github
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll‎
Lines changed: 9 additions & 4 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll‎
Lines changed: 20 additions & 9 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll‎
Lines changed: 20 additions & 9 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll‎
Lines changed: 56 additions & 64 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll‎
Lines changed: 56 additions & 64 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll‎
Lines changed: 1 addition & 2 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll‎
Lines changed: 1 addition & 2 deletions
@@ -105,6 +105,11 @@ abstract class BuiltInOpcode extends Opcode {}
 
 abstract class SideEffectOpcode extends Opcode {}
 
+/**
+ * An opcode that reads a value from memory.
+ */
+abstract class OpcodeWithLoad extends MemoryAccessOpcode {}
+
 /**
  * An opcode that reads from a set of memory locations as a side effect.
  */
@@ -133,10 +138,10 @@ module Opcode {
   class InitializeThis extends Opcode, TInitializeThis { override final string toString() { result = "InitializeThis" } }
   class EnterFunction extends Opcode, TEnterFunction { override final string toString() { result = "EnterFunction" } }
   class ExitFunction extends Opcode, TExitFunction { override final string toString() { result = "ExitFunction" } }
-  class ReturnValue extends ReturnOpcode, MemoryAccessOpcode, TReturnValue { override final string toString() { result = "ReturnValue" } }
+  class ReturnValue extends ReturnOpcode, OpcodeWithLoad, TReturnValue { override final string toString() { result = "ReturnValue" } }
   class ReturnVoid extends ReturnOpcode, TReturnVoid { override final string toString() { result = "ReturnVoid" } }
-  class CopyValue extends CopyOpcode, TCopyValue { override final string toString() { result = "CopyValue" } }
-  class Load extends CopyOpcode, MemoryAccessOpcode, TLoad { override final string toString() { result = "Load" } }
+  class CopyValue extends UnaryOpcode, CopyOpcode, TCopyValue { override final string toString() { result = "CopyValue" } }
+  class Load extends CopyOpcode, OpcodeWithLoad, TLoad { override final string toString() { result = "Load" } }
   class Store extends CopyOpcode, MemoryAccessOpcode, TStore { override final string toString() { result = "Store" } }
   class Add extends BinaryOpcode, TAdd { override final string toString() { result = "Add" } }
   class Sub extends BinaryOpcode, TSub { override final string toString() { result = "Sub" } }
@@ -177,7 +182,7 @@ module Opcode {
   class Call extends Opcode, TCall { override final string toString() { result = "Call" } }
   class CatchByType extends CatchOpcode, TCatchByType { override final string toString() { result = "CatchByType" } }
   class CatchAny extends CatchOpcode, TCatchAny { override final string toString() { result = "CatchAny" } }
-  class ThrowValue extends ThrowOpcode, MemoryAccessOpcode, TThrowValue { override final string toString() { result = "ThrowValue" } }
+  class ThrowValue extends ThrowOpcode, OpcodeWithLoad, TThrowValue { override final string toString() { result = "ThrowValue" } }
   class ReThrow extends ThrowOpcode, TReThrow { override final string toString() { result = "ReThrow" } }
   class Unwind extends Opcode, TUnwind { override final string toString() { result = "Unwind" } }
   class UnmodeledDefinition extends Opcode, TUnmodeledDefinition { override final string toString() { result = "UnmodeledDefinition" } }
 
@@ -29,12 +29,11 @@ module InstructionSanity {
             tag instanceof RightOperandTag
           )
         ) or
-        opcode instanceof CopyOpcode and tag instanceof CopySourceOperandTag or
         opcode instanceof MemoryAccessOpcode and tag instanceof AddressOperandTag or
         opcode instanceof BufferAccessOpcode and tag instanceof BufferSizeOperand or
         opcode instanceof OpcodeWithCondition and tag instanceof ConditionOperandTag or
-        opcode instanceof Opcode::ReturnValue and tag instanceof ReturnValueOperandTag or
-        opcode instanceof Opcode::ThrowValue and tag instanceof ExceptionOperandTag or
+        opcode instanceof OpcodeWithLoad and tag instanceof LoadOperandTag or
+        opcode instanceof Opcode::Store and tag instanceof StoreValueOperandTag or
         opcode instanceof Opcode::UnmodeledUse and tag instanceof UnmodeledUseOperandTag or
         opcode instanceof Opcode::Call and tag instanceof CallTargetOperandTag or
         opcode instanceof Opcode::Chi and tag instanceof ChiTotalOperandTag or
@@ -714,7 +713,7 @@ class ReturnValueInstruction extends ReturnInstruction {
     getOpcode() instanceof Opcode::ReturnValue
   }
 
