Merge branch 'main' into redsun82/kotlin

Author: redsun82

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -290,6 +290,8 @@ predicate knownSourceModel(Node source, string model) { none() }
 
 predicate knownSinkModel(Node sink, string model) { none() }
 
+class DataFlowSecondLevelScope = Unit;
+
 /**
  * Holds if flow is allowed to pass from parameter `p` and back to itself as a
  * side-effect, resulting in a summary from `p` to itself.

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -1338,6 +1338,24 @@ class CoAwaitExpr extends UnaryOperation, @co_await {
   override string getOperator() { result = "co_await" }
 
   override int getPrecedence() { result = 16 }
+
+  /**
+   * Gets the Boolean expression that is used to decide if the enclosing
+   * coroutine should be suspended.
+   */
+  Expr getAwaitReady() { result = this.getChild(1) }
+
+  /**
+   * Gets the expression that represents the resume point if the enclosing
+   * coroutine was suspended.
+   */
+  Expr getAwaitResume() { result = this.getChild(2) }
+
+  /**
+   * Gets the expression that is evaluated when the enclosing coroutine is
+   * suspended.
+   */
+  Expr getAwaitSuspend() { result = this.getChild(3) }
 }
 
 /**
@@ -1352,6 +1370,24 @@ class CoYieldExpr extends UnaryOperation, @co_yield {
   override string getOperator() { result = "co_yield" }
 
   override int getPrecedence() { result = 2 }
+
+  /**
+   * Gets the Boolean expression that is used to decide if the enclosing
+   * coroutine should be suspended.
+   */
+  Expr getAwaitReady() { result = this.getChild(1) }
+
+  /**
+   * Gets the expression that represents the resume point if the enclosing
+   * coroutine was suspended.
+   */
+  Expr getAwaitResume() { result = this.getChild(2) }
+
+  /**
+   * Gets the expression that is evaluated when the enclosing coroutine is
+   * suspended.
+   */
+  Expr getAwaitSuspend() { result = this.getChild(3) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll

@@ -22,6 +22,8 @@ module CppDataFlow implements InputSig<Location> {
 
   predicate getAdditionalFlowIntoCallNodeTerm = Private::getAdditionalFlowIntoCallNodeTerm/2;
 
+  predicate getSecondLevelScope = Private::getSecondLevelScope/1;
+
   predicate validParameterAliasStep = Private::validParameterAliasStep/2;
 
