C++: Add use-use flow through global variables.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -345,21 +345,17 @@ OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
  */
 predicate jumpStep(Node n1, Node n2) {
   exists(Cpp::GlobalOrNamespaceVariable v |
-    v =
-      n1.asInstruction()
-          .(StoreInstruction)
-          .getResultAddress()
-          .(VariableAddressInstruction)
-          .getAstVariable() and
-    v = n2.asVariable()
+    exists(Ssa::GlobalUse globalUse |
+      v = globalUse.getVariable() and
+      n1.(FinalGlobalValue).getGlobalUse() = globalUse and
+      v = n2.asVariable(globalUse.getIndirectionIndex())
+    )
     or
-    v =
-      n2.asInstruction()
-          .(LoadInstruction)
-          .getSourceAddress()
-          .(VariableAddressInstruction)
-          .getAstVariable() and
-    v = n1.asVariable()
+    exists(Ssa::GlobalDef globalDef |
+      v = globalDef.getVariable() and
+      v = n1.asVariable(globalDef.getIndirectionIndex()) and
+      n2.(InitialGlobalValue).getGlobalDef() = globalDef
+    )
   )
 }
 
@@ -535,7 +531,13 @@ class Unit extends TUnit {
 }
 
 /** Holds if `n` should be hidden from path explanations. */
-predicate nodeIsHidden(Node n) { n instanceof OperandNode and not n instanceof ArgumentNode }
+predicate nodeIsHidden(Node n) {
+  n instanceof OperandNode and not n instanceof ArgumentNode
+  or
+  n instanceof FinalGlobalValue
+  or
+  n instanceof InitialGlobalValue
+}
 
 class LambdaCallKind = Unit;
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -42,7 +42,9 @@ private module Cached {
       (not i.getResultType() instanceof VoidType or i.isGLValue())
     } or
     TOperandNode(Operand op) { not Ssa::ignoreOperand(op) } or
-    TVariableNode(Variable var) or
+    TVariableNode(Variable var, int indirectionIndex) {
+      indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(var.getUnspecifiedType())]
+    } or
     TPostFieldUpdateNode(FieldAddress operand, int indirectionIndex) {
       indirectionIndex =
         [1 .. Ssa::countIndirectionsForCppType(operand.getObjectAddress().getResultLanguageType())]
@@ -57,7 +59,9 @@ private module Cached {
     } or
     TIndirectInstruction(Instruction instr, int indirectionIndex) {
       Ssa::hasIndirectInstruction(instr, indirectionIndex)
-    }
+    } or
+    TFinalGlobalValue(Ssa::GlobalUse globalUse) or
+    TInitialGlobalValue(Ssa::GlobalDef globalUse)
 }
 
 /**
@@ -269,7 +273,14 @@ class Node extends TIRDataFlowNode {
    * Gets the variable corresponding to this node, if any. This can be used for
    * modeling flow in and out of global variables.
    */
-  Variable asVariable() { result = this.(VariableNode).getVariable() }
+  Variable asVariable() { result = this.asVariable(1) }
+
+  Variable asVariable(int indirectionIndex) {
+    exists(VariableNode varNode | this = varNode |
+      varNode.getVariable() = result and
+      varNode.getIndirectionIndex() = indirectionIndex
+    )
+  }
 
   /**
    * Gets the expression that is partially defined by this node, if any.
@@ -492,6 +503,42 @@ class SideEffectOperandNode extends Node, IndirectOperand {
   Expr getArgument() { result = call.getArgument(argumentIndex).getUnconvertedResultExpression() }
 }
 
