github
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll‎
Lines changed: 60 additions & 23 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll‎
Lines changed: 60 additions & 23 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll‎
Lines changed: 86 additions & 12 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll‎
Lines changed: 86 additions & 12 deletions
diff --git a/‎cpp/ql/test/library-tests/ir/ir/PrintAST.expected‎
Lines changed: 100 additions & 0 deletions b/‎cpp/ql/test/library-tests/ir/ir/PrintAST.expected‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected‎
Lines changed: 0 additions & 1 deletion b/‎cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected‎
Lines changed: 0 additions & 1 deletion b/‎cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected‎
Lines changed: 0 additions & 1 deletion
@@ -227,6 +227,49 @@ private predicate usedAsCondition(Expr expr) {
   )
 }
 
+/**
+ * Holds if `expr` is the result of a field access whose qualifier was a prvalue and whose result is
+ * a prvalue. These accesses are not marked as having loads, but we do need a load in the IR.
+ */
+private predicate isPRValueFieldAccessWithImplicitLoad(Expr expr) {
+  expr instanceof ValueFieldAccess and
+  expr.isPRValueCategory() and
+  // No need to do a load if we're replacing the result with a constant anyway.
+  not isIRConstant(expr) and
+  // Model an array prvalue as the address of the array, just like an array glvalue.
+  not expr.getUnspecifiedType() instanceof ArrayType
+}
+
+/**
+ * Holds if `expr` is a prvalue of class type that is used directly as the qualifier for a member
+ * access, or is used after undergoing a prvalue adjustment conversion.
+ */
+private predicate isClassPRValueForMemberAccessQualifier(Expr expr) {
+  exists(Expr qualifier |
+    exists(FieldAccess access | qualifier = access.getQualifier().getFullyConverted())
+    or
+    exists(Call call | qualifier = call.getQualifier().getFullyConverted())
+  |
+    // The qualifier is a prvalue of class type.
+    qualifier.getUnspecifiedType() instanceof Class and
+    qualifier.isPRValueCategory() and
+    (
+      expr = qualifier and not expr instanceof PrvalueAdjustmentConversion
+      or
+      // If the qualifier is a prvalue adjustment conversion, the actual object with be provided by
+      // the operand of that conversion. For example:
+      // ```c++
+      // std::string("s").c_str();
+      // ```
+      // The object for the qualifier is a prvalue(load) of type `std::string`, but the actual
+      // fully-converted qualifier of the call to `c_str()` is a prvalue adjustment conversion that
+      // converts the type to `const std::string` to match the type of the `this` pointer of the
+      // member function.
+      expr = qualifier.(PrvalueAdjustmentConversion).getExpr()
+    )
+  )
+}
+
 /**
  * Holds if `expr` has an lvalue-to-rvalue conversion that should be ignored
  * when generating IR. This occurs for conversion from an lvalue of function type
@@ -249,30 +292,9 @@ predicate ignoreLoad(Expr expr) {
     or
     // The extractor represents the qualifier of a field access or member function call as a load of
     // the temporary object if the original qualifier was a prvalue. For IR purposes, we always want
-    // to use the address of the temporary object as the base of a field access or the `this`
+    // to use the address of the temporary object as the qualifier of a field access or the `this`
     // argument to a member function call.
-    exists(Expr qualifier |
-      exists(FieldAccess access | qualifier = access.getQualifier().getFullyConverted())
-      or
-      exists(Call call | qualifier = call.getQualifier().getFullyConverted())
-    |
-      // The qualifier has a class type.
-      qualifier.getUnspecifiedType() instanceof Class and
-      (
-        expr = qualifier
-        or
-        // If the qualifier is a prvalue adjustment conversion, the load will be on the operand of
-        // that conversion. For example:
-        // ```c++
-        // std::string("s").c_str();
-        // ```
-        // The temporary object for the qualifier is a prvalue(load) of type `std::string`, but the
-        // actual fully converted qualifier of the call to `c_str()` is a prvalue adjustment
-        // conversion that converts the type to `const std::string` to match the type of the `this`
-        // pointer of the member function.
-        expr = qualifier.(PrvalueAdjustmentConversion).getExpr()
-      )
-    )
+    isClassPRValueForMemberAccessQualifier(expr)
   )
 }
 
@@ -308,13 +330,25 @@ predicate hasTranslatedLoad(Expr expr) {
     expr.hasLValueToRValueConversion()
     or
     needsLoadForParentExpr(expr)
+    or
+    isPRValueFieldAccessWithImplicitLoad(expr)
   ) and
   not ignoreExpr(expr) and
   not isNativeCondition(expr) and
   not isFlexibleCondition(expr) and
   not ignoreLoad(expr)
 }
 
