C++: Make InitializeParameter and Uninitialized return memory results

The IR avoids having non-trivially-copyable and non-trivially-assignable types in register results, because objects of those types need to exist at a particular memory location. The `InitializeParameter` and `Uninitialized` instructions were violating this restriction because they returned register results, which were then stored into the destination location via a `Store`. This change makes those two instructions take the destination address as an operand, and return a memory result representing the (un-)initialized memory, removing the need for a separate `Store` instruction.
2026-04-30 03:05:15 +02:00 · 2018-08-18 10:22:14 -07:00
parent e1f3637b66
commit f2053c488e
10 changed files with 4629 additions and 4988 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/internal/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/internal/Instruction.qll
@@ -545,6 +545,10 @@ class InitializeParameterInstruction extends VariableInstruction {
  final Parameter getParameter() {
    result = var.(IRUserVariable).getVariable()
  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof IndirectMemoryAccess
+  }
 }

 class FieldAddressInstruction extends FieldInstruction {
@@ -561,6 +565,10 @@ class UninitializedInstruction extends Instruction {
  UninitializedInstruction() {
    opcode instanceof Opcode::Uninitialized
  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof IndirectMemoryAccess
+  }
 }

 class NoOpInstruction extends Instruction {
--- a/cpp/ql/src/semmle/code/cpp/ir/internal/InstructionTag.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/internal/InstructionTag.qll
@@ -17,8 +17,6 @@ private predicate elementIsInitialized(int elementIndex) {

 newtype TInstructionTag =
  OnlyInstructionTag() or  // Single instruction (not including implicit Load)
-  InitializerUninitializedTag() or  // Source expression of initializer
-  ParameterInitializerTag() or
  InitializeThisTag() or
  InitializerVariableAddressTag() or
  InitializerLoadStringTag() or
@@ -88,8 +86,6 @@ newtype TInstructionTag =
 */
 string getInstructionTagId(TInstructionTag tag) {
  tag = OnlyInstructionTag() and result = "Only" or  // Single instruction (not including implicit Load)
-  tag = InitializerUninitializedTag() and result = "InitUninit" or  // Source expression of initializer
-  tag = ParameterInitializerTag() and result = "ParamInit" or
  tag = InitializerVariableAddressTag() and result = "InitVarAddr" or
  tag = InitializerStoreTag() and result = "InitStore" or
  tag = AssignOperationLoadTag() and result = "AssignOpLoad" or
--- a/cpp/ql/src/semmle/code/cpp/ir/internal/Opcode.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/internal/Opcode.qll
@@ -92,8 +92,8 @@ abstract class BuiltInOpcode extends Opcode {}

 module Opcode {
  class NoOp extends Opcode, TNoOp { override final string toString() { result = "NoOp" } }
-  class Uninitialized extends Opcode, TUninitialized { override final string toString() { result = "Uninitialized" } }
-  class InitializeParameter extends Opcode, TInitializeParameter { override final string toString() { result = "InitializeParameter" } }
+  class Uninitialized extends MemoryAccessOpcode, TUninitialized { override final string toString() { result = "Uninitialized" } }
+  class InitializeParameter extends MemoryAccessOpcode, TInitializeParameter { override final string toString() { result = "InitializeParameter" } }
  class InitializeThis extends Opcode, TInitializeThis { override final string toString() { result = "InitializeThis" } }
  class EnterFunction extends Opcode, TEnterFunction { override final string toString() { result = "EnterFunction" } }
  class ExitFunction extends Opcode, TExitFunction { override final string toString() { result = "ExitFunction" } }
--- a/cpp/ql/src/semmle/code/cpp/ir/internal/TranslatedDeclarationEntry.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/internal/TranslatedDeclarationEntry.qll
@@ -98,8 +98,8 @@ abstract class TranslatedVariableDeclaration extends