   predicate mayBenefitFromCallContext = Private::mayBenefitFromCallContext/1;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1583,3 +1583,85 @@ predicate validParameterAliasStep(Node node1, Node node2) {
     )
   )
 }
+
+private predicate isTopLevel(Cpp::Stmt s) { any(Function f).getBlock().getAStmt() = s }
+
+private Cpp::Stmt getAChainedBranch(Cpp::IfStmt s) {
+  result = s.getThen()
+  or
+  exists(Cpp::Stmt elseBranch | s.getElse() = elseBranch |
+    result = getAChainedBranch(elseBranch)
+    or
+    result = elseBranch and not elseBranch instanceof Cpp::IfStmt
+  )
+}
+
+private Instruction getAnInstruction(Node n) {
+  result = n.asInstruction()
+  or
+  not n instanceof InstructionNode and
+  result = n.asOperand().getUse()
+  or
+  result = n.(SsaPhiNode).getPhiNode().getBasicBlock().getFirstInstruction()
+  or
+  n.(IndirectInstruction).hasInstructionAndIndirectionIndex(result, _)
+  or
+  not n instanceof IndirectInstruction and
+  exists(Operand operand |
+    n.(IndirectOperand).hasOperandAndIndirectionIndex(operand, _) and
+    result = operand.getUse()
+  )
+  or
+  result = getAnInstruction(n.(PostUpdateNode).getPreUpdateNode())
+}
+
+private newtype TDataFlowSecondLevelScope =
+  TTopLevelIfBranch(Cpp::Stmt s) {
+    exists(Cpp::IfStmt ifstmt | s = getAChainedBranch(ifstmt) and isTopLevel(ifstmt))
+  } or
+  TTopLevelSwitchCase(Cpp::SwitchCase s) {
+    exists(Cpp::SwitchStmt switchstmt | s = switchstmt.getASwitchCase() and isTopLevel(switchstmt))
+  }
+
+/**
+ * A second-level control-flow scope in a `switch` or a chained `if` statement.
+ *
+ * This is a `switch` case or a branch of a chained `if` statement, given that
+ * the `switch` or `if` statement is top level, that is, it is not nested inside
+ * other CFG constructs.
+ */
+class DataFlowSecondLevelScope extends TDataFlowSecondLevelScope {
+  /** Gets a textual representation of this element. */
+  string toString() {
+    exists(Cpp::Stmt s | this = TTopLevelIfBranch(s) | result = s.toString())
+    or
+    exists(Cpp::SwitchCase s | this = TTopLevelSwitchCase(s) | result = s.toString())
+  }
+
+  /** Gets the primary location of this element. */
+  Cpp::Location getLocation() {
+    exists(Cpp::Stmt s | this = TTopLevelIfBranch(s) | result = s.getLocation())
+    or
+    exists(Cpp::SwitchCase s | this = TTopLevelSwitchCase(s) | result = s.getLocation())
+  }
+
+  /**
+   * Gets a statement directly contained in this scope. For an `if` branch, this
+   * is the branch itself, and for a `switch case`, this is one the statements
+   * of that case branch.
+   */
+  private Cpp::Stmt getAStmt() {
+    exists(Cpp::Stmt s | this = TTopLevelIfBranch(s) | result = s)
+    or
+    exists(Cpp::SwitchCase s | this = TTopLevelSwitchCase(s) | result = s.getAStmt())
+  }
+
+  /** Gets a data-flow node nested within this scope. */
+  Node getANode() {
+    getAnInstruction(result).getAst().(Cpp::ControlFlowNode).getEnclosingStmt().getParentStmt*() =
+      this.getAStmt()
+  }
+}
+
+/** Gets the second-level scope containing the node `n`, if any. */
+DataFlowSecondLevelScope getSecondLevelScope(Node n) { result.getANode() = n }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -89,7 +89,8 @@ newtype TInstructionTag =
   ImplicitDestructorTag(int index) {
     exists(Expr e | exists(e.getImplicitDestructorCall(index))) or
     exists(Stmt s | exists(s.getImplicitDestructorCall(index)))
-  }
+  } or
+  CoAwaitBranchTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() { result = getInstructionTagId(this) }
@@ -186,6 +187,8 @@ string getInstructionTagId(TInstructionTag tag) {
   or
   tag = BoolConversionCompareTag() and result = "BoolConvComp"
   or
+  tag = ResultCopyTag() and result = "ResultCopy"
+  or
   tag = LoadTag() and result = "Load" // Implicit load due to lvalue-to-rvalue conversion
   or
   tag = CatchTag() and result = "Catch"
@@ -263,4 +266,6 @@ string getInstructionTagId(TInstructionTag tag) {
   exists(int index |
     tag = ImplicitDestructorTag(index) and result = "ImplicitDestructor(" + index + ")"
   )
+  or
+  tag = CoAwaitBranchTag() and result = "CoAwaitBranch"
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -1259,9 +1259,7 @@ class TranslatedUnaryExpr extends TranslatedSingleInstructionExpr {
     expr instanceof NotExpr or
     expr instanceof ComplementExpr or
     expr instanceof UnaryPlusExpr or
-    expr instanceof UnaryMinusExpr or
-    expr instanceof CoAwaitExpr or
-    expr instanceof CoYieldExpr
+    expr instanceof UnaryMinusExpr
   }
 
   final override Instruction getFirstInstruction(EdgeKind kind) {
@@ -1301,19 +1299,153 @@ class TranslatedUnaryExpr extends TranslatedSingleInstructionExpr {
     expr instanceof UnaryPlusExpr and result instanceof Opcode::CopyValue
     or
     expr instanceof UnaryMinusExpr and result instanceof Opcode::Negate
-    or
-    // TODO: Use a new opcode to represent "awaiting the value"
-    expr instanceof CoAwaitExpr and result instanceof Opcode::CopyValue
-    or
-    // TODO: Use a new opcode to represent "awaiting the value"
-    expr instanceof CoYieldExpr and result instanceof Opcode::CopyValue
   }
 
   private TranslatedExpr getOperand() {
     result = getTranslatedExpr(expr.(UnaryOperation).getOperand().getFullyConverted())
   }
 }
 
