C++: Since we now no longer have flow from exact memory operands to LoadInstructions, we no longer have flow from PhiInstructions to LoadInstructions. We could allow flow in this particular case, but we might as well use the shared SSA library's phi edges.

MathiasVP · MathiasVP · commit 710d0cfc3df6 · 2021-10-28T12:35:00.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -22,7 +22,8 @@ private module Cached {
     TVariableNode(Variable var) or
     TStoreNodeInstr(Instruction i) { Ssa::explicitWrite(_, _, i) } or
     TStoreNodeOperand(ArgumentOperand op) { Ssa::explicitWrite(_, _, op.getDef()) } or
-    TReadNode(Instruction i) { needsPostReadNode(i) }
+    TReadNode(Instruction i) { needsPostReadNode(i) } or
+    TSsaPhiNode(Ssa::PhiNode phi)
 
   cached
   predicate localFlowStepCached(Node nodeFrom, Node nodeTo) {
@@ -347,6 +348,44 @@ class ReadNode extends Node, TReadNode {
   }
 }
 
+/**
+ * INTERNAL: do not use.
+ * 
+ * A phi node produced by the shared SSA library, viewed as a node in a data flow graph.
+ */
+class SsaPhiNode extends Node, TSsaPhiNode {
+  Ssa::PhiNode phi;
+
+  SsaPhiNode() { this = TSsaPhiNode(phi) }
+
+  /* Get the phi node associated with this node. */
+  Ssa::PhiNode getPhiNode() { result = phi }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Function getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
+
+  override IRType getType() { result instanceof IRVoidType }
+
+  override Location getLocation() { result = phi.getBasicBlock().getLocation() }
+
+  /** Holds if this phi node has input from the `rnk`'th write operation in block `block`. */
+  final predicate hasInputAtRankInBlock(IRBlock block, int rnk) {
+    hasInputAtRankInBlock(block, rnk, _)
+  }
+
+  /**
+   * Holds if this phi node has input from the definition `input` (which is the `rnk`'th write
+   * operation in block `block`).
+   */
+  cached
+  final predicate hasInputAtRankInBlock(IRBlock block, int rnk, Ssa::Definition input) {
+    Ssa::phiHasInputFromBlock(phi, input, _) and input.definesAt(_, block, rnk)
+  }
+
+  override string toString() { result = "Phi" }
+}
+
 /**
  * An expression, viewed as a node in a data flow graph.
  */
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll
@@ -336,6 +336,34 @@ private module Cached {
     )
   }
 
+  private predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
+    exists(PhiNode phi, Use use, IRBlock block, int rnk |
+      phi = nodeFrom.getPhiNode() and
+      adjacentDefRead(phi, _, _, block, rnk) and
+      use.hasRankInBlock(block, rnk) and
+      flowOutOfAddressStep(use.getOperand(), nodeTo)
+    )
+  }
+
+  private predicate toPhiNode(Node nodeFrom, SsaPhiNode nodeTo) {
+    // Flow to phi nodes
+    exists(Def def, IRBlock block, int rnk |
+      def.hasRankInBlock(block, rnk) and
+      nodeTo.hasInputAtRankInBlock(block, rnk)
+    |
+      exists(StoreNode store |
+        store = nodeFrom and
+        store.isTerminal() and
+        def.getInstruction() = store.getStoreInstruction()
+      )
+      or
+      def.getInstruction() = nodeFrom.asInstruction()
+    )
+    or
+    // Phi -> phi flow
+    nodeTo.hasInputAtRankInBlock(_, _, nodeFrom.(SsaPhiNode).getPhiNode())
+  }
+
   /**
    * Holds if `nodeFrom` is a read or write, and `nTo` is the next subsequent read of the variable
    * written (or read) by `storeOrRead`.
@@ -350,6 +378,10 @@ private module Cached {
     or
     // Use-use flow from a `ReadNode` to an `OperandNode`
     fromReadNode(nodeFrom, nodeTo)
+    or
+    fromPhiNode(nodeFrom, nodeTo)
+    or
+    toPhiNode(nodeFrom, nodeTo)
   }
 
   private predicate flowOutOfAddressStep(Operand operand, Node nTo) {
