C++: Fix IR variable reuse for global var inits

Robert Marsh · Robert Marsh · commit e0878d7d3c95 · 2022-06-20T14:41:02.000-04:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll
@@ -18,7 +18,7 @@ private import Imports::IRType
  * by the AST-to-IR translation (`IRTempVariable`).
  */
 class IRVariable extends TIRVariable {
-  Language::Function func;
+  Language::Declaration func;
 
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
   /**
    * Gets the function that references this variable.
    */
-  final Language::Function getEnclosingFunction() { result = func }
+  final Language::Declaration getEnclosingFunction() { result = func }
 }
 
 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {
 
   final override string toString() { result = "#ellipsis" }
 
-  final override int getIndex() { result = func.getNumberOfParameters() }
+  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
 }
 
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll
@@ -2,21 +2,21 @@ private import TIRVariableInternal
 private import Imports::TempVariableTag
 
 newtype TIRVariable =
-  TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Function func) {
+  TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Declaration func) {
     Construction::hasUserVariable(func, var, type)
   } or
   TIRTempVariable(
-    Language::Function func, Language::AST ast, TempVariableTag tag, Language::LanguageType type
+    Language::Declaration func, Language::AST ast, TempVariableTag tag, Language::LanguageType type
   ) {
     Construction::hasTempVariable(func, ast, tag, type)
   } or
   TIRDynamicInitializationFlag(
-    Language::Function func, Language::Variable var, Language::LanguageType type
+    Language::Declaration func, Language::Variable var, Language::LanguageType type
   ) {
     Construction::hasDynamicInitializationFlag(func, var, type)
   } or
   TIRStringLiteral(
-    Language::Function func, Language::AST ast, Language::LanguageType type,
+    Language::Declaration func, Language::AST ast, Language::LanguageType type,
     Language::StringLiteral literal
   ) {
     Construction::hasStringLiteral(func, ast, type, literal)
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll
@@ -18,7 +18,7 @@ private import Imports::IRType
  * by the AST-to-IR translation (`IRTempVariable`).
  */
 class IRVariable extends TIRVariable {
-  Language::Function func;
+  Language::Declaration func;
 
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
   /**
    * Gets the function that references this variable.
    */
-  final Language::Function getEnclosingFunction() { result = func }
+  final Language::Declaration getEnclosingFunction() { result = func }
 }
 
 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {
 
   final override string toString() { result = "#ellipsis" }
 
-  final override int getIndex() { result = func.getNumberOfParameters() }
+  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
 }
 
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll
@@ -89,7 +89,8 @@ class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
 
   override IRUserVariable getInstructionVariable(InstructionTag tag) {
     tag = InitializerVariableAddressTag() and
-    result.getVariable() = var
+    result.getVariable() = var and
+    result.getEnclosingFunction() = var
   }
 
   override Instruction getTargetAddress() {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll
@@ -18,7 +18,7 @@ private import Imports::IRType
  * by the AST-to-IR translation (`IRTempVariable`).
  */
 class IRVariable extends TIRVariable {
-  Language::Function func;
+  Language::Declaration func;
 
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
   /**
    * Gets the function that references this variable.
    */
-  final Language::Function getEnclosingFunction() { result = func }
+  final Language::Declaration getEnclosingFunction() { result = func }
 }
 
 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {
 
   final override string toString() { result = "#ellipsis" }
 
-  final override int getIndex() { result = func.getNumberOfParameters() }
+  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
 }
 
