Binary: Load instructions's operand now have a LoadOperand type.

MathiasVP · MathiasVP · commit 33753b6a6bab · 2025-11-30T18:13:36.000Z
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction.qll
@@ -144,7 +144,7 @@ class CopyInstruction extends Instruction {
 class LoadInstruction extends Instruction {
   override Opcode::Load opcode;
 
-  UnaryOperand getOperand() { result = this.getAnOperand() }
+  LoadAddressOperand getOperand() { result = this.getAnOperand() }
 }
 
 class StoreInstruction extends Instruction {
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Operand.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Operand.qll
@@ -57,6 +57,10 @@ class UnaryOperand extends Operand {
   override UnaryTag operandTag;
 }
 
+class LoadAddressOperand extends Operand {
+  override LoadAddressTag operandTag;
+}
+
 class ConditionOperand extends Operand {
   override CondTag operandTag;
 }
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedOperand.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedOperand.qll
@@ -440,7 +440,7 @@ class TranslatedX86MemoryOperand extends TranslatedX86Operand, TTranslatedX86Mem
     // Load from [x]
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getInstruction(MemoryOperandAdd2Tag()).getResultVariable()
   }
 
@@ -469,7 +469,7 @@ class TranslatedX86MemoryOperand extends TranslatedX86Operand, TTranslatedX86Mem
     // Load from [x]
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getInstruction(MemoryOperandAdd1Tag()).getResultVariable()
   }
 
@@ -498,7 +498,7 @@ class TranslatedX86MemoryOperand extends TranslatedX86Operand, TTranslatedX86Mem
     // Load from [x]
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getInstruction(MemoryOperandAdd2Tag()).getResultVariable()
   }
 
@@ -517,7 +517,7 @@ class TranslatedX86MemoryOperand extends TranslatedX86Operand, TTranslatedX86Mem
     // Load from [x]
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getInstruction(MemoryOperandAdd1Tag()).getResultVariable()
   }
 
@@ -536,15 +536,15 @@ class TranslatedX86MemoryOperand extends TranslatedX86Operand, TTranslatedX86Mem
     // Load from [x]
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getInstruction(MemoryOperandAdd1Tag()).getResultVariable()
   }
 
   // Compute base
   Variable case6(InstructionTag tag, OperandTag operandTag) {
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getX86RegisterVariable(op.getBaseRegister().getTarget())
     // If we are in case6 and we do not need to load the result will be the base register
   }
@@ -574,7 +574,7 @@ class TranslatedX86MemoryOperand extends TranslatedX86Operand, TTranslatedX86Mem
     // Load from [x]
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getInstruction(MemoryOperandAdd1Tag()).getResultVariable()
   }
 
@@ -593,7 +593,7 @@ class TranslatedX86MemoryOperand extends TranslatedX86Operand, TTranslatedX86Mem
     // Load from [x]
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getInstruction(MemoryOperandMulTag()).getResultVariable()
   }
 
@@ -612,15 +612,15 @@ class TranslatedX86MemoryOperand extends TranslatedX86Operand, TTranslatedX86Mem
     // Load from [x]
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getInstruction(MemoryOperandAdd1Tag()).getResultVariable()
   }
 
   // Compute index
   Variable case10(InstructionTag tag, OperandTag operandTag) {
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getX86RegisterVariable(op.getIndexRegister().getTarget())
     // If we are in case10 and we do not need to load the result will be the index register
   }
@@ -629,7 +629,7 @@ class TranslatedX86MemoryOperand extends TranslatedX86Operand, TTranslatedX86Mem
   Variable case11(InstructionTag tag, OperandTag operandTag) {
     this.isLoaded() and
     tag = MemoryOperandLoadTag() and
-    operandTag = UnaryTag() and
+    operandTag = LoadAddressTag() and
     result = this.getInstruction(MemoryOperandConstDisplacementTag()).getResultVariable()
     // If we are in case11 and we do not need to load the result will be the displacement constant
   }
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/InstructionSig.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/InstructionSig.qll
@@ -36,6 +36,8 @@ signature module InstructionSig {
 
   class UnaryOperand extends Operand;
 
