C++: IR translation for non-runtime-initialized static local variables.

2025-12-23 04:06:37 +01:00 · 2023-04-18 19:19:59 +01:00
parent 4bf03e7962
commit d14ee931e1
10 changed files with 50 additions and 28 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll
@@ -6,7 +6,7 @@ private import IRFunctionBaseInternal
 private newtype TIRFunction =
  TFunctionIRFunction(Language::Function func) { IRConstruction::Raw::functionHasIR(func) } or
-  TVarInitIRFunction(Language::GlobalVariable var) { IRConstruction::Raw::varHasIRFunc(var) }
+  TVarInitIRFunction(Language::Variable var) { IRConstruction::Raw::varHasIRFunc(var) }
 /**
 * The IR for a function. This base class contains only the predicates that are the same between all
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
@@ -37,7 +37,13 @@ module Raw {
  predicate functionHasIR(Function func) { exists(getTranslatedFunction(func)) }
  cached
-  predicate varHasIRFunc(GlobalOrNamespaceVariable var) {
+  predicate varHasIRFunc(Variable var) {
    (
      var instanceof GlobalOrNamespaceVariable
      or
      not var.isFromUninstantiatedTemplate(_) and
      var instanceof StaticInitializedStaticLocalVariable
    ) and
    var.hasInitializer() and
    (
      not var.getType().isDeeplyConst()
@@ -75,9 +81,10 @@ module Raw {
  }
  cached
-  predicate hasDynamicInitializationFlag(Function func, StaticLocalVariable var, CppType type) {
+  predicate hasDynamicInitializationFlag(
    Function func, RuntimeInitializedStaticLocalVariable var, CppType type
  ) {
    var.getFunction() = func and
    var.hasDynamicInitialization() and
    type = getBoolType()
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -62,15 +62,6 @@ private predicate ignoreExprAndDescendants(Expr expr) {
  // constant value.
  isIRConstant(getRealParent(expr))
  or
  // Only translate the initializer of a static local if it uses run-time data.
  // Otherwise the initializer does not run in function scope.
  exists(Initializer init, StaticStorageDurationVariable var |
    init = var.getInitializer() and
    not var.hasDynamicInitialization() and
    expr = init.getExpr().getFullyConverted() and
    not var instanceof GlobalOrNamespaceVariable
  )
  or
  // Ignore descendants of `__assume` expressions, since we translated these to `NoOp`.
  getRealParent(expr) instanceof AssumeExpr
  or
@@ -438,6 +429,17 @@ predicate hasTranslatedSyntheticTemporaryObject(Expr expr) {
  not expr.hasLValueToRValueConversion()
 }
 class StaticInitializedStaticLocalVariable extends StaticLocalVariable {
  StaticInitializedStaticLocalVariable() {
    this.hasInitializer() and
    not this.hasDynamicInitialization()
  }
 }
 class RuntimeInitializedStaticLocalVariable extends StaticLocalVariable {
  RuntimeInitializedStaticLocalVariable() { this.hasDynamicInitialization() }
 }
 /**
 * Holds if the specified `DeclarationEntry` needs an IR translation. An IR translation is only
 * necessary for automatic local variables, or for static local variables with dynamic
@@ -453,7 +455,7 @@ private predicate translateDeclarationEntry(IRDeclarationEntry entry) {
      not var.isStatic()
      or
      // Ignore static variables unless they have a dynamic initializer.
-      var.(StaticLocalVariable).hasDynamicInitialization()
+      var instanceof RuntimeInitializedStaticLocalVariable
    )
  )
 }
@@ -755,7 +757,7 @@ newtype TTranslatedElement =
  } or
  // The side effect that initializes newly-allocated memory.