+/**
+ * Holds if `expr` should have a `TranslatedSyntheticTemporaryObject` on it.
+ */
+predicate hasTranslatedSyntheticTemporaryObject(Expr expr) {
+  not ignoreExpr(expr) and
+  isClassPRValueForMemberAccessQualifier(expr) and
+  // If it's a load, we'll just ignore the load in `ignoreLoad()`.
+  not expr.hasLValueToRValueConversion()
+}
+
 /**
  * Holds if the specified `DeclarationEntry` needs an IR translation. An IR translation is only
  * necessary for automatic local variables, or for static local variables with dynamic
@@ -345,6 +379,9 @@ newtype TTranslatedElement =
   // A separate element to handle the lvalue-to-rvalue conversion step of an
   // expression.
   TTranslatedLoad(Expr expr) { hasTranslatedLoad(expr) } or
+  // A temporary object that we had to synthesize ourselves, so that we could do a field access or
+  // method call on a prvalue.
+  TTranslatedSyntheticTemporaryObject(Expr expr) { hasTranslatedSyntheticTemporaryObject(expr) } or
   // For expressions that would not otherwise generate an instruction.
   TTranslatedResultCopy(Expr expr) {
     not ignoreExpr(expr) and
 
@@ -110,9 +110,10 @@ abstract class TranslatedCoreExpr extends TranslatedExpr {
   }
 
   final override predicate producesExprResult() {
-    // If there's no load, then this is the only TranslatedExpr for this
+    // If there's no load or temp object, then this is the only TranslatedExpr for this
     // expression.
     not hasTranslatedLoad(expr) and
+    not hasTranslatedSyntheticTemporaryObject(expr) and
     // If there's a result copy, then this expression's result is the copy.
     not exprNeedsCopyIfNotLoaded(expr)
   }
@@ -246,19 +247,35 @@ class TranslatedConditionValue extends TranslatedCoreExpr, ConditionContext,
   private TranslatedCondition getCondition() { result = getTranslatedCondition(expr) }
 }
 
+/**
+ * The IR translation of a node synthesized to adjust the value category of its operand.
+ * One of:
+ * - `TranslatedLoad` - Convert from glvalue to prvalue by loading from the location.
+ * - `TranslatedSyntheticTemporaryObject` - Convert from prvalue to glvalue by storing to a
+ *   temporary variable.
+ */
+abstract class TranslatedValueCategoryAdjustment extends TranslatedExpr {
+  final override Instruction getFirstInstruction() { result = getOperand().getFirstInstruction() }
+
+  final override TranslatedElement getChild(int id) { id = 0 and result = getOperand() }
+
+  final override predicate producesExprResult() {
+    // A temp object always produces the result of the expression.
+    any()
+  }
+
+  final TranslatedCoreExpr getOperand() { result.getExpr() = expr }
+}
+
 /**
  * IR translation of an implicit lvalue-to-rvalue conversion on the result of
  * an expression.
  */
-class TranslatedLoad extends TranslatedExpr, TTranslatedLoad {
+class TranslatedLoad extends TranslatedValueCategoryAdjustment, TTranslatedLoad {
   TranslatedLoad() { this = TTranslatedLoad(expr) }
 
   override string toString() { result = "Load of " + expr.toString() }
 
-  override Instruction getFirstInstruction() { result = getOperand().getFirstInstruction() }
-
-  override TranslatedElement getChild(int id) { id = 0 and result = getOperand() }
-
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
     tag = LoadTag() and
     opcode instanceof Opcode::Load and
@@ -286,18 +303,75 @@ class TranslatedLoad extends TranslatedExpr, TTranslatedLoad {
       result = getOperand().getResult()
     )
   }
+}
 
-  final override predicate producesExprResult() {
-    // A load always produces the result of the expression.
-    any()
+/**
+ * The IR translation of a temporary object synthesized by the IR to hold a class prvalue on which
+ * a member access is going to be performed. This differs from `TranslatedTemporaryObjectExpr` in
+ * that instances of `TranslatedSyntheticTemporaryObject` are synthesized during IR construction,
+ * whereas `TranslatedTemporaryObjectExpr` instances are created from `TemporaryObjectExpr` nodes
+ * from the AST.
+ */
+class TranslatedSyntheticTemporaryObject extends TranslatedValueCategoryAdjustment,
+  TTranslatedSyntheticTemporaryObject {
+  TranslatedSyntheticTemporaryObject() { this = TTranslatedSyntheticTemporaryObject(expr) }
+
+  override string toString() { result = "Temporary materialization of " + expr.toString() }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = InitializerVariableAddressTag() and
+    opcode instanceof Opcode::VariableAddress and
+    resultType = getTypeForGLValue(expr.getType())
+    or
+    tag = InitializerStoreTag() and
+    opcode instanceof Opcode::Store and
+    resultType = getTypeForPRValue(expr.getType())
   }
 
