C++: add InitializeIndirection for pointer params

2025-12-21 11:16:30 +01:00 · 2019-10-18 11:06:09 -07:00
parent dfed7502b6
commit 8905159de7
15 changed files with 1118 additions and 912 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll
@@ -3,6 +3,7 @@ private newtype TOpcode =
  TUninitialized() or
  TError() or
  TInitializeParameter() or
+  TInitializeIndirection() or
  TInitializeThis() or
  TEnterFunction() or
  TExitFunction() or
@@ -177,6 +178,11 @@ module Opcode {
    final override string toString() { result = "InitializeParameter" }
  }

+  class InitializeIndirection extends MemoryAccessOpcode, TInitializeIndirection {
+    final override string toString() { result = "InitializeIndirection" }
+  }
+
+
  class InitializeThis extends Opcode, TInitializeThis {
    final override string toString() { result = "InitializeThis" }
  }
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -675,6 +675,14 @@ class InitializeParameterInstruction extends VariableInstruction {
  final override MemoryAccessKind getResultMemoryAccess() { result instanceof IndirectMemoryAccess }
 }

+class InitializeIndirectionInstruction extends VariableInstruction {
+  InitializeIndirectionInstruction() { getOpcode() instanceof Opcode::InitializeIndirection }
+
+  final Language::Parameter getParameter() { result = var.(IRUserVariable).getVariable() }
+
+  final override MemoryAccessKind getResultMemoryAccess() { result instanceof IndirectMemoryAccess }
+}
+
 /**
 * An instruction that initializes the `this` pointer parameter of the enclosing function.
 */
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -675,6 +675,14 @@ class InitializeParameterInstruction extends VariableInstruction {
  final override MemoryAccessKind getResultMemoryAccess() { result instanceof IndirectMemoryAccess }
 }

+class InitializeIndirectionInstruction extends VariableInstruction {
+  InitializeIndirectionInstruction() { getOpcode() instanceof Opcode::InitializeIndirection }
+
+  final Language::Parameter getParameter() { result = var.(IRUserVariable).getVariable() }
+
+  final override MemoryAccessKind getResultMemoryAccess() { result instanceof IndirectMemoryAccess }
+}
+
 /**
 * An instruction that initializes the `this` pointer parameter of the enclosing function.
 */
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
@@ -6,6 +6,8 @@ newtype TInstructionTag =
  InitializerVariableAddressTag() or
  InitializerLoadStringTag() or
  InitializerStoreTag() or
+  InitializerIndirectAddressTag() or
+  InitializerIndirectStoreTag() or
  ZeroPadStringConstantTag() or
  ZeroPadStringElementIndexTag() or
  ZeroPadStringElementAddressTag() or
@@ -78,6 +80,10 @@ string getInstructionTagId(TInstructionTag tag) {
  or
  tag = InitializerUninitializedTag() and result = "InitUninit"
  or
+  tag = InitializerIndirectAddressTag() and result = "InitIndirectAddr"
+  or
+  tag = InitializerIndirectStoreTag() and result = "InitIndirectStore"
+  or
  tag = ZeroPadStringConstantTag() and result = "ZeroPadConst"
  or
  tag = ZeroPadStringElementIndexTag() and result = "ZeroPadElemIndex"
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -329,6 +329,14 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
      result = getInstruction(InitializerStoreTag())
      or
      tag = InitializerStoreTag() and
+      if hasIndirection()
+      then result = getInstruction(InitializerIndirectAddressTag())
+      else result = getParent().getChildSuccessor(this)
+      or
+      tag = InitializerIndirectAddressTag() and
+      result = getInstruction(InitializerIndirectStoreTag())
+      or
+      tag = InitializerIndirectStoreTag() and
      result = getParent().getChildSuccessor(this)
    )
  }
@@ -347,12 +355,25 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
    opcode instanceof Opcode::InitializeParameter and
    resultType = getVariableType(param) and
    isGLValue = false
+    or
+    hasIndirection() and
+    tag = InitializerIndirectAddressTag() and
+    opcode instanceof Opcode::Load and
+    resultType = getVariableType(param) and // should this strip a layer of indirection? if so, should isGLValue be true?
+    isGLValue = false
+    or
+    hasIndirection() and
+    tag = InitializerIndirectStoreTag() and
+    opcode instanceof Opcode::InitializeIndirection and
+    resultType instanceof UnknownType and // TODO: differentiate single-element and multi-element pointers
+    isGLValue = false
  }

  final override IRVariable getInstructionVariable(InstructionTag tag) {
    (
      tag = InitializerStoreTag() or
-      tag = InitializerVariableAddressTag()
+      tag = InitializerVariableAddressTag() or
+      tag = InitializerIndirectStoreTag()
    ) and
    result = getIRUserVariable(getFunction(), param)
  }
@@ -363,6 +384,28 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
      operandTag instanceof AddressOperandTag and
      result = getInstruction(InitializerVariableAddressTag())
    )
+    or
+    // this feels a little strange, but I think it's the best we can do
+    tag = InitializerIndirectAddressTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = getInstruction(InitializerVariableAddressTag())
+      or
+      operandTag instanceof LoadOperandTag and
+      result = getInstruction(InitializerStoreTag())
+    )
+    or
+    tag = InitializerIndirectStoreTag() and
+    operandTag instanceof AddressOperandTag and
+    result = getInstruction(InitializerIndirectAddressTag())
+  }
+
+  predicate hasIndirection() {
+    exists(Type t | t = param.getUnspecifiedType() |
+      t instanceof ArrayType or
+      t instanceof PointerType or
+      t instanceof ReferenceType
+    )
  }
 }

--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -675,6 +675,14 @@ class InitializeParameterInstruction extends VariableInstruction {
  final override MemoryAccessKind getResultMemoryAccess() { result instanceof IndirectMemoryAccess }
 }

+class InitializeIndirectionInstruction extends VariableInstruction {
+  InitializeIndirectionInstruction() { getOpcode() instanceof Opcode::InitializeIndirection }
+
+  final Language::Parameter getParameter() { result = var.(IRUserVariable).getVariable() }
+
+  final override MemoryAccessKind getResultMemoryAccess() { result instanceof IndirectMemoryAccess }
+}
+
 /**
 * An instruction that initializes the `this` pointer parameter of the enclosing function.
 */