Merge pull request #987 from rdmarsh2/rdmarsh/cpp/ir-asm-stmt

Approved by dave-bartolomeo

Author: semmle-qlci

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -69,6 +69,7 @@ private newtype TOpcode =
   TBufferWriteSideEffect() or
   TBufferMayWriteSideEffect() or
   TChi() or
+  TInlineAsm() or
   TUnreached()
 
 class Opcode extends TOpcode {
@@ -214,5 +215,6 @@ module Opcode {
   class BufferWriteSideEffect extends WriteSideEffectOpcode, BufferAccessOpcode, TBufferWriteSideEffect { override final string toString() { result = "BufferWriteSideEffect" } }
   class BufferMayWriteSideEffect extends MayWriteSideEffectOpcode, BufferAccessOpcode, TBufferMayWriteSideEffect { override final string toString() { result = "BufferMayWriteSideEffect" } }
   class Chi extends Opcode, TChi { override final string toString() { result = "Chi" } }
+  class InlineAsm extends Opcode, TInlineAsm { override final string toString() { result = "InlineAsm" } }
   class Unreached extends Opcode, TUnreached { override final string toString() { result = "Unreached" } }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -40,7 +40,7 @@ module InstructionSanity {
         opcode instanceof Opcode::Chi and tag instanceof ChiTotalOperandTag or
         opcode instanceof Opcode::Chi and tag instanceof ChiPartialOperandTag or
         (
-          (opcode instanceof ReadSideEffectOpcode or opcode instanceof MayWriteSideEffectOpcode) and
+          (opcode instanceof ReadSideEffectOpcode or opcode instanceof MayWriteSideEffectOpcode or opcode instanceof Opcode::InlineAsm) and
           tag instanceof SideEffectOperandTag
         )
       )
@@ -73,7 +73,8 @@ module InstructionSanity {
       operand.getOperandTag() = tag) and
     not expectsOperand(instr, tag) and
     not (instr instanceof CallInstruction and tag instanceof ArgumentOperandTag) and
-    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag)
+    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag) and
+    not (instr instanceof InlineAsmInstruction and tag instanceof AsmOperandTag)
   }
 
   /**
@@ -1474,6 +1475,19 @@ class BufferMayWriteSideEffectInstruction extends SideEffectInstruction {
   }
 }
 
+/**
+ * An instruction representing a GNU or MSVC inline assembly statement.
+ */
+class InlineAsmInstruction extends Instruction {
+  InlineAsmInstruction() {
+    getOpcode() instanceof Opcode::InlineAsm
+  }
+  
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof EscapedMayMemoryAccess
+  }
+}
+
 /**
  * An instruction that throws an exception.
  */

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -40,7 +40,7 @@ module InstructionSanity {
         opcode instanceof Opcode::Chi and tag instanceof ChiTotalOperandTag or
         opcode instanceof Opcode::Chi and tag instanceof ChiPartialOperandTag or
         (
-          (opcode instanceof ReadSideEffectOpcode or opcode instanceof MayWriteSideEffectOpcode) and
+          (opcode instanceof ReadSideEffectOpcode or opcode instanceof MayWriteSideEffectOpcode or opcode instanceof Opcode::InlineAsm) and
           tag instanceof SideEffectOperandTag
         )
       )
@@ -73,7 +73,8 @@ module InstructionSanity {
       operand.getOperandTag() = tag) and
     not expectsOperand(instr, tag) and
     not (instr instanceof CallInstruction and tag instanceof ArgumentOperandTag) and
-    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag)
+    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag) and
+    not (instr instanceof InlineAsmInstruction and tag instanceof AsmOperandTag)
   }
 
   /**
@@ -1474,6 +1475,19 @@ class BufferMayWriteSideEffectInstruction extends SideEffectInstruction {
   }
 }
 
+/**
+ * An instruction representing a GNU or MSVC inline assembly statement.
+ */
+class InlineAsmInstruction extends Instruction {
+  InlineAsmInstruction() {
+    getOpcode() instanceof Opcode::InlineAsm
+  }
+  
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof EscapedMayMemoryAccess
+  }
+}
+
 /**
  * An instruction that throws an exception.
  */

