Binary: Translate 'CilStfld' to IR.

MathiasVP · MathiasVP · commit 03a907e88a26 · 2025-12-16T17:40:21.000Z
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/InstructionTag.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/InstructionTag.qll
@@ -56,7 +56,9 @@ newtype TInstructionTag =
   CilStindStoreTag() or
   CilNewObjInitTag() or
   CilNewObjCallTag() or
-  CilNewObjExternalRefTag()
+  CilNewObjExternalRefTag() or
+  CilStoreFieldAddressTag() or
+  CilStoreFieldStoreTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() {
@@ -208,6 +210,12 @@ class InstructionTag extends TInstructionTag {
     or
     this = CilNewObjExternalRefTag() and
     result = "CilNewObjExternalRef"
+    or
+    this = CilStoreFieldAddressTag() and
+    result = "CilStoreFieldAddress"
+    or
+    this = CilStoreFieldStoreTag() and
+    result = "CilStoreFieldStore"
   }
 }
 
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll
@@ -32,7 +32,8 @@ newtype TTempVariableTag =
   CilLdindVarTag() or
   CilNewObjInitVarTag() or
   CilNewObjCallExternalVarTag() or
-  CilDupVarTag()
+  CilDupVarTag() or
+  CilStoreFieldAddressVarTag()
 
 class TempVariableTag extends TTempVariableTag {
   string toString() {
@@ -137,5 +138,8 @@ class TempVariableTag extends TTempVariableTag {
     or
     this = CilDupVarTag() and
     result = "dup"
+    or
+    this = CilStoreFieldAddressVarTag() and
+    result = "stfldaddr"
   }
 }
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll
@@ -134,7 +134,8 @@ newtype TTranslatedElement =
   } or
   TTranslatedCilType(Raw::CilType type) { shouldTranslatedCilType(type) } or
   TTranslatedNewObject(Raw::CilNewobj newObj) { shouldTranslateCilInstr(newObj) } or
-  TTranslatedDup(Raw::CilDup dup) { shouldTranslateCilInstr(dup) }
+  TTranslatedDup(Raw::CilDup dup) { shouldTranslateCilInstr(dup) } or
+  TTranslatedCilStoreField(Raw::CilStfld store) { shouldTranslateCilInstr(store) }
 
 TranslatedElement getTranslatedElement(Raw::Element raw) {
   result.getRawElement() = raw and
@@ -219,6 +220,13 @@ abstract class TranslatedElement extends TTranslatedElement {
    */
   string getExternalName(InstructionTag tag) { none() }
 
+  /**
+   * Gets the name of the field referenced by an instruction with the given tag. This `tag` must refer to
+   * a `FieldAddress` instruction (that is, an instruction for which
+   * `hasInstruction(Opcode::FieldAddress, tag, _)` holds.)
+   */
+  string getFieldName(InstructionTag tag) { none() }
+
   /**
    * Gets the raw element that this translated element is a translation of.
    *
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedInstruction.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedInstruction.qll
@@ -2548,4 +2548,71 @@ class TranslatedDup extends TranslatedCilInstruction, TTranslatedDup {
     i > 0 and
     result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i - 1)
   }
-}
+}
+
+/**
+ * Translate a CIL stfld instruction to the following sequence:
+ * x = fieldaddress[field] obj
+ * store x value
+ */
+class TranslatedCilStoreField extends TranslatedCilInstruction, TTranslatedCilStoreField {
+  override Raw::CilStfld instr;
+
+  TranslatedCilStoreField() { this = TTranslatedCilStoreField(instr) }
+
+  final override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Option<Variable>::Option v
+  ) {
+    opcode instanceof Opcode::FieldAddress and
+    tag = CilStoreFieldAddressTag() and
+    v.asSome() = this.getTempVariable(CilStoreFieldAddressVarTag())
+    or
+    opcode instanceof Opcode::Store and
+    tag = CilStoreFieldStoreTag() and
+    v.isNone()
+  }
+
+  override predicate hasTempVariable(TempVariableTag tag) { tag = CilStoreFieldAddressVarTag() }
+
+  override predicate producesResult() { any() }
+
+  override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = CilStoreFieldAddressTag() and
+    operandTag instanceof UnaryTag and
+    result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(1)
+    or
+    tag = CilStoreFieldStoreTag() and
+    (
+      operandTag instanceof StoreAddressTag and
+      result = this.getInstruction(CilStoreFieldAddressTag()).getResultVariable()
+      or
+      operandTag instanceof StoreValueTag and
+      result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(0)
+    )
+  }
+
+  final override string getFieldName(InstructionTag tag) {
+    tag = CilStoreFieldAddressTag() and
+    result = instr.getField().getName()
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) { none() }
+
+  override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) {
+    tag = CilStoreFieldAddressTag() and
+    succType instanceof DirectSuccessor and
+    result = this.getInstruction(CilStoreFieldStoreTag())
+    or
+    tag = CilStoreFieldStoreTag() and
+    succType instanceof DirectSuccessor and
+    result = getTranslatedInstruction(instr.getASuccessor()).getEntry()
+  }
+
+  override Instruction getEntry() { result = this.getInstruction(CilStoreFieldAddressTag()) }
+
+  override Variable getResultVariable() { none() }
+
+  final override Variable getStackElement(int i) {
+    result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i + 2)
+  }
+}
