CPP: Add delete/delete[] calls to the IR.

Author: alexet

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -130,13 +130,17 @@ class CallOrAllocationExpr extends Expr {
     this instanceof Call
     or
     this instanceof NewOrNewArrayExpr
+    or
+    this instanceof DeleteOrDeleteArrayExpr
   }
 
   /** Gets the `Function` invoked by this expression, if known. */
   final Function getTarget() {
     result = this.(Call).getTarget()
     or
     result = this.(NewOrNewArrayExpr).getAllocator()
+    or
+    result = this.(DeleteOrDeleteArrayExpr).getDeallocator()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -350,6 +350,9 @@ class TranslatedCallSideEffects extends TranslatedSideEffects, TTranslatedCallSi
     or
     expr instanceof NewOrNewArrayExpr and
     result = getTranslatedAllocatorCall(expr).getInstruction(CallTag())
+    or
+    expr instanceof DeleteOrDeleteArrayExpr and
+    result = getTranslatedDeallocatorCall(expr).getInstruction(CallTag())
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -75,19 +75,18 @@ private predicate ignoreExprAndDescendants(Expr expr) {
     // REVIEW: Ignore initializers for `NewArrayExpr` until we determine how to
     // represent them.
     newExpr.getInitializer().getFullyConverted() = expr
-  )
+  ) or
+  exists(DeleteOrDeleteArrayExpr deleteExpr |
+    // Ignore the deallocator call, because we always synthesize it.
+    deleteExpr.getDeallocatorCall() = expr
+  ) 
   or
   // Do not translate input/output variables in GNU asm statements
   //  getRealParent(expr) instanceof AsmStmt
   //  or
   ignoreExprAndDescendants(getRealParent(expr)) // recursive case
   or
-  // We do not yet translate destructors properly, so for now we ignore any
-  // custom deallocator call, if present.
-  exists(DeleteExpr deleteExpr | deleteExpr.getDeallocatorCall() = expr)
-  or
-  exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getDeallocatorCall() = expr)
-  or
+  // va_start doesn't evaluate its argument, so we don't need to translate it.
   exists(BuiltInVarArgsStart vaStartExpr |
     vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
   )
@@ -104,20 +103,19 @@ private predicate ignoreExprOnly(Expr expr) {
     newExpr.getAllocatorCall() = expr
   )
   or
+  exists(DeleteOrDeleteArrayExpr deleteExpr |
+    // Ignore the destructor call as we don't model it yet. Don't ignore
+    // its arguments, though, as they are the arguments to the deallocator.
+    deleteExpr.getDestructorCall() = expr
+  )
+  or
   // The extractor deliberately emits an `ErrorExpr` as the first argument to
   // the allocator call, if any, of a `NewOrNewArrayExpr`. That `ErrorExpr`
   // should not be translated.
   exists(NewOrNewArrayExpr new | expr = new.getAllocatorCall().getArgument(0))
   or
   not translateFunction(getEnclosingFunction(expr)) and
   not Raw::varHasIRFunc(getEnclosingVariable(expr))
-  or
-  // We do not yet translate destructors properly, so for now we ignore the
-  // destructor call. We do, however, translate the expression being
-  // destructed, and that expression can be a child of the destructor call.
-  exists(DeleteExpr deleteExpr | deleteExpr.getDestructorCall() = expr)
-  or
-  exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getDestructorCall() = expr)
 }
 
 /**
@@ -724,6 +722,8 @@ newtype TTranslatedElement =
   } or
   // An allocator call in a `new` or `new[]` expression
   TTranslatedAllocatorCall(NewOrNewArrayExpr newExpr) { not ignoreExpr(newExpr) } or
+  // An deallocator call in a `delete` or `delete[]` expression
+  TTranslatedDeallocatorCall(DeleteOrDeleteArrayExpr newExpr) { not ignoreExpr(newExpr) } or
   // An allocation size for a `new` or `new[]` expression
   TTranslatedAllocationSize(NewOrNewArrayExpr newExpr) { not ignoreExpr(newExpr) } or
   // The declaration/initialization part of a `ConditionDeclExpr`