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -84,7 +84,13 @@ newtype TInstructionTag =
   } or
   InitializerElementDefaultValueStoreTag(int elementIndex) {
     elementIsInitialized(elementIndex)
-  }
+  } or
+  AsmTag() or
+  AsmInputTag(int elementIndex) {
+    exists(AsmStmt asm |
+      exists(asm.getChild(elementIndex))
+    )
+  } 
 
 class InstructionTag extends TInstructionTag {
   final string toString() {
@@ -161,5 +167,9 @@ string getInstructionTagId(TInstructionTag tag) {
       tag = InitializerElementDefaultValueStoreTag(index) and tagName = "InitElemDefValStore"
     ) and
     result = tagName + "(" + index + ")"
+  ) or
+  tag = AsmTag() and result = "Asm" or
+  exists(int index |
+    tag = AsmInputTag(index) and result = "AsmInputTag(" + index + ")"
   )
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -64,6 +64,8 @@ private predicate ignoreExprAndDescendants(Expr expr) {
     // represent them.
     newExpr.getInitializer().getFullyConverted() = expr
   ) or
+  // Do not translate input/output variables in GNU asm statements
+  getRealParent(expr) instanceof AsmStmt or
   ignoreExprAndDescendants(getRealParent(expr)) // recursive case
 }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -810,3 +810,81 @@ class TranslatedSwitchStmt extends TranslatedStmt {
     child = getBody() and result = getParent().getChildSuccessor(this)
   }
 }
+
+class TranslatedAsmStmt extends TranslatedStmt {
+  override AsmStmt stmt;
+
+  override TranslatedElement getChild(int id) {
+    none()
+  }
+
+  override Instruction getFirstInstruction() {
+    if exists(stmt.getChild(0))
+    then result = getInstruction(AsmInputTag(0))
+    else result = getInstruction(AsmTag())
+  }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag,
+      Type resultType, boolean isGLValue) {
+    tag = AsmTag() and
+    opcode instanceof Opcode::InlineAsm and
+    resultType instanceof UnknownType and
+    isGLValue = false
+    or
+    exists(int index, VariableAccess va |
+      tag = AsmInputTag(index) and
+      stmt.getChild(index) = va and
+      opcode instanceof Opcode::VariableAddress and
+      resultType = va.getType().getUnspecifiedType() and
+      isGLValue = true
+    )
+  }
+
+  override IRVariable getInstructionVariable(InstructionTag tag) {
+    exists(int index |
+      tag = AsmInputTag(index) and
+      result = getIRUserVariable(stmt.getEnclosingFunction(), stmt.getChild(index).(VariableAccess).getTarget())
+    )
+  }
+  
+  override Instruction getInstructionOperand(InstructionTag tag,
+      OperandTag operandTag) {
+    tag = AsmTag() and
+    operandTag instanceof SideEffectOperandTag and
+    result = getTranslatedFunction(stmt.getEnclosingFunction()).getUnmodeledDefinitionInstruction()
+    or
+    exists(int index |
+      tag = AsmTag() and
+      operandTag = asmOperand(index) and
+      result = getInstruction(AsmInputTag(index))
+    )
+  }
+
+  override final Type getInstructionOperandType(InstructionTag tag,
+      TypedOperandTag operandTag) {
+    tag = AsmTag() and
+    operandTag instanceof SideEffectOperandTag and
+    result instanceof UnknownType
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag,
+      EdgeKind kind) {
+    tag = AsmTag() and
+    result = getParent().getChildSuccessor(this) and
+    kind instanceof GotoEdge
+    or
+    exists(int index |
+      tag = AsmInputTag(index) and
+      kind instanceof GotoEdge and
+      if exists(stmt.getChild(index + 1))
+      then 
+        result = getInstruction(AsmInputTag(index + 1))
+      else
+        result = getInstruction(AsmTag())
+    )
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    none()
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -40,7 +40,7 @@ module InstructionSanity {
         opcode instanceof Opcode::Chi and tag instanceof ChiTotalOperandTag or
         opcode instanceof Opcode::Chi and tag instanceof ChiPartialOperandTag or
         (
-          (opcode instanceof ReadSideEffectOpcode or opcode instanceof MayWriteSideEffectOpcode) and
+          (opcode instanceof ReadSideEffectOpcode or opcode instanceof MayWriteSideEffectOpcode or opcode instanceof Opcode::InlineAsm) and
           tag instanceof SideEffectOperandTag
         )
       )
@@ -73,7 +73,8 @@ module InstructionSanity {
       operand.getOperandTag() = tag) and
     not expectsOperand(instr, tag) and
     not (instr instanceof CallInstruction and tag instanceof ArgumentOperandTag) and
-    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag)
+    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag) and
+    not (instr instanceof InlineAsmInstruction and tag instanceof AsmOperandTag)
   }
 