+  class LoadAddressOperand extends Operand;
+
   class ConditionOperand extends Operand;
 
   class ConditionJumpTargetOperand extends Operand;
@@ -183,7 +185,7 @@ signature module InstructionSig {
   }
 
   class LoadInstruction extends Instruction {
-    UnaryOperand getOperand();
+    LoadAddressOperand getOperand();
   }
 
   class StoreInstruction extends Instruction {
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Tags.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Tags.qll
@@ -28,6 +28,7 @@ newtype TOperandTag =
   RightTag() or
   UnaryTag() or
   StoreValueTag() or
+  LoadAddressTag() or
   StoreAddressTag() or
   CallTargetTag() or
   CondTag() or
@@ -45,6 +46,9 @@ class OperandTag extends TOperandTag {
     this = UnaryTag() and
     result = 0
     or
+    this = LoadAddressTag() and
+    result = 0
+    or
     this = StoreValueTag() and
     result = 1
     or
@@ -87,6 +91,9 @@ class OperandTag extends TOperandTag {
     this = UnaryTag() and
     result = "Unary"
     or
+    this = LoadAddressTag() and
+    result = "LoadAddr"
+    or
     this = StoreValueTag() and
     result = "StoreValue"
     or
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/TransformInstruction/TransformInstruction.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/TransformInstruction/TransformInstruction.qll
@@ -596,7 +596,7 @@ module Transform<InstructionSig Input> {
     class LoadInstruction extends Instruction {
       LoadInstruction() { this.getOpcode() instanceof Opcode::Load }
 
-      UnaryOperand getOperand() { result = this.getAnOperand() }
+      LoadAddressOperand getOperand() { result = this.getAnOperand() }
     }
 
     class StoreInstruction extends Instruction {
@@ -843,6 +843,10 @@ module Transform<InstructionSig Input> {
       StoreAddressOperand() { this.getOperandTag() instanceof StoreAddressTag }
     }
 
+    class LoadAddressOperand extends Operand {
+      LoadAddressOperand() { this.getOperandTag() instanceof LoadAddressTag }
+    }
+
     class UnaryOperand extends Operand {
       UnaryOperand() { this.getOperandTag() instanceof UnaryTag }
     }

Original file line number	Diff line number	Diff line change
`@@ -144,7 +144,7 @@ class CopyInstruction extends Instruction {`
`144`	`144`	`class LoadInstruction extends Instruction {`
`145`	`145`	`override Opcode::Load opcode;`
`146`	`146`
`147`		`- UnaryOperand getOperand() { result = this.getAnOperand() }`
	`147`	`+ LoadAddressOperand getOperand() { result = this.getAnOperand() }`
`148`	`148`	`}`
`149`	`149`
`150`	`150`	`class StoreInstruction extends Instruction {`
Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,10 @@ class UnaryOperand extends Operand {`
`57`	`57`	`override UnaryTag operandTag;`
`58`	`58`	`}`
`59`	`59`
	`60`	`+class LoadAddressOperand extends Operand {`
	`61`	`+ override LoadAddressTag operandTag;`
	`62`	`+}`
	`63`	`+`
`60`	`64`	`class ConditionOperand extends Operand {`
`61`	`65`	`override CondTag operandTag;`
`62`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,8 @@ signature module InstructionSig {`
`36`	`36`
`37`	`37`	`class UnaryOperand extends Operand;`
`38`	`38`
	`39`	`+ class LoadAddressOperand extends Operand;`
	`40`	`+`
`39`	`41`	`class ConditionOperand extends Operand;`
`40`	`42`
`41`	`43`	`class ConditionJumpTargetOperand extends Operand;`
`@@ -183,7 +185,7 @@ signature module InstructionSig {`
`183`	`185`	`}`
`184`	`186`
`185`	`187`	`class LoadInstruction extends Instruction {`
`186`		`- UnaryOperand getOperand();`
	`188`	`+ LoadAddressOperand getOperand();`
`187`	`189`	`}`
`188`	`190`
`189`	`191`	`class StoreInstruction extends Instruction {`
Original file line number	Diff line number	Diff line change
`@@ -596,7 +596,7 @@ module Transform<InstructionSig Input> {`
`596`	`596`	`class LoadInstruction extends Instruction {`
`597`	`597`	`LoadInstruction() { this.getOpcode() instanceof Opcode::Load }`
`598`	`598`
`599`		`- UnaryOperand getOperand() { result = this.getAnOperand() }`
	`599`	`+ LoadAddressOperand getOperand() { result = this.getAnOperand() }`
`600`	`600`	`}`
`601`	`601`
`602`	`602`	`class StoreInstruction extends Instruction {`
`@@ -843,6 +843,10 @@ module Transform<InstructionSig Input> {`
`843`	`843`	`StoreAddressOperand() { this.getOperandTag() instanceof StoreAddressTag }`
`844`	`844`	`}`
`845`	`845`
	`846`	`+ class LoadAddressOperand extends Operand {`
	`847`	`+ LoadAddressOperand() { this.getOperandTag() instanceof LoadAddressTag }`
	`848`	`+ }`
	`849`	`+`
`846`	`850`	`class UnaryOperand extends Operand {`
`847`	`851`	`UnaryOperand() { this.getOperandTag() instanceof UnaryTag }`
`848`	`852`	`}`