C++: Add implicit defs and uses for iterators' underlying containers.

MathiasVP · MathiasVP · commit f94ca0e0870a · 2022-12-15T11:55:21.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -119,6 +119,17 @@ private newtype TDefOrUseImpl =
   TUseImpl(Operand operand, int indirectionIndex) {
     isUse(_, operand, _, _, indirectionIndex) and
     not isDef(_, _, operand, _, _, _)
+  } or
+  TIteratorDef(
+    Operand iteratorAddress, BaseSourceVariableInstruction container, int indirectionIndex
+  ) {
+    isIteratorDef(container, iteratorAddress, _, _, indirectionIndex) and
+    any(SsaInternals0::Def def | def.isIteratorDef()).getAddressOperand() = iteratorAddress
+  } or
+  TIteratorUse(
+    Operand iteratorAddress, BaseSourceVariableInstruction container, int indirectionIndex
+  ) {
+    isIteratorUse(container, iteratorAddress, _, indirectionIndex)
   }
 
 abstract private class DefOrUseImpl extends TDefOrUseImpl {
@@ -230,8 +241,20 @@ private class DirectDef extends DefImpl, TDefImpl {
   override Node0Impl getValue() { isDef(_, result, address, _, _, _) }
 
   override predicate isCertain() { isDef(true, _, address, _, _, ind) }
+}
+
+private class IteratorDef extends DefImpl, TIteratorDef {
+  BaseSourceVariableInstruction container;
+
+  IteratorDef() { this = TIteratorDef(address, container, ind) }
+
+  override BaseSourceVariableInstruction getBase() { result = container }
+
+  override int getIndirection() { isIteratorDef(container, address, _, result, ind) }
 
-  predicate isCertain() { isDef(true, _, address, _, _, ind) }
+  override Node0Impl getValue() { isIteratorDef(container, address, result, _, _) }
+
+  override predicate isCertain() { none() }
 }
 
 abstract class UseImpl extends DefOrUseImpl {
@@ -270,6 +293,18 @@ private class DirectUse extends UseImpl, TUseImpl {
   override predicate isCertain() { isUse(true, operand, _, _, ind) }
 }
 
+private class IteratorUse extends UseImpl, TIteratorUse {
+  BaseSourceVariableInstruction container;
+
+  IteratorUse() { this = TIteratorUse(operand, container, ind) }
+
+  override int getIndirection() { isIteratorUse(container, operand, result, ind) }
+
+  override BaseSourceVariableInstruction getBase() { result = container }
+
+  override predicate isCertain() { none() }
+}
+
 /**
  * Holds if `defOrUse1` is a definition which is first read by `use`,
  * or if `defOrUse1` is a use and `use` is a next subsequent use.
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -410,6 +410,136 @@ private class BaseAllocationInstruction extends BaseSourceVariableInstruction, A
 
