Add JVM IR translation support and test model

Introduces JVM instruction, type, method, and parameter translation to the IR, including new tags and classes for JVM elements. Updates core IR files to handle JVM instructions and variables, and adds a test model for Java vulnerable calls. Also updates workspace and qlpack configuration to support new data extensions.

Author: gfs

binary/extractor/jvm/semmlecode.binary.dbscheme.stats

@@ -1 +1 @@
-stats
+<dbstats><typesizes /><stats /></dbstats>

binary/ql/lib/semmle/code/binary/ast/instructions.qll

@@ -4,7 +4,7 @@ private import Headers
 private import Sections
 private import codeql.util.Unit
 
-private class TElement = @x86_instruction or @operand or @il_instruction or @method or @il_parameter or @type;
+private class TElement = @x86_instruction or @operand or @il_instruction or @method or @il_parameter or @type or @jvm_instruction or @jvm_parameter;
 
 class Element extends TElement {
   final string toString() { none() }
@@ -266,3 +266,4 @@ class ExportedEntryInstruction extends X86Instruction {
 }
 
 import internal.CilInstructions
+import internal.JvmInstructions

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/InstructionTag.qll

@@ -60,7 +60,24 @@ newtype TInstructionTag =
   CilStoreFieldAddressTag() or
   CilStoreFieldStoreTag() or
   CilLoadFieldAddressTag() or
-  CilLoadFieldLoadTag()
+  CilLoadFieldLoadTag() or
+  // JVM instruction tags
+  JvmCallTag() or
+  JvmCallTargetTag() or
+  JvmReturnTag() or
+  JvmLoadLocalTag() or
+  JvmStoreLocalTag() or
+  JvmBranchCJumpTag() or
+  JvmGotoJumpTag() or
+  JvmArithOpTag() or
+  JvmFieldAddressTag() or
+  JvmFieldLoadTag() or
+  JvmFieldStoreTag() or
+  JvmNewInitTag() or
+  JvmConstTag() or
+  JvmDupCopyTag() or
+  JvmPopTag() or
+  JvmNopTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() {
@@ -224,6 +241,55 @@ class InstructionTag extends TInstructionTag {
     or
     this = CilLoadFieldLoadTag() and
     result = "CilLoadFieldLoad"
+    or
+    // JVM instruction tags
+    this = JvmCallTag() and
+    result = "JvmCall"
+    or
+    this = JvmCallTargetTag() and
+    result = "JvmCallTarget"
+    or
+    this = JvmReturnTag() and
+    result = "JvmReturn"
+    or
+    this = JvmLoadLocalTag() and
+    result = "JvmLoadLocal"
+    or
+    this = JvmStoreLocalTag() and
+    result = "JvmStoreLocal"
+    or
+    this = JvmBranchCJumpTag() and
+    result = "JvmBranchCJump"
+    or
+    this = JvmGotoJumpTag() and
+    result = "JvmGotoJump"
+    or
+    this = JvmArithOpTag() and
+    result = "JvmArithOp"
+    or
+    this = JvmFieldAddressTag() and
+    result = "JvmFieldAddress"
+    or
+    this = JvmFieldLoadTag() and
+    result = "JvmFieldLoad"
+    or
+    this = JvmFieldStoreTag() and
+    result = "JvmFieldStore"
+    or
+    this = JvmNewInitTag() and
+    result = "JvmNewInit"
+    or
+    this = JvmConstTag() and
+    result = "JvmConst"
+    or
+    this = JvmDupCopyTag() and
+    result = "JvmDupCopy"
+    or
+    this = JvmPopTag() and
+    result = "JvmPop"
+    or
+    this = JvmNopTag() and
+    result = "JvmNop"
   }
 }
 

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll

@@ -35,7 +35,17 @@ newtype TTempVariableTag =
   CilDupVarTag() or
   CilStoreFieldAddressVarTag() or
   CilLoadFieldAddressVarTag() or
-  CilLoadFieldLoadVarTag()
+  CilLoadFieldLoadVarTag() or
+  // JVM temp variable tags
+  JvmCallTargetVarTag() or
+  JvmCallResultVarTag() or
+  JvmLoadLocalResultVarTag() or
+  JvmConstVarTag() or
+  JvmDupVarTag() or
+  JvmArithResultVarTag() or
+  JvmNewObjVarTag() or
+  JvmFieldAddressVarTag() or
+  JvmFieldLoadVarTag()
 
 class TempVariableTag extends TTempVariableTag {
   string toString() {
@@ -149,5 +159,33 @@ class TempVariableTag extends TTempVariableTag {
     or
     this = CilLoadFieldLoadVarTag() and
     result = "ldfld"
+    or
+    // JVM temp variable tags
+    this = JvmCallTargetVarTag() and
+    result = "jvm_call_target"
+    or
+    this = JvmCallResultVarTag() and
+    result = "jvm_call_ret"
+    or
+    this = JvmLoadLocalResultVarTag() and
+    result = "jvm_ldloc"
+    or
+    this = JvmConstVarTag() and
+    result = "jvm_const"
+    or
+    this = JvmDupVarTag() and
+    result = "jvm_dup"
+    or
+    this = JvmArithResultVarTag() and
+    result = "jvm_arith"
+    or
+    this = JvmNewObjVarTag() and
+    result = "jvm_new"
+    or
+    this = JvmFieldAddressVarTag() and
+    result = "jvm_fldaddr"
+    or
+    this = JvmFieldLoadVarTag() and
+    result = "jvm_ldfld"
   }
 }

