Handle more cases that require synthesizing temporary objects

Dave Bartolomeo · Dave Bartolomeo · commit bace0dca6d03 · 2020-10-23T12:04:09.000-04:00
- Parens around qualifier expressions
- Inheritance conversions involving class prvalues
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -227,6 +227,24 @@ private predicate usedAsCondition(Expr expr) {
   )
 }
 
+/**
+ * Holds if `conv` is an `InheritanceConversion` that requires a `TranslatedLoad`, despite not being
+ * marked as having an lvalue-to-rvalue conversion.
+ *
+ * This is necessary for an `InheritanceConversion` that is originally modeled as a
+ * prvalue-to-prvalue conversion, since we transform it into a glvalue-to-glvalue conversion. If it
+ * is actually consumed as a prvalue, such as on the right hand side of an assignment, we need to
+ * load the resulting glvalue.
+ */
+private predicate isInheritanceConversionWithImplicitLoad(InheritanceConversion conv) {
+  // Must have originally been a prvalue-to-prvalue conversion.
+  isClassPRValue(conv.getExpr()) and
+  not conv.hasLValueToRValueConversion() and
+  // Exclude that case where this will be consumed as a glvalue, such as when used as the qualifier
+  // of a field access.
+  not isPRValueConversionOnGLValue(conv)
+}
+
 /**
  * Holds if `expr` is the result of a field access whose qualifier was a prvalue and whose result is
  * a prvalue. These accesses are not marked as having loads, but we do need a load in the IR.
@@ -241,35 +259,93 @@ private predicate isPRValueFieldAccessWithImplicitLoad(Expr expr) {
 }
 
 /**
- * Holds if `expr` is a prvalue of class type that is used directly as the qualifier for a member
- * access, or is used after undergoing a prvalue adjustment conversion.
+ * Holds if `expr` is a prvalue of class type.
+ *
+ * This same test is used in several places.
+ */
+pragma[inline]
+private predicate isClassPRValue(Expr expr) {
+  expr.isPRValueCategory() and
+  expr.getUnspecifiedType() instanceof Class
+}
+
+/**
+ * Holds if `expr` is consumed as a glvalue by its parent. If `expr` is actually a prvalue, it will
+ * have any lvalue-to-rvalue conversion ignored. If it does not have an lvalue-to-rvalue conversion,
+ * it will be materialized into a temporary object.
  */
-private predicate isClassPRValueForMemberAccessQualifier(Expr expr) {
-  exists(Expr qualifier |
-    exists(FieldAccess access | qualifier = access.getQualifier().getFullyConverted())
+private predicate consumedAsGLValue(Expr expr) {
+  isClassPRValue(expr) and
+  (
+    // Qualifier of a field access.
+    expr = any(FieldAccess a).getQualifier().getFullyConverted()
     or
-    exists(Call call | qualifier = call.getQualifier().getFullyConverted())
-  |
-    // The qualifier is a prvalue of class type.
-    qualifier.getUnspecifiedType() instanceof Class and
-    qualifier.isPRValueCategory() and
+    // Qualifier of a member function call.
+    expr = any(Call c).getQualifier().getFullyConverted()
+    or
+    // The operand of an inheritance conversion.
+    expr = any(InheritanceConversion c).getExpr()
+  )
+}
+
+/**
+ * Holds if `expr` is a conversion that is originally a prvalue-to-prvalue conversion, but which is
+ * applied to a prvalue that will actually be consumed as a glvalue.
+ */
+predicate isPRValueConversionOnGLValue(Conversion conv) {
+  exists(Expr consumed |
+    consumedAsGLValue(consumed) and
+    isClassPRValue(conv.getExpr()) and
+    (
+      // Example: The conversion of `std::string` to `const std::string` when evaluating
+      // `std::string("foo").c_str()`.
+      conv instanceof PrvalueAdjustmentConversion
+      or
+      // Parentheses are transparent.
+      conv instanceof ParenthesisExpr
+      or
+      // Example: The base class conversion in `f().m()`, when `m` is member function of a base
+      // class of the return type of `f()`.
+      conv instanceof InheritanceConversion
+    ) and
     (
-      expr = qualifier and not expr instanceof PrvalueAdjustmentConversion
+      // Base case: The conversion is consumed directly.
+      conv = consumed
       or
-      // If the qualifier is a prvalue adjustment conversion, the actual object with be provided by
-      // the operand of that conversion. For example:
-      // ```c++
-      // std::string("s").c_str();
-      // ```
-      // The object for the qualifier is a prvalue(load) of type `std::string`, but the actual
-      // fully-converted qualifier of the call to `c_str()` is a prvalue adjustment conversion that
-      // converts the type to `const std::string` to match the type of the `this` pointer of the
-      // member function.
-      expr = qualifier.(PrvalueAdjustmentConversion).getExpr()
+      // Recursive case: The conversion is the operand of another prvalue conversion.
+      isPRValueConversionOnGLValue(conv.getConversion())
     )
   )
 }
 
