CIL: Support parameters and loading of parameters.

Author: MathiasVP

binary/extractor/cil/Semmle.Extraction.CSharp.IL/ILExtractor.cs

@@ -85,6 +85,12 @@ private void ExtractMethod(MethodDefinition method, int typeId) {
     if (method.HasBody) {
       ExtractMethodBody(method, methodId);
     }
+
+    for(int i = 0; i < method.Parameters.Count; i++) {
+      var param = method.Parameters[i];
+      var paramId = trap.GetId();
+      trap.WriteTuple("il_parameter", paramId, methodId, i, param.Name);
+    }
   }
 
   private void ExtractMethodBody(MethodDefinition method, int methodId) {

binary/ql/lib/semmle/code/binary/ast/instructions.qll

@@ -4,7 +4,7 @@ private import Headers
 private import Sections
 private import codeql.util.Unit
 
-private class TElement = @x86_instruction or @operand or @il_instruction or @method;
+private class TElement = @x86_instruction or @operand or @il_instruction or @method or @il_parameter;
 
 class Element extends TElement {
   final string toString() { none() }

binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll

@@ -5,6 +5,16 @@ class CilVariable instanceof @method {
   string toString() { none() }
 }
 
+class CilParameter instanceof @il_parameter {
+  string toString() { result = this.getName() }
+
+  CilMethod getMethod() { il_parameter(this, result, _, _) }
+
+  int getIndex() { il_parameter(this, _, result, _) }
+
+  string getName() { il_parameter(this, _, _, result) }
+}
+
 class CilMethod extends @method {
   string getName() { methods(this, result, _, _) }
 
@@ -21,6 +31,11 @@ class CilMethod extends @method {
   CilInstruction getInstruction(int i) { il_instruction_parent(result, i, this) }
 
   CilVariable getVariable(int i) { none() } // TODO
+
+  CilParameter getParameter(int i) {
+    result.getMethod() = this and
+    result.getIndex() = i
+  }
 }
 
 pragma[nomagic]
@@ -77,13 +92,21 @@ class CilNop extends @il_nop, CilInstruction { }
 
 class CilBreak extends @il_break, CilInstruction { }
 
-class CilLdarg_0 extends @il_ldarg_0, CilInstruction { }
+class CilLdarg_0 extends @il_ldarg_0, CilLoadArgument {
+  override int getArgumentIndex() { result = 0 }
+}
 
-class CilLdarg_1 extends @il_ldarg_1, CilInstruction { }
+class CilLdarg_1 extends @il_ldarg_1, CilLoadArgument {
+  override int getArgumentIndex() { result = 1 }
+}
 
-class CilLdarg_2 extends @il_ldarg_2, CilInstruction { }
+class CilLdarg_2 extends @il_ldarg_2, CilLoadArgument {
+  override int getArgumentIndex() { result = 2 }
+}
 
-class CilLdarg_3 extends @il_ldarg_3, CilInstruction { }
+class CilLdarg_3 extends @il_ldarg_3, CilLoadArgument {
+  override int getArgumentIndex() { result = 3 }
+}
 
 class CilLdloc_0 extends @il_ldloc_0, CilLoadLocal {
   override int getLocalVariableIndex() { result = 0 }
@@ -117,11 +140,15 @@ class CilStloc_3 extends @il_stloc_3, CilStoreLocal {
   override int getLocalVariableIndex() { result = 3 }
 }
 
-abstract class CilLoadArgument extends CilInstruction { }
+abstract class CilLoadArgument extends CilInstruction {
+  abstract int getArgumentIndex();
+}
 
-class CilLdarg_S extends @il_ldarg_S, CilLoadArgument { }
+class CilLdarg_S extends @il_ldarg_S, CilLoadArgument {
+  override int getArgumentIndex() { il_operand_byte(this, result) }
+}
 
-class CilLdarga_S extends @il_ldarga_S, CilLoadArgument { }
+class CilLdarga_S extends @il_ldarga_S, CilInstruction { }
 
 abstract class CilStoreArgument extends CilInstruction { }
 
@@ -677,7 +704,9 @@ class CilLdftn extends @il_ldftn, CilInstruction { }
 
 class CilLdvirtftn extends @il_ldvirtftn, CilInstruction { }
 
-class CilLdarg extends @il_ldarg, CilInstruction { }
+class CilLdarg extends @il_ldarg, CilLoadArgument {
+  override int getArgumentIndex() { il_operand_int(this, result) }
+}
 
 class CilLdarga extends @il_ldarga, CilInstruction { }
 

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll

@@ -31,7 +31,8 @@ newtype TTempVariableTag =
   CilUnconditionalBranchRefVarTag() or
   CallReturnValueTag() or
   CilCallTargetVarTag() or
-  CilLoadStringVarTag()
+  CilLoadStringVarTag() or
+  CilLoadArgVarTag()
 
 class TempVariableTag extends TTempVariableTag {
   string toString() {
@@ -133,5 +134,8 @@ class TempVariableTag extends TTempVariableTag {
     or
     this = CilLoadStringVarTag() and
     result = "ldstr"
+    or
+    this = CilLoadArgVarTag() and
+    result = "ldarg"
   }
 }

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll

@@ -26,6 +26,8 @@ private predicate shouldTranslateCilInstr(Raw::CilInstruction instr) { any() }
 
 private predicate shouldTranslateMethod(Raw::CilMethod m) { any() }
 
+private predicate shouldTranslateCilParameter(Raw::CilParameter p) { any() }
+
 newtype TTranslatedElement =
   TTranslatedX86Function(Raw::X86Instruction entry) {
     shouldTranslateX86Instr(entry) and
@@ -91,7 +93,9 @@ newtype TTranslatedElement =
   } or
   TTranslatedCilRet(Raw::CilIl_ret ret) { shouldTranslateCilInstr(ret) } or
   TTranslatedCilCall(Raw::CilCall call) { shouldTranslateCilInstr(call) } or
-  TTranslatedCilLoadString(Raw::CilLdstr ldstr) { shouldTranslateCilInstr(ldstr) }
+  TTranslatedCilLoadString(Raw::CilLdstr ldstr) { shouldTranslateCilInstr(ldstr) } or
+  TTranslatedCilParameter(Raw::CilParameter param) { shouldTranslateCilParameter(param) } or
+  TTranslatedCilLoadArg(Raw::CilLoadArgument ldstr) { shouldTranslateCilInstr(ldstr) }
 
 TranslatedElement getTranslatedElement(Raw::Element raw) {
   result.getRawElement() = raw and

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedFunction.qll

@@ -127,6 +127,54 @@ class TranslatedX86Function extends TranslatedFunction, TTranslatedX86Function {
   }
 }
 
+class TranslatedCilParameter extends TranslatedElement, TTranslatedCilParameter {
+  Raw::CilParameter p;
+
+  TranslatedCilParameter() { this = TTranslatedCilParameter(p) }
+
+  override Raw::Element getRawElement() { result = p }
+
+  override Variable getResultVariable() { none() }
+
+  override TranslatedFunction getEnclosingFunction() {
+    result = getTranslatedFunction(p.getMethod())
+  }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, Option<Variable>::Option v) {
+    opcode instanceof Opcode::Init and
+    tag = SingleTag() and
+    v.asSome() = this.getLocalVariable(CilParameterVarTag(p.getIndex()))
+  }
+
+  override predicate hasLocalVariable(LocalVariableTag tag) {
+    tag = CilParameterVarTag(p.getIndex())
+  }
+
+  override string getDumpId() { result = p.getName() }
+
+  override string toString() { result = "Translation of " + p.getName() }
+
+  override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) { none() }
+
+  override predicate producesResult() { any() }
+
+  final override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) {
+    tag = SingleTag() and
+    result = this.getEnclosingFunction().getChildSuccessor(this, succType)
+  }
+
+  final override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) {
+    none()
+  }
+
+  Instruction getEntry() { result = this.getInstruction(SingleTag()) }
+}
+
+private TranslatedCilParameter getTranslatedParameter(Raw::CilParameter p) {
+  result.getRawElement() = p and
+  result.producesResult()
+}
+
 class TranslatedCilMethod extends TranslatedFunction, TTranslatedCilMethod {
   Raw::CilMethod method;
 
