C++: Handle inheritance conversions in IR GVN

Author: dave-bartolomeo

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/gvn/ValueNumber.qll

@@ -45,6 +45,10 @@ newtype TValueNumber =
   TUnaryValueNumber(FunctionIR funcIR, Opcode opcode, Type type, ValueNumber operand) {
     unaryValueNumber(_, funcIR, opcode, type, operand)
   } or
+  TInheritanceConversionValueNumber(FunctionIR funcIR, Opcode opcode, Class baseClass,
+      Class derivedClass, ValueNumber operand) {
+    inheritanceConversionValueNumber(_, funcIR, opcode, baseClass, derivedClass, operand)
+  } or
   TUniqueValueNumber(FunctionIR funcIR, Instruction instr) {
     uniqueValueNumber(instr, funcIR)
   }
@@ -81,13 +85,6 @@ class ValueNumber extends TValueNumber {
   }
 }
 
-class BinaryValueNumber extends ValueNumber, TBinaryValueNumber {}
-class UnaryValueNumber extends ValueNumber, TUnaryValueNumber {}
-class ConstantValueNumber extends ValueNumber, TConstantValueNumber {}
-class FieldAddressValueNumber extends ValueNumber, TFieldAddressValueNumber {}
-class PointerArithmeticValueNumber extends ValueNumber, TPointerArithmeticValueNumber {}
-class UniqueValueNumber extends ValueNumber, TUniqueValueNumber {}
-
 /**
  * A `CopyInstruction` whose source operand's value is congruent to the definition of that source
  * operand.
@@ -187,12 +184,20 @@ private predicate unaryValueNumber(UnaryInstruction instr, FunctionIR funcIR, Op
     Type type, ValueNumber operand) {
   instr.getFunctionIR() = funcIR and
   (not instr instanceof InheritanceConversionInstruction) and
-  (not instr instanceof FieldAddressInstruction) and
   instr.getOpcode() = opcode and
   instr.getResultType() = type and
   valueNumber(instr.getOperand()) = operand
 }
 
+private predicate inheritanceConversionValueNumber(InheritanceConversionInstruction instr,
+    FunctionIR funcIR, Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand) {
+  instr.getFunctionIR() = funcIR and
+  instr.getOpcode() = opcode and
+  instr.getBaseClass() = baseClass and
+  instr.getDerivedClass() = derivedClass and
+  valueNumber(instr.getOperand()) = operand
+}
+
 /**
  * Holds if `instr` should be assigned a unique value number because this library does not know how
  * to determine if two instances of that instruction are equivalent.
@@ -250,6 +255,11 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) {
         unaryValueNumber(instr, funcIR, opcode, type, operand) and
         result = TUnaryValueNumber(funcIR, opcode, type, operand)
       ) or
+      exists(Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand |
+        inheritanceConversionValueNumber(instr, funcIR, opcode, baseClass, derivedClass,
+            operand) and
+        result = TInheritanceConversionValueNumber(funcIR, opcode, baseClass, derivedClass, operand)
+      ) or
       exists(Opcode opcode, Type type, int elementSize, ValueNumber leftOperand,
           ValueNumber rightOperand |
         pointerArithmeticValueNumber(instr, funcIR, opcode, type, elementSize, leftOperand,

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/gvn/ValueNumber.qll

@@ -45,6 +45,10 @@ newtype TValueNumber =
   TUnaryValueNumber(FunctionIR funcIR, Opcode opcode, Type type, ValueNumber operand) {
     unaryValueNumber(_, funcIR, opcode, type, operand)
   } or
+  TInheritanceConversionValueNumber(FunctionIR funcIR, Opcode opcode, Class baseClass,
+      Class derivedClass, ValueNumber operand) {
+    inheritanceConversionValueNumber(_, funcIR, opcode, baseClass, derivedClass, operand)
+  } or
   TUniqueValueNumber(FunctionIR funcIR, Instruction instr) {
     uniqueValueNumber(instr, funcIR)
   }
@@ -81,13 +85,6 @@ class ValueNumber extends TValueNumber {
   }
 }
 
-class BinaryValueNumber extends ValueNumber, TBinaryValueNumber {}
-class UnaryValueNumber extends ValueNumber, TUnaryValueNumber {}
-class ConstantValueNumber extends ValueNumber, TConstantValueNumber {}
-class FieldAddressValueNumber extends ValueNumber, TFieldAddressValueNumber {}
-class PointerArithmeticValueNumber extends ValueNumber, TPointerArithmeticValueNumber {}
-class UniqueValueNumber extends ValueNumber, TUniqueValueNumber {}
-
 /**
  * A `CopyInstruction` whose source operand's value is congruent to the definition of that source
  * operand.
@@ -187,12 +184,20 @@ private predicate unaryValueNumber(UnaryInstruction instr, FunctionIR funcIR, Op
     Type type, ValueNumber operand) {
   instr.getFunctionIR() = funcIR and
   (not instr instanceof InheritanceConversionInstruction) and
-  (not instr instanceof FieldAddressInstruction) and
   instr.getOpcode() = opcode and
   instr.getResultType() = type and
   valueNumber(instr.getOperand()) = operand
 }
 
