C++/C#: Remove UnmodeledDefinition instruction

Author: Dave Bartolomeo

cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll

@@ -92,11 +92,3 @@ class ChiTotalMemoryAccess extends MemoryAccessKind, TChiTotalMemoryAccess {
 class ChiPartialMemoryAccess extends MemoryAccessKind, TChiPartialMemoryAccess {
   override string toString() { result = "chi(partial)" }
 }
-
-/**
- * The operand accesses memory not modeled in SSA. Used only on the result of
- * `UnmodeledDefinition` and on the operands of `UnmodeledUse`.
- */
-class UnmodeledMemoryAccess extends MemoryAccessKind, TUnmodeledMemoryAccess {
-  override string toString() { result = "unmodeled" }
-}

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -60,7 +60,6 @@ private newtype TOpcode =
   TThrowValue() or
   TReThrow() or
   TUnwind() or
-  TUnmodeledDefinition() or
   TAliasedDefinition() or
   TInitializeNonLocal() or
   TAliasedUse() or
@@ -578,14 +577,6 @@ module Opcode {
     final override string toString() { result = "Unwind" }
   }
 
-  class UnmodeledDefinition extends Opcode, TUnmodeledDefinition {
-    final override string toString() { result = "UnmodeledDefinition" }
-
-    final override MemoryAccessKind getWriteMemoryAccess() {
-      result instanceof UnmodeledMemoryAccess
-    }
-  }
-
   class AliasedDefinition extends Opcode, TAliasedDefinition {
     final override string toString() { result = "AliasedDefinition" }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll

@@ -149,8 +149,7 @@ module InstructionConsistency {
   }
 
   /**
-   * Holds if a memory operand is connected to a definition with an unmodeled result, other than
-   * `UnmodeledDefinition` itself.
+   * Holds if a memory operand is connected to a definition with an unmodeled result.
    */
   query predicate memoryOperandDefinitionIsUnmodeled(
     Instruction instr, string message, IRFunction func, string funcText
@@ -159,9 +158,8 @@ module InstructionConsistency {
       operand = instr.getAnOperand() and
       def = operand.getAnyDef() and
       not def.isResultModeled() and
-      not def instanceof UnmodeledDefinitionInstruction and
       message =
-        "Memory operand definition has unmodeled result, but is not the `UnmodeledDefinition` instruction in function '$@'" and
+        "Memory operand definition has unmodeled result in function '$@'" and
       func = instr.getEnclosingIRFunction() and
       funcText = Language::getIdentityString(func.getFunction())
     )
@@ -257,7 +255,6 @@ module InstructionConsistency {
     Operand useOperand, string message, IRFunction func, string funcText
   ) {
     exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
-      not defInstr instanceof UnmodeledDefinitionInstruction and
       pointOfEvaluation(useOperand, useBlock, useIndex) and
       defInstr = useOperand.getAnyDef() and
       (
@@ -306,8 +303,6 @@ module InstructionConsistency {
   private predicate shouldBeConflated(Instruction instr) {
     isOnAliasedDefinitionChain(instr)
     or
-    instr instanceof UnmodeledDefinitionInstruction
-    or
     instr.getOpcode() instanceof Opcode::InitializeNonLocal
   }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll

@@ -40,11 +40,6 @@ class IRFunction extends TIRFunction {
     result.getEnclosingIRFunction() = this
   }
 
-  pragma[noinline]
-  final UnmodeledDefinitionInstruction getUnmodeledDefinitionInstruction() {
-    result.getEnclosingIRFunction() = this
-  }
-
   /**
    * Gets the single return instruction for this function.
    */

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -1229,10 +1229,6 @@ class CatchAnyInstruction extends CatchInstruction {
   CatchAnyInstruction() { getOpcode() instanceof Opcode::CatchAny }
 }
 
-class UnmodeledDefinitionInstruction extends Instruction {
-  UnmodeledDefinitionInstruction() { getOpcode() instanceof Opcode::UnmodeledDefinition }
-}
-
 /**
  * An instruction that initializes all escaped memory.
  */

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -155,10 +155,9 @@ class Operand extends TOperand {
    * definition is not modeled in SSA.
    */
   private string getDefinitionId() {
-    exists(Instruction def |
-      def = getAnyDef() and
-      if def.isResultModeled() then result = def.getResultId() else result = "m?"
-    )
+    result = getAnyDef().getResultId()
+    or
+    not exists(getAnyDef()) and result = "m?"
   }
 
   /**

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -67,8 +67,6 @@ private module Cached {
 
   cached
   predicate hasConflatedMemoryResult(Instruction instruction) {
-    instruction instanceof UnmodeledDefinitionInstruction
-    or
     instruction instanceof AliasedDefinitionInstruction
     or
     instruction.getOpcode() instanceof Opcode::InitializeNonLocal
@@ -127,14 +125,7 @@ private module Cached {
       oldInstruction = getOldInstruction(instruction) and
       oldOperand = oldInstruction.getAnOperand() and
       tag = oldOperand.getOperandTag() and
-      (
-        if exists(Alias::getOperandMemoryLocation(oldOperand))
-        then hasMemoryOperandDefinition(oldInstruction, oldOperand, overlap, result)
-        else (
-          result = instruction.getEnclosingIRFunction().getUnmodeledDefinitionInstruction() and
-          overlap instanceof MustTotallyOverlap
-        )
-      )
+      hasMemoryOperandDefinition(oldInstruction, oldOperand, overlap, result)
     )
     or
     instruction = Chi(getOldInstruction(result)) and

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll

@@ -149,8 +149,7 @@ module InstructionConsistency {
   }
 
   /**
-   * Holds if a memory operand is connected to a definition with an unmodeled result, other than
-   * `UnmodeledDefinition` itself.
+   * Holds if a memory operand is connected to a definition with an unmodeled result.
    */
   query predicate memoryOperandDefinitionIsUnmodeled(
     Instruction instr, string message, IRFunction func, string funcText
@@ -159,9 +158,8 @@ module InstructionConsistency {
       operand = instr.getAnOperand() and
       def = operand.getAnyDef() and
       not def.isResultModeled() and
-      not def instanceof UnmodeledDefinitionInstruction and
       message =
-        "Memory operand definition has unmodeled result, but is not the `UnmodeledDefinition` instruction in function '$@'" and
+        "Memory operand definition has unmodeled result in function '$@'" and
       func = instr.getEnclosingIRFunction() and
       funcText = Language::getIdentityString(func.getFunction())
     )
@@ -257,7 +255,6 @@ module InstructionConsistency {
     Operand useOperand, string message, IRFunction func, string funcText
   ) {
     exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
-      not defInstr instanceof UnmodeledDefinitionInstruction and
       pointOfEvaluation(useOperand, useBlock, useIndex) and
       defInstr = useOperand.getAnyDef() and
       (
@@ -306,8 +303,6 @@ module InstructionConsistency {
   private predicate shouldBeConflated(Instruction instr) {
     isOnAliasedDefinitionChain(instr)
     or
-    instr instanceof UnmodeledDefinitionInstruction
-    or
     instr.getOpcode() instanceof Opcode::InitializeNonLocal
   }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll

@@ -40,11 +40,6 @@ class IRFunction extends TIRFunction {
     result.getEnclosingIRFunction() = this
   }
 
-  pragma[noinline]
-  final UnmodeledDefinitionInstruction getUnmodeledDefinitionInstruction() {
-    result.getEnclosingIRFunction() = this
-  }
-
   /**
    * Gets the single return instruction for this function.
    */

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -1229,10 +1229,6 @@ class CatchAnyInstruction extends CatchInstruction {
   CatchAnyInstruction() { getOpcode() instanceof Opcode::CatchAny }
 }
 
-class UnmodeledDefinitionInstruction extends Instruction {
-  UnmodeledDefinitionInstruction() { getOpcode() instanceof Opcode::UnmodeledDefinition }
-}
-
 /**
  * An instruction that initializes all escaped memory.
  */