C++: Handle pointer decay and inferred array sizes

dave-bartolomeo · dave-bartolomeo · commit aff2ea331620 · 2019-02-12T12:41:21.000-08:00
For function parameters that are subject to "pointer decay", the database contains the type as originally declared (e.g. `T[]` instead of `T*`). The IR needs the actual type. Similarly, for variable declared as an array of unknown size, the actual size needs to be inferred from the initializer (e.g. `char a[] = "blah";` needs to have the type `char[5]`).

I've opened a ticket to have the extractor emit the actual type alongside the declared type, but for now, this workaround is enough to unblock progress for typical code.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll
@@ -2,6 +2,7 @@ private import internal.IRInternal
 import FunctionIR
 import cpp
 import semmle.code.cpp.ir.implementation.TempVariableTag
+private import semmle.code.cpp.ir.internal.IRUtilities
 private import semmle.code.cpp.ir.internal.TempVariableTag
 private import semmle.code.cpp.ir.internal.TIRVariable
 
@@ -70,7 +71,7 @@ abstract class IRUserVariable extends IRVariable {
   }
 
   override final Type getType() {
-    result = var.getType().getUnspecifiedType()
+    result = getVariableType(var)
   }
 
   override final Locatable getAST() {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll
@@ -2,6 +2,7 @@ private import internal.IRInternal
 import FunctionIR
 import cpp
 import semmle.code.cpp.ir.implementation.TempVariableTag
+private import semmle.code.cpp.ir.internal.IRUtilities
 private import semmle.code.cpp.ir.internal.TempVariableTag
 private import semmle.code.cpp.ir.internal.TIRVariable
 
@@ -70,7 +71,7 @@ abstract class IRUserVariable extends IRVariable {
   }
 
   override final Type getType() {
-    result = var.getType().getUnspecifiedType()
+    result = getVariableType(var)
   }
 
   override final Locatable getAST() {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
@@ -1,5 +1,6 @@
 import cpp
 private import semmle.code.cpp.ir.implementation.Opcode
+private import semmle.code.cpp.ir.internal.IRUtilities
 private import semmle.code.cpp.ir.internal.OperandTag
 private import InstructionTag
 private import TranslatedElement
@@ -104,14 +105,14 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali
     (
       tag = InitializerVariableAddressTag() and
       opcode instanceof Opcode::VariableAddress and
-      resultType = getVariable().getType().getUnspecifiedType() and
+      resultType = getVariableType(getVariable()) and
       isGLValue = true
     ) or
     (
       hasUninitializedInstruction() and
       tag = InitializerStoreTag() and
       opcode instanceof Opcode::Uninitialized and
-      resultType = getVariable().getType().getUnspecifiedType() and
+      resultType = getVariableType(getVariable()) and
       isGLValue = false
     )
   }
@@ -161,7 +162,7 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali
   }
 
   override Type getTargetType() {
-    result = getVariable().getType().getUnspecifiedType()
+    result = getVariableType(getVariable())
   }
 
   private TranslatedInitialization getInitialization() {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -1,6 +1,7 @@
 import cpp
 import semmle.code.cpp.ir.implementation.raw.IR
 private import semmle.code.cpp.ir.implementation.Opcode
+private import semmle.code.cpp.ir.internal.IRUtilities
 private import semmle.code.cpp.ir.internal.OperandTag
 private import semmle.code.cpp.ir.internal.TempVariableTag
 private import InstructionTag
@@ -377,13 +378,13 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
     (
       tag = InitializerVariableAddressTag() and
       opcode instanceof Opcode::VariableAddress and
-      resultType = param.getType().getUnspecifiedType() and
+      resultType = getVariableType(param) and
       isGLValue = true
     ) or
     (
       tag = InitializerStoreTag() and
       opcode instanceof Opcode::InitializeParameter and
-      resultType = param.getType().getUnspecifiedType() and
+      resultType = getVariableType(param) and
       isGLValue = false
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll
@@ -2,6 +2,7 @@ private import internal.IRInternal
 import FunctionIR
 import cpp
 import semmle.code.cpp.ir.implementation.TempVariableTag
+private import semmle.code.cpp.ir.internal.IRUtilities
 private import semmle.code.cpp.ir.internal.TempVariableTag
 private import semmle.code.cpp.ir.internal.TIRVariable
 
@@ -70,7 +71,7 @@ abstract class IRUserVariable extends IRVariable {
   }
 
   override final Type getType() {
-    result = var.getType().getUnspecifiedType()
+    result = getVariableType(var)
   }
 
