Merge pull request github#16907 from MathiasVP/phi-escape-5

C++: Add a new `MemoryLocation` to represent sets of `Allocation`s

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -40,7 +40,8 @@ predicate ignoreInstruction(Instruction instr) {
     instr instanceof AliasedDefinitionInstruction or
     instr instanceof AliasedUseInstruction or
     instr instanceof InitializeNonLocalInstruction or
-    instr instanceof ReturnIndirectionInstruction
+    instr instanceof ReturnIndirectionInstruction or
+    instr instanceof UninitializedGroupInstruction
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll

@@ -13,7 +13,8 @@ private newtype TMemoryAccessKind =
   TPhiMemoryAccess() or
   TUnmodeledMemoryAccess() or
   TChiTotalMemoryAccess() or
-  TChiPartialMemoryAccess()
+  TChiPartialMemoryAccess() or
+  TGroupedMemoryAccess()
 
 /**
  * Describes the set of memory locations memory accessed by a memory operand or
@@ -99,3 +100,11 @@ class ChiTotalMemoryAccess extends MemoryAccessKind, TChiTotalMemoryAccess {
 class ChiPartialMemoryAccess extends MemoryAccessKind, TChiPartialMemoryAccess {
   override string toString() { result = "chi(partial)" }
 }
+
+/**
+ * The result of an `UninitializedGroup` instruction, which initializes a set of
+ * allocations that are each assigned the same virtual variable.
+ */
+class GroupedMemoryAccess extends MemoryAccessKind, TGroupedMemoryAccess {
+  override string toString() { result = "group" }
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -89,6 +89,7 @@ private newtype TOpcode =
   TSizedBufferMayWriteSideEffect() or
   TInitializeDynamicAllocation() or
   TChi() or
+  TUninitializedGroup() or
   TInlineAsm() or
   TUnreached() or
   TNewObj()
@@ -1237,6 +1238,17 @@ module Opcode {
     }
   }
 
+  /**
+   * The `Opcode` for a `UninitializedGroup`.
+   *
+   * See the `UninitializedGroupInstruction` documentation for more details.
+   */
+  class UninitializedGroup extends Opcode, TUninitializedGroup {
+    final override string toString() { result = "UninitializedGroup" }
+
+    override GroupedMemoryAccess getWriteMemoryAccess() { any() }
+  }
+
   /**
    * The `Opcode` for an `InlineAsmInstruction`.
    *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -2142,6 +2142,47 @@ class ChiInstruction extends Instruction {
   final predicate isPartialUpdate() { Construction::chiOnlyPartiallyUpdatesLocation(this) }
 }
 
+/**
+ * An instruction that initializes a set of allocations that are each assigned
+ * the same "virtual variable".
+ *
+ * As an example, consider the following snippet:
+ * ```
+ * int a;
+ * int b;
+ * int* p;
+ * if(b) {
+ *   p = &a;
+ * } else {
+ *   p = &b;
+ * }
+ * *p = 5;
+ * int x = a;
+ * ```
+ *
+ * Since both the address of `a` and `b` reach `p` at `*p = 5` the IR alias
+ * analysis will create a region that contains both `a` and `b`. The region
+ * containing both `a` and `b` are initialized by an `UninitializedGroup`
+ * instruction in the entry block of the enclosing function.
+ */
+class UninitializedGroupInstruction extends Instruction {
+  UninitializedGroupInstruction() { this.getOpcode() instanceof Opcode::UninitializedGroup }
+
+  /**
+   * Gets an `IRVariable` whose memory is initialized by this instruction, if any.
+   * Note: Allocations that are not represented as `IRVariable`s (such as
+   * dynamic allocations) are not returned by this predicate even if this
+   * instruction initializes such memory.
+   */
+  final IRVariable getAnIRVariable() {
+    result = Construction::getAnUninitializedGroupVariable(this)
+  }
+
+  final override string getImmediateString() {
+    result = strictconcat(this.getAnIRVariable().toString(), ",")
+  }
+}
+
 /**
  * An instruction representing unreachable code.
  *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -106,8 +106,7 @@ private predicate operandEscapesDomain(Operand operand) {
   not isArgumentForParameter(_, operand, _) and
   not isOnlyEscapesViaReturnArgument(operand) and
   not operand.getUse() instanceof ReturnValueInstruction and
-  not operand.getUse() instanceof ReturnIndirectionInstruction and
-  not operand instanceof PhiInputOperand
+  not operand.getUse() instanceof ReturnIndirectionInstruction
 }
 
 /**
@@ -191,6 +190,11 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instr
     // A copy propagates the source value.
     operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
   )
+  or
+  operand = instr.(PhiInstruction).getAnInputOperand() and
+  // Using `unknown` ensures termination since we cannot keep incrementing a bit offset
+  // through the back edge of a loop (or through recursion).
+  bitOffset = Ints::unknown()
 }
 
 private predicate operandEscapesNonReturn(Operand operand) {
@@ -212,9 +216,6 @@ private predicate operandEscapesNonReturn(Operand operand) {
   or
   isOnlyEscapesViaReturnArgument(operand) and resultEscapesNonReturn(operand.getUse())
   or
-  operand instanceof PhiInputOperand and
-  resultEscapesNonReturn(operand.getUse())
-  or
   operandEscapesDomain(operand)
 }
 
@@ -236,9 +237,6 @@ private predicate operandMayReachReturn(Operand operand) {
   operand.getUse() instanceof ReturnValueInstruction
   or
   isOnlyEscapesViaReturnArgument(operand) and resultMayReachReturn(operand.getUse())
-  or
-  operand instanceof PhiInputOperand and
-  resultMayReachReturn(operand.getUse())
 }
 
 private predicate operandReturned(Operand operand, IntValue bitOffset) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll

@@ -101,6 +101,8 @@ class IndirectParameterAllocation extends Allocation, TIndirectParameterAllocati
   final override predicate isAlwaysAllocatedOnStack() { none() }
 
   final override predicate alwaysEscapes() { none() }
+
+  final IRAutomaticVariable getIRVariable() { result = var }
 }
 
 class DynamicAllocation extends Allocation, TDynamicAllocation {