C++: Updates for changes in frontend

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -362,6 +362,12 @@ predicate ignoreLoad(Expr expr) {
     or
     expr instanceof FunctionAccess
     or
+    // The load is duplicated from the operand.
+    expr instanceof ParenthesisExpr
+    or
+    // The load is duplicated from the right operand.
+    expr instanceof CommaExpr
+    or
     expr.(PointerDereferenceExpr).getOperand().getFullyConverted().getType().getUnspecifiedType()
       instanceof FunctionPointerType
     or

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -648,19 +648,7 @@ abstract class TranslatedCrementOperation extends TranslatedNonConstantExpr {
 class TranslatedPrefixCrementOperation extends TranslatedCrementOperation {
   override PrefixCrementOperation expr;
 
-  override Instruction getResult() {
-    if expr.isPRValueCategory()
-    then
-      // If this is C, then the result of a prefix crement is a prvalue for the
-      // new value assigned to the operand. If this is C++, then the result is
-      // an lvalue, but that lvalue is being loaded as part of this expression.
-      // EDG doesn't mark this as a load.
-      result = this.getInstruction(CrementOpTag())
-    else
-      // This is C++, where the result is an lvalue for the operand, and that
-      // lvalue is not being loaded as part of this expression.
-      result = this.getUnloadedOperand().getResult()
-  }
+  override Instruction getResult() { result = this.getUnloadedOperand().getResult() }
 }
 
 class TranslatedPostfixCrementOperation extends TranslatedCrementOperation {
@@ -1503,19 +1491,7 @@ class TranslatedAssignExpr extends TranslatedNonConstantExpr {
     result = this.getRightOperand().getFirstInstruction()
   }
 
-  final override Instruction getResult() {
-    if expr.isPRValueCategory()
-    then
-      // If this is C, then the result of an assignment is a prvalue for the new
-      // value assigned to the left operand. If this is C++, then the result is
-      // an lvalue, but that lvalue is being loaded as part of this expression.
-      // EDG doesn't mark this as a load.
-      result = this.getRightOperand().getResult()
-    else
-      // This is C++, where the result is an lvalue for the left operand,
-      // and that lvalue is not being loaded as part of this expression.
-      result = this.getLeftOperand().getResult()
-  }
+  final override Instruction getResult() { result = this.getLeftOperand().getResult() }
 
   final TranslatedExpr getLeftOperand() {
     result = getTranslatedExpr(expr.getLValue().getFullyConverted())
@@ -1641,19 +1617,7 @@ class TranslatedAssignOperation extends TranslatedNonConstantExpr {
     result = this.getRightOperand().getFirstInstruction()
   }
 
-  final override Instruction getResult() {
-    if expr.isPRValueCategory()
-    then
-      // If this is C, then the result of an assignment is a prvalue for the new
-      // value assigned to the left operand. If this is C++, then the result is
-      // an lvalue, but that lvalue is being loaded as part of this expression.
-      // EDG doesn't mark this as a load.
-      result = this.getStoredValue()
-    else
-      // This is C++, where the result is an lvalue for the left operand,
-      // and that lvalue is not being loaded as part of this expression.
-      result = this.getUnloadedLeftOperand().getResult()
-  }
+  final override Instruction getResult() { result = this.getUnloadedLeftOperand().getResult() }
 
   final TranslatedExpr getUnloadedLeftOperand() {
     result = this.getLoadedLeftOperand().getOperand()
@@ -2114,8 +2078,15 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
         not this.elseIsVoid() and tag = ConditionValueFalseStoreTag()
       ) and
       opcode instanceof Opcode::Store and
-      resultType = this.getResultType()
+      (
+        not expr.hasLValueToRValueConversion() and
+        resultType = this.getResultType()
+        or
+        expr.hasLValueToRValueConversion() and
+        resultType = getTypeForPRValue(expr.getType())
+      )
       or
+      not expr.hasLValueToRValueConversion() and
       tag = ConditionValueResultLoadTag() and
       opcode instanceof Opcode::Load and
       resultType = this.getResultType()
@@ -2145,8 +2116,15 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
       )
       or
       tag = ConditionValueResultTempAddressTag() and
-      result = this.getInstruction(ConditionValueResultLoadTag())
+      (
+        not expr.hasLValueToRValueConversion() and
+        result = this.getInstruction(ConditionValueResultLoadTag())
+        or
+        expr.hasLValueToRValueConversion() and
+        result = this.getParent().getChildSuccessor(this)
+      )
       or
+      not expr.hasLValueToRValueConversion() and
       tag = ConditionValueResultLoadTag() and
       result = this.getParent().getChildSuccessor(this)
     )
@@ -2175,18 +2153,23 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
         result = this.getElse().getResult()
       )
       or
+      not expr.hasLValueToRValueConversion() and
       tag = ConditionValueResultLoadTag() and
-      (
-        operandTag instanceof AddressOperandTag and
-        result = this.getInstruction(ConditionValueResultTempAddressTag())
-      )
+      operandTag instanceof AddressOperandTag and
+      result = this.getInstruction(ConditionValueResultTempAddressTag())
     )
   }
 
   final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
     not this.resultIsVoid() and
     tag = ConditionValueTempVar() and
-    type = this.getResultType()
+    (
+      not expr.hasLValueToRValueConversion() and
+      type = this.getResultType()
+      or
+      expr.hasLValueToRValueConversion() and
+      type = getTypeForPRValue(expr.getType())
+    )
   }
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {
@@ -2201,7 +2184,13 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
 