+/**
+ * IR translation of a `co_await` or `co_yield` expression.
+ *
+ * The translation of `x = co_await ...` is essentially:
+ * ```cpp
+ * if (!awaiter.await_ready()) {
+ *   awaiter.await_suspend();
+ * }
+ * x = awaiter.await_resume();
+ * ```
+ * where `awaiter` is an object constructed from programmer-supplied
+ * input, and for IR construction purposes these are resolved by the C/C++
+ * front-end.
+ *
+ * See https://en.cppreference.com/w/cpp/language/coroutines#co_await for the
+ * specification on how `awaiter` is obtained.
+ */
+abstract private class TranslatedCoExpr extends TranslatedNonConstantExpr {
+  /** Gets the operand of this operation. */
+  abstract Expr getOperand();
+
+  /**
+   * Gets the expression that decides if the enclosing coroutine should be
+   * suspended.
+   */
+  abstract Expr getAwaitReady();
+
+  /**
+   * Gets the expression that is evaluated when the enclosing coroutine is
+   * suspended.
+   */
+  abstract Expr getAwaitSuspend();
+
+  /**
+   * Gets the expression that represents the resume point if the enclosing
+   * coroutine was suspended.
+   */
+  abstract Expr getAwaitResume();
+
+  final override Instruction getFirstInstruction(EdgeKind kind) {
+    result = this.getTranslatedOperand().getFirstInstruction(kind)
+  }
+
+  override Instruction getALastInstructionInternal() {
+    result = this.getTranslatedAwaitResume().getALastInstruction()
+  }
+
+  final override TranslatedElement getChildInternal(int id) {
+    id = 0 and result = this.getTranslatedOperand()
+    or
+    id = 1 and result = this.getTranslatedAwaitReady()
+    or
+    id = 2 and result = this.getTranslatedAwaitResume()
+    or
+    id = 3 and result = this.getTranslatedAwaitSuspend()
+  }
+
+  final override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
+    tag = CoAwaitBranchTag() and
+    (
+      kind instanceof TrueEdge and
+      result = this.getTranslatedAwaitResume().getFirstInstruction(any(GotoEdge goto))
+      or
+      kind instanceof FalseEdge and
+      result = this.getTranslatedAwaitSuspend().getFirstInstruction(any(GotoEdge goto))
+    )
+  }
+
+  override Instruction getResult() { result = this.getTranslatedAwaitResume().getResult() }
+
+  final override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
+    child = this.getTranslatedOperand() and
+    result = this.getTranslatedAwaitReady().getFirstInstruction(kind)
+    or
+    child = this.getTranslatedAwaitReady() and
+    kind instanceof GotoEdge and
+    result = this.getInstruction(CoAwaitBranchTag())
+    or
+    child = this.getTranslatedAwaitSuspend() and
+    result = this.getTranslatedAwaitResume().getFirstInstruction(kind)
+    or
+    child = this.getTranslatedAwaitResume() and
+    result = this.getParent().getChildSuccessor(this, kind)
+  }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = CoAwaitBranchTag() and
+    opcode instanceof Opcode::ConditionalBranch and
+    resultType = getVoidType()
+  }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = CoAwaitBranchTag() and
+    operandTag instanceof ConditionOperandTag and
+    result = this.getTranslatedAwaitReady().getResult()
+  }
+
+  private TranslatedExpr getTranslatedOperand() {
+    result = getTranslatedExpr(this.getOperand().getFullyConverted())
+  }
+
+  private TranslatedExpr getTranslatedAwaitReady() {
+    result = getTranslatedExpr(this.getAwaitReady().getFullyConverted())
+  }
+
+  private TranslatedExpr getTranslatedAwaitResume() {
+    result = getTranslatedExpr(this.getAwaitResume().getFullyConverted())
+  }
+
+  private TranslatedExpr getTranslatedAwaitSuspend() {
+    result = getTranslatedExpr(this.getAwaitSuspend().getFullyConverted())
+  }
+}
+
+/** IR translation of `co_await`. */
+class TranslatedCoAwaitExpr extends TranslatedCoExpr {
+  override CoAwaitExpr expr;
+
+  final override Expr getOperand() { result = expr.getOperand() }
+
+  final override Expr getAwaitReady() { result = expr.getAwaitReady() }
+
+  final override Expr getAwaitSuspend() { result = expr.getAwaitSuspend() }
+
+  final override Expr getAwaitResume() { result = expr.getAwaitResume() }
+}
+
+/** IR translation of `co_yield`. */
+class TranslatedCoYieldxpr extends TranslatedCoExpr {
+  override CoYieldExpr expr;
+
+  final override Expr getOperand() { result = expr.getOperand() }
+
+  final override Expr getAwaitReady() { result = expr.getAwaitReady() }
+
+  final override Expr getAwaitSuspend() { result = expr.getAwaitSuspend() }
+
+  final override Expr getAwaitResume() { result = expr.getAwaitResume() }
+}
+
 abstract class TranslatedConversion extends TranslatedNonConstantExpr {
   override Conversion expr;
 

cpp/ql/test/library-tests/dataflow/taint-tests/swap2.cpp

@@ -84,7 +84,7 @@ void test_copy_assignment_operator()
 
     swap(z1, z2);
 
-    sink(z2.data1); // $ ir MISSING: ast
+    sink(z2.data1); // $ ir ast
     sink(z1.data1); // $ SPURIOUS: ir ast=81:27 ast=82:16
 }