Merge pull request github#5854 from dbartol/dbartol/smart-pointers/side-effects

C++: Generate side effect instructions for smart pointer indirections

Author: jbj

config/identical-files.json

@@ -250,6 +250,10 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
+  "SSA PrintAliasAnalysis": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
+  ],
   "C++ SSA AliasAnalysisImports": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -416,3 +416,46 @@ predicate addressOperandAllocationAndOffset(
     )
   )
 }
+
+/**
+ * Predicates used only for printing annotated IR dumps. These should not be used in production
+ * queries.
+ */
+module Print {
+  string getOperandProperty(Operand operand, string key) {
+    key = "alloc" and
+    result =
+      strictconcat(Configuration::Allocation allocation, IntValue bitOffset |
+        addressOperandAllocationAndOffset(operand, allocation, bitOffset)
+      |
+        allocation.toString() + Ints::getBitOffsetString(bitOffset), ", "
+      )
+    or
+    key = "prop" and
+    result =
+      strictconcat(Instruction destInstr, IntValue bitOffset, string value |
+        operandIsPropagatedIncludingByCall(operand, bitOffset, destInstr) and
+        if destInstr = operand.getUse()
+        then value = "@" + Ints::getBitOffsetString(bitOffset) + "->result"
+        else value = "@" + Ints::getBitOffsetString(bitOffset) + "->" + destInstr.getResultId()
+      |
+        value, ", "
+      )
+  }
+
+  string getInstructionProperty(Instruction instr, string key) {
+    key = "prop" and
+    result =
+      strictconcat(IntValue bitOffset, Operand sourceOperand, string value |
+        operandIsPropagatedIncludingByCall(sourceOperand, bitOffset, instr) and
+        if instr = sourceOperand.getUse()
+        then value = sourceOperand.getDumpId() + Ints::getBitOffsetString(bitOffset) + "->@"
+        else
+          value =
+            sourceOperand.getUse().getResultId() + "." + sourceOperand.getDumpId() +
+              Ints::getBitOffsetString(bitOffset) + "->@"
+      |
+        value, ", "
+      )
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll

@@ -0,0 +1,19 @@
+/**
+ * Include this module to annotate IR dumps with information computed by `AliasAnalysis.qll`.
+ */
+
+private import AliasAnalysisInternal
+private import InputIR
+private import AliasAnalysisImports
+private import AliasAnalysis
+private import semmle.code.cpp.ir.internal.IntegerConstant
+
+private class AliasPropertyProvider extends IRPropertyProvider {
+  override string getOperandProperty(Operand operand, string key) {
+    result = Print::getOperandProperty(operand, key)
+  }
+
+  override string getInstructionProperty(Instruction instr, string key) {
+    result = Print::getInstructionProperty(instr, key)
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -1073,7 +1073,10 @@ module SSAConsistency {
       locationCount > 1 and
       func = operand.getEnclosingIRFunction() and
       funcText = Language::getIdentityString(func.getFunction()) and
-      message = "Operand has " + locationCount.toString() + " memory accesses in function '$@'."
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
     )
   }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -7,6 +7,7 @@
 
 private import cpp
 private import semmle.code.cpp.ir.implementation.Opcode
+private import semmle.code.cpp.models.interfaces.PointerWrapper
 private import semmle.code.cpp.models.interfaces.SideEffect
 
 /**
@@ -39,7 +40,8 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
       exists(Type t | t = expr.getUnspecifiedType() |
         t instanceof ArrayType or
         t instanceof PointerType or
-        t instanceof ReferenceType
+        t instanceof ReferenceType or
+        t instanceof PointerWrapper
       ) and
       (
         isWrite = true and

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll

@@ -416,3 +416,46 @@ predicate addressOperandAllocationAndOffset(
     )
   )
 }
+
+/**
+ * Predicates used only for printing annotated IR dumps. These should not be used in production
+ * queries.
+ */
+module Print {
+  string getOperandProperty(Operand operand, string key) {
+    key = "alloc" and
+    result =
+      strictconcat(Configuration::Allocation allocation, IntValue bitOffset |
+        addressOperandAllocationAndOffset(operand, allocation, bitOffset)
+      |
+        allocation.toString() + Ints::getBitOffsetString(bitOffset), ", "
+      )
+    or
+    key = "prop" and
+    result =
+      strictconcat(Instruction destInstr, IntValue bitOffset, string value |
+        operandIsPropagatedIncludingByCall(operand, bitOffset, destInstr) and
+        if destInstr = operand.getUse()
+        then value = "@" + Ints::getBitOffsetString(bitOffset) + "->result"
+        else value = "@" + Ints::getBitOffsetString(bitOffset) + "->" + destInstr.getResultId()
+      |
+        value, ", "
+      )
+  }
+
+  string getInstructionProperty(Instruction instr, string key) {
+    key = "prop" and
+    result =
+      strictconcat(IntValue bitOffset, Operand sourceOperand, string value |
+        operandIsPropagatedIncludingByCall(sourceOperand, bitOffset, instr) and
+        if instr = sourceOperand.getUse()
+        then value = sourceOperand.getDumpId() + Ints::getBitOffsetString(bitOffset) + "->@"
+        else
+          value =
+            sourceOperand.getUse().getResultId() + "." + sourceOperand.getDumpId() +
+              Ints::getBitOffsetString(bitOffset) + "->@"
+      |
+        value, ", "
+      )
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll

@@ -0,0 +1,19 @@
+/**
+ * Include this module to annotate IR dumps with information computed by `AliasAnalysis.qll`.
+ */
+
+private import AliasAnalysisInternal
+private import InputIR
+private import AliasAnalysisImports
+private import AliasAnalysis
+private import semmle.code.cpp.ir.internal.IntegerConstant
+
+private class AliasPropertyProvider extends IRPropertyProvider {
+  override string getOperandProperty(Operand operand, string key) {
+    result = Print::getOperandProperty(operand, key)
+  }
+
+  override string getInstructionProperty(Instruction instr, string key) {
+    result = Print::getInstructionProperty(instr, key)
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -1073,7 +1073,10 @@ module SSAConsistency {
       locationCount > 1 and
       func = operand.getEnclosingIRFunction() and
       funcText = Language::getIdentityString(func.getFunction()) and
-      message = "Operand has " + locationCount.toString() + " memory accesses in function '$@'."
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
     )
   }
 

cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll

@@ -157,11 +157,11 @@ private class SmartPtrSetterFunction extends MemberFunction, AliasFunction, Side
           // parameter.
           result.isParameter(1)
         else result.isParameterDeref(0)
+        or
+        // One of the functions that takes ownership of a raw pointer.
+        param0.getUnspecifiedType() instanceof PointerType and
+        result.isParameter(0)
       )
-      or
-      // One of the functions that takes ownership of a raw pointer.
-      param0.getUnspecifiedType() instanceof PointerType and
-      result.isParameter(0)
     )
   }
 }

