Merge branch 'main' into alternative-instruction-operand-flow

Author: MathiasVP

cpp/autobuilder/.gitignore

@@ -0,0 +1,13 @@
+obj/
+TestResults/
+*.manifest
+*.pdb
+*.suo
+*.mdb
+*.vsmdi
+csharp.log
+**/bin/Debug
+**/bin/Release
+*.tlog
+.vs
+*.user

cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/Bound.qll

@@ -8,8 +8,8 @@ private newtype TBound =
     exists(Instruction i |
       vn.getAnInstruction() = i and
       (
-        i.getResultType() instanceof IntegralType or
-        i.getResultType() instanceof PointerType
+        i.getResultIRType() instanceof IRIntegerType or
+        i.getResultIRType() instanceof IRAddressType
       ) and
       not vn.getAnInstruction() instanceof ConstantInstruction
     |

cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll

@@ -244,14 +244,14 @@ class CondReason extends Reason, TCondReason {
 /**
  * Holds if `typ` is a small integral type with the given lower and upper bounds.
  */
-private predicate typeBound(IntegralType typ, int lowerbound, int upperbound) {
-  typ.isSigned() and typ.getSize() = 1 and lowerbound = -128 and upperbound = 127
+private predicate typeBound(IRIntegerType typ, int lowerbound, int upperbound) {
+  typ.isSigned() and typ.getByteSize() = 1 and lowerbound = -128 and upperbound = 127
   or
-  typ.isUnsigned() and typ.getSize() = 1 and lowerbound = 0 and upperbound = 255
+  typ.isUnsigned() and typ.getByteSize() = 1 and lowerbound = 0 and upperbound = 255
   or
-  typ.isSigned() and typ.getSize() = 2 and lowerbound = -32768 and upperbound = 32767
+  typ.isSigned() and typ.getByteSize() = 2 and lowerbound = -32768 and upperbound = 32767
   or
-  typ.isUnsigned() and typ.getSize() = 2 and lowerbound = 0 and upperbound = 65535
+  typ.isUnsigned() and typ.getByteSize() = 2 and lowerbound = 0 and upperbound = 65535
 }
 
 /**
@@ -260,14 +260,14 @@ private predicate typeBound(IntegralType typ, int lowerbound, int upperbound) {
 private class NarrowingCastInstruction extends ConvertInstruction {
   NarrowingCastInstruction() {
     not this instanceof SafeCastInstruction and
-    typeBound(getResultType(), _, _)
+    typeBound(getResultIRType(), _, _)
   }
 
   /** Gets the lower bound of the resulting type. */
-  int getLowerBound() { typeBound(getResultType(), result, _) }
+  int getLowerBound() { typeBound(getResultIRType(), result, _) }
 
   /** Gets the upper bound of the resulting type. */
-  int getUpperBound() { typeBound(getResultType(), _, result) }
+  int getUpperBound() { typeBound(getResultIRType(), _, result) }
 }
 
 /**

cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll

@@ -86,15 +86,15 @@ predicate backEdge(PhiInstruction phi, PhiInputOperand op) {
  * range analysis.
  */
 pragma[inline]
-private predicate safeCast(IntegralType fromtyp, IntegralType totyp) {
-  fromtyp.getSize() < totyp.getSize() and
+private predicate safeCast(IRIntegerType fromtyp, IRIntegerType totyp) {
+  fromtyp.getByteSize() < totyp.getByteSize() and
   (
     fromtyp.isUnsigned()
     or
     totyp.isSigned()
   )
   or
-  fromtyp.getSize() <= totyp.getSize() and
+  fromtyp.getByteSize() <= totyp.getByteSize() and
   (
     fromtyp.isSigned() and
     totyp.isSigned()
@@ -109,8 +109,8 @@ private predicate safeCast(IntegralType fromtyp, IntegralType totyp) {
  */
 class PtrToPtrCastInstruction extends ConvertInstruction {
   PtrToPtrCastInstruction() {
-    getResultType() instanceof PointerType and
-    getUnary().getResultType() instanceof PointerType
+    getResultIRType() instanceof IRAddressType and
+    getUnary().getResultIRType() instanceof IRAddressType
   }
 }
 
@@ -119,7 +119,7 @@ class PtrToPtrCastInstruction extends ConvertInstruction {
  * that cannot overflow or underflow.
  */
 class SafeIntCastInstruction extends ConvertInstruction {
-  SafeIntCastInstruction() { safeCast(getUnary().getResultType(), getResultType()) }
+  SafeIntCastInstruction() { safeCast(getUnary().getResultIRType(), getResultIRType()) }
 }
 
 /**

cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/SignAnalysis.qll

@@ -469,17 +469,21 @@ module SignAnalysisCached {
     not exists(certainInstructionSign(i)) and
     not (
       result = TNeg() and
-      i.getResultType().(IntegralType).isUnsigned()
+      i.getResultIRType().(IRIntegerType).isUnsigned()
     ) and
     (
       unknownSign(i)
       or
       exists(ConvertInstruction ci, Instruction prior, boolean fromSigned, boolean toSigned |
         i = ci and
         prior = ci.getUnary() and
-        (if ci.getResultType().(IntegralType).isSigned() then toSigned = true else toSigned = false) and
         (
-          if prior.getResultType().(IntegralType).isSigned()
+          if ci.getResultIRType().(IRIntegerType).isSigned()
+          then toSigned = true
+          else toSigned = false
+        ) and
+        (
+          if prior.getResultIRType().(IRIntegerType).isSigned()
           then fromSigned = true
           else fromSigned = false
         ) and
@@ -512,11 +516,11 @@ module SignAnalysisCached {
         i instanceof ShiftLeftInstruction and result = s1.lshift(s2)
         or
         i instanceof ShiftRightInstruction and
-        i.getResultType().(IntegralType).isSigned() and
+        i.getResultIRType().(IRIntegerType).isSigned() and
         result = s1.rshift(s2)
         or
         i instanceof ShiftRightInstruction and
-        not i.getResultType().(IntegralType).isSigned() and
+        not i.getResultIRType().(IRIntegerType).isSigned() and
         result = s1.urshift(s2)
       )
       or

cpp/ql/src/printAst.ql

@@ -0,0 +1,27 @@
+/**
+ * @name Print AST
+ * @description Outputs a representation of a file's Abstract Syntax Tree. This
+ *              query is used by the VS Code extension.
+ * @id cpp/print-ast
+ * @kind graph
+ * @tags ide-contextual-queries/print-ast
+ */
+
+import cpp
+import semmle.code.cpp.PrintAST
+import definitions
+
+/**
+ * The source file to generate an AST from.
+ */
+external string selectedSourceFile();
+
+class Cfg extends PrintASTConfiguration {
+  /**
+   * Holds if the AST for `func` should be printed.
+   * Print All functions from the selected file.
+   */
+  override predicate shouldPrintFunction(Function func) {
+    func.getFile() = getEncodedFile(selectedSourceFile())
+  }
+}

cpp/ql/src/semmle/code/cpp/Preprocessor.qll

@@ -33,11 +33,13 @@ class PreprocessorDirective extends Locatable, @preprocdirect {
   }
 }
 
+private class TPreprocessorBranchDirective = @ppd_branch or @ppd_else or @ppd_endif;
+
 /**
  * A C/C++ preprocessor branch related directive: `#if`, `#ifdef`,
  * `#ifndef`, `#elif`, `#else` or `#endif`.
  */
-abstract class PreprocessorBranchDirective extends PreprocessorDirective {
+class PreprocessorBranchDirective extends PreprocessorDirective, TPreprocessorBranchDirective {
   /**
    * Gets the `#if`, `#ifdef` or `#ifndef` directive which matches this
    * branching directive.