-  final ReturnValueOperand getReturnValueOperand() {
+  final LoadOperand getReturnValueOperand() {
     result = getAnOperand()
   }
 
@@ -728,19 +727,23 @@ class CopyInstruction extends Instruction {
     getOpcode() instanceof CopyOpcode
   }
 
-  final CopySourceOperand getSourceValueOperand() {
-    result = getAnOperand()
+  Operand getSourceValueOperand() {
+    none()
   }
-  
+
   final Instruction getSourceValue() {
     result = getSourceValueOperand().getDefinitionInstruction()
   }
 }
 
-class CopyValueInstruction extends CopyInstruction {
+class CopyValueInstruction extends CopyInstruction, UnaryInstruction {
   CopyValueInstruction() {
     getOpcode() instanceof Opcode::CopyValue
   }
+
+  override final UnaryOperand getSourceValueOperand() {
+    result = getAnOperand()
+  }
 }
 
 class LoadInstruction extends CopyInstruction {
@@ -755,6 +758,10 @@ class LoadInstruction extends CopyInstruction {
   final Instruction getSourceAddress() {
     result = getSourceAddressOperand().getDefinitionInstruction()
   }
+
+  override final LoadOperand getSourceValueOperand() {
+    result = getAnOperand()
+  }
 }
 
 class StoreInstruction extends CopyInstruction {
@@ -773,6 +780,10 @@ class StoreInstruction extends CopyInstruction {
   final Instruction getDestinationAddress() {
     result = getDestinationAddressOperand().getDefinitionInstruction()
   }
+
+  override final StoreValueOperand getSourceValueOperand() {
+    result = getAnOperand()
+  }
 }
 
 class ConditionalBranchInstruction extends Instruction {
@@ -1442,7 +1453,7 @@ class ThrowValueInstruction extends ThrowInstruction {
   /**
    * Gets the operand for the exception thrown by this instruction.
    */
-  final ExceptionOperand getExceptionOperand() {
+  final LoadOperand getExceptionOperand() {
     result = getAnOperand()
   }
 
 
@@ -63,9 +63,21 @@ class Operand extends TOperand {
   int getDumpSortOrder() {
     result = -1
   }
+}
+
+/**
+ * An operand that consumes a memory result (e.g. the `LoadOperand` on a `Load` instruction).
+ */
+class MemoryOperand extends Operand {
+  MemoryOperand() {
+    exists(MemoryOperandTag tag |
+      this = TNonPhiOperand(_, tag, _)
+    ) or
+    this = TPhiOperand(_, _, _)
+  }
 
   /**
-   * Gets the kind of memory access performed by the operand. Holds only for memory operands.
+   * Gets the kind of memory access performed by the operand.
    */
   MemoryAccessKind getMemoryAccess() {
     none()
@@ -82,6 +94,17 @@ class Operand extends TOperand {
   }
 }
 
+/**
+ * An operand that consumes a register (non-memory) result.
+ */
+class RegisterOperand extends Operand {
+  RegisterOperand() {
+    exists(RegisterOperandTag tag |
+      this = TNonPhiOperand(_, tag, _)
+    )
+  }
+}
+
 /**
  * An operand that is not an operand of a `PhiInstruction`.
  */
@@ -119,7 +142,7 @@ class NonPhiOperand extends Operand, TNonPhiOperand {
  * The address operand of an instruction that loads or stores a value from
  * memory (e.g. `Load`, `Store`).
  */
-class AddressOperand extends NonPhiOperand {
+class AddressOperand extends NonPhiOperand, RegisterOperand {
   AddressOperand() {
     this = TNonPhiOperand(_, addressOperand(), _)
   }
@@ -130,28 +153,40 @@ class AddressOperand extends NonPhiOperand {
 }
 
 /**
- * The source value operand of an instruction that copies this value to its
- * result (e.g. `Copy`, `Load`, `Store`).
+ * The source value operand of an instruction that loads a value from memory (e.g. `Load`,
+ * `ReturnValue`, `ThrowValue`).
  */
-class CopySourceOperand extends NonPhiOperand {
-  CopySourceOperand() {
-    this = TNonPhiOperand(_, copySourceOperand(), _)
+class LoadOperand extends NonPhiOperand, MemoryOperand {
+  LoadOperand() {
+    this = TNonPhiOperand(_, loadOperand(), _)
   }
 
   override string toString() {
-    result = "CopySource"
+    result = "Load"
   }
 
   override final MemoryAccessKind getMemoryAccess() {
-    instr.getOpcode() instanceof Opcode::Load and
     result instanceof IndirectMemoryAccess
   }
 }
 
