C++: Handle field initialization via NSDMI in IR generation

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll

@@ -831,7 +831,11 @@ module Public {
 
     /** Gets the parameter through which this value is assigned. */
     Parameter getParameter() {
-      result = this.getCallInstruction().getStaticCallTarget().getParameter(this.getArgumentIndex())
+      result =
+        this.getCallInstruction()
+            .getStaticCallTarget()
+            .(Function)
+            .getParameter(this.getArgumentIndex())
     }
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -175,7 +175,8 @@ private class PointerWrapperTypeIndirection extends Indirection instanceof Point
   override predicate isAdditionalDereference(Instruction deref, Operand address) {
     exists(CallInstruction call |
       operandForFullyConvertedCall(getAUse(deref), call) and
-      this = call.getStaticCallTarget().getClassAndName(["operator*", "operator->", "get"]) and
+      this =
+        call.getStaticCallTarget().(Function).getClassAndName(["operator*", "operator->", "get"]) and
       address = call.getThisArgumentOperand()
     )
   }
@@ -194,7 +195,7 @@ private module IteratorIndirections {
 
     override predicate isAdditionalWrite(Node0Impl value, Operand address, boolean certain) {
       exists(CallInstruction call | call.getArgumentOperand(0) = value.asOperand() |
-        this = call.getStaticCallTarget().getClassAndName("operator=") and
+        this = call.getStaticCallTarget().(Function).getClassAndName("operator=") and
         address = call.getThisArgumentOperand() and
         certain = false
       )

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -495,7 +495,7 @@ class FieldInstruction extends Instruction {
  * `FunctionAddress` instruction.
  */
 class FunctionInstruction extends Instruction {
-  Language::Function funcSymbol;
+  Language::Declaration funcSymbol;
 
   FunctionInstruction() { funcSymbol = Raw::getInstructionFunction(this) }
 
@@ -504,7 +504,7 @@ class FunctionInstruction extends Instruction {
   /**
    * Gets the function that this instruction references.
    */
-  final Language::Function getFunctionSymbol() { result = funcSymbol }
+  final Language::Declaration getFunctionSymbol() { result = funcSymbol }
 }
 
 /**
@@ -1678,7 +1678,7 @@ class CallInstruction extends Instruction {
   /**
    * Gets the `Function` that the call targets, if this is statically known.
    */
-  final Language::Function getStaticCallTarget() {
+  final Language::Declaration getStaticCallTarget() {
     result = this.getCallTarget().(FunctionAddressInstruction).getFunctionSymbol()
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -495,7 +495,7 @@ class FieldInstruction extends Instruction {
  * `FunctionAddress` instruction.
  */
 class FunctionInstruction extends Instruction {
-  Language::Function funcSymbol;
+  Language::Declaration funcSymbol;
 
   FunctionInstruction() { funcSymbol = Raw::getInstructionFunction(this) }
 
@@ -504,7 +504,7 @@ class FunctionInstruction extends Instruction {
   /**
    * Gets the function that this instruction references.
    */
-  final Language::Function getFunctionSymbol() { result = funcSymbol }
+  final Language::Declaration getFunctionSymbol() { result = funcSymbol }
 }
 
 /**
@@ -1678,7 +1678,7 @@ class CallInstruction extends Instruction {
   /**
    * Gets the `Function` that the call targets, if this is statically known.
    */
-  final Language::Function getStaticCallTarget() {
+  final Language::Declaration getStaticCallTarget() {
     result = this.getCallTarget().(FunctionAddressInstruction).getFunctionSymbol()
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -9,12 +9,13 @@
 private import semmle.code.cpp.ir.internal.TempVariableTag
 private import InstructionTag
 private import TranslatedCondition
 private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedCall
 private import TranslatedStmt
 private import TranslatedFunction
 private import TranslatedGlobalVar
+private import TranslatedNonStaticDataMember
 private import TranslatedInitialization
 