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -11365,6 +11365,86 @@ perf-regression.cpp:
 #   12|           Type = [IntType] int
 #   12|           Value = [Literal] 0
 #   12|           ValueCategory = prvalue
+smart_ptr.cpp:
+#    8| [TopLevelFunction] void unique_ptr_arg(std::unique_ptr<int, std::default_delete<int>>)
+#    8|   <params>: 
+#    8|     getParameter(0): [Parameter] up
+#    8|         Type = [ClassTemplateInstantiation] unique_ptr<int, default_delete<int>>
+#   10| [TopLevelFunction] void call_unique_ptr_arg(int*)
+#   10|   <params>: 
+#   10|     getParameter(0): [Parameter] p
+#   10|         Type = [IntPointerType] int *
+#   10|   getEntryPoint(): [BlockStmt] { ... }
+#   11|     getStmt(0): [DeclStmt] declaration
+#   11|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of up
+#   11|           Type = [ClassTemplateInstantiation] unique_ptr<int, default_delete<int>>
+#   11|         getVariable().getInitializer(): [Initializer] initializer for up
+#   11|           getExpr(): [ConstructorCall] call to unique_ptr
+#   11|               Type = [VoidType] void
+#   11|               ValueCategory = prvalue
+#   11|             getArgument(0): [VariableAccess] p
+#   11|                 Type = [IntPointerType] int *
+#   11|                 ValueCategory = prvalue(load)
+#   12|     getStmt(1): [ExprStmt] ExprStmt
+#   12|       getExpr(): [FunctionCall] call to unique_ptr_arg
+#   12|           Type = [VoidType] void
+#   12|           ValueCategory = prvalue
+#   12|         getArgument(0): [FunctionCall] call to move
+#   12|             Type = [RValueReferenceType] type &&
+#   12|             ValueCategory = prvalue
+#   12|           getArgument(0): [VariableAccess] up
+#   12|               Type = [ClassTemplateInstantiation] unique_ptr<int, default_delete<int>>
+#   12|               ValueCategory = lvalue
+#   12|           getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#   12|               Type = [LValueReferenceType] unique_ptr<int, default_delete<int>> &
+#   12|               ValueCategory = prvalue
+#   12|         getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
+#   12|             Type = [ClassTemplateInstantiation] unique_ptr<int, default_delete<int>>
+#   12|             ValueCategory = lvalue
+#   12|           getExpr(): [ReferenceDereferenceExpr] (reference dereference)
+#   12|               Type = [CTypedefType,NestedTypedefType] type
+#   12|               ValueCategory = prvalue(load)
+#   13|     getStmt(2): [ReturnStmt] return ...
+#   15| [TopLevelFunction] void shared_ptr_arg(std::shared_ptr<float>)
+#   15|   <params>: 
+#   15|     getParameter(0): [Parameter] sp
+#   15|         Type = [ClassTemplateInstantiation] shared_ptr<float>
+#   17| [TopLevelFunction] void call_shared_ptr_arg(float*)
+#   17|   <params>: 
+#   17|     getParameter(0): [Parameter] p
+#   17|         Type = [PointerType] float *
+#   17|   getEntryPoint(): [BlockStmt] { ... }
+#   18|     getStmt(0): [DeclStmt] declaration
+#   18|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of sp
+#   18|           Type = [ClassTemplateInstantiation] shared_ptr<float>
+#   18|         getVariable().getInitializer(): [Initializer] initializer for sp
+#   18|           getExpr(): [ConstructorCall] call to shared_ptr
+#   18|               Type = [VoidType] void
+#   18|               ValueCategory = prvalue
+#   18|             getArgument(0): [VariableAccess] p
+#   18|                 Type = [PointerType] float *
+#   18|                 ValueCategory = prvalue(load)
+#   19|     getStmt(1): [ExprStmt] ExprStmt
+#   19|       getExpr(): [FunctionCall] call to shared_ptr_arg
+#   19|           Type = [VoidType] void
+#   19|           ValueCategory = prvalue
+#   19|         getArgument(0): [ConstructorCall] call to shared_ptr
+#   19|             Type = [VoidType] void
+#   19|             ValueCategory = prvalue
+#   19|           getArgument(0): [VariableAccess] sp
+#   19|               Type = [ClassTemplateInstantiation] shared_ptr<float>
+#   19|               ValueCategory = lvalue
+#   19|           getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#   19|               Type = [LValueReferenceType] const shared_ptr<float> &
+#   19|               ValueCategory = prvalue
+#   19|             getExpr(): [CStyleCast] (const shared_ptr<float>)...
+#   19|                 Conversion = [GlvalueConversion] glvalue conversion
+#   19|                 Type = [SpecifiedType] const shared_ptr<float>
+#   19|                 ValueCategory = lvalue
+#   19|         getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
+#   19|             Type = [ClassTemplateInstantiation] shared_ptr<float>
+#   19|             ValueCategory = lvalue
+#   20|     getStmt(2): [ReturnStmt] return ...
 struct_init.cpp:
 #    1| [TopLevelFunction] int handler1(void*)
 #    1|   <params>: