Merge pull request #5854 from dbartol/dbartol/smart-pointers/side-effects

C++: Generate side effect instructions for smart pointer indirections

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -416,3 +416,46 @@ predicate addressOperandAllocationAndOffset(
     )
   )
 }
+
+/**
+ * Predicates used only for printing annotated IR dumps. These should not be used in production
+ * queries.
+ */
+module Print {
+  string getOperandProperty(Operand operand, string key) {
+    key = "alloc" and
+    result =
+      strictconcat(Configuration::Allocation allocation, IntValue bitOffset |
+        addressOperandAllocationAndOffset(operand, allocation, bitOffset)
+      |
+        allocation.toString() + Ints::getBitOffsetString(bitOffset), ", "
+      )
+    or
+    key = "prop" and
+    result =
+      strictconcat(Instruction destInstr, IntValue bitOffset, string value |
+        operandIsPropagatedIncludingByCall(operand, bitOffset, destInstr) and
+        if destInstr = operand.getUse()
+        then value = "@" + Ints::getBitOffsetString(bitOffset) + "->result"
+        else value = "@" + Ints::getBitOffsetString(bitOffset) + "->" + destInstr.getResultId()
+      |
+        value, ", "
+      )
+  }
+
+  string getInstructionProperty(Instruction instr, string key) {
+    key = "prop" and
+    result =
+      strictconcat(IntValue bitOffset, Operand sourceOperand, string value |
+        operandIsPropagatedIncludingByCall(sourceOperand, bitOffset, instr) and
+        if instr = sourceOperand.getUse()
+        then value = sourceOperand.getDumpId() + Ints::getBitOffsetString(bitOffset) + "->@"
+        else
+          value =
+            sourceOperand.getUse().getResultId() + "." + sourceOperand.getDumpId() +
+              Ints::getBitOffsetString(bitOffset) + "->@"
+      |
+        value, ", "
+      )
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll

@@ -0,0 +1,19 @@
+/**
+ * Include this module to annotate IR dumps with information computed by `AliasAnalysis.qll`.
+ */
+
+private import AliasAnalysisInternal
+private import InputIR
+private import AliasAnalysisImports
+private import AliasAnalysis
+private import semmle.code.cpp.ir.internal.IntegerConstant
+
+private class AliasPropertyProvider extends IRPropertyProvider {
+  override string getOperandProperty(Operand operand, string key) {
+    result = Print::getOperandProperty(operand, key)
+  }
+
+  override string getInstructionProperty(Instruction instr, string key) {
+    result = Print::getInstructionProperty(instr, key)
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -1073,7 +1073,10 @@ module SSAConsistency {
       locationCount > 1 and
       func = operand.getEnclosingIRFunction() and
       funcText = Language::getIdentityString(func.getFunction()) and
-      message = "Operand has " + locationCount.toString() + " memory accesses in function '$@'."
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
     )
   }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -7,6 +7,7 @@
 
 private import cpp
 private import semmle.code.cpp.ir.implementation.Opcode
+private import semmle.code.cpp.models.interfaces.PointerWrapper
 private import semmle.code.cpp.models.interfaces.SideEffect
 
 /**
@@ -39,7 +40,8 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
       exists(Type t | t = expr.getUnspecifiedType() |
         t instanceof ArrayType or
         t instanceof PointerType or
-        t instanceof ReferenceType
+        t instanceof ReferenceType or
+        t instanceof PointerWrapper
       ) and
       (
         isWrite = true and

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll

@@ -416,3 +416,46 @@ predicate addressOperandAllocationAndOffset(
     )
   )
 }
+
+/**
+ * Predicates used only for printing annotated IR dumps. These should not be used in production
+ * queries.
+ */
+module Print {
+  string getOperandProperty(Operand operand, string key) {
+    key = "alloc" and
+    result =
+      strictconcat(Configuration::Allocation allocation, IntValue bitOffset |
+        addressOperandAllocationAndOffset(operand, allocation, bitOffset)
+      |
+        allocation.toString() + Ints::getBitOffsetString(bitOffset), ", "
+      )
+    or
+    key = "prop" and
+    result =
+      strictconcat(Instruction destInstr, IntValue bitOffset, string value |
+        operandIsPropagatedIncludingByCall(operand, bitOffset, destInstr) and
+        if destInstr = operand.getUse()
+        then value = "@" + Ints::getBitOffsetString(bitOffset) + "->result"
+        else value = "@" + Ints::getBitOffsetString(bitOffset) + "->" + destInstr.getResultId()
+      |
+        value, ", "
+      )
+  }
+
+  string getInstructionProperty(Instruction instr, string key) {
+    key = "prop" and
+    result =
+      strictconcat(IntValue bitOffset, Operand sourceOperand, string value |
+        operandIsPropagatedIncludingByCall(sourceOperand, bitOffset, instr) and
+        if instr = sourceOperand.getUse()
+        then value = sourceOperand.getDumpId() + Ints::getBitOffsetString(bitOffset) + "->@"
+        else
+          value =
+            sourceOperand.getUse().getResultId() + "." + sourceOperand.getDumpId() +
+              Ints::getBitOffsetString(bitOffset) + "->@"
+      |
+        value, ", "
+      )
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll

@@ -0,0 +1,19 @@
+/**
+ * Include this module to annotate IR dumps with information computed by `AliasAnalysis.qll`.
+ */
+
+private import AliasAnalysisInternal
+private import InputIR
+private import AliasAnalysisImports
+private import AliasAnalysis
+private import semmle.code.cpp.ir.internal.IntegerConstant
+
+private class AliasPropertyProvider extends IRPropertyProvider {
+  override string getOperandProperty(Operand operand, string key) {
+    result = Print::getOperandProperty(operand, key)
+  }
+
+  override string getInstructionProperty(Instruction instr, string key) {
+    result = Print::getInstructionProperty(instr, key)
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -1073,7 +1073,10 @@ module SSAConsistency {
       locationCount > 1 and
       func = operand.getEnclosingIRFunction() and
       funcText = Language::getIdentityString(func.getFunction()) and
-      message = "Operand has " + locationCount.toString() + " memory accesses in function '$@'."
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
     )
   }
 

cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll

@@ -157,11 +157,11 @@ private class SmartPtrSetterFunction extends MemberFunction, AliasFunction, Side
           // parameter.
           result.isParameter(1)
         else result.isParameterDeref(0)
+        or
+        // One of the functions that takes ownership of a raw pointer.
+        param0.getUnspecifiedType() instanceof PointerType and
+        result.isParameter(0)
       )
-      or
-      // One of the functions that takes ownership of a raw pointer.
-      param0.getUnspecifiedType() instanceof PointerType and
-      result.isParameter(0)
     )
   }
 }