C++: Better IR for varargs

This PR changes the IR we generate for functions that accept a variable argument list. Rather than simply using `BuiltInOperationInstruction` to model the various `va_*` macros as mysterious function-like operations, we now model them in more detail. The intent is to enable better alias analysis and taint flow through varargs.

The `va_start` macro now generates a unary `VarArgsStart` instruction that takes the address of the ellipsis pseudo-parameter as its operand, and returns a value of type `std::va_list`. This value is then stored into the actual `std::va_list` variable via a regular `Store`.

The `va_arg` macro now loads the `std::va_list` argument, then emits a `VarArg` instruction on the result. This returns the address of the vararg argument to be loaded. That address is later used as the address operand of a regular `Load` to return the value of the argument. To model the side effect of moving to the next argument, we emit a `NextVarArg` instruction that takes the previous `std::va_list` value and returns an updated one, which is then stored back into the `std::va_list` variable.

The `va_end` macro just emits a `VarArgsEnd` unary instruction that takes the address of the `std::va_list` argument and does nothing, since `va_end` doesn't really do anything on most compiler implementations anyway.

The `va_copy` macro is just modeled as a plain copy.

Author: Dave Bartolomeo

cpp/ql/src/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -8,6 +8,22 @@ abstract class BuiltInOperation extends Expr {
   override string getCanonicalQLClass() { result = "BuiltInOperation" }
 }
 
+/**
+ * A C/C++ built-in operation that is used to support functions with variable numbers of arguments.
+ * This includes `va_start`, `va_end`, `va_copy`, and `va_arg`.
+ */
+class VarArgsExpr extends BuiltInOperation {
+  VarArgsExpr() {
+    this instanceof BuiltInVarArgsStart
+    or
+    this instanceof BuiltInVarArgsEnd
+    or
+    this instanceof BuiltInVarArg
+    or
+    this instanceof BuiltInVarArgCopy
+  }
+}
+
 /**
  * A C/C++ `__builtin_va_start` built-in operation (used by some
  * implementations of `va_start`).
@@ -20,6 +36,20 @@ class BuiltInVarArgsStart extends BuiltInOperation, @vastartexpr {
   override string toString() { result = "__builtin_va_start" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArgsStart" }
+
+  /**
+   * Gets the `va_list` argument.
+   */
+  final Expr getVAList() {
+    result = getChild(0)
+  }
+
+  /**
+   * Gets the argument that specifies the last named parameter before the ellipsis.
+   */
+  final VariableAccess getLastNamedParameter() {
+    result = getChild(1)
+  }
 }
 
 /**
@@ -35,6 +65,13 @@ class BuiltInVarArgsEnd extends BuiltInOperation, @vaendexpr {
   override string toString() { result = "__builtin_va_end" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArgsEnd" }
+
+  /**
+   * Gets the `va_list` argument.
+   */
+  final Expr getVAList() {
+    result = getChild(0)
+  }
 }
 
 /**
@@ -48,6 +85,13 @@ class BuiltInVarArg extends BuiltInOperation, @vaargexpr {
   override string toString() { result = "__builtin_va_arg" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArg" }
+
+  /**
+   * Gets the `va_list` argument.
+   */
+  final Expr getVAList() {
+    result = getChild(0)
+  }
 }
 
 /**
@@ -63,6 +107,20 @@ class BuiltInVarArgCopy extends BuiltInOperation, @vacopyexpr {
   override string toString() { result = "__builtin_va_copy" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArgCopy" }
+
+  /**
+   * Gets the destination `va_list` argument.
+   */
+  final Expr getDestinationVAList() {
+    result = getChild(0)
+  }
+
+  /**
+   * Gets the the source `va_list` argument.
+   */
+  final Expr getSourceVAList() {
+    result = getChild(1)
+  }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -70,7 +70,7 @@ private newtype TOpcode =
   TVarArgsStart() or
   TVarArgsEnd() or
   TVarArg() or
-  TVarArgCopy() or
+  TNextVarArg() or
   TCallSideEffect() or
   TCallReadSideEffect() or
   TIndirectReadSideEffect() or
@@ -629,20 +629,20 @@ module Opcode {
     final override string toString() { result = "BuiltIn" }
   }
 
