Module IR

Provides classes that describe the Intermediate Representation (IR) of the program.

The IR is a representation of the semantics of the program, with very little dependence on the syntax that was used to write the program. For example, in C++, the statements i += 1;, i++, and ++i all have the same semantic effect, but appear in the AST as three different types of Expr node. In the IR, all three statements are broken down into a sequence of fundamental operations similar to:

r1(int*) = VariableAddress[i]  // Compute the address of variable `i`
r2(int) = Load &:r1, m0  // Load the value of `i`
r3(int) = Constant[1]  // An integer constant with the value `1`
r4(int) = Add r2, r3  // Add `1` to the value of `i`
r5(int) = Store &r1, r4  // Store the new value back into the variable `i`

This allows IR-based analysis to focus on the fundamental operations, rather than having to be concerned with the various ways of expressing those operations in source code.

The key classes in the IR are:

IRFunction - Contains the IR for an entire function definition, including all of that function’s Instructions, IRBlocks, and IRVariables.
Instruction - A single operation in the IR. An instruction specifies the operation to be performed, the operands that produce the inputs to that operation, and the type of the result of the operation. Control flows from an Instruction to one of a set of successor Instructions.
Operand - An input value of an Instruction. All inputs of an Instruction are explicitly represented as Operands, even if the input was implicit in the source code. An Operand has a link to the Instruction that consumes its value (its “use”) and a link to the Instruction that produces its value (its “definition”).
IRVariable - A variable accessed by the IR for a particular function. An IRVariable is created for each variable directly accessed by the function. In addition, IRVariables are created to represent certain temporary storage locations that do not have explicitly declared variables in the source code, such as the return value of the function.
IRBlock - A “basic block” in the control flow graph of a function. An IRBlock contains a sequence of instructions such that control flow can only enter the block at the first instruction, and can only leave the block from the last instruction.
IRType - The type of a value accessed in the IR. Unlike the Type class in the AST, IRType is language-neutral. For example, in C++, unsigned int, char32_t, and wchar_t might all be represented as the IRType uint4, a four-byte unsigned integer.

