Merge branch 'main' into destructors-for-unconditional-unnamed

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -6,6 +6,7 @@ private import DataFlowImplCommon as DataFlowImplCommon
 private import DataFlowUtil
 private import semmle.code.cpp.models.interfaces.PointerWrapper
 private import DataFlowPrivate
+private import TypeFlow
 private import semmle.code.cpp.ir.ValueNumbering
 
 /**
@@ -955,11 +956,7 @@ private module Cached {
    * Holds if the address computed by `operand` is guaranteed to write
    * to a specific address.
    */
-  private predicate isCertainAddress(Operand operand) {
-    valueNumberOfOperand(operand).getAnInstruction() instanceof VariableAddressInstruction
-    or
-    operand.getType() instanceof Cpp::ReferenceType
-  }
+  private predicate isCertainAddress(Operand operand) { isPointerToSingleObject(operand.getDef()) }
 
   /**
    * Holds if `address` is a use of an SSA variable rooted at `base`, and the

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TypeFlow.qll

@@ -0,0 +1,278 @@
+private import cpp
+private import semmle.code.cpp.ir.IR
+private import codeql.typeflow.TypeFlow
+
+private module Input implements TypeFlowInput<Location> {
+  /** Holds if `alloc` dynamically allocates a single object. */
+  private predicate isSingleObjectAllocation(AllocationExpr alloc) {
+    // i.e., `new int`;
+    alloc instanceof NewExpr
+    or
+    // i.e., `malloc(sizeof(int))`
+    exists(SizeofTypeOperator sizeOf | sizeOf = alloc.getSizeExpr() |
+      not sizeOf.getTypeOperand().getUnspecifiedType() instanceof ArrayType
+    )
+  }
+
+  /**
+   * Holds if `i` is the result of a dynamic allocation.
+   *
+   * `isObject` is `true` if the allocation allocated a single object,
+   * and `false` otherwise.
+   */
+  private predicate isAllocation(Instruction i, boolean isObject) {
+    exists(AllocationExpr alloc | alloc = i.getUnconvertedResultExpression() |
+      if isSingleObjectAllocation(alloc) then isObject = true else isObject = false
+    )
+  }
+
+  private predicate hasExactSingleType(Instruction i) {
+    // The address of a variable is always a single object
+    i instanceof VariableAddressInstruction
+    or
+    // A reference always points to a single object
+    i.getResultLanguageType().hasUnspecifiedType(any(ReferenceType rt), false)
+    or
+    // `this` is never an array
+    i instanceof InitializeThisInstruction
+    or
+    // An allocation of a non-array object
+    isAllocation(i, true)
+  }
+
+  private predicate hasExactBufferType(Instruction i) {
+    // Anything with an array type is a buffer
+    i.getResultLanguageType().hasUnspecifiedType(any(ArrayType at), false)
+    or
+    // An allocation expression that we couldn't conclude allocated a single
+    // expression is assigned a buffer type.
+    isAllocation(i, false)
+  }
+
+  private newtype TTypeFlowNode =
+    TInstructionNode(Instruction i) or
+    TFunctionNode(IRFunction func)
+
+  abstract class TypeFlowNode extends TTypeFlowNode {
+    /** Gets a textual representation of this node. */
+    abstract string toString();
+
+    /**
+     * Gets the type of this node. This type may not be the most precise
+     * possible type, but will be used as a starting point of the analysis.
+     */
+    abstract Type getType();
+
+    /** Gets the location of this node. */
+    abstract Location getLocation();
+
+    /** Gets the underlying `Instruction` of this node, if any. */
+    Instruction asInstruction() { none() }
+
+    /** Gets the underlying `IRFunction` of this node, if any. */
+    IRFunction asFunction() { none() }
+
+    /** Holds if the value of this node is always null. */
+    abstract predicate isNullValue();
+  }
+
+  private class InstructionNode extends TypeFlowNode, TInstructionNode {
+    Instruction instr;
+
+    InstructionNode() { this = TInstructionNode(instr) }
+
+    override string toString() { result = instr.toString() }
+
+    override Type getType() {
+      if hasExactSingleType(instr) then result.isSingle() else result.isBuffer()
+    }
+
+    override Location getLocation() { result = instr.getLocation() }
+
+    override Instruction asInstruction() { result = instr }
+
+    override predicate isNullValue() {
+      instr.(ConstantInstruction).getValue() = "0" and
+      instr.getResultIRType() instanceof IRAddressType
+    }
+  }
+
+  /** Gets the `TypeFlowNode` corresponding to `i`. */
+  additional InstructionNode instructionNode(Instruction i) { result.asInstruction() = i }
+
+  private class FunctionNode extends TypeFlowNode, TFunctionNode {
+    IRFunction func;
+
+    FunctionNode() { this = TFunctionNode(func) }
+
+    override string toString() { result = func.toString() }
+
+    Instruction getReturnValueInstruction() {
+      result = func.getReturnInstruction().(ReturnValueInstruction).getReturnValue()
+    }
+
+    override Type getType() { result = instructionNode(this.getReturnValueInstruction()).getType() }
+
+    override Location getLocation() { result = func.getLocation() }
+
+    override IRFunction asFunction() { result = func }
+
+    override predicate isNullValue() {
+      instructionNode(this.getReturnValueInstruction()).isNullValue()
+    }
+  }
+
+  /**
+   * Gets an ultimiate definition of `phi`. That is, an input to `phi` that is
+   * not itself a `PhiInstruction`.
+   */
+  private Instruction getAnUltimateLocalDefinition(PhiInstruction phi) {
+    result = phi.getAnInput*() and not result instanceof PhiInstruction
+  }
+
+  /**
+   * Holds if this function is private (i.e., cannot be accessed outside its
+   * compilation unit). This means we can use a closed-world assumption about
+   * calls to this function.
+   */
+  private predicate isPrivate(Function func) {
+    // static functions have internal linkage
+    func.isStatic()
+    or
+    // anonymous namespaces have internal linkage
+    func.getNamespace().getParentNamespace*().isAnonymous()
+    or
+    // private member functions are only called internally from inside the class
+    func.(MemberFunction).isPrivate()
+  }
+
+  /**
+   * Holds if `arg` is an argument for the parameter `p` in a private callable.
+   */
+  pragma[nomagic]
+  private predicate privateParamArg(InitializeParameterInstruction p, Instruction arg) {
+    exists(CallInstruction call, int i, Function func |
+      call.getArgument(pragma[only_bind_into](i)) = arg and
+      func = call.getStaticCallTarget() and
+      func.getParameter(pragma[only_bind_into](i)) = p.getParameter() and
+      isPrivate(func)
+    )
+  }
+
+  predicate joinStep(TypeFlowNode n1, TypeFlowNode n2) {
+    // instruction -> phi
+    getAnUltimateLocalDefinition(n2.asInstruction()) = n1.asInstruction()
+    or
+    // return value -> function
+    n2.(FunctionNode).getReturnValueInstruction() = n1.asInstruction()
+    or
+    // function -> call
+    exists(Function func | func = n1.asFunction().getFunction() |
+      not func.isVirtual() and
+      n2.asInstruction().(CallInstruction).getStaticCallTarget() = func
+    )
+    or
+    // Argument -> parameter where the parameter's enclosing function
+    // is "private".
+    exists(Instruction arg, Instruction p |
+      privateParamArg(p, arg) and
+      n1.asInstruction() = arg and
+      n2.asInstruction() = p
+    )
+  }
+
+  /**
+   * Holds if knowing whether `i1` points to a single object or buffer implies
+   * knowing whether `i2` points to a single object or buffer.
+   */
+  private predicate instructionStep(Instruction i1, Instruction i2) {
+    i2.(CopyInstruction).getSourceValue() = i1
+    or
+    i2.(CopyValueInstruction).getSourceValue() = i1
+    or
+    i2.(ConvertInstruction).getUnary() = i1
+    or
+    i2.(CheckedConvertOrNullInstruction).getUnary() = i1
+    or
+    i2.(InheritanceConversionInstruction).getUnary() = i1
+    or
+    i2.(PointerArithmeticInstruction).getLeft() = i1
+  }
+
+  predicate step(TypeFlowNode n1, TypeFlowNode n2) {
+    instructionStep(n1.asInstruction(), n2.asInstruction())
+  }
+
+  predicate isNullValue(TypeFlowNode n) { n.isNullValue() }
+
+  private newtype TType =
+    TSingle() or
+    TBuffer()
+
+  class Type extends TType {
+    string toString() {
+      this.isSingle() and
+      result = "Single"
+      or
+      this.isBuffer() and
+      result = "Buffer"
+    }
+
+    /** Holds if this type is the type that represents a single object. */
+    predicate isSingle() { this = TSingle() }
+
+    /** Holds if this type is the type that represents a buffer. */
+    predicate isBuffer() { this = TBuffer() }
+
+    /**
+     * Gets a super type of this type, if any.
+     *
+     * The type relation is `Single <: Buffer`.
+     */
+    Type getASupertype() {
+      this.isSingle() and
+      result.isBuffer()
+    }
+  }
+
+  predicate exactTypeBase(TypeFlowNode n, Type t) {
+    exists(Instruction instr | instr = n.asInstruction() |
+      hasExactSingleType(instr) and t.isSingle()
+      or
+      hasExactBufferType(instr) and t.isBuffer()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate upcastCand(TypeFlowNode n, Type t1, Type t2) {
+    exists(TypeFlowNode next |
+      step(n, next)
+      or
+      joinStep(n, next)
+    |
+      n.getType() = t1 and
+      next.getType() = t2 and
+      t1 != t2
+    )
+  }
+
+  private predicate upcast(TypeFlowNode n, Type t1) {
+    exists(Type t2 | upcastCand(n, t1, t2) |
+      // No need for transitive closure since the subtyping relation is just `Single <: Buffer`
+      t1.getASupertype() = t2
+    )
+  }
+
+  predicate typeFlowBaseCand(TypeFlowNode n, Type t) { upcast(n, t) }
+}
+
+private module TypeFlow = Make<Location, Input>;
+
+/**
+ * Holds if `i` is an instruction that computes an address that points to a
+ * single object (as opposed to pointing into a buffer).
+ */
+pragma[nomagic]
+predicate isPointerToSingleObject(Instruction i) {
+  TypeFlow::bestTypeFlow(Input::instructionNode(i), any(Input::Type t | t.isSingle()), _)
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -544,8 +544,7 @@ private module IRDeclarationEntries {
    * An entity that represents a declaration entry in the database.
    *
    * This class exists to work around the fact that `DeclStmt`s in some cases
-   * do not have `DeclarationEntry`s. Currently, this is the case for:
-   * - `DeclStmt`s in template instantiations.
+   * do not have `DeclarationEntry`s in older databases.
    *
    * So instead, the IR works with `IRDeclarationEntry`s that synthesize missing
    * `DeclarationEntry`s when there is no result for `DeclStmt::getDeclarationEntry`.

cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll

@@ -123,7 +123,7 @@ class IteratorCrementNonMemberOperator extends Operator {
 }
 
 private class IteratorCrementNonMemberOperatorModel extends IteratorCrementNonMemberOperator,
-  DataFlowFunction
+  DataFlowFunction, SideEffectFunction, AliasFunction
 {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input = getIteratorArgumentInput(this, 0) and
@@ -131,6 +131,24 @@ private class IteratorCrementNonMemberOperatorModel extends IteratorCrementNonMe
     or
     input.isParameterDeref(0) and output.isReturnValueDeref()
   }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 0 and buffer = false
+  }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    // See the comment on `IteratorCrementMemberOperatorModel::hasSpecificWriteSideEffect`
+    // for an explanation of these values.
+    i = 0 and buffer = false and mustWrite = false
+  }
+
+  override predicate parameterNeverEscapes(int index) { none() }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
 }
 
 /**
@@ -146,7 +164,7 @@ class IteratorCrementMemberOperator extends MemberFunction {
 }
 
 private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOperator,
-  DataFlowFunction, TaintFunction
+  DataFlowFunction, TaintFunction, SideEffectFunction, AliasFunction
 {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierAddress() and
@@ -163,6 +181,28 @@ private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOp
     input.isQualifierObject() and
     output.isReturnValueDeref()
   }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = -1 and buffer = false
+  }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    // We have two choices here: either `buffer` must be `true` or `mustWrite`
+    // must be `false` to ensure that the IR alias analysis doesn't think that
+    // `it++` completely override the value of the iterator.
+    // We choose `mustWrite` must be `false`. In that case, the value of
+    // `buffer` isn't super important (it just decides which kind of read side
+    // effect will be emitted).
+    i = -1 and buffer = false and mustWrite = false
+  }
+
+  override predicate parameterNeverEscapes(int index) { index = -1 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
 }
 