 /**
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -1,16 +1,20 @@
 uniqueEnclosingCallable
 | globals.cpp:9:5:9:19 | Address | Node should have one enclosing callable but has 0. |
+| globals.cpp:9:5:9:19 | AliasedDefinition | Node should have one enclosing callable but has 0. |
 | globals.cpp:9:5:9:19 | VariableAddress | Node should have one enclosing callable but has 0. |
 | globals.cpp:9:5:9:19 | VariableAddress [post update] | Node should have one enclosing callable but has 0. |
 | globals.cpp:9:23:9:23 | 0 | Node should have one enclosing callable but has 0. |
 | globals.cpp:9:23:9:23 | ChiPartial | Node should have one enclosing callable but has 0. |
+| globals.cpp:9:23:9:23 | ChiTotal | Node should have one enclosing callable but has 0. |
 | globals.cpp:9:23:9:23 | Store | Node should have one enclosing callable but has 0. |
 | globals.cpp:9:23:9:23 | StoreValue | Node should have one enclosing callable but has 0. |
 | globals.cpp:16:12:16:26 | Address | Node should have one enclosing callable but has 0. |
+| globals.cpp:16:12:16:26 | AliasedDefinition | Node should have one enclosing callable but has 0. |
 | globals.cpp:16:12:16:26 | VariableAddress | Node should have one enclosing callable but has 0. |
 | globals.cpp:16:12:16:26 | VariableAddress [post update] | Node should have one enclosing callable but has 0. |
 | globals.cpp:16:30:16:30 | 0 | Node should have one enclosing callable but has 0. |
 | globals.cpp:16:30:16:30 | ChiPartial | Node should have one enclosing callable but has 0. |
+| globals.cpp:16:30:16:30 | ChiTotal | Node should have one enclosing callable but has 0. |
 | globals.cpp:16:30:16:30 | Store | Node should have one enclosing callable but has 0. |
 | globals.cpp:16:30:16:30 | StoreValue | Node should have one enclosing callable but has 0. |
 uniqueType
@@ -234,10 +238,10 @@ postWithInFlow
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:23:3:23:3 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | v [post update] | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:23:15:23:15 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:7:28:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
@@ -4744,15 +4744,13 @@
 | ir.cpp:1034:6:1034:20 | SideEffect | m1034_3 |
 | ir.cpp:1035:15:1035:15 | Address | &:r1035_1 |
 | ir.cpp:1038:6:1038:8 | Address | &:r1038_3 |
-| ir.cpp:1038:6:1038:8 | SideEffect | ~m1038_9 |
+| ir.cpp:1038:6:1038:8 | SideEffect | ~m1038_8 |
 | ir.cpp:1038:12:1038:18 | Address | &:r1038_4 |
 | ir.cpp:1038:12:1038:18 | Address | &:r1038_4 |
-| ir.cpp:1038:12:1038:18 | ChiPartial | partial:m1038_5 |
-| ir.cpp:1038:12:1038:18 | ChiPartial | partial:m1038_8 |
+| ir.cpp:1038:12:1038:18 | ChiPartial | partial:m1038_7 |
 | ir.cpp:1038:12:1038:18 | ChiTotal | total:m1038_2 |
-| ir.cpp:1038:12:1038:18 | ChiTotal | total:m1038_6 |
-| ir.cpp:1038:12:1038:18 | Load | ~m1038_6 |
-| ir.cpp:1038:12:1038:18 | StoreValue | r1038_7 |
+| ir.cpp:1038:12:1038:18 | Load | m1038_5 |
+| ir.cpp:1038:12:1038:18 | StoreValue | r1038_6 |
 | ir.cpp:1038:14:1038:14 | Address | &:r1038_5 |
 | ir.cpp:1038:14:1038:14 | Address | &:r1038_5 |
 | ir.cpp:1038:14:1038:14 | Address | &:r1038_5 |
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -5652,16 +5652,16 @@ ir.cpp:
 
