C++: Treat asmStmt operands as input/output in IR

Author: Robert Marsh

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -73,7 +73,8 @@ module InstructionSanity {
       operand.getOperandTag() = tag) and
     not expectsOperand(instr, tag) and
     not (instr instanceof CallInstruction and tag instanceof ArgumentOperandTag) and
-    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag)
+    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag) and
+    not (instr instanceof InlineAsmInstruction and tag instanceof AsmOperandTag)
   }
 
   /**

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -73,7 +73,8 @@ module InstructionSanity {
       operand.getOperandTag() = tag) and
     not expectsOperand(instr, tag) and
     not (instr instanceof CallInstruction and tag instanceof ArgumentOperandTag) and
-    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag)
+    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag) and
+    not (instr instanceof InlineAsmInstruction and tag instanceof AsmOperandTag)
   }
 
   /**

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -84,7 +84,13 @@ newtype TInstructionTag =
   } or
   InitializerElementDefaultValueStoreTag(int elementIndex) {
     elementIsInitialized(elementIndex)
-  }
+  } or
+  AsmTag() or
+  AsmInputTag(int elementIndex) {
+    exists(AsmStmt asm |
+      exists(asm.getChild(elementIndex))
+    )
+  } 
 
 class InstructionTag extends TInstructionTag {
   final string toString() {
@@ -161,5 +167,9 @@ string getInstructionTagId(TInstructionTag tag) {
       tag = InitializerElementDefaultValueStoreTag(index) and tagName = "InitElemDefValStore"
     ) and
     result = tagName + "(" + index + ")"
+  ) or
+  tag = AsmTag() and result = "Asm" or
+  exists(int index |
+    tag = AsmInputTag(index) and result = "AsmInputTag(" + index + ")"
   )
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -64,7 +64,7 @@ private predicate ignoreExprAndDescendants(Expr expr) {
     // represent them.
     newExpr.getInitializer().getFullyConverted() = expr
   ) or
-  // Ignore descendants of asm statements, since we can't differentiate inputs and outputs
+  // Do not translate input/output variables in GNU asm statements
   getRealParent(expr) instanceof AsmStmt or
   ignoreExprAndDescendants(getRealParent(expr)) // recursive case
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -819,36 +819,69 @@ class TranslatedAsmStmt extends TranslatedStmt {
   }
 
   override Instruction getFirstInstruction() {
-    result = getInstruction(OnlyInstructionTag())
+    if exists(stmt.getChild(0))
+    then result = getInstruction(AsmInputTag(0))
+    else result = getInstruction(AsmTag())
   }
 
   override predicate hasInstruction(Opcode opcode, InstructionTag tag,
       Type resultType, boolean isGLValue) {
-    tag = OnlyInstructionTag() and
+    tag = AsmTag() and
     opcode instanceof Opcode::InlineAsm and
     resultType instanceof UnknownType and
     isGLValue = false
+    or
+    exists(int index, VariableAccess va |
+      tag = AsmInputTag(index) and
+      stmt.getChild(index) = va and
+      opcode instanceof Opcode::VariableAddress and
+      resultType = va.getType().getUnspecifiedType() and
+      isGLValue = true
+    )
+  }
+
+  override IRVariable getInstructionVariable(InstructionTag tag) {
+    exists(int index |
+      tag = AsmInputTag(index) and
+      result = getIRUserVariable(stmt.getEnclosingFunction(), stmt.getChild(index).(VariableAccess).getTarget())
+    )
   }
 
   override Instruction getInstructionOperand(InstructionTag tag,
       OperandTag operandTag) {
-    tag = OnlyInstructionTag() and
+    tag = AsmTag() and
     operandTag instanceof SideEffectOperandTag and
     result = getTranslatedFunction(stmt.getEnclosingFunction()).getUnmodeledDefinitionInstruction()
+    or
+    exists(int index |
+      tag = AsmTag() and
+      operandTag = asmOperand(index) and
+      result = getInstruction(AsmInputTag(index))
+    )
   }
 
   override final Type getInstructionOperandType(InstructionTag tag,
       TypedOperandTag operandTag) {
-    tag = OnlyInstructionTag() and
+    tag = AsmTag() and
     operandTag instanceof SideEffectOperandTag and
     result instanceof UnknownType
   }
 
