Merge pull request #2184 from dave-bartolomeo/dave/AliasedUse

C++/C#: Add `AliasedUse` instruction to all functions

Author: jbj

cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll

@@ -5,6 +5,7 @@ private newtype TMemoryAccessKind =
   TBufferMayMemoryAccess() or
   TEscapedMemoryAccess() or
   TEscapedMayMemoryAccess() or
+  TNonLocalMayMemoryAccess() or
   TPhiMemoryAccess() or
   TUnmodeledMemoryAccess() or
   TChiTotalMemoryAccess() or
@@ -80,6 +81,14 @@ class EscapedMayMemoryAccess extends MemoryAccessKind, TEscapedMayMemoryAccess {
   override string toString() { result = "escaped(may)" }
 }
 
+/**
+ * The operand or result may access all memory whose address has escaped, other than data on the
+ * stack frame of the current function.
+ */
+class NonLocalMayMemoryAccess extends MemoryAccessKind, TNonLocalMayMemoryAccess {
+  override string toString() { result = "nonlocal(may)" }
+}
+
 /**
  * The operand is a Phi operand, which accesses the same memory as its
  * definition.

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -57,6 +57,7 @@ private newtype TOpcode =
   TUnmodeledDefinition() or
   TUnmodeledUse() or
   TAliasedDefinition() or
+  TAliasedUse() or
   TPhi() or
   TBuiltIn() or
   TVarArgsStart() or
@@ -393,6 +394,10 @@ module Opcode {
     final override string toString() { result = "AliasedDefinition" }
   }
 
+  class AliasedUse extends Opcode, TAliasedUse {
+    final override string toString() { result = "AliasedUse" }
+  }
+
   class Phi extends Opcode, TPhi {
     final override string toString() { result = "Phi" }
   }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -50,7 +50,8 @@ module InstructionSanity {
         (
           opcode instanceof ReadSideEffectOpcode or
           opcode instanceof Opcode::InlineAsm or
-          opcode instanceof Opcode::CallSideEffect
+          opcode instanceof Opcode::CallSideEffect or
+          opcode instanceof Opcode::AliasedUse
         ) and
         tag instanceof SideEffectOperandTag
       )
@@ -263,6 +264,7 @@ module InstructionSanity {
   ) {
     exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
       not useOperand.getUse() instanceof UnmodeledUseInstruction and
+      not defInstr instanceof UnmodeledDefinitionInstruction and
       pointOfEvaluation(useOperand, useBlock, useIndex) and
       defInstr = useOperand.getAnyDef() and
       (
@@ -1421,6 +1423,13 @@ class AliasedDefinitionInstruction extends Instruction {
   final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess }
 }
 
+/**
+ * An instruction that consumes all escaped memory on exit from the function.
+ */
+class AliasedUseInstruction extends Instruction {
+  AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse }
+}
+
 class UnmodeledUseInstruction extends Instruction {
   UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -396,6 +396,9 @@ class SideEffectOperand extends TypedOperand {
   override SideEffectOperandTag tag;
 
   override MemoryAccessKind getMemoryAccess() {
+    useInstr instanceof AliasedUseInstruction and
+    result instanceof NonLocalMayMemoryAccess
+    or
     useInstr instanceof CallSideEffectInstruction and
     result instanceof EscapedMayMemoryAccess
     or

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -45,6 +45,7 @@ private newtype TMemoryLocation =
     languageType = type.getCanonicalLanguageType()
   } or
   TUnknownMemoryLocation(IRFunction irFunc) or
+  TUnknownNonLocalMemoryLocation(IRFunction irFunc) or
   TUnknownVirtualVariable(IRFunction irFunc)
 
 /**
@@ -162,6 +163,26 @@ class UnknownMemoryLocation extends TUnknownMemoryLocation, MemoryLocation {
   final override string getUniqueId() { result = "{Unknown}" }
 }
 
