C++: add indexes for specific side effects

Author: rdmarsh2

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -644,6 +644,17 @@ class ConstantValueInstruction extends Instruction {
   final string getValue() { result = value }
 }
 
+class IndexedInstruction extends Instruction {
+  int index;
+
+  IndexedInstruction() { index = Construction::getInstructionIndex(this) }
+  
+
+  final override string getImmediateString() { result = index.toString() }
+
+  final int getIndex() { result = index }
+}
+
 class EnterFunctionInstruction extends Instruction {
   EnterFunctionInstruction() { getOpcode() instanceof Opcode::EnterFunction }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -342,6 +342,11 @@ private module Cached {
     result = getOldInstruction(instruction).(OldIR::FieldInstruction).getField()
   }
 
+  cached
+  int getInstructionIndex(Instruction instruction) {
+    result = getOldInstruction(instruction).(OldIR::IndexedInstruction).getIndex()
+  }
+
   cached
   Function getInstructionFunction(Instruction instruction) {
     result = getOldInstruction(instruction).(OldIR::FunctionInstruction).getFunctionSymbol()

cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll

@@ -72,6 +72,8 @@ class BufferSizeOperandTag extends RegisterOperandTag, TBufferSizeOperand {
   final override int getSortOrder() { result = 1 }
 }
 
+BufferSizeOperandTag bufferSizeOperand() { result = TBufferSizeOperand() }
+
 /**
  * The operand representing the read side effect of a `SideEffectInstruction`.
  */

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -644,6 +644,17 @@ class ConstantValueInstruction extends Instruction {
   final string getValue() { result = value }
 }
 
+class IndexedInstruction extends Instruction {
+  int index;
+
+  IndexedInstruction() { index = Construction::getInstructionIndex(this) }
+  
+
+  final override string getImmediateString() { result = index.toString() }
+
+  final int getIndex() { result = index }
+}
+
 class EnterFunctionInstruction extends Instruction {
   EnterFunctionInstruction() { getOpcode() instanceof Opcode::EnterFunction }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -259,6 +259,14 @@ private module Cached {
           .getInstructionConstantValue(getInstructionTag(instruction))
   }
 
+  cached
+  int getInstructionIndex(Instruction instruction) {
+    exists(TranslatedElement element, InstructionTag tag |
+      instructionOrigin(instruction, element, tag) and
+      result = element.getInstructionIndex(tag)
+    )
+  }
+
   cached
   StringLiteral getInstructionStringLiteral(Instruction instruction) {
     result = getInstructionTranslatedElement(instruction)

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -456,6 +456,12 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
     operandTag instanceof SideEffectOperandTag and
     call.getTarget().(SideEffectFunction).hasSpecificReadSideEffect(index, _) and
     result = getEnclosingFunction().getUnmodeledDefinitionInstruction()
+    or
+    tag instanceof OnlyInstructionTag and
+    operandTag instanceof BufferSizeOperandTag and
+    result = getTranslatedExpr(call
+            .getArgument(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index)).getFullyConverted())
+          .getResult()
   }
 
   override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) {
@@ -471,15 +477,26 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
 
   predicate hasSpecificWriteSideEffect(Opcode op) {
     exists(boolean buffer, boolean mustWrite |
-      call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(index, buffer, mustWrite) and
-      (
-        buffer = true and mustWrite = false and op instanceof Opcode::BufferMayWriteSideEffect
-        or
-        buffer = false and mustWrite = false and op instanceof Opcode::IndirectMayWriteSideEffect
-        or
-        buffer = true and mustWrite = true and op instanceof Opcode::BufferMustWriteSideEffect
-        or
-        buffer = false and mustWrite = true and op instanceof Opcode::IndirectMustWriteSideEffect
+      if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index))
+      then
+        call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(index, true, mustWrite) and
+        buffer = true and
+        (
+          mustWrite = false and op instanceof Opcode::SizedBufferMayWriteSideEffect
+          or
+          mustWrite = true and op instanceof Opcode::SizedBufferMustWriteSideEffect
+        )
+      else (
+        call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(index, buffer, mustWrite) and
+        (
+          buffer = true and mustWrite = false and op instanceof Opcode::BufferMayWriteSideEffect
+          or
+          buffer = false and mustWrite = false and op instanceof Opcode::IndirectMayWriteSideEffect
+          or
+          buffer = true and mustWrite = true and op instanceof Opcode::BufferMustWriteSideEffect
+          or
+          buffer = false and mustWrite = true and op instanceof Opcode::IndirectMustWriteSideEffect
+        )
       )
     )
     or
@@ -495,7 +512,9 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
   predicate hasSpecificReadSideEffect(Opcode op) {
     exists(boolean buffer |
       call.getTarget().(SideEffectFunction).hasSpecificReadSideEffect(index, buffer) and
-      (
+      if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index))
+      then buffer = true and op instanceof Opcode::SizedBufferReadSideEffect
+      else (
         buffer = true and op instanceof Opcode::BufferReadSideEffect
         or
         buffer = false and op instanceof Opcode::IndirectReadSideEffect
@@ -506,6 +525,11 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
     op instanceof Opcode::IndirectReadSideEffect
   }
 
+  final override int getInstructionIndex(InstructionTag tag) {
+    tag = OnlyInstructionTag() and
+    result = index
+  }
+
   /**
    * Gets the `TranslatedFunction` containing this expression.
    */

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -600,6 +600,12 @@ abstract class TranslatedElement extends TTranslatedElement {
    */
   string getInstructionConstantValue(InstructionTag tag) { none() }
 
+  /**
+   * If the instruction specified by `tag` is an `IndexedInstruction`, gets the
+   * index for that instruction.
+   */
+  int getInstructionIndex(InstructionTag tag) { none() }
+
   /**
    * If the instruction specified by `tag` is a `PointerArithmeticInstruction`,
    * gets the size of the type pointed to by the pointer.

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -644,6 +644,17 @@ class ConstantValueInstruction extends Instruction {
   final string getValue() { result = value }
 }
 
+class IndexedInstruction extends Instruction {
+  int index;
+
+  IndexedInstruction() { index = Construction::getInstructionIndex(this) }
+  
+
+  final override string getImmediateString() { result = index.toString() }
+
+  final int getIndex() { result = index }
+}
+
 class EnterFunctionInstruction extends Instruction {
   EnterFunctionInstruction() { getOpcode() instanceof Opcode::EnterFunction }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -342,6 +342,11 @@ private module Cached {
     result = getOldInstruction(instruction).(OldIR::FieldInstruction).getField()
   }
 
+  cached
+  int getInstructionIndex(Instruction instruction) {
+    result = getOldInstruction(instruction).(OldIR::IndexedInstruction).getIndex()
+  }
+
   cached
   Function getInstructionFunction(Instruction instruction) {
     result = getOldInstruction(instruction).(OldIR::FunctionInstruction).getFunctionSymbol()

cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll

@@ -57,5 +57,12 @@ class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction
   override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
     i = 1 and buffer = true
   }
-}
 
+  override ParameterIndex getParameterSizeIndex(ParameterIndex i) {
+    result = 2 and
+    (
+      i = 0 or
+      i = 1
+    )
+  }
+}