Insert a load of the temporary object for arguments passed by value

Dave Bartolomeo · Dave Bartolomeo · commit 9afddf0dadde · 2020-10-16T12:56:46.000-04:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -256,7 +256,17 @@ private predicate ignoreLoad(Expr expr) {
 private predicate needsLoadForParentExpr(Expr expr) {
   exists(CrementOperation crement | expr = crement.getOperand().getFullyConverted())
   or
-  exists(AssignOperation ao | expr = ao.getLValue().getFullyConverted())
+  exists(AssignOperation ao | expr = ao.getLValue().getFullyConverted()) or
+  // For arguments that are passed by value but require a constructor call, the extractor emits a
+  // `TemporaryObjectExpr` as the argument, and marks it as a glvalue. This is roughly how a code-
+  // generating compiler would implement this, passing the address of the temporary so that the
+  // callee is using the exact same memory location allocated by the caller. We don't fully model
+  // this yet, though, so we'll synthesize a load so that we appear to be passing the temporary
+  // object via a bitwise copy.
+  exists(Call call |
+    expr = call.getAnArgument().getFullyConverted().(TemporaryObjectExpr) and
+    expr.isGLValueCategory()
+  )
 }
 
 /**