+/**
+ * Holds if `expr` is a prvalue of class type that is used in a context that requires a glvalue.
+ *
+ * Any conversions between `expr` and the ancestor that consumes the glvalue will also be treated
+ * as glvalues, but are not part of this relation.
+ *
+ * For example:
+ * ```c++
+ * std::string("s").c_str();
+ * ```
+ * The object for the qualifier is a prvalue(load) of type `std::string`, but the actual
+ * fully-converted qualifier of the call to `c_str()` is a prvalue adjustment conversion that
+ * converts the type to `const std::string` to match the type of the `this` pointer of the
+ * member function. In this case, `mustTransformToGLValue()` will hold for the temporary
+ * `std::string` object, but not the prvalue adjustment on top of it.
+ * `isPRValueConversionOnGLValue()` would hold for the prvalue adjustment.
+ */
+private predicate mustTransformToGLValue(Expr expr) {
+  not isPRValueConversionOnGLValue(expr) and
+  (
+    // The expression is the fully converted qualifier, with no prvalue adjustments on top.
+    consumedAsGLValue(expr)
+    or
+    // The expression has conversions on top, but they are all prvalue adjustments.
+    isPRValueConversionOnGLValue(expr.getConversion())
+  )
+}
+
 /**
  * Holds if `expr` has an lvalue-to-rvalue conversion that should be ignored
  * when generating IR. This occurs for conversion from an lvalue of function type
@@ -294,7 +370,7 @@ predicate ignoreLoad(Expr expr) {
     // the temporary object if the original qualifier was a prvalue. For IR purposes, we always want
     // to use the address of the temporary object as the qualifier of a field access or the `this`
     // argument to a member function call.
-    isClassPRValueForMemberAccessQualifier(expr)
+    mustTransformToGLValue(expr)
   )
 }
 
@@ -332,6 +408,8 @@ predicate hasTranslatedLoad(Expr expr) {
     needsLoadForParentExpr(expr)
     or
     isPRValueFieldAccessWithImplicitLoad(expr)
+    or
+    isInheritanceConversionWithImplicitLoad(expr)
   ) and
   not ignoreExpr(expr) and
   not isNativeCondition(expr) and
@@ -344,7 +422,7 @@ predicate hasTranslatedLoad(Expr expr) {
  */
 predicate hasTranslatedSyntheticTemporaryObject(Expr expr) {
   not ignoreExpr(expr) and
-  isClassPRValueForMemberAccessQualifier(expr) and
+  mustTransformToGLValue(expr) and
   // If it's a load, we'll just ignore the load in `ignoreLoad()`.
   not expr.hasLValueToRValueConversion()
 }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -108,6 +108,10 @@ abstract class TranslatedCoreExpr extends TranslatedExpr {
     // If this TranslatedExpr doesn't produce the result, then it must represent
     // a glvalue that is then loaded by a TranslatedLoad.
     hasTranslatedLoad(expr)
+    or
+    // The expression should be treated as a glvalue because its operand was forced to be a glvalue,
+    // such as for the qualifier of a member access.
+    isPRValueConversionOnGLValue(expr)
   }
 
   final override predicate producesExprResult() {
@@ -1072,14 +1076,6 @@ class TranslatedSimpleConversion extends TranslatedSingleInstructionConversion {
   }
 
   override Opcode getOpcode() { result instanceof Opcode::Convert }
-
-  override predicate isResultGLValue() {
-    super.isResultGLValue()
-    or
-    // If this is a prvalue adjustment, the result is a treated as a glvalue if the source was also
-    // treated as a glvalue. See the comment in `ignoreLoad()` for more details.
-    expr instanceof PrvalueAdjustmentConversion and ignoreLoad(expr.getExpr())
-  }
 }
 
