CIL: Support strings.

MathiasVP · MathiasVP · commit 24667c078a08 · 2025-12-01T17:27:03.000Z
diff --git a/binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll b/binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll
@@ -275,9 +275,7 @@ abstract class CilCall extends CilInstruction {
 
   final predicate hasReturnValue() { il_call_has_return_value(this) }
 
-  string getExternalName() {
-    il_call_target_unresolved(this, result)
-  }
+  string getExternalName() { il_call_target_unresolved(this, result) }
 }
 
 class CilIl_jmp extends @il_il_jmp, CilCall { }
@@ -487,7 +485,9 @@ class CilCpobj extends @il_cpobj, CilInstruction { }
 
 class CilLdobj extends @il_ldobj, CilInstruction { }
 
-class CilLdstr extends @il_ldstr, CilInstruction { }
+class CilLdstr extends @il_ldstr, CilInstruction {
+  string getValue() { il_operand_string(this, result) }
+}
 
 class CilNewobj extends @il_newobj, CilInstruction { }
 
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction.qll
@@ -100,7 +100,13 @@ class ConstInstruction extends Instruction {
 
   int getValue() { result = te.getConstantValue(tag) }
 
-  override string getImmediateValue() { result = this.getValue().toString() }
+  string getStringValue() { result = te.getStringConstant(tag) }
+
+  override string getImmediateValue() {
+    result = this.getValue().toString()
+    or
+    result = this.getStringValue()
+  }
 }
 
 class CJumpInstruction extends Instruction {
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll
@@ -30,7 +30,8 @@ newtype TTempVariableTag =
   CilBoolBranchRefVarTag() or
   CilUnconditionalBranchRefVarTag() or
   CallReturnValueTag() or
-  CilCallTargetVarTag()
+  CilCallTargetVarTag() or
+  CilLoadStringVarTag()
 
 class TempVariableTag extends TTempVariableTag {
   string toString() {
@@ -129,5 +130,8 @@ class TempVariableTag extends TTempVariableTag {
     or
     this = CilCallTargetVarTag() and
     result = "call_target"
+    or
+    this = CilLoadStringVarTag() and
+    result = "ldstr"
   }
 }
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll
@@ -90,7 +90,8 @@ newtype TTranslatedElement =
     shouldTranslateCilInstr(cbr)
   } or
   TTranslatedCilRet(Raw::CilIl_ret ret) { shouldTranslateCilInstr(ret) } or
-  TTranslatedCilCall(Raw::CilCall call) { shouldTranslateCilInstr(call) }
+  TTranslatedCilCall(Raw::CilCall call) { shouldTranslateCilInstr(call) } or
+  TTranslatedCilLoadString(Raw::CilLdstr ldstr) { shouldTranslateCilInstr(ldstr) }
 
 TranslatedElement getTranslatedElement(Raw::Element raw) {
   result.getRawElement() = raw and
@@ -126,6 +127,8 @@ abstract class TranslatedElement extends TTranslatedElement {
 
   int getConstantValue(InstructionTag tag) { none() }
 
+  string getStringConstant(InstructionTag tag) { none() }
+
   string getExternalName(InstructionTag tag) { none() }
 
   Instruction getReferencedInstruction(InstructionTag tag) { none() }
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedInstruction.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedInstruction.qll
@@ -2283,3 +2283,48 @@ class TranslatedCilCall extends TranslatedCilInstruction, TTranslatedCilCall {
             .getStackElement(i + instr.getNumberOfArguments())
   }
 }
+
+class TranslatedCilLoadString extends TranslatedCilInstruction, TTranslatedCilLoadString {
+  override Raw::CilLdstr instr;
+
+  TranslatedCilLoadString() { this = TTranslatedCilLoadString(instr) }
+
+  final override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Option<Variable>::Option v
+  ) {
+    opcode instanceof Opcode::Const and
+    tag = SingleTag() and
+    v.asSome() = this.getVariable(CilLoadStringVarTag())
+  }
+
+  override predicate hasTempVariable(TempVariableTag tag) { tag = CilLoadStringVarTag() }
+
+  override predicate producesResult() { any() }
+
+  override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) { none() }
+
+  override string getStringConstant(InstructionTag tag) {
+    tag = SingleTag() and
+    result = instr.getValue()
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) { none() }
+
+  override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) {
+    tag = SingleTag() and
+    succType instanceof DirectSuccessor and
+    result = getTranslatedInstruction(instr.getASuccessor()).getEntry()
+  }
+
+  override Instruction getEntry() { result = this.getInstruction(SingleTag()) }
+
+  override Variable getResultVariable() { result = this.getVariable(CilLoadStringVarTag()) }
+
+  final override Variable getStackElement(int i) {
+    i = 0 and
+    result = this.getInstruction(SingleTag()).getResultVariable()
+    or
+    i > 0 and
+    result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i - 1)
+  }
+}
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/InstructionSig.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/InstructionSig.qll
@@ -236,6 +236,8 @@ signature module InstructionSig {
 
   class ConstInstruction extends Instruction {
     int getValue();
+
+    string getStringValue();
   }
 
   class ControlFlowNode {
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/TransformInstruction/TransformInstruction.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/TransformInstruction/TransformInstruction.qll
@@ -691,6 +691,13 @@ module Transform<InstructionSig Input> {
         )
       }
 
+      string getStringValue() {
+        exists(Input::ConstInstruction const |
+          this = TOldInstruction(const) and
+          result = const.getStringValue()
+        )
+      }
+
       override string getImmediateValue() { result = this.getValue().toString() }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -236,6 +236,8 @@ signature module InstructionSig {`
`236`	`236`
`237`	`237`	`class ConstInstruction extends Instruction {`
`238`	`238`	`int getValue();`
	`239`	`+`
	`240`	`+ string getStringValue();`
`239`	`241`	`}`
`240`	`242`
`241`	`243`	`class ControlFlowNode {`
Original file line number	Diff line number	Diff line change
`@@ -691,6 +691,13 @@ module Transform<InstructionSig Input> {`
`691`	`691`	`)`
`692`	`692`	`}`
`693`	`693`
	`694`	`+ string getStringValue() {`
	`695`	`+ exists(Input::ConstInstruction const \|`
	`696`	`+ this = TOldInstruction(const) and`
	`697`	`+ result = const.getStringValue()`
	`698`	`+ )`
	`699`	`+ }`
	`700`	`+`
`694`	`701`	`override string getImmediateValue() { result = this.getValue().toString() }`
`695`	`702`	`}`
`696`	`703`