-  TranslatedCoreExpr getOperand() { result.getExpr() = expr }
+  override predicate isResultGLValue() { any() }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = InitializerVariableAddressTag() and
+    result = getInstruction(InitializerStoreTag()) and
+    kind instanceof GotoEdge
+    or
+    tag = InitializerStoreTag() and
+    result = getParent().getChildSuccessor(this) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getOperand() and result = getInstruction(InitializerVariableAddressTag())
+  }
+
+  override Instruction getResult() { result = getInstruction(InitializerVariableAddressTag()) }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = InitializerStoreTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = getInstruction(InitializerVariableAddressTag())
+      or
+      operandTag instanceof StoreValueOperandTag and
+      result = getOperand().getResult()
+    )
+  }
+
+  final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
+    tag = TempObjectTempVar() and
+    type = getTypeForPRValue(expr.getType())
+  }
+
+  final override IRVariable getInstructionVariable(InstructionTag tag) {
+    tag = InitializerVariableAddressTag() and
+    result = getIRTempVariable(expr, TempObjectTempVar())
+  }
 }
 
 /**
- * IR translation of an implicit lvalue-to-rvalue conversion on the result of
- * an expression.
+ * IR translation of an expression that simply returns its result. We generate an otherwise useless
+ * `CopyValue` instruction for these expressions so that there is at least one instruction
+ * associated with the expression.
  */
 class TranslatedResultCopy extends TranslatedExpr, TTranslatedResultCopy {
   TranslatedResultCopy() { this = TTranslatedResultCopy(expr) }
 
