C++: assume arguments to virtual functions escape

Robert Marsh · Robert Marsh · commit c70bd285de3b · 2019-03-07T13:14:49.000-08:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -152,7 +152,7 @@ predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
     // result does not itself escape.
     operandIsPropagated(operand, _) and not resultEscapes(operand.getUseInstruction())
     or
-    // The address is passed as an argument to a function from which it does not escape
+    // The operand is used in a function call from which the operand does not escape
     exists(CallInstruction ci, FunctionIR f, Instruction init |
       ci = operand.getUseInstruction() and
       f.getFunction() = ci.getStaticCallTarget() and
@@ -163,6 +163,7 @@ predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
         init.getEnclosingFunctionIR() = f and
         operand instanceof ThisArgumentOperand
       ) and
+      not exists(f.getFunction().getAnOverload()) and
       not resultEscapesNonReturn(init) and
       (
         not resultReturned(init)
@@ -195,6 +196,7 @@ predicate operandEscapesNonReturn(Operand operand) {
         init.getEnclosingFunctionIR() = f and
         operand instanceof ThisArgumentOperand
       ) and
+      not exists(f.getFunction().getAnOverload()) and
       not resultEscapesNonReturn(init) and
       not resultEscapesNonReturn(ci)
     ) or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -152,7 +152,7 @@ predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
     // result does not itself escape.
     operandIsPropagated(operand, _) and not resultEscapes(operand.getUseInstruction())
     or
-    // The address is passed as an argument to a function from which it does not escape
+    // The operand is used in a function call from which the operand does not escape
     exists(CallInstruction ci, FunctionIR f, Instruction init |
       ci = operand.getUseInstruction() and
       f.getFunction() = ci.getStaticCallTarget() and
@@ -163,6 +163,7 @@ predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
         init.getEnclosingFunctionIR() = f and
         operand instanceof ThisArgumentOperand
       ) and
+      not exists(f.getFunction().getAnOverload()) and
       not resultEscapesNonReturn(init) and
       (
         not resultReturned(init)
@@ -195,6 +196,7 @@ predicate operandEscapesNonReturn(Operand operand) {
         init.getEnclosingFunctionIR() = f and
         operand instanceof ThisArgumentOperand
       ) and
+      not exists(f.getFunction().getAnOverload()) and
       not resultEscapesNonReturn(init) and
       not resultEscapesNonReturn(ci)
     ) or
diff --git a/cpp/ql/test/library-tests/ir/escape/escape.expected b/cpp/ql/test/library-tests/ir/escape/escape.expected
@@ -1 +0,0 @@
-| escape.cpp:237:18:237:20 | on1 |
diff --git a/cpp/ql/test/library-tests/ir/escape/ssa_escape.expected b/cpp/ql/test/library-tests/ir/escape/ssa_escape.expected
@@ -1,2 +0,0 @@
-| escape.cpp:231:21:231:23 | or1 |
-| escape.cpp:237:18:237:20 | on1 |

Original file line number	Diff line number	Diff line change
`@@ -1,2 +0,0 @@`
`1`		`-\| escape.cpp:231:21:231:23 \| or1 \|`
`2`		`-\| escape.cpp:237:18:237:20 \| on1 \|`