Merge pull request github#3092 from dbartol/dbartol/VarArgIR2_ElectricBoogaloo

C++: Better IR for varargs

Author: jbj

cpp/ql/src/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -8,6 +8,22 @@ abstract class BuiltInOperation extends Expr {
   override string getCanonicalQLClass() { result = "BuiltInOperation" }
 }
 
+/**
+ * A C/C++ built-in operation that is used to support functions with variable numbers of arguments.
+ * This includes `va_start`, `va_end`, `va_copy`, and `va_arg`.
+ */
+class VarArgsExpr extends BuiltInOperation {
+  VarArgsExpr() {
+    this instanceof BuiltInVarArgsStart
+    or
+    this instanceof BuiltInVarArgsEnd
+    or
+    this instanceof BuiltInVarArg
+    or
+    this instanceof BuiltInVarArgCopy
+  }
+}
+
 /**
  * A C/C++ `__builtin_va_start` built-in operation (used by some
  * implementations of `va_start`).
@@ -20,6 +36,16 @@ class BuiltInVarArgsStart extends BuiltInOperation, @vastartexpr {
   override string toString() { result = "__builtin_va_start" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArgsStart" }
+
+  /**
+   * Gets the `va_list` argument.
+   */
+  final Expr getVAList() { result = getChild(0) }
+
+  /**
+   * Gets the argument that specifies the last named parameter before the ellipsis.
+   */
+  final VariableAccess getLastNamedParameter() { result = getChild(1) }
 }
 
 /**
@@ -35,6 +61,11 @@ class BuiltInVarArgsEnd extends BuiltInOperation, @vaendexpr {
   override string toString() { result = "__builtin_va_end" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArgsEnd" }
+
+  /**
+   * Gets the `va_list` argument.
+   */
+  final Expr getVAList() { result = getChild(0) }
 }
 
 /**
@@ -48,6 +79,11 @@ class BuiltInVarArg extends BuiltInOperation, @vaargexpr {
   override string toString() { result = "__builtin_va_arg" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArg" }
+
+  /**
+   * Gets the `va_list` argument.
+   */
+  final Expr getVAList() { result = getChild(0) }
 }
 
 /**
@@ -63,6 +99,16 @@ class BuiltInVarArgCopy extends BuiltInOperation, @vacopyexpr {
   override string toString() { result = "__builtin_va_copy" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArgCopy" }
+
+  /**
+   * Gets the destination `va_list` argument.
+   */
+  final Expr getDestinationVAList() { result = getChild(0) }
+
+  /**
+   * Gets the the source `va_list` argument.
+   */
+  final Expr getSourceVAList() { result = getChild(1) }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -70,7 +70,7 @@ private newtype TOpcode =
   TVarArgsStart() or
   TVarArgsEnd() or
   TVarArg() or
-  TVarArgCopy() or
+  TNextVarArg() or
   TCallSideEffect() or
   TCallReadSideEffect() or
   TIndirectReadSideEffect() or
@@ -629,20 +629,20 @@ module Opcode {
     final override string toString() { result = "BuiltIn" }
   }
 
-  class VarArgsStart extends BuiltInOperationOpcode, TVarArgsStart {
+  class VarArgsStart extends UnaryOpcode, TVarArgsStart {
     final override string toString() { result = "VarArgsStart" }
   }
 
-  class VarArgsEnd extends BuiltInOperationOpcode, TVarArgsEnd {
+  class VarArgsEnd extends UnaryOpcode, TVarArgsEnd {
     final override string toString() { result = "VarArgsEnd" }
   }
 
-  class VarArg extends BuiltInOperationOpcode, TVarArg {
+  class VarArg extends UnaryOpcode, TVarArg {
     final override string toString() { result = "VarArg" }
   }
 
-  class VarArgCopy extends BuiltInOperationOpcode, TVarArgCopy {
-    final override string toString() { result = "VarArgCopy" }
+  class NextVarArg extends UnaryOpcode, TNextVarArg {
+    final override string toString() { result = "NextVarArg" }
   }
 
   class CallSideEffect extends WriteSideEffectOpcode, EscapedWriteOpcode, MayWriteOpcode,

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -64,6 +64,13 @@ newtype TInstructionTag =
   InitializerElementAddressTag() or
   InitializerElementDefaultValueTag() or
   InitializerElementDefaultValueStoreTag() or
+  VarArgsStartEllipsisAddressTag() or
+  VarArgsStartTag() or
+  VarArgsVAListLoadTag() or
+  VarArgsArgAddressTag() or
+  VarArgsArgLoadTag() or
+  VarArgsMoveNextTag() or
+  VarArgsVAListStoreTag() or
   AsmTag() or
   AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) }
 
@@ -188,6 +195,20 @@ string getInstructionTagId(TInstructionTag tag) {
   or
   tag = InitializerElementDefaultValueStoreTag() and result = "InitElemDefValStore"
   or
+  tag = VarArgsStartEllipsisAddressTag() and result = "VarArgsStartEllipsisAddr"
+  or
+  tag = VarArgsStartTag() and result = "VarArgsStart"
+  or
+  tag = VarArgsVAListLoadTag() and result = "VarArgsVAListLoad"
+  or
+  tag = VarArgsArgAddressTag() and result = "VarArgsArgAddr"
+  or
+  tag = VarArgsArgLoadTag() and result = "VaArgsArgLoad"
+  or
+  tag = VarArgsMoveNextTag() and result = "VarArgsMoveNext"
+  or
+  tag = VarArgsVAListStoreTag() and result = "VarArgsVAListStore"
+  or
   tag = AsmTag() and result = "Asm"
   or
   exists(int index | tag = AsmInputTag(index) and result = "AsmInputTag(" + index + ")")

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -83,6 +83,10 @@ private predicate ignoreExprAndDescendants(Expr expr) {
   exists(DeleteExpr deleteExpr | deleteExpr.getAllocatorCall() = expr)
   or
   exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getAllocatorCall() = expr)
+  or
+  exists(BuiltInVarArgsStart vaStartExpr |
+    vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
+  )
 }
 
 /**