 TranslatedElement getInstructionTranslatedElement(Instruction instruction) {
@@ -45,6 +46,8 @@
       or
       not var.isFromUninstantiatedTemplate(_) and
       var instanceof StaticInitializedStaticLocalVariable
+      or
+      var instanceof Field
     ) and
     var.hasInitializer() and
     (
@@ -64,6 +67,8 @@
     getTranslatedFunction(decl).hasUserVariable(var, type)
     or
     getTranslatedVarInit(decl).hasUserVariable(var, type)
+    or
+    getTranslatedFieldInit(decl).hasUserVariable(var, type)
   }
 
   cached
@@ -110,7 +115,7 @@
   }
 
   cached
-  Function getInstructionFunction(Instruction instruction) {
+  Declaration getInstructionFunction(Instruction instruction) {
     result =
       getInstructionTranslatedElement(instruction)
           .getInstructionFunction(getInstructionTag(instruction))

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -142,15 +142,23 @@ class CallOrAllocationExpr extends Expr {
     this instanceof NewOrNewArrayExpr
     or
     this instanceof DeleteOrDeleteArrayExpr
+    or
+    exists(
+      ConstructorFieldInit init |
+      this = init and
+      not exists(init.getExpr()) and
+      exists(init.getTarget().getInitializer()))
   }
 
-  /** Gets the `Function` invoked by this expression, if known. */
-  final Function getTarget() {
+  /** Gets the `Declaration` invoked by this expression, if known. */
+  final Declaration getTarget() {
     result = this.(Call).getTarget()
     or
     result = this.(NewOrNewArrayExpr).getAllocator()
     or
     result = this.(DeleteOrDeleteArrayExpr).getDeallocator()
+    or
+    result = this.(ConstructorFieldInit).getTarget()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -10,6 +10,7 @@ private import SideEffects
 private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedFunction
+private import TranslatedInitialization
 private import DefaultOptions as DefaultOptions
 
 /**
@@ -348,7 +349,7 @@ class TranslatedExprCall extends TranslatedCallExpr {
 class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
   override FunctionCall expr;
 
-  override Function getInstructionFunction(InstructionTag tag) {
+  override Declaration getInstructionFunction(InstructionTag tag) {
     tag = CallTargetTag() and result = expr.getTarget()
   }
 
@@ -429,6 +430,9 @@ class TranslatedCallSideEffects extends TranslatedSideEffects, TTranslatedCallSi
     or
     expr instanceof DeleteOrDeleteArrayExpr and
     result = getTranslatedDeleteOrDeleteArray(expr).getInstruction(CallTag())
+    or
+    expr instanceof ConstructorFieldInit and
+    result = getTranslatedConstructorFieldInitialization(expr).getInstruction(CallTag())
   }
 }
 
@@ -508,7 +512,7 @@ abstract class TranslatedSideEffect extends TranslatedElement {
  * The IR translation of a single argument side effect for a call.
  */
 abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
-  Call call;
+  CallOrAllocationExpr callOrInit;
   int index;
   SideEffectOpcode sideEffectOpcode;
 
@@ -524,7 +528,7 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
     result = "(read side effect for " + this.getArgString() + ")"
   }
 
-  override Call getPrimaryExpr() { result = call }
+  override Expr getPrimaryExpr() { result = callOrInit }
 
   override predicate sortOrder(int group, int indexInGroup) {
     indexInGroup = index and
@@ -586,7 +590,7 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
     tag instanceof OnlyInstructionTag and
     operandTag instanceof BufferSizeOperandTag and
     result =
-      getTranslatedExpr(call.getArgument(call.getTarget()
+      getTranslatedExpr(callOrInit.(Call).getArgument(callOrInit.getTarget()
               .(SideEffectFunction)
               .getParameterSizeIndex(index)).getFullyConverted()).getResult()
   }
@@ -616,7 +620,7 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
   Expr arg;
 
   TranslatedArgumentExprSideEffect() {
-    this = TTranslatedArgumentExprSideEffect(call, arg, index, sideEffectOpcode)
+    this = TTranslatedArgumentExprSideEffect(callOrInit, arg, index, sideEffectOpcode)
   }
 
   final override Locatable getAst() { result = arg }
@@ -647,21 +651,24 @@ class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect
   TTranslatedStructorQualifierSideEffect
 {
   TranslatedStructorQualifierSideEffect() {
-    this = TTranslatedStructorQualifierSideEffect(call, sideEffectOpcode) and
+    this = TTranslatedStructorQualifierSideEffect(callOrInit, sideEffectOpcode) and
     index = -1
   }
 
-  final override Locatable getAst() { result = call }
+  final override Locatable getAst() { result = callOrInit }
 
-  final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() }
+  final override Type getIndirectionType() { result = callOrInit.getTarget().getDeclaringType() }
 
   final override string getArgString() { result = "this" }
 
   final override Instruction getArgInstruction() {
     exists(TranslatedStructorCall structorCall |
-      structorCall.getExpr() = call and
+      structorCall.getExpr() = callOrInit and
       result = structorCall.getQualifierResult()
     )
+    or
+    callOrInit instanceof ConstructorFieldInit and
+    result = getTranslatedFunction(callOrInit.getEnclosingFunction()).getLoadThisInstruction()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll

@@ -36,7 +36,8 @@ abstract class TranslatedCondition extends TranslatedElement {
   final override Declaration getFunction() {
     result = getEnclosingFunction(expr) or
     result = getEnclosingVariable(expr).(GlobalOrNamespaceVariable) or
-    result = getEnclosingVariable(expr).(StaticInitializedStaticLocalVariable)
+    result = getEnclosingVariable(expr).(StaticInitializedStaticLocalVariable) or
+    result = getEnclosingVariable(expr).(Field)
   }
 
   final Type getResultType() { result = expr.getUnspecifiedType() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll

@@ -36,6 +36,7 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated
       or
       not entry.getDeclaration() instanceof StaticInitializedStaticLocalVariable and
       not entry.getDeclaration() instanceof GlobalOrNamespaceVariable and
+      not entry.getDeclaration() instanceof Field and
       result = stmt.getEnclosingFunction()
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -775,6 +775,16 @@ newtype TTranslatedElement =
       position = -1
     )
   } or
+  // The initialization of a field via a default member initializer.
+  TTranslatedDefaultFieldInitialization(Expr ast, Field field) {
+    exists(ConstructorFieldInit init |
+      not ignoreExpr(init) and
+      ast = init and
+      field = init.getTarget() and
+      not exists(init.getExpr()) and
+      exists(field.getInitializer())
+    )
+  } or
   // The value initialization of a field due to an omitted member of an
   // initializer list.
   TTranslatedFieldValueInitialization(Expr ast, Field field) {
@@ -910,15 +920,30 @@ newtype TTranslatedElement =
   } or
   // Constructor calls lack a qualifier (`this`) expression, so we need to handle the side effects
   // on `*this` without an `Expr`.
-  TTranslatedStructorQualifierSideEffect(Call call, SideEffectOpcode opcode) {
+  TTranslatedStructorQualifierSideEffect(CallOrAllocationExpr call, SideEffectOpcode opcode) {
     not ignoreExpr(call) and
     not ignoreSideEffects(call) and
+    (
     call instanceof ConstructorCall and
     opcode = getASideEffectOpcode(call, -1)
+    )
+    or
+    (
+      call instanceof ConstructorFieldInit and
+      (
+        opcode instanceof Opcode::IndirectReadSideEffect
+        or
+        opcode instanceof Opcode::IndirectMayWriteSideEffect
+      )
+
+    )
   } or
   // The side effect that initializes newly-allocated memory.
   TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) } or
-  TTranslatedStaticStorageDurationVarInit(Variable var) { Raw::varHasIRFunc(var) } or
+  TTranslatedStaticStorageDurationVarInit(Variable var) {
+    Raw::varHasIRFunc(var) and not var instanceof Field
+  } or
+  TTranslatedNonStaticDataMemberVarInit(Field var) { Raw::varHasIRFunc(var) } or
   TTranslatedAssertionOperand(MacroInvocation mi, int index) { hasAssertionOperand(mi, index) }
 
 /**
@@ -1179,7 +1204,7 @@ abstract class TranslatedElement extends TTranslatedElement {
    * If the instruction specified by `tag` is a `FunctionInstruction`, gets the
    * `Function` for that instruction.
    */
-  Function getInstructionFunction(InstructionTag tag) { none() }
+  Declaration getInstructionFunction(InstructionTag tag) { none() }
 
   /**
    * If the instruction specified by `tag` is a `VariableInstruction`, gets the
@@ -1297,5 +1322,7 @@ abstract class TranslatedRootElement extends TranslatedElement {
     this instanceof TTranslatedFunction
     or
     this instanceof TTranslatedStaticStorageDurationVarInit
+    or
+    this instanceof TTranslatedNonStaticDataMemberVarInit
   }
 }