 /**
@@ -332,7 +372,7 @@ class IteratorAssignArithmeticOperator extends Function {
  * non-member and member versions, use `IteratorPointerDereferenceOperator`.
  */
 class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
-  IteratorReferenceFunction
+  IteratorReferenceFunction, AliasFunction, SideEffectFunction
 {
   IteratorPointerDereferenceMemberOperator() {
     this.getClassAndName("operator*") instanceof Iterator
@@ -345,6 +385,18 @@ class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunc
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate parameterNeverEscapes(int index) { index = -1 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = -1 and buffer = false
+  }
 }
 
 /**
@@ -361,7 +413,7 @@ class IteratorPointerDereferenceNonMemberOperator extends Operator, IteratorRefe
 }
 
 private class IteratorPointerDereferenceNonMemberOperatorModel extends IteratorPointerDereferenceNonMemberOperator,
-  TaintFunction
+  TaintFunction, AliasFunction, SideEffectFunction
 {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input = getIteratorArgumentInput(this, 0) and
@@ -370,6 +422,18 @@ private class IteratorPointerDereferenceNonMemberOperatorModel extends IteratorP
     input.isReturnValueDeref() and
     output.isParameterDeref(0)
   }
+
+  override predicate parameterNeverEscapes(int index) { index = 0 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 0 and buffer = false
+  }
 }
 
 /**
@@ -420,6 +484,71 @@ class IteratorAssignmentMemberOperator extends MemberFunction {
   }
 }
 
+/**
+ * A member `operator==` or `operator!=` function for an iterator type.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorLogicalOperator`.
+ */
+class IteratorLogicalMemberOperator extends MemberFunction {
+  IteratorLogicalMemberOperator() {
+    this.getClassAndName(["operator!=", "operator=="]) instanceof Iterator
+  }
+}
+
+private class IteratorLogicalMemberOperatorModel extends IteratorLogicalMemberOperator,
+  AliasFunction, SideEffectFunction
+{
+  override predicate parameterNeverEscapes(int index) { index = [-1, 0] }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = -1 and buffer = false
+  }
+}
+
+/**
+ * A member `operator==` or `operator!=` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorLogicalOperator`.
+ */
+class IteratorLogicalNonMemberOperator extends Function {
+  IteratorLogicalNonMemberOperator() {
+    this.hasName(["operator!=", "operator=="]) and
+    exists(getIteratorArgumentInput(this, 0)) and
+    exists(getIteratorArgumentInput(this, 1))
+  }
+}
+
+private class IteratorLogicalNonMemberOperatorModel extends IteratorLogicalNonMemberOperator,
+  AliasFunction, SideEffectFunction
+{
+  override predicate parameterNeverEscapes(int index) { index = [0, 1] }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+}
+
+/**
+ * A (member or non-member) `operator==` or `operator!=` function for an iterator type.
+ */
+class IteratorLogicalOperator extends Function {
+  IteratorLogicalOperator() {
+    this instanceof IteratorLogicalNonMemberOperator
+    or
+    this instanceof IteratorLogicalMemberOperator
+  }
+}
+
 /**
  * An `operator=` member function of an iterator class that is not a copy or move assignment
  * operator.
@@ -428,12 +557,26 @@ class IteratorAssignmentMemberOperator extends MemberFunction {
  * `operator*` and use their own `operator=` to assign to the container.
  */
 private class IteratorAssignmentMemberOperatorModel extends IteratorAssignmentMemberOperator,
-  TaintFunction
+  TaintFunction, SideEffectFunction, AliasFunction
 {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
     output.isQualifierObject()
   }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    // See the comment on `IteratorCrementMemberOperatorModel::hasSpecificWriteSideEffect`
+    // for an explanation of these values.
+    i = -1 and buffer = false and mustWrite = false
+  }
+
+  override predicate parameterNeverEscapes(int index) { index = 0 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { index = -1 }
 }
 
 /**