Merge pull request #2005 from AndreiDiaconu1/ircsharp-unaliased

C# IR: Unaliased SSA

Author: dave-bartolomeo

csharp/ql/src/semmle/code/csharp/ir/IR.qll

@@ -3,4 +3,4 @@
  * publicly as the "IR".
  */
 
-import implementation.raw.IR
+import implementation.unaliased_ssa.IR

csharp/ql/src/semmle/code/csharp/ir/PrintIR.ql

@@ -5,4 +5,4 @@
  * @kind graph
  */
 
-import implementation.raw.PrintIR
+import implementation.unaliased_ssa.PrintIR

csharp/ql/src/semmle/code/csharp/ir/PrintIR.qll

@@ -1 +1 @@
-import implementation.raw.PrintIR
+import implementation.unaliased_ssa.PrintIR

csharp/ql/src/semmle/code/csharp/ir/ValueNumbering.qll

@@ -1 +1 @@
-import implementation.raw.gvn.ValueNumbering
+import implementation.unaliased_ssa.gvn.ValueNumbering

csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedDeclaration.qll

@@ -72,6 +72,4 @@ class TranslatedLocalVariableDeclaration extends TranslatedLocalDeclaration,
         // then the simple variable initialization
         result = getTranslatedInitialization(var.getInitializer())
   }
-
-  override predicate isInitializedByElement() { expr.getParent() instanceof IsExpr }
 }

csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -1792,27 +1792,27 @@ class TranslatedIsExpr extends TranslatedNonConstantExpr {
     this.hasVar() and
     tag = GeneratedBranchTag() and
     (
-      tag = GeneratedBranchTag() and
       kind instanceof TrueEdge and
-      result = getPatternVarDecl().getFirstInstruction()
+      result = this.getInstruction(InitializerStoreTag())
       or
-      tag = GeneratedBranchTag() and
       kind instanceof FalseEdge and
       result = this.getParent().getChildSuccessor(this)
     )
     or
     tag = GeneratedConstantTag() and
     kind instanceof GotoEdge and
-    result = this.getInstruction(GeneratedNEQTag())
+    if this.hasVar()
+    then result = this.getPatternVarDecl().getFirstInstruction()
+    else result = this.getInstruction(GeneratedNEQTag())
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
     child = this.getIsExpr() and
     result = this.getInstruction(ConvertTag())
     or
     this.hasVar() and
-    child = getPatternVarDecl() and
-    result = this.getInstruction(InitializerStoreTag())
+    child = this.getPatternVarDecl() and
+    result = this.getInstruction(GeneratedNEQTag())
   }
 
   override predicate hasInstruction(
@@ -1842,7 +1842,7 @@ class TranslatedIsExpr extends TranslatedNonConstantExpr {
     this.hasVar() and
     tag = GeneratedBranchTag() and
     opcode instanceof Opcode::ConditionalBranch and
-    resultType = expr.getType() and
+    resultType instanceof VoidType and
     isLValue = false
   }
 

csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedDeclarationBase.qll

@@ -39,12 +39,7 @@ abstract class LocalVariableDeclarationBase extends TranslatedElement {
       kind instanceof GotoEdge and
       if hasUninitializedInstruction()
       then result = getInstruction(InitializerStoreTag())
-      else
-        if isInitializedByElement()
-        then
-          // initialization is done by an element
-          result = getParent().getChildSuccessor(this)
-        else result = getInitialization().getFirstInstruction()
+      else result = getInitialization().getFirstInstruction()
     )
     or
     hasUninitializedInstruction() and
@@ -75,11 +70,8 @@ abstract class LocalVariableDeclarationBase extends TranslatedElement {
    * desugaring process.
    */
   predicate hasUninitializedInstruction() {
-    (
-      not exists(getInitialization()) or
-      getInitialization() instanceof TranslatedListInitialization
-    ) and
-    not isInitializedByElement()
+    not exists(getInitialization()) or
+    getInitialization() instanceof TranslatedListInitialization
   }
 
   Instruction getVarAddress() { result = getInstruction(InitializerVariableAddressTag()) }
@@ -101,10 +93,4 @@ abstract class LocalVariableDeclarationBase extends TranslatedElement {
    * as a different step, but do it during the declaration.
    */
   abstract TranslatedElement getInitialization();
-
-  /**
-   * Holds if a declaration is not explicitly initialized,
-   * but will be implicitly initialized by an element.
-   */
-  abstract predicate isInitializedByElement();
 }

csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/internal/TranslatedCompilerGeneratedDeclaration.qll

@@ -72,10 +72,6 @@ abstract class TranslatedCompilerGeneratedDeclaration extends LocalVariableDecla
   // element
   override LocalVariable getDeclVar() { none() }
 
-  // A compiler generated element always has an explicit
-  // initialization
-  override predicate isInitializedByElement() { none() }
-
   override Type getVarType() { result = getIRVariable().getType() }
 