+class FinalGlobalValue extends Node, TFinalGlobalValue {
+  Ssa::GlobalUse globalUse;
+
+  FinalGlobalValue() { this = TFinalGlobalValue(globalUse) }
+
+  Ssa::GlobalUse getGlobalUse() { result = globalUse }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Declaration getFunction() { result = globalUse.getIRFunction().getFunction() }
+
+  override DataFlowType getType() { result instanceof VoidType } // TODO
+
+  final override Location getLocationImpl() { result = globalUse.getLocation() }
+
+  override string toStringImpl() { result = "FinalGlobalValue" }
+}
+
+class InitialGlobalValue extends Node, TInitialGlobalValue {
+  Ssa::GlobalDef globalDef;
+
+  InitialGlobalValue() { this = TInitialGlobalValue(globalDef) }
+
+  Ssa::GlobalDef getGlobalDef() { result = globalDef }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Declaration getFunction() { result = globalDef.getIRFunction().getFunction() }
+
+  override DataFlowType getType() { result instanceof VoidType } // TODO
+
+  final override Location getLocationImpl() { result = globalDef.getLocation() }
+
+  override string toStringImpl() { result = "InitialGlobalValue" }
+}
+
 /**
  * INTERNAL: do not use.
  *
@@ -1074,12 +1121,15 @@ class DefinitionByReferenceNode extends IndirectArgumentOutNode {
  */
 class VariableNode extends Node, TVariableNode {
   Variable v;
+  int indirectionIndex;
 
-  VariableNode() { this = TVariableNode(v) }
+  VariableNode() { this = TVariableNode(v, indirectionIndex) }
 
   /** Gets the variable corresponding to this node. */
   Variable getVariable() { result = v }
 
+  int getIndirectionIndex() { result = indirectionIndex }
+
   override Declaration getFunction() { none() }
 
   override Declaration getEnclosingCallable() {
@@ -1093,7 +1143,15 @@ class VariableNode extends Node, TVariableNode {
 
   override DataFlowType getType() { result = v.getType() }
 
-  final override Location getLocationImpl() { result = v.getLocation() }
+  final override Location getLocationImpl() {
+    // Certain variables (such as parameters) can have multiple locations.
+    // When there's a unique location we use that one, but if multiple locations
+    // exist we default to an unknown location.
+    result = unique( | | v.getLocation())
+    or
+    not exists(unique( | | v.getLocation())) and
+    result instanceof UnknownDefaultLocation
+  }
 
   override string toStringImpl() { result = v.toString() }
 }
@@ -1138,7 +1196,9 @@ DefinitionByReferenceNode definitionByReferenceNodeFromArgument(Expr argument) {
 }
 
 /** Gets the `VariableNode` corresponding to the variable `v`. */
-VariableNode variableNode(Variable v) { result.getVariable() = v }
+VariableNode variableNode(Variable v) {
+  result.getVariable() = v and result.getIndirectionIndex() = 1
+}
 
 /**
  * DEPRECATED: See UninitializedNode.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -107,14 +107,39 @@ predicate hasIndirectInstruction(Instruction instr, int indirectionIndex) {
 cached
 private newtype TDefOrUseImpl =
   TDefImpl(Operand address, int indirectionIndex) {
-    isDef(_, _, address, _, _, indirectionIndex) and
-    // We only include the definition if the SSA pruning stage
-    // concluded that the definition is live after the write.
-    any(SsaInternals0::Def def).getAddressOperand() = address
+    exists(Instruction base | isDef(_, _, address, base, _, indirectionIndex) |
+      // We only include the definition if the SSA pruning stage
+      // concluded that the definition is live after the write.
+      any(SsaInternals0::Def def).getAddressOperand() = address
+      or
+      // Since the pruning stage doesn't know about global variables we can't use the above check to
+      // rule out dead assignments to globals.
+      base.(VariableAddressInstruction).getAstVariable() instanceof Cpp::GlobalOrNamespaceVariable
+    )
   } or
   TUseImpl(Operand operand, int indirectionIndex) {
     isUse(_, operand, _, _, indirectionIndex) and
     not isDef(_, _, operand, _, _, _)
+  } or
+  TGlobalUse(Cpp::GlobalOrNamespaceVariable v, IRFunction f, int indirectionIndex) {
+    // Represents a final "use" of a global variable to ensure that
+    // the assignment to a global variable isn't ruled out as dead.
+    exists(VariableAddressInstruction vai, int defIndex |
+      vai.getEnclosingIRFunction() = f and
+      vai.getAstVariable() = v and
+      isDef(_, _, _, vai, _, defIndex) and
+      indirectionIndex = [0 .. defIndex] + 1
+    )
+  } or
+  TGlobalDef(Cpp::GlobalOrNamespaceVariable v, IRFunction f, int indirectionIndex) {
+    // Represents the initial "definition" of a global variable when entering
+    // a function body.
+    exists(VariableAddressInstruction vai |
+      vai.getEnclosingIRFunction() = f and
+      vai.getAstVariable() = v and
+      isUse(_, _, vai, _, indirectionIndex) and
+      not isDef(_, _, vai.getAUse(), _, _, _)
+    )
   }
 
 abstract private class DefOrUseImpl extends TDefOrUseImpl {
@@ -254,6 +279,70 @@ class UseImpl extends DefOrUseImpl, TUseImpl {
   predicate isCertain() { isUse(true, operand, _, _, ind) }
 }
 
+class GlobalUse extends TGlobalUse {
+  Cpp::GlobalOrNamespaceVariable global;
+  IRFunction f;
+  int indirectionIndex;
+
+  GlobalUse() { this = TGlobalUse(global, f, indirectionIndex) }
+
+  Cpp::GlobalOrNamespaceVariable getVariable() { result = global }
+
+  IRFunction getIRFunction() { result = f }
+
+  final predicate hasIndexInBlock(IRBlock block, int index) {
+    exists(ExitFunctionInstruction exit |
+      exit = f.getExitFunctionInstruction() and
+      block.getInstruction(index) = exit
+    )
+  }
+
+  int getIndirectionIndex() { result = indirectionIndex }
+
+  SourceVariable getSourceVariable() { sourceVariableIsGlobal(result, global, f, indirectionIndex) }
+
+  final predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
+    this.hasIndexInBlock(block, index) and
+    sv = this.getSourceVariable()
+  }
+
+  final Cpp::Location getLocation() { result = f.getLocation() }
+
+  string toString() { result = global.toString() + " [final value from " + f.toString() + "]" }
+}
+
+class GlobalDef extends TGlobalDef {
+  Cpp::GlobalOrNamespaceVariable global;
+  IRFunction f;
+  int indirectionIndex;
+
+  GlobalDef() { this = TGlobalDef(global, f, indirectionIndex) }
+
+  Cpp::GlobalOrNamespaceVariable getVariable() { result = global }
+
+  IRFunction getIRFunction() { result = f }
+
+  int getIndirectionIndex() { result = indirectionIndex }
+
+  final predicate hasIndexInBlock(IRBlock block, int index) {
+    exists(EnterFunctionInstruction enter |
+      enter = f.getEnterFunctionInstruction() and
+      block.getInstruction(index) = enter
+    )
+  }
+
+  SourceVariable getSourceVariable() { sourceVariableIsGlobal(result, global, f, indirectionIndex) }
+
+  final predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
+    this.hasIndexInBlock(block, index) and
+    sv = this.getSourceVariable()
+  }
+
+  final Cpp::Location getLocation() { result = f.getLocation() }
+
+  string toString() { result = global.toString() + " [initial value in " + f.toString() + "]" }
+}
+
 /**
  * Holds if `defOrUse1` is a definition which is first read by `use`,
  * or if `defOrUse1` is a use and `use` is a next subsequent use.
@@ -280,6 +369,32 @@ predicate adjacentDefRead(DefOrUse defOrUse1, UseOrPhi use) {
   )
 }
 
