C++: Model dynamic initialization of static local variables in IR

Previously, the IR for the initialization of a static local variable ran the initialization unconditionally, every time the declaration was reached during execution. This means that we don't model the possibility that an access to the static variable fetches a value that was set on a previous execution of the function.

I've added some simple modelling of the correct behavior to the IR. For each static local variable that has a dynamic initializer, we synthesize a (static) `bool` variable to hold whether the initializer for the original variable has executed. When executing a declaration, we check the value of the synthesized variable, and skip the initialization code if it is `true`. If it is `false`, we execute the initialization code as before, and then set the flag to `true`. This doesn't capture the thread-safe nature of static initialization, but I think it's more than enough to handle anything we're likely to care about for the foreseeable future.

In `TranslatedDeclarationEntry.qll`, I split the translation of a static local variable declaration into two `TranslatedElement`s: one for the declaration itself, and one for the initialization. The declaration part handles the checking and setting of the flag; the initialization just does the initialization as before.

I've added an IR test case that has static variables with constant, zero, and dynamic initialization. I've also verified the new IR generated for @jbj's previous test cases for constant initialization.

I inverted the sense of the `hasConstantInitialization()` predicate to be `hasDynamicInitialization()`. Mostly this just made more sense to me, but I think it also fixed a potential bug where `hasConstantInitialization()` would not hold for a zero-initialized variable. Technically, constant initialization isn't the same as zero initialization, but I believe that most code really cares about the distinction between dynamic initialization and static initialization, where static initialization includes both constant and zero initialization.

I've fixed up the C# side of IR generation to continue working, but it doesn't use any of the dynamic initialization stuff. In theory, it could use something similar to model the initialization of static fields.

Author: Dave Bartolomeo

cpp/ql/src/semmle/code/cpp/Variable.qll

@@ -381,10 +381,10 @@ class StaticStorageDurationVariable extends Variable {
   }
 
   /**
-   * Holds if the initializer for this variable is evaluated at compile time.
+   * Holds if the initializer for this variable is evaluated at runtime.
    */
-  predicate hasConstantInitialization() {
-    not runtimeExprInStaticInitializer(this.getInitializer().getExpr())
+  predicate hasDynamicInitialization() {
+    runtimeExprInStaticInitializer(this.getInitializer().getExpr())
   }
 }
 

cpp/ql/src/semmle/code/cpp/controlflow/internal/CFG.qll

@@ -443,7 +443,7 @@ private Node getControlOrderChildSparse(Node n, int i) {
 private predicate skipInitializer(Initializer init) {
   exists(LocalVariable local |
     init = local.getInitializer() and
-    local.(StaticStorageDurationVariable).hasConstantInitialization()
+    not local.(StaticStorageDurationVariable).hasDynamicInitialization()
   )
 }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -23,7 +23,8 @@ class IRVariable extends TIRVariable {
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
     this = TIRTempVariable(func, _, _, _) or
-    this = TIRStringLiteral(func, _, _, _)
+    this = TIRStringLiteral(func, _, _, _) or
+    this = TIRDynamicInitializationFlag(func, _, _)
   }
 
   string toString() { none() }
@@ -149,7 +150,8 @@ class IRGeneratedVariable extends IRVariable {
 
   IRGeneratedVariable() {
     this = TIRTempVariable(func, ast, _, type) or
-    this = TIRStringLiteral(func, ast, type, _)
+    this = TIRStringLiteral(func, ast, type, _) or
+    this = TIRDynamicInitializationFlag(func, ast, type)
   }
 
   final override Language::LanguageType getLanguageType() { result = type }
@@ -208,7 +210,7 @@ class IRReturnVariable extends IRTempVariable {
 class IRThrowVariable extends IRTempVariable {
   IRThrowVariable() { tag = ThrowTempVar() }
 
-  override string getBaseString() { result = "#throw" }
+  final override string getBaseString() { result = "#throw" }
 }
 
 /**
@@ -226,7 +228,30 @@ class IRStringLiteral extends IRGeneratedVariable, TIRStringLiteral {
     result = "String: " + getLocationString() + "=" + Language::getStringLiteralText(literal)
   }
 
-  override string getBaseString() { result = "#string" }
+  final override string getBaseString() { result = "#string" }
 
   final Language::StringLiteral getLiteral() { result = literal }
 }
+
+/**
+ * A variable generated to track whether a specific non-stack variable has been initialized. This is
+ * used to model the runtime initialization of static local variables in C++, as well as static
+ * fields in C#.
+ */
+class IRDynamicInitializationFlag extends IRGeneratedVariable, TIRDynamicInitializationFlag {
+  Language::Variable var;
+
+  IRDynamicInitializationFlag() {
+    this = TIRDynamicInitializationFlag(func, var, type) and ast = var
+  }
+
+  final override string toString() { result = var.toString() + "#init" }
+
+  final Language::Variable getVariable() { result = var }
+
+  final override string getUniqueId() {
+    result = "Init: " + getVariable().toString() + " " + getVariable().getLocation().toString()
+  }
+
+  final override string getBaseString() { result = "#init:" + var.toString() + ":" }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll

@@ -10,6 +10,11 @@ newtype TIRVariable =
   ) {
     Construction::hasTempVariable(func, ast, tag, type)
   } or
+  TIRDynamicInitializationFlag(
+    Language::Function func, Language::Variable var, Language::LanguageType type
+  ) {
+    Construction::hasDynamicInitializationFlag(func, var, type)
+  } or
   TIRStringLiteral(
     Language::Function func, Language::AST ast, Language::LanguageType type,
     Language::StringLiteral literal

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -23,7 +23,8 @@ class IRVariable extends TIRVariable {
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
     this = TIRTempVariable(func, _, _, _) or
-    this = TIRStringLiteral(func, _, _, _)
+    this = TIRStringLiteral(func, _, _, _) or
+    this = TIRDynamicInitializationFlag(func, _, _)
   }
 
   string toString() { none() }
@@ -149,7 +150,8 @@ class IRGeneratedVariable extends IRVariable {
 
   IRGeneratedVariable() {
     this = TIRTempVariable(func, ast, _, type) or
-    this = TIRStringLiteral(func, ast, type, _)
+    this = TIRStringLiteral(func, ast, type, _) or
+    this = TIRDynamicInitializationFlag(func, ast, type)
   }
 
   final override Language::LanguageType getLanguageType() { result = type }
@@ -208,7 +210,7 @@ class IRReturnVariable extends IRTempVariable {
 class IRThrowVariable extends IRTempVariable {
   IRThrowVariable() { tag = ThrowTempVar() }
 
-  override string getBaseString() { result = "#throw" }
+  final override string getBaseString() { result = "#throw" }
 }
 
 /**
@@ -226,7 +228,30 @@ class IRStringLiteral extends IRGeneratedVariable, TIRStringLiteral {
     result = "String: " + getLocationString() + "=" + Language::getStringLiteralText(literal)
   }
 
-  override string getBaseString() { result = "#string" }
+  final override string getBaseString() { result = "#string" }
 
   final Language::StringLiteral getLiteral() { result = literal }
 }
+
+/**
+ * A variable generated to track whether a specific non-stack variable has been initialized. This is
+ * used to model the runtime initialization of static local variables in C++, as well as static
+ * fields in C#.
+ */
+class IRDynamicInitializationFlag extends IRGeneratedVariable, TIRDynamicInitializationFlag {
+  Language::Variable var;
+
+  IRDynamicInitializationFlag() {
+    this = TIRDynamicInitializationFlag(func, var, type) and ast = var
+  }
+
+  final override string toString() { result = var.toString() + "#init" }
+
+  final Language::Variable getVariable() { result = var }
+
+  final override string getUniqueId() {
+    result = "Init: " + getVariable().toString() + " " + getVariable().getLocation().toString()
+  }
+
+  final override string getBaseString() { result = "#init:" + var.toString() + ":" }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -51,6 +51,13 @@ private module Cached {
     getTypeForPRValue(literal.getType()) = type
   }
 
