github · dave-bartolomeo · Oct 28, 2019 · Oct 28, 2019 · Oct 28, 2019 · jbj
@@ -23,7 +23,7 @@ import semmle.code.cpp.ir.ValueNumbering
 class NullInstruction extends ConstantValueInstruction {
   NullInstruction() {
     this.getValue() = "0" and
-    this.getResultType().getUnspecifiedType() instanceof PointerType
+    this.getResultIRType() instanceof IRAddressType
   }
 }
 
@@ -42,8 +42,8 @@ predicate explicitNullTestOfInstruction(Instruction checked, Instruction bool) {
   or
   bool = any(ConvertInstruction convert |
       checked = convert.getUnary() and
-      convert.getResultType() instanceof BoolType and
-      checked.getResultType() instanceof PointerType
+      convert.getResultIRType() instanceof IRBooleanType and
+      checked.getResultIRType() instanceof IRAddressType
     )
 }
 

@@ -5,6 +5,7 @@
 private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.controlflow.IRGuards
+private import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 
 /**
  * A newtype wrapper to prevent accidental casts between `Node` and
@@ -33,7 +34,16 @@ class Node extends TIRDataFlowNode {
   Function getFunction() { result = instr.getEnclosingFunction() }
 
   /** Gets the type of this node. */
-  Type getType() { result = instr.getResultType() }
+  Type getType() {
+    exists(Language::LanguageType resultType |
+      resultType = instr.getResultLanguageType() and
+      (
+        resultType.hasUnspecifiedType(result, _)
+        or
+        not resultType.hasUnspecifiedType(_, _) and result instanceof Language::UnknownType
+      )
+    )
+  }
 
   Instruction asInstruction() { this = MkIRDataFlowNode(result) }
 

@@ -120,7 +120,7 @@ class IRBooleanType extends IRSizedType, TIRBooleanType {
 }
 
 /**
- * A numberic type. This includes `IRSignedIntegerType`, `IRUnsignedIntegerType`, and
+ * A numeric type. This includes `IRSignedIntegerType`, `IRUnsignedIntegerType`, and
  * `IRFloatingPointType`.
  */
 class IRNumericType extends IRSizedType {
@@ -131,11 +131,21 @@ class IRNumericType extends IRSizedType {
   }
 }
 
+/**
+ * An integer type. This includes `IRSignedIntegerType` and `IRUnsignedIntegerType`.
+ */
+class IRIntegerType extends IRNumericType {
+  IRIntegerType() {
+    this = TIRSignedIntegerType(byteSize) or
+    this = TIRUnsignedIntegerType(byteSize)
+  }
+}
+
 /**
  * A signed two's-complement integer. Also used to represent enums whose underlying type is a signed
  * integer, as well as character types whose representation is signed.
  */
-class IRSignedIntegerType extends IRNumericType, TIRSignedIntegerType {
+class IRSignedIntegerType extends IRIntegerType, TIRSignedIntegerType {
   final override string toString() { result = "int" + byteSize.toString() }
 
   final override Language::LanguageType getCanonicalLanguageType() {
@@ -147,7 +157,7 @@ class IRSignedIntegerType extends IRNumericType, TIRSignedIntegerType {
  * An unsigned two's-complement integer. Also used to represent enums whose underlying type is an
  * unsigned integer, as well as character types whose representation is unsigned.
  */
-class IRUnsignedIntegerType extends IRNumericType, TIRUnsignedIntegerType {
+class IRUnsignedIntegerType extends IRIntegerType, TIRUnsignedIntegerType {
   final override string toString() { result = "uint" + byteSize.toString() }
 
   final override Language::LanguageType getCanonicalLanguageType() {

@@ -115,7 +115,7 @@ module InstructionSanity {
 
   query predicate missingOperandType(Operand operand, string message) {
     exists(Language::Function func, Instruction use |
-      not exists(operand.getType()) and
+      not exists(operand.getLanguageType()) and
       use = operand.getUse() and
       func = use.getEnclosingFunction() and
       message = "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString()
@@ -455,52 +455,11 @@ class Instruction extends Construction::TInstruction {
    */
   final IRType getResultIRType() { result = getResultLanguageType().getIRType() }
 