 cached
 private module Cached {
+  private import semmle.code.cpp.models.interfaces.Iterator as Interfaces
+  private import semmle.code.cpp.models.implementations.Iterator as Iterator
+
+  /**
+   * Holds if `next` is a instruction with a memory result that potentially
+   * updates the memory produced by `prev`.
+   */
+  private predicate memorySucc(Instruction prev, Instruction next) {
+    prev = next.(ChiInstruction).getTotal()
+    or
+    // Phi inputs can be inexact.
+    prev = next.(PhiInstruction).getAnInputOperand().getAnyDef()
+    or
+    prev = next.(CopyInstruction).getSourceValue()
+    or
+    exists(ReadSideEffectInstruction read |
+      next = read.getPrimaryInstruction() and
+      isAdditionalConversionFlow(_, next) and
+      prev = read.getSideEffectOperand().getAnyDef()
+    )
+  }
+
+  /**
+   * Holds if `iteratorDerefAddress` is an address of an iterator dereference (i.e., `*it`)
+   * that is used for a write operation that writes the value `value`. The `memory` instruction
+   * represents the memory that the IR's SSA analysis determined was read by the call to `operator*`.
+   *
+   * The `numberOfLoads` integer represents the number of dereferences this write corresponds to
+   * on the underlying container that produced the iterator.
+   */
+  private predicate isChiAfterIteratorDef(
+    Instruction memory, Operand iteratorDerefAddress, Node0Impl value, int numberOfLoads
+  ) {
+    exists(
+      BaseSourceVariableInstruction iteratorBase, ReadSideEffectInstruction read,
+      Operand iteratorAddress
+    |
+      numberOfLoads >= 0 and
+      isDef(_, value, iteratorDerefAddress, iteratorBase, numberOfLoads + 2, 0) and
+      isUse(_, iteratorAddress, iteratorBase, numberOfLoads + 1, 0) and
+      iteratorBase.getResultType() instanceof Interfaces::Iterator and
+      isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse()) and
+      memory = read.getSideEffectOperand().getAnyDef()
+    )
+  }
+
+  /**
+   * Holds if `iterator` is a `StoreInstruction` that stores the result of some function
+   * returning an iterator into an address computed started at `containerBase`.
+   *
+   * For example, given a declaration like `std::vector<int>::iterator it = v.begin()`,
+   * the `iterator` will be the `StoreInstruction` generated by the write to `it`, and
+   * `containerBase` will be the address of `v`.
+   */
+  private predicate isChiAfterBegin(
+    BaseSourceVariableInstruction containerBase, StoreInstruction iterator
+  ) {
+    exists(CallInstruction getIterator |
+      getIterator = iterator.getSourceValue() and
+      getIterator.getStaticCallTarget() instanceof Iterator::GetIteratorFunction and
+      isDef(_, any(Node0Impl n | n.asInstruction() = iterator), _, _, 1, 0) and
+      isUse(_, getIterator.getThisArgumentOperand(), containerBase, 0, 0)
+    )
+  }
+
+  /**
+   * Holds if `iteratorDerefAddress` is an address of an iterator dereference (i.e., `*it`)
+   * that is used for a read operation. The `memory` instruction represents the memory that
+   * the IR's SSA analysis determined was read by the call to `operator*`.
+   *
+   * Finally, the `numberOfLoads` integer represents the number of dereferences this read
+   * corresponds to on the underlying container that produced the iterator.
+   */
+  private predicate isChiBeforeIteratorUse(
+    Operand iteratorDerefAddress, Instruction memory, int numberOfLoads
+  ) {
+    exists(
+      BaseSourceVariableInstruction iteratorBase, LoadInstruction load,
+      ReadSideEffectInstruction read
+    |
+      numberOfLoads >= 0 and
+      isUse(_, iteratorDerefAddress, iteratorBase, numberOfLoads + 2, 0) and
+      iteratorBase.getResultType() instanceof Interfaces::Iterator and
+      read.getPrimaryInstruction() = load.getSourceAddress() and
+      memory = read.getSideEffectOperand().getAnyDef()
+    )
+  }
+
+  /**
+   * Holds if `iteratorDerefAddress` is an address of an iterator dereference (i.e., `*it`)
+   * that is used for a write operation that writes the value `value` to a container that
+   * created the iterator. `container` represents the base of the address of the container
+   * that was used to create the iterator.
+   */
+  cached
+  predicate isIteratorDef(
+    BaseSourceVariableInstruction container, Operand iteratorDerefAddress, Node0Impl value,
+    int numberOfLoads, int indirectionIndex
+  ) {
+    exists(Instruction memory, Instruction begin, int upper, int ind |
+      isChiAfterIteratorDef(memory, iteratorDerefAddress, value, numberOfLoads) and
+      memorySucc*(begin, memory) and
+      isChiAfterBegin(container, begin) and
+      upper = countIndirectionsForCppType(container.getResultLanguageType()) and
+      ind = numberOfLoads + [1 .. upper] and
+      indirectionIndex = ind - (numberOfLoads + 1)
+    )
+  }
+
+  /**
+   * Holds if `iteratorDerefAddress` is an address of an iterator dereference (i.e., `*it`)
+   * that is used for a read operation to read a value from a container that created the iterator.
+   * `container` represents the base of the address of the container that was used to create
+   * the iterator.
+   */
+  cached
+  predicate isIteratorUse(
+    BaseSourceVariableInstruction container, Operand iteratorDerefAddress, int numberOfLoads,
+    int indirectionIndex
+  ) {
+    exists(Instruction begin, Instruction memory, int upper, int ind |
+      isChiBeforeIteratorUse(iteratorDerefAddress, memory, numberOfLoads) and
+      memorySucc*(begin, memory) and
+      isChiAfterBegin(container, begin) and
+      upper = countIndirectionsForCppType(container.getResultLanguageType()) and
+      ind = numberOfLoads + [1 .. upper] and
+      indirectionIndex = ind - (numberOfLoads + 1)
+    )
+  }
+
   /**
    * Holds if `op` is a use of an SSA variable rooted at `base` with `ind` number
    * of indirections.
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll
@@ -33,6 +33,12 @@ private newtype TDefOrUseImpl =
   TUseImpl(Operand operand) {
     isUse(_, operand, _, _, _) and
     not isDef(true, _, operand, _, _, _)
+  } or
+  TIteratorDef(BaseSourceVariableInstruction container, Operand iteratorAddress) {
+    isIteratorDef(container, iteratorAddress, _, _, _)
+  } or
+  TIteratorUse(BaseSourceVariableInstruction container, Operand iteratorAddress) {
+    isIteratorUse(container, iteratorAddress, _, _)
   }
 
 abstract private class DefOrUseImpl extends TDefOrUseImpl {
@@ -93,8 +99,18 @@ private class DirectDef extends DefImpl, TDefImpl {
   override Node0Impl getValue() { isDef(_, result, address, _, _, _) }
 
   override predicate isCertain() { isDef(true, _, address, _, _, _) }
+}
+
+private class IteratorDef extends DefImpl, TIteratorDef {
+  BaseSourceVariableInstruction container;
+
+  IteratorDef() { this = TIteratorDef(container, address) }
+
+  override BaseSourceVariableInstruction getBase() { result = container }
+
+  override Node0Impl getValue() { isIteratorDef(_, address, result, _, _) }
 
-  predicate isCertain() { isDef(true, _, address, _, _, _) }
+  override predicate isCertain() { none() }
 }
 
 abstract class UseImpl extends DefOrUseImpl {
@@ -121,6 +137,16 @@ private class DirectUse extends UseImpl, TUseImpl {
   override predicate isCertain() { isUse(true, operand, _, _, _) }
 }
 
+private class IteratorUse extends UseImpl, TIteratorUse {
+  BaseSourceVariableInstruction container;
+
+  IteratorUse() { this = TIteratorUse(container, operand) }
+
+  override BaseSourceVariableInstruction getBase() { result = container }
+
+  override predicate isCertain() { none() }
+}
+
 private module SsaInput implements SsaImplCommon::InputSig {
   import InputSigCommon
   import SourceVariables
@@ -223,6 +249,8 @@ class Def extends DefOrUse {
   override string toString() { result = this.asDefOrUse().toString() }
 
   BaseSourceVariableInstruction getBase() { result = defOrUse.getBase() }
+
+  predicate isIteratorDef() { defOrUse instanceof IteratorDef }
 }
 
 private module SsaImpl = SsaImplCommon::Make<SsaInput>;