 /**
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -106,8 +106,8 @@
 | string.cpp:363:11:363:16 | string.cpp:358:18:358:23 | AST only |
 | string.cpp:382:8:382:14 | string.cpp:374:18:374:23 | IR only |
 | string.cpp:383:13:383:15 | string.cpp:374:18:374:23 | IR only |
-| string.cpp:396:8:396:8 | string.cpp:389:18:389:23 | AST only |
-| string.cpp:397:8:397:8 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:396:8:396:15 | string.cpp:389:18:389:23 | IR only |
+| string.cpp:397:8:397:15 | string.cpp:389:18:389:23 | IR only |
 | string.cpp:399:8:399:8 | string.cpp:389:18:389:23 | AST only |
 | string.cpp:401:8:401:8 | string.cpp:389:18:389:23 | AST only |
 | string.cpp:404:8:404:11 | string.cpp:389:18:389:23 | IR only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -362,6 +362,10 @@
 | string.cpp:382:8:382:14 | (reference dereference) | string.cpp:374:18:374:23 | call to source |
 | string.cpp:383:13:383:13 | call to operator[] | string.cpp:374:18:374:23 | call to source |
 | string.cpp:383:13:383:15 | (reference dereference) | string.cpp:374:18:374:23 | call to source |
+| string.cpp:396:8:396:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:396:8:396:15 | (reference dereference) | string.cpp:389:18:389:23 | call to source |
+| string.cpp:397:8:397:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:397:8:397:15 | (reference dereference) | string.cpp:389:18:389:23 | call to source |
 | string.cpp:404:8:404:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
 | string.cpp:404:8:404:11 | (reference dereference) | string.cpp:389:18:389:23 | call to source |
 | string.cpp:407:8:407:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -10650,6 +10650,10 @@ ir.cpp:
 # 1360|   params: 
 # 1360|     0: [Parameter] v
 # 1360|         Type = [Class] destructor_only
+# 1363| [FunctionTemplateInstantiation,TopLevelFunction] POD_Derived returnValue<POD_Derived>()
+# 1363|   params: 
+# 1363| [FunctionTemplateInstantiation,TopLevelFunction] POD_Middle returnValue<POD_Middle>()
+# 1363|   params: 
 # 1363| [FunctionTemplateInstantiation,TopLevelFunction] Point returnValue<Point>()
 # 1363|   params: 
 # 1363| [FunctionTemplateInstantiation,TopLevelFunction] String returnValue<String>()
@@ -11161,6 +11165,114 @@ ir.cpp:
 # 1426|                 Value = [Literal] 5
 # 1426|                 ValueCategory = prvalue
 # 1427|     4: [ReturnStmt] return ...
+# 1429| [CopyAssignmentOperator] POD_Base& POD_Base::operator=(POD_Base const&)
+# 1429|   params: 
+#-----|     0: [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const POD_Base &
+# 1429| [MoveAssignmentOperator] POD_Base& POD_Base::operator=(POD_Base&&)
+# 1429|   params: 
+#-----|     0: [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] POD_Base &&
+# 1432| [ConstMemberFunction] float POD_Base::f() const
+# 1432|   params: 
+# 1435| [CopyAssignmentOperator] POD_Middle& POD_Middle::operator=(POD_Middle const&)
+# 1435|   params: 
+#-----|     0: [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const POD_Middle &
+# 1435| [MoveAssignmentOperator] POD_Middle& POD_Middle::operator=(POD_Middle&&)
+# 1435|   params: 
+#-----|     0: [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] POD_Middle &&
+# 1435| [Constructor] void POD_Middle::POD_Middle()
+# 1435|   params: 
+# 1439| [CopyAssignmentOperator] POD_Derived& POD_Derived::operator=(POD_Derived const&)
+# 1439|   params: 
+#-----|     0: [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const POD_Derived &
+# 1439| [MoveAssignmentOperator] POD_Derived& POD_Derived::operator=(POD_Derived&&)
+# 1439|   params: 
+#-----|     0: [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] POD_Derived &&
+# 1439| [Constructor] void POD_Derived::POD_Derived()
+# 1439|   params: 
+# 1443| [TopLevelFunction] void temporary_hierarchy()
+# 1443|   params: 
+# 1443|   body: [BlockStmt] { ... }
+# 1444|     0: [DeclStmt] declaration
+# 1444|       0: [VariableDeclarationEntry] definition of b
+# 1444|           Type = [Struct] POD_Base
+# 1444|         init: [Initializer] initializer for b
+# 1444|           expr: [CStyleCast] (POD_Base)...
+# 1444|               Conversion = [BaseClassConversion] base class conversion
+# 1444|               Type = [Struct] POD_Base
+# 1444|               ValueCategory = prvalue
+# 1444|             expr: [FunctionCall] call to returnValue