Import path

import semmle.code.cpp.ir.IR

Classes

AddInstruction	An instruction that computes the sum of two numeric operands.
AddressOperand	The address operand of an instruction that loads or stores a value from memory (e.g. `Load`, `Store`).
AliasedDefinitionInstruction	An instruction that initializes all escaped memory.
AliasedUseInstruction	An instruction that consumes all escaped memory on exit from the function.
ArgumentOperand	An operand representing an argument to a function call. This includes both positional arguments (represented by `PositionalArgumentOperand`) and the implicit `this` argument, if any (represented by `ThisArgumentOperand`).
ArithmeticInstruction	An instruction that computes the result of an arithmetic operation.
ArithmeticOpcode	The `Opcode` for an `ArithmeticInstruction`.
BinaryArithmeticInstruction	An instruction that performs an arithmetic operation on two numeric operands.
BinaryArithmeticOpcode	The `Opcode` for a `BinaryArithmeticInstruction`.
BinaryBitwiseInstruction	An instruction that performs a bitwise operation on two integer operands.
BinaryBitwiseOpcode	The `Opcode` for a `BinaryBitwiseInstruction`.
BinaryInstruction	An instruction whose result is computed from two operands.
BinaryOpcode	The `Opcode` for a `BinaryInstruction`.
BitAndInstruction	An instruction that computes the bitwise “and” of two integer operands.
BitComplementInstruction	An instruction that computes the bitwise complement of its operand.
BitOrInstruction	An instruction that computes the bitwise “or” of two integer operands.
BitXorInstruction	An instruction that computes the bitwise “xor” of two integer operands.
BitwiseInstruction	An instruction that computes the result of a bitwise operation.
BitwiseOpcode	The `Opcode` for a `BitwiseInstruction`.
BufferAccessOpcode	An opcode that accesses a memory buffer.
BufferMayWriteSideEffectInstruction	An instruction representing the write of an indirect buffer parameter within a function call.
BufferMemoryAccess	The operand or result accesses memory starting at the address specified by the `AddressOperand` on the same instruction, accessing a number of consecutive elements given by the `BufferSizeOperand`.
BufferMustWriteSideEffectInstruction	An instruction representing the write of an indirect buffer parameter within a function call. The entire buffer is overwritten.
BufferReadSideEffectInstruction	An instruction representing the read of an indirect buffer parameter within a function call.
BufferSizeOperand	The buffer size operand of an instruction that represents a read or write of a buffer.
BuiltInInstruction	An instruction representing a built-in operation that does not have a specific opcode. The actual operation is specified by the `getBuiltInOperation()` predicate.
BuiltInOperationInstruction	An instruction representing a built-in operation.
BuiltInOperationOpcode	The `Opcode` for a `BuiltInOperationInstruction`.
CallInstruction	An instruction that calls a function.
CallReadSideEffectInstruction	An instruction representing the side effect of a function call on any memory that might be read by that call.
CallSideEffectInstruction	An instruction representing the side effect of a function call on any memory that might be accessed by that call.
CallTargetOperand	The operand representing the target function of an `Call` instruction.
CaseEdge	A “case” edge, representing the successor of a `Switch` instruction when the the condition value matches a corresponding `case` label.
CatchAnyInstruction	An instruction that catches any exception.
CatchByTypeInstruction	An instruction that catches an exception of a specific type.
CatchInstruction	An instruction that starts a `catch` handler.
CatchOpcode	The `Opcode` for a `CatchInstruction`.
CheckedConvertOrNullInstruction	An instruction that converts the address of a polymorphic object to the address of a different subobject of the same polymorphic object, returning a null address if the dynamic type of the object is not compatible with the result type.
CheckedConvertOrThrowInstruction	An instruction that converts the address of a polymorphic object to the address of a different subobject of the same polymorphic object, throwing an exception if the dynamic type of the object is not compatible with the result type.
ChiInstruction	An instruction representing the effect that a write to a memory may have on potential aliases of that memory.
ChiPartialMemoryAccess	The operand is a ChiPartial operand, which accesses the same memory as its definition.
ChiPartialOperand	The partial operand of a Chi node, representing the value being written to part of the memory.
ChiTotalMemoryAccess	The operand is a ChiTotal operand, which accesses the same memory as its definition.
ChiTotalOperand	The total operand of a Chi node, representing the previous value of the memory.
CompareEQInstruction	An instruction that returns a `true` result if its operands are equal.
CompareGEInstruction	An instruction that returns a `true` result if its left operand is greater than or equal to its right operand.
