C++: Better tracking of SSA memory accesses

This change fixes a few key problems with the existing SSA implementations:

For unaliased SSA, we were incorrectly choosing to model a local variable that had accesses that did not cover the entire variable. This has been changed to ensure that all accesses to the variable are at offset zero and have the same type as the variable itself. This was only possible to fix now that every `MemoryOperand` has its own type.

For aliased SSA, we now correctly track the offset and size of each memory access using an interval of bit offsets covered by the access. The offset interval makes the overlap computation more straightforward. Again, this is only possible now that operands have types.
The `getXXXMemoryAccess` predicates are now driven by the `MemoryAccessKind` on the operands and results, instead of by specific opcodes.

This change does fix an existing false negative in the IR dataflow tests.

I added a few simple test cases to the SSA IR tests, covering the various kinds of overlap (MustExcactly, MustTotally, and MayPartially).

I added "PrintSSA.qll", which can dump the SSA memory accesses as part of an IR dump.

Author: dave-bartolomeo

config/identical-files.json

@@ -68,6 +68,10 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
   ],
+  "C++ SSA PrintSSA": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll"
+  ],
   "C++ IR ValueNumber": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",

cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll

@@ -6,6 +6,7 @@ private newtype TMemoryAccessKind =
   TBufferMemoryAccess() or
   TBufferMayMemoryAccess() or
   TEscapedMemoryAccess() or
+  TEscapedMayMemoryAccess() or
   TPhiMemoryAccess() or
   TUnmodeledMemoryAccess() or
   TChiTotalMemoryAccess() or
@@ -16,7 +17,17 @@ private newtype TMemoryAccessKind =
  * memory result.
  */
 class MemoryAccessKind extends TMemoryAccessKind {
-  abstract string toString();
+  string toString() {
+    none()
+  }
+
+  /**
+   * Holds if the operand or result accesses memory pointed to by the `AddressOperand` on the
+   * same instruction.
+   */
+  predicate usesAddressOperand() {
+    none()
+  }
 }
 
 /**
@@ -27,6 +38,10 @@ class IndirectMemoryAccess extends MemoryAccessKind, TIndirectMemoryAccess {
   override string toString() {
     result = "indirect"
   }
+  
+  override final predicate usesAddressOperand() {
+    any()
+  }
 }
 
 /**
@@ -37,6 +52,10 @@ class IndirectMayMemoryAccess extends MemoryAccessKind, TIndirectMayMemoryAccess
   override string toString() {
     result = "indirect(may)"
   }
+
+  override final predicate usesAddressOperand() {
+    any()
+  }
 }
 
 /**
@@ -48,6 +67,10 @@ class BufferMemoryAccess extends MemoryAccessKind, TBufferMemoryAccess {
   override string toString() {
     result = "buffer"
   }
+
+  override final predicate usesAddressOperand() {
+    any()
+  }
 }
 
 /**
@@ -59,6 +82,10 @@ class BufferMayMemoryAccess extends MemoryAccessKind, TBufferMayMemoryAccess {
   override string toString() {
     result = "buffer(may)"
   }
+
+  override final predicate usesAddressOperand() {
+    any()
+  }
 }
 
 /**
@@ -70,6 +97,15 @@ class EscapedMemoryAccess extends MemoryAccessKind, TEscapedMemoryAccess {
   }
 }
 
+/**
+ * The operand or result may access all memory whose address has escaped.
+ */
+class EscapedMayMemoryAccess extends MemoryAccessKind, TEscapedMayMemoryAccess {
+  override string toString() {
+    result = "escaped(may)"
+  }
+}
+
 /**
  * The operand is a Phi operand, which accesses the same memory as its
  * definition.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -498,6 +498,16 @@ class Instruction extends Construction::TInstruction {
     none()
   }
 
+  /**
+   * Returns the operand that holds the memory address to which the instruction stores its
+   * result, if any. For example, in `m3 = Store r1, r2`, the result of `getResultAddressOperand()`
+   * is `r1`.
+   */
+  final AddressOperand getResultAddressOperand() {
+    getResultMemoryAccess().usesAddressOperand() and
+    result.getUseInstruction() = this
+  }
+
   /**
    * Holds if the result of this instruction is precisely modeled in SSA. Always
    * holds for a register result. For a memory result, a modeled result is
@@ -1340,7 +1350,7 @@ class CallSideEffectInstruction extends SideEffectInstruction {
   }
 
   override final MemoryAccessKind getResultMemoryAccess() {
-    result instanceof EscapedMemoryAccess
+    result instanceof EscapedMayMemoryAccess
   }
 }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -128,7 +128,7 @@ class MemoryOperand extends Operand {
    * is `r1`.
    */
   final AddressOperand getAddressOperand() {
-    getMemoryAccess() instanceof IndirectMemoryAccess and
+    getMemoryAccess().usesAddressOperand() and
     result.getUseInstruction() = getUseInstruction()
   }
 }
@@ -351,10 +351,10 @@ class SideEffectOperand extends TypedOperand {
 
   override MemoryAccessKind getMemoryAccess() {
     useInstr instanceof CallSideEffectInstruction and
-    result instanceof EscapedMemoryAccess
+    result instanceof EscapedMayMemoryAccess
     or
     useInstr instanceof CallReadSideEffectInstruction and
-    result instanceof EscapedMemoryAccess
+    result instanceof EscapedMayMemoryAccess
     or
     useInstr instanceof IndirectReadSideEffectInstruction and
     result instanceof IndirectMemoryAccess