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -2017,6 +2017,48 @@ TranslatedAllocatorCall getTranslatedAllocatorCall(NewOrNewArrayExpr newExpr) {
   result.getAst() = newExpr
 }
 
+/**
+ * The IR translation of a call to `operator delete` as part of a `delete` or `delete[]`
+ * expression.
+ */
+class TranslatedDeallocatorCall extends TTranslatedDeallocatorCall, TranslatedDirectCall {
+  override DeleteOrDeleteArrayExpr expr;
+
+  TranslatedDeallocatorCall() { this = TTranslatedDeallocatorCall(expr) }
+
+  final override string toString() { result = "Deallocator call for " + expr.toString() }
+
+  final override predicate producesExprResult() { none() }
+
+  override Function getInstructionFunction(InstructionTag tag) {
+    tag = CallTargetTag() and result = expr.getDeallocator()
+  }
+
+  final override Type getCallResultType() { result = expr.getType() }
+
+  final override TranslatedExpr getQualifier() { none() }
+
+  final override predicate hasArguments() {
+    // All deallocator calls have at least one argument.
+    any()
+  }
+
+  final override int getNumberOfArguments() {
+    // We ignore the other arguments for now as we would have to synthesize them.
+    result = 1
+  }
+
+  final override TranslatedExpr getArgument(int index) {
+    // The only argument we define is the pointer to be deallocated.
+    index = 0 and
+    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
+  }
+}
+
+TranslatedDeallocatorCall getTranslatedDeallocatorCall(DeleteOrDeleteArrayExpr newExpr) {
+  result.getAst() = newExpr
+}
+
 /**
  * Abstract class implemented by any `TranslatedElement` that has a child
  * expression that is a call to a constructor or destructor, in order to
@@ -2955,75 +2997,60 @@ class TranslatedNewArrayExpr extends TranslatedNewOrNewArrayExpr {
 }
 
 /**
- * A placeholder for the translation of a `delete[]` expression.
- *
- * Proper translation is not yet implemented, but this stub implementation
- * ensures that code following a `delete[]` is not unreachable.
+ * The IR translation of a `delete` or `delete[]` expression.
  */
-class TranslatedDeleteArrayExprPlaceHolder extends TranslatedSingleInstructionExpr {
-  override DeleteArrayExpr expr;
+abstract class TranslatedDeleteOrDeleteArrayExpr extends TranslatedNonConstantExpr {
+  override DeleteOrDeleteArrayExpr expr;
+
+  final override TranslatedElement getChild(int id) {
+    id = 0 and result = this.getDeallocatorCall()
+  }
+
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = OnlyInstructionTag() and
+    opcode instanceof Opcode::Convert and
+    resultType = this.getResultType()
+  }
 
   final override Instruction getFirstInstruction() {
-    result = this.getOperand().getFirstInstruction()
+    result = this.getDeallocatorCall().getFirstInstruction()
   }
 
-  final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() }
+  final override Instruction getResult() { result = this.getInstruction(OnlyInstructionTag()) }
 
   final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    kind instanceof GotoEdge and
     tag = OnlyInstructionTag() and
-    result = this.getParent().getChildSuccessor(this) and
-    kind instanceof GotoEdge
+    result = this.getParent().getChildSuccessor(this)
   }
 
   final override Instruction getChildSuccessor(TranslatedElement child) {
-    child = this.getOperand() and result = this.getInstruction(OnlyInstructionTag())
+    child = this.getDeallocatorCall() and result = this.getInstruction(OnlyInstructionTag())
   }
 
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    none()
+    tag = OnlyInstructionTag() and
+    operandTag instanceof UnaryOperandTag and
+    result = this.getDeallocatorCall().getResult()
   }
 
-  final override Opcode getOpcode() { result instanceof Opcode::NoOp }
-
-  private TranslatedExpr getOperand() {
-    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
+  private TranslatedDeallocatorCall getDeallocatorCall() {
+    result = getTranslatedDeallocatorCall(expr)
   }
 }
 
 /**
- * A placeholder for the translation of a `delete` expression.
- *
- * Proper translation is not yet implemented, but this stub implementation
- * ensures that code following a `delete` is not unreachable.
+ * The IR translation of a `delete` expression.
  */
-class TranslatedDeleteExprPlaceHolder extends TranslatedSingleInstructionExpr {
+class TranslatedDeleteExpr extends TranslatedDeleteOrDeleteArrayExpr {
   override DeleteExpr expr;
+}
 
-  final override Instruction getFirstInstruction() {
-    result = this.getOperand().getFirstInstruction()
-  }
-
-  final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() }
-
-  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    tag = OnlyInstructionTag() and
-    result = this.getParent().getChildSuccessor(this) and
-    kind instanceof GotoEdge
-  }
-
-  final override Instruction getChildSuccessor(TranslatedElement child) {
-    child = this.getOperand() and result = this.getInstruction(OnlyInstructionTag())
-  }
-
-  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    none()
-  }
-
-  final override Opcode getOpcode() { result instanceof Opcode::NoOp }
-
-  private TranslatedExpr getOperand() {
-    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
-  }
+/**
+ * The IR translation of a `delete[]` expression.
+ */
+class TranslatedDeleteArrayExpr extends TranslatedDeleteOrDeleteArrayExpr {
+  override DeleteArrayExpr expr;
 }
 
