Binary: Add 'Type' to the IR.

Author: MathiasVP

binary/ql/lib/semmle/code/binary/ast/instructions.qll

@@ -4,7 +4,7 @@ private import Headers
 private import Sections
 private import codeql.util.Unit
 
-private class TElement = @x86_instruction or @operand or @il_instruction or @method or @il_parameter;
+private class TElement = @x86_instruction or @operand or @il_instruction or @method or @il_parameter or @type;
 
 class Element extends TElement {
   final string toString() { none() }

binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll

@@ -1,5 +1,26 @@
 private import binary
 
+/**
+ * A CIL type (class, struct, interface, etc.).
+ */
+class CilType extends @type {
+  string toString() { result = this.getName() }
+
+  /** Gets the full name of this type (e.g., "System.Collections.Generic.List`1"). */
+  string getFullName() { types(this, result, _, _) }
+
+  /** Gets the namespace of this type (e.g., "System.Collections.Generic"). */
+  string getNamespace() { types(this, _, result, _) }
+
+  /** Gets the simple name of this type (e.g., "List`1"). */
+  string getName() { types(this, _, _, result) }
+
+  /** Gets a method declared in this type. */
+  CilMethod getAMethod() { result.getDeclaringType() = this }
+
+  Location getLocation() { none() } // TODO: Extract
+}
+
 /** A local variable defined in a CIL method body. */
 class CilVariable extends @il_local_variable {
   string toString() { result = "local_" + this.getIndex().toString() }
@@ -52,6 +73,8 @@ class CilMethod extends @method {
     result.getIndex() = i
   }
 
+  CilType getDeclaringType() { methods(this, _, _, result) }
+
   Location getLocation() { none() } // TODO: Extract
 }
 

binary/ql/lib/semmle/code/binary/ast/ir/IR.qll

@@ -20,6 +20,24 @@ private module FinalInstruction {
     Location getLocation() { result = super.getLocation() }
 
     predicate isProgramEntryPoint() { super.isProgramEntryPoint() }
+
+    Type getDeclaringType() { result = super.getDeclaringType() }
+
+    predicate isPublic() { super.isPublic() }
+  }
+
+  class Type instanceof Instruction::Type {
+    Function getAFunction() { result = super.getAFunction() }
+
+    string toString() { result = super.toString() }
+
+    string getFullName() { result = super.getFullName() }
+
+    string getNamespace() { result = super.getNamespace() }
+
+    string getName() { result = super.getName() }
+
+    Location getLocation() { result = super.getLocation() }
   }
 
   class Operand instanceof Instruction::Operand {

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Function.qll

@@ -2,6 +2,7 @@ private import TranslatedFunction
 private import Instruction
 private import semmle.code.binary.ast.Location
 private import BasicBlock
+private import Type
 
 newtype TFunction = TMkFunction(TranslatedFunction f)
 
@@ -22,5 +23,7 @@ class Function extends TFunction {
 
   predicate isProgramEntryPoint() { f.isProgramEntryPoint() }
 
-  predicate isExported() { f.isExported() }
+  predicate isPublic() { f.isPublic() }
+
+  Type getDeclaringType() { result.getAFunction() = this }
 }

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction0.qll

@@ -3,6 +3,7 @@ import semmle.code.binary.ast.ir.internal.InstructionSig
 module Instruction0 implements InstructionSig {
   import Instruction
   import Function
+  import Type
   import Operand
   import Variable
   import BasicBlock

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll

@@ -44,6 +44,8 @@ private predicate shouldTranslateMethod(Raw::CilMethod m) { any() }
  */
 private predicate shouldTranslateCilParameter(Raw::CilParameter p) { any() }
 
+private predicate shouldTranslatedCilType(Raw::CilType t) { any() }
+
 /**
  * The "base type" for all translated elements.
  *
@@ -124,8 +126,13 @@ newtype TTranslatedElement =
   TTranslatedCilLoadString(Raw::CilLdstr ldstr) { shouldTranslateCilInstr(ldstr) } or
   TTranslatedCilParameter(Raw::CilParameter param) { shouldTranslateCilