Merge pull request github#3082 from dbartol/dbartol/VarArgIR

C++: Model varargs in IR, Part I

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/exprs/Call.qll

@@ -196,7 +196,7 @@ class FunctionCall extends Call, @funbindexpr {
    * constructor calls, this predicate instead gets the `Class` of the constructor
    * being called.
    */
-  private Type getTargetType() { result = Call.super.getType().stripType() }
+  Type getTargetType() { result = Call.super.getType().stripType() }
 
   /**
    * Gets the expected return type of the function called by this call.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -213,6 +213,16 @@ class IRThrowVariable extends IRTempVariable {
   final override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IREllipsisVariable extends IRTempVariable {
+  IREllipsisVariable() { tag = EllipsisTempVar() }
+
+  final override string toString() { result = "#ellipsis" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -213,6 +213,16 @@ class IRThrowVariable extends IRTempVariable {
   final override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IREllipsisVariable extends IRTempVariable {
+  IREllipsisVariable() { tag = EllipsisTempVar() }
+
+  final override string toString() { result = "#ellipsis" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -402,6 +402,7 @@ newtype TTranslatedElement =
       translateFunction(func)
     )
   } or
+  TTranslatedEllipsisParameter(Function func) { translateFunction(func) and func.isVarargs() } or
   TTranslatedReadEffects(Function func) { translateFunction(func) } or
   // The read side effects in a function's return block
   TTranslatedReadEffect(Parameter param) {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -10,12 +10,39 @@ private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedInitialization
 private import TranslatedStmt
+private import VarArgs
 
 /**
  * Gets the `TranslatedFunction` that represents function `func`.
  */
 TranslatedFunction getTranslatedFunction(Function func) { result.getAST() = func }
 
+/**
+ * Gets the size, in bytes, of the variable used to represent the `...` parameter in a varargs
+ * function. This is determined by finding the total size of all of the arguments passed to the
+ * `...` in each call in the program, and choosing the maximum of those, with a minimum of 8 bytes.
+ */
+private int getEllipsisVariableByteSize() {
+  result =
+    max(int variableSize |
+      variableSize =
+        max(Call call, int callSize |
+          callSize =
+            sum(int argIndex |
+              isEllipsisArgumentIndex(call, argIndex)
+            |
+              call.getArgument(argIndex).getType().getSize()
+            )
+        |
+          callSize
+        )
+      or
+      variableSize = 8
+    |
+      variableSize
+    )
+}
+
 /**
  * Represents the IR translation of a function. This is the root elements for
  * all other elements associated with this function.
@@ -60,6 +87,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
 
   final private TranslatedParameter getParameter(int index) {
     result = getTranslatedParameter(func.getParameter(index))
+    or
+    index = getEllipsisParameterIndexForFunction(func) and
+    result = getTranslatedEllipsisParameter(func)
   }
 
   final override Instruction getFirstInstruction() { result = getInstruction(EnterFunctionTag()) }
@@ -113,7 +143,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
   final override Instruction getChildSuccessor(TranslatedElement child) {
     exists(int paramIndex |
       child = getParameter(paramIndex) and
-      if exists(func.getParameter(paramIndex + 1))
+      if
+        exists(func.getParameter(paramIndex + 1)) or
+        getEllipsisParameterIndexForFunction(func) = paramIndex + 1
       then result = getParameter(paramIndex + 1).getFirstInstruction()
       else result = getConstructorInitList().getFirstInstruction()
     )
@@ -237,10 +269,18 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     result = getReturnVariable()
   }
 
+  final override predicate needsUnknownOpaqueType(int byteSize) {
+    byteSize = getEllipsisVariableByteSize()
+  }
+
   final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
     tag = ReturnValueTempVar() and
     hasReturnValue() and
     type = getTypeForPRValue(getReturnType())
+    or
+    tag = EllipsisTempVar() and
+    func.isVarargs() and
+    type = getUnknownOpaqueType(getEllipsisVariableByteSize())
   }
 
   /**
@@ -316,34 +356,29 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
 }
 
 /**
- * Gets the `TranslatedParameter` that represents parameter `param`.
+ * Gets the `TranslatedPositionalParameter` that represents parameter `param`.
  */
-TranslatedParameter getTranslatedParameter(Parameter param) { result.getAST() = param }
+TranslatedPositionalParameter getTranslatedParameter(Parameter param) { result.getAST() = param }
 
 /**
- * Represents the IR translation of a function parameter, including the
- * initialization of that parameter with the incoming argument.
+ * Gets the `TranslatedEllipsisParameter` for function `func`, if one exists.
  */
-class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
-  Parameter param;
-
-  TranslatedParameter() { this = TTranslatedParameter(param) }
-
-  final override string toString() { result = param.toString() }
-
-  final override Locatable getAST() { result = param }
+TranslatedEllipsisParameter getTranslatedEllipsisParameter(Function func) {
+  result.getFunction() = func
+}
 
-  final override Function getFunction() {
-    result = param.getFunction() or
-    result = param.getCatchBlock().getEnclosingFunction()
-  }
+/**
+ * The IR translation of a parameter to a function. This can be either a user-declared parameter
+ * (`TranslatedPositionParameter`) or the synthesized parameter used to represent a `...` in a
+ * varargs function (`TranslatedEllipsisParameter`).
+ */
+abstract class TranslatedParameter extends TranslatedElement {
+  final override TranslatedElement getChild(int id) { none() }
 
   final override Instruction getFirstInstruction() {
     result = getInstruction(InitializerVariableAddressTag())
   }
 
-  final override TranslatedElement getChild(int id) { none() }
-
   final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     kind instanceof GotoEdge and
     (
@@ -368,16 +403,16 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
   final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
     tag = InitializerVariableAddressTag() and
     opcode instanceof Opcode::VariableAddress and
-    resultType = getTypeForGLValue(getVariableType(param))
+    resultType = getGLValueType()
     or
     tag = InitializerStoreTag() and
     opcode instanceof Opcode::InitializeParameter and
-    resultType = getTypeForPRValue(getVariableType(param))
+    resultType = getPRValueType()
     or
     hasIndirection() and
     tag = InitializerIndirectAddressTag() and
     opcode instanceof Opcode::Load and
-    resultType = getTypeForPRValue(getVariableType(param))
+    resultType = getPRValueType()
     or
     hasIndirection() and
     tag = InitializerIndirectStoreTag() and
@@ -391,7 +426,7 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
       tag = InitializerVariableAddressTag() or
       tag = InitializerIndirectStoreTag()
     ) and
-    result = getIRUserVariable(getFunction(), param)
+    result = getIRVariable()
   }
 
   final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
@@ -416,13 +451,74 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
     result = getInstruction(InitializerIndirectAddressTag())
   }
 
-  predicate hasIndirection() {
+  abstract predicate hasIndirection();
+
+  abstract CppType getGLValueType();
+
+  abstract CppType getPRValueType();
+
+  abstract IRAutomaticVariable getIRVariable();
+}
+
+/**
+ * Represents the IR translation of a function parameter, including the
+ * initialization of that parameter with the incoming argument.
+ */
+class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedParameter {
+  Parameter param;
+
+  TranslatedPositionalParameter() { this = TTranslatedParameter(param) }
+
+  final override string toString() { result = param.toString() }
+
+  final override Locatable getAST() { result = param }
+
+  final override Function getFunction() {
+    result = param.getFunction() or
+    result = param.getCatchBlock().getEnclosingFunction()
+  }
+
+  final override predicate hasIndirection() {
     exists(Type t | t = param.getUnspecifiedType() |
       t instanceof ArrayType or
       t instanceof PointerType or
       t instanceof ReferenceType
     )
   }
+
+  final override CppType getGLValueType() { result = getTypeForGLValue(getVariableType(param)) }
+
+  final override CppType getPRValueType() { result = getTypeForPRValue(getVariableType(param)) }
+
+  final override IRAutomaticUserVariable getIRVariable() {
+    result = getIRUserVariable(getFunction(), param)
+  }
+}
+
+/**
+ * The IR translation of the synthesized parameter used to represent the `...` in a varargs
+ * function.
+ */
+class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllipsisParameter {
+  Function func;
+
+  TranslatedEllipsisParameter() { this = TTranslatedEllipsisParameter(func) }
+
+  final override string toString() { result = "..." }
+
+  final override Locatable getAST() { result = func }
+
+  final override Function getFunction() { result = func }
+
+  final override predicate hasIndirection() { any() }
+
+  final override CppType getGLValueType() { result = getTypeForGLValue(any(UnknownType t)) }
+
+  final override CppType getPRValueType() {
+    result = getUnknownOpaqueType(getEllipsisVariableByteSize())
+  }
+
+  final override IREllipsisVariable getIRVariable() { result.getEnclosingFunction() = func }
 }
 
