codeql
C++: Provide an initial SSA definition of the address of a variable
This PR fixes a subtle problem in the C++ SSA. Consider an example such as:
```cpp
void test() {
  int x;
  sink(&x);
}
```
A basic requirement for SSA is that any use of a variable should be dominated by its definition. For the value of `x` this holds because the IR inserts an `UninitializedInstruction` providing the initial value of `x`. However, the address of `x` isn't initialized by this instruction, and so there's no initial definition of the address of `x`. When you're starting flow at a use of `x` which didn't have an implicit lvalue-to-rvalue conversion, this meant that you didn't get flow out of that expression. Consider, for example, this example:
```cpp
struct S { int x; };
void test() {
  S s;
  s.x = 0;
  sink(&s);
}
```
The qualifier of `s.x` doesn't have an lvalue-to-rvalue conversion, so if you're writing `node.asExpr() = any(FieldAccess fa).getQualifier()` you're selecting the address of `s`, and since the address of `s` didn't have an initial SSA definition, you'd not get flow out of `s.x` and into `&s`.
This PR fixes this issue by providing an initial SSA definition of the SSA variable that represents the address.
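For readers who want to check the scenario above against their own CodeQL install, the following query is an added example and is not part of this PR or of the codeql repository. It starts flow at the qualifier of a field write (the `s` in `s.x = 0`, which is the address of `s`) and looks for flow into an `&s` argument of a call to a function named `sink`; the function name `sink`, the query id and the restriction to assignment left-hand sides are assumptions made for this example. Before the fix described here, the path from `s` to `&s` in the second snippet would be missing; with it, the query reports that path.

```ql
/**
 * @name Flow from the qualifier of a field write to an address-of argument
 * @description Added example: exercises the SSA definition of a variable's address
 *              by starting flow at a field-access qualifier with no lvalue-to-rvalue
 *              conversion. Query id and the `sink` function name are assumptions.
 * @kind path-problem
 * @id cpp/example/qualifier-address-flow
 */

import cpp
import semmle.code.cpp.dataflow.new.DataFlow

module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    // The qualifier of a field access that is the left-hand side of an assignment,
    // e.g. `s` in `s.x = 0`. The qualifier has no lvalue-to-rvalue conversion, so
    // this node is the address of `s`, not its value.
    exists(FieldAccess fa |
      fa = any(AssignExpr a).getLValue() and
      source.asExpr() = fa.getQualifier()
    )
  }

  predicate isSink(DataFlow::Node sink) {
    // An address-of expression passed directly to a call of `sink` (assumed name),
    // e.g. `&s` in `sink(&s)`.
    exists(FunctionCall call |
      call.getTarget().hasName("sink") and
      sink.asExpr() = call.getAnArgument().(AddressOfExpr)
    )
  }
}

module Flow = DataFlow::Global<Config>;

import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "The address of $@ reaches this call to sink.",
  source.getNode(), "this variable"
```

Run it against a database built from the second snippet above; a result from `s` in `s.x = 0` to `&s` shows that the address of `s` now has an initial SSA definition that dominates its uses.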
Commit-by-commit review recommended. Most of the changes are basic refactorings, and really the meat of the change is in https://github.com/github/codeql/commit/cf162aa41240ccb9bd7ae39c2c6c068a4b3644eb