   override Instruction getInstructionSuccessor(InstructionTag tag,
       EdgeKind kind) {
-    tag = OnlyInstructionTag() and
+    tag = AsmTag() and
     result = getParent().getChildSuccessor(this) and
     kind instanceof GotoEdge
+    or
+    exists(int index |
+      tag = AsmInputTag(index) and
+      kind instanceof GotoEdge and
+      if exists(stmt.getChild(index + 1))
+      then 
+        result = getInstruction(AsmInputTag(index + 1))
+      else
+        result = getInstruction(AsmTag())
+    )
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -73,7 +73,8 @@ module InstructionSanity {
       operand.getOperandTag() = tag) and
     not expectsOperand(instr, tag) and
     not (instr instanceof CallInstruction and tag instanceof ArgumentOperandTag) and
-    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag)
+    not (instr instanceof BuiltInInstruction and tag instanceof PositionalArgumentOperandTag) and
+    not (instr instanceof InlineAsmInstruction and tag instanceof AsmOperandTag)
   }
 
   /**

cpp/ql/src/semmle/code/cpp/ir/internal/OperandTag.qll

@@ -28,7 +28,12 @@ private newtype TOperandTag =
     )
   } or
   TChiTotalOperand() or
-  TChiPartialOperand()
+  TChiPartialOperand() or
+  TAsmOperand(int index) {
+    exists(AsmStmt asm |
+      exists(asm.getChild(index))
+    )
+  } 
 
 /**
  * Identifies the kind of operand on an instruction. Each `Instruction` has at
@@ -362,3 +367,27 @@ class ChiPartialOperandTag extends MemoryOperandTag, TChiPartialOperand {
 ChiPartialOperandTag chiPartialOperand() {
   result = TChiPartialOperand()
 }
+
+class AsmOperandTag extends RegisterOperandTag, TAsmOperand {
+  int index;
+
+  AsmOperandTag() {
+    this = TAsmOperand(index)
+  }
+
+  override final string toString() {
+    result = "AsmOperand(" + index + ")"
+  }
+
+  override final int getSortOrder() {
+    result = 15 + index
+  }
+
+  override final string getLabel() {
+    result = index.toString() + ":"
+  }
+}
+
+AsmOperandTag asmOperand(int index) {
+  result = TAsmOperand(index)
+}

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -5018,19 +5018,23 @@ ir.cpp:
 
 # 1104| void AsmStmtWithOutputs(unsigned int&, unsigned int&, unsigned int&, unsigned int&)
 # 1104|   Block 0
-# 1104|     v0_0(void)                  = EnterFunction          : 
-# 1104|     mu0_1(unknown)              = AliasedDefinition      : 
-# 1104|     mu0_2(unknown)              = UnmodeledDefinition    : 
-# 1104|     r0_3(glval<unsigned int &>) = VariableAddress[a]     : 
-# 1104|     mu0_4(unsigned int &)       = InitializeParameter[a] : &:r0_3
-# 1104|     r0_5(glval<unsigned int &>) = VariableAddress[b]     : 
-# 1104|     mu0_6(unsigned int &)       = InitializeParameter[b] : &:r0_5
-# 1104|     r0_7(glval<unsigned int &>) = VariableAddress[c]     : 
-# 1104|     mu0_8(unsigned int &)       = InitializeParameter[c] : &:r0_7
-# 1104|     r0_9(glval<unsigned int &>) = VariableAddress[d]     : 
-# 1104|     mu0_10(unsigned int &)      = InitializeParameter[d] : &:r0_9
-# 1107|     mu0_11(unknown)             = InlineAsm              : ~mu0_2
-# 1118|     v0_12(void)                 = NoOp                   : 
-# 1104|     v0_13(void)                 = ReturnVoid             : 
-# 1104|     v0_14(void)                 = UnmodeledUse           : mu*
-# 1104|     v0_15(void)                 = ExitFunction           : 
+# 1104|     v0_0(void)                   = EnterFunction          : 
+# 1104|     mu0_1(unknown)               = AliasedDefinition      : 
+# 1104|     mu0_2(unknown)               = UnmodeledDefinition    : 
+# 1104|     r0_3(glval<unsigned int &>)  = VariableAddress[a]     : 
+# 1104|     mu0_4(unsigned int &)        = InitializeParameter[a] : &:r0_3
+# 1104|     r0_5(glval<unsigned int &>)  = VariableAddress[b]     : 
+# 1104|     mu0_6(unsigned int &)        = InitializeParameter[b] : &:r0_5
+# 1104|     r0_7(glval<unsigned int &>)  = VariableAddress[c]     : 
+# 1104|     mu0_8(unsigned int &)        = InitializeParameter[c] : &:r0_7
+# 1104|     r0_9(glval<unsigned int &>)  = VariableAddress[d]     : 
+# 1104|     mu0_10(unsigned int &)       = InitializeParameter[d] : &:r0_9
+# 1107|     r0_11(glval<unsigned int &>) = VariableAddress[a]     : 
+# 1107|     r0_12(glval<unsigned int &>) = VariableAddress[b]     : 
+# 1107|     r0_13(glval<unsigned int &>) = VariableAddress[c]     : 
+# 1107|     r0_14(glval<unsigned int &>) = VariableAddress[d]     : 
+# 1107|     mu0_15(unknown)              = InlineAsm              : ~mu0_2, 0:r0_11, 1:r0_12, 2:r0_13, 3:r0_14
+# 1118|     v0_16(void)                  = NoOp                   : 
+# 1104|     v0_17(void)                  = ReturnVoid             : 
+# 1104|     v0_18(void)                  = UnmodeledUse           : mu*
+# 1104|     v0_19(void)                  = ExitFunction           : 