+# 1444|                 Type = [Struct] POD_Middle
+# 1444|                 ValueCategory = prvalue
+# 1445|     1: [ExprStmt] ExprStmt
+# 1445|       0: [AssignExpr] ... = ...
+# 1445|           Type = [Struct] POD_Base
+# 1445|           ValueCategory = lvalue
+# 1445|         0: [VariableAccess] b
+# 1445|             Type = [Struct] POD_Base
+# 1445|             ValueCategory = lvalue
+# 1445|         1: [CStyleCast] (POD_Base)...
+# 1445|             Conversion = [BaseClassConversion] base class conversion
+# 1445|             Type = [Struct] POD_Base
+# 1445|             ValueCategory = prvalue(load)
+# 1445|           expr: [CStyleCast] (POD_Middle)...
+# 1445|               Conversion = [BaseClassConversion] base class conversion
+# 1445|               Type = [Struct] POD_Middle
+# 1445|               ValueCategory = lvalue
+# 1445|             expr: [TemporaryObjectExpr] temporary object
+# 1445|                 Type = [Struct] POD_Derived
+# 1445|                 ValueCategory = lvalue
+# 1445|               expr: [ParenthesisExpr] (...)
+# 1445|                   Type = [Struct] POD_Derived
+# 1445|                   ValueCategory = prvalue
+# 1445|                 expr: [FunctionCall] call to returnValue
+# 1445|                     Type = [Struct] POD_Derived
+# 1445|                     ValueCategory = prvalue
+# 1446|     2: [DeclStmt] declaration
+# 1446|       0: [VariableDeclarationEntry] definition of x
+# 1446|           Type = [IntType] int
+# 1446|         init: [Initializer] initializer for x
+# 1446|           expr: [ValueFieldAccess] x
+# 1446|               Type = [IntType] int
+# 1446|               ValueCategory = prvalue
+# 1446|             -1: [CStyleCast] (POD_Base)...
+# 1446|                 Conversion = [BaseClassConversion] base class conversion
+# 1446|                 Type = [Struct] POD_Base
+# 1446|                 ValueCategory = prvalue
+# 1446|               expr: [CStyleCast] (POD_Middle)...
+# 1446|                   Conversion = [BaseClassConversion] base class conversion
+# 1446|                   Type = [Struct] POD_Middle
+# 1446|                   ValueCategory = prvalue
+# 1446|                 expr: [FunctionCall] call to returnValue
+# 1446|                     Type = [Struct] POD_Derived
+# 1446|                     ValueCategory = prvalue
+# 1447|     3: [DeclStmt] declaration
+# 1447|       0: [VariableDeclarationEntry] definition of f
+# 1447|           Type = [FloatType] float
+# 1447|         init: [Initializer] initializer for f
+# 1447|           expr: [FunctionCall] call to f
+# 1447|               Type = [FloatType] float
+# 1447|               ValueCategory = prvalue
+# 1447|             -1: [CStyleCast] (const POD_Base)...
+# 1447|                 Conversion = [BaseClassConversion] base class conversion
+# 1447|                 Type = [SpecifiedType] const POD_Base
+# 1447|                 ValueCategory = prvalue
+# 1447|               expr: [CStyleCast] (POD_Middle)...
+# 1447|                   Conversion = [BaseClassConversion] base class conversion
+# 1447|                   Type = [Struct] POD_Middle
+# 1447|                   ValueCategory = prvalue
+# 1447|                 expr: [ParenthesisExpr] (...)
+# 1447|                     Type = [Struct] POD_Derived
+# 1447|                     ValueCategory = prvalue
+# 1447|                   expr: [FunctionCall] call to returnValue
+# 1447|                       Type = [Struct] POD_Derived
+# 1447|                       ValueCategory = prvalue
+# 1448|     4: [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   params: 
diff --git a/cpp/ql/test/library-tests/ir/ir/ir.cpp b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -1426,4 +1426,25 @@ void temporary_unusual_fields() {
     float f = returnValue<UnusualFields>().a[5];
 }
 
+struct POD_Base {
+    int x;
+
+    float f() const;
+};
+
+struct POD_Middle : POD_Base {
+    int y;
+};
+
+struct POD_Derived : POD_Middle {
+    int z;
+};
+
+void temporary_hierarchy() {
+    POD_Base b = returnValue<POD_Middle>();
+    b = (returnValue<POD_Derived>());  // Multiple conversions plus parens
+    int x = returnValue<POD_Derived>().x;
+    float f = (returnValue<POD_Derived>()).f();
+}
+
 // semmle-extractor-options: -std=c++17 --clang
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