 /**
- * The sole operand of a unary instruction (e.g. `Convert`, `Negate`).
+ * The source value operand of a `Store` instruction.
  */
-class UnaryOperand extends NonPhiOperand {
+class StoreValueOperand extends NonPhiOperand, RegisterOperand {
+  StoreValueOperand() {
+    this = TNonPhiOperand(_, storeValueOperand(), _)
+  }
+
+  override string toString() {
+    result = "StoreValue"
+  }
+}
+
+/**
+ * The sole operand of a unary instruction (e.g. `Convert`, `Negate`, `Copy`).
+ */
+class UnaryOperand extends NonPhiOperand, RegisterOperand {
   UnaryOperand() {
     this = TNonPhiOperand(_, unaryOperand(), _)
   }
@@ -164,7 +199,7 @@ class UnaryOperand extends NonPhiOperand {
 /**
  * The left operand of a binary instruction (e.g. `Add`, `CompareEQ`).
  */
-class LeftOperand extends NonPhiOperand {
+class LeftOperand extends NonPhiOperand, RegisterOperand {
   LeftOperand() {
     this = TNonPhiOperand(_, leftOperand(), _)
   }
@@ -177,7 +212,7 @@ class LeftOperand extends NonPhiOperand {
 /**
  * The right operand of a binary instruction (e.g. `Add`, `CompareEQ`).
  */
-class RightOperand extends NonPhiOperand {
+class RightOperand extends NonPhiOperand, RegisterOperand {
   RightOperand() {
     this = TNonPhiOperand(_, rightOperand(), _)
   }
@@ -187,44 +222,10 @@ class RightOperand extends NonPhiOperand {
   }
 }
 
-/**
- * The return value operand of a `ReturnValue` instruction.
- */
-class ReturnValueOperand extends NonPhiOperand {
-  ReturnValueOperand() {
-    this = TNonPhiOperand(_, returnValueOperand(), _)
-  }
-
-  override string toString() {
-    result = "ReturnValue"
-  }
-
-  override final MemoryAccessKind getMemoryAccess() {
-    result instanceof IndirectMemoryAccess
-  }
-}
-
-/**
- * The exception thrown by a `ThrowValue` instruction.
- */
-class ExceptionOperand extends NonPhiOperand {
-  ExceptionOperand() {
-    this = TNonPhiOperand(_, exceptionOperand(), _)
-  }
-
-  override string toString() {
-    result = "Exception"
-  }
-
-  override final MemoryAccessKind getMemoryAccess() {
-    result instanceof IndirectMemoryAccess
-  }
-}
-
 /**
  * The condition operand of a `ConditionalBranch` or `Switch` instruction.
  */
-class ConditionOperand extends NonPhiOperand {
+class ConditionOperand extends NonPhiOperand, RegisterOperand {
   ConditionOperand() {
     this = TNonPhiOperand(_, conditionOperand(), _)
   }
@@ -238,7 +239,7 @@ class ConditionOperand extends NonPhiOperand {
  * An operand of the special `UnmodeledUse` instruction, representing a value
  * whose set of uses is unknown.
  */
-class UnmodeledUseOperand extends NonPhiOperand {
+class UnmodeledUseOperand extends NonPhiOperand, MemoryOperand {
   UnmodeledUseOperand() {
     this = TNonPhiOperand(_, unmodeledUseOperand(), _)
   }
@@ -255,7 +256,7 @@ class UnmodeledUseOperand extends NonPhiOperand {
 /**
  * The operand representing the target function of an `Call` instruction.
  */
-class CallTargetOperand extends NonPhiOperand {
+class CallTargetOperand extends NonPhiOperand, RegisterOperand {
   CallTargetOperand() {
     this = TNonPhiOperand(_, callTargetOperand(), _)
   }
@@ -270,7 +271,7 @@ class CallTargetOperand extends NonPhiOperand {
  * positional arguments (represented by `PositionalArgumentOperand`) and the
  * implicit `this` argument, if any (represented by `ThisArgumentOperand`).
  */
-class ArgumentOperand extends NonPhiOperand {
+class ArgumentOperand extends NonPhiOperand, RegisterOperand {
   ArgumentOperand() {
     exists(ArgumentOperandTag argTag |
       this = TNonPhiOperand(_, argTag, _)
@@ -317,7 +318,7 @@ class PositionalArgumentOperand extends ArgumentOperand {
   }
 }
 
