 
+private predicate resultMayReachReturn(Instruction instr) {
+  operandMayReachReturn(instr.getAUse())
+}
+
 /**
  * Holds if any address held in the result of instruction `instr` escapes
  * outside the domain of the analysis.
diff --git a/cpp/ql/test/library-tests/ir/escape/escape.cpp b/cpp/ql/test/library-tests/ir/escape/escape.cpp
@@ -193,10 +193,10 @@ void Escape()
     int passByRef3;
     CallByReferenceParamEscape(ReturnReference(passByRef3));
 
-    int passByPtr4;
-    int passByPtr5;
+    int no_ssa_passByPtr4;
+    int no_ssa_passByPtr5;
     bool no_b2 = false;
-    MaybeReturn(&passByPtr4, &passByPtr5, no_b2);
+    MaybeReturn(&no_ssa_passByPtr4, &no_ssa_passByPtr5, no_b2);
 
     int passByRef6;
     EscapeAndReturn(passByRef6);
@@ -239,5 +239,15 @@ void Escape()
 
     OverrideNone on2;
     CEscapes(on2.Overridden());
+
+    int condEscape1, condEscape2;
+
+    int *no_condTemp;
+    if(GetPointer()) {
+	no_condTemp = &condEscape1;
+    } else {
+        no_condTemp = &condEscape2;
+    }
+    CallByPointer(no_condTemp);
 }
 
diff --git a/cpp/ql/test/library-tests/ir/escape/points_to.expected b/cpp/ql/test/library-tests/ir/escape/points_to.expected
@@ -145,12 +145,12 @@
 | escape.cpp:193:9:193:18 | VariableAddress[passByRef3] | passByRef3+0:0 | passByRef3+0:0 |
 | escape.cpp:194:32:194:46 | Call | none | passByRef3+0:0 |
 | escape.cpp:194:48:194:57 | VariableAddress[passByRef3] | passByRef3+0:0 | passByRef3+0:0 |
-| escape.cpp:196:9:196:18 | VariableAddress[passByPtr4] | passByPtr4+0:0 | passByPtr4+0:0 |
-| escape.cpp:197:9:197:18 | VariableAddress[passByPtr5] | passByPtr5+0:0 | passByPtr5+0:0 |
+| escape.cpp:196:9:196:25 | VariableAddress[no_ssa_passByPtr4] | no_ssa_passByPtr4+0:0 | no_ssa_passByPtr4+0:0 |
+| escape.cpp:197:9:197:25 | VariableAddress[no_ssa_passByPtr5] | no_ssa_passByPtr5+0:0 | no_ssa_passByPtr5+0:0 |
 | escape.cpp:198:10:198:14 | VariableAddress[no_b2] | no_b2+0:0 | no_b2+0:0 |
-| escape.cpp:199:18:199:27 | VariableAddress[passByPtr4] | passByPtr4+0:0 | passByPtr4+0:0 |
-| escape.cpp:199:31:199:40 | VariableAddress[passByPtr5] | passByPtr5+0:0 | passByPtr5+0:0 |
-| escape.cpp:199:43:199:47 | VariableAddress[no_b2] | no_b2+0:0 | no_b2+0:0 |
+| escape.cpp:199:18:199:34 | VariableAddress[no_ssa_passByPtr4] | no_ssa_passByPtr4+0:0 | no_ssa_passByPtr4+0:0 |
+| escape.cpp:199:38:199:54 | VariableAddress[no_ssa_passByPtr5] | no_ssa_passByPtr5+0:0 | no_ssa_passByPtr5+0:0 |
+| escape.cpp:199:57:199:61 | VariableAddress[no_b2] | no_b2+0:0 | no_b2+0:0 |
 | escape.cpp:201:9:201:18 | VariableAddress[passByRef6] | passByRef6+0:0 | passByRef6+0:0 |
 | escape.cpp:202:5:202:19 | Call | none | passByRef6+0:0 |
 | escape.cpp:202:21:202:30 | VariableAddress[passByRef6] | passByRef6+0:0 | passByRef6+0:0 |
@@ -180,3 +180,13 @@
 | escape.cpp:238:5:238:7 | VariableAddress[on1] | on1+0:0 | on1+0:0 |
 | escape.cpp:240:18:240:20 | VariableAddress[on2] | on2+0:0 | on2+0:0 |
 | escape.cpp:241:14:241:16 | VariableAddress[on2] | on2+0:0 | on2+0:0 |
+| escape.cpp:243:9:243:19 | VariableAddress[condEscape1] | condEscape1+0:0 | condEscape1+0:0 |
+| escape.cpp:243:22:243:32 | VariableAddress[condEscape2] | condEscape2+0:0 | condEscape2+0:0 |
+| escape.cpp:245:10:245:20 | VariableAddress[no_condTemp] | no_condTemp+0:0 | no_condTemp+0:0 |
+| escape.cpp:247:2:247:12 | VariableAddress[no_condTemp] | no_condTemp+0:0 | no_condTemp+0:0 |
+| escape.cpp:247:2:247:27 | Store | condEscape1+0:0 | condEscape1+0:0 |
+| escape.cpp:247:17:247:27 | VariableAddress[condEscape1] | condEscape1+0:0 | condEscape1+0:0 |
+| escape.cpp:249:9:249:19 | VariableAddress[no_condTemp] | no_condTemp+0:0 | no_condTemp+0:0 |
+| escape.cpp:249:9:249:34 | Store | condEscape2+0:0 | condEscape2+0:0 |
+| escape.cpp:249:24:249:34 | VariableAddress[condEscape2] | condEscape2+0:0 | condEscape2+0:0 |
+| escape.cpp:251:19:251:29 | VariableAddress[no_condTemp] | no_condTemp+0:0 | no_condTemp+0:0 |
diff --git a/cpp/ql/test/library-tests/ir/escape/points_to.ql b/cpp/ql/test/library-tests/ir/escape/points_to.ql
@@ -29,5 +29,6 @@ where
       not UnAA::resultPointsTo(unInstr, Un::getIRUserVariable(_, var), _) and
       unPointsTo = "none"
     )
-  )
+  ) and
+  rawPointsTo != unPointsTo
 select rawInstr.getLocation().toString(), rawInstr.getOperationString(), rawPointsTo, unPointsTo

Original file line number	Diff line number	Diff line change
`@@ -29,5 +29,6 @@ where`
`29`	`29`	`not UnAA::resultPointsTo(unInstr, Un::getIRUserVariable(_, var), _) and`
`30`	`30`	`unPointsTo = "none"`
`31`	`31`	`)`
`32`		`- )`
	`32`	`+ ) and`
	`33`	`+ rawPointsTo != unPointsTo`
`33`	`34`	`select rawInstr.getLocation().toString(), rawInstr.getOperationString(), rawPointsTo, unPointsTo`