 /**
 * Represents the IR translation of a local variable with no initializer. The
- * generated IR stores the result of an `Uninitialized` instruction into the
- * variable.
+ * generated IR stores into the variable using an `Uninitialized` instruction,
+ * rather than a `Store`.
 */
 class TranslatedUninitializedVariable extends
  TranslatedVariableDeclaration {
@@ -127,12 +127,6 @@ class TranslatedUninitializedVariable extends
    ) or
    ( 
      tag = InitializerStoreTag() and
-      opcode instanceof Opcode::Store and
-      resultType = var.getType().getUnspecifiedType() and
-      isGLValue = false
-    ) or
-    (
-      tag = InitializerUninitializedTag() and
      opcode instanceof Opcode::Uninitialized and
      resultType = var.getType().getUnspecifiedType() and
      isGLValue = false
@@ -145,10 +139,6 @@ class TranslatedUninitializedVariable extends
    (
      (
        tag = InitializerVariableAddressTag() and
-        result = getInstruction(InitializerUninitializedTag())
-      ) or
-      (
-        tag = InitializerUninitializedTag() and
        result = getInstruction(InitializerStoreTag())
      ) or
      (
@@ -169,11 +159,7 @@ class TranslatedUninitializedVariable extends
      (
        operandTag instanceof LoadStoreAddressOperand and
        result = getInstruction(InitializerVariableAddressTag())
-      ) or
-      (
-        operandTag instanceof CopySourceOperand and
-        result = getInstruction(InitializerUninitializedTag())
-      )
+      ) 
    )
  }

--- a/cpp/ql/src/semmle/code/cpp/ir/internal/TranslatedFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/internal/TranslatedFunction.qll
@@ -323,7 +323,7 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
  }

  override final Instruction getFirstInstruction() {
-    result = getInstruction(ParameterInitializerTag())
+    result = getInstruction(InitializerVariableAddressTag())
  }

  override final TranslatedElement getChild(int id) {
@@ -334,10 +334,6 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
    EdgeKind kind) {
    kind instanceof GotoEdge and
    (
-      (
-        tag = ParameterInitializerTag() and
-        result = getInstruction(InitializerVariableAddressTag())
-      ) or
      (
        tag = InitializerVariableAddressTag() and
        result = getInstruction(InitializerStoreTag())
@@ -355,12 +351,6 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {

  override final predicate hasInstruction(Opcode opcode, InstructionTag tag,
    Type resultType, boolean isGLValue) {
-    (
-      tag = ParameterInitializerTag() and
-      opcode instanceof Opcode::InitializeParameter and
-      resultType = param.getType().getUnspecifiedType() and
-      isGLValue = false
-    ) or
    (
      tag = InitializerVariableAddressTag() and
      opcode instanceof Opcode::VariableAddress and
@@ -369,7 +359,7 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
    ) or
    (
      tag = InitializerStoreTag() and
-      opcode instanceof Opcode::Store and
+      opcode instanceof Opcode::InitializeParameter and
      resultType = param.getType().getUnspecifiedType() and
      isGLValue = false
    )
@@ -377,7 +367,7 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {

  override final IRVariable getInstructionVariable(InstructionTag tag) {
    (
-      tag = ParameterInitializerTag() or
+      tag = InitializerStoreTag() or
      tag = InitializerVariableAddressTag()
    ) and
    result = getIRUserVariable(getFunction(), param)
@@ -390,10 +380,6 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
      (
        operandTag instanceof LoadStoreAddressOperand and
        result = getInstruction(InitializerVariableAddressTag())
-      ) or
-      (
-        operandTag instanceof CopySourceOperand and
-        result = getInstruction(ParameterInitializerTag())
      )
    )
  }
--- a/cpp/ql/src/semmle/code/cpp/ssa/internal/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ssa/internal/aliased_ssa/Instruction.qll
@@ -545,6 +545,10 @@ class InitializeParameterInstruction extends VariableInstruction {
  final Parameter getParameter() {
    result = var.(IRUserVariable).getVariable()
  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof IndirectMemoryAccess
+  }
 }

 class FieldAddressInstruction extends FieldInstruction {
@@ -561,6 +565,10 @@ class UninitializedInstruction extends Instruction {
  UninitializedInstruction() {
    opcode instanceof Opcode::Uninitialized
  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof IndirectMemoryAccess
+  }
 }

 class NoOpInstruction extends Instruction {
--- a/cpp/ql/src/semmle/code/cpp/ssa/internal/ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ssa/internal/ssa/Instruction.qll
@@ -545,6 +545,10 @@ class InitializeParameterInstruction extends VariableInstruction {
  final Parameter getParameter() {
    result = var.(IRUserVariable).getVariable()
  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof IndirectMemoryAccess
+  }
 }

 class FieldAddressInstruction extends FieldInstruction {
@@ -561,6 +565,10 @@ class UninitializedInstruction extends Instruction {
  UninitializedInstruction() {
    opcode instanceof Opcode::Uninitialized
  }
+
+  override final MemoryAccessKind getResultMemoryAccess() {
+    result instanceof IndirectMemoryAccess
+  }
 }

 class NoOpInstruction extends Instruction {