Merge pull request #938 from dave-bartolomeo/dave/AliasedSSA

C++: Better tracking of SSA memory accesses

Author: rdmarsh2

config/identical-files.json

@@ -68,6 +68,10 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
   ],
+  "C++ SSA PrintSSA": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll"
+  ],
   "C++ IR ValueNumber": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",

cpp/ql/src/semmle/code/cpp/Enum.qll

@@ -16,6 +16,13 @@ class Enum extends UserType, IntegralOrEnumType {
    */
   override string explain() { result =  "enum " + this.getName() }
 
+  override int getSize() {
+    // Workaround for extractor bug CPP-348: No size information for enums.
+    // If the extractor didn't provide a size, assume four bytes.
+    result = UserType.super.getSize() or
+    not exists(UserType.super.getSize()) and result = 4
+  }
+
   /** See `Type.isDeeplyConst` and `Type.isDeeplyConstBelow`. Internal. */
   override predicate isDeeplyConstBelow() { any() } // No subparts
 

cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll

@@ -6,6 +6,7 @@ private newtype TMemoryAccessKind =
   TBufferMemoryAccess() or
   TBufferMayMemoryAccess() or
   TEscapedMemoryAccess() or
+  TEscapedMayMemoryAccess() or
   TPhiMemoryAccess() or
   TUnmodeledMemoryAccess() or
   TChiTotalMemoryAccess() or
@@ -16,7 +17,17 @@ private newtype TMemoryAccessKind =
  * memory result.
  */
 class MemoryAccessKind extends TMemoryAccessKind {
-  abstract string toString();
+  string toString() {
+    none()
+  }
+
+  /**
+   * Holds if the operand or result accesses memory pointed to by the `AddressOperand` on the
+   * same instruction.
+   */
+  predicate usesAddressOperand() {
+    none()
+  }
 }
 
 /**
@@ -27,6 +38,10 @@ class IndirectMemoryAccess extends MemoryAccessKind, TIndirectMemoryAccess {
   override string toString() {
     result = "indirect"
   }
+  
+  override final predicate usesAddressOperand() {
+    any()
+  }
 }
 
 /**
@@ -37,6 +52,10 @@ class IndirectMayMemoryAccess extends MemoryAccessKind, TIndirectMayMemoryAccess
   override string toString() {
     result = "indirect(may)"
   }
+
+  override final predicate usesAddressOperand() {
+    any()
+  }
 }
 
 /**
@@ -48,6 +67,10 @@ class BufferMemoryAccess extends MemoryAccessKind, TBufferMemoryAccess {
   override string toString() {
     result = "buffer"
   }
+
+  override final predicate usesAddressOperand() {
+    any()
+  }
 }
 
 /**
@@ -59,6 +82,10 @@ class BufferMayMemoryAccess extends MemoryAccessKind, TBufferMayMemoryAccess {
   override string toString() {
     result = "buffer(may)"
   }
+
+  override final predicate usesAddressOperand() {
+    any()
+  }
 }
 
 /**
@@ -70,6 +97,15 @@ class EscapedMemoryAccess extends MemoryAccessKind, TEscapedMemoryAccess {
   }
 }
 
+/**
+ * The operand or result may access all memory whose address has escaped.
+ */
+class EscapedMayMemoryAccess extends MemoryAccessKind, TEscapedMayMemoryAccess {
+  override string toString() {
+    result = "escaped(may)"
+  }
+}
+
 /**
  * The operand is a Phi operand, which accesses the same memory as its
  * definition.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -498,6 +498,16 @@ class Instruction extends Construction::TInstruction {
     none()
   }
 
+  /**
+   * Returns the operand that holds the memory address to which the instruction stores its
+   * result, if any. For example, in `m3 = Store r1, r2`, the result of `getResultAddressOperand()`
+   * is `r1`.
+   */
+  final AddressOperand getResultAddressOperand() {
+    getResultMemoryAccess().usesAddressOperand() and
+    result.getUseInstruction() = this
+  }
+
   /**
    * Holds if the result of this instruction is precisely modeled in SSA. Always
    * holds for a register result. For a memory result, a modeled result is
@@ -1340,7 +1350,7 @@ class CallSideEffectInstruction extends SideEffectInstruction {
   }
 
   override final MemoryAccessKind getResultMemoryAccess() {
-    result instanceof EscapedMemoryAccess
+    result instanceof EscapedMayMemoryAccess
   }
 }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -128,7 +128,7 @@ class MemoryOperand extends Operand {
    * is `r1`.
    */
   final AddressOperand getAddressOperand() {
-    getMemoryAccess() instanceof IndirectMemoryAccess and
+    getMemoryAccess().usesAddressOperand() and
     result.getUseInstruction() = getUseInstruction()
   }
 }
@@ -351,10 +351,10 @@ class SideEffectOperand extends TypedOperand {
 
   override MemoryAccessKind getMemoryAccess() {
     useInstr instanceof CallSideEffectInstruction and
-    result instanceof EscapedMemoryAccess
+    result instanceof EscapedMayMemoryAccess
     or
     useInstr instanceof CallReadSideEffectInstruction and
-    result instanceof EscapedMemoryAccess
+    result instanceof EscapedMayMemoryAccess
     or
     useInstr instanceof IndirectReadSideEffectInstruction and
     result instanceof IndirectMemoryAccess