C++: Remove unreachable IR

This change removes any IR instructions that can be statically proven unreachable. To detect unreachable IR, we first run a simple constant value analysis on the IR. Then, any `ConditionalBranch` with a constant condition has the appropriate edge marked as "infeasible". We define a class `ReachableBlock` as any `IRBlock` with a path from the entry block of the function. SSA construction has been modified to operate only on `ReachableBlock` and `ReachableInstruction`, which ensures that only reachable IR gets translated into SSA form. For any infeasible edge where its predecessor block is reachable, we replace the original target of the branch with an `Unreached` instruction, which lets us preserve the invariant that all `ConditionalBranch` instructions have both a true and a false edge, and allows guard inference to still work.

The changes to `SSAConstruction.qll` are not as scary as they look. They are almost entirely a mechanical replacement of `OldIR::IRBlock` with `OldBlock`, which is just an alias for `ReachableBlock`.

Note that the `constant_func.ql` test can determine that the two new test functions always return 0.

Removing unreachable code helps get rid of some common FPs in IR-based dataflow analysis, especially for constructs like `while(true)`.

Author: dave-bartolomeo

config/identical-files.json

@@ -82,5 +82,20 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
+  ],
+  "C++ IR ReachableBlock": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/reachability/ReachableBlock.qll"
+  ],
+  "C++ IR PrintReachableBlock": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/reachability/PrintReachableBlock.qll"
+  ],
+  "C++ IR Dominance": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/reachability/Dominance.qll"
   ]
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -68,7 +68,8 @@ private newtype TOpcode =
   TBufferReadSideEffect() or
   TBufferWriteSideEffect() or
   TBufferMayWriteSideEffect() or
-  TChi()
+  TChi() or
+  TUnreached()
 
 class Opcode extends TOpcode {
   string toString() {
@@ -195,5 +196,6 @@ module Opcode {
   class BufferReadSideEffect extends ReadSideEffectOpcode, BufferAccessOpcode, TBufferReadSideEffect { override final string toString() { result = "BufferReadSideEffect" } }
   class BufferWriteSideEffect extends WriteSideEffectOpcode, BufferAccessOpcode, TBufferWriteSideEffect { override final string toString() { result = "BufferWriteSideEffect" } }
   class BufferMayWriteSideEffect extends MayWriteSideEffectOpcode, BufferAccessOpcode, TBufferMayWriteSideEffect { override final string toString() { result = "BufferMayWriteSideEffect" } }
-  class Chi extends Opcode, TChi {override final string toString() { result = "Chi" } }
+  class Chi extends Opcode, TChi { override final string toString() { result = "Chi" } }
+  class Unreached extends Opcode, TUnreached { override final string toString() { result = "Unreached" } }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll

@@ -1,7 +1,7 @@
 private import internal.IRInternal
 import Instruction
 import semmle.code.cpp.ir.implementation.EdgeKind
-import Cached
+private import Cached
 
 class IRBlock extends TIRBlock {
   final string toString() {

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -102,7 +102,8 @@ module InstructionSanity {
     not exists(instr.getASuccessor()) and
     not instr instanceof ExitFunctionInstruction and
     // Phi instructions aren't linked into the instruction-level flow graph.
-    not instr instanceof PhiInstruction
+    not instr instanceof PhiInstruction and
+    not instr instanceof UnreachedInstruction
   }
 
   /**
@@ -451,8 +452,7 @@ class Instruction extends Construction::TInstruction {
   final predicate isResultModeled() {
     // Register results are always in SSA form.
     not hasMemoryResult() or
-    // An unmodeled result will have a use on the `UnmodeledUse` instruction.
-    not (getAUse() instanceof UnmodeledUseOperand)
+    Construction::hasModeledMemoryResult(this)
   }
 
   /**
@@ -1469,6 +1469,17 @@ class ChiInstruction extends Instruction {
   }
 }
 
+/**
+ * An instruction representing unreachable code. Inserted in place of the original target
+ * instruction of a `ConditionalBranch` or `Switch` instruction where that particular edge is
+ * infeasible.
+ */
+class UnreachedInstruction extends Instruction {
+  UnreachedInstruction() {
+    opcode instanceof Opcode::Unreached
+  }
+}
+
 /**
  * An instruction representing a built-in operation. This is used to represent
  * operations such as access to variable argument lists.