Base SSA classes on shared SSA library

Author: owen-mc

go/ql/lib/semmle/go/dataflow/SSA.qll

@@ -61,7 +61,7 @@ private predicate unresolvedIdentifier(Ident id, string name) {
 /**
  * An SSA variable.
  */
-class SsaVariable extends TSsaDefinition {
+class SsaVariable instanceof SsaDefinition {
   /** Gets the source variable corresponding to this SSA variable. */
   SsaSourceVariable getSourceVariable() { result = this.(SsaDefinition).getSourceVariable() }
 
@@ -107,27 +107,26 @@ class SsaVariable extends TSsaDefinition {
 /**
  * An SSA definition.
  */
-class SsaDefinition extends TSsaDefinition {
+class SsaDefinition instanceof ZZZDefinition {
+  /**
+   * Holds if this SSA definition defines `v` at index `i` in basic block `bb`.
+   * Phi nodes are considered to be at index `-1`, while normal variable writes
+   * are at the index of the control flow node they wrap.
+   */
+  predicate definesAt(SsaSourceVariable v, BasicBlock bb, int i) {
+    this.(ZZZDefinition).definesAt(v, bb, i)
+  }
+
   /** Gets the SSA variable defined by this definition. */
   SsaVariable getVariable() { result = this }
 
   /** Gets the source variable defined by this definition. */
-  abstract SsaSourceVariable getSourceVariable();
+  SsaSourceVariable getSourceVariable() { this.definesAt(result, _, _) }
 
   /**
    * Gets the basic block to which this definition belongs.
    */
-  abstract ReachableBasicBlock getBasicBlock();
-
-  /**
-   * INTERNAL: Use `getBasicBlock()` and `getSourceVariable()` instead.
-   *
-   * Holds if this is a definition of source variable `v` at index `idx` in basic block `bb`.
-   *
-   * Phi nodes are considered to be at index `-1`, all other definitions at the index of
-   * the control flow node they correspond to.
-   */
-  abstract predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int idx);
+  ReachableBasicBlock getBasicBlock() { this.definesAt(_, result, _) }
 
   /**
    * INTERNAL: Use `toString()` instead.
@@ -146,12 +145,12 @@ class SsaDefinition extends TSsaDefinition {
   /** Gets the innermost function or file to which this SSA definition belongs. */
   ControlFlow::Root getRoot() { result = this.getBasicBlock().getRoot() }
 
+  /** Gets the location of this SSA definition. */
+  Location getLocation() { result = this.(ZZZDefinition).getLocation() }
+
   /** Gets a textual representation of this element. */
   string toString() { result = this.prettyPrintDef() }
 
-  /** Gets the source location for this element. */
-  abstract Location getLocation();
-
   /**
    * DEPRECATED: Use `getLocation()` instead.
    *
@@ -178,32 +177,24 @@ class SsaDefinition extends TSsaDefinition {
 /**
  * An SSA definition that corresponds to an explicit assignment or other variable definition.
  */
-class SsaExplicitDefinition extends SsaDefinition, TExplicitDef {
+class SsaExplicitDefinition extends SsaDefinition {
+  SsaExplicitDefinition() { not this instanceof SsaImplicitDefinition }
+
   /** Gets the instruction where the definition happens. */
   IR::Instruction getInstruction() {
-    exists(BasicBlock bb, int i | this = TExplicitDef(bb, i, _) | result = bb.getNode(i))
+    exists(BasicBlock bb, int i | this.definesAt(_, bb, i) | result = bb.getNode(i))
   }
 
   /** Gets the right-hand side of the definition. */
   IR::Instruction getRhs() { this.getInstruction().writes(_, result) }
 
-  override predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int i) {
-    this = TExplicitDef(bb, i, v)
-  }
-
-  override ReachableBasicBlock getBasicBlock() { this.definesAt(_, result, _) }
-
-  override SsaSourceVariable getSourceVariable() { this.definesAt(result, _, _) }
-
   override string prettyPrintRef() {
     exists(Location loc | loc = this.getLocation() |
       result = "def@" + loc.getStartLine() + ":" + loc.getStartColumn()
     )
   }
 
   override string prettyPrintDef() { result = "definition of " + this.getSourceVariable() }
-
-  override Location getLocation() { result = this.getInstruction().getLocation() }
 }
 
 /** Provides a helper predicate for working with explicit SSA definitions. */
@@ -230,8 +221,6 @@ abstract class SsaImplicitDefinition extends SsaDefinition {
       result = this.getKind() + "@" + loc.getStartLine() + ":" + loc.getStartColumn()
     )
   }
-
-  override Location getLocation() { result = this.getBasicBlock().getLocation() }
 }
 
 /**
@@ -241,24 +230,16 @@ abstract class SsaImplicitDefinition extends SsaDefinition {
  * Capturing definitions appear at the beginning of such functions, as well as
  * at any function call that may affect the value of the variable.
  */
-class SsaVariableCapture extends SsaImplicitDefinition, TCapture {
-  override predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int i) {
-    this = TCapture(bb, i, v)
+class SsaVariableCapture extends SsaImplicitDefinition {
+  SsaVariableCapture() {
+    exists(BasicBlock bb, int i, SsaSourceVariable v | this.definesAt(v, bb, i) |
+      mayCapture(bb, i, v)
+    )
   }
 
-  override ReachableBasicBlock getBasicBlock() { this.definesAt(_, result, _) }
-
-  override SsaSourceVariable getSourceVariable() { this.definesAt(result, _, _) }
-
   override string getKind() { result = "capture" }
 
   override string prettyPrintDef() { result = "capture variable " + this.getSourceVariable() }
-
-  override Location getLocation() {
-    exists(ReachableBasicBlock bb, int i | this.definesAt(_, bb, i) |
-      result = bb.getNode(i).getLocation()
-    )
-  }
 }
 
 /**
@@ -283,26 +264,16 @@ abstract class SsaPseudoDefinition extends SsaImplicitDefinition {
  * in the flow graph where otherwise two or more definitions for the variable
  * would be visible.
  */
-class SsaPhiNode extends SsaPseudoDefinition, TPhi {
+class SsaPhiNode extends SsaPseudoDefinition instanceof ZZZPhiNode {
   override SsaVariable getAnInput() {
     result = getDefReachingEndOf(this.getBasicBlock().getAPredecessor(), this.getSourceVariable())
   }
 
-  override predicate definesAt(SsaSourceVariable v, ReachableBasicBlock bb, int i) {
-    bb = this.getBasicBlock() and v = this.getSourceVariable() and i = -1
-  }
-
-  override ReachableBasicBlock getBasicBlock() { this = TPhi(result, _) }
-
-  override SsaSourceVariable getSourceVariable() { this = TPhi(_, result) }
-
   override string getKind() { result = "phi" }
 
   override string prettyPrintDef() {
     result = this.getSourceVariable() + " = phi(" + this.ppInputs() + ")"
   }
-
-  override Location getLocation() { result = this.getBasicBlock().getLocation() }
 }
 
 /**

go/ql/lib/semmle/go/dataflow/SsaImpl.qll

@@ -21,61 +21,6 @@ private module Internal {
     bb.getNode(i).(IR::Instruction).reads(v)
   }
 