+private predicate inheritanceConversionValueNumber(InheritanceConversionInstruction instr,
+    FunctionIR funcIR, Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand) {
+  instr.getFunctionIR() = funcIR and
+  instr.getOpcode() = opcode and
+  instr.getBaseClass() = baseClass and
+  instr.getDerivedClass() = derivedClass and
+  valueNumber(instr.getOperand()) = operand
+}
+
 /**
  * Holds if `instr` should be assigned a unique value number because this library does not know how
  * to determine if two instances of that instruction are equivalent.
@@ -250,6 +255,11 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) {
         unaryValueNumber(instr, funcIR, opcode, type, operand) and
         result = TUnaryValueNumber(funcIR, opcode, type, operand)
       ) or
+      exists(Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand |
+        inheritanceConversionValueNumber(instr, funcIR, opcode, baseClass, derivedClass,
+            operand) and
+        result = TInheritanceConversionValueNumber(funcIR, opcode, baseClass, derivedClass, operand)
+      ) or
       exists(Opcode opcode, Type type, int elementSize, ValueNumber leftOperand,
           ValueNumber rightOperand |
         pointerArithmeticValueNumber(instr, funcIR, opcode, type, elementSize, leftOperand,

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/gvn/ValueNumber.qll

@@ -45,6 +45,10 @@ newtype TValueNumber =
   TUnaryValueNumber(FunctionIR funcIR, Opcode opcode, Type type, ValueNumber operand) {
     unaryValueNumber(_, funcIR, opcode, type, operand)
   } or
+  TInheritanceConversionValueNumber(FunctionIR funcIR, Opcode opcode, Class baseClass,
+      Class derivedClass, ValueNumber operand) {
+    inheritanceConversionValueNumber(_, funcIR, opcode, baseClass, derivedClass, operand)
+  } or
   TUniqueValueNumber(FunctionIR funcIR, Instruction instr) {
     uniqueValueNumber(instr, funcIR)
   }
@@ -81,13 +85,6 @@ class ValueNumber extends TValueNumber {
   }
 }
 
-class BinaryValueNumber extends ValueNumber, TBinaryValueNumber {}
-class UnaryValueNumber extends ValueNumber, TUnaryValueNumber {}
-class ConstantValueNumber extends ValueNumber, TConstantValueNumber {}
-class FieldAddressValueNumber extends ValueNumber, TFieldAddressValueNumber {}
-class PointerArithmeticValueNumber extends ValueNumber, TPointerArithmeticValueNumber {}
-class UniqueValueNumber extends ValueNumber, TUniqueValueNumber {}
-
 /**
  * A `CopyInstruction` whose source operand's value is congruent to the definition of that source
  * operand.
@@ -187,12 +184,20 @@ private predicate unaryValueNumber(UnaryInstruction instr, FunctionIR funcIR, Op
     Type type, ValueNumber operand) {
   instr.getFunctionIR() = funcIR and
   (not instr instanceof InheritanceConversionInstruction) and
-  (not instr instanceof FieldAddressInstruction) and
   instr.getOpcode() = opcode and
   instr.getResultType() = type and
   valueNumber(instr.getOperand()) = operand
 }
 
+private predicate inheritanceConversionValueNumber(InheritanceConversionInstruction instr,
+    FunctionIR funcIR, Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand) {
+  instr.getFunctionIR() = funcIR and
+  instr.getOpcode() = opcode and
+  instr.getBaseClass() = baseClass and
+  instr.getDerivedClass() = derivedClass and
+  valueNumber(instr.getOperand()) = operand
+}
+
 /**
  * Holds if `instr` should be assigned a unique value number because this library does not know how
  * to determine if two instances of that instruction are equivalent.
@@ -250,6 +255,11 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) {
         unaryValueNumber(instr, funcIR, opcode, type, operand) and
         result = TUnaryValueNumber(funcIR, opcode, type, operand)
       ) or
+      exists(Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand |
+        inheritanceConversionValueNumber(instr, funcIR, opcode, baseClass, derivedClass,
+            operand) and
+        result = TInheritanceConversionValueNumber(funcIR, opcode, baseClass, derivedClass, operand)
+      ) or
       exists(Opcode opcode, Type type, int elementSize, ValueNumber leftOperand,
           ValueNumber rightOperand |
         pointerArithmeticValueNumber(instr, funcIR, opcode, type, elementSize, leftOperand,

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/GlobalValueNumbering.expected