   override final Locatable getAST() {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/internal/IRUtilities.qll b/cpp/ql/src/semmle/code/cpp/ir/internal/IRUtilities.qll
@@ -0,0 +1,34 @@
+import cpp
+
+/**
+ * Given a type, get the type that would result by applying "pointer decay".
+ * A function type becomes a pointer to that function type, and an array type
+ * becomes a pointer to the element type of the array. If the specified type
+ * is not subject to pointer decay, this predicate does not hold.
+ */
+private Type getDecayedType(Type type) {
+  result.(FunctionPointerType).getBaseType() = type.(RoutineType) or
+  result.(PointerType).getBaseType() = type.(ArrayType).getBaseType()
+}
+
+/**
+ * Get the actual type of the specified variable, as opposed to the declared type.
+ * This returns the type of the variable after any pointer decay is applied, and
+ * after any unsized array type has its size inferred from the initializer.
+ */
+Type getVariableType(Variable v) {
+  exists(Type declaredType |
+    declaredType = v.getType().getUnspecifiedType() and
+    if v instanceof Parameter then (
+      result = getDecayedType(declaredType) or
+      not exists(getDecayedType(declaredType)) and result = declaredType
+    )
+    else if declaredType instanceof ArrayType and not declaredType.(ArrayType).hasArraySize() then (
+      result = v.getInitializer().getExpr().getType().getUnspecifiedType() or
+      not exists(v.getInitializer()) and result = declaredType
+    )
+    else (
+      result = declaredType
+    )
+  )
+}
diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -6591,3 +6591,39 @@ ir.cpp:
 #  983|               ValueCategory = prvalue(load)
 #  983|       1: { ... }
 #  985|     3: return ...
+#  987| int PointerDecay(int[], int(float))
+#  987|   params: 
+#  987|     0: a
+#  987|         Type = int[]
+#  987|     1: fn
+#  987|         Type = ..()(..)
+#  987|   body: { ... }
+#  988|     0: return ...
+#  988|       0: ... + ...
+#  988|           Type = int
+#  988|           ValueCategory = prvalue
+#  988|         0: access to array
+#  988|             Type = int
+#  988|             ValueCategory = prvalue(load)
+#  988|           0: a
+#  988|               Type = int *
+#  988|               ValueCategory = prvalue(load)
+#  988|           1: 0
+#  988|               Type = int
+#  988|               Value = 0
+#  988|               ValueCategory = prvalue
+#  988|         1: call to expression
+#  988|             Type = int
+#  988|             ValueCategory = prvalue
+#  988|           0: fn
+#  988|               Type = ..(*)(..)
+#  988|               ValueCategory = prvalue(load)
+#  988|           1: (float)...
+#  988|               Conversion = floating point conversion
+#  988|               Type = float
+#  988|               Value = 1.0
+#  988|               ValueCategory = prvalue
+#  988|             expr: 1.0
+#  988|                 Type = double
+#  988|                 Value = 1.0
+#  988|                 ValueCategory = prvalue
diff --git a/cpp/ql/test/library-tests/ir/ir/ir.cpp b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -984,6 +984,10 @@ void WhileStmtWithDeclaration(int x, int y) {
   }
 }
 
+int PointerDecay(int a[], int fn(float)) {
+  return a[0] + fn(1.0);
+}
+
 #if 0
 void OperatorDelete() {
   delete static_cast<int*>(nullptr);  // No destructor
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -2579,7 +2579,7 @@ ir.cpp:
 #  573|     r0_12(glval<char[4]>) = StringConstant["foo"]    : 
 #  573|     r0_13(char[4])        = Load                     : r0_12, mu0_2
 #  573|     mu0_14(char[4])       = Store                    : r0_11, r0_13
-#  574|     r0_15(glval<char[]>)  = VariableAddress[a_infer] : 
+#  574|     r0_15(glval<char[5]>) = VariableAddress[a_infer] : 
 #  574|     r0_16(glval<char[5]>) = StringConstant["blah"]   : 
 #  574|     r0_17(char[5])        = Load                     : r0_16, mu0_2
 #  574|     mu0_18(char[5])       = Store                    : r0_15, r0_17
@@ -4339,3 +4339,30 @@ ir.cpp:
 #  979|     v7_9(void)        = ConditionalBranch  : r7_8
 #-----|   False -> Block 2
 #-----|   True -> Block 1
+
+#  987| int PointerDecay(int[], int(float))
+#  987|   Block 0
+#  987|     v0_0(void)              = EnterFunction            : 
+#  987|     mu0_1(unknown)          = AliasedDefinition        : 
+#  987|     mu0_2(unknown)          = UnmodeledDefinition      : 
+#  987|     r0_3(glval<int *>)      = VariableAddress[a]       : 
+#  987|     mu0_4(int *)            = InitializeParameter[a]   : r0_3
+#  987|     r0_5(glval<..(*)(..)>)  = VariableAddress[fn]      : 
+#  987|     mu0_6(..(*)(..))        = InitializeParameter[fn]  : r0_5
+#  988|     r0_7(glval<int>)        = VariableAddress[#return] : 
+#  988|     r0_8(glval<int *>)      = VariableAddress[a]       : 
+#  988|     r0_9(int *)             = Load                     : r0_8, mu0_2
+#  988|     r0_10(int)              = Constant[0]              : 
+#  988|     r0_11(int *)            = PointerAdd[4]            : r0_9, r0_10
+#  988|     r0_12(int)              = Load                     : r0_11, mu0_2
+#  988|     r0_13(glval<..(*)(..)>) = VariableAddress[fn]      : 
+#  988|     r0_14(..(*)(..))        = Load                     : r0_13, mu0_2
+#  988|     r0_15(float)            = Constant[1.0]            : 
+#  988|     r0_16(int)              = Call                     : r0_14, r0_15
+#  988|     mu0_17(unknown)         = ^CallSideEffect          : mu0_2
+#  988|     r0_18(int)              = Add                      : r0_12, r0_16
+#  988|     mu0_19(int)             = Store                    : r0_7, r0_18
+#  987|     r0_20(glval<int>)       = VariableAddress[#return] : 
+#  987|     v0_21(void)             = ReturnValue              : r0_20, mu0_2
+#  987|     v0_22(void)             = UnmodeledUse             : mu*
+#  987|     v0_23(void)             = ExitFunction             : 