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected

@@ -730,3 +730,31 @@ ssa.cpp:
 #  179|     v0_13(void)        = ReturnValue              : &:r0_12, m0_11
 #  179|     v0_14(void)        = UnmodeledUse             : mu*
 #  179|     v0_15(void)        = ExitFunction             : 
+
+#  184| void AsmStmtWithOutputs(unsigned int&, unsigned int&, unsigned int&, unsigned int&)
+#  184|   Block 0
+#  184|     v0_0(void)                   = EnterFunction          : 
+#  184|     m0_1(unknown)                = AliasedDefinition      : 
+#  184|     mu0_2(unknown)               = UnmodeledDefinition    : 
+#  184|     r0_3(glval<unsigned int &>)  = VariableAddress[a]     : 
+#  184|     m0_4(unsigned int &)         = InitializeParameter[a] : &:r0_3
+#  184|     m0_5(unknown)                = Chi                    : total:m0_1, partial:m0_4
+#  184|     r0_6(glval<unsigned int &>)  = VariableAddress[b]     : 
+#  184|     m0_7(unsigned int &)         = InitializeParameter[b] : &:r0_6
+#  184|     m0_8(unknown)                = Chi                    : total:m0_5, partial:m0_7
+#  184|     r0_9(glval<unsigned int &>)  = VariableAddress[c]     : 
+#  184|     m0_10(unsigned int &)        = InitializeParameter[c] : &:r0_9
+#  184|     m0_11(unknown)               = Chi                    : total:m0_8, partial:m0_10
+#  184|     r0_12(glval<unsigned int &>) = VariableAddress[d]     : 
+#  184|     m0_13(unsigned int &)        = InitializeParameter[d] : &:r0_12
+#  184|     m0_14(unknown)               = Chi                    : total:m0_11, partial:m0_13
+#  187|     r0_15(glval<unsigned int &>) = VariableAddress[a]     : 
+#  187|     r0_16(glval<unsigned int &>) = VariableAddress[b]     : 
+#  187|     r0_17(glval<unsigned int &>) = VariableAddress[c]     : 
+#  187|     r0_18(glval<unsigned int &>) = VariableAddress[d]     : 
+#  187|     m0_19(unknown)               = InlineAsm              : ~mu0_2, 0:r0_15, 1:r0_16, 2:r0_17, 3:r0_18
+#  187|     m0_20(unknown)               = Chi                    : total:m0_14, partial:m0_19
+#  199|     v0_21(void)                  = NoOp                   : 
+#  184|     v0_22(void)                  = ReturnVoid             : 
+#  184|     v0_23(void)                  = UnmodeledUse           : mu*
+#  184|     v0_24(void)                  = ExitFunction           : 

cpp/ql/test/library-tests/ir/ssa/ssa.cpp

@@ -180,3 +180,20 @@ int AsmStmt(int *p) {
   __asm__("");
   return *p;
 }
+
+static void AsmStmtWithOutputs(unsigned int& a, unsigned int& b, unsigned int& c, unsigned int& d)
+{
+#if defined(__GNUC__)
+  __asm__ __volatile__
+    (
+  "cpuid\n\t"
+    : "+a" (a), "+b" (b)
+    : "c" (c), "d" (d)
+    );
+#else
+  a++;
+  b++;
+  c++;
+  d++;
+#endif
+}