Merge pull request github#3587 from rdmarsh2/ir-this-parameter-2

C++: IR return indirections for `this`

Author: jbj

cpp/ql/src/semmle/code/cpp/Parameter.qll

@@ -165,6 +165,7 @@ class Parameter extends LocalScopeVariable, @parameter {
 class ParameterIndex extends int {
   ParameterIndex() {
     exists(Parameter p | this = p.getIndex()) or
-    exists(Call c | exists(c.getArgument(this))) // permit indexing varargs
+    exists(Call c | exists(c.getArgument(this))) or // permit indexing varargs
+    this = -1 // used for `this`
   }
 }

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -86,7 +86,12 @@ class ReturnValueNode extends ReturnNode {
 class ReturnIndirectionNode extends ReturnNode {
   override ReturnIndirectionInstruction primary;
 
-  override ReturnKind getKind() { result = TIndirectReturnKind(primary.getParameter().getIndex()) }
+  override ReturnKind getKind() {
+    result = TIndirectReturnKind(-1) and
+    primary.isThisIndirection()
+    or
+    result = TIndirectReturnKind(primary.getParameter().getIndex())
+  }
 }
 
 /** A data flow node that represents the output of a call. */

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -217,19 +217,23 @@ class IRThrowVariable extends IRTempVariable {
  * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
  * function that accepts a variable number of arguments.
  */
-class IREllipsisVariable extends IRTempVariable {
+class IREllipsisVariable extends IRTempVariable, IRParameter {
   IREllipsisVariable() { tag = EllipsisTempVar() }
 
   final override string toString() { result = "#ellipsis" }
+
+  final override int getIndex() { result = func.getNumberOfParameters() }
 }
 
 /**
  * A temporary variable generated to hold the `this` pointer.
  */
-class IRThisVariable extends IRTempVariable {
+class IRThisVariable extends IRTempVariable, IRParameter {
   IRThisVariable() { tag = ThisTempVar() }
 
   final override string toString() { result = "#this" }
+
+  final override int getIndex() { result = -1 }
 }
 
 /**
@@ -274,3 +278,29 @@ class IRDynamicInitializationFlag extends IRGeneratedVariable, TIRDynamicInitial
 
   final override string getBaseString() { result = "#init:" + var.toString() + ":" }
 }
+
+/**
+ * An IR variable which acts like a function parameter, including positional parameters and the
+ * temporary variables generated for `this` and ellipsis parameters.
+ */
+class IRParameter extends IRAutomaticVariable {
+  IRParameter() {
+    this.(IRAutomaticUserVariable).getVariable() instanceof Language::Parameter
+    or
+    this = TIRTempVariable(_, _, ThisTempVar(), _)
+    or
+    this = TIRTempVariable(_, _, EllipsisTempVar(), _)
+  }
+
+  /**
+   * Gets the zero-based index of this parameter. The `this` parameter has index -1.
+   */
+  int getIndex() { none() }
+}
+
+/**
+ * An IR variable representing a positional parameter.
+ */
+class IRPositionalParameter extends IRParameter, IRAutomaticUserVariable {
+  final override int getIndex() { result = getVariable().(Language::Parameter).getIndex() }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -541,6 +541,11 @@ class ReturnIndirectionInstruction extends VariableInstruction {
    * function.
    */
   final Language::Parameter getParameter() { result = var.(IRUserVariable).getVariable() }
+
+  /**
+   * Holds if this instruction is the return indirection for `this`.
+   */
+  final predicate isThisIndirection() { var instanceof IRThisVariable }
 }
 
 class CopyInstruction extends Instruction {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -217,19 +217,23 @@ class IRThrowVariable extends IRTempVariable {
  * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
  * function that accepts a variable number of arguments.
  */
-class IREllipsisVariable extends IRTempVariable {
+class IREllipsisVariable extends IRTempVariable, IRParameter {
   IREllipsisVariable() { tag = EllipsisTempVar() }
 
   final override string toString() { result = "#ellipsis" }
+
+  final override int getIndex() { result = func.getNumberOfParameters() }
 }
 
 /**
  * A temporary variable generated to hold the `this` pointer.
  */
-class IRThisVariable extends IRTempVariable {
+class IRThisVariable extends IRTempVariable, IRParameter {
   IRThisVariable() { tag = ThisTempVar() }
 
   final override string toString() { result = "#this" }
+
+  final override int getIndex() { result = -1 }
 }
 
 /**
@@ -274,3 +278,29 @@ class IRDynamicInitializationFlag extends IRGeneratedVariable, TIRDynamicInitial
 
   final override string getBaseString() { result = "#init:" + var.toString() + ":" }
 }
+
+/**
+ * An IR variable which acts like a function parameter, including positional parameters and the
+ * temporary variables generated for `this` and ellipsis parameters.
+ */
+class IRParameter extends IRAutomaticVariable {
+  IRParameter() {
+    this.(IRAutomaticUserVariable).getVariable() instanceof Language::Parameter
+    or
+    this = TIRTempVariable(_, _, ThisTempVar(), _)
+    or
+    this = TIRTempVariable(_, _, EllipsisTempVar(), _)
+  }
+
+  /**
+   * Gets the zero-based index of this parameter. The `this` parameter has index -1.
+   */
+  int getIndex() { none() }
+}
+
+/**
+ * An IR variable representing a positional parameter.
+ */
+class IRPositionalParameter extends IRParameter, IRAutomaticUserVariable {
+  final override int getIndex() { result = getVariable().(Language::Parameter).getIndex() }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -541,6 +541,11 @@ class ReturnIndirectionInstruction extends VariableInstruction {
    * function.
    */
   final Language::Parameter getParameter() { result = var.(IRUserVariable).getVariable() }
+
+  /**
+   * Holds if this instruction is the return indirection for `this`.
+   */
+  final predicate isThisIndirection() { var instanceof IRThisVariable }
 }
 
 class CopyInstruction extends Instruction {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -415,8 +415,11 @@ newtype TTranslatedElement =
   } or
   TTranslatedEllipsisParameter(Function func) { translateFunction(func) and func.isVarargs() } or
   TTranslatedReadEffects(Function func) { translateFunction(func) } or
+  TTranslatedThisReadEffect(Function func) {
+    translateFunction(func) and func.isMember() and not func.isStatic()
+  } or
   // The read side effects in a function's return block
-  TTranslatedReadEffect(Parameter param) {
+  TTranslatedParameterReadEffect(Parameter param) {
     translateFunction(param.getFunction()) and
     exists(Type t | t = param.getUnspecifiedType() |
       t instanceof ArrayType or

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -676,14 +676,17 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects {
   override string toString() { result = "read effects: " + func.toString() }
 
   override TranslatedElement getChild(int id) {
-    result = getTranslatedReadEffect(func.getParameter(id))
+    result = getTranslatedThisReadEffect(func) and
+    id = -1
+    or
+    result = getTranslatedParameterReadEffect(func.getParameter(id))
   }
 
   override Instruction getFirstInstruction() {
     if exists(getAChild())
     then
       result =
-        min(TranslatedReadEffect child, int id | child = getChild(id) | child order by id)
+        min(TranslatedElement child, int id | child = getChild(id) | child order by id)
             .getFirstInstruction()
     else result = getParent().getChildSuccessor(this)
   }
@@ -709,17 +712,15 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects {
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
 }
 
-private TranslatedReadEffect getTranslatedReadEffect(Parameter param) { result.getAST() = param }
-
-class TranslatedReadEffect extends TranslatedElement, TTranslatedReadEffect {
-  Parameter param;
-
-  TranslatedReadEffect() { this = TTranslatedReadEffect(param) }
-
-  override Locatable getAST() { result = param }
+private TranslatedThisReadEffect getTranslatedThisReadEffect(Function func) {
+  result.getAST() = func
+}
 
-  override string toString() { result = "read effect: " + param.toString() }
+private TranslatedParameterReadEffect getTranslatedParameterReadEffect(Parameter param) {
+  result.getAST() = param
+}
 
+abstract class TranslatedReadEffect extends TranslatedElement {
   override TranslatedElement getChild(int id) { none() }
 
   override Instruction getChildSuccessor(TranslatedElement child) { none() }
@@ -732,27 +733,60 @@ class TranslatedReadEffect extends TranslatedElement, TTranslatedReadEffect {
 
   override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
 
-  override Function getFunction() { result = param.getFunction() }
-
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
     opcode instanceof Opcode::ReturnIndirection and
     tag = OnlyInstructionTag() and
     resultType = getVoidType()
   }
 