-  /**
-   * A data type representing SSA definitions.
-   *
-   * We distinguish three kinds of SSA definitions:
-   *
-   *   1. Variable definitions, including declarations, assignments and increments/decrements.
-   *   2. Pseudo-definitions for captured variables at the beginning of the capturing function
-   *      as well as after calls.
-   *   3. Phi nodes.
-   *
-   * SSA definitions are only introduced where necessary. In particular,
-   * unreachable code has no SSA definitions associated with it, and neither
-   * have dead assignments (that is, assignments whose value is never read).
-   */
-  cached
-  newtype TSsaDefinition =
-    /**
-     * An SSA definition that corresponds to an explicit assignment or other variable definition.
-     */
-    TExplicitDef(ReachableBasicBlock bb, int i, SsaSourceVariable v) {
-      defAt(bb, i, v) and
-      (liveAfterDef(bb, i, v) or v.isCaptured())
-    } or
-    /**
-     * An SSA definition representing the capturing of an SSA-convertible variable
-     * in the closure of a nested function.
-     *
-     * Capturing definitions appear at the beginning of such functions, as well as
-     * at any function call that may affect the value of the variable.
-     */
-    TCapture(ReachableBasicBlock bb, int i, SsaSourceVariable v) {
-      mayCapture(bb, i, v) and
-      liveAfterDef(bb, i, v)
-    } or
-    /**
-     * An SSA phi node, that is, a pseudo-definition for a variable at a point
-     * in the flow graph where otherwise two or more definitions for the variable
-     * would be visible.
-     */
-    TPhi(ReachableJoinBlock bb, SsaSourceVariable v) {
-      liveAtEntry(bb, v) and
-      inDefDominanceFrontier(bb, v)
-    }
-
-  /**
-   * Holds if `bb` is in the dominance frontier of a block containing a definition of `v`.
-   */
-  pragma[noinline]
-  private predicate inDefDominanceFrontier(ReachableJoinBlock bb, SsaSourceVariable v) {
-    exists(ReachableBasicBlock defbb, SsaDefinition def |
-      def.definesAt(v, defbb, _) and
-      bb.inDominanceFrontierOf(defbb)
-    )
-  }
-
   /**
    * Holds if `v` is a captured variable which is declared in `declFun` and read in `useFun`.
    */
@@ -104,7 +49,8 @@ private module Internal {
    * modeling updates to captured variable `v`. Whether the definition is actually
    * introduced depends on whether `v` is live at this point in the program.
    */
-  private predicate mayCapture(ReachableBasicBlock bb, int i, SsaSourceVariable v) {
+  cached
+  predicate mayCapture(ReachableBasicBlock bb, int i, SsaSourceVariable v) {
     exists(FuncDef capturingContainer, FuncDef declContainer |
       // capture initial value of variable declared in enclosing scope
       readsCapturedVar(capturingContainer, v, declContainer) and
@@ -143,31 +89,6 @@ private module Internal {
     ref(bb, i, v, tp)
   }
 
-  /**
-   * Gets the maximum rank among all references to `v` in basic block `bb`.
-   */
-  private int maxRefRank(ReachableBasicBlock bb, SsaSourceVariable v) {
-    result = max(refRank(bb, _, v, _))
-  }
-
-  /**
-   * Holds if variable `v` is live after the `i`th node of basic block `bb`, where
-   * `i` is the index of a node that may assign or capture `v`.
-   *
-   * For the purposes of this predicate, function calls are considered as writes of captured variables.
-   */
-  private predicate liveAfterDef(ReachableBasicBlock bb, int i, SsaSourceVariable v) {
-    exists(int r | r = refRank(bb, i, v, WriteRef()) |
-      // the next reference to `v` inside `bb` is a read
-      r + 1 = refRank(bb, _, v, ReadRef())
-      or
-      // this is the last reference to `v` inside `bb`, but `v` is live at entry
-      // to a successor basic block of `bb`
-      r = maxRefRank(bb, v) and
-      liveAtSuccEntry(bb, v)
-    )
-  }
-
   /**
    * Holds if variable `v` is live at the beginning of basic block `bb`.
    *
@@ -486,6 +407,8 @@ private module Internal {
     predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
       defAt(bb, i, v) and
       certain = true
+      or
+      mayCapture(bb, i, v) and certain = true
     }
 
     /**
@@ -496,19 +419,21 @@ private module Internal {
     predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
       useAt(bb, i, v) and certain = true
       or
-      mayCapture(bb, i, v) and certain = false
+      mayCapture(bb, i, v) and certain = true
     }
   }
 
   import SsaImplCommon::Make<Location, SsaInput> as Impl
 
-  final class SsaInputDefinition = Impl::Definition;
+  final class ZZZDefinition = Impl::Definition;
 
-  final class SsaInputWriteDefinition = Impl::WriteDefinition;
+  final class ZZZWriteDefinition = Impl::WriteDefinition;
 
-  final class SsaInputUncertainWriteDefinition = Impl::UncertainWriteDefinition;
+  final class ZZZUncertainWriteDefinition = Impl::UncertainWriteDefinition;
 
-  final class SsaInputPhiNode = Impl::PhiNode;
+  final class ZZZPhiNode = Impl::PhiNode;
 }
 
 import Internal
+
+predicate captures = Internal::mayCapture/3;