 # 1038| (lambda [] type at line 1038, col. 12) lam
 # 1038|   Block 0
-# 1038|     v1038_1(void)                             = EnterFunction     : 
-# 1038|     mu1038_2(unknown)                         = AliasedDefinition : 
-# 1038|     r1038_3(glval<decltype([...](...){...})>) = VariableAddress   : 
-# 1038|     r1038_4(glval<decltype([...](...){...})>) = VariableAddress   : 
-# 1038|     mu1038_5(decltype([...](...){...}))       = Uninitialized     : &:r1038_4
-# 1038|     r1038_6(decltype([...](...){...}))        = Load[?]           : &:r1038_4, ~m?
-# 1038|     mu1038_7(decltype([...](...){...}))       = Store[?]          : &:r1038_3, r1038_6
-# 1038|     v1038_8(void)                             = ReturnVoid        : 
-# 1038|     v1038_9(void)                             = AliasedUse        : ~m?
-# 1038|     v1038_10(void)                            = ExitFunction      : 
+# 1038|     v1038_1(void)                             = EnterFunction                 : 
+# 1038|     mu1038_2(unknown)                         = AliasedDefinition             : 
+# 1038|     r1038_3(glval<decltype([...](...){...})>) = VariableAddress               : 
+# 1038|     r1038_4(glval<decltype([...](...){...})>) = VariableAddress[#temp1038:12] : 
+# 1038|     mu1038_5(decltype([...](...){...}))       = Uninitialized[#temp1038:12]   : &:r1038_4
+# 1038|     r1038_6(decltype([...](...){...}))        = Load[#temp1038:12]            : &:r1038_4, ~m?
+# 1038|     mu1038_7(decltype([...](...){...}))       = Store[?]                      : &:r1038_3, r1038_6
+# 1038|     v1038_8(void)                             = ReturnVoid                    : 
+# 1038|     v1038_9(void)                             = AliasedUse                    : ~m?
+# 1038|     v1038_10(void)                            = ExitFunction                  : 
 
 # 1038| void (lambda [] type at line 1038, col. 12)::operator()() const
 # 1038|   Block 0
@@ -9785,16 +9785,16 @@ ir.cpp:
 
 # 1829| char* global_string
 # 1829|   Block 0
-# 1829|     v1829_1(void)            = EnterFunction     : 
-# 1829|     mu1829_2(unknown)        = AliasedDefinition : 
-# 1829|     r1829_3(glval<char *>)   = VariableAddress   : 
-# 1829|     r1829_4(glval<char[14]>) = StringConstant    : 
-# 1829|     r1829_5(char *)          = Convert           : r1829_4
-# 1829|     r1829_6(char *)          = Convert           : r1829_5
-# 1829|     mu1829_7(char *)         = Store[?]          : &:r1829_3, r1829_6
-# 1829|     v1829_8(void)            = ReturnVoid        : 
-# 1829|     v1829_9(void)            = AliasedUse        : ~m?
-# 1829|     v1829_10(void)           = ExitFunction      : 
+# 1829|     v1829_1(void)            = EnterFunction                   : 
+# 1829|     mu1829_2(unknown)        = AliasedDefinition               : 
+# 1829|     r1829_3(glval<char *>)   = VariableAddress                 : 
+# 1829|     r1829_4(glval<char[14]>) = StringConstant["global string"] : 
+# 1829|     r1829_5(char *)          = Convert                         : r1829_4
+# 1829|     r1829_6(char *)          = Convert                         : r1829_5
+# 1829|     mu1829_7(char *)         = Store[?]                        : &:r1829_3, r1829_6
+# 1829|     v1829_8(void)            = ReturnVoid                      : 
+# 1829|     v1829_9(void)            = AliasedUse                      : ~m?
+# 1829|     v1829_10(void)           = ExitFunction                    : 
 
 perf-regression.cpp:
 #    6| void Big::Big()
@@ -10025,7 +10025,7 @@ struct_init.cpp:
 #    9|     r9_4(int)               = Constant[0]               : 
 #    9|     r9_5(glval<Info>)       = PointerAdd[16]            : r9_3, r9_4
 #   10|     r10_1(glval<char *>)    = FieldAddress[name]        : r9_5
-#   10|     r10_2(glval<char[2]>)   = StringConstant            : 
+#   10|     r10_2(glval<char[2]>)   = StringConstant["1"]       : 
 #   10|     r10_3(char *)           = Convert                   : r10_2
 #   10|     mu10_4(char *)          = Store[?]                  : &:r10_1, r10_3
 #   10|     r10_5(glval<..(*)(..)>) = FieldAddress[handler]     : r9_5
@@ -10034,7 +10034,7 @@ struct_init.cpp:
 #    9|     r9_6(int)               = Constant[1]               : 
 #    9|     r9_7(glval<Info>)       = PointerAdd[16]            : r9_3, r9_6
 #   11|     r11_1(glval<char *>)    = FieldAddress[name]        : r9_7
-#   11|     r11_2(glval<char[2]>)   = StringConstant            : 
+#   11|     r11_2(glval<char[2]>)   = StringConstant["3"]       : 
 #   11|     r11_3(char *)           = Convert                   : r11_2
 #   11|     mu11_4(char *)          = Store[?]                  : &:r11_1, r11_3
 #   11|     r11_5(glval<..(*)(..)>) = FieldAddress[handler]     : r9_7
diff --git a/cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected b/cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected
@@ -71,20 +71,20 @@ test.cpp:
 
