Merge pull request #2667 from dbartol/dbartol/NoEscape
C++/C#: Make escape analysis unsound by default
@@ -1,3 +1,7 @@
|
||||
/**
|
||||
* Module used to configure the IR generation process.
|
||||
*/
|
||||
|
||||
private import internal.IRConfigurationInternal
|
||||
|
||||
private newtype TIRConfiguration = MkIRConfiguration()
|
||||
@@ -13,3 +17,18 @@ class IRConfiguration extends TIRConfiguration {
|
||||
*/
|
||||
predicate shouldCreateIRForFunction(Language::Function func) { any() }
|
||||
}
|
||||
|
||||
private newtype TIREscapeAnalysisConfiguration = MkIREscapeAnalysisConfiguration()
|
||||
|
||||
/**
|
||||
* The query can extend this class to control what escape analysis is used when generating SSA.
|
||||
*/
|
||||
class IREscapeAnalysisConfiguration extends TIREscapeAnalysisConfiguration {
|
||||
string toString() { result = "IREscapeAnalysisConfiguration" }
|
||||
|
||||
/**
|
||||
* Holds if the escape analysis done by SSA construction should be sound. By default, the SSA is
|
||||
* built assuming that no variable's address ever escapes.
|
||||
*/
|
||||
predicate useSoundEscapeAnalysis() { none() }
|
||||
}
|
||||
|
||||
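Review bot: The doc comment on `useSoundEscapeAnalysis()` states what the default assumes but not what that means for a query author. With `none()` as the default, SSA is built as if no local's address ever escapes, and the expected-output hunks later in this commit show IR data-flow results changing on that basis. I would add a line to the comment such as `* Queries that need writes through pointers to locals modeled should import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis.` so that a security query relying on precise results through address-taken locals opts in deliberately.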
@@ -0,0 +1,9 @@
|
||||
import IRConfiguration
|
||||
|
||||
/**
|
||||
* Overrides the default IR configuration to use sound escape analysis, instead of assuming that
|
||||
* variable addresses never escape.
|
||||
*/
|
||||
class SoundEscapeAnalysisConfiguration extends IREscapeAnalysisConfiguration {
|
||||
override predicate useSoundEscapeAnalysis() { any() }
|
||||
}
|
||||
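Review bot: `import IRConfiguration` at the top of this new file is a public import, so a query that imports this module only to flip the setting also gets IRConfiguration's declarations re-exported into its namespace. Unless that re-export is intended, `private import IRConfiguration` keeps the module's surface to the one class it defines. The configuration file earlier in this commit already uses a private import for its internal dependency.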
@@ -2,6 +2,7 @@ private import AliasAnalysisInternal
|
||||
private import cpp
|
||||
private import InputIR
|
||||
private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
|
||||
private import semmle.code.cpp.ir.implementation.IRConfiguration
|
||||
private import semmle.code.cpp.models.interfaces.Alias
|
||||
|
||||
private class IntValue = Ints::IntValue;
|
||||
@@ -277,9 +278,14 @@ private predicate automaticVariableAddressEscapes(IRAutomaticVariable var) {
|
||||
* analysis.
|
||||
*/
|
||||
predicate variableAddressEscapes(IRVariable var) {
|
||||
automaticVariableAddressEscapes(var.(IRAutomaticVariable))
|
||||
exists(IREscapeAnalysisConfiguration config |
|
||||
config.useSoundEscapeAnalysis() and
|
||||
automaticVariableAddressEscapes(var.(IRAutomaticVariable))
|
||||
)
|
||||
or
|
||||
// All variables with static storage duration have their address escape.
|
||||
// All variables with static storage duration have their address escape, even when escape analysis
|
||||
// is allowed to be unsound. Otherwise, we won't have a definition for any non-escaped global
|
||||
// variable. Normally, we rely on `AliasedDefinition` to handle that.
|
||||
not var instanceof IRAutomaticVariable
|
||||
}
|
||||
|
||||
|
||||
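Review bot: The new `exists(IREscapeAnalysisConfiguration config | config.useSoundEscapeAnalysis() and ...)` in `variableAddressEscapes` makes the setting global rather than per query. `TIREscapeAnalysisConfiguration` has a single branch, so one override that holds anywhere in the import closure turns sound analysis on for every function. That deserves a comment where the setting is consumed, for example `// Sound mode is on as soon as any IREscapeAnalysisConfiguration in scope overrides useSoundEscapeAnalysis(); otherwise no automatic variable is treated as escaped.` The predicate's doc comment starts outside the hunk, and the same hunk appears again further down the page (the second `@@ -277,9 +278,14 @@`).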
@@ -107,7 +107,7 @@ class PropertyProvider extends IRPropertyProvider {
|
||||
exists(
|
||||
MemoryLocation useLocation, IRBlock predBlock, IRBlock defBlock, int defIndex, Overlap overlap
|
||||
|
|
||||
hasPhiOperandDefinition(_, useLocation, block, predBlock, defBlock, defIndex, overlap) and
|
||||
hasPhiOperandDefinition(_, useLocation, block, predBlock, defBlock, defIndex) and
|
||||
key = "PhiUse[" + useLocation.toString() + " from " + predBlock.getDisplayIndex().toString() +
|
||||
"]" and
|
||||
result = defBlock.getDisplayIndex().toString() + "_" + defIndex + " (" + overlap.toString() +
|
||||
|
||||
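Review bot: `overlap` is still declared in the `exists` and still printed through `overlap.toString()`, but the second form of the `hasPhiOperandDefinition(...)` line, which I read as the new side, no longer passes it. If nothing beyond the hunk constrains it, `overlap` ranges over every `Overlap` value and the `PhiUse[...]` property yields one result per value instead of the actual one. Either bind it again or drop it from the declaration and from the `result` string. The `exists` is cut off at the end of the hunk, and the same hunk appears again further down (the second `@@ -107,7 +107,7 @@ class PropertyProvider`).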
@@ -43,93 +43,34 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated
|
||||
* Represents the IR translation of the declaration of a local variable,
|
||||
* including its initialization, if any.
|
||||
*/
|
||||
abstract class TranslatedVariableDeclaration extends TranslatedElement, InitializationContext {
|
||||
abstract class TranslatedLocalVariableDeclaration extends TranslatedVariableInitialization {
|
||||
/**
|
||||
* Gets the local variable being declared.
|
||||
*/
|
||||
abstract LocalVariable getVariable();
|
||||
|
||||
override TranslatedElement getChild(int id) { id = 0 and result = getInitialization() }
|
||||
final override Type getTargetType() { result = getVariableType(getVariable()) }
|
||||
|
||||
override Instruction getFirstInstruction() {
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
|
||||
tag = InitializerVariableAddressTag() and
|
||||
opcode instanceof Opcode::VariableAddress and
|
||||
resultType = getTypeForGLValue(getVariableType(getVariable()))
|
||||
or
|
||||
hasUninitializedInstruction() and
|
||||
tag = InitializerStoreTag() and
|
||||
opcode instanceof Opcode::Uninitialized and
|
||||
resultType = getTypeForPRValue(getVariableType(getVariable()))
|
||||
}
|
||||
|
||||
override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
|
||||
(
|
||||
tag = InitializerVariableAddressTag() and
|
||||
kind instanceof GotoEdge and
|
||||
if hasUninitializedInstruction()
|
||||
then result = getInstruction(InitializerStoreTag())
|
||||
else result = getInitialization().getFirstInstruction()
|
||||
)
|
||||
or
|
||||
hasUninitializedInstruction() and
|
||||
kind instanceof GotoEdge and
|
||||
tag = InitializerStoreTag() and
|
||||
(
|
||||
result = getInitialization().getFirstInstruction()
|
||||
or
|
||||
not exists(getInitialization()) and result = getParent().getChildSuccessor(this)
|
||||
)
|
||||
}
|
||||
|
||||
override Instruction getChildSuccessor(TranslatedElement child) {
|
||||
child = getInitialization() and result = getParent().getChildSuccessor(this)
|
||||
}
|
||||
|
||||
override IRVariable getInstructionVariable(InstructionTag tag) {
|
||||
(
|
||||
tag = InitializerVariableAddressTag()
|
||||
or
|
||||
hasUninitializedInstruction() and tag = InitializerStoreTag()
|
||||
) and
|
||||
result = getIRUserVariable(getFunction(), getVariable())
|
||||
}
|
||||
|
||||
override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
|
||||
hasUninitializedInstruction() and
|
||||
tag = InitializerStoreTag() and
|
||||
operandTag instanceof AddressOperandTag and
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
override Instruction getTargetAddress() {
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
override Type getTargetType() { result = getVariableType(getVariable()) }
|
||||
|
||||
private TranslatedInitialization getInitialization() {
|
||||
final override TranslatedInitialization getInitialization() {
|
||||
result = getTranslatedInitialization(getVariable()
|
||||
.getInitializer()
|
||||
.getExpr()
|
||||
.getFullyConverted())
|
||||
}
|
||||
|
||||
private predicate hasUninitializedInstruction() {
|
||||
not exists(getInitialization()) or
|
||||
getInitialization() instanceof TranslatedListInitialization or
|
||||
getInitialization() instanceof TranslatedConstructorInitialization or
|
||||
getInitialization().(TranslatedStringLiteralInitialization).zeroInitRange(_, _)
|
||||
final override Instruction getInitializationSuccessor() {
|
||||
result = getParent().getChildSuccessor(this)
|
||||
}
|
||||
|
||||
final override IRVariable getIRVariable() {
|
||||
result = getIRUserVariable(getFunction(), getVariable())
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Represents the IR translation of a local variable declaration within a declaration statement.
|
||||
*/
|
||||
class TranslatedVariableDeclarationEntry extends TranslatedVariableDeclaration,
|
||||
class TranslatedVariableDeclarationEntry extends TranslatedLocalVariableDeclaration,
|
||||
TranslatedDeclarationEntry {
|
||||
LocalVariable var;
|
||||
|
||||
@@ -151,7 +92,7 @@ TranslatedRangeBasedForVariableDeclaration getTranslatedRangeBasedForVariableDec
|
||||
/**
|
||||
* Represents the IR translation of a compiler-generated variable in a range-based `for` loop.
|
||||
*/
|
||||
class TranslatedRangeBasedForVariableDeclaration extends TranslatedVariableDeclaration,
|
||||
class TranslatedRangeBasedForVariableDeclaration extends TranslatedLocalVariableDeclaration,
|
||||
TTranslatedRangeBasedForVariableDeclaration {
|
||||
RangeBasedForStmt forStmt;
|
||||
LocalVariable var;
|
||||
@@ -181,7 +122,7 @@ TranslatedConditionDecl getTranslatedConditionDecl(ConditionDeclExpr expr) {
|
||||
* }
|
||||
* ```
|
||||
*/
|
||||
class TranslatedConditionDecl extends TranslatedVariableDeclaration, TTranslatedConditionDecl {
|
||||
class TranslatedConditionDecl extends TranslatedLocalVariableDeclaration, TTranslatedConditionDecl {
|
||||
ConditionDeclExpr conditionDeclExpr;
|
||||
|
||||
TranslatedConditionDecl() { this = TTranslatedConditionDecl(conditionDeclExpr) }
|
||||
|
||||
@@ -1932,40 +1932,22 @@ abstract class TranslatedThrowExpr extends TranslatedNonConstantExpr {
|
||||
* IR translation of a `throw` expression with an argument
|
||||
* (e.g. `throw std::bad_alloc()`).
|
||||
*/
|
||||
class TranslatedThrowValueExpr extends TranslatedThrowExpr, InitializationContext {
|
||||
class TranslatedThrowValueExpr extends TranslatedThrowExpr, TranslatedVariableInitialization {
|
||||
TranslatedThrowValueExpr() { not expr instanceof ReThrowExpr }
|
||||
|
||||
override TranslatedElement getChild(int id) { id = 0 and result = getInitialization() }
|
||||
|
||||
override Instruction getFirstInstruction() {
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
|
||||
TranslatedThrowExpr.super.hasInstruction(opcode, tag, resultType)
|
||||
or
|
||||
tag = InitializerVariableAddressTag() and
|
||||
opcode instanceof Opcode::VariableAddress and
|
||||
resultType = getTypeForGLValue(getExceptionType())
|
||||
TranslatedVariableInitialization.super.hasInstruction(opcode, tag, resultType)
|
||||
}
|
||||
|
||||
override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
|
||||
result = TranslatedThrowExpr.super.getInstructionSuccessor(tag, kind)
|
||||
or
|
||||
tag = InitializerVariableAddressTag() and
|
||||
result = getInitialization().getFirstInstruction() and
|
||||
kind instanceof GotoEdge
|
||||
result = TranslatedVariableInitialization.super.getInstructionSuccessor(tag, kind)
|
||||
}
|
||||
|
||||
override Instruction getChildSuccessor(TranslatedElement child) {
|
||||
child = getInitialization() and
|
||||
result = getInstruction(ThrowTag())
|
||||
}
|
||||
|
||||
override IRVariable getInstructionVariable(InstructionTag tag) {
|
||||
tag = InitializerVariableAddressTag() and
|
||||
result = getIRTempVariable(expr, ThrowTempVar())
|
||||
}
|
||||
final override Instruction getInitializationSuccessor() { result = getInstruction(ThrowTag()) }
|
||||
|
||||
final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
|
||||
tag = ThrowTempVar() and
|
||||
@@ -1973,6 +1955,8 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr, InitializationContex
|
||||
}
|
||||
|
||||
final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
|
||||
result = TranslatedVariableInitialization.super.getInstructionOperand(tag, operandTag)
|
||||
or
|
||||
tag = ThrowTag() and
|
||||
(
|
||||
operandTag instanceof AddressOperandTag and
|
||||
@@ -1989,16 +1973,14 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr, InitializationContex
|
||||
result = getTypeForPRValue(getExceptionType())
|
||||
}
|
||||
|
||||
override Instruction getTargetAddress() {
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
override Type getTargetType() { result = getExceptionType() }
|
||||
|
||||
TranslatedInitialization getInitialization() {
|
||||
final override TranslatedInitialization getInitialization() {
|
||||
result = getTranslatedInitialization(expr.getExpr().getFullyConverted())
|
||||
}
|
||||
|
||||
final override IRVariable getIRVariable() { result = getIRTempVariable(expr, ThrowTempVar()) }
|
||||
|
||||
final override Opcode getThrowOpcode() { result instanceof Opcode::ThrowValue }
|
||||
|
||||
private Type getExceptionType() { result = expr.getType() }
|
||||
|
||||
@@ -30,6 +30,98 @@ abstract class InitializationContext extends TranslatedElement {
|
||||
abstract Type getTargetType();
|
||||
}
|
||||
|
||||
/**
|
||||
* Base class for any element that initializes a stack variable. Examples include local variable
|
||||
* declarations, `return` statements, and `throw` expressions.
|
||||
*/
|
||||
abstract class TranslatedVariableInitialization extends TranslatedElement, InitializationContext {
|
||||
final override TranslatedElement getChild(int id) { id = 0 and result = getInitialization() }
|
||||
|
||||
final override Instruction getFirstInstruction() {
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
|
||||
tag = InitializerVariableAddressTag() and
|
||||
opcode instanceof Opcode::VariableAddress and
|
||||
resultType = getTypeForGLValue(getTargetType())
|
||||
or
|
||||
hasUninitializedInstruction() and
|
||||
tag = InitializerStoreTag() and
|
||||
opcode instanceof Opcode::Uninitialized and
|
||||
resultType = getTypeForPRValue(getTargetType())
|
||||
}
|
||||
|
||||
override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
|
||||
(
|
||||
tag = InitializerVariableAddressTag() and
|
||||
kind instanceof GotoEdge and
|
||||
if hasUninitializedInstruction()
|
||||
then result = getInstruction(InitializerStoreTag())
|
||||
else result = getInitialization().getFirstInstruction()
|
||||
)
|
||||
or
|
||||
hasUninitializedInstruction() and
|
||||
kind instanceof GotoEdge and
|
||||
tag = InitializerStoreTag() and
|
||||
(
|
||||
result = getInitialization().getFirstInstruction()
|
||||
or
|
||||
not exists(getInitialization()) and result = getInitializationSuccessor()
|
||||
)
|
||||
}
|
||||
|
||||
final override Instruction getChildSuccessor(TranslatedElement child) {
|
||||
child = getInitialization() and result = getInitializationSuccessor()
|
||||
}
|
||||
|
||||
override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
|
||||
hasUninitializedInstruction() and
|
||||
tag = InitializerStoreTag() and
|
||||
operandTag instanceof AddressOperandTag and
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
final override IRVariable getInstructionVariable(InstructionTag tag) {
|
||||
(
|
||||
tag = InitializerVariableAddressTag()
|
||||
or
|
||||
hasUninitializedInstruction() and tag = InitializerStoreTag()
|
||||
) and
|
||||
result = getIRVariable()
|
||||
}
|
||||
|
||||
final override Instruction getTargetAddress() {
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the initialization for the variable.
|
||||
*/
|
||||
abstract TranslatedInitialization getInitialization();
|
||||
|
||||
/**
|
||||
* Get the `IRVariable` to be initialized. This may be an `IRTempVariable`.
|
||||
*/
|
||||
abstract IRVariable getIRVariable();
|
||||
|
||||
/**
|
||||
* Gets the `Instruction` to be executed immediately after the initialization.
|
||||
*/
|
||||
abstract Instruction getInitializationSuccessor();
|
||||
|
||||
/**
|
||||
* Holds if this initialization requires an `Uninitialized` instruction to be emitted before
|
||||
* evaluating the initializer.
|
||||
*/
|
||||
final predicate hasUninitializedInstruction() {
|
||||
not exists(getInitialization()) or
|
||||
getInitialization() instanceof TranslatedListInitialization or
|
||||
getInitialization() instanceof TranslatedConstructorInitialization or
|
||||
getInitialization().(TranslatedStringLiteralInitialization).zeroInitRange(_, _)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Represents the IR translation of any initialization, whether from an
|
||||
* initializer list or from a direct initializer.
|
||||
|
||||
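Review bot: The class comment on `TranslatedVariableInitialization` names the kinds of element that extend it but not the instruction sequence the base class emits, which is what declarations, `return` statements and `throw` expressions now inherit. I would extend it with a line such as `* Emits a VariableAddress for the target, then an Uninitialized instruction when hasUninitializedInstruction() holds, then the initializer.` That also explains why the expected IR for `throw` gains an `Uninitialized` instruction in this commit. It would help to say as well that `hasInstruction`, `getInstructionSuccessor` and `getInstructionOperand` are left non-final so that a subclass with a second base can combine both supers, as `TranslatedThrowValueExpr` does.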
@@ -130,46 +130,20 @@ abstract class TranslatedReturnStmt extends TranslatedStmt {
|
||||
}
|
||||
}
|
||||
|
||||
class TranslatedReturnValueStmt extends TranslatedReturnStmt, InitializationContext {
|
||||
class TranslatedReturnValueStmt extends TranslatedReturnStmt, TranslatedVariableInitialization {
|
||||
TranslatedReturnValueStmt() { stmt.hasExpr() }
|
||||
|
||||
override TranslatedElement getChild(int id) { id = 0 and result = getInitialization() }
|
||||
|
||||
override Instruction getFirstInstruction() {
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
|
||||
tag = InitializerVariableAddressTag() and
|
||||
opcode instanceof Opcode::VariableAddress and
|
||||
resultType = getTypeForGLValue(getEnclosingFunction().getReturnType())
|
||||
}
|
||||
|
||||
override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
|
||||
tag = InitializerVariableAddressTag() and
|
||||
result = getInitialization().getFirstInstruction() and
|
||||
kind instanceof GotoEdge
|
||||
}
|
||||
|
||||
override Instruction getChildSuccessor(TranslatedElement child) {
|
||||
child = getInitialization() and
|
||||
final override Instruction getInitializationSuccessor() {
|
||||
result = getEnclosingFunction().getReturnSuccessorInstruction()
|
||||
}
|
||||
|
||||
override IRVariable getInstructionVariable(InstructionTag tag) {
|
||||
tag = InitializerVariableAddressTag() and
|
||||
result = getEnclosingFunction().getReturnVariable()
|
||||
}
|
||||
final override Type getTargetType() { result = getEnclosingFunction().getReturnType() }
|
||||
|
||||
override Instruction getTargetAddress() {
|
||||
result = getInstruction(InitializerVariableAddressTag())
|
||||
}
|
||||
|
||||
override Type getTargetType() { result = getEnclosingFunction().getReturnType() }
|
||||
|
||||
TranslatedInitialization getInitialization() {
|
||||
final override TranslatedInitialization getInitialization() {
|
||||
result = getTranslatedInitialization(stmt.getExpr().getFullyConverted())
|
||||
}
|
||||
|
||||
final override IRVariable getIRVariable() { result = getEnclosingFunction().getReturnVariable() }
|
||||
}
|
||||
|
||||
class TranslatedReturnVoidStmt extends TranslatedReturnStmt {
|
||||
|
||||
@@ -2,6 +2,7 @@ private import AliasAnalysisInternal
|
||||
private import cpp
|
||||
private import InputIR
|
||||
private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
|
||||
private import semmle.code.cpp.ir.implementation.IRConfiguration
|
||||
private import semmle.code.cpp.models.interfaces.Alias
|
||||
|
||||
private class IntValue = Ints::IntValue;
|
||||
@@ -277,9 +278,14 @@ private predicate automaticVariableAddressEscapes(IRAutomaticVariable var) {
|
||||
* analysis.
|
||||
*/
|
||||
predicate variableAddressEscapes(IRVariable var) {
|
||||
automaticVariableAddressEscapes(var.(IRAutomaticVariable))
|
||||
exists(IREscapeAnalysisConfiguration config |
|
||||
config.useSoundEscapeAnalysis() and
|
||||
automaticVariableAddressEscapes(var.(IRAutomaticVariable))
|
||||
)
|
||||
or
|
||||
// All variables with static storage duration have their address escape.
|
||||
// All variables with static storage duration have their address escape, even when escape analysis
|
||||
// is allowed to be unsound. Otherwise, we won't have a definition for any non-escaped global
|
||||
// variable. Normally, we rely on `AliasedDefinition` to handle that.
|
||||
not var instanceof IRAutomaticVariable
|
||||
}
|
||||
|
||||
|
||||
@@ -107,7 +107,7 @@ class PropertyProvider extends IRPropertyProvider {
|
||||
exists(
|
||||
MemoryLocation useLocation, IRBlock predBlock, IRBlock defBlock, int defIndex, Overlap overlap
|
||||
|
|
||||
hasPhiOperandDefinition(_, useLocation, block, predBlock, defBlock, defIndex, overlap) and
|
||||
hasPhiOperandDefinition(_, useLocation, block, predBlock, defBlock, defIndex) and
|
||||
key = "PhiUse[" + useLocation.toString() + " from " + predBlock.getDisplayIndex().toString() +
|
||||
"]" and
|
||||
result = defBlock.getDisplayIndex().toString() + "_" + defIndex + " (" + overlap.toString() +
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:62:14:62:14 | AST only |
|
||||
| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:64:14:64:14 | AST only |
|
||||
| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:66:14:66:14 | AST only |
|
||||
| clang.cpp:12:9:12:20 | clang.cpp:18:8:18:19 | AST only |
|
||||
| clang.cpp:12:9:12:20 | clang.cpp:22:8:22:20 | AST only |
|
||||
| clang.cpp:28:27:28:32 | clang.cpp:29:27:29:28 | AST only |
|
||||
| clang.cpp:28:27:28:32 | clang.cpp:30:27:30:34 | AST only |
|
||||
@@ -24,7 +23,6 @@
|
||||
| lambdas.cpp:8:10:8:15 | lambdas.cpp:18:8:18:8 | AST only |
|
||||
| lambdas.cpp:8:10:8:15 | lambdas.cpp:21:3:21:6 | AST only |
|
||||
| lambdas.cpp:8:10:8:15 | lambdas.cpp:29:3:29:6 | AST only |
|
||||
| lambdas.cpp:8:10:8:15 | lambdas.cpp:35:8:35:8 | AST only |
|
||||
| lambdas.cpp:8:10:8:15 | lambdas.cpp:41:8:41:8 | AST only |
|
||||
| lambdas.cpp:43:7:43:12 | lambdas.cpp:46:7:46:7 | AST only |
|
||||
| ref.cpp:29:11:29:16 | ref.cpp:62:10:62:11 | AST only |
|
||||
|
||||
@@ -7,6 +7,8 @@
|
||||
| BarrierGuard.cpp:55:13:55:13 | x | BarrierGuard.cpp:49:10:49:15 | call to source |
|
||||
| acrossLinkTargets.cpp:12:8:12:8 | (int)... | acrossLinkTargets.cpp:19:27:19:32 | call to source |
|
||||
| acrossLinkTargets.cpp:12:8:12:8 | x | acrossLinkTargets.cpp:19:27:19:32 | call to source |
|
||||
| clang.cpp:18:8:18:19 | (const int *)... | clang.cpp:12:9:12:20 | sourceArray1 |
|
||||
| clang.cpp:18:8:18:19 | sourceArray1 | clang.cpp:12:9:12:20 | sourceArray1 |
|
||||
| clang.cpp:37:10:37:11 | m2 | clang.cpp:34:32:34:37 | call to source |
|
||||
| clang.cpp:41:18:41:19 | m2 | clang.cpp:39:42:39:47 | call to source |
|
||||
| clang.cpp:45:17:45:18 | m2 | clang.cpp:43:35:43:40 | call to source |
|
||||
@@ -30,6 +32,7 @@
|
||||
| dispatch.cpp:96:8:96:8 | x | dispatch.cpp:107:17:107:22 | call to source |
|
||||
| dispatch.cpp:96:8:96:8 | x | dispatch.cpp:140:8:140:13 | call to source |
|
||||
| dispatch.cpp:96:8:96:8 | x | dispatch.cpp:144:8:144:13 | call to source |
|
||||
| lambdas.cpp:35:8:35:8 | a | lambdas.cpp:8:10:8:15 | call to source |
|
||||
| test.cpp:7:8:7:9 | t1 | test.cpp:6:12:6:17 | call to source |
|
||||
| test.cpp:9:8:9:9 | t1 | test.cpp:6:12:6:17 | call to source |
|
||||
| test.cpp:10:8:10:9 | t2 | test.cpp:6:12:6:17 | call to source |
|
||||
|
||||
@@ -13,13 +13,11 @@
|
||||
| taint.cpp:181:8:181:9 | taint.cpp:185:11:185:16 | AST only |
|
||||
| taint.cpp:195:7:195:7 | taint.cpp:192:23:192:28 | AST only |
|
||||
| taint.cpp:195:7:195:7 | taint.cpp:193:6:193:6 | AST only |
|
||||
| taint.cpp:215:7:215:7 | taint.cpp:207:6:207:11 | AST only |
|
||||
| taint.cpp:216:7:216:7 | taint.cpp:207:6:207:11 | AST only |
|
||||
| taint.cpp:229:3:229:6 | taint.cpp:223:10:223:15 | AST only |
|
||||
| taint.cpp:233:8:233:8 | taint.cpp:223:10:223:15 | AST only |
|
||||
| taint.cpp:236:3:236:6 | taint.cpp:223:10:223:15 | AST only |
|
||||
| taint.cpp:244:3:244:6 | taint.cpp:223:10:223:15 | AST only |
|
||||
| taint.cpp:250:8:250:8 | taint.cpp:223:10:223:15 | AST only |
|
||||
| taint.cpp:256:8:256:8 | taint.cpp:223:10:223:15 | AST only |
|
||||
| taint.cpp:261:7:261:7 | taint.cpp:258:7:258:12 | AST only |
|
||||
| taint.cpp:351:7:351:7 | taint.cpp:330:6:330:11 | AST only |
|
||||
@@ -31,7 +29,6 @@
|
||||
| taint.cpp:423:7:423:7 | taint.cpp:422:14:422:19 | AST only |
|
||||
| taint.cpp:424:9:424:17 | taint.cpp:422:14:422:19 | AST only |
|
||||
| taint.cpp:429:7:429:7 | taint.cpp:428:13:428:18 | IR only |
|
||||
| taint.cpp:430:9:430:14 | taint.cpp:428:13:428:18 | AST only |
|
||||
| taint.cpp:438:7:438:7 | taint.cpp:437:15:437:20 | AST only |
|
||||
| taint.cpp:439:10:439:18 | taint.cpp:437:15:437:20 | AST only |
|
||||
| taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
|
||||
|
||||
@@ -9,6 +9,8 @@
|
||||
| taint.cpp:167:8:167:13 | call to source | taint.cpp:167:8:167:13 | call to source |
|
||||
| taint.cpp:168:8:168:14 | tainted | taint.cpp:164:19:164:24 | call to source |
|
||||
| taint.cpp:210:7:210:7 | x | taint.cpp:207:6:207:11 | call to source |
|
||||
| taint.cpp:215:7:215:7 | x | taint.cpp:207:6:207:11 | call to source |
|
||||
| taint.cpp:250:8:250:8 | a | taint.cpp:223:10:223:15 | call to source |
|
||||
| taint.cpp:280:7:280:7 | t | taint.cpp:275:6:275:11 | call to source |
|
||||
| taint.cpp:289:7:289:7 | t | taint.cpp:275:6:275:11 | call to source |
|
||||
| taint.cpp:290:7:290:7 | x | taint.cpp:275:6:275:11 | call to source |
|
||||
@@ -16,3 +18,4 @@
|
||||
| taint.cpp:337:7:337:7 | t | taint.cpp:330:6:330:11 | call to source |
|
||||
| taint.cpp:350:7:350:7 | t | taint.cpp:330:6:330:11 | call to source |
|
||||
| taint.cpp:429:7:429:7 | b | taint.cpp:428:13:428:18 | call to source |
|
||||
| taint.cpp:430:9:430:14 | member | taint.cpp:428:13:428:18 | call to source |
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import default
|
||||
import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.AliasAnalysis
|
||||
import semmle.code.cpp.ir.implementation.raw.IR
|
||||
import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis
|
||||
|
||||
predicate shouldEscape(IRAutomaticUserVariable var) {
|
||||
exists(string name |
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import default
|
||||
import semmle.code.cpp.ir.implementation.aliased_ssa.internal.AliasAnalysis
|
||||
import semmle.code.cpp.ir.implementation.unaliased_ssa.IR
|
||||
import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis
|
||||
|
||||
predicate shouldEscape(IRAutomaticUserVariable var) {
|
||||
exists(string name |
|
||||
|
||||
@@ -8056,6 +8056,20 @@ ir.cpp:
|
||||
# 1166| 0: [VariableAccess] y
|
||||
# 1166| Type = [IntType] int
|
||||
# 1166| ValueCategory = prvalue(load)
|
||||
# 1169| [TopLevelFunction] String ReturnObjectImpl()
|
||||
# 1169| params:
|
||||
# 1169| body: [Block] { ... }
|
||||
# 1170| 0: [ReturnStmt] return ...
|
||||
# 1170| 0: [ConstructorCall] call to String
|
||||
# 1170| Type = [Struct] String
|
||||
# 1170| ValueCategory = prvalue
|
||||
# 1170| 0: [ArrayToPointerConversion] array to pointer conversion
|
||||
# 1170| Type = [PointerType] const char *
|
||||
# 1170| ValueCategory = prvalue
|
||||
# 1170| expr: foo
|
||||
# 1170| Type = [ArrayType] const char[4]
|
||||
# 1170| Value = [StringLiteral] "foo"
|
||||
# 1170| ValueCategory = lvalue
|
||||
perf-regression.cpp:
|
||||
# 4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
|
||||
# 4| params:
|
||||
|
||||
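--- a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.ql
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.ql
@@ -0,0 +1,2 @@
+import semmle.code.cpp.ir.implementation.aliased_ssa.IRSanity
+import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis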
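Review bot: This new test query carries no comment saying why it pins sound escape analysis. The expected output that follows it, apparently for this query, checks in four `missingOperand` rows for `IndirectMayWriteSideEffect` in `HierarchyConversions` as accepted results. Baselined sanity failures tend to be forgotten once the test is green, so I would record them in the query itself: `// Runs the sanity checks with sound escape analysis. Known failures: missingOperand on IndirectMayWriteSideEffect (ir.cpp:809-824); drop them from .expected once fixed.`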
@@ -0,0 +1,26 @@
|
||||
missingOperand
|
||||
| ir.cpp:809:7:809:13 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
| ir.cpp:810:7:810:26 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
| ir.cpp:823:7:823:13 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
| ir.cpp:824:7:824:26 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
unexpectedOperand
|
||||
duplicateOperand
|
||||
missingPhiOperand
|
||||
missingOperandType
|
||||
duplicateChiOperand
|
||||
sideEffectWithoutPrimary
|
||||
instructionWithoutSuccessor
|
||||
ambiguousSuccessors
|
||||
unexplainedLoop
|
||||
unnecessaryPhiInstruction
|
||||
operandAcrossFunctions
|
||||
instructionWithoutUniqueBlock
|
||||
containsLoopOfForwardEdges
|
||||
lostReachability
|
||||
backEdgeCountMismatch
|
||||
useNotDominatedByDefinition
|
||||
missingCanonicalLanguageType
|
||||
multipleCanonicalLanguageTypes
|
||||
missingIRType
|
||||
multipleIRTypes
|
||||
missingCppType
|
||||
@@ -0,0 +1,2 @@
|
||||
import semmle.code.cpp.ir.implementation.aliased_ssa.internal.SSASanity
|
||||
import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis
|
||||
@@ -0,0 +1,2 @@
|
||||
multipleOperandMemoryLocations
|
||||
missingVirtualVariableForMemoryLocation
|
||||
@@ -1166,4 +1166,8 @@ int ModeledCallTarget(int x) {
|
||||
return y;
|
||||
}
|
||||
|
||||
String ReturnObjectImpl() {
|
||||
return String("foo");
|
||||
}
|
||||
|
||||
// semmle-extractor-options: -std=c++17 --clang
|
||||
|
||||
@@ -3371,15 +3371,16 @@ ir.cpp:
|
||||
|
||||
# 731| Block 7
|
||||
# 731| r731_11(glval<String>) = VariableAddress[#throw731:19] :
|
||||
# 731| r731_12(glval<unknown>) = FunctionAddress[String] :
|
||||
# 731| r731_13(glval<char[14]>) = StringConstant["String object"] :
|
||||
# 731| r731_14(char *) = Convert : r731_13
|
||||
# 731| v731_15(void) = Call : func:r731_12, this:r731_11, 0:r731_14
|
||||
# 731| mu731_16(unknown) = ^CallSideEffect : ~mu724_3
|
||||
# 731| mu731_17(String) = ^IndirectMayWriteSideEffect[-1] : &:r731_11
|
||||
# 731| v731_18(void) = ^BufferReadSideEffect[0] : &:r731_14, ~mu724_3
|
||||
# 731| mu731_19(unknown) = ^BufferMayWriteSideEffect[0] : &:r731_14
|
||||
# 731| v731_20(void) = ThrowValue : &:r731_11, ~mu724_3
|
||||
# 731| mu731_12(String) = Uninitialized[#throw731:19] : &:r731_11
|
||||
# 731| r731_13(glval<unknown>) = FunctionAddress[String] :
|
||||
# 731| r731_14(glval<char[14]>) = StringConstant["String object"] :
|
||||
# 731| r731_15(char *) = Convert : r731_14
|
||||
# 731| v731_16(void) = Call : func:r731_13, this:r731_11, 0:r731_15
|
||||
# 731| mu731_17(unknown) = ^CallSideEffect : ~mu724_3
|
||||
# 731| mu731_18(String) = ^IndirectMayWriteSideEffect[-1] : &:r731_11
|
||||
# 731| v731_19(void) = ^BufferReadSideEffect[0] : &:r731_15, ~mu724_3
|
||||
# 731| mu731_20(unknown) = ^BufferMayWriteSideEffect[0] : &:r731_15
|
||||
# 731| v731_21(void) = ThrowValue : &:r731_11, ~mu724_3
|
||||
#-----| Exception -> Block 9
|
||||
|
||||
# 733| Block 8
|
||||
@@ -3399,15 +3400,16 @@ ir.cpp:
|
||||
# 735| r735_4(char *) = Load : &:r735_2, ~mu735_3
|
||||
# 735| mu735_5(unknown) = InitializeIndirection[s] : &:r735_4
|
||||
# 736| r736_1(glval<String>) = VariableAddress[#throw736:5] :
|
||||
# 736| r736_2(glval<unknown>) = FunctionAddress[String] :
|
||||
# 736| r736_3(glval<char *>) = VariableAddress[s] :
|
||||
# 736| r736_4(char *) = Load : &:r736_3, ~mu724_3
|
||||
# 736| v736_5(void) = Call : func:r736_2, this:r736_1, 0:r736_4
|
||||
# 736| mu736_6(unknown) = ^CallSideEffect : ~mu724_3
|
||||
# 736| mu736_7(String) = ^IndirectMayWriteSideEffect[-1] : &:r736_1
|
||||
# 736| v736_8(void) = ^BufferReadSideEffect[0] : &:r736_4, ~mu724_3
|
||||
# 736| mu736_9(unknown) = ^BufferMayWriteSideEffect[0] : &:r736_4
|
||||
# 736| v736_10(void) = ThrowValue : &:r736_1, ~mu724_3
|
||||
# 736| mu736_2(String) = Uninitialized[#throw736:5] : &:r736_1
|
||||
# 736| r736_3(glval<unknown>) = FunctionAddress[String] :
|
||||
# 736| r736_4(glval<char *>) = VariableAddress[s] :
|
||||
# 736| r736_5(char *) = Load : &:r736_4, ~mu724_3
|
||||
# 736| v736_6(void) = Call : func:r736_3, this:r736_1, 0:r736_5
|
||||
# 736| mu736_7(unknown) = ^CallSideEffect : ~mu724_3
|
||||
# 736| mu736_8(String) = ^IndirectMayWriteSideEffect[-1] : &:r736_1
|
||||
# 736| v736_9(void) = ^BufferReadSideEffect[0] : &:r736_5, ~mu724_3
|
||||
# 736| mu736_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r736_5
|
||||
# 736| v736_11(void) = ThrowValue : &:r736_1, ~mu724_3
|
||||
#-----| Exception -> Block 2
|
||||
|
||||
# 738| Block 11
|
||||
@@ -5728,15 +5730,16 @@ ir.cpp:
|
||||
|
||||
# 1140| Block 7
|
||||
# 1140| r1140_11(glval<String>) = VariableAddress[#throw1140:19] :
|
||||
# 1140| r1140_12(glval<unknown>) = FunctionAddress[String] :
|
||||
# 1140| r1140_13(glval<char[14]>) = StringConstant["String object"] :
|
||||
# 1140| r1140_14(char *) = Convert : r1140_13
|
||||
# 1140| v1140_15(void) = Call : func:r1140_12, this:r1140_11, 0:r1140_14
|
||||
# 1140| mu1140_16(unknown) = ^CallSideEffect : ~mu1133_3
|
||||
# 1140| mu1140_17(String) = ^IndirectMayWriteSideEffect[-1] : &:r1140_11
|
||||
# 1140| v1140_18(void) = ^BufferReadSideEffect[0] : &:r1140_14, ~mu1133_3
|
||||
# 1140| mu1140_19(unknown) = ^BufferMayWriteSideEffect[0] : &:r1140_14
|
||||
# 1140| v1140_20(void) = ThrowValue : &:r1140_11, ~mu1133_3
|
||||
# 1140| mu1140_12(String) = Uninitialized[#throw1140:19] : &:r1140_11
|
||||
# 1140| r1140_13(glval<unknown>) = FunctionAddress[String] :
|
||||
# 1140| r1140_14(glval<char[14]>) = StringConstant["String object"] :
|
||||
# 1140| r1140_15(char *) = Convert : r1140_14
|
||||
# 1140| v1140_16(void) = Call : func:r1140_13, this:r1140_11, 0:r1140_15
|
||||
# 1140| mu1140_17(unknown) = ^CallSideEffect : ~mu1133_3
|
||||
# 1140| mu1140_18(String) = ^IndirectMayWriteSideEffect[-1] : &:r1140_11
|
||||
# 1140| v1140_19(void) = ^BufferReadSideEffect[0] : &:r1140_15, ~mu1133_3
|
||||
# 1140| mu1140_20(unknown) = ^BufferMayWriteSideEffect[0] : &:r1140_15
|
||||
# 1140| v1140_21(void) = ThrowValue : &:r1140_11, ~mu1133_3
|
||||
#-----| Exception -> Block 9
|
||||
|
||||
# 1142| Block 8
|
||||
@@ -5756,15 +5759,16 @@ ir.cpp:
|
||||
# 1144| r1144_4(char *) = Load : &:r1144_2, ~mu1144_3
|
||||
# 1144| mu1144_5(unknown) = InitializeIndirection[s] : &:r1144_4
|
||||
# 1145| r1145_1(glval<String>) = VariableAddress[#throw1145:5] :
|
||||
# 1145| r1145_2(glval<unknown>) = FunctionAddress[String] :
|
||||
# 1145| r1145_3(glval<char *>) = VariableAddress[s] :
|
||||
# 1145| r1145_4(char *) = Load : &:r1145_3, ~mu1133_3
|
||||
# 1145| v1145_5(void) = Call : func:r1145_2, this:r1145_1, 0:r1145_4
|
||||
# 1145| mu1145_6(unknown) = ^CallSideEffect : ~mu1133_3
|
||||
# 1145| mu1145_7(String) = ^IndirectMayWriteSideEffect[-1] : &:r1145_1
|
||||
# 1145| v1145_8(void) = ^BufferReadSideEffect[0] : &:r1145_4, ~mu1133_3
|
||||
# 1145| mu1145_9(unknown) = ^BufferMayWriteSideEffect[0] : &:r1145_4
|
||||
# 1145| v1145_10(void) = ThrowValue : &:r1145_1, ~mu1133_3
|
||||
# 1145| mu1145_2(String) = Uninitialized[#throw1145:5] : &:r1145_1
|
||||
# 1145| r1145_3(glval<unknown>) = FunctionAddress[String] :
|
||||
# 1145| r1145_4(glval<char *>) = VariableAddress[s] :
|
||||
# 1145| r1145_5(char *) = Load : &:r1145_4, ~mu1133_3
|
||||
# 1145| v1145_6(void) = Call : func:r1145_3, this:r1145_1, 0:r1145_5
|
||||
# 1145| mu1145_7(unknown) = ^CallSideEffect : ~mu1133_3
|
||||
# 1145| mu1145_8(String) = ^IndirectMayWriteSideEffect[-1] : &:r1145_1
|
||||
# 1145| v1145_9(void) = ^BufferReadSideEffect[0] : &:r1145_5, ~mu1133_3
|
||||
# 1145| mu1145_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r1145_5
|
||||
# 1145| v1145_11(void) = ThrowValue : &:r1145_1, ~mu1133_3
|
||||
#-----| Exception -> Block 2
|
||||
|
||||
# 1147| Block 11
|
||||
@@ -5878,6 +5882,27 @@ ir.cpp:
|
||||
# 1163| v1163_9(void) = AliasedUse : ~mu1163_3
|
||||
# 1163| v1163_10(void) = ExitFunction :
|
||||
|
||||
# 1169| String ReturnObjectImpl()
|
||||
# 1169| Block 0
|
||||
# 1169| v1169_1(void) = EnterFunction :
|
||||
# 1169| mu1169_2(unknown) = AliasedDefinition :
|
||||
# 1169| mu1169_3(unknown) = UnmodeledDefinition :
|
||||
# 1170| r1170_1(glval<String>) = VariableAddress[#return] :
|
||||
# 1170| mu1170_2(String) = Uninitialized[#return] : &:r1170_1
|
||||
# 1170| r1170_3(glval<unknown>) = FunctionAddress[String] :
|
||||
# 1170| r1170_4(glval<char[4]>) = StringConstant["foo"] :
|
||||
# 1170| r1170_5(char *) = Convert : r1170_4
|
||||
# 1170| r1170_6(String) = Call : func:r1170_3, this:r1170_1, 0:r1170_5
|
||||
# 1170| mu1170_7(unknown) = ^CallSideEffect : ~mu1169_3
|
||||
# 1170| mu1170_8(String) = ^IndirectMayWriteSideEffect[-1] : &:r1170_1
|
||||
# 1170| v1170_9(void) = ^BufferReadSideEffect[0] : &:r1170_5, ~mu1169_3
|
||||
# 1170| mu1170_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r1170_5
|
||||
# 1169| r1169_4(glval<String>) = VariableAddress[#return] :
|
||||
# 1169| v1169_5(void) = ReturnValue : &:r1169_4, ~mu1169_3
|
||||
# 1169| v1169_6(void) = UnmodeledUse : mu*
|
||||
# 1169| v1169_7(void) = AliasedUse : ~mu1169_3
|
||||
# 1169| v1169_8(void) = ExitFunction :
|
||||
|
||||
perf-regression.cpp:
|
||||
# 6| void Big::Big()
|
||||
# 6| Block 0
|
||||
|
||||
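--- a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.ql
+++ b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.ql
@@ -0,0 +1,2 @@
+import semmle.code.cpp.ir.implementation.unaliased_ssa.IRSanity
+import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis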
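Review bot: The `UseSoundEscapeAnalysis` import on the second line changes which escape analysis the whole test runs under, and nothing in the file says so; a comment such as `// Opt in to sound escape analysis; by default SSA assumes no variable's address escapes.` above it would record the intent. The same comment fits the other new test queries on this page that carry this import (the `IRSanity`, `SSASanity` and `PrintIR` variants for `aliased_ssa` and `unaliased_ssa`). Because these sanity queries now run only in the opted-in mode, it is worth confirming that the default mode, which other queries get unless they opt in, has sanity coverage of its own; the `*_unsound.expected` files suggest it exists for the IR dumps, but that is not visible in this part of the page.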
@@ -0,0 +1,26 @@
|
||||
missingOperand
|
||||
| ir.cpp:809:7:809:13 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
| ir.cpp:810:7:810:26 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
| ir.cpp:823:7:823:13 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
| ir.cpp:824:7:824:26 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
unexpectedOperand
|
||||
duplicateOperand
|
||||
missingPhiOperand
|
||||
missingOperandType
|
||||
duplicateChiOperand
|
||||
sideEffectWithoutPrimary
|
||||
instructionWithoutSuccessor
|
||||
ambiguousSuccessors
|
||||
unexplainedLoop
|
||||
unnecessaryPhiInstruction
|
||||
operandAcrossFunctions
|
||||
instructionWithoutUniqueBlock
|
||||
containsLoopOfForwardEdges
|
||||
lostReachability
|
||||
backEdgeCountMismatch
|
||||
useNotDominatedByDefinition
|
||||
missingCanonicalLanguageType
|
||||
multipleCanonicalLanguageTypes
|
||||
missingIRType
|
||||
multipleIRTypes
|
||||
missingCppType
|
||||
@@ -0,0 +1,2 @@
|
||||
import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSASanity
|
||||
import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis
|
||||
@@ -0,0 +1,2 @@
|
||||
multipleOperandMemoryLocations
|
||||
missingVirtualVariableForMemoryLocation
|
||||
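--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.ql
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.ql
@@ -0,0 +1,6 @@
+/**
+* @kind graph
+*/
+
+import semmle.code.cpp.ir.implementation.aliased_ssa.PrintIR
+import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis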
1085
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
Normal file
1085
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
Normal file
File diff suppressed because it is too large
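--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.ql
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.ql
@@ -0,0 +1,2 @@
+import semmle.code.cpp.ir.implementation.aliased_ssa.IRSanity
+import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis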
@@ -0,0 +1,22 @@
|
||||
missingOperand
|
||||
unexpectedOperand
|
||||
duplicateOperand
|
||||
missingPhiOperand
|
||||
missingOperandType
|
||||
duplicateChiOperand
|
||||
sideEffectWithoutPrimary
|
||||
instructionWithoutSuccessor
|
||||
ambiguousSuccessors
|
||||
unexplainedLoop
|
||||
unnecessaryPhiInstruction
|
||||
operandAcrossFunctions
|
||||
instructionWithoutUniqueBlock
|
||||
containsLoopOfForwardEdges
|
||||
lostReachability
|
||||
backEdgeCountMismatch
|
||||
useNotDominatedByDefinition
|
||||
missingCanonicalLanguageType
|
||||
multipleCanonicalLanguageTypes
|
||||
missingIRType
|
||||
multipleIRTypes
|
||||
missingCppType
|
||||
@@ -0,0 +1,2 @@
|
||||
import semmle.code.cpp.ir.implementation.aliased_ssa.internal.SSASanity
|
||||
import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis
|
||||
@@ -0,0 +1,2 @@
|
||||
multipleOperandMemoryLocations
|
||||
missingVirtualVariableForMemoryLocation
|
||||
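--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.ql
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.ql
@@ -0,0 +1,6 @@
+/**
+* @kind graph
+*/
+
+import semmle.code.cpp.ir.implementation.unaliased_ssa.PrintIR
+import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis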
1028
cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
Normal file
1028
cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
Normal file
File diff suppressed because it is too large
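--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.ql
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.ql
@@ -0,0 +1,2 @@
+import semmle.code.cpp.ir.implementation.unaliased_ssa.IRSanity
+import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis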
@@ -0,0 +1,22 @@
|
||||
missingOperand
|
||||
unexpectedOperand
|
||||
duplicateOperand
|
||||
missingPhiOperand
|
||||
missingOperandType
|
||||
duplicateChiOperand
|
||||
sideEffectWithoutPrimary
|
||||
instructionWithoutSuccessor
|
||||
ambiguousSuccessors
|
||||
unexplainedLoop
|
||||
unnecessaryPhiInstruction
|
||||
operandAcrossFunctions
|
||||
instructionWithoutUniqueBlock
|
||||
containsLoopOfForwardEdges
|
||||
lostReachability
|
||||
backEdgeCountMismatch
|
||||
useNotDominatedByDefinition
|
||||
missingCanonicalLanguageType
|
||||
multipleCanonicalLanguageTypes
|
||||
missingIRType
|
||||
multipleIRTypes
|
||||
missingCppType
|
||||
@@ -0,0 +1,2 @@
|
||||
import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSASanity
|
||||
import semmle.code.cpp.ir.implementation.UseSoundEscapeAnalysis
|
||||
@@ -0,0 +1,2 @@
|
||||
multipleOperandMemoryLocations
|
||||
missingVirtualVariableForMemoryLocation
|
||||
@@ -16,8 +16,7 @@
|
||||
| inline_assembly.c:10:3:10:7 | Store: ... = ... | positive strictlyPositive |
|
||||
| inline_assembly.c:10:7:10:7 | Constant: (unsigned int)... | positive strictlyPositive |
|
||||
| inline_assembly.c:12:32:12:32 | Load: y | positive strictlyPositive |
|
||||
| inline_assembly.c:21:29:21:29 | Load: x | positive |
|
||||
| inline_assembly.c:21:32:21:32 | Load: y | positive |
|
||||
| inline_assembly.c:21:32:21:32 | Load: y | positive strictlyPositive |
|
||||
| minmax.c:16:9:16:10 | Constant: 1 | positive strictlyPositive |
|
||||
| minmax.c:16:9:16:10 | Store: 1 | positive strictlyPositive |
|
||||
| minmax.c:16:16:16:17 | Constant: 2 | positive strictlyPositive |
|
||||
|
||||
@@ -27,7 +27,6 @@ missingOperand
|
||||
| ir.cpp:823:7:823:13 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
| ir.cpp:824:7:824:26 | IndirectMayWriteSideEffect: call to Base | Instruction 'IndirectMayWriteSideEffect' is missing an expected operand with tag 'Address' in function '$@'. | ir.cpp:799:6:799:25 | IR: HierarchyConversions | void HierarchyConversions() |
|
||||
| misc.c:125:5:125:11 | CopyValue: (statement expression) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | misc.c:97:6:97:10 | IR: misc3 | void misc3() |
|
||||
| try_catch.cpp:13:5:13:16 | Chi: call to exn1 | Instruction 'Chi' is missing an expected operand with tag 'ChiTotal' in function '$@'. | try_catch.cpp:11:6:11:17 | IR: bypass_catch | void bypass_catch() |
|
||||
unexpectedOperand
|
||||
duplicateOperand
|
||||
missingPhiOperand
|
||||
|
||||