C++: Fix missing type for Phi nodes.

MathiasVP · MathiasVP · commit 959237e8d217 · 2023-03-02T22:48:10.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -43,7 +43,7 @@ class Node0Impl extends TIRDataFlowNode0 {
   /**
    * Gets the type of this node.
    *
-   * If `asInstruction().isGLValue()` holds, then the type of this node
+   * If `isGLValue()` holds, then the type of this node
    * should be thought of as "pointer to `getType()`".
    */
   DataFlowType getType() { none() } // overridden in subclasses
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -498,7 +498,14 @@ class SsaPhiNode extends Node, TSsaPhiNode {
 
   override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
 
-  override DataFlowType getType() { result = this.getAnInput().getType().getUnspecifiedType() }
+  override DataFlowType getType() {
+    exists(Ssa::SourceVariable sv |
+      this.getPhiNode().definesAt(sv, _, _, _) and
+      result = sv.getType()
+    )
+  }
+
+  override predicate isGLValue() { phi.getSourceVariable().isGLValue() }
 
   final override Location getLocationImpl() { result = phi.getBasicBlock().getLocation() }
 
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -48,6 +48,16 @@ private module SourceVariables {
      * indirections) of this source variable.
      */
     abstract BaseSourceVariable getBaseVariable();
+
+    /** Holds if this variable is a glvalue. */
+    predicate isGLValue() { none() }
+
+    /**
+     * Gets the type of this source variable. If `isGLValue()` holds, then
+     * the type of this source variable should be thought of as "pointer
+     * to `getType()`".
+     */
+    abstract DataFlowType getType();
   }
 
   class SourceIRVariable extends SourceVariable, TSourceIRVariable {
@@ -66,6 +76,12 @@ private module SourceVariables {
       ind > 0 and
       result = this.getIRVariable().toString() + " indirection"
     }
+
+    override predicate isGLValue() { ind = 0 }
+
+    override DataFlowType getType() {
+      if ind = 0 then result = var.getType() else result = getTypeImpl(var.getType(), ind - 1)
+    }
   }
 
   class CallVariable extends SourceVariable, TCallVariable {
@@ -84,6 +100,8 @@ private module SourceVariables {
       ind > 0 and
       result = "Call indirection"
     }
+
+    override DataFlowType getType() { result = getTypeImpl(call.getResultType(), ind) }
   }
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected
@@ -1,8 +1,3 @@
 failures
 astTypeBugs
 irTypeBugs
-| test.cpp:15:3:15:6 | test.cpp:15:3:15:6 | test.cpp:15:3:15:6 | Phi |
-| test.cpp:43:10:43:20 | test.cpp:43:10:43:20 | test.cpp:43:10:43:20 | Phi |
-| test.cpp:43:10:43:20 | test.cpp:43:10:43:20 | test.cpp:43:10:43:20 | Phi |
-| test.cpp:628:3:628:18 | test.cpp:628:3:628:18 | test.cpp:628:3:628:18 | Phi |
-| test.cpp:628:3:628:18 | test.cpp:628:3:628:18 | test.cpp:628:3:628:18 | Phi |

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ class Node0Impl extends TIRDataFlowNode0 {`
`43`	`43`	`/**`
`44`	`44`	`* Gets the type of this node.`
`45`	`45`	`*`
`46`		- * If `asInstruction().isGLValue()` holds, then the type of this node
	`46`	+ * If `isGLValue()` holds, then the type of this node
`47`	`47`	* should be thought of as "pointer to `getType()`".
`48`	`48`	`*/`
`49`	`49`	`DataFlowType getType() { none() } // overridden in subclasses`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,16 @@ private module SourceVariables {`
`48`	`48`	`* indirections) of this source variable.`
`49`	`49`	`*/`
`50`	`50`	`abstract BaseSourceVariable getBaseVariable();`
	`51`	`+`
	`52`	`+ /** Holds if this variable is a glvalue. */`
	`53`	`+ predicate isGLValue() { none() }`
	`54`	`+`
	`55`	`+ /**`
	`56`	+ * Gets the type of this source variable. If `isGLValue()` holds, then
	`57`	`+ * the type of this source variable should be thought of as "pointer`
	`58`	+ * to `getType()`".
	`59`	`+ */`
	`60`	`+ abstract DataFlowType getType();`
`51`	`61`	`}`
`52`	`62`
`53`	`63`	`class SourceIRVariable extends SourceVariable, TSourceIRVariable {`
`@@ -66,6 +76,12 @@ private module SourceVariables {`
`66`	`76`	`ind > 0 and`
`67`	`77`	`result = this.getIRVariable().toString() + " indirection"`
`68`	`78`	`}`
	`79`	`+`
	`80`	`+ override predicate isGLValue() { ind = 0 }`
	`81`	`+`
	`82`	`+ override DataFlowType getType() {`
	`83`	`+ if ind = 0 then result = var.getType() else result = getTypeImpl(var.getType(), ind - 1)`
	`84`	`+ }`
`69`	`85`	`}`
`70`	`86`
`71`	`87`	`class CallVariable extends SourceVariable, TCallVariable {`
`@@ -84,6 +100,8 @@ private module SourceVariables {`
`84`	`100`	`ind > 0 and`
`85`	`101`	`result = "Call indirection"`
`86`	`102`	`}`
	`103`	`+`
	`104`	`+ override DataFlowType getType() { result = getTypeImpl(call.getResultType(), ind) }`
`87`	`105`	`}`
`88`	`106`	`}`
`89`	`107`