@@ -142,7 +190,21 @@ class TranslatedCilMethod extends TranslatedFunction, TTranslatedCilMethod {
 
   override Instruction getBodySuccessor(InstructionTag tag, SuccessorType succType) { none() }
 
-  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) { none() }
+  private TranslatedCilParameter getParameter(int index) {
+    result = getTranslatedParameter(method.getParameter(index))
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) {
+    exists(int index |
+      child = this.getParameter(index) and
+      succType instanceof DirectSuccessor
+    |
+      result = this.getParameter(index + 1).getEntry()
+      or
+      not exists(this.getParameter(index + 1)) and
+      result = getTranslatedInstruction(method.getInstruction(0)).getEntry()
+    )
+  }
 
   override string getName() { result = method.getName() }
 
@@ -151,6 +213,9 @@ class TranslatedCilMethod extends TranslatedFunction, TTranslatedCilMethod {
   override predicate isExported() { none() }
 
   override Instruction getBodyEntry() {
+    result = this.getParameter(0).getEntry()
+    or
+    not exists(this.getParameter(0)) and
     result = getTranslatedInstruction(method.getInstruction(0)).getEntry()
   }
 

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedInstruction.qll

@@ -2328,3 +2328,47 @@ class TranslatedCilLoadString extends TranslatedCilInstruction, TTranslatedCilLo
     result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i - 1)
   }
 }
+
+class TranslatedCilLoadArg extends TranslatedCilInstruction, TTranslatedCilLoadArg {
+  override Raw::CilLoadArgument instr;
+
+  TranslatedCilLoadArg() { this = TTranslatedCilLoadArg(instr) }
+
+  final override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Option<Variable>::Option v
+  ) {
+    opcode instanceof Opcode::Copy and
+    tag = SingleTag() and
+    v.asSome() = this.getVariable(CilLoadArgVarTag())
+  }
+
+  override predicate hasTempVariable(TempVariableTag tag) { tag = CilLoadArgVarTag() }
+
+  override predicate producesResult() { any() }
+
+  override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = SingleTag() and
+    operandTag instanceof UnaryTag and
+    result = this.getLocalVariable(CilParameterVarTag(instr.getArgumentIndex()))
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) { none() }
+
+  override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) {
+    tag = SingleTag() and
+    succType instanceof DirectSuccessor and
+    result = getTranslatedInstruction(instr.getASuccessor()).getEntry()
+  }
+
+  override Instruction getEntry() { result = this.getInstruction(SingleTag()) }
+
+  override Variable getResultVariable() { result = this.getVariable(CilLoadArgVarTag()) }
+
+  final override Variable getStackElement(int i) {
+    i = 0 and
+    result = this.getInstruction(SingleTag()).getResultVariable()
+    or
+    i > 0 and
+    result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i - 1)
+  }
+}

binary/ql/lib/semmle/code/binary/ast/ir/internal/Tags.qll

@@ -6,7 +6,8 @@ private import semmle.code.binary.ast.internal.instructions
 newtype LocalVariableTag =
   CmpRegisterTag() or
   X86RegisterTag(X86Register r) or
-  StlocVarTag(int index) { any(CilStoreLocal stloc).getLocalVariableIndex() = index }
+  StlocVarTag(int index) { any(CilStoreLocal stloc).getLocalVariableIndex() = index } or
+  CilParameterVarTag(int index) { any(CilParameter p).getIndex() = index }
 
 string stringOfLocalVariableTag(LocalVariableTag tag) {
   tag = CmpRegisterTag() and
@@ -21,4 +22,9 @@ string stringOfLocalVariableTag(LocalVariableTag tag) {
     tag = X86RegisterTag(r) and
     result = r.toString()
   )
+  or
+  exists(int index |
+    tag = CilParameterVarTag(index) and
+    result = "param_" + index.toString()
+  )
 }

binary/ql/lib/semmlecode.binary.dbscheme

@@ -2420,6 +2420,13 @@ il_call_has_return_value(
   int instruction: @il_instruction ref
 );
 
+il_parameter(
+  unique int p: @il_parameter,
+  int method: @method ref,
+  int index: int ref,
+  string name: string ref
+);
+
 /**
  * Unresolved method call targets.
  * The target_method_name is the fully qualified name of the called method.