+/**
+ * An access to memory that is not known to be confined to a specific `IRVariable`, but is known to
+ * not access memory on the current function's stack frame.
+ */
+class UnknownNonLocalMemoryLocation extends TUnknownNonLocalMemoryLocation, MemoryLocation {
+  IRFunction irFunc;
+
+  UnknownNonLocalMemoryLocation() { this = TUnknownNonLocalMemoryLocation(irFunc) }
+
+  final override string toString() { result = "{UnknownNonLocal}" }
+
+  final override VirtualVariable getVirtualVariable() { result = TUnknownVirtualVariable(irFunc) }
+
+  final override Language::LanguageType getType() {
+    result = any(IRUnknownType type).getCanonicalLanguageType()
+  }
+
+  final override string getUniqueId() { result = "{UnknownNonLocal}" }
+}
+
 /**
  * An access to all aliased memory.
  */
@@ -194,6 +215,13 @@ Overlap getOverlap(MemoryLocation def, MemoryLocation use) {
     def instanceof UnknownMemoryLocation and
     result instanceof MayPartiallyOverlap
     or
+    // An UnknownNonLocalMemoryLocation may partially overlap any location within the same virtual
+    // variable, except a local variable.
+    def.getVirtualVariable() = use.getVirtualVariable() and
+    def instanceof UnknownNonLocalMemoryLocation and
+    result instanceof MayPartiallyOverlap and
+    not use.(VariableMemoryLocation).getVariable() instanceof IRAutomaticVariable
+    or
     exists(VariableMemoryLocation defVariableLocation |
       defVariableLocation = def and
       (
@@ -202,6 +230,13 @@ Overlap getOverlap(MemoryLocation def, MemoryLocation use) {
         (use instanceof UnknownMemoryLocation or use instanceof UnknownVirtualVariable) and
         result instanceof MayPartiallyOverlap
         or
+        // A VariableMemoryLocation that is not a local variable may partially overlap an unknown
+        // non-local location within the same virtual variable.
+        def.getVirtualVariable() = use.getVirtualVariable() and
+        use instanceof UnknownNonLocalMemoryLocation and
+        result instanceof MayPartiallyOverlap and
+        not defVariableLocation.getVariable() instanceof IRAutomaticVariable
+        or
         // A VariableMemoryLocation overlaps another location within the same variable based on the relationship
         // of the two offset intervals.
         exists(Overlap intervalOverlap |
@@ -327,6 +362,9 @@ MemoryLocation getResultMemoryLocation(Instruction instr) {
       or
       kind instanceof EscapedMayMemoryAccess and
       result = TUnknownMemoryLocation(instr.getEnclosingIRFunction())
+      or
+      kind instanceof NonLocalMayMemoryAccess and
+      result = TUnknownNonLocalMemoryLocation(instr.getEnclosingIRFunction())
     )
   )
 }
@@ -351,6 +389,9 @@ MemoryLocation getOperandMemoryLocation(MemoryOperand operand) {
       or
       kind instanceof EscapedMayMemoryAccess and
       result = TUnknownMemoryLocation(operand.getEnclosingIRFunction())
+      or
+      kind instanceof NonLocalMayMemoryAccess and
+      result = TUnknownNonLocalMemoryLocation(operand.getEnclosingIRFunction())
     )
   )
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -50,7 +50,8 @@ module InstructionSanity {
         (
           opcode instanceof ReadSideEffectOpcode or
           opcode instanceof Opcode::InlineAsm or
-          opcode instanceof Opcode::CallSideEffect
+          opcode instanceof Opcode::CallSideEffect or
+          opcode instanceof Opcode::AliasedUse
         ) and
         tag instanceof SideEffectOperandTag
       )
@@ -263,6 +264,7 @@ module InstructionSanity {
   ) {
     exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
       not useOperand.getUse() instanceof UnmodeledUseInstruction and
+      not defInstr instanceof UnmodeledDefinitionInstruction and
       pointOfEvaluation(useOperand, useBlock, useIndex) and
       defInstr = useOperand.getAnyDef() and
       (
@@ -1421,6 +1423,13 @@ class AliasedDefinitionInstruction extends Instruction {
   final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess }
 }
 