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ private import internal.IRInternal`
`2`	`2`	`import FunctionIR`
`3`	`3`	`import cpp`
`4`	`4`	`import semmle.code.cpp.ir.implementation.TempVariableTag`
	`5`	`+private import semmle.code.cpp.ir.internal.IRUtilities`
`5`	`6`	`private import semmle.code.cpp.ir.internal.TempVariableTag`
`6`	`7`	`private import semmle.code.cpp.ir.internal.TIRVariable`
`7`	`8`
`@@ -70,7 +71,7 @@ abstract class IRUserVariable extends IRVariable {`
`70`	`71`	`}`
`71`	`72`
`72`	`73`	`override final Type getType() {`
`73`		`- result = var.getType().getUnspecifiedType()`
	`74`	`+ result = getVariableType(var)`
`74`	`75`	`}`
`75`	`76`
`76`	`77`	`override final Locatable getAST() {`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`import cpp`
`2`	`2`	`private import semmle.code.cpp.ir.implementation.Opcode`
	`3`	`+private import semmle.code.cpp.ir.internal.IRUtilities`
`3`	`4`	`private import semmle.code.cpp.ir.internal.OperandTag`
`4`	`5`	`private import InstructionTag`
`5`	`6`	`private import TranslatedElement`
`@@ -104,14 +105,14 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali`
`104`	`105`	`(`
`105`	`106`	`tag = InitializerVariableAddressTag() and`
`106`	`107`	`opcode instanceof Opcode::VariableAddress and`
`107`		`- resultType = getVariable().getType().getUnspecifiedType() and`
	`108`	`+ resultType = getVariableType(getVariable()) and`
`108`	`109`	`isGLValue = true`
`109`	`110`	`) or`
`110`	`111`	`(`
`111`	`112`	`hasUninitializedInstruction() and`
`112`	`113`	`tag = InitializerStoreTag() and`
`113`	`114`	`opcode instanceof Opcode::Uninitialized and`
`114`		`- resultType = getVariable().getType().getUnspecifiedType() and`
	`115`	`+ resultType = getVariableType(getVariable()) and`
`115`	`116`	`isGLValue = false`
`116`	`117`	`)`
`117`	`118`	`}`
`@@ -161,7 +162,7 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali`
`161`	`162`	`}`
`162`	`163`
`163`	`164`	`override Type getTargetType() {`
`164`		`- result = getVariable().getType().getUnspecifiedType()`
	`165`	`+ result = getVariableType(getVariable())`
`165`	`166`	`}`
`166`	`167`
`167`	`168`	`private TranslatedInitialization getInitialization() {`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`import cpp`
`2`	`2`	`import semmle.code.cpp.ir.implementation.raw.IR`
`3`	`3`	`private import semmle.code.cpp.ir.implementation.Opcode`
	`4`	`+private import semmle.code.cpp.ir.internal.IRUtilities`
`4`	`5`	`private import semmle.code.cpp.ir.internal.OperandTag`
`5`	`6`	`private import semmle.code.cpp.ir.internal.TempVariableTag`
`6`	`7`	`private import InstructionTag`
`@@ -377,13 +378,13 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {`
`377`	`378`	`(`
`378`	`379`	`tag = InitializerVariableAddressTag() and`
`379`	`380`	`opcode instanceof Opcode::VariableAddress and`
`380`		`- resultType = param.getType().getUnspecifiedType() and`
	`381`	`+ resultType = getVariableType(param) and`
`381`	`382`	`isGLValue = true`
`382`	`383`	`) or`
`383`	`384`	`(`
`384`	`385`	`tag = InitializerStoreTag() and`
`385`	`386`	`opcode instanceof Opcode::InitializeParameter and`
`386`		`- resultType = param.getType().getUnspecifiedType() and`
	`387`	`+ resultType = getVariableType(param) and`
`387`	`388`	`isGLValue = false`
`388`	`389`	`)`
`389`	`390`	`}`
Original file line number	Diff line number	Diff line change
`@@ -984,6 +984,10 @@ void WhileStmtWithDeclaration(int x, int y) {`
`984`	`984`	`}`
`985`	`985`	`}`
`986`	`986`
	`987`	`+int PointerDecay(int a[], int fn(float)) {`
	`988`	`+ return a[0] + fn(1.0);`
	`989`	`+}`
	`990`	`+`
`987`	`991`	`#if 0`
`988`	`992`	`void OperatorDelete() {`
`989`	`993`	`delete static_cast<int*>(nullptr); // No destructor`