CompareGTInstruction	An instruction that returns a `true` result if its left operand is greater than its right operand.
CompareInstruction	An instruction that compares two numeric operands.
CompareLEInstruction	An instruction that returns a `true` result if its left operand is less than or equal to its right operand.
CompareLTInstruction	An instruction that returns a `true` result if its left operand is less than its right operand.
CompareNEInstruction	An instruction that returns a `true` result if its operands are not equal.
CompareOpcode	The `Opcode` for a `CompareInstruction`.
CompleteObjectAddressInstruction	An instruction that returns the address of the complete object that contains the subobject pointed to by its operand.
ConditionOperand	The condition operand of a `ConditionalBranch` or `Switch` instruction.
ConditionalBranchInstruction	An instruction that branches to one of two successor instructions based on the value of a Boolean operand.
ConstantInstruction	An instruction whose result is a constant value.
ConstantValueInstruction	An instruction whose result is a compile-time constant value.
ConvertInstruction	An instruction that converts the value of its operand to a value of a different type.
ConvertToBaseInstruction	An instruction that converts from the address of a derived class to the address of a base class.
ConvertToBaseOpcode	The `Opcode` for a `ConvertToBaseInstruction`.
ConvertToDerivedInstruction	An instruction that converts from the address of a base class to the address of a direct non-virtual derived class.
ConvertToNonVirtualBaseInstruction	An instruction that converts from the address of a derived class to the address of a direct non-virtual base class.
ConvertToVirtualBaseInstruction	An instruction that converts from the address of a derived class to the address of a virtual base class.
CopyInstruction	An instruction that returns a copy of its operand.
CopyOpcode	The `Opcode` for a `CopyInstruction`.
CopyValueInstruction	An instruction that returns a register result containing a copy of its register operand.
DefaultEdge	A “default” edge, representing the successor of a `Switch` instruction when none of the case values matches the condition value.
DivInstruction	An instruction that computes the quotient of two numeric operands.
EdgeKind	Represents the kind of an edge in the IR control flow graph. Each `Instruction` or `IRBlock` has at most one successor of any single `EdgeKind`.
ElementsAddressInstruction	An instruction that computes the address of the first element of a managed array.
EnterFunctionInstruction	An instruction representing the entry point to a function.
EntireAllocationAccessOpcode	An opcode that access an entire memory allocation.
EntireAllocationMemoryAccess	The operand or results accesses all memory in the contiguous allocation that contains the address specified by the `AddressOperand` on the same instruction.
EntireAllocationReadOpcode	An opcode that reads from an entire memory allocation.
EntireAllocationWriteOpcode	An opcode that write to an entire memory allocation.
ErrorInstruction	An instruction that produces a well-defined but unknown result and has unknown side effects, including side effects that are not conservatively modeled in the SSA graph.
EscapedMemoryAccess	The operand or result accesses all memory whose address has escaped.
EscapedReadOpcode	An opcode that might read from any escaped memory location.
EscapedWriteOpcode	An opcode that might write to any escaped memory location.
ExceptionEdge	An “exception” edge, representing the successor of an instruction when that instruction’s evaluation throws an exception.
ExitFunctionInstruction	An instruction representing the exit point of a function.
FalseEdge	A “false” edge, representing the successor of a conditional branch when the condition is zero.
FieldAddressInstruction	An instruction that computes the address of a non-static field of an object.
FieldInstruction	An instruction that refers to a field of a class, struct, or union.
FloatConstantInstruction	An instruction whose result is a constant value of floating-point type.
FunctionAddressInstruction	An instruction that returns the address of a function.
FunctionInstruction	An instruction that refers to a function.
GotoEdge	A “goto” edge, representing the unconditional successor of an `Instruction` or `IRBlock`.
IRAddressType	An address type, representing the memory address of data. Used to represent pointers, references, and lvalues, include those that are garbage collected.
IRAutomaticUserVariable	A user-declared variable that is allocated on the stack. This includes all parameters and non-static local variables.
IRAutomaticVariable	A variable (user-declared or temporary) that is allocated on the stack. This includes all parameters, non-static local variables, and temporary variables.
IRBlock	A basic block with additional information about its predecessor and successor edges. Each edge corresponds to the control flow between the last instruction of one block and the first instruction of another block.