@@ -10656,6 +10656,8 @@ ir.cpp:
 # 1363|   params: 
 # 1363| [TemplateFunction,TopLevelFunction] T returnValue<T>()
 # 1363|   params: 
+# 1363| [FunctionTemplateInstantiation,TopLevelFunction] UnusualFields returnValue<UnusualFields>()
+# 1363|   params: 
 # 1363| [FunctionTemplateInstantiation,TopLevelFunction] copy_constructor returnValue<copy_constructor>()
 # 1363|   params: 
 # 1363| [FunctionTemplateInstantiation,TopLevelFunction] destructor_only returnValue<destructor_only>()
@@ -11061,6 +11063,104 @@ ir.cpp:
 # 1413|           Type = [Struct] Point
 # 1413|           ValueCategory = prvalue
 # 1414|     7: [ReturnStmt] return ...
+# 1416| [CopyAssignmentOperator] UnusualFields& UnusualFields::operator=(UnusualFields const&)
+# 1416|   params: 
+#-----|     0: [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const UnusualFields &
+# 1416| [Constructor] void UnusualFields::UnusualFields()
+# 1416|   params: 
+# 1416| [CopyConstructor] void UnusualFields::UnusualFields(UnusualFields const&)
+# 1416|   params: 
+#-----|     0: [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const UnusualFields &
+# 1416| [MoveConstructor] void UnusualFields::UnusualFields(UnusualFields&&)
+# 1416|   params: 
+#-----|     0: [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] UnusualFields &&
+# 1421| [TopLevelFunction] void temporary_unusual_fields()
+# 1421|   params: 
+# 1421|   body: [BlockStmt] { ... }
+# 1422|     0: [DeclStmt] declaration
+# 1422|       0: [VariableDeclarationEntry] definition of rx
+# 1422|           Type = [LValueReferenceType] const int &
+# 1422|         init: [Initializer] initializer for rx
+# 1422|           expr: [ReferenceToExpr] (reference to)
+# 1422|               Type = [LValueReferenceType] const int &
+# 1422|               ValueCategory = prvalue
+# 1422|             expr: [CStyleCast] (const int)...
+# 1422|                 Conversion = [GlvalueConversion] glvalue conversion
+# 1422|                 Type = [SpecifiedType] const int
+# 1422|                 ValueCategory = lvalue
+# 1422|               expr: [ReferenceDereferenceExpr] (reference dereference)
+# 1422|                   Type = [IntType] int
+# 1422|                   ValueCategory = lvalue
+# 1422|                 expr: [ValueFieldAccess] r
+# 1422|                     Type = [LValueReferenceType] int &
+# 1422|                     ValueCategory = prvalue
+# 1422|                   -1: [FunctionCall] call to returnValue
+# 1422|                       Type = [Struct] UnusualFields
+# 1422|                       ValueCategory = prvalue
+# 1423|     1: [DeclStmt] declaration
+# 1423|       0: [VariableDeclarationEntry] definition of x
+# 1423|           Type = [IntType] int
+# 1423|         init: [Initializer] initializer for x
+# 1423|           expr: [ReferenceDereferenceExpr] (reference dereference)
+# 1423|               Type = [IntType] int
+# 1423|               ValueCategory = prvalue(load)
+# 1423|             expr: [ValueFieldAccess] r
+# 1423|                 Type = [LValueReferenceType] int &
+# 1423|                 ValueCategory = prvalue
+# 1423|               -1: [FunctionCall] call to returnValue
+# 1423|                   Type = [Struct] UnusualFields
+# 1423|                   ValueCategory = prvalue
+# 1425|     2: [DeclStmt] declaration
+# 1425|       0: [VariableDeclarationEntry] definition of rf
+# 1425|           Type = [LValueReferenceType] const float &
+# 1425|         init: [Initializer] initializer for rf
+# 1425|           expr: [ReferenceToExpr] (reference to)
+# 1425|               Type = [LValueReferenceType] const float &
+# 1425|               ValueCategory = prvalue
+# 1425|             expr: [CStyleCast] (const float)...
+# 1425|                 Conversion = [GlvalueConversion] glvalue conversion
+# 1425|                 Type = [SpecifiedType] const float
+# 1425|                 ValueCategory = lvalue
+# 1425|               expr: [ArrayExpr] access to array
+# 1425|                   Type = [FloatType] float
+# 1425|                   ValueCategory = lvalue
+# 1425|                 0: [ArrayToPointerConversion] array to pointer conversion
+# 1425|                     Type = [PointerType] float *
+# 1425|                     ValueCategory = prvalue
+# 1425|                   expr: [ValueFieldAccess] a
+# 1425|                       Type = [ArrayType] float[10]
+# 1425|                       ValueCategory = prvalue
+# 1425|                     -1: [FunctionCall] call to returnValue
+# 1425|                         Type = [Struct] UnusualFields
+# 1425|                         ValueCategory = prvalue
+# 1425|                 1: [Literal] 3
+# 1425|                     Type = [IntType] int
+# 1425|                     Value = [Literal] 3
+# 1425|                     ValueCategory = prvalue
+# 1426|     3: [DeclStmt] declaration
+# 1426|       0: [VariableDeclarationEntry] definition of f
+# 1426|           Type = [FloatType] float
+# 1426|         init: [Initializer] initializer for f
+# 1426|           expr: [ArrayExpr] access to array
+# 1426|               Type = [FloatType] float
+# 1426|               ValueCategory = prvalue(load)
+# 1426|             0: [ArrayToPointerConversion] array to pointer conversion
+# 1426|                 Type = [PointerType] float *
+# 1426|                 ValueCategory = prvalue
+# 1426|               expr: [ValueFieldAccess] a
+# 1426|                   Type = [ArrayType] float[10]
+# 1426|                   ValueCategory = prvalue
+# 1426|                 -1: [FunctionCall] call to returnValue
+# 1426|                     Type = [Struct] UnusualFields
+# 1426|                     ValueCategory = prvalue
+# 1426|             1: [Literal] 5
+# 1426|                 Type = [IntType] int
+# 1426|                 Value = [Literal] 5
+# 1426|                 ValueCategory = prvalue
+# 1427|     4: [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   params: 
 
@@ -22,7 +22,6 @@ wronglyMarkedAsConflated
 invalidOverlap
 nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
-| ir.cpp:1411:34:1411:34 | FieldAddress: y | FieldAddress instruction 'FieldAddress: y' has an object address operand that is not an address, in function '$@'. | ir.cpp:1404:6:1404:20 | void temporary_point() | void temporary_point() |
 thisArgumentIsNonPointer
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 
@@ -22,7 +22,6 @@ wronglyMarkedAsConflated
 invalidOverlap
 nonUniqueEnclosingIRFunction
 fieldAddressOnNonPointer
-| ir.cpp:1411:34:1411:34 | FieldAddress: y | FieldAddress instruction 'FieldAddress: y' has an object address operand that is not an address, in function '$@'. | ir.cpp:1404:6:1404:20 | void temporary_point() | void temporary_point() |
 thisArgumentIsNonPointer
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes