C++/C#: Remove UnmodeledUseOperand

Author: Dave Bartolomeo

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -590,9 +590,7 @@ module Opcode {
   class UnmodeledUse extends Opcode, TUnmodeledUse {
     final override string toString() { result = "UnmodeledUse" }
 
-    final override predicate hasOperandInternal(OperandTag tag) {
-      tag instanceof UnmodeledUseOperandTag
-    }
+    final override predicate hasOperandInternal(OperandTag tag) { none() }
   }
 
   class AliasedDefinition extends Opcode, TAliasedDefinition {

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll

@@ -55,7 +55,6 @@ module InstructionConsistency {
           operand.getOperandTag() = tag
         ) and
       operandCount > 1 and
-      not tag instanceof UnmodeledUseOperandTag and
       message =
         "Instruction has " + operandCount + " operands with tag '" + tag.toString() + "'" +
           " in function '$@'." and
@@ -158,7 +157,6 @@ module InstructionConsistency {
   ) {
     exists(MemoryOperand operand, Instruction def |
       operand = instr.getAnOperand() and
-      not operand instanceof UnmodeledUseOperand and
       def = operand.getAnyDef() and
       not def.isResultModeled() and
       not def instanceof UnmodeledDefinitionInstruction and

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -19,11 +19,7 @@ private newtype TOperand =
   ) {
     defInstr = Construction::getMemoryOperandDefinition(useInstr, tag, overlap) and
     not Construction::isInCycle(useInstr) and
-    (
-      strictcount(Construction::getMemoryOperandDefinition(useInstr, tag, _)) = 1
-      or
-      tag instanceof UnmodeledUseOperandTag
-    )
+    strictcount(Construction::getMemoryOperandDefinition(useInstr, tag, _)) = 1
   } or
   TPhiOperand(
     PhiInstruction useInstr, Instruction defInstr, IRBlock predecessorBlock, Overlap overlap
@@ -327,16 +323,6 @@ class ConditionOperand extends RegisterOperand {
   override string toString() { result = "Condition" }
 }
 
-/**
- * An operand of the special `UnmodeledUse` instruction, representing a value
- * whose set of uses is unknown.
- */
-class UnmodeledUseOperand extends NonPhiMemoryOperand {
-  override UnmodeledUseOperandTag tag;
-
-  override string toString() { result = "UnmodeledUse" }
-}
-
 /**
  * The operand representing the target function of an `Call` instruction.
  */

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -247,6 +247,10 @@ private predicate resultMayReachReturn(Instruction instr) { operandMayReachRetur
 private predicate resultEscapesNonReturn(Instruction instr) {
   // The result escapes if it has at least one use that escapes.
   operandEscapesNonReturn(instr.getAUse())
+  or
+  // The result also escapes if it is not modeled in SSA, because we do not know where it might be
+  // used.
+  not instr.isResultModeled()
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -128,23 +128,10 @@ private module Cached {
       oldOperand = oldInstruction.getAnOperand() and
       tag = oldOperand.getOperandTag() and
       (
-        (
-          if exists(Alias::getOperandMemoryLocation(oldOperand))
-          then hasMemoryOperandDefinition(oldInstruction, oldOperand, overlap, result)
-          else (
-            result = instruction.getEnclosingIRFunction().getUnmodeledDefinitionInstruction() and
-            overlap instanceof MustTotallyOverlap
-          )
-        )
-        or
-        // Connect any definitions that are not being modeled in SSA to the
-        // `UnmodeledUse` instruction.
-        exists(OldInstruction oldDefinition |
-          instruction instanceof UnmodeledUseInstruction and
-          tag instanceof UnmodeledUseOperandTag and
-          oldDefinition = oldOperand.getAnyDef() and
-          not exists(Alias::getResultMemoryLocation(oldDefinition)) and
-          result = getNewInstruction(oldDefinition) and
+        if exists(Alias::getOperandMemoryLocation(oldOperand))
+        then hasMemoryOperandDefinition(oldInstruction, oldOperand, overlap, result)
+        else (
+          result = instruction.getEnclosingIRFunction().getUnmodeledDefinitionInstruction() and
           overlap instanceof MustTotallyOverlap
         )
       )
@@ -154,13 +141,6 @@ private module Cached {
     tag instanceof ChiPartialOperandTag and
     overlap instanceof MustExactlyOverlap
     or
-    exists(IRFunction f |
-      tag instanceof UnmodeledUseOperandTag and
-      result = f.getUnmodeledDefinitionInstruction() and
-      instruction = f.getUnmodeledUseInstruction() and
-      overlap instanceof MustTotallyOverlap
-    )
-    or
     tag instanceof ChiTotalOperandTag and
     result = getChiInstructionTotalOperand(instruction) and
     overlap instanceof MustExactlyOverlap

cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll

@@ -15,7 +15,6 @@ private newtype TOperandTag =
   TLeftOperand() or
   TRightOperand() or
   TConditionOperand() or
-  TUnmodeledUseOperand() or
   TCallTargetOperand() or
   TThisArgumentOperand() or
   TPositionalArgumentOperand(int argIndex) { Language::hasPositionalArgIndex(argIndex) } or
@@ -165,18 +164,6 @@ class ConditionOperandTag extends RegisterOperandTag, TConditionOperand {
 
 ConditionOperandTag conditionOperand() { result = TConditionOperand() }
 
-/**
- * An operand of the special `UnmodeledUse` instruction, representing a value
- * whose set of uses is unknown.
- */
-class UnmodeledUseOperandTag extends MemoryOperandTag, TUnmodeledUseOperand {
-  final override string toString() { result = "UnmodeledUse" }
-
-  final override int getSortOrder() { result = 9 }
-}
-
-UnmodeledUseOperandTag unmodeledUseOperand() { result = TUnmodeledUseOperand() }
-
 /**
  * The operand representing the target function of an `Call` instruction.
  */

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll

@@ -55,7 +55,6 @@ module InstructionConsistency {
           operand.getOperandTag() = tag
         ) and
       operandCount > 1 and
-      not tag instanceof UnmodeledUseOperandTag and
       message =
         "Instruction has " + operandCount + " operands with tag '" + tag.toString() + "'" +
           " in function '$@'." and
@@ -158,7 +157,6 @@ module InstructionConsistency {
   ) {
     exists(MemoryOperand operand, Instruction def |
       operand = instr.getAnOperand() and
-      not operand instanceof UnmodeledUseOperand and
       def = operand.getAnyDef() and
       not def.isResultModeled() and
       not def instanceof UnmodeledDefinitionInstruction and

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll

@@ -19,11 +19,7 @@ private newtype TOperand =
   ) {
     defInstr = Construction::getMemoryOperandDefinition(useInstr, tag, overlap) and
     not Construction::isInCycle(useInstr) and
-    (
-      strictcount(Construction::getMemoryOperandDefinition(useInstr, tag, _)) = 1
-      or
-      tag instanceof UnmodeledUseOperandTag
-    )
+    strictcount(Construction::getMemoryOperandDefinition(useInstr, tag, _)) = 1
   } or
   TPhiOperand(
     PhiInstruction useInstr, Instruction defInstr, IRBlock predecessorBlock, Overlap overlap
@@ -327,16 +323,6 @@ class ConditionOperand extends RegisterOperand {
   override string toString() { result = "Condition" }
 }
 
-/**
- * An operand of the special `UnmodeledUse` instruction, representing a value
- * whose set of uses is unknown.
- */
-class UnmodeledUseOperand extends NonPhiMemoryOperand {
-  override UnmodeledUseOperandTag tag;
-
-  override string toString() { result = "UnmodeledUse" }
-}
-
 /**
  * The operand representing the target function of an `Call` instruction.
  */

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -91,17 +91,25 @@ private module Cached {
   Instruction getRegisterOperandDefinition(Instruction instruction, RegisterOperandTag tag) {
     result =
       getInstructionTranslatedElement(instruction)
-          .getInstructionOperand(getInstructionTag(instruction), tag)
+          .getInstructionRegisterOperand(getInstructionTag(instruction), tag)
   }
 
   cached
   Instruction getMemoryOperandDefinition(
     Instruction instruction, MemoryOperandTag tag, Overlap overlap
   ) {
-    result =
-      getInstructionTranslatedElement(instruction)
-          .getInstructionOperand(getInstructionTag(instruction), tag) and
-    overlap instanceof MustTotallyOverlap
+    exists(TranslatedElement translatedElement, TranslatedFunction translatedFunc |
+      translatedElement = getInstructionTranslatedElement(instruction) and
+      exists(getInstructionOperandType(instruction, tag)) and
+      translatedFunc = getTranslatedFunction(instruction.getEnclosingFunction()) and
+      result = translatedFunc.getUnmodeledDefinitionInstruction() and
+      overlap instanceof MustTotallyOverlap
+    )
+    or
+    // Without the code below, the optimizer will realize that raw IR never contains Chi operands,
+    // and report an error that `ChiTotalOperand` and `ChiPartialOperand` are infeasible.
+    (tag instanceof ChiTotalOperandTag or tag instanceof ChiPartialOperandTag) and
+    none()
   }
 
   /** Gets a non-phi instruction that defines an operand of `instr`. */
@@ -144,12 +152,13 @@ private module Cached {
   CppType getInstructionOperandType(Instruction instruction, TypedOperandTag tag) {
     // For all `LoadInstruction`s, the operand type of the `LoadOperand` is the same as
     // the result type of the load.
+    tag instanceof LoadOperandTag and
     result = instruction.(LoadInstruction).getResultLanguageType()
     or
     not instruction instanceof LoadInstruction and
     result =
       getInstructionTranslatedElement(instruction)
-          .getInstructionOperandType(getInstructionTag(instruction), tag)
+          .getInstructionMemoryOperandType(getInstructionTag(instruction), tag)
   }
 
   cached

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -94,7 +94,7 @@ abstract class TranslatedCall extends TranslatedExpr {
     )
   }
 
-  override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = CallTag() and
     (
       operandTag instanceof CallTargetOperandTag and
@@ -115,7 +115,9 @@ abstract class TranslatedCall extends TranslatedExpr {
     result = getEnclosingFunction().getUnmodeledDefinitionInstruction()
   }
 
-  final override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) {
+  final override CppType getInstructionMemoryOperandType(
+    InstructionTag tag, TypedOperandTag operandTag
+  ) {
     tag = CallSideEffectTag() and
     hasSideEffect() and
     operandTag instanceof SideEffectOperandTag and
@@ -381,7 +383,7 @@ class TranslatedAllocationSideEffects extends TranslatedSideEffects,
     else result = getParent().getChildSuccessor(this)
   }
 
-  override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = OnlyInstructionTag() and
     operandTag = addressOperand() and
     result = getPrimaryInstructionForSideEffect(OnlyInstructionTag())
@@ -437,7 +439,7 @@ class TranslatedStructorCallSideEffects extends TranslatedCallSideEffects {
 
   override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
 
-  override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag instanceof OnlyInstructionTag and
     operandTag instanceof AddressOperandTag and
     result = getParent().(TranslatedStructorCall).getQualifierResult()
@@ -513,25 +515,21 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
     kind instanceof GotoEdge
   }
 
-  override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag instanceof OnlyInstructionTag and
     operandTag instanceof AddressOperandTag and
     result = getTranslatedExpr(arg).getResult()
     or
     tag instanceof OnlyInstructionTag and
-    operandTag instanceof SideEffectOperandTag and
-    not isWrite() and
-    result = getEnclosingFunction().getUnmodeledDefinitionInstruction()
-    or
-    tag instanceof OnlyInstructionTag and
     operandTag instanceof BufferSizeOperandTag and
     result =
       getTranslatedExpr(call
             .getArgument(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index))
             .getFullyConverted()).getResult()
   }
 
-  override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) {
+  override CppType getInstructionMemoryOperandType(InstructionTag tag, TypedOperandTag operandTag) {
+    not isWrite() and
     if hasSpecificReadSideEffect(any(BufferAccessOpcode op))
     then
       result = getUnknownType() and