 /**

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -4887,10 +4887,70 @@
 | ir.cpp:1011:12:1011:12 | Unary | r1011_3 |
 | ir.cpp:1015:6:1015:19 | ChiPartial | partial:m1015_3 |
 | ir.cpp:1015:6:1015:19 | ChiTotal | total:m1015_2 |
-| ir.cpp:1015:6:1015:19 | SideEffect | m1015_3 |
+| ir.cpp:1015:6:1015:19 | SideEffect | ~m1020_5 |
+| ir.cpp:1016:3:1016:35 | CallTarget | func:r1016_1 |
+| ir.cpp:1016:3:1016:35 | ChiPartial | partial:m1016_4 |
+| ir.cpp:1016:3:1016:35 | ChiTotal | total:m1015_4 |
+| ir.cpp:1016:3:1016:35 | SideEffect | ~m1015_4 |
+| ir.cpp:1016:3:1016:35 | Unary | v1016_3 |
+| ir.cpp:1016:10:1016:35 | Arg(0) | 0:r1016_2 |
+| ir.cpp:1017:3:1017:38 | CallTarget | func:r1017_1 |
+| ir.cpp:1017:3:1017:38 | ChiPartial | partial:m1017_4 |
+| ir.cpp:1017:3:1017:38 | ChiTotal | total:m1016_5 |
+| ir.cpp:1017:3:1017:38 | SideEffect | ~m1016_5 |
+| ir.cpp:1017:3:1017:38 | Unary | v1017_3 |
+| ir.cpp:1017:10:1017:38 | Arg(0) | 0:r1017_2 |
+| ir.cpp:1018:3:1018:44 | CallTarget | func:r1018_1 |
+| ir.cpp:1018:3:1018:44 | ChiPartial | partial:m1018_4 |
+| ir.cpp:1018:3:1018:44 | ChiTotal | total:m1017_5 |
+| ir.cpp:1018:3:1018:44 | SideEffect | ~m1017_5 |
+| ir.cpp:1018:3:1018:44 | Unary | v1018_3 |
+| ir.cpp:1018:10:1018:44 | Arg(0) | 0:r1018_2 |
+| ir.cpp:1019:3:1019:43 | CallTarget | func:r1019_1 |
+| ir.cpp:1019:3:1019:43 | ChiPartial | partial:m1019_4 |
+| ir.cpp:1019:3:1019:43 | ChiTotal | total:m1018_5 |
+| ir.cpp:1019:3:1019:43 | SideEffect | ~m1018_5 |
+| ir.cpp:1019:3:1019:43 | Unary | v1019_3 |
+| ir.cpp:1019:10:1019:43 | Arg(0) | 0:r1019_2 |
+| ir.cpp:1020:3:1020:47 | CallTarget | func:r1020_1 |
+| ir.cpp:1020:3:1020:47 | ChiPartial | partial:m1020_4 |
+| ir.cpp:1020:3:1020:47 | ChiTotal | total:m1019_5 |
+| ir.cpp:1020:3:1020:47 | SideEffect | ~m1019_5 |
+| ir.cpp:1020:3:1020:47 | Unary | v1020_3 |
+| ir.cpp:1020:10:1020:47 | Arg(0) | 0:r1020_2 |
 | ir.cpp:1024:6:1024:24 | ChiPartial | partial:m1024_3 |
 | ir.cpp:1024:6:1024:24 | ChiTotal | total:m1024_2 |
-| ir.cpp:1024:6:1024:24 | SideEffect | m1024_3 |
+| ir.cpp:1024:6:1024:24 | SideEffect | ~m1029_5 |
+| ir.cpp:1025:3:1025:37 | CallTarget | func:r1025_1 |
+| ir.cpp:1025:3:1025:37 | ChiPartial | partial:m1025_4 |
+| ir.cpp:1025:3:1025:37 | ChiTotal | total:m1024_4 |
+| ir.cpp:1025:3:1025:37 | SideEffect | ~m1024_4 |
+| ir.cpp:1025:3:1025:37 | Unary | v1025_3 |
+| ir.cpp:1025:12:1025:37 | Arg(0) | 0:r1025_2 |
+| ir.cpp:1026:3:1026:40 | CallTarget | func:r1026_1 |
+| ir.cpp:1026:3:1026:40 | ChiPartial | partial:m1026_4 |
+| ir.cpp:1026:3:1026:40 | ChiTotal | total:m1025_5 |
+| ir.cpp:1026:3:1026:40 | SideEffect | ~m1025_5 |
+| ir.cpp:1026:3:1026:40 | Unary | v1026_3 |
+| ir.cpp:1026:12:1026:40 | Arg(0) | 0:r1026_2 |
+| ir.cpp:1027:3:1027:46 | CallTarget | func:r1027_1 |
+| ir.cpp:1027:3:1027:46 | ChiPartial | partial:m1027_4 |
+| ir.cpp:1027:3:1027:46 | ChiTotal | total:m1026_5 |
+| ir.cpp:1027:3:1027:46 | SideEffect | ~m1026_5 |
+| ir.cpp:1027:3:1027:46 | Unary | v1027_3 |
+| ir.cpp:1027:12:1027:46 | Arg(0) | 0:r1027_2 |
+| ir.cpp:1028:3:1028:45 | CallTarget | func:r1028_1 |
+| ir.cpp:1028:3:1028:45 | ChiPartial | partial:m1028_4 |
+| ir.cpp:1028:3:1028:45 | ChiTotal | total:m1027_5 |
+| ir.cpp:1028:3:1028:45 | SideEffect | ~m1027_5 |
+| ir.cpp:1028:3:1028:45 | Unary | v1028_3 |
+| ir.cpp:1028:12:1028:45 | Arg(0) | 0:r1028_2 |
+| ir.cpp:1029:3:1029:49 | CallTarget | func:r1029_1 |
+| ir.cpp:1029:3:1029:49 | ChiPartial | partial:m1029_4 |
+| ir.cpp:1029:3:1029:49 | ChiTotal | total:m1028_5 |
+| ir.cpp:1029:3:1029:49 | SideEffect | ~m1028_5 |
+| ir.cpp:1029:3:1029:49 | Unary | v1029_3 |
+| ir.cpp:1029:12:1029:49 | Arg(0) | 0:r1029_2 |
 | ir.cpp:1034:6:1034:20 | ChiPartial | partial:m1034_3 |
 | ir.cpp:1034:6:1034:20 | ChiTotal | total:m1034_2 |
 | ir.cpp:1034:6:1034:20 | SideEffect | m1034_3 |