+  cached
+  predicate hasDynamicInitializationFlag(Function func, StaticStorageDurationVariable var, CppType type) {
+    var.(LocalVariable).getFunction() = func and
+    var.hasDynamicInitialization() and
+    type = getBoolType()
+  }
+
   cached
   predicate hasModeledMemoryResult(Instruction instruction) { none() }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -8,6 +8,11 @@ newtype TInstructionTag =
   InitializerStoreTag() or
   InitializerIndirectAddressTag() or
   InitializerIndirectStoreTag() or
+  DynamicInitializationFlagAddressTag() or
+  DynamicInitializationFlagLoadTag() or
+  DynamicInitializationConditionalBranchTag() or
+  DynamicInitializationFlagConstantTag() or
+  DynamicInitializationFlagStoreTag() or
   ZeroPadStringConstantTag() or
   ZeroPadStringElementIndexTag() or
   ZeroPadStringElementAddressTag() or
@@ -186,4 +191,14 @@ string getInstructionTagId(TInstructionTag tag) {
   tag = AsmTag() and result = "Asm"
   or
   exists(int index | tag = AsmInputTag(index) and result = "AsmInputTag(" + index + ")")
+  or
+  tag = DynamicInitializationFlagAddressTag() and result = "DynInitFlagAddr"
+  or
+  tag = DynamicInitializationFlagLoadTag() and result = "DynInitFlagLoad"
+  or
+  tag = DynamicInitializationConditionalBranchTag() and result = "DynInitCondBranch"
+  or
+  tag = DynamicInitializationFlagConstantTag() and result = "DynInitFlagConst"
+  or
+  tag = DynamicInitializationFlagStoreTag() and result = "DynInitFlagStore"
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll

@@ -6,6 +6,7 @@ private import semmle.code.cpp.ir.internal.IRUtilities
 private import InstructionTag
 private import TranslatedElement
 private import TranslatedExpr
+private import TranslatedFunction
 private import TranslatedInitialization
 
 /**
@@ -66,17 +67,152 @@ abstract class TranslatedLocalVariableDeclaration extends TranslatedVariableInit
 }
 
 /**
- * Represents the IR translation of a local variable declaration within a declaration statement.
+ * The IR translation of a local variable declaration within a declaration statement.
  */
-class TranslatedVariableDeclarationEntry extends TranslatedLocalVariableDeclaration,
+class TranslatedAutoVariableDeclarationEntry extends TranslatedLocalVariableDeclaration,
   TranslatedDeclarationEntry {
   LocalVariable var;
 
-  TranslatedVariableDeclarationEntry() { var = entry.getDeclaration() }
+  TranslatedAutoVariableDeclarationEntry() { var = entry.getDeclaration() and not var.isStatic() }
 
   override LocalVariable getVariable() { result = var }
 }
 
+/**
+ * The IR translation of the declaration of a static local variable.
+ * This element generates the logic that determines whether or not the variable has already been
+ * initialized, and if not, invokes the initializer and sets the dynamic initialization flag for the
+ * variable. The actual initialization code is handled in
+ * `TranslatedStaticLocalVariableInitialization`, which is a child of this element.
+ */
+class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclarationEntry {
+  LocalVariable var;
+
+  TranslatedStaticLocalVariableDeclarationEntry() {
+    var = entry.getDeclaration() and var.isStatic()
+  }
+
+  final override TranslatedElement getChild(int id) { id = 0 and result = getInitialization() }
+
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
+    tag = DynamicInitializationFlagAddressTag() and
+    opcode instanceof Opcode::VariableAddress and
+    type = getBoolGLValueType()
+    or
+    tag = DynamicInitializationFlagLoadTag() and
+    opcode instanceof Opcode::Load and
+    type = getBoolType()
+    or
+    tag = DynamicInitializationConditionalBranchTag() and
+    opcode instanceof Opcode::ConditionalBranch and
+    type = getVoidType()
+    or
+    tag = DynamicInitializationFlagConstantTag() and
+    opcode instanceof Opcode::Constant and
+    type = getBoolType()
+    or
+    tag = DynamicInitializationFlagStoreTag() and
+    opcode instanceof Opcode::Store and
+    type = getBoolType()
+  }
+
+  final override Instruction getFirstInstruction() {
+    result = getInstruction(DynamicInitializationFlagAddressTag())
+  }
+
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = DynamicInitializationFlagAddressTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(DynamicInitializationFlagLoadTag())
+    or
+    tag = DynamicInitializationFlagLoadTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(DynamicInitializationConditionalBranchTag())
+    or
+    tag = DynamicInitializationConditionalBranchTag() and
+    (
+      kind instanceof TrueEdge and
+      result = getParent().getChildSuccessor(this)
+      or
+      kind instanceof FalseEdge and
+      result = getInitialization().getFirstInstruction()
+    )
+    or
+    tag = DynamicInitializationFlagConstantTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(DynamicInitializationFlagStoreTag())
+    or
+    tag = DynamicInitializationFlagStoreTag() and
+    kind instanceof GotoEdge and
+    result = getParent().getChildSuccessor(this)
+  }
+
+  final override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getInitialization() and
+    result = getInstruction(DynamicInitializationFlagConstantTag())
+  }
+
+  final override IRDynamicInitializationFlag getInstructionVariable(InstructionTag tag) {
+    tag = DynamicInitializationFlagAddressTag() and
+    result.getVariable() = var
+  }
+
+  final override string getInstructionConstantValue(InstructionTag tag) {
+    tag = DynamicInitializationFlagConstantTag() and result = "1"
+  }
+
+  final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = DynamicInitializationFlagLoadTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = getInstruction(DynamicInitializationFlagAddressTag())
+      or
+      operandTag instanceof LoadOperandTag and
+      result = getTranslatedFunction(var.getFunction()).getUnmodeledDefinitionInstruction()
+    )
+    or
+    tag = DynamicInitializationConditionalBranchTag() and
+    operandTag instanceof ConditionOperandTag and
+    result = getInstruction(DynamicInitializationFlagLoadTag())
+    or
+    tag = DynamicInitializationFlagStoreTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = getInstruction(DynamicInitializationFlagAddressTag())
+      or
+      operandTag instanceof StoreValueOperandTag and
+      result = getInstruction(DynamicInitializationFlagConstantTag())
+    )
+  }
+
+  private TranslatedStaticLocalVariableInitialization getInitialization() {
+    result.getVariable() = var
+  }
+}
+
+/**
+ * The initialization of a static local variable. This element will only exist for a static variable
+ * with a dynamic initializer.
+ */
+class TranslatedStaticLocalVariableInitialization extends TranslatedElement,
+  TranslatedLocalVariableDeclaration, TTranslatedStaticLocalVariableInitialization {
+  VariableDeclarationEntry entry;
+  LocalVariable var;
+
+  TranslatedStaticLocalVariableInitialization() {
+    this = TTranslatedStaticLocalVariableInitialization(entry) and
+    var = entry.getDeclaration()
+  }
+
+  final override string toString() { result = "init: " + entry.toString() }
+
+  final override Locatable getAST() { result = entry }
+
+  final override LocalVariable getVariable() { result = var }
+
+  final override Function getFunction() { result = var.getFunction() }
+}
+
 /**
  * Gets the `TranslatedRangeBasedForVariableDeclaration` that represents the declaration of
  * `var`.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -54,7 +54,7 @@ private predicate ignoreExprAndDescendants(Expr expr) {
   // Otherwise the initializer does not run in function scope.
   exists(Initializer init, StaticStorageDurationVariable var |
     init = var.getInitializer() and
-    var.hasConstantInitialization() and
+    not var.hasDynamicInitialization() and
     expr = init.getExpr().getFullyConverted()
   )
   or
@@ -394,11 +394,25 @@ newtype TTranslatedElement =
   } or
   // A local declaration
   TTranslatedDeclarationEntry(DeclarationEntry entry) {
-    exists(DeclStmt declStmt |
+    exists(DeclStmt declStmt, LocalVariable var |
       translateStmt(declStmt) and
       declStmt.getADeclarationEntry() = entry and
       // Only declarations of local variables need to be translated to IR.
-      entry.getDeclaration() instanceof LocalVariable
+      var = entry.getDeclaration() and
+      (
+        not var.isStatic()
+        or
+        // Ignore static variables unless they have a dynamic initializer.
+        var.(StaticStorageDurationVariable).hasDynamicInitialization()
+      )
+    )
+  } or
+  // The dynamic initialization of a static local variable. This is a separate object from the
+  // declaration entry.
+  TTranslatedStaticLocalVariableInitialization(DeclarationEntry entry) {
+    exists(TTranslatedDeclarationEntry translatedEntry |
+      translatedEntry = TTranslatedDeclarationEntry(entry) and
+      entry.getDeclaration().(LocalVariable).isStatic()
     )
   } or
   // A compiler-generated variable to implement a range-based for loop. These don't have a