   /**
@@ -1474,6 +1475,19 @@ class BufferMayWriteSideEffectInstruction extends SideEffectInstruction {
   }
 }
 
+/**
+ * An instruction representing a GNU or MSVC inline assembly statement.
+ */
+class InlineAsmInstruction extends Instruction {
+  InlineAsmInstruction() {
+    getOpcode() instanceof Opcode::InlineAsm
+  }
+  
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof EscapedMayMemoryAccess
+  }
+}
+
 /**
  * An instruction that throws an exception.
  */

cpp/ql/src/semmle/code/cpp/ir/internal/OperandTag.qll

@@ -28,7 +28,12 @@ private newtype TOperandTag =
     )
   } or
   TChiTotalOperand() or
-  TChiPartialOperand()
+  TChiPartialOperand() or
+  TAsmOperand(int index) {
+    exists(AsmStmt asm |
+      exists(asm.getChild(index))
+    )
+  } 
 
 /**
  * Identifies the kind of operand on an instruction. Each `Instruction` has at
@@ -362,3 +367,27 @@ class ChiPartialOperandTag extends MemoryOperandTag, TChiPartialOperand {
 ChiPartialOperandTag chiPartialOperand() {
   result = TChiPartialOperand()
 }
+
+class AsmOperandTag extends RegisterOperandTag, TAsmOperand {
+  int index;
+
+  AsmOperandTag() {
+    this = TAsmOperand(index)
+  }
+
+  override final string toString() {
+    result = "AsmOperand(" + index + ")"
+  }
+
+  override final int getSortOrder() {
+    result = 15 + index
+  }
+
+  override final string getLabel() {
+    result = index.toString() + ":"
+  }
+}
+
+AsmOperandTag asmOperand(int index) {
+  result = TAsmOperand(index)
+}

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -7570,3 +7570,50 @@ ir.cpp:
 # 1077|             0: break;
 # 1079|     2: label ...:
 # 1080|     3: return ...
+# 1099| int AsmStmt(int)
+# 1099|   params: 
+# 1099|     0: x
+# 1099|         Type = int
+# 1099|   body: { ... }
+# 1100|     0: asm statement
+# 1101|     1: return ...
+# 1101|       0: x
+# 1101|           Type = int
+# 1101|           ValueCategory = prvalue(load)
+# 1104| void AsmStmtWithOutputs(unsigned int&, unsigned int&, unsigned int&, unsigned int&)
+# 1104|   params: 
+# 1104|     0: a
+# 1104|         Type = unsigned int &
+# 1104|     1: b
+# 1104|         Type = unsigned int &
+# 1104|     2: c
+# 1104|         Type = unsigned int &
+# 1104|     3: d
+# 1104|         Type = unsigned int &
+# 1105|   body: { ... }
+# 1106|     0: asm statement
+# 1109|       0: (reference dereference)
+# 1109|           Type = unsigned int
+# 1109|           ValueCategory = lvalue
+# 1109|         expr: a
+# 1109|             Type = unsigned int &
+# 1109|             ValueCategory = prvalue(load)
+# 1109|       1: (reference dereference)
+# 1109|           Type = unsigned int
+# 1109|           ValueCategory = lvalue
+# 1109|         expr: b
+# 1109|             Type = unsigned int &
+# 1109|             ValueCategory = prvalue(load)
+# 1109|       2: (reference dereference)
+# 1109|           Type = unsigned int
+# 1109|           ValueCategory = lvalue
+# 1109|         expr: c
+# 1109|             Type = unsigned int &
+# 1109|             ValueCategory = prvalue(load)
+# 1109|       3: (reference dereference)
+# 1109|           Type = unsigned int
+# 1109|           ValueCategory = lvalue
+# 1109|         expr: d
+# 1109|             Type = unsigned int &
+# 1109|             ValueCategory = prvalue(load)
+# 1111|     1: return ...

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -1096,4 +1096,18 @@ struct LambdaContainer {
 
 #endif
 
+int AsmStmt(int x) {
+  __asm__("");
+  return x;
+}
+
+static void AsmStmtWithOutputs(unsigned int& a, unsigned int& b, unsigned int& c, unsigned int& d)
+{
+  __asm__ __volatile__
+    (
+  "cpuid\n\t"
+    : "+a" (a), "+b" (b), "+c" (c), "+d" (d)
+    );
+}
+
 // semmle-extractor-options: -std=c++17