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll

@@ -46,6 +46,26 @@ private predicate shouldTranslateCilParameter(Raw::CilParameter p) { any() }
 
 private predicate shouldTranslatedCilType(Raw::CilType t) { any() }
 
+/**
+ * Holds if the JVM instruction `instr` should be translated into IR.
+ */
+private predicate shouldTranslateJvmInstr(Raw::JvmInstruction instr) { any() }
+
+/**
+ * Holds if the JVM method `m` should be translated into IR.
+ */
+private predicate shouldTranslateJvmMethod(Raw::JvmMethod m) { any() }
+
+/**
+ * Holds if the JVM parameter `p` should be translated into IR.
+ */
+private predicate shouldTranslateJvmParameter(Raw::JvmParameter p) { any() }
+
+/**
+ * Holds if the JVM type `t` should be translated into IR.
+ */
+private predicate shouldTranslateJvmType(Raw::JvmType t) { any() }
+
 /**
  * The "base type" for all translated elements.
  *
@@ -136,7 +156,50 @@ newtype TTranslatedElement =
   TTranslatedNewObject(Raw::CilNewobj newObj) { shouldTranslateCilInstr(newObj) } or
   TTranslatedDup(Raw::CilDup dup) { shouldTranslateCilInstr(dup) } or
   TTranslatedCilStoreField(Raw::CilStfld store) { shouldTranslateCilInstr(store) } or
-  TTranslatedCilLoadField(Raw::CilLdfld load) { shouldTranslateCilInstr(load) }
+  TTranslatedCilLoadField(Raw::CilLdfld load) { shouldTranslateCilInstr(load) } or
+  // JVM translated elements
+  TTranslatedJvmMethod(Raw::JvmMethod m) { shouldTranslateJvmMethod(m) } or
+  TTranslatedJvmType(Raw::JvmType t) { shouldTranslateJvmType(t) } or
+  TTranslatedJvmParameter(Raw::JvmParameter p) { shouldTranslateJvmParameter(p) } or
+  TTranslatedJvmInvoke(Raw::JvmInvoke invoke) { shouldTranslateJvmInstr(invoke) } or
+  TTranslatedJvmReturn(Raw::JvmReturn ret) { shouldTranslateJvmInstr(ret) } or
+  TTranslatedJvmLoadLocal(Raw::JvmLoadLocal load) { shouldTranslateJvmInstr(load) } or
+  TTranslatedJvmStoreLocal(Raw::JvmStoreLocal store) { shouldTranslateJvmInstr(store) } or
+  TTranslatedJvmBranch(Raw::JvmBranch branch) { shouldTranslateJvmInstr(branch) } or
+  TTranslatedJvmGoto(Raw::JvmGoto goto) { shouldTranslateJvmInstr(goto) } or
+  TTranslatedJvmArithmetic(Raw::JvmInstruction arith) {
+    shouldTranslateJvmInstr(arith) and
+    (
+      arith instanceof Raw::JvmIadd or arith instanceof Raw::JvmIsub or
+      arith instanceof Raw::JvmImul or arith instanceof Raw::JvmIdiv or
+      arith instanceof Raw::JvmLadd or arith instanceof Raw::JvmLsub or
+      arith instanceof Raw::JvmLmul or arith instanceof Raw::JvmLdiv or
+      arith instanceof Raw::JvmFadd or arith instanceof Raw::JvmFsub or
+      arith instanceof Raw::JvmFmul or arith instanceof Raw::JvmFdiv or
+      arith instanceof Raw::JvmDadd or arith instanceof Raw::JvmDsub or
+      arith instanceof Raw::JvmDmul or arith instanceof Raw::JvmDdiv
+    )
+  } or
+  TTranslatedJvmFieldAccess(Raw::JvmFieldAccess field) { shouldTranslateJvmInstr(field) } or
+  TTranslatedJvmNew(Raw::JvmNew newObj) { shouldTranslateJvmInstr(newObj) } or
+  TTranslatedJvmDup(Raw::JvmDup dup) { shouldTranslateJvmInstr(dup) } or
+  TTranslatedJvmPop(Raw::JvmPop pop) { shouldTranslateJvmInstr(pop) } or
+  TTranslatedJvmNop(Raw::JvmNop nop) { shouldTranslateJvmInstr(nop) } or
+  TTranslatedJvmLoadConstant(Raw::JvmInstruction ldc) {
+    shouldTranslateJvmInstr(ldc) and
+    (
+      ldc instanceof Raw::JvmLdc or ldc instanceof Raw::JvmLdcW or
+      ldc instanceof Raw::JvmLdc2W or ldc instanceof Raw::JvmBipush or
+      ldc instanceof Raw::JvmSipush or ldc instanceof Raw::JvmIconstM1 or
+      ldc instanceof Raw::JvmIconst0 or ldc instanceof Raw::JvmIconst1 or
+      ldc instanceof Raw::JvmIconst2 or ldc instanceof Raw::JvmIconst3 or
+      ldc instanceof Raw::JvmIconst4 or ldc instanceof Raw::JvmIconst5 or
+      ldc instanceof Raw::JvmLconst0 or ldc instanceof Raw::JvmLconst1 or
+      ldc instanceof Raw::JvmFconst0 or ldc instanceof Raw::JvmFconst1 or
+      ldc instanceof Raw::JvmFconst2 or ldc instanceof Raw::JvmDconst0 or
+      ldc instanceof Raw::JvmDconst1 or ldc instanceof Raw::JvmAconstNull
+    )
+  }
 
