AST and IR support for TemporaryObjectExpr

Dave Bartolomeo · Dave Bartolomeo · commit badb11750a1f · 2020-10-05T17:53:35.000-04:00
diff --git a/cpp/ql/src/semmle/code/cpp/exprs/Cast.qll b/cpp/ql/src/semmle/code/cpp/exprs/Cast.qll
@@ -840,6 +840,27 @@ class ArrayToPointerConversion extends Conversion, @array_to_pointer {
   override predicate mayBeGloballyImpure() { none() }
 }
 
+/**
+ * A node representing a temporary object created as part of an expression.
+ * 
+ * This is most commonly seen in the following cases (from [class.temporary]/2):
+ * - when binding a reference to a prvalue
+ * - when performing member access on a class prvalue
+ * - when performing an array-to-pointer conversion or subscripting on an array prvalue
+ * - when initializing an object of type std::initializer_list from a braced-init-list
+ * - for certain unevaluated operands
+ * - when a prvalue that has type other than cv void appears as a discarded-value expression
+ * 
+ * This node will only exist if the object is of class type, and even then only if either the
+ * object's initialization or destruction is non-trivial.
+ */
+class TemporaryObjectExpr extends Conversion, @temp_init {
+  /** Gets a textual representation of this conversion. */
+  override string toString() { result = "temporary object" }
+
+  override string getAPrimaryQlClass() { result = "TemporaryObjectExpr" }
+}
+
 /**
  * A node representing the Cast sub-class of entity `cast`.
  */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -351,6 +351,7 @@ newtype TTranslatedElement =
       exists(ConstructorFieldInit fieldInit | fieldInit.getExpr().getFullyConverted() = expr) or
       exists(NewExpr newExpr | newExpr.getInitializer().getFullyConverted() = expr) or
       exists(ThrowExpr throw | throw.getExpr().getFullyConverted() = expr) or
+      exists(TemporaryObjectExpr temp | temp.getExpr() = expr) or
       exists(LambdaExpression lambda | lambda.getInitializer().getFullyConverted() = expr)
     )
   } or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -2049,6 +2049,37 @@ class TranslatedBinaryConditionalExpr extends TranslatedConditionalExpr {
   }
 }
 
+/**
+ * IR translation of the materialization of a temporary object.
+ * 
+ * This translation allocates a temporary variable, and initializes it treating `expr.getExpr()` as
+ * its initializer.
+ */
+class TranslatedTemporaryObjectExpr extends TranslatedNonConstantExpr, TranslatedVariableInitialization {
+  override TemporaryObjectExpr expr;
+
+  final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
+    tag = TempObjectTempVar() and
+    type = getTypeForPRValue(expr.getType())
+  }
+
+  override Type getTargetType() { result = expr.getType() }
+
+  final override TranslatedInitialization getInitialization() {
+    result = getTranslatedInitialization(expr.getExpr())
+  }
+
+  final override IRVariable getIRVariable() { result = getIRTempVariable(expr, TempObjectTempVar()) }
+
+  final override Instruction getInitializationSuccessor() {
+    result = getParent().getChildSuccessor(this)
+  }
+
+  final override Instruction getResult() {
+    result = getTargetAddress()
+  }
+}
+
 /**
  * IR translation of a `throw` expression.
  */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/internal/TempVariableTag.qll b/cpp/ql/src/semmle/code/cpp/ir/internal/TempVariableTag.qll
@@ -4,7 +4,8 @@ newtype TTempVariableTag =
   ThrowTempVar() or
   LambdaTempVar() or
   EllipsisTempVar() or
-  ThisTempVar()
+  ThisTempVar() or
+  TempObjectTempVar()
 
 string getTempVariableTagId(TTempVariableTag tag) {
   tag = ConditionValueTempVar() and result = "CondVal"
@@ -18,4 +19,6 @@ string getTempVariableTagId(TTempVariableTag tag) {
   tag = EllipsisTempVar() and result = "Ellipsis"
   or
   tag = ThisTempVar() and result = "This"
+  or
+  tag = TempObjectTempVar() and result = "Temp"
 }
diff --git a/cpp/ql/src/semmlecode.cpp.dbscheme b/cpp/ql/src/semmlecode.cpp.dbscheme
@@ -1171,6 +1171,7 @@ conversionkinds(
             | @parexpr
             | @reference_to
             | @ref_indirect
+            | @temp_init
             ;
 
 /*
@@ -1673,6 +1674,7 @@ case @expr.kind of
 | 326 = @spaceshipexpr
 | 327 = @co_await
 | 328 = @co_yield
+| 329 = @temp_init
 ;
 
 @var_args_expr = @vastartexpr
diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
diff --git a/cpp/ql/test/library-tests/ir/ir/ir.cpp b/cpp/ql/test/library-tests/ir/ir/ir.cpp

Original file line number	Diff line number	Diff line change
`@@ -351,6 +351,7 @@ newtype TTranslatedElement =`
`351`	`351`	`exists(ConstructorFieldInit fieldInit \| fieldInit.getExpr().getFullyConverted() = expr) or`
`352`	`352`	`exists(NewExpr newExpr \| newExpr.getInitializer().getFullyConverted() = expr) or`
`353`	`353`	`exists(ThrowExpr throw \| throw.getExpr().getFullyConverted() = expr) or`
	`354`	`+ exists(TemporaryObjectExpr temp \| temp.getExpr() = expr) or`
`354`	`355`	`exists(LambdaExpression lambda \| lambda.getInitializer().getFullyConverted() = expr)`
`355`	`356`	`)`
`356`	`357`	`} or`
Original file line number	Diff line number	Diff line change
`@@ -1171,6 +1171,7 @@ conversionkinds(`
`1171`	`1171`	`\| @parexpr`
`1172`	`1172`	`\| @reference_to`
`1173`	`1173`	`\| @ref_indirect`
	`1174`	`+ \| @temp_init`
`1174`	`1175`	`;`
`1175`	`1176`
`1176`	`1177`	`/*`
`@@ -1673,6 +1674,7 @@ case @expr.kind of`
`1673`	`1674`	`\| 326 = @spaceshipexpr`
`1674`	`1675`	`\| 327 = @co_await`
`1675`	`1676`	`\| 328 = @co_yield`
	`1677`	`+\| 329 = @temp_init`
`1676`	`1678`	`;`
`1677`	`1679`
`1678`	`1680`	`@var_args_expr = @vastartexpr`