IRBlockBase	A basic block in the IR. A basic block consists of a sequence of `Instructions` with the only incoming edges at the beginning of the sequence and the only outgoing edges at the end of the sequence.
IRBooleanType	A Boolean type, which can hold the values `true` (non-zero) or `false` (zero).
IRDynamicInitializationFlag	A variable generated to track whether a specific non-stack variable has been initialized. This is used to model the runtime initialization of static local variables in C++, as well as static fields in C#.
IREllipsisVariable	A temporary variable generated to hold the contents of all arguments passed to the `...` of a function that accepts a variable number of arguments.
IRErrorType	An error type. Used when an error in the source code prevents the extractor from determining the proper type.
IRFloatingPointType	A floating-point type.
IRFunction	The IR for a function.
IRFunctionAddressType	An address type, representing the memory address of code. Used to represent function pointers, function references, and the target of a direct function call.
IRFunctionBase	The IR for a function. This base class contains only the predicates that are the same between all phases of the IR. Each instantiation of `IRFunction` extends this class.
IRGeneratedVariable	A variable that is not user-declared. This includes temporary variables generated as part of IR construction, as well as string literals.
IRIntegerType	An integer type. This includes `IRSignedIntegerType` and `IRUnsignedIntegerType`.
IRNumericType	A numeric type. This includes `IRSignedIntegerType`, `IRUnsignedIntegerType`, and `IRFloatingPointType`.
IROpaqueType	A type with known size that does not fit any of the other kinds of type. Used to represent classes, structs, unions, fixed-size arrays, pointers-to-member, and more.
IRParameter	An IR variable which acts like a function parameter, including positional parameters and the temporary variables generated for `this` and ellipsis parameters.
IRPositionalParameter	An IR variable representing a positional parameter.
IRPropertyProvider	A class that provides additional properties to be dumped for IR instructions and blocks when using the PrintIR module. Libraries that compute additional facts about IR elements can extend the single instance of this class to specify the additional properties computed by the library.
IRReturnVariable	A temporary variable generated to hold the return value of a function.
IRSignedIntegerType	A signed two’s-complement integer. Also used to represent enums whose underlying type is a signed integer, as well as character types whose representation is signed.
IRStaticUserVariable	A user-declared variable that is not allocated on the stack. This includes all global variables, namespace-scope variables, static fields, and static local variables.
IRStringLiteral	A variable generated to represent the contents of a string literal. This variable acts much like a read-only global variable.
IRTempVariable	A temporary variable introduced by IR construction. The most common examples are the variable generated to hold the return value of a function, or the variable generated to hold the result of a condition operator (`a ? b : c`).
IRThisVariable	A temporary variable generated to hold the `this` pointer.
IRThrowVariable	A temporary variable generated to hold the exception thrown by a `ThrowValue` instruction.
IRType	The language-neutral type of an IR `Instruction`, `Operand`, or `IRVariable`. The interface to `IRType` and its subclasses is the same across all languages for which the IR is supported, so analyses that expect to be used for multiple languages should generally use `IRType` rather than a language-specific type.
IRUnknownType	An unknown type. Generally used to represent results and operands that access an unknown set of memory locations, such as the side effects of a function call.
IRUnsignedIntegerType	An unsigned two’s-complement integer. Also used to represent enums whose underlying type is an unsigned integer, as well as character types whose representation is unsigned.
IRUserVariable	A user-declared variable referenced by the IR for a function.
IRVariable	A variable referenced by the IR for a function.
IRVoidType	A void type, which has no values. Used to represent the result type of an instruction that does not produce a result.
IndexedInstruction	An instruction that refers to an argument of a `Call` instruction.
IndirectMayWriteSideEffectInstruction	An instruction representing the potential write of an indirect parameter within a function call.
IndirectMemoryAccess	The operand or result accesses memory at the address specified by the `AddressOperand` on the same instruction.
IndirectMemoryAccessOpcode	An opcode that accesses a single memory location via an `AddressOperand`.
IndirectMustWriteSideEffectInstruction	An instruction representing the write of an indirect parameter within a function call.
IndirectReadOpcode	An opcode that reads from a single memory location via an `AddressOperand`.
IndirectReadSideEffectInstruction	An instruction representing the read of an indirect parameter within a function call.