 TranslatedElement getTranslatedElement(Raw::Element raw) {
   result.getRawElement() = raw and
@@ -153,6 +216,11 @@ TranslatedCilInstruction getTranslatedCilInstruction(Raw::CilInstruction raw) {
   result.producesResult()
 }
 
+TranslatedJvmInstruction getTranslatedJvmInstruction(Raw::JvmInstruction raw) {
+  result.getRawElement() = raw and
+  result.producesResult()
+}
+
 abstract class TranslatedElement extends TTranslatedElement {
   /**
    * Holds if this translated element generated an instruction with opcode `opcode` that stores

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedFunction.qll

@@ -230,3 +230,108 @@ class TranslatedCilMethod extends TranslatedFunction, TTranslatedCilMethod {
     none() // I don't think we need to do anything here?
   }
 }
+
+// ============================================================================
+// JVM Translated Elements
+// ============================================================================
+
+class TranslatedJvmParameter extends TranslatedElement, TTranslatedJvmParameter {
+  Raw::JvmParameter p;
+
+  TranslatedJvmParameter() { this = TTranslatedJvmParameter(p) }
+
+  override Raw::Element getRawElement() { result = p }
+
+  final override Location getLocation() { result = p.getLocation() }
+
+  override Variable getResultVariable() { none() }
+
+  override TranslatedFunction getEnclosingFunction() {
+    result = getTranslatedFunction(p.getMethod())
+  }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, Option<Variable>::Option v) {
+    opcode instanceof Opcode::Init and
+    tag = SingleTag() and
+    v.asSome() = this.getLocalVariable(JvmParameterVarTag(p.getSlotIndex()))
+  }
+
+  override predicate hasLocalVariable(LocalVariableTag tag) {
+    tag = JvmParameterVarTag(p.getSlotIndex())
+  }
+
+  override string getDumpId() { result = p.getName() }
+
+  override string toString() { result = "Translation of " + p.getName() }
+
+  override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) { none() }
+
+  override predicate producesResult() { any() }
+
+  final override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) {
+    tag = SingleTag() and
+    result = this.getEnclosingFunction().getChildSuccessor(this, succType)
+  }
+
+  final override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) {
+    none()
+  }
+
+  Instruction getEntry() { result = this.getInstruction(SingleTag()) }
+}
+
+private TranslatedJvmParameter getTranslatedJvmParameter(Raw::JvmParameter p) {
+  result.getRawElement() = p and
+  result.producesResult()
+}
+
+class TranslatedJvmMethod extends TranslatedFunction, TTranslatedJvmMethod {
+  Raw::JvmMethod method;
+
+  TranslatedJvmMethod() { this = TTranslatedJvmMethod(method) }
+
+  override Raw::Element getRawElement() { result = method }
+
+  final override Location getLocation() { result = method.getLocation() }
+
+  override predicate hasBodyInstruction(
+    Opcode opcode, InstructionTag tag, Option<Variable>::Option v
+  ) {
+    none()
+  }
+
+  override Instruction getBodySuccessor(InstructionTag tag, SuccessorType succType) { none() }
+
+  private TranslatedJvmParameter getParameter(int index) {
+    result = getTranslatedJvmParameter(method.getParameter(index))
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) {
+    exists(int index |
+      child = this.getParameter(index) and
+      succType instanceof DirectSuccessor
+    |
+      result = this.getParameter(index + 1).getEntry()
+      or
+      not exists(this.getParameter(index + 1)) and
+      result = getTranslatedJvmInstruction(method.getInstruction(0)).getEntry()
+    )
+  }
+
+  override string getName() { result = method.getName() }
+
+  override predicate isProgramEntryPoint() { none() }
+
+  override predicate isPublic() { any() } // TODO: Extract access modifiers
+
+  override Instruction getBodyEntry() {
+    result = this.getParameter(0).getEntry()
+    or
+    not exists(this.getParameter(0)) and
+    result = getTranslatedJvmInstruction(method.getInstruction(0)).getEntry()
+  }
+
+  final override predicate hasOrdering(LocalVariableTag tag, int ordering) {
+    tag = JvmParameterVarTag(ordering)
+  }
+}