C++: Expose SSA definitions from dataflow.

MathiasVP · MathiasVP · commit 5a91aa2105ba · 2025-07-31T13:45:03.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -2576,3 +2576,13 @@ Function getARuntimeTarget(Call call) {
     result = DataFlowImplCommon::viableCallableLambda(dfCall, _).asSourceCallable()
   )
 }
+
+class Definition = Ssa::Definition;
+
+class ExplicitDefinition = Ssa::ExplicitDefinition;
+
+class DirectExplicitDefinition = Ssa::DirectExplicitDefinition;
+
+class IndirectExplicitDefinition = Ssa::IndirectExplicitDefinition;
+
+class PhiNode = Ssa::PhiNode;
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -1140,6 +1140,15 @@ class Definition extends SsaImpl::Definition {
     not result instanceof PhiNode
   }
 
+  /** Gets a `Node` that represents a use of this definition. */
+  Node getAUse() {
+    exists(SourceVariable sv, IRBlock bb, int i, UseImpl use |
+      ssaDefReachesRead(sv, this, bb, i) and
+      use.hasIndexInBlock(bb, i, sv) and
+      result = use.getNode()
+    )
+  }
+
   /**
    * INTERNAL: Do not use.
    */
@@ -1172,4 +1181,54 @@ class Definition extends SsaImpl::Definition {
   Type getUnspecifiedType() { result = this.getUnderlyingType().getUnspecifiedType() }
 }
 
+/**
+ * An SSA definition that corresponds to an explicit definition.
+ */
+class ExplicitDefinition extends Definition, SsaImpl::WriteDefinition {
+  DefImpl def;
+
+  ExplicitDefinition() {
+    exists(IRBlock bb, int i, SourceVariable sv |
+      this.definesAt(sv, bb, i) and
+      def.hasIndexInBlock(sv, bb, i)
+    )
+  }
+
+  /**
+   * Gets the `Node` computing the value that is written by this SSA definition.
+   */
+  Node getAssignedValue() { result.asInstruction() = def.getValue().asInstruction() }
+}
+
+/**
+ * An explicit SSA definition that writes an indirect value to a pointer.
+ *
+ * For example in:
+ * ```cpp
+ * int x = 42;  // (1)
+ * int* p = &x; // (2)
+ * ```
+ * There are three `ExplicitDefinition`:
+ * 1. A `DirectExplicitDefinition` at (1) which writes `42` to the SSA variable
+ * corresponding to `x`.
+ * 2. A `DirectExplicitDefinition` at (2) which writes `&x` to the SSA variable
+ * corresponding to `p`.
+ * 3. A `IndirectExplicitDefinition` at (2) which writes `*&x` (i.e., `x`) to
+ * the SSA vairable corresponding to `*p`.
+ */
+class IndirectExplicitDefinition extends ExplicitDefinition {
+  IndirectExplicitDefinition() { this.getIndirectionIndex() > 0 }
+}
+
+/**
+ * An SSA definition that corresponds to an explicit definition.
+ *
+ * Unlike `ExplicitDefinition` this class does not include indirect
+ * explicit definition. See `IndirectExplicitDefinition` if you want to include
+ * those.
+ */
+class DirectExplicitDefinition extends ExplicitDefinition {
+  DirectExplicitDefinition() { this.getIndirectionIndex() = 0 }
+}
+
 import SsaCached

Original file line number	Diff line number	Diff line change
`@@ -2576,3 +2576,13 @@ Function getARuntimeTarget(Call call) {`
`2576`	`2576`	`result = DataFlowImplCommon::viableCallableLambda(dfCall, _).asSourceCallable()`
`2577`	`2577`	`)`
`2578`	`2578`	`}`
	`2579`	`+`
	`2580`	`+class Definition = Ssa::Definition;`
	`2581`	`+`
	`2582`	`+class ExplicitDefinition = Ssa::ExplicitDefinition;`
	`2583`	`+`
	`2584`	`+class DirectExplicitDefinition = Ssa::DirectExplicitDefinition;`
	`2585`	`+`
	`2586`	`+class IndirectExplicitDefinition = Ssa::IndirectExplicitDefinition;`
	`2587`	`+`
	`2588`	`+class PhiNode = Ssa::PhiNode;`