-  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = OnlyInstructionTag() and
-    operandTag = addressOperand() and
-    result = getTranslatedParameter(param).getInstruction(InitializerIndirectAddressTag())
-  }
-
   final override CppType getInstructionMemoryOperandType(
     InstructionTag tag, TypedOperandTag operandTag
   ) {
     tag = OnlyInstructionTag() and
     operandTag = sideEffectOperand() and
     result = getUnknownType()
   }
+}
+
+class TranslatedThisReadEffect extends TranslatedReadEffect, TTranslatedThisReadEffect {
+  Function func;
+
+  TranslatedThisReadEffect() { this = TTranslatedThisReadEffect(func) }
+
+  override Locatable getAST() { result = func }
+
+  override Function getFunction() { result = func }
+
+  override string toString() { result = "read effect: this" }
+
+  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = OnlyInstructionTag() and
+    operandTag = addressOperand() and
+    result = getTranslatedThisParameter(func).getInstruction(InitializerIndirectAddressTag())
+  }
+
+  final override IRVariable getInstructionVariable(InstructionTag tag) {
+    tag = OnlyInstructionTag() and
+    result = getTranslatedFunction(func).getThisVariable()
+  }
+}
+
+class TranslatedParameterReadEffect extends TranslatedReadEffect, TTranslatedParameterReadEffect {
+  Parameter param;
+
+  TranslatedParameterReadEffect() { this = TTranslatedParameterReadEffect(param) }
+
+  override Locatable getAST() { result = param }
+
+  override string toString() { result = "read effect: " + param.toString() }
+
+  override Function getFunction() { result = param.getFunction() }
+
+  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = OnlyInstructionTag() and
+    operandTag = addressOperand() and
+    result = getTranslatedParameter(param).getInstruction(InitializerIndirectAddressTag())
+  }
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {
     tag = OnlyInstructionTag() and

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -217,19 +217,23 @@ class IRThrowVariable extends IRTempVariable {
  * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
  * function that accepts a variable number of arguments.
  */
-class IREllipsisVariable extends IRTempVariable {
+class IREllipsisVariable extends IRTempVariable, IRParameter {
   IREllipsisVariable() { tag = EllipsisTempVar() }
 
   final override string toString() { result = "#ellipsis" }
+
+  final override int getIndex() { result = func.getNumberOfParameters() }
 }
 
 /**
  * A temporary variable generated to hold the `this` pointer.
  */
-class IRThisVariable extends IRTempVariable {
+class IRThisVariable extends IRTempVariable, IRParameter {
   IRThisVariable() { tag = ThisTempVar() }
 
   final override string toString() { result = "#this" }
+
+  final override int getIndex() { result = -1 }
 }
 
 /**
@@ -274,3 +278,29 @@ class IRDynamicInitializationFlag extends IRGeneratedVariable, TIRDynamicInitial
 
   final override string getBaseString() { result = "#init:" + var.toString() + ":" }
 }
+
+/**
+ * An IR variable which acts like a function parameter, including positional parameters and the
+ * temporary variables generated for `this` and ellipsis parameters.
+ */
+class IRParameter extends IRAutomaticVariable {
+  IRParameter() {
+    this.(IRAutomaticUserVariable).getVariable() instanceof Language::Parameter
+    or
+    this = TIRTempVariable(_, _, ThisTempVar(), _)
+    or
+    this = TIRTempVariable(_, _, EllipsisTempVar(), _)
+  }
+
+  /**
+   * Gets the zero-based index of this parameter. The `this` parameter has index -1.
+   */
+  int getIndex() { none() }
+}
+
+/**
+ * An IR variable representing a positional parameter.
+ */
+class IRPositionalParameter extends IRParameter, IRAutomaticUserVariable {
+  final override int getIndex() { result = getVariable().(Language::Parameter).getIndex() }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -541,6 +541,11 @@ class ReturnIndirectionInstruction extends VariableInstruction {
    * function.
    */
   final Language::Parameter getParameter() { result = var.(IRUserVariable).getVariable() }
+
+  /**
+   * Holds if this instruction is the return indirection for `this`.
+   */
+  final predicate isThisIndirection() { var instanceof IRThisVariable }
 }
 
 class CopyInstruction extends Instruction {