IndirectWriteOpcode	An opcode that writes to a single memory location via an `AddressOperand`.
InheritanceConversionInstruction	An instruction that converts the address of an object to the address of a different subobject of the same object, without any type checking at runtime.
InitializeDynamicAllocationInstruction	An instruction representing the initial value of newly allocated memory, such as the result of a call to `malloc`.
InitializeIndirectionInstruction	An instruction that initializes the memory pointed to by a parameter of the enclosing function with the value of that memory on entry to the function.
InitializeNonLocalInstruction	An instruction that initializes all memory that existed before this function was called.
InitializeParameterInstruction	An instruction that initializes a parameter of the enclosing function with the value of the corresponding argument passed by the caller.
InitializeThisInstruction	An instruction that initializes the `this` pointer parameter of the enclosing function.
InlineAsmInstruction	An instruction representing a GNU or MSVC inline assembly statement.
Instruction	A single instruction in the IR.
IntegerConstantInstruction	An instruction whose result is a constant value of integer or Boolean type.
LeftOperand	The left operand of a binary instruction (e.g. `Add`, `CompareEQ`).
LoadInstruction	An instruction that returns a register result containing a copy of its memory operand.
LoadOperand	The source value operand of an instruction that loads a value from memory (e.g. `Load`, `ReturnValue`, `ThrowValue`).
LogicalNotInstruction	An instruction that computes the logical complement of its operand.
MayReadOpcode	An opcode whose read memory access is a `may` read, as opposed to a `must` read.
MayWriteOpcode	An opcode whose write memory access is a `may` write, as opposed to a `must` write.
MemoryAccessKind	Describes the set of memory locations memory accessed by a memory operand or memory result.
MemoryOperand	An operand that consumes a memory result (e.g. the `LoadOperand` on a `Load` instruction).
MulInstruction	An instruction that computes the product of two numeric operands.
NegateInstruction	An instruction that negates a single numeric operand.
NewObjInstruction	An instruction that allocates a new object on the managed heap.
NextVarArgInstruction	An instruction that modifies a `va_list` to point to the next argument that was passed to the `...` parameter.
NoOpInstruction	An instruction that has no effect.
NonLocalMemoryAccess	The operand or result access all memory whose address has escaped, other than data on the stack frame of the current function.
NonPhiMemoryOperand	A memory operand other than the operand of a `Phi` instruction.
NonPhiOperand	An operand that is not an operand of a `PhiInstruction`.
Opcode	An opcode that specifies the operation performed by an `Instruction`.
OpcodeWithLoad	An opcode that reads a value from memory.
Operand	An operand of an `Instruction`. The operand represents a use of the result of one instruction (the defining instruction) in another instruction (the use instruction)
PhiInputOperand	An operand of a `PhiInstruction`.
PhiInstruction	An instruction representing the choice of one of multiple input values based on control flow.
PhiMemoryAccess	The operand is a Phi operand, which accesses the same memory as its definition.
PointerAddInstruction	An instruction that adds an integer offset to a pointer.
PointerArithmeticInstruction	An instruction that performs a binary arithmetic operation involving at least one pointer operand.
PointerArithmeticOpcode	The `Opcode` for a `PointerArithmeticInstruction`.
PointerDiffInstruction	An instruction that computes the difference between two pointers.
PointerOffsetInstruction	An instruction that adds or subtracts an integer offset from a pointer.
PointerOffsetOpcode	The `Opcode` for a `PointerOffsetInstruction`.
PointerSubInstruction	An instruction that subtracts an integer offset from a pointer.
PositionalArgumentOperand	An operand representing an argument to a function call.
ReThrowInstruction	An instruction that re-throws the current exception.
ReadSideEffectInstruction	An instruction representing a read side effect of a function call on a specific parameter.
ReadSideEffectOpcode	The `Opcode` for a `ReadSideEffectInstruction`.
RegisterOperand	An operand that consumes a register (non-memory) result.
RelationalInstruction	An instruction that does a relative comparison of two values, such as `<` or `>=`.
RelationalOpcode	The `Opcode` for a `RelationalInstruction`.
RemInstruction	An instruction that computes the remainder of two integer operands.
ReturnIndirectionInstruction	An instruction that represents the use of the value pointed to by a parameter of the function after the function returns control to its caller.
ReturnInstruction	An instruction that returns control to the caller of the function.
ReturnOpcode	The `Opcode` for a `ReturnInstruction`.
ReturnValueInstruction	An instruction that returns control to the caller of the function, including a return value.