-  /**
-   * Gets the type of the result produced by this instruction. If the
-   * instruction does not produce a result, its result type will be `VoidType`.
-   *
-   * If `isGLValue()` holds, then the result type of this instruction should be
-   * thought of as "pointer to `getResultType()`".
-   */
-  final Language::Type getResultType() {
-    exists(Language::LanguageType resultType |
-      resultType = getResultLanguageType() and
-      (
-        resultType.hasUnspecifiedType(result, _)
-        or
-        not resultType.hasUnspecifiedType(_, _) and result instanceof Language::UnknownType
-      )
-    )
-  }
-
-  /**
-   * Holds if the result produced by this instruction is a glvalue. If this
-   * holds, the result of the instruction represents the address of a location,
-   * and the type of the location is given by `getResultType()`. If this does
-   * not hold, the result of the instruction represents a value whose type is
-   * given by `getResultType()`.
-   *
-   * For example, the statement `y = x;` generates the following IR:
-   * r1_0(glval: int) = VariableAddress[x]
-   * r1_1(int)        = Load r1_0, mu0_1
-   * r1_2(glval: int) = VariableAddress[y]
-   * mu1_3(int)       = Store r1_2, r1_1
-   *
-   * The result of each `VariableAddress` instruction is a glvalue of type
-   * `int`, representing the address of the corresponding integer variable. The
-   * result of the `Load` instruction is a prvalue of type `int`, representing
-   * the integer value loaded from variable `x`.
-   */
-  final predicate isGLValue() { Construction::getInstructionResultType(this).hasType(_, true) }
-
   /**
    * Gets the size of the result produced by this instruction, in bytes. If the
    * result does not have a known constant size, this predicate does not hold.
-   *
-   * If `this.isGLValue()` holds for this instruction, the value of
-   * `getResultSize()` will always be the size of a pointer.
    */
-  final int getResultSize() { result = Construction::getInstructionResultType(this).getByteSize() }
+  final int getResultSize() { result = getResultLanguageType().getByteSize() }
 
   /**
    * Gets the opcode that specifies the operation performed by this instruction.
@@ -799,11 +758,13 @@ class ConstantInstruction extends ConstantValueInstruction {
 }
 
 class IntegerConstantInstruction extends ConstantInstruction {
-  IntegerConstantInstruction() { getResultType() instanceof Language::IntegralType }
+  IntegerConstantInstruction() {
+    getResultIRType() instanceof IRIntegerType or getResultIRType() instanceof IRBooleanType
+  }
 }
 
 class FloatConstantInstruction extends ConstantInstruction {
-  FloatConstantInstruction() { getResultType() instanceof Language::FloatingPointType }
+  FloatConstantInstruction() { getResultIRType() instanceof IRFloatingPointType }
 }
 
 class StringConstantInstruction extends Instruction {

@@ -155,24 +155,6 @@ class Operand extends TOperand {
    */
   final IRType getIRType() { result = getLanguageType().getIRType() }
 
-  /**
-   * Gets the type of the value consumed by this operand. This is usually the same as the
-   * result type of the definition instruction consumed by this operand. For register operands,
-   * this is always the case. For some memory operands, the operand type may be different from
-   * the definition type, such as in the case of a partial read or a read from a pointer that
-   * has been cast to a different type.
-   */
-  final Language::Type getType() { getLanguageType().hasType(result, _) }
-
-  /**
-   * Holds if the value consumed by this operand is a glvalue. If this
-   * holds, the value of the operand represents the address of a location,
-   * and the type of the location is given by `getType()`. If this does
-   * not hold, the value of the operand represents a value whose type is
-   * given by `getType()`.
-   */
-  final predicate isGLValue() { getLanguageType().hasType(_, true) }
-
   /**
    * Gets the size of the value consumed by this operand, in bytes. If the operand does not have
    * a known constant size, this predicate does not hold.

@@ -55,7 +55,7 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
       instr instanceof PointerDiffInstruction
       or
       // Converting an address to a `bool` does not escape the address.
-      instr.(ConvertInstruction).getResultType() instanceof BoolType
+      instr.(ConvertInstruction).getResultIRType() instanceof IRBooleanType
     )
   )
   or
@@ -125,15 +125,8 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
       bitOffset = Ints::unknown()
       or
       // Conversion to another pointer type propagates the source address.
-      exists(ConvertInstruction convert, Type resultType |
-        convert = instr and
-        resultType = convert.getResultType() and
-        (
-          resultType instanceof PointerType or
-          resultType instanceof Class //REVIEW: Remove when all glvalues are pointers
-        ) and
-        bitOffset = 0
-      )
+      instr.(ConvertInstruction).getResultIRType() instanceof IRAddressType and
+      bitOffset = 0
       or
       // Adding an integer to or subtracting an integer from a pointer propagates
       // the address with an offset.

