C++: treat this as a parameter in IR

Author: rdmarsh2

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -223,6 +223,16 @@ class IREllipsisVariable extends IRTempVariable {
   final override string toString() { result = "#ellipsis" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IRThisVariable extends IRTempVariable {
+  IRThisVariable() { tag = ThisTempVar() }
+
+  final override string toString() { result = "#this" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -204,7 +204,7 @@ private predicate isArgumentForParameter(CallInstruction ci, Operand operand, In
       init.(InitializeParameterInstruction).getParameter() =
         f.getParameter(operand.(PositionalArgumentOperand).getIndex())
       or
-      init instanceof InitializeThisInstruction and
+      init.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable and
       init.getEnclosingFunction() = f and
       operand instanceof ThisArgumentOperand
     ) and

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll

@@ -5,7 +5,7 @@ private import AliasAnalysis
 
 private newtype TAllocation =
   TVariableAllocation(IRVariable var) or
-  TIndirectParameterAllocation(IRAutomaticUserVariable var) {
+  TIndirectParameterAllocation(IRVariable var) {
     exists(InitializeIndirectionInstruction instr | instr.getIRVariable() = var)
   } or
   TDynamicAllocation(CallInstruction call) {
@@ -74,7 +74,7 @@ class VariableAllocation extends Allocation, TVariableAllocation {
 }
 
 class IndirectParameterAllocation extends Allocation, TIndirectParameterAllocation {
-  IRAutomaticUserVariable var;
+  IRVariable var;
 
   IndirectParameterAllocation() { this = TIndirectParameterAllocation(var) }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -223,6 +223,16 @@ class IREllipsisVariable extends IRTempVariable {
   final override string toString() { result = "#ellipsis" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IRThisVariable extends IRTempVariable {
+  IRThisVariable() { tag = ThisTempVar() }
+
+  final override string toString() { result = "#this" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -35,6 +35,11 @@ private module Cached {
     getTranslatedFunction(func).hasUserVariable(var, type)
   }
 
+  cached
+  predicate hasThisVariable(Function func, CppType type) {
+    type = getTypeForGLValue(getTranslatedFunction(func).getThisType())
+  }
+
   cached
   predicate hasTempVariable(Function func, Locatable ast, TempVariableTag tag, CppType type) {
     exists(TranslatedElement element |

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -2,7 +2,10 @@ private import cpp
 
 newtype TInstructionTag =
   OnlyInstructionTag() or // Single instruction (not including implicit Load)
+  InitializeThisAddressTag() or
   InitializeThisTag() or
+  InitializeThisIndirectionAddressTag() or
+  InitializeThisIndirectionTag() or
   InitializerVariableAddressTag() or
   InitializerLoadStringTag() or
   InitializerStoreTag() or
@@ -70,7 +73,9 @@ newtype TInstructionTag =
   VarArgsMoveNextTag() or
   VarArgsVAListStoreTag() or
   AsmTag() or
-  AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) }
+  AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) } or
+  ThisAddressTag() or
+  ThisLoadTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() { result = "Tag" }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -664,31 +664,35 @@ class TranslatedThisExpr extends TranslatedNonConstantExpr {
   final override TranslatedElement getChild(int id) { none() }
 
   final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
-    tag = OnlyInstructionTag() and
-    opcode instanceof Opcode::CopyValue and
+    tag = ThisAddressTag() and
+    opcode instanceof Opcode::VariableAddress and
+    resultType = getTypeForGLValue(any(UnknownType t))
+    or
+    tag = ThisLoadTag() and
+    opcode instanceof Opcode::Load and
     resultType = getResultType()
   }
 
-  final override Instruction getResult() { result = getInstruction(OnlyInstructionTag()) }
+  final override Instruction getResult() { result = getInstruction(ThisLoadTag()) }
 
-  final override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+  final override Instruction getFirstInstruction() { result = getInstruction(ThisAddressTag()) }
 
   final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     kind instanceof GotoEdge and
-    tag = OnlyInstructionTag() and
+    tag = ThisAddressTag() and
+    result = getInstruction(ThisLoadTag())
+    or
+    kind instanceof GotoEdge and
+    tag = ThisLoadTag() and
     result = getParent().getChildSuccessor(this)
   }
 
   final override Instruction getChildSuccessor(TranslatedElement child) { none() }
 
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = OnlyInstructionTag() and
-    operandTag instanceof UnaryOperandTag and
-    result = getInitializeThisInstruction()
-  }
-
-  private Instruction getInitializeThisInstruction() {
-    result = getTranslatedFunction(expr.getEnclosingFunction()).getInitializeThisInstruction()
+    tag = ThisLoadTag() and
+    operandTag instanceof AddressOperandTag and
+    result = getInstruction(ThisAddressTag())
   }
 }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -117,15 +117,24 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
       (
         tag = InitializeNonLocalTag() and
         if exists(getThisType())
-        then result = getInstruction(InitializeThisTag())
+        then result = getInstruction(InitializeThisAddressTag())
         else
           if exists(getParameter(0))
           then result = getParameter(0).getFirstInstruction()
           else result = getBody().getFirstInstruction()
       )
       or
+      tag = InitializeThisAddressTag() and
+      result = getInstruction(InitializeThisTag())
+      or
+      tag = InitializeThisTag() and
+      result = getInstruction(InitializeThisIndirectionAddressTag())
+      or
+      tag = InitializeThisIndirectionAddressTag() and
+      result = getInstruction(InitializeThisIndirectionTag())
+      or
       (
-        tag = InitializeThisTag() and
+        tag = InitializeThisIndirectionTag() and
         if exists(getParameter(0))
         then result = getParameter(0).getFirstInstruction()
         else result = getConstructorInitList().getFirstInstruction()
@@ -184,10 +193,23 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
       opcode instanceof Opcode::InitializeNonLocal and
       resultType = getUnknownType()
       or
+      tag = InitializeThisAddressTag() and
+      opcode instanceof Opcode::VariableAddress and
+      resultType = getTypeForGLValue(any(UnknownType t)) and
+      exists(getThisType())
+      or
       tag = InitializeThisTag() and
-      opcode instanceof Opcode::InitializeThis and
+      opcode instanceof Opcode::InitializeParameter and
+      resultType = getTypeForGLValue(getThisType())
+      or
+      tag = InitializeThisIndirectionAddressTag() and
+      opcode instanceof Opcode::Load and
       resultType = getTypeForGLValue(getThisType())
       or
+      tag = InitializeThisIndirectionTag() and
+      opcode instanceof Opcode::InitializeIndirection and
+      resultType = getTypeForPRValue(getThisType())
+      or
       tag = ReturnValueAddressTag() and
       opcode instanceof Opcode::VariableAddress and
       resultType = getTypeForGLValue(getReturnType()) and
@@ -228,10 +250,23 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = ReturnTag() and
     hasReturnValue() and
-    (
-      operandTag instanceof AddressOperandTag and
-      result = getInstruction(ReturnValueAddressTag())
-    )
+    operandTag instanceof AddressOperandTag and
+    result = getInstruction(ReturnValueAddressTag())
+    or
+    tag = InitializeThisTag() and
+    exists(getThisType()) and
+    operandTag instanceof AddressOperandTag and
+    result = getInstruction(InitializeThisAddressTag())
+    or
+    tag = InitializeThisIndirectionAddressTag() and
+    exists(getThisType()) and
+    operandTag instanceof AddressOperandTag and
+    result = getInstruction(InitializeThisAddressTag())
+    or
+    tag = InitializeThisIndirectionTag() and
+    exists(getThisType()) and
+    operandTag instanceof AddressOperandTag and
+    result = getInstruction(InitializeThisIndirectionAddressTag())
   }
 
   final override CppType getInstructionMemoryOperandType(
@@ -245,9 +280,23 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     tag = AliasedUseTag() and
     operandTag instanceof SideEffectOperandTag and
     result = getUnknownType()
+    or
+    tag = InitializeThisIndirectionAddressTag() and
+    exists(getThisType()) and
+    operandTag instanceof LoadOperandTag and
+    result = getTypeForGLValue(getThisType())
   }
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {
+    tag = InitializeThisAddressTag() and
+    result = getThisVariable()
+    or
+    tag = InitializeThisTag() and
+    result = getThisVariable()
+    or
+    tag = InitializeThisIndirectionTag() and
+    result = getThisVariable()
+    or
     tag = ReturnValueAddressTag() and
     result = getReturnVariable()
   }
@@ -264,6 +313,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     tag = EllipsisTempVar() and
     func.isVarargs() and
     type = getEllipsisVariablePRValueType()
+    or
+    tag = ThisTempVar() and
+    type = getTypeForGLValue(getThisType())
   }
 
   /**
@@ -286,6 +338,13 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
    */
   final IREllipsisVariable getEllipsisVariable() { result.getEnclosingFunction() = func }
 
+  /**
+   * Gets the variable that represents the `this` pointer for this function, if any.
+   */
+  final IRThisVariable getThisVariable() {
+    result = getIRTempVariable(func, ThisTempVar())
+  }
+
   /**
    * Holds if the function has a non-`void` return type.
    */

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -223,6 +223,16 @@ class IREllipsisVariable extends IRTempVariable {
   final override string toString() { result = "#ellipsis" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IRThisVariable extends IRTempVariable {
+  IRThisVariable() { tag = ThisTempVar() }
+
+  final override string toString() { result = "#this" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll

@@ -204,7 +204,7 @@ private predicate isArgumentForParameter(CallInstruction ci, Operand operand, In
       init.(InitializeParameterInstruction).getParameter() =
         f.getParameter(operand.(PositionalArgumentOperand).getIndex())
       or
-      init instanceof InitializeThisInstruction and
+      init.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable and
       init.getEnclosingFunction() = f and
       operand instanceof ThisArgumentOperand
     ) and