C++: Connect InitializeIndirection to UnmodeledDefinition

The IR generation for `InitializeIndirection` currently connects its load operand to the result of the corresponding `InitializeParameter` instruction. This isn't exactly wrong, but it doesn't fit the IR invariant of "All unmodeled uses consume `UnmodeledDefinition`". Our current code doesn't care, because we just throw away all of the existing def-use information, modeled or otherwise, when we build unaliased SSA. However, some upcoming SSA changes don't work correctly if this invariant is broken.

I've added the trivial IR generation change, along with a new sanity query.

Author: Dave Bartolomeo

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll

@@ -149,6 +149,26 @@ module InstructionSanity {
     count(instr.getBlock().getAPredecessor()) < 2
   }
 
+  /**
+   * Holds if a memory operand is connected to a definition with an unmodeled result, other than
+   * `UnmodeledDefinition` itself.
+   */
+  query predicate memoryOperandDefinitionIsUnmodeled(
+    Instruction instr, string message, IRFunction func, string funcText
+  ) {
+    exists(MemoryOperand operand, Instruction def |
+      operand = instr.getAnOperand() and
+      not operand instanceof UnmodeledUseOperand and
+      def = operand.getAnyDef() and
+      not def.isResultModeled() and
+      not def instanceof UnmodeledDefinitionInstruction and
+      message =
+        "Memory operand definition has unmodeled result, but is not the `UnmodeledDefinition` instruction in function '$@'" and
+      func = instr.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
+  }
+
   /**
    * Holds if operand `operand` consumes a value that was defined in
    * a different function.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll

@@ -149,6 +149,26 @@ module InstructionSanity {
     count(instr.getBlock().getAPredecessor()) < 2
   }
 
+  /**
+   * Holds if a memory operand is connected to a definition with an unmodeled result, other than
+   * `UnmodeledDefinition` itself.
+   */
+  query predicate memoryOperandDefinitionIsUnmodeled(
+    Instruction instr, string message, IRFunction func, string funcText
+  ) {
+    exists(MemoryOperand operand, Instruction def |
+      operand = instr.getAnOperand() and
+      not operand instanceof UnmodeledUseOperand and
+      def = operand.getAnyDef() and
+      not def.isResultModeled() and
+      not def instanceof UnmodeledDefinitionInstruction and
+      message =
+        "Memory operand definition has unmodeled result, but is not the `UnmodeledDefinition` instruction in function '$@'" and
+      func = instr.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
+  }
+
   /**
    * Holds if operand `operand` consumes a value that was defined in
    * a different function.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -454,7 +454,7 @@ abstract class TranslatedParameter extends TranslatedElement {
       result = getInstruction(InitializerVariableAddressTag())
       or
       operandTag instanceof LoadOperandTag and
-      result = getInstruction(InitializerStoreTag())
+      result = getTranslatedFunction(getFunction()).getUnmodeledDefinitionInstruction()
     )
     or
     tag = InitializerIndirectStoreTag() and

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll

@@ -149,6 +149,26 @@ module InstructionSanity {
     count(instr.getBlock().getAPredecessor()) < 2
   }
 
+  /**
+   * Holds if a memory operand is connected to a definition with an unmodeled result, other than
+   * `UnmodeledDefinition` itself.
+   */
+  query predicate memoryOperandDefinitionIsUnmodeled(
+    Instruction instr, string message, IRFunction func, string funcText
+  ) {
+    exists(MemoryOperand operand, Instruction def |
+      operand = instr.getAnOperand() and
+      not operand instanceof UnmodeledUseOperand and
+      def = operand.getAnyDef() and
+      not def.isResultModeled() and
+      not def instanceof UnmodeledDefinitionInstruction and
+      message =
+        "Memory operand definition has unmodeled result, but is not the `UnmodeledDefinition` instruction in function '$@'" and
+      func = instr.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
+  }
+
   /**
    * Holds if operand `operand` consumes a value that was defined in
    * a different function.

cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected

@@ -13,6 +13,7 @@ instructionWithoutSuccessor
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
+memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
 containsLoopOfForwardEdges

cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity_unsound.expected

@@ -13,6 +13,7 @@ instructionWithoutSuccessor
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
+memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
 containsLoopOfForwardEdges

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -13,6 +13,7 @@ instructionWithoutSuccessor
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
+memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
 containsLoopOfForwardEdges

cpp/ql/test/library-tests/ir/ir/raw_sanity.expected

@@ -13,6 +13,7 @@ instructionWithoutSuccessor
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
+memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
 containsLoopOfForwardEdges

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected

@@ -13,6 +13,7 @@ instructionWithoutSuccessor
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
+memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
 containsLoopOfForwardEdges