@@ -115,7 +115,7 @@ module InstructionSanity {
 
   query predicate missingOperandType(Operand operand, string message) {
     exists(Language::Function func, Instruction use |
-      not exists(operand.getType()) and
+      not exists(operand.getLanguageType()) and
       use = operand.getUse() and
       func = use.getEnclosingFunction() and
       message = "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString()
@@ -455,52 +455,11 @@ class Instruction extends Construction::TInstruction {
    */
   final IRType getResultIRType() { result = getResultLanguageType().getIRType() }
 
-  /**
-   * Gets the type of the result produced by this instruction. If the
-   * instruction does not produce a result, its result type will be `VoidType`.
-   *
-   * If `isGLValue()` holds, then the result type of this instruction should be
-   * thought of as "pointer to `getResultType()`".
-   */
-  final Language::Type getResultType() {
-    exists(Language::LanguageType resultType |
-      resultType = getResultLanguageType() and
-      (
-        resultType.hasUnspecifiedType(result, _)
-        or
-        not resultType.hasUnspecifiedType(_, _) and result instanceof Language::UnknownType
-      )
-    )
-  }
-
-  /**
-   * Holds if the result produced by this instruction is a glvalue. If this
-   * holds, the result of the instruction represents the address of a location,
-   * and the type of the location is given by `getResultType()`. If this does
-   * not hold, the result of the instruction represents a value whose type is
-   * given by `getResultType()`.
-   *
-   * For example, the statement `y = x;` generates the following IR:
-   * r1_0(glval: int) = VariableAddress[x]
-   * r1_1(int)        = Load r1_0, mu0_1
-   * r1_2(glval: int) = VariableAddress[y]
-   * mu1_3(int)       = Store r1_2, r1_1
-   *
-   * The result of each `VariableAddress` instruction is a glvalue of type
-   * `int`, representing the address of the corresponding integer variable. The
-   * result of the `Load` instruction is a prvalue of type `int`, representing
-   * the integer value loaded from variable `x`.
-   */
-  final predicate isGLValue() { Construction::getInstructionResultType(this).hasType(_, true) }
-
   /**
    * Gets the size of the result produced by this instruction, in bytes. If the
    * result does not have a known constant size, this predicate does not hold.
-   *
-   * If `this.isGLValue()` holds for this instruction, the value of
-   * `getResultSize()` will always be the size of a pointer.
    */
-  final int getResultSize() { result = Construction::getInstructionResultType(this).getByteSize() }
+  final int getResultSize() { result = getResultLanguageType().getByteSize() }
 
   /**
    * Gets the opcode that specifies the operation performed by this instruction.
@@ -799,11 +758,13 @@ class ConstantInstruction extends ConstantValueInstruction {
 }
 
 class IntegerConstantInstruction extends ConstantInstruction {
-  IntegerConstantInstruction() { getResultType() instanceof Language::IntegralType }
+  IntegerConstantInstruction() {
+    getResultIRType() instanceof IRIntegerType or getResultIRType() instanceof IRBooleanType
+  }
 }
 
 class FloatConstantInstruction extends ConstantInstruction {
-  FloatConstantInstruction() { getResultType() instanceof Language::FloatingPointType }
+  FloatConstantInstruction() { getResultIRType() instanceof IRFloatingPointType }
 }
 
 class StringConstantInstruction extends Instruction {

@@ -155,24 +155,6 @@ class Operand extends TOperand {
    */
   final IRType getIRType() { result = getLanguageType().getIRType() }
 
-  /**
-   * Gets the type of the value consumed by this operand. This is usually the same as the
-   * result type of the definition instruction consumed by this operand. For register operands,
-   * this is always the case. For some memory operands, the operand type may be different from
-   * the definition type, such as in the case of a partial read or a read from a pointer that
-   * has been cast to a different type.
-   */
-  final Language::Type getType() { getLanguageType().hasType(result, _) }
-
-  /**
-   * Holds if the value consumed by this operand is a glvalue. If this
-   * holds, the value of the operand represents the address of a location,
-   * and the type of the location is given by `getType()`. If this does
-   * not hold, the value of the operand represents a value whose type is
-   * given by `getType()`.
-   */
-  final predicate isGLValue() { getLanguageType().hasType(_, true) }
-
   /**
    * Gets the size of the value consumed by this operand, in bytes. If the operand does not have
    * a known constant size, this predicate does not hold.