-  class VarArgsStart extends BuiltInOperationOpcode, TVarArgsStart {
+  class VarArgsStart extends UnaryOpcode, TVarArgsStart {
     final override string toString() { result = "VarArgsStart" }
   }
 
-  class VarArgsEnd extends BuiltInOperationOpcode, TVarArgsEnd {
+  class VarArgsEnd extends UnaryOpcode, TVarArgsEnd {
     final override string toString() { result = "VarArgsEnd" }
   }
 
-  class VarArg extends BuiltInOperationOpcode, TVarArg {
+  class VarArg extends UnaryOpcode, TVarArg {
     final override string toString() { result = "VarArg" }
   }
 
-  class VarArgCopy extends BuiltInOperationOpcode, TVarArgCopy {
-    final override string toString() { result = "VarArgCopy" }
+  class NextVarArg extends UnaryOpcode, TNextVarArg {
+    final override string toString() { result = "NextVarArg" }
   }
 
   class CallSideEffect extends WriteSideEffectOpcode, EscapedWriteOpcode, MayWriteOpcode,

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -64,6 +64,13 @@ newtype TInstructionTag =
   InitializerElementAddressTag() or
   InitializerElementDefaultValueTag() or
   InitializerElementDefaultValueStoreTag() or
+  VarArgsStartEllipsisAddressTag() or
+  VarArgsStartTag() or
+  VarArgsVAListLoadTag() or
+  VarArgsArgAddressTag() or
+  VarArgsArgLoadTag() or
+  VarArgsMoveNextTag() or
+  VarArgsVAListStoreTag() or
   AsmTag() or
   AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) }
 
@@ -188,6 +195,20 @@ string getInstructionTagId(TInstructionTag tag) {
   or
   tag = InitializerElementDefaultValueStoreTag() and result = "InitElemDefValStore"
   or
+  tag = VarArgsStartEllipsisAddressTag() and result = "VarArgsStartEllipsisAddr"
+  or
+  tag = VarArgsStartTag() and result = "VarArgsStart"
+  or
+  tag = VarArgsVAListLoadTag() and result = "VarArgsVAListLoad"
+  or
+  tag = VarArgsArgAddressTag() and result = "VarArgsArgAddr"
+  or
+  tag = VarArgsArgLoadTag() and result = "VaArgsArgLoad"
+  or
+  tag = VarArgsMoveNextTag() and result = "VarArgsMoveNext"
+  or
+  tag = VarArgsVAListStoreTag() and result = "VarArgsVAListStore"
+  or
   tag = AsmTag() and result = "Asm"
   or
   exists(int index | tag = AsmInputTag(index) and result = "AsmInputTag(" + index + ")")

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -83,6 +83,10 @@ private predicate ignoreExprAndDescendants(Expr expr) {
   exists(DeleteExpr deleteExpr | deleteExpr.getAllocatorCall() = expr)
   or
   exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getAllocatorCall() = expr)
+  or
+  exists(BuiltInVarArgsStart vaStartExpr |
+    vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
+  )
 }
 
 /**
@@ -109,6 +113,22 @@ private predicate ignoreExprOnly(Expr expr) {
   exists(DeleteExpr deleteExpr | deleteExpr.getDestructorCall() = expr)
   or
   exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getDestructorCall() = expr)
+  or
+  expr instanceof Conversion and
+  exists(VarArgsExpr parent |
+    // Ignore any conversions applied to a `va_list` argument to a varargs-related macro. In the
+    // Unix ABI, the `va_list` undergoes an array-to-pointer conversion, but we only want the
+    // underlying variable access.
+    expr = parent.(BuiltInVarArgsStart).getVAList().getFullyConverted()
+    or
+    expr = parent.(BuiltInVarArgsEnd).getVAList().getFullyConverted()
+    or
+    expr = parent.(BuiltInVarArg).getVAList().getFullyConverted()
+    or
+    expr = parent.(BuiltInVarArgCopy).getSourceVAList().getFullyConverted()
+    or
+    expr = parent.(BuiltInVarArgCopy).getDestinationVAList().getFullyConverted()
+  )
 }
 
 /**