-class SideEffectOperand extends NonPhiOperand {
+class SideEffectOperand extends NonPhiOperand, MemoryOperand {
   SideEffectOperand() {
     this = TNonPhiOperand(_, sideEffectOperand(), _)
   }
@@ -352,7 +353,7 @@ class SideEffectOperand extends NonPhiOperand {
 /**
  * An operand of a `PhiInstruction`.
  */
-class PhiOperand extends Operand, TPhiOperand {
+class PhiOperand extends MemoryOperand, TPhiOperand {
   PhiInstruction useInstr;
   Instruction defInstr;
   IRBlock predecessorBlock;
@@ -393,19 +394,10 @@ class PhiOperand extends Operand, TPhiOperand {
   }
 }
 
-/**
- * An operand that reads a value from memory.
- */
-class MemoryOperand extends Operand {
-  MemoryOperand() {
-    exists(getMemoryAccess())
-  }
-}
-
 /**
  * The total operand of a Chi node, representing the previous value of the memory.
  */
-class ChiTotalOperand extends Operand {
+class ChiTotalOperand extends MemoryOperand {
   ChiTotalOperand() {
     this = TNonPhiOperand(_, chiTotalOperand(), _)
   }
@@ -423,7 +415,7 @@ class ChiTotalOperand extends Operand {
 /**
  * The partial operand of a Chi node, representing the value being written to part of the memory.
  */
-class ChiPartialOperand extends Operand {
+class ChiPartialOperand extends MemoryOperand {
   ChiPartialOperand() {
     this = TNonPhiOperand(_, chiPartialOperand(), _)
   }
 
@@ -134,7 +134,7 @@ predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
       // offset of the field.
       bitOffset = getFieldBitOffset(instr.(FieldAddressInstruction).getField()) or
       // A copy propagates the source value.
-      operand instanceof CopySourceOperand and bitOffset = 0
+      operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
     )
   )
 }
 
@@ -263,8 +263,7 @@ MemoryAccess getResultMemoryAccess(Instruction instr) {
   )
 }
 
