C++: add AliasedDefinition for aliased SSA

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -54,6 +54,7 @@ private newtype TOpcode =
   TUnwind() or
   TUnmodeledDefinition() or
   TUnmodeledUse() or
+  TAliasedDefinition() or
   TPhi() or
   TVarArgsStart() or
   TVarArgsEnd() or
@@ -180,6 +181,7 @@ module Opcode {
   class Unwind extends Opcode, TUnwind { override final string toString() { result = "Unwind" } }
   class UnmodeledDefinition extends Opcode, TUnmodeledDefinition { override final string toString() { result = "UnmodeledDefinition" } }
   class UnmodeledUse extends Opcode, TUnmodeledUse { override final string toString() { result = "UnmodeledUse" } }
+  class AliasedDefinition extends Opcode, TAliasedDefinition { override final string toString() { result = "AliasedDefinition" } }
   class Phi extends Opcode, TPhi { override final string toString() { result = "Phi" } }
   class VarArgsStart extends BuiltInOpcode, TVarArgsStart { override final string toString() { result = "VarArgsStart" } }
   class VarArgsEnd extends BuiltInOpcode, TVarArgsEnd { override final string toString() { result = "VarArgsEnd" } }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -1322,6 +1322,16 @@ class UnmodeledDefinitionInstruction extends Instruction {
   }
 }
 
+class AliasedDefinitionInstruction extends Instruction {
+  AliasedDefinitionInstruction() {
+    opcode instanceof Opcode::AliasedDefinition
+  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof EscapedMemoryAccess
+  }
+}
+
 class UnmodeledUseInstruction extends Instruction {
   UnmodeledUseInstruction() {
     opcode instanceof Opcode::UnmodeledUse

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -93,7 +93,8 @@ private newtype TMemoryAccess =
     )
   }
   or
-  TUnknownMemoryAccess(UnknownVirtualVariable uvv)
+  TUnknownMemoryAccess(UnknownVirtualVariable uvv) or
+  TTotalUnknownMemoryAccess(UnknownVirtualVariable uvv)
 
 private VariableMemoryAccess getVariableMemoryAccess(IRVariable var, IntValue offset, IntValue size) {
   result.getVirtualVariable() = getVirtualVariable(var) and
@@ -170,6 +171,26 @@ class UnknownMemoryAccess extends TUnknownMemoryAccess, MemoryAccess {
   }
 }
 
+class TotalUnknownMemoryAccess extends TTotalUnknownMemoryAccess, MemoryAccess {
+  UnknownVirtualVariable vvar;
+  
+  TotalUnknownMemoryAccess() {
+    this = TTotalUnknownMemoryAccess(vvar)
+  }
+  
+  final override string toString() {
+    result = vvar.toString()
+  }
+  
+  final override VirtualVariable getVirtualVariable() {
+    result = vvar
+  }
+  
+  Type getType() {
+    result instanceof UnknownType
+  }
+}
+
 Overlap getOverlap(MemoryAccess def, MemoryAccess use) {
   def instanceof VariableMemoryAccess and
   def = use and
@@ -200,10 +221,16 @@ Overlap getOverlap(MemoryAccess def, MemoryAccess use) {
   )
   or
   exists(UnknownVirtualVariable uvv |
-    uvv = def.getVirtualVariable() and
+    def = TUnknownMemoryAccess(uvv) and
     uvv = use.getVirtualVariable() and
     result instanceof MayPartiallyOverlap
   )
+  or
+  exists(UnknownVirtualVariable uvv |
+    def = TTotalUnknownMemoryAccess(uvv) and
+    uvv = use.getVirtualVariable() and
+    result instanceof MustTotallyOverlap
+  )
 }
 
 MemoryAccess getResultMemoryAccess(Instruction instr) {
@@ -215,8 +242,14 @@ MemoryAccess getResultMemoryAccess(Instruction instr) {
     resultPointsTo(instr.getAnOperand().(AddressOperand).getDefinitionInstruction(), var, i) and
     result = getVariableMemoryAccess(var, i, instr.getResultSize())
   )
-  else
-    result = TUnknownMemoryAccess(TUnknownVirtualVariable(instr.getFunctionIR()))
+  else (
+    result = TUnknownMemoryAccess(TUnknownVirtualVariable(instr.getFunctionIR())) and
+    not instr instanceof UnmodeledDefinitionInstruction and
+    not instr instanceof AliasedDefinitionInstruction
+    or
+    result = TTotalUnknownMemoryAccess(TUnknownVirtualVariable(instr.getFunctionIR())) and
+    instr instanceof AliasedDefinitionInstruction
+  )
 }
 
 MemoryAccess getOperandMemoryAccess(Operand operand) {
@@ -228,6 +261,8 @@ MemoryAccess getOperandMemoryAccess(Operand operand) {
     resultPointsTo(operand.getAddressOperand().getDefinitionInstruction(), var, i) and
     result = getVariableMemoryAccess(var, i, operand.getDefinitionInstruction().getResultSize())
   )
-  else
-    result = TUnknownMemoryAccess(TUnknownVirtualVariable(operand.getInstruction().getFunctionIR()))
+  else (
+    result = TUnknownMemoryAccess(TUnknownVirtualVariable(operand.getInstruction().getFunctionIR())) and
+    not operand.getInstruction() instanceof UnmodeledUseInstruction
+  )
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -157,7 +157,7 @@ cached private module Cached {
               else
                 result = getPhiInstruction(instruction.getFunction(), defBlock, vvar)
             )
-          ) 
+          )
           else (
             result = instruction.getFunctionIR().getUnmodeledDefinitionInstruction()
           )

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -1322,6 +1322,16 @@ class UnmodeledDefinitionInstruction extends Instruction {
   }
 }
 
+class AliasedDefinitionInstruction extends Instruction {
+  AliasedDefinitionInstruction() {
+    opcode instanceof Opcode::AliasedDefinition
+  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof EscapedMemoryAccess
+  }
+}
+
 class UnmodeledUseInstruction extends Instruction {
   UnmodeledUseInstruction() {
     opcode instanceof Opcode::UnmodeledUse

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -40,6 +40,7 @@ newtype TInstructionTag =
   ExitFunctionTag() or
   UnmodeledDefinitionTag() or
   UnmodeledUseTag() or
+  AliasedDefinitionTag() or
   SwitchBranchTag() or
   CallTargetTag() or
   CallTag() or

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -76,6 +76,9 @@ class TranslatedFunction extends TranslatedElement,
     (
       (
         tag = EnterFunctionTag() and
+        result = getInstruction(AliasedDefinitionTag())
+      ) or (
+        tag = AliasedDefinitionTag() and
         result = getInstruction(UnmodeledDefinitionTag())
       ) or
       (
@@ -153,6 +156,12 @@ class TranslatedFunction extends TranslatedElement,
         resultType instanceof UnknownType and
         isGLValue = false
       ) or
+      (
+        tag = AliasedDefinitionTag() and
+        opcode instanceof Opcode::AliasedDefinition and
+        resultType instanceof UnknownType and
+        isGLValue = false
+      ) or
       (
         tag = InitializeThisTag() and
         opcode instanceof Opcode::InitializeThis and

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -1322,6 +1322,16 @@ class UnmodeledDefinitionInstruction extends Instruction {
   }
 }
 
+class AliasedDefinitionInstruction extends Instruction {
+  AliasedDefinitionInstruction() {
+    opcode instanceof Opcode::AliasedDefinition
+  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof EscapedMemoryAccess
+  }
+}
+
 class UnmodeledUseInstruction extends Instruction {
   UnmodeledUseInstruction() {
     opcode instanceof Opcode::UnmodeledUse