C++: Perform a TC to skip conversions when special-casing materialization of temporaries.

MathiasVP · MathiasVP · commit 7d41e8ef730f · 2024-06-21T13:35:09.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll
@@ -193,6 +193,46 @@ private module Cached {
     )
   }
 
+  /** Holds if `operand`'s definition is a `VariableAddressInstruction` whose variable is a temporary */
+  private predicate isIRTempVariable(Operand operand) {
+    operand.getDef().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
+  }
+
+  /**
+   * Holds if `node` is an indirect operand whose operand is an argument, and
+   * the `n`'th expression associated with the operand is `e`.
+   */
+  private predicate isIndirectOperandOfArgument(
+    IndirectOperand node, ArgumentOperand operand, Expr e, int n
+  ) {
+    node.hasOperandAndIndirectionIndex(operand, 1) and
+    e = getConvertedResultExpression(operand.getDef(), n)
+  }
+
+  /**
+   * Holds if `opFrom` is an operand to a conversion, and `opTo` is the unique
+   * use of the conversion.
+   */
+  private predicate isConversionStep(Operand opFrom, Operand opTo) {
+    exists(Instruction mid |
+      conversionFlow(opFrom, mid, false, false) and
+      opTo = unique( | | getAUse(mid))
+    )
+  }
+
+  /**
+   * Holds if an operand that satisfies `isIRTempVariable` flows to `op`
+   * through a (possibly empty) sequence of conversions.
+   */
+  private predicate irTempOperandConversionFlows(Operand op) {
+    isIRTempVariable(op)
+    or
+    exists(Operand mid |
+      irTempOperandConversionFlows(mid) and
+      isConversionStep(mid, op)
+    )
+  }
+
   /** Holds if `node` should be an `IndirectOperand` that maps `node.asExpr()` to `e`. */
   private predicate exprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e, int n) {
     exists(ArgumentOperand operand |
@@ -203,9 +243,8 @@ private module Cached {
       // result. However, the instruction actually represents the _address_ of
       // the argument. So to fix this mismatch, we have the indirection of the
       // `VariableAddressInstruction` map to the expression.
-      node.hasOperandAndIndirectionIndex(operand, 1) and
-      e = getConvertedResultExpression(operand.getDef(), n) and
-      operand.getDef().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
+      isIndirectOperandOfArgument(node, operand, e, n) and
+      irTempOperandConversionFlows(operand)
     )
   }
 