  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) } or
-  TTranslatedGlobalOrNamespaceVarInit(GlobalOrNamespaceVariable var) { Raw::varHasIRFunc(var) }
+  TTranslatedStaticStorageDurationVarInit(Variable var) { Raw::varHasIRFunc(var) }
 /**
 * Gets the index of the first explicitly initialized element in `initList`
@@ -1043,6 +1045,6 @@ abstract class TranslatedRootElement extends TranslatedElement {
  TranslatedRootElement() {
    this instanceof TTranslatedFunction
    or
-    this instanceof TTranslatedGlobalOrNamespaceVarInit
+    this instanceof TTranslatedStaticStorageDurationVarInit
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -322,6 +322,8 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
      (
        var instanceof GlobalOrNamespaceVariable
        or
        var instanceof StaticLocalVariable
        or
        var instanceof MemberVariable and not var instanceof Field
      ) and
      exists(VariableAccess access |
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll
@@ -8,16 +8,16 @@ private import TranslatedInitialization
 private import InstructionTag
 private import semmle.code.cpp.ir.internal.IRUtilities
-class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
+class TranslatedStaticStorageDurationVarInit extends TranslatedRootElement,
-  TTranslatedGlobalOrNamespaceVarInit, InitializationContext
+  TTranslatedStaticStorageDurationVarInit, InitializationContext
 {
-  GlobalOrNamespaceVariable var;
+  Variable var;
-  TranslatedGlobalOrNamespaceVarInit() { this = TTranslatedGlobalOrNamespaceVarInit(var) }
+  TranslatedStaticStorageDurationVarInit() { this = TTranslatedStaticStorageDurationVarInit(var) }
  override string toString() { result = var.toString() }
-  final override GlobalOrNamespaceVariable getAst() { result = var }
+  final override Variable getAst() { result = var }
  final override Declaration getFunction() { result = var }
@@ -111,6 +111,8 @@ class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
      (
        varUsed instanceof GlobalOrNamespaceVariable
        or
        varUsed instanceof StaticLocalVariable
        or
        varUsed instanceof MemberVariable and not varUsed instanceof Field
      ) and
      exists(VariableAccess access |
@@ -128,6 +130,4 @@ class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
  }
 }
-TranslatedGlobalOrNamespaceVarInit getTranslatedVarInit(GlobalOrNamespaceVariable var) {
+TranslatedStaticStorageDurationVarInit getTranslatedVarInit(Variable var) { result.getAst() = var }
  result.getAst() = var
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
@@ -139,7 +139,8 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn
  final override Declaration getFunction() {
    result = expr.getEnclosingFunction() or
-    result = expr.getEnclosingVariable().(GlobalOrNamespaceVariable)
+    result = expr.getEnclosingVariable().(GlobalOrNamespaceVariable) or
    result = expr.getEnclosingVariable().(StaticInitializedStaticLocalVariable)
  }
  final override Locatable getAst() { result = expr }
@@ -654,6 +655,8 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
    result = initList.getEnclosingFunction()
    or
    result = initList.getEnclosingVariable().(GlobalOrNamespaceVariable)
    or
    result = initList.getEnclosingVariable().(StaticInitializedStaticLocalVariable)
  }
  final override Instruction getFirstInstruction() { result = getInstruction(getElementIndexTag()) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
@@ -47,7 +47,7 @@ class Variable = Cpp::Variable;
 class AutomaticVariable = Cpp::StackVariable;
-class StaticVariable = Cpp::Variable;
+class StaticVariable = Cpp::StaticStorageDurationVariable;
 class GlobalVariable = Cpp::GlobalOrNamespaceVariable;
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguageDebug.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguageDebug.qll
@@ -1,3 +1,9 @@
 private import cpp
 private import semmle.code.cpp.Print as Print
-predicate getIdentityString = Print::getIdentityString/1;
+string getIdentityString(Declaration decl) {
  if decl instanceof StaticLocalVariable
  then
    exists(StaticLocalVariable v | v = decl | result = v.getType().toString() + " " + v.getName())
  else result = Print::getIdentityString(decl)
 }
--- a/cpp/ql/test/library-tests/ir/ir/PrintConfig.qll
+++ b/cpp/ql/test/library-tests/ir/ir/PrintConfig.qll
@@ -18,5 +18,7 @@ predicate shouldDumpFunction(Declaration decl) {
    decl instanceof Function
    or
    decl.(GlobalOrNamespaceVariable).hasInitializer()
    or
    decl.(StaticLocalVariable).hasInitializer()
  )
 }
--- a/csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll
+++ b/csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll
@@ -6,7 +6,7 @@ private import IRFunctionBaseInternal
 private newtype TIRFunction =
  TFunctionIRFunction(Language::Function func) { IRConstruction::Raw::functionHasIR(func) } or
-  TVarInitIRFunction(Language::GlobalVariable var) { IRConstruction::Raw::varHasIRFunc(var) }
+  TVarInitIRFunction(Language::Variable var) { IRConstruction::Raw::varHasIRFunc(var) }
 /**
 * The IR for a function. This base class contains only the predicates that are the same between all