   /**

csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IR.qll

@@ -0,0 +1,29 @@
+import IRFunction
+import Instruction
+import IRBlock
+import IRVariable
+import Operand
+private import internal.IRImports as Imports
+import Imports::EdgeKind
+import Imports::MemoryAccessKind
+
+private newtype TIRPropertyProvider = MkIRPropertyProvider()
+
+/**
+ * Class that provides additional properties to be dumped for IR instructions and blocks when using
+ * the PrintIR module. Libraries that compute additional facts about IR elements can extend the
+ * single instance of this class to specify the additional properties computed by the library.
+ */
+class IRPropertyProvider extends TIRPropertyProvider {
+  string toString() { result = "IRPropertyProvider" }
+
+  /**
+   * Gets the value of the property named `key` for the specified instruction.
+   */
+  string getInstructionProperty(Instruction instruction, string key) { none() }
+
+  /**
+   * Gets the value of the property named `key` for the specified block.
+   */
+  string getBlockProperty(IRBlock block, string key) { none() }
+}

csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRBlock.qll

@@ -0,0 +1,210 @@
+private import internal.IRInternal
+import Instruction
+private import internal.IRBlockImports as Imports
+import Imports::EdgeKind
+private import Cached
+
+/**
+ * A basic block in the IR. A basic block consists of a sequence of `Instructions` with the only
+ * incoming edges at the beginning of the sequence and the only outgoing edges at the end of the
+ * sequence.
+ *
+ * This class does not contain any members that query the predecessor or successor edges of the
+ * block. This allows different classes that extend `IRBlockBase` to expose different subsets of
+ * edges (e.g. ignoring unreachable edges).
+ *
+ * Most consumers should use the class `IRBlock`.
+ */
+class IRBlockBase extends TIRBlock {
+  final string toString() { result = getFirstInstruction(this).toString() }
+
+  final Language::Location getLocation() { result = getFirstInstruction().getLocation() }
+
+  final string getUniqueId() { result = getFirstInstruction(this).getUniqueId() }
+
+  /**
+   * Gets the zero-based index of the block within its function. This is used
+   * by debugging and printing code only.
+   */
+  int getDisplayIndex() {
+    this = rank[result + 1](IRBlock funcBlock |
+        funcBlock.getEnclosingFunction() = getEnclosingFunction()
+      |
+        funcBlock order by funcBlock.getUniqueId()
+      )
+  }
+
+  final Instruction getInstruction(int index) { result = getInstruction(this, index) }
+
+  final PhiInstruction getAPhiInstruction() {
+    Construction::getPhiInstructionBlockStart(result) = getFirstInstruction()
+  }
+
+  final Instruction getAnInstruction() {
+    result = getInstruction(_) or
+    result = getAPhiInstruction()
+  }
+
+  final Instruction getFirstInstruction() { result = getFirstInstruction(this) }
+
+  final Instruction getLastInstruction() { result = getInstruction(getInstructionCount() - 1) }
+
+  final int getInstructionCount() { result = getInstructionCount(this) }
+
+  final IRFunction getEnclosingIRFunction() {
+    result = getFirstInstruction(this).getEnclosingIRFunction()
+  }
+
+  final Language::Function getEnclosingFunction() {
+    result = getFirstInstruction(this).getEnclosingFunction()
+  }
+}
+
+/**
+ * A basic block with additional information about its predecessor and successor edges. Each edge
+ * corresponds to the control flow between the last instruction of one block and the first
+ * instruction of another block.
+ */
+class IRBlock extends IRBlockBase {
+  final IRBlock getASuccessor() { blockSuccessor(this, result) }
+
+  final IRBlock getAPredecessor() { blockSuccessor(result, this) }
+
+  final IRBlock getSuccessor(EdgeKind kind) { blockSuccessor(this, result, kind) }
+
+  final IRBlock getBackEdgeSuccessor(EdgeKind kind) { backEdgeSuccessor(this, result, kind) }
+
+  final predicate immediatelyDominates(IRBlock block) { blockImmediatelyDominates(this, block) }
+
+  final predicate strictlyDominates(IRBlock block) { blockImmediatelyDominates+(this, block) }
+
+  final predicate dominates(IRBlock block) { strictlyDominates(block) or this = block }
+
+  pragma[noinline]
+  final IRBlock dominanceFrontier() {
+    dominates(result.getAPredecessor()) and
+    not strictlyDominates(result)
+  }
+
+  /**
+   * Holds if this block is reachable from the entry point of its function
+   */
+  final predicate isReachableFromFunctionEntry() {
+    this = getEnclosingIRFunction().getEntryBlock() or
+    getAPredecessor().isReachableFromFunctionEntry()
+  }
+}
+
+private predicate startsBasicBlock(Instruction instr) {
+  not instr instanceof PhiInstruction and
+  (
+    count(Instruction predecessor | instr = predecessor.getASuccessor()) != 1 // Multiple predecessors or no predecessor
+    or
+    exists(Instruction predecessor |
+      instr = predecessor.getASuccessor() and
+      strictcount(Instruction other | other = predecessor.getASuccessor()) > 1
+    ) // Predecessor has multiple successors
+    or
+    exists(Instruction predecessor, EdgeKind kind |
+      instr = predecessor.getSuccessor(kind) and
+      not kind instanceof GotoEdge
+    ) // Incoming edge is not a GotoEdge
+    or
+    exists(Instruction predecessor |
+      instr = Construction::getInstructionBackEdgeSuccessor(predecessor, _)
+    ) // A back edge enters this instruction
+  )
+}
+
+private predicate isEntryBlock(TIRBlock block) {
+  block = MkIRBlock(any(EnterFunctionInstruction enter))
+}
+
+cached
+private module Cached {
+  cached
+  newtype TIRBlock = MkIRBlock(Instruction firstInstr) { startsBasicBlock(firstInstr) }
+
+  /** Holds if `i2` follows `i1` in a `IRBlock`. */
+  private predicate adjacentInBlock(Instruction i1, Instruction i2) {
+    exists(GotoEdge edgeKind | i2 = i1.getSuccessor(edgeKind)) and
+    not startsBasicBlock(i2)
+  }
+
+  /** Holds if `i` is the `index`th instruction the block starting with `first`. */
+  private Instruction getInstructionFromFirst(Instruction first, int index) =
+    shortestDistances(startsBasicBlock/1, adjacentInBlock/2)(first, result, index)
+
+  /** Holds if `i` is the `index`th instruction in `block`. */
+  cached
+  Instruction getInstruction(TIRBlock block, int index) {
+    result = getInstructionFromFirst(getFirstInstruction(block), index)
+  }
+
+  cached
+  int getInstructionCount(TIRBlock block) { result = strictcount(getInstruction(block, _)) }
+
+  cached
+  predicate blockSuccessor(TIRBlock pred, TIRBlock succ, EdgeKind kind) {
+    exists(Instruction predLast, Instruction succFirst |
+      predLast = getInstruction(pred, getInstructionCount(pred) - 1) and
+      succFirst = predLast.getSuccessor(kind) and
+      succ = MkIRBlock(succFirst)
+    )
+  }
+
+  pragma[noinline]
+  private predicate blockIdentity(TIRBlock b1, TIRBlock b2) { b1 = b2 }
+
+  pragma[noopt]
+  cached
+  predicate backEdgeSuccessor(TIRBlock pred, TIRBlock succ, EdgeKind kind) {
+    backEdgeSuccessorRaw(pred, succ, kind)
+    or
+    // See the QLDoc on `backEdgeSuccessorRaw`.
+    exists(TIRBlock pred2 |
+      // Joining with `blockIdentity` is a performance trick to get
+      // `forwardEdgeRaw` on the RHS of a join, where it's fast.
+      blockIdentity(pred, pred2) and
+      forwardEdgeRaw+(pred, pred2)
+    ) and
+    blockSuccessor(pred, succ, kind)
+  }
+
+  /**
+   * Holds if there is an edge from `pred` to `succ` that is not a back edge.
+   */
+  private predicate forwardEdgeRaw(TIRBlock pred, TIRBlock succ) {
+    exists(EdgeKind kind |
+      blockSuccessor(pred, succ, kind) and
+      not backEdgeSuccessorRaw(pred, succ, kind)
+    )
+  }
+
+  /**
+   * Holds if the `kind`-edge from `pred` to `succ` is a back edge according to
+   * `Construction`.
+   *
+   * There could be loops of non-back-edges if there is a flaw in the IR
+   * construction or back-edge detection, and this could cause non-termination
+   * of subsequent analysis. To prevent that, a subsequent predicate further
+   * classifies all edges as back edges if they are involved in a loop of
+   * non-back-edges.
+   */
+  private predicate backEdgeSuccessorRaw(TIRBlock pred, TIRBlock succ, EdgeKind kind) {
+    exists(Instruction predLast, Instruction succFirst |
+      predLast = getInstruction(pred, getInstructionCount(pred) - 1) and
+      succFirst = Construction::getInstructionBackEdgeSuccessor(predLast, kind) and
+      succ = MkIRBlock(succFirst)
+    )
+  }
+
+  cached
+  predicate blockSuccessor(TIRBlock pred, TIRBlock succ) { blockSuccessor(pred, succ, _) }
+
+  cached
+  predicate blockImmediatelyDominates(TIRBlock dominator, TIRBlock block) =
+    idominance(isEntryBlock/1, blockSuccessor/2)(_, dominator, block)
+}
+
+Instruction getFirstInstruction(TIRBlock block) { block = MkIRBlock(result) }