+/**
+ * An instruction that consumes all escaped memory on exit from the function.
+ */
+class AliasedUseInstruction extends Instruction {
+  AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse }
+}
+
 class UnmodeledUseInstruction extends Instruction {
   UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll

@@ -396,6 +396,9 @@ class SideEffectOperand extends TypedOperand {
   override SideEffectOperandTag tag;
 
   override MemoryAccessKind getMemoryAccess() {
+    useInstr instanceof AliasedUseInstruction and
+    result instanceof NonLocalMayMemoryAccess
+    or
     useInstr instanceof CallSideEffectInstruction and
     result instanceof EscapedMayMemoryAccess
     or

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -26,6 +26,7 @@ newtype TInstructionTag =
   UnmodeledDefinitionTag() or
   UnmodeledUseTag() or
   AliasedDefinitionTag() or
+  AliasedUseTag() or
   SwitchBranchTag() or
   CallTargetTag() or
   CallTag() or
@@ -118,6 +119,8 @@ string getInstructionTagId(TInstructionTag tag) {
   or
   tag = AliasedDefinitionTag() and result = "AliasedDef"
   or
+  tag = AliasedUseTag() and result = "AliasedUse"
+  or
   tag = SwitchBranchTag() and result = "SwitchBranch"
   or
   tag = CallTargetTag() and result = "CallTarget"

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -96,6 +96,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
       result = getInstruction(UnmodeledUseTag())
       or
       tag = UnmodeledUseTag() and
+      result = getInstruction(AliasedUseTag())
+      or
+      tag = AliasedUseTag() and
       result = getInstruction(ExitFunctionTag())
     )
   }
@@ -167,6 +170,10 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
       opcode instanceof Opcode::UnmodeledUse and
       resultType = getVoidType()
       or
+      tag = AliasedUseTag() and
+      opcode instanceof Opcode::AliasedUse and
+      resultType = getVoidType()
+      or
       tag = ExitFunctionTag() and
       opcode instanceof Opcode::ExitFunction and
       resultType = getVoidType()
@@ -187,6 +194,10 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     operandTag instanceof UnmodeledUseOperandTag and
     result = getUnmodeledDefinitionInstruction()
     or
+    tag = AliasedUseTag() and
+    operandTag instanceof SideEffectOperandTag and
+    result = getUnmodeledDefinitionInstruction()
+    or
     tag = ReturnTag() and
     hasReturnValue() and
     (
@@ -203,6 +214,10 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     hasReturnValue() and
     operandTag instanceof LoadOperandTag and
     result = getTypeForPRValue(getReturnType())
+    or
+    tag = AliasedUseTag() and
+    operandTag instanceof SideEffectOperandTag and
+    result = getUnknownType()
   }
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -50,7 +50,8 @@ module InstructionSanity {
         (
           opcode instanceof ReadSideEffectOpcode or
           opcode instanceof Opcode::InlineAsm or
-          opcode instanceof Opcode::CallSideEffect
+          opcode instanceof Opcode::CallSideEffect or
+          opcode instanceof Opcode::AliasedUse
         ) and
         tag instanceof SideEffectOperandTag
       )
@@ -263,6 +264,7 @@ module InstructionSanity {
   ) {
     exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
       not useOperand.getUse() instanceof UnmodeledUseInstruction and
+      not defInstr instanceof UnmodeledDefinitionInstruction and
       pointOfEvaluation(useOperand, useBlock, useIndex) and
       defInstr = useOperand.getAnyDef() and
       (
@@ -1421,6 +1423,13 @@ class AliasedDefinitionInstruction extends Instruction {
   final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess }
 }
 
+/**
+ * An instruction that consumes all escaped memory on exit from the function.
+ */
+class AliasedUseInstruction extends Instruction {
+  AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse }
+}
+
 class UnmodeledUseInstruction extends Instruction {
   UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse }