Merge pull request github#3056 from dbartol/dbartol/static-locals

C++: Model dynamic initialization of static local variables in IR

Author: jbj

cpp/ql/src/semmle/code/cpp/Variable.qll

@@ -381,10 +381,10 @@ class StaticStorageDurationVariable extends Variable {
   }
 
   /**
-   * Holds if the initializer for this variable is evaluated at compile time.
+   * Holds if the initializer for this variable is evaluated at runtime.
    */
-  predicate hasConstantInitialization() {
-    not runtimeExprInStaticInitializer(this.getInitializer().getExpr())
+  predicate hasDynamicInitialization() {
+    runtimeExprInStaticInitializer(this.getInitializer().getExpr())
   }
 }
 
@@ -409,6 +409,11 @@ private predicate inStaticInitializer(Expr e) {
   inStaticInitializer(e.getParent())
 }
 
+/**
+ * A C++ local variable declared as `static`.
+ */
+class StaticLocalVariable extends LocalVariable, StaticStorageDurationVariable { }
+
 /**
  * A C/C++ variable which has global scope or namespace scope. For example the
  * variables `a` and `b` in the following code:

cpp/ql/src/semmle/code/cpp/controlflow/internal/CFG.qll

@@ -441,9 +441,9 @@ private Node getControlOrderChildSparse(Node n, int i) {
  * thus should not have control flow computed.
  */
 private predicate skipInitializer(Initializer init) {
-  exists(LocalVariable local |
+  exists(StaticLocalVariable local |
     init = local.getInitializer() and
-    local.(StaticStorageDurationVariable).hasConstantInitialization()
+    not local.hasDynamicInitialization()
   )
 }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -23,7 +23,8 @@ class IRVariable extends TIRVariable {
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
     this = TIRTempVariable(func, _, _, _) or
-    this = TIRStringLiteral(func, _, _, _)
+    this = TIRStringLiteral(func, _, _, _) or
+    this = TIRDynamicInitializationFlag(func, _, _)
   }
 
   string toString() { none() }
@@ -149,7 +150,8 @@ class IRGeneratedVariable extends IRVariable {
 
   IRGeneratedVariable() {
     this = TIRTempVariable(func, ast, _, type) or
-    this = TIRStringLiteral(func, ast, type, _)
+    this = TIRStringLiteral(func, ast, type, _) or
+    this = TIRDynamicInitializationFlag(func, ast, type)
   }
 
   final override Language::LanguageType getLanguageType() { result = type }
@@ -208,7 +210,7 @@ class IRReturnVariable extends IRTempVariable {
 class IRThrowVariable extends IRTempVariable {
   IRThrowVariable() { tag = ThrowTempVar() }
 
-  override string getBaseString() { result = "#throw" }
+  final override string getBaseString() { result = "#throw" }
 }
 
 /**
@@ -226,7 +228,30 @@ class IRStringLiteral extends IRGeneratedVariable, TIRStringLiteral {
     result = "String: " + getLocationString() + "=" + Language::getStringLiteralText(literal)
   }
 
-  override string getBaseString() { result = "#string" }
+  final override string getBaseString() { result = "#string" }
 
   final Language::StringLiteral getLiteral() { result = literal }
 }
+
+/**
+ * A variable generated to track whether a specific non-stack variable has been initialized. This is
+ * used to model the runtime initialization of static local variables in C++, as well as static
+ * fields in C#.
+ */
+class IRDynamicInitializationFlag extends IRGeneratedVariable, TIRDynamicInitializationFlag {
+  Language::Variable var;
+
+  IRDynamicInitializationFlag() {
+    this = TIRDynamicInitializationFlag(func, var, type) and ast = var
+  }
+
+  final override string toString() { result = var.toString() + "#init" }
+
+  final Language::Variable getVariable() { result = var }
+
+  final override string getUniqueId() {
+    result = "Init: " + getVariable().toString() + " " + getVariable().getLocation().toString()
+  }
+
+  final override string getBaseString() { result = "#init:" + var.toString() + ":" }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll

@@ -10,6 +10,11 @@ newtype TIRVariable =
   ) {
     Construction::hasTempVariable(func, ast, tag, type)
   } or
+  TIRDynamicInitializationFlag(
+    Language::Function func, Language::Variable var, Language::LanguageType type
+  ) {
+    Construction::hasDynamicInitializationFlag(func, var, type)
+  } or
   TIRStringLiteral(
     Language::Function func, Language::AST ast, Language::LanguageType type,
     Language::StringLiteral literal

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -23,7 +23,8 @@ class IRVariable extends TIRVariable {
   IRVariable() {
     this = TIRUserVariable(_, _, func) or
     this = TIRTempVariable(func, _, _, _) or
-    this = TIRStringLiteral(func, _, _, _)
+    this = TIRStringLiteral(func, _, _, _) or
+    this = TIRDynamicInitializationFlag(func, _, _)
   }
 
   string toString() { none() }
@@ -149,7 +150,8 @@ class IRGeneratedVariable extends IRVariable {
 
   IRGeneratedVariable() {
     this = TIRTempVariable(func, ast, _, type) or
-    this = TIRStringLiteral(func, ast, type, _)
+    this = TIRStringLiteral(func, ast, type, _) or
+    this = TIRDynamicInitializationFlag(func, ast, type)
   }
 
   final override Language::LanguageType getLanguageType() { result = type }
@@ -208,7 +210,7 @@ class IRReturnVariable extends IRTempVariable {
 class IRThrowVariable extends IRTempVariable {
   IRThrowVariable() { tag = ThrowTempVar() }
 
-  override string getBaseString() { result = "#throw" }
+  final override string getBaseString() { result = "#throw" }
 }
 
 /**
@@ -226,7 +228,30 @@ class IRStringLiteral extends IRGeneratedVariable, TIRStringLiteral {
     result = "String: " + getLocationString() + "=" + Language::getStringLiteralText(literal)
   }
 
-  override string getBaseString() { result = "#string" }
+  final override string getBaseString() { result = "#string" }
 
   final Language::StringLiteral getLiteral() { result = literal }
 }
+
+/**
+ * A variable generated to track whether a specific non-stack variable has been initialized. This is
+ * used to model the runtime initialization of static local variables in C++, as well as static
+ * fields in C#.
+ */
+class IRDynamicInitializationFlag extends IRGeneratedVariable, TIRDynamicInitializationFlag {
+  Language::Variable var;
+
+  IRDynamicInitializationFlag() {
+    this = TIRDynamicInitializationFlag(func, var, type) and ast = var
+  }
+
+  final override string toString() { result = var.toString() + "#init" }
+
+  final Language::Variable getVariable() { result = var }
+
+  final override string getUniqueId() {
+    result = "Init: " + getVariable().toString() + " " + getVariable().getLocation().toString()
+  }
+
+  final override string getBaseString() { result = "#init:" + var.toString() + ":" }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -51,6 +51,13 @@ private module Cached {
     getTypeForPRValue(literal.getType()) = type
   }
 
+  cached
+  predicate hasDynamicInitializationFlag(Function func, StaticLocalVariable var, CppType type) {
+    var.getFunction() = func and
+    var.hasDynamicInitialization() and
+    type = getBoolType()
+  }
+
   cached
   predicate hasModeledMemoryResult(Instruction instruction) { none() }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -8,6 +8,11 @@ newtype TInstructionTag =
   InitializerStoreTag() or
   InitializerIndirectAddressTag() or
   InitializerIndirectStoreTag() or
+  DynamicInitializationFlagAddressTag() or
+  DynamicInitializationFlagLoadTag() or
+  DynamicInitializationConditionalBranchTag() or
+  DynamicInitializationFlagConstantTag() or
+  DynamicInitializationFlagStoreTag() or
   ZeroPadStringConstantTag() or
   ZeroPadStringElementIndexTag() or
   ZeroPadStringElementAddressTag() or
@@ -186,4 +191,14 @@ string getInstructionTagId(TInstructionTag tag) {
   tag = AsmTag() and result = "Asm"
   or
   exists(int index | tag = AsmInputTag(index) and result = "AsmInputTag(" + index + ")")
+  or
+  tag = DynamicInitializationFlagAddressTag() and result = "DynInitFlagAddr"
+  or
+  tag = DynamicInitializationFlagLoadTag() and result = "DynInitFlagLoad"
+  or
+  tag = DynamicInitializationConditionalBranchTag() and result = "DynInitCondBranch"
+  or
+  tag = DynamicInitializationFlagConstantTag() and result = "DynInitFlagConst"
+  or
+  tag = DynamicInitializationFlagStoreTag() and result = "DynInitFlagStore"
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll

@@ -6,6 +6,7 @@ private import semmle.code.cpp.ir.internal.IRUtilities
 private import InstructionTag
 private import TranslatedElement
 private import TranslatedExpr
+private import TranslatedFunction
 private import TranslatedInitialization
 
 /**
@@ -66,17 +67,172 @@ abstract class TranslatedLocalVariableDeclaration extends TranslatedVariableInit
 }
 
 /**
- * Represents the IR translation of a local variable declaration within a declaration statement.
+ * The IR translation of a local variable declaration within a declaration statement.
  */
-class TranslatedVariableDeclarationEntry extends TranslatedLocalVariableDeclaration,
+class TranslatedAutoVariableDeclarationEntry extends TranslatedLocalVariableDeclaration,
   TranslatedDeclarationEntry {
-  LocalVariable var;
+  StackVariable var;
 
-  TranslatedVariableDeclarationEntry() { var = entry.getDeclaration() }
+  TranslatedAutoVariableDeclarationEntry() { var = entry.getDeclaration() }
 
   override LocalVariable getVariable() { result = var }
 }
 
+/**
+ * The IR translation of the declaration of a static local variable.
+ * This element generates the logic that determines whether or not the variable has already been
+ * initialized, and if not, invokes the initializer and sets the dynamic initialization flag for the
+ * variable. The actual initialization code is handled in
+ * `TranslatedStaticLocalVariableInitialization`, which is a child of this element.
+ *
+ * The generated code to do the initialization only once is:
+ * ```
+ * Block 1
+ *   r1225_1(glval<bool>) = VariableAddress[c#init] :
+ *   r1225_2(bool)        = Load                    : &:r1225_1, ~mu1222_4
+ *   v1225_3(void)        = ConditionalBranch       : r1225_2
+ * False -> Block 2
+ * True -> Block 3
+ *
+ * Block 2
+ *   r1225_4(glval<int>) = VariableAddress[c] :
+ * <actual initialization of `c`>
+ *   r1225_8(bool)       = Constant[1]        :
+ *   mu1225_9(bool)      = Store              : &:r1225_1, r1225_8
+ * Goto -> Block 3
+ *
+ * Block 3
+ * ```
+ *
+ * Note that the flag variable, `c#init`, is assumed to be zero-initialized at program startup, just
+ * like any other variable with static storage duration.
+ */
+class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclarationEntry {
+  StaticLocalVariable var;
+
+  TranslatedStaticLocalVariableDeclarationEntry() { var = entry.getDeclaration() }
+
+  final override TranslatedElement getChild(int id) { id = 0 and result = getInitialization() }
+
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
+    tag = DynamicInitializationFlagAddressTag() and
+    opcode instanceof Opcode::VariableAddress and
+    type = getBoolGLValueType()
+    or
+    tag = DynamicInitializationFlagLoadTag() and
+    opcode instanceof Opcode::Load and
+    type = getBoolType()
+    or
+    tag = DynamicInitializationConditionalBranchTag() and
+    opcode instanceof Opcode::ConditionalBranch and
+    type = getVoidType()
+    or
+    tag = DynamicInitializationFlagConstantTag() and
+    opcode instanceof Opcode::Constant and
+    type = getBoolType()
+    or
+    tag = DynamicInitializationFlagStoreTag() and
+    opcode instanceof Opcode::Store and
+    type = getBoolType()
+  }
+
+  final override Instruction getFirstInstruction() {
+    result = getInstruction(DynamicInitializationFlagAddressTag())
+  }
+
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = DynamicInitializationFlagAddressTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(DynamicInitializationFlagLoadTag())
+    or
+    tag = DynamicInitializationFlagLoadTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(DynamicInitializationConditionalBranchTag())
+    or
+    tag = DynamicInitializationConditionalBranchTag() and
+    (
+      kind instanceof TrueEdge and
+      result = getParent().getChildSuccessor(this)
+      or
+      kind instanceof FalseEdge and
+      result = getInitialization().getFirstInstruction()
+    )
+    or
+    tag = DynamicInitializationFlagConstantTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(DynamicInitializationFlagStoreTag())
+    or
+    tag = DynamicInitializationFlagStoreTag() and
+    kind instanceof GotoEdge and
+    result = getParent().getChildSuccessor(this)
+  }
+
+  final override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getInitialization() and
+    result = getInstruction(DynamicInitializationFlagConstantTag())
+  }
+
+  final override IRDynamicInitializationFlag getInstructionVariable(InstructionTag tag) {
+    tag = DynamicInitializationFlagAddressTag() and
+    result.getVariable() = var
+  }
+
+  final override string getInstructionConstantValue(InstructionTag tag) {
+    tag = DynamicInitializationFlagConstantTag() and result = "1"
+  }
+
+  final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = DynamicInitializationFlagLoadTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = getInstruction(DynamicInitializationFlagAddressTag())
+      or
+      operandTag instanceof LoadOperandTag and
+      result = getTranslatedFunction(var.getFunction()).getUnmodeledDefinitionInstruction()
+    )
+    or
+    tag = DynamicInitializationConditionalBranchTag() and
+    operandTag instanceof ConditionOperandTag and
+    result = getInstruction(DynamicInitializationFlagLoadTag())
+    or
+    tag = DynamicInitializationFlagStoreTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = getInstruction(DynamicInitializationFlagAddressTag())
+      or
+      operandTag instanceof StoreValueOperandTag and
+      result = getInstruction(DynamicInitializationFlagConstantTag())
+    )
+  }
+
+  private TranslatedStaticLocalVariableInitialization getInitialization() {
+    result.getVariable() = var
+  }
+}
+
+/**
+ * The initialization of a static local variable. This element will only exist for a static variable
+ * with a dynamic initializer.
+ */
+class TranslatedStaticLocalVariableInitialization extends TranslatedElement,
+  TranslatedLocalVariableDeclaration, TTranslatedStaticLocalVariableInitialization {
+  VariableDeclarationEntry entry;
+  StaticLocalVariable var;
+
+  TranslatedStaticLocalVariableInitialization() {
+    this = TTranslatedStaticLocalVariableInitialization(entry) and
+    var = entry.getDeclaration()
+  }
+
+  final override string toString() { result = "init: " + entry.toString() }
+
+  final override Locatable getAST() { result = entry }
+
+  final override LocalVariable getVariable() { result = var }
+
+  final override Function getFunction() { result = var.getFunction() }
+}
+
 /**
  * Gets the `TranslatedRangeBasedForVariableDeclaration` that represents the declaration of
  * `var`.