 #   10| int global01
 #   10|   Block 0
-#   10|     v10_1(void)       = EnterFunction             : 
-#   10|     m10_2(unknown)    = AliasedDefinition         : 
+#   10|     v10_1(void)       = EnterFunction     : 
+#   10|     m10_2(unknown)    = AliasedDefinition : 
 #   10|         valnum = unique
-#   10|     r10_3(glval<int>) = VariableAddress[global01] : 
+#   10|     r10_3(glval<int>) = VariableAddress   : 
 #   10|         valnum = unique
-#   10|     r10_4(int)        = Constant[1]               : 
+#   10|     r10_4(int)        = Constant[1]       : 
 #   10|         valnum = m10_5, r10_4
-#   10|     m10_5(int)        = Store[global01]           : &:r10_3, r10_4
+#   10|     m10_5(int)        = Store[?]          : &:r10_3, r10_4
 #   10|         valnum = m10_5, r10_4
-#   10|     m10_6(unknown)    = Chi                       : total:~m?, partial:m10_5
+#   10|     m10_6(unknown)    = Chi               : total:m10_2, partial:m10_5
 #   10|         valnum = unique
-#   10|     v10_7(void)       = ReturnVoid                : 
-#   10|     v10_8(void)       = AliasedUse                : ~m10_2
-#   10|     v10_9(void)       = ExitFunction              : 
+#   10|     v10_7(void)       = ReturnVoid        : 
+#   10|     v10_8(void)       = AliasedUse        : ~m10_6
+#   10|     v10_9(void)       = ExitFunction      : 
 
 #   12| void test01(int, int)
 #   12|   Block 0
@@ -170,20 +170,20 @@ test.cpp:
 
 #   21| int global02
 #   21|   Block 0
-#   21|     v21_1(void)       = EnterFunction             : 
-#   21|     m21_2(unknown)    = AliasedDefinition         : 
+#   21|     v21_1(void)       = EnterFunction     : 
+#   21|     m21_2(unknown)    = AliasedDefinition : 
 #   21|         valnum = unique
-#   21|     r21_3(glval<int>) = VariableAddress[global02] : 
+#   21|     r21_3(glval<int>) = VariableAddress   : 
 #   21|         valnum = unique
-#   21|     r21_4(int)        = Constant[2]               : 
+#   21|     r21_4(int)        = Constant[2]       : 
 #   21|         valnum = m21_5, r21_4
-#   21|     m21_5(int)        = Store[global02]           : &:r21_3, r21_4
+#   21|     m21_5(int)        = Store[?]          : &:r21_3, r21_4
 #   21|         valnum = m21_5, r21_4
-#   21|     m21_6(unknown)    = Chi                       : total:~m?, partial:m21_5
+#   21|     m21_6(unknown)    = Chi               : total:m21_2, partial:m21_5
 #   21|         valnum = unique
-#   21|     v21_7(void)       = ReturnVoid                : 
-#   21|     v21_8(void)       = AliasedUse                : ~m21_2
-#   21|     v21_9(void)       = ExitFunction              : 
+#   21|     v21_7(void)       = ReturnVoid        : 
+#   21|     v21_8(void)       = AliasedUse        : ~m21_6
+#   21|     v21_9(void)       = ExitFunction      : 
 
 #   25| void test02(int, int)
 #   25|   Block 0
@@ -276,20 +276,20 @@ test.cpp:
 
 #   35| int global03
 #   35|   Block 0
-#   35|     v35_1(void)       = EnterFunction             : 
-#   35|     m35_2(unknown)    = AliasedDefinition         : 
+#   35|     v35_1(void)       = EnterFunction     : 
+#   35|     m35_2(unknown)    = AliasedDefinition : 
 #   35|         valnum = unique
-#   35|     r35_3(glval<int>) = VariableAddress[global03] : 
+#   35|     r35_3(glval<int>) = VariableAddress   : 
 #   35|         valnum = unique
-#   35|     r35_4(int)        = Constant[3]               : 
+#   35|     r35_4(int)        = Constant[3]       : 
 #   35|         valnum = m35_5, r35_4
-#   35|     m35_5(int)        = Store[global03]           : &:r35_3, r35_4
+#   35|     m35_5(int)        = Store[?]          : &:r35_3, r35_4
 #   35|         valnum = m35_5, r35_4
-#   35|     m35_6(unknown)    = Chi                       : total:~m?, partial:m35_5
+#   35|     m35_6(unknown)    = Chi               : total:m35_2, partial:m35_5
 #   35|         valnum = unique
-#   35|     v35_7(void)       = ReturnVoid                : 
-#   35|     v35_8(void)       = AliasedUse                : ~m35_2
-#   35|     v35_9(void)       = ExitFunction              : 
+#   35|     v35_7(void)       = ReturnVoid        : 
+#   35|     v35_8(void)       = AliasedUse        : ~m35_6
+#   35|     v35_9(void)       = ExitFunction      : 
 
 #   39| void test03(int, int, int*)
 #   39|   Block 0
diff --git a/csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll b/csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll
@@ -2,21 +2,21 @@ private import TIRVariableInternal
 private import Imports::TempVariableTag
 
 newtype TIRVariable =
-  TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Function func) {
+  TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Declaration func) {
     Construction::hasUserVariable(func, var, type)
   } or
   TIRTempVariable(
-    Language::Function func, Language::AST ast, TempVariableTag tag, Language::LanguageType type
+    Language::Declaration func, Language::AST ast, TempVariableTag tag, Language::LanguageType type
   ) {
     Construction::hasTempVariable(func, ast, tag, type)
   } or
   TIRDynamicInitializationFlag(
-    Language::Function func, Language::Variable var, Language::LanguageType type
+    Language::Declaration func, Language::Variable var, Language::LanguageType type
   ) {
     Construction::hasDynamicInitializationFlag(func, var, type)
   } or
   TIRStringLiteral(
-    Language::Function func, Language::AST ast, Language::LanguageType type,
+    Language::Declaration func, Language::AST ast, Language::LanguageType type,
     Language::StringLiteral literal
   ) {
     Construction::hasStringLiteral(func, ast, type, literal)
diff --git a/csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll b/csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll
@@ -18,7 +18,7 @@ private import Imports::IRType
  * by the AST-to-IR translation (`IRTempVariable`).
  */
 class IRVariable extends TIRVariable {
-  Language::Function func;
+  Language::Declaration func;
 
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
   /**
    * Gets the function that references this variable.
    */
-  final Language::Function getEnclosingFunction() { result = func }
+  final Language::Declaration getEnclosingFunction() { result = func }
 }
 
 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {
 
   final override string toString() { result = "#ellipsis" }
 
-  final override int getIndex() { result = func.getNumberOfParameters() }
+  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll

Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,8 @@ class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,`
`89`	`89`
`90`	`90`	`override IRUserVariable getInstructionVariable(InstructionTag tag) {`
`91`	`91`	`tag = InitializerVariableAddressTag() and`
`92`		`- result.getVariable() = var`
	`92`	`+ result.getVariable() = var and`
	`93`	`+ result.getEnclosingFunction() = var`
`93`	`94`	`}`
`94`	`95`
`95`	`96`	`override Instruction getTargetAddress() {`