+/**
+ * Holds if `defOrUse` should flow to the final use of the
+ * global variable use represetned by `globalUse`.
+ */
+private predicate defOrUseToGlobalUse(DefOrUse defOrUse, GlobalUse globalUse) {
+  exists(IRBlock bb1, int i1, IRBlock bb2, int i2, SourceVariable v |
+    defOrUse.asDefOrUse().hasIndexInBlock(bb1, i1, v) and
+    globalUse.hasIndexInBlock(bb2, i2, v) and
+    adjacentDefRead(_, pragma[only_bind_into](bb1), pragma[only_bind_into](i1),
+      pragma[only_bind_into](bb2), pragma[only_bind_into](i2))
+  )
+}
+
+/**
+ * Holds if `globalDef` represents the initial definition of a global variable that
+ * flows to `useOrPhi`.
+ */
+private predicate globalDefToUse(GlobalDef globalDef, UseOrPhi useOrPhi) {
+  exists(IRBlock bb1, int i1, IRBlock bb2, int i2, SourceVariable v |
+    globalDef.hasIndexInBlock(bb1, i1, v) and
+    adjacentDefRead(_, pragma[only_bind_into](bb1), pragma[only_bind_into](i1),
+      pragma[only_bind_into](bb2), pragma[only_bind_into](i2)) and
+    useOrPhi.asDefOrUse().hasIndexInBlock(bb2, i2, v)
+  )
+}
+
 private predicate useToNode(UseOrPhi use, Node nodeTo) {
   exists(UseImpl useImpl |
     useImpl = use.asDefOrUse() and
@@ -369,6 +484,20 @@ predicate ssaFlow(Node nodeFrom, Node nodeTo) {
     adjacentDefRead(defOrUse1, use) and
     useToNode(use, nodeTo)
   )
+  or
+  // Def/use to final value of global vairable
+  exists(DefOrUse defOrUse, GlobalUse globalUse |
+    nodeToDefOrUse(nodeFrom, defOrUse) and
+    defOrUseToGlobalUse(defOrUse, globalUse) and
+    nodeTo.(FinalGlobalValue).getGlobalUse() = globalUse
+  )
+  or
+  // Initial global variable value to a first use
+  exists(GlobalDef globalDef, UseOrPhi use |
+    nodeFrom.(InitialGlobalValue).getGlobalDef() = globalDef and
+    globalDefToUse(globalDef, use) and
+    useToNode(use, nodeTo)
+  )
 }
 
 /**
@@ -421,6 +550,17 @@ private predicate variableWriteCand(IRBlock bb, int i, SourceVariable v) {
   )
 }
 
+private predicate sourceVariableIsGlobal(
+  SourceVariable sv, Cpp::GlobalOrNamespaceVariable global, IRFunction func, int indirectionIndex
+) {
+  exists(IRVariable irVar, BaseIRVariable base |
+    sourceVariableHasBaseAndIndex(sv, base, indirectionIndex) and
+    irVar = base.getIRVariable() and
+    irVar.getEnclosingIRFunction() = func and
+    global = irVar.getAst()
+  )
+}
+
 private module SsaInput implements SsaImplCommon::InputSig {
   import InputSigCommon
   import SourceVariables
@@ -431,10 +571,18 @@ private module SsaInput implements SsaImplCommon::InputSig {
    */
   predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
     DataFlowImplCommon::forceCachingInSameStage() and
-    variableWriteCand(bb, i, v) and
+    (
+      variableWriteCand(bb, i, v) or
+      sourceVariableIsGlobal(v, _, _, _)
+    ) and
     exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
       if def.isCertain() then certain = true else certain = false
     )
+    or
+    exists(GlobalDef global |
+      global.hasIndexInBlock(bb, i, v) and
+      certain = true
+    )
   }
 
   /**
@@ -445,6 +593,11 @@ private module SsaInput implements SsaImplCommon::InputSig {
     exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
       if use.isCertain() then certain = true else certain = false
     )
+    or
+    exists(GlobalUse global |
+      global.hasIndexInBlock(bb, i, v) and
+      certain = true
+    )
   }
 }