   final override Instruction getResult() {
     not this.resultIsVoid() and
-    result = this.getInstruction(ConditionValueResultLoadTag())
+    (
+      expr.hasLValueToRValueConversion() and
+      result = this.getInstruction(ConditionValueResultTempAddressTag())
+      or
+      not expr.hasLValueToRValueConversion() and
+      result = this.getInstruction(ConditionValueResultLoadTag())
+    )
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
@@ -3232,11 +3221,9 @@ predicate exprNeedsCopyIfNotLoaded(Expr expr) {
   (
     expr instanceof AssignExpr
     or
-    expr instanceof AssignOperation and
-    not expr.isPRValueCategory() // is C++
+    expr instanceof AssignOperation
     or
-    expr instanceof PrefixCrementOperation and
-    not expr.isPRValueCategory() // is C++
+    expr instanceof PrefixCrementOperation
     or
     // Because the load is on the `e` in `e++`.
     expr instanceof PostfixCrementOperation

cpp/ql/test/examples/expressions/PrintAST.expected

@@ -763,7 +763,7 @@ StaticMemberAccess.cpp:
 #    7|             ValueCategory = lvalue
 #    7|         getRValue(): [VariableAccess] i
 #    7|             Type = [IntType] int
-#    7|             ValueCategory = prvalue
+#    7|             ValueCategory = prvalue(load)
 #    7|           getQualifier(): [VariableAccess] xref
 #    7|               Type = [LValueReferenceType] X &
 #    7|               ValueCategory = prvalue(load)
@@ -1394,7 +1394,7 @@ union_etc.cpp:
 #   26|                 ValueCategory = lvalue
 #   26|         getRValue(): [AssignExpr] ... = ...
 #   26|             Type = [IntType] int
-#   26|             ValueCategory = prvalue
+#   26|             ValueCategory = prvalue(load)
 #   26|           getLValue(): [ValueFieldAccess] e
 #   26|               Type = [IntType] int
 #   26|               ValueCategory = lvalue
@@ -1406,7 +1406,7 @@ union_etc.cpp:
 #   26|                   ValueCategory = lvalue
 #   26|           getRValue(): [AssignExpr] ... = ...
 #   26|               Type = [IntType] int
-#   26|               ValueCategory = prvalue
+#   26|               ValueCategory = prvalue(load)
 #   26|             getLValue(): [ValueFieldAccess] i
 #   26|                 Type = [IntType] int
 #   26|                 ValueCategory = lvalue

cpp/ql/test/experimental/library-tests/rangeanalysis/signanalysis/SignAnalysis.expected

@@ -675,6 +675,7 @@
 | test.c:398:9:398:22 | CopyValue: ... , ... | positive strictlyPositive |
 | test.c:398:14:398:14 | Load: y | positive strictlyPositive |
 | test.c:398:14:398:19 | Add: ... += ... | positive strictlyPositive |
+| test.c:398:14:398:19 | Load: ... += ... | positive strictlyPositive |
 | test.c:398:14:398:19 | Store: ... += ... | positive strictlyPositive |
 | test.c:398:19:398:19 | Constant: (unsigned int)... | positive strictlyPositive |
 | test.c:398:22:398:22 | Load: y | positive strictlyPositive |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected

@@ -35,6 +35,7 @@ edges
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf |
+| test.cpp:146:26:146:26 | p indirection | test.cpp:147:4:147:9 | -- ... |
 | test.cpp:146:26:146:26 | p indirection | test.cpp:148:6:148:9 | * ... |
 | test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... |
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | & ... indirection |
@@ -122,6 +123,7 @@ nodes
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:146:26:146:26 | p indirection | semmle.label | p indirection |
+| test.cpp:147:4:147:9 | -- ... | semmle.label | -- ... |
 | test.cpp:148:6:148:9 | * ... | semmle.label | * ... |
 | test.cpp:156:12:156:14 | buf | semmle.label | buf |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
@@ -175,6 +177,7 @@ subpaths
 | test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
 | test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
 | test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
+| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
 | test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:148:6:148:9 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
 | test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
 | test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |

cpp/ql/test/library-tests/attributes/deprecated_with_msg/clang421.c

@@ -1,2 +1,2 @@
 static int clang421 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40201 --edg --clang
+// semmle-extractor-options: --gnu_version 40201 --clang_version 30400

cpp/ql/test/library-tests/attributes/deprecated_with_msg/clang450.c

@@ -1,2 +1,2 @@
 static int clang450 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40500 --edg --clang
+// semmle-extractor-options: --gnu_version 40500 --clang_version 30500

cpp/ql/test/library-tests/attributes/deprecated_with_msg/gcc421.c

@@ -1,2 +1,2 @@
 static int gcc421 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40201 --edg --clang
+// semmle-extractor-options: --gnu_version 40201

cpp/ql/test/library-tests/attributes/deprecated_with_msg/gcc450.c

@@ -1,2 +1,2 @@
 static int gcc450 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40500 --edg --clang
+// semmle-extractor-options: --gnu_version 40500

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -15,6 +15,7 @@ localCallNodes
 postIsNotPre
 postHasUniquePre
 uniquePostUpdate
+| example.c:24:13:24:18 | coords indirection | Node has multiple PostUpdateNodes. |
 postIsInSameCallable
 reverseRead
 argHasPostUpdate