Extract and expose CIL method access flags

gfs · gfs · commit 13f79e6eec09 · 2026-01-05T17:54:25.000-08:00
Adds extraction of ECMA-335 MethodAttributes flags for CIL methods and stores them in a new 'cil_method_access_flags' table. Updates QL libraries to expose these flags and predicates for common access modifiers (public, private, protected, internal, static, final, virtual, abstract). Also updates TranslatedCilMethod to use the new isPublic predicate.
diff --git a/binary/extractor/cil/Semmle.Extraction.CSharp.IL/ILExtractor.cs b/binary/extractor/cil/Semmle.Extraction.CSharp.IL/ILExtractor.cs
@@ -108,6 +108,9 @@ private void ExtractMethod(MethodDefinition method, int typeId) {
     var signature = GetMethodSignature(method);
     trap.WriteTuple("methods", methodId, method.Name, signature, typeId);
 
+    // Write access flags
+    trap.WriteTuple("cil_method_access_flags", methodId, (int)method.Attributes);
+
     if (method.HasBody) {
       ExtractMethodBody(method, methodId);
     }
diff --git a/binary/extractor/jvm/semmlecode.binary.dbscheme b/binary/extractor/jvm/semmlecode.binary.dbscheme
@@ -2141,6 +2141,29 @@ methods(
   int type_id: @type ref
 );
 
+/**
+ * CIL method access flags.
+ * Stores the method attributes as a bitmask.
+ * See ECMA-335 §II.23.1.10 for flag definitions:
+ *   0x0001 = MemberAccessMask (use with mask)
+ *   0x0006 = Public
+ *   0x0001 = Private
+ *   0x0003 = Family (protected)
+ *   0x0005 = FamORAssem (protected internal)
+ *   0x0010 = Static
+ *   0x0020 = Final (sealed)
+ *   0x0040 = Virtual
+ *   0x0080 = HideBySig
+ *   0x0100 = VtableLayoutMask (use with mask)
+ *   0x0400 = Abstract
+ *   0x0800 = SpecialName
+ *   0x2000 = PInvokeImpl
+ */
+cil_method_access_flags(
+  unique int method: @method ref,
+  int flags: int ref
+);
+
 fields(
   unique int id: @field,
   string name: string ref,
diff --git a/binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll b/binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll
@@ -71,6 +71,57 @@ class CilMethod extends @method {
     this.getSignature().matches("Void%") // TODO: Don't use string parsing here
   }
 
+  /** Gets the raw ECMA-335 MethodAttributes flags for this method. */
+  int getAccessFlags() { cil_method_access_flags(this, result) }
+
+  /** Holds if this method is public. */
+  predicate isPublic() {
+    // MemberAccessMask is 0x0007, Public is 0x0006
+    this.getAccessFlags().bitAnd(7) = 6
+  }
+
+  /** Holds if this method is private. */
+  predicate isPrivate() {
+    // Private is 0x0001
+    this.getAccessFlags().bitAnd(7) = 1
+  }
+
+  /** Holds if this method is protected (family). */
+  predicate isProtected() {
+    // Family is 0x0004
+    this.getAccessFlags().bitAnd(7) = 4
+  }
+
+  /** Holds if this method is internal (assembly). */
+  predicate isInternal() {
+    // Assembly is 0x0003
+    this.getAccessFlags().bitAnd(7) = 3
+  }
+
+  /** Holds if this method is static. */
+  predicate isStatic() {
+    // Static is 0x0010
+    this.getAccessFlags().bitAnd(16) != 0
+  }
+
+  /** Holds if this method is final (sealed). */
+  predicate isFinal() {
+    // Final is 0x0020
+    this.getAccessFlags().bitAnd(32) != 0
+  }
+
+  /** Holds if this method is virtual. */
+  predicate isVirtual() {
+    // Virtual is 0x0040
+    this.getAccessFlags().bitAnd(64) != 0
+  }
+
+  /** Holds if this method is abstract. */
+  predicate isAbstract() {
+    // Abstract is 0x0400
+    this.getAccessFlags().bitAnd(1024) != 0
+  }
+
   CilInstruction getAnInstruction() { il_instruction_method(result, this) }
 
   CilInstruction getInstruction(int i) { il_instruction_parent(result, i, this) }
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedFunction.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedFunction.qll
@@ -217,7 +217,7 @@ class TranslatedCilMethod extends TranslatedFunction, TTranslatedCilMethod {
 
   override predicate isProgramEntryPoint() { none() }
 
-  override predicate isPublic() { any() } // TODO: We need to extract this
+  override predicate isPublic() { method.isPublic() }
 
   override Instruction getBodyEntry() {
     result = this.getParameter(0).getEntry()
diff --git a/binary/ql/lib/semmlecode.binary.dbscheme b/binary/ql/lib/semmlecode.binary.dbscheme
@@ -2141,6 +2141,29 @@ methods(
   int type_id: @type ref
 );
 
+/**
+ * CIL method access flags.
+ * Stores the method attributes as a bitmask.
+ * See ECMA-335 §II.23.1.10 for flag definitions:
+ *   0x0001 = MemberAccessMask (use with mask)
+ *   0x0006 = Public
+ *   0x0001 = Private
+ *   0x0003 = Family (protected)
+ *   0x0005 = FamORAssem (protected internal)
+ *   0x0010 = Static
+ *   0x0020 = Final (sealed)
+ *   0x0040 = Virtual
+ *   0x0080 = HideBySig
+ *   0x0100 = VtableLayoutMask (use with mask)
+ *   0x0400 = Abstract
+ *   0x0800 = SpecialName
+ *   0x2000 = PInvokeImpl
+ */
+cil_method_access_flags(
+  unique int method: @method ref,
+  int flags: int ref
+);
+
 fields(
   unique int id: @field,
   string name: string ref,

Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,9 @@ private void ExtractMethod(MethodDefinition method, int typeId) {`
`108`	`108`	`var signature = GetMethodSignature(method);`
`109`	`109`	`trap.WriteTuple("methods", methodId, method.Name, signature, typeId);`
`110`	`110`
	`111`	`+ // Write access flags`
	`112`	`+ trap.WriteTuple("cil_method_access_flags", methodId, (int)method.Attributes);`
	`113`	`+`
`111`	`114`	`if (method.HasBody) {`
`112`	`115`	`ExtractMethodBody(method, methodId);`
`113`	`116`	`}`