-MemoryAccess getOperandMemoryAccess(Operand operand) {
-  exists(operand.getMemoryAccess()) and
+MemoryAccess getOperandMemoryAccess(MemoryOperand operand) {
   if exists(IRVariable var, IntValue i |
     resultPointsTo(operand.getAddressOperand().getDefinitionInstruction(), var, i)
   )
Original file line number	Diff line number	Diff line change
`@@ -29,12 +29,11 @@ module InstructionSanity {`
`29`	`29`	`tag instanceof RightOperandTag`
`30`	`30`	`)`
`31`	`31`	`) or`
`32`		`- opcode instanceof CopyOpcode and tag instanceof CopySourceOperandTag or`
`33`	`32`	`opcode instanceof MemoryAccessOpcode and tag instanceof AddressOperandTag or`
`34`	`33`	`opcode instanceof BufferAccessOpcode and tag instanceof BufferSizeOperand or`
`35`	`34`	`opcode instanceof OpcodeWithCondition and tag instanceof ConditionOperandTag or`
`36`		`- opcode instanceof Opcode::ReturnValue and tag instanceof ReturnValueOperandTag or`
`37`		`- opcode instanceof Opcode::ThrowValue and tag instanceof ExceptionOperandTag or`
	`35`	`+ opcode instanceof OpcodeWithLoad and tag instanceof LoadOperandTag or`
	`36`	`+ opcode instanceof Opcode::Store and tag instanceof StoreValueOperandTag or`
`38`	`37`	`opcode instanceof Opcode::UnmodeledUse and tag instanceof UnmodeledUseOperandTag or`
`39`	`38`	`opcode instanceof Opcode::Call and tag instanceof CallTargetOperandTag or`
`40`	`39`	`opcode instanceof Opcode::Chi and tag instanceof ChiTotalOperandTag or`
`@@ -714,7 +713,7 @@ class ReturnValueInstruction extends ReturnInstruction {`
`714`	`713`	`getOpcode() instanceof Opcode::ReturnValue`
`715`	`714`	`}`
`716`	`715`
`717`		`- final ReturnValueOperand getReturnValueOperand() {`
	`716`	`+ final LoadOperand getReturnValueOperand() {`
`718`	`717`	`result = getAnOperand()`
`719`	`718`	`}`
`720`	`719`
`@@ -728,19 +727,23 @@ class CopyInstruction extends Instruction {`
`728`	`727`	`getOpcode() instanceof CopyOpcode`
`729`	`728`	`}`
`730`	`729`
`731`		`- final CopySourceOperand getSourceValueOperand() {`
`732`		`- result = getAnOperand()`
	`730`	`+ Operand getSourceValueOperand() {`
	`731`	`+ none()`
`733`	`732`	`}`
`734`		`-`
	`733`	`+`
`735`	`734`	`final Instruction getSourceValue() {`
`736`	`735`	`result = getSourceValueOperand().getDefinitionInstruction()`
`737`	`736`	`}`
`738`	`737`	`}`
`739`	`738`
`740`		`-class CopyValueInstruction extends CopyInstruction {`
	`739`	`+class CopyValueInstruction extends CopyInstruction, UnaryInstruction {`
`741`	`740`	`CopyValueInstruction() {`
`742`	`741`	`getOpcode() instanceof Opcode::CopyValue`
`743`	`742`	`}`
	`743`	`+`
	`744`	`+ override final UnaryOperand getSourceValueOperand() {`
	`745`	`+ result = getAnOperand()`
	`746`	`+ }`
`744`	`747`	`}`
`745`	`748`
`746`	`749`	`class LoadInstruction extends CopyInstruction {`
`@@ -755,6 +758,10 @@ class LoadInstruction extends CopyInstruction {`
`755`	`758`	`final Instruction getSourceAddress() {`
`756`	`759`	`result = getSourceAddressOperand().getDefinitionInstruction()`
`757`	`760`	`}`
	`761`	`+`
	`762`	`+ override final LoadOperand getSourceValueOperand() {`
	`763`	`+ result = getAnOperand()`
	`764`	`+ }`
`758`	`765`	`}`
`759`	`766`
`760`	`767`	`class StoreInstruction extends CopyInstruction {`
`@@ -773,6 +780,10 @@ class StoreInstruction extends CopyInstruction {`
`773`	`780`	`final Instruction getDestinationAddress() {`
`774`	`781`	`result = getDestinationAddressOperand().getDefinitionInstruction()`
`775`	`782`	`}`
	`783`	`+`
	`784`	`+ override final StoreValueOperand getSourceValueOperand() {`
	`785`	`+ result = getAnOperand()`
	`786`	`+ }`
`776`	`787`	`}`
`777`	`788`
`778`	`789`	`class ConditionalBranchInstruction extends Instruction {`
`@@ -1442,7 +1453,7 @@ class ThrowValueInstruction extends ThrowInstruction {`
`1442`	`1453`	`/**`
`1443`	`1454`	`* Gets the operand for the exception thrown by this instruction.`
`1444`	`1455`	`*/`
`1445`		`- final ExceptionOperand getExceptionOperand() {`
	`1456`	`+ final LoadOperand getExceptionOperand() {`
`1446`	`1457`	`result = getAnOperand()`
`1447`	`1458`	`}`
`1448`	`1459`
Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ predicate operandIsPropagated(Operand operand, IntValue bitOffset) {`
`134`	`134`	`// offset of the field.`
`135`	`135`	`bitOffset = getFieldBitOffset(instr.(FieldAddressInstruction).getField()) or`
`136`	`136`	`// A copy propagates the source value.`
`137`		`- operand instanceof CopySourceOperand and bitOffset = 0`
	`137`	`+ operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0`
`138`	`138`	`)`
`139`	`139`	`)`
`140`	`140`	`}`
Original file line number	Diff line number	Diff line change
`@@ -263,8 +263,7 @@ MemoryAccess getResultMemoryAccess(Instruction instr) {`
`263`	`263`	`)`
`264`	`264`	`}`
`265`	`265`
`266`		`-MemoryAccess getOperandMemoryAccess(Operand operand) {`
`267`		`- exists(operand.getMemoryAccess()) and`
	`266`	`+MemoryAccess getOperandMemoryAccess(MemoryOperand operand) {`
`268`	`267`	`if exists(IRVariable var, IntValue i \|`
`269`	`268`	`resultPointsTo(operand.getAddressOperand().getDefinitionInstruction(), var, i)`
`270`	`269`	`)`