 private TranslatedConstructorInitList getTranslatedConstructorInitList(Function func) {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/VarArgs.qll

@@ -0,0 +1,62 @@
+/**
+ * Utilities for determining which parameters and arguments correspond to the `...` parameter for
+ * varargs functions.
+ */
+
+private import cpp
+
+/**
+ * Gets the index of the `...` parameter, if any. If present, the value will always be equal to
+ * `func.getNumberOfParameters()`.
+ */
+int getEllipsisParameterIndexForFunction(Function func) {
+  func.isVarargs() and result = func.getNumberOfParameters()
+}
+
+/**
+ * Gets the index of the `...` parameter, if any.
+ */
+int getEllipsisParameterIndexForRoutineType(RoutineType type) {
+  // Since the extractor doesn't record this information directly, we look for routine types whose
+  // last parameter type is `UnknownType`.
+  type.getParameterType(result) instanceof UnknownType and
+  result = strictcount(type.getAParameterType()) - 1
+}
+
+/**
+ * Gets the index of the `...` parameter, if any. This will be one greater than the index of the
+ * last declared positional parameter.
+ */
+int getEllipsisParameterIndex(Call call) {
+  exists(FunctionCall funcCall |
+    funcCall = call and
+    if funcCall.getTargetType() instanceof RoutineType
+    then result = getEllipsisParameterIndexForRoutineType(funcCall.getTargetType())
+    else result = getEllipsisParameterIndexForFunction(funcCall.getTarget())
+  )
+  or
+  exists(ExprCall exprCall |
+    exprCall = call and
+    result = getEllipsisParameterIndexForRoutineType(exprCall.getExpr().getType().stripType())
+  )
+}
+
+/**
+ * Gets the index of the parameter that will be initialized with the value of the argument
+ * specified by `argIndex`. For ordinary positional parameters, the argument and parameter indices
+ * will be equal. For a call to a varargs function, all arguments passed to the `...` will be
+ * mapped to the index returned by `getEllipsisParameterIndex()`.
+ */
+int getParameterIndexForArgument(Call call, int argIndex) {
+  exists(call.getArgument(argIndex)) and
+  if argIndex >= getEllipsisParameterIndex(call)
+  then result = getEllipsisParameterIndex(call)
+  else result = argIndex
+}
+
+/**
+ * Holds if the argument specified by `index` is an argument to the `...` of a varargs function.
+ */
+predicate isEllipsisArgumentIndex(Call call, int index) {
+  exists(call.getArgument(index)) and index >= getEllipsisParameterIndex(call)
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -213,6 +213,16 @@ class IRThrowVariable extends IRTempVariable {
   final override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IREllipsisVariable extends IRTempVariable {
+  IREllipsisVariable() { tag = EllipsisTempVar() }
+
+  final override string toString() { result = "#ellipsis" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/internal/TempVariableTag.qll

@@ -2,7 +2,8 @@ newtype TTempVariableTag =
   ConditionValueTempVar() or
   ReturnValueTempVar() or
   ThrowTempVar() or
-  LambdaTempVar()
+  LambdaTempVar() or
+  EllipsisTempVar()
 
 string getTempVariableTagId(TTempVariableTag tag) {
   tag = ConditionValueTempVar() and result = "CondVal"
@@ -12,4 +13,6 @@ string getTempVariableTagId(TTempVariableTag tag) {
   tag = ThrowTempVar() and result = "Throw"
   or
   tag = LambdaTempVar() and result = "Lambda"
+  or
+  tag = EllipsisTempVar() and result = "Ellipsis"
 }