ReturnVoidInstruction	An instruction that returns control to the caller of the function, without returning a value.
RightOperand	The right operand of a binary instruction (e.g. `Add`, `CompareEQ`).
ShiftLeftInstruction	An instruction that shifts its left operand to the left by the number of bits specified by its right operand.
ShiftRightInstruction	An instruction that shifts its left operand to the right by the number of bits specified by its right operand.
SideEffectInstruction	An instruction representing a side effect of a function call.
SideEffectOpcode	The `Opcode` for a `SideEffectInstruction`.
SideEffectOperand	An operand representing memory read as a side effect of evaluating another instruction.
SizedBufferAccessOpcode	An opcode that accesses a memory buffer whose size is determined by a `BufferSizeOperand`.
SizedBufferMayWriteSideEffectInstruction	An instruction representing the write of an indirect buffer parameter within a function call.
SizedBufferMustWriteSideEffectInstruction	An instruction representing the write of an indirect buffer parameter within a function call. The entire buffer is overwritten.
SizedBufferReadOpcode	An opcode that reads from a memory buffer whose size is determined by a `BufferSizeOperand`.
SizedBufferReadSideEffectInstruction	An instruction representing the read of an indirect buffer parameter within a function call.
SizedBufferWriteOpcode	An opcode that writes to a memory buffer whose size is determined by a `BufferSizeOperand`.
StoreInstruction	An instruction that returns a memory result containing a copy of its register operand.
StoreValueOperand	The source value operand of a `Store` instruction.
StringConstantInstruction	An instruction whose result is the address of a string literal.
SubInstruction	An instruction that computes the difference of two numeric operands.
SwitchInstruction	An instruction that branches to one of multiple successor instructions based on the value of an integer operand.
TempVariableTag	A reason that a particular IR temporary variable was generated. For example, it could be generated to hold the return value of a function, or to hold the result of a `?:` operator computed on each branch. The set of possible `TempVariableTag`s is language-dependent.
ThisArgumentOperand	An operand representing the implicit `this` argument to a member function call.
ThrowInstruction	An instruction that throws an exception.
ThrowOpcode	The `Opcode` for a `ThrowInstruction`.
ThrowValueInstruction	An instruction that throws a new exception.
TrueEdge	A “true” edge, representing the successor of a conditional branch when the condition is non-zero.
TypedOperand	A memory operand whose type may be different from the type of the result of its definition.
UnaryArithmeticInstruction	An instruction whose result is computed by performing an arithmetic operation on a single numeric operand.
UnaryArithmeticOpcode	The `Opcode` for a `UnaryArithmeticInstruction`.
UnaryBitwiseInstruction	An instruction that performs a bitwise operation on a single integer operand.
UnaryBitwiseOpcode	The `Opcode` for a `UnaryBitwiseInstruction`.
UnaryInstruction	An instruction whose result is computed from a single operand.
UnaryOpcode	The `Opcode` for a `UnaryInstruction`.
UnaryOperand	The sole operand of a unary instruction (e.g. `Convert`, `Negate`, `Copy`).
UninitializedInstruction	An instruction that returns an uninitialized value.
UnreachedInstruction	An instruction representing unreachable code.
UnsignedShiftRightInstruction	An instruction that shifts its left operand to the right by the number of bits specified by its right operand.
UnsizedBufferAccessOpcode	An opcode that accesses a memory buffer of unknown size.
UnsizedBufferReadOpcode	An opcode that reads from a memory buffer of unknown size.
UnsizedBufferWriteOpcode	An opcode that writes to a memory buffer of unknown size.
UnwindInstruction	An instruction that exits the current function by propagating an exception.
VarArgInstruction	An instruction that returns the address of the argument currently pointed to by a `va_list`.
VarArgsEndInstruction	An instruction that cleans up a `va_list` after it is no longer in use.
VarArgsStartInstruction	An instruction that returns a `va_list` to access the arguments passed to the `...` parameter.
VariableAddressInstruction	An instruction that returns the address of a variable.
VariableInstruction	An instruction that refers to a variable.
VirtualDeleteFunctionAddressInstruction	An instruction that returns the address of a “virtual” delete function.
WriteSideEffectInstruction	An instruction representing a write side effect of a function call on a specific parameter.
WriteSideEffectOpcode	The `Opcode` for a `WriteSideEffectInstruction`.

Modules

EdgeKind	Predicates to access the single instance of each `EdgeKind` class.
IRTypeConsistency	INTERNAL: Do not use. Query predicates used to check invariants that should hold for all `IRType` objects. To run all consistency queries for the IR, including the ones below, run “semmle/code/cpp/IR/IRConsistency.ql”.
Opcode	Provides `Opcode`s that specify the operation performed by an `Instruction`.