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -234,20 +234,20 @@ predicate clearsContent(Node n, Content c) {
 }
 
 /** Gets the type of `n` used for type pruning. */
-Type getNodeType(Node n) {
+IRType getNodeType(Node n) {
   suppressUnusedNode(n) and
-  result instanceof VoidType // stub implementation
+  result instanceof IRVoidType // stub implementation
 }
 
 /** Gets a string representation of a type returned by `getNodeType`. */
-string ppReprType(Type t) { none() } // stub implementation
+string ppReprType(IRType t) { none() } // stub implementation
 
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
 pragma[inline]
-predicate compatibleTypes(Type t1, Type t2) {
+predicate compatibleTypes(IRType t1, IRType t2) {
   any() // stub implementation
 }
 
@@ -271,7 +271,7 @@ class DataFlowCallable = Declaration;
 
 class DataFlowExpr = Expr;
 
-class DataFlowType = Type;
+class DataFlowType = IRType;
 
 /** A function call relevant for data flow. */
 class DataFlowCall extends CallInstruction {

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -34,7 +34,7 @@ class Node extends TIRDataFlowNode {
   Function getFunction() { none() } // overridden in subclasses
 
   /** Gets the type of this node. */
-  Type getType() { none() } // overridden in subclasses
+  IRType getType() { none() } // overridden in subclasses
 
   /** Gets the instruction corresponding to this node, if any. */
   Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
@@ -89,7 +89,7 @@ class Node extends TIRDataFlowNode {
   /**
    * Gets an upper bound on the type of this node.
    */
-  Type getTypeBound() { result = getType() }
+  IRType getTypeBound() { result = getType() }
 
   /** Gets the location of this element. */
   Location getLocation() { none() } // overridden by subclasses
@@ -126,7 +126,7 @@ class InstructionNode extends Node, TInstructionNode {
 
   override Function getFunction() { result = instr.getEnclosingFunction() }
 
-  override Type getType() { result = instr.getResultType() }
+  override IRType getType() { result = instr.getResultIRType() }
 
   override Location getLocation() { result = instr.getLocation() }
 
@@ -152,7 +152,7 @@ class OperandNode extends Node, TOperandNode {
 
   override Function getFunction() { result = op.getUse().getEnclosingFunction() }
 
-  override Type getType() { result = op.getType() }
+  override IRType getType() { result = op.getIRType() }
 
   override Location getLocation() { result = op.getLocation() }
 
@@ -450,7 +450,7 @@ class VariableNode extends Node, TVariableNode {
     result = v
   }
 
-  override Type getType() { result = v.getType() }
+  override IRType getType() { result.getCanonicalLanguageType().hasUnspecifiedType(v.getType(), _) }
 
   override Location getLocation() { result = v.getLocation() }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll

@@ -152,6 +152,12 @@ class IRIntegerType extends IRNumericType {
     this = TIRSignedIntegerType(byteSize) or
     this = TIRUnsignedIntegerType(byteSize)
   }
+
+  /** Holds if this integer type is signed. */
+  predicate isSigned() { none() }
+
+  /** Holds if this integer type is unsigned. */
+  predicate isUnsigned() { none() }
   // Don't override `getByteSize()` here. The optimizer seems to generate better code when this is
   // overridden only in the leaf classes.
 }
@@ -169,6 +175,8 @@ class IRSignedIntegerType extends IRIntegerType, TIRSignedIntegerType {
 
   pragma[noinline]
   final override int getByteSize() { result = byteSize }
+
+  override predicate isSigned() { any() }
 }
 
 /**
@@ -184,6 +192,8 @@ class IRUnsignedIntegerType extends IRIntegerType, TIRUnsignedIntegerType {
 
   pragma[noinline]
   final override int getByteSize() { result = byteSize }
+
+  override predicate isUnsigned() { any() }
 }
 
 /**