@@ -27,3 +27,6 @@
 | test.cpp:62:5:62:10 | result | 62:c5-c10 65:c10-c15 |
 | test.cpp:77:20:77:30 | (signed short)... | 77:c20-c30 79:c7-c7 |
 | test.cpp:79:11:79:14 | vals | 79:c11-c14 79:c24-c27 |
+| test.cpp:105:11:105:12 | (Base *)... | 105:c11-c12 106:c14-c35 107:c11-c12 |
+| test.cpp:105:11:105:12 | pd | 105:c11-c12 106:c33-c34 |
+| test.cpp:105:15:105:15 | b | 105:c15-c15 107:c15-c15 109:c10-c10 |

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected

@@ -653,3 +653,62 @@ test.cpp:
 #   91|     v0_12(void)       = ReturnValue              : r0_11, m0_10
 #   91|     v0_13(void)       = UnmodeledUse             : mu*
 #   91|     v0_14(void)       = ExitFunction             : 
+
+#  104| inheritanceConversions(Derived *) -> int
+#  104|   Block 0
+#  104|     v0_0(void)              = EnterFunction                 : 
+#  104|     mu0_1(unknown)          = UnmodeledDefinition           : 
+#  104|         valnum = unique
+#  104|     r0_2(glval<Derived *>)  = VariableAddress[pd]           : 
+#  104|         valnum = r0_2
+#  104|     m0_3(Derived *)         = InitializeParameter[pd]       : r0_2
+#  104|         valnum = m0_3
+#  105|     r0_4(glval<int>)        = VariableAddress[x]            : 
+#  105|         valnum = unique
+#  105|     r0_5(glval<Derived *>)  = VariableAddress[pd]           : 
+#  105|         valnum = r0_2
+#  105|     r0_6(Derived *)         = Load                          : r0_5, m0_3
+#  105|         valnum = m0_3
+#  105|     r0_7(Base *)            = ConvertToBase[Derived : Base] : r0_6
+#  105|         valnum = r0_7
+#  105|     r0_8(glval<int>)        = FieldAddress[b]               : r0_7
+#  105|         valnum = r0_8
+#  105|     r0_9(int)               = Load                          : r0_8, mu0_1
+#  105|         valnum = r0_9
+#  105|     m0_10(int)              = Store                         : r0_4, r0_9
+#  105|         valnum = r0_9
+#  106|     r0_11(glval<Base *>)    = VariableAddress[pb]           : 
+#  106|         valnum = r0_11
+#  106|     r0_12(glval<Derived *>) = VariableAddress[pd]           : 
+#  106|         valnum = r0_2
+#  106|     r0_13(Derived *)        = Load                          : r0_12, m0_3
+#  106|         valnum = m0_3
+#  106|     r0_14(Base *)           = ConvertToBase[Derived : Base] : r0_13
+#  106|         valnum = r0_7
+#  106|     m0_15(Base *)           = Store                         : r0_11, r0_14
+#  106|         valnum = r0_7
+#  107|     r0_16(glval<int>)       = VariableAddress[y]            : 
+#  107|         valnum = r0_16
+#  107|     r0_17(glval<Base *>)    = VariableAddress[pb]           : 
+#  107|         valnum = r0_11
+#  107|     r0_18(Base *)           = Load                          : r0_17, m0_15
+#  107|         valnum = r0_7
+#  107|     r0_19(glval<int>)       = FieldAddress[b]               : r0_18
+#  107|         valnum = r0_8
+#  107|     r0_20(int)              = Load                          : r0_19, mu0_1
+#  107|         valnum = r0_20
+#  107|     m0_21(int)              = Store                         : r0_16, r0_20
+#  107|         valnum = r0_20
+#  109|     r0_22(glval<int>)       = VariableAddress[#return]      : 
+#  109|         valnum = r0_22
+#  109|     r0_23(glval<int>)       = VariableAddress[y]            : 
+#  109|         valnum = r0_16
+#  109|     r0_24(int)              = Load                          : r0_23, m0_21
+#  109|         valnum = r0_20
+#  109|     m0_25(int)              = Store                         : r0_22, r0_24
+#  109|         valnum = r0_20
+#  104|     r0_26(glval<int>)       = VariableAddress[#return]      : 
+#  104|         valnum = r0_22
+#  104|     v0_27(void)             = ReturnValue                   : r0_26, m0_25
+#  104|     v0_28(void)             = UnmodeledUse                  : mu*
+#  104|     v0_29(void)             = ExitFunction                  : 

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/test.cpp

@@ -92,3 +92,19 @@ int regression_test00() {
   int x = x = 10;
   return x;
 }
+
+struct Base {
+  int b;
+};
+
+struct Derived : Base {
+  int d;
+};
+
+int inheritanceConversions(Derived* pd) {
+  int x = pd->b;
+  Base* pb = static_cast<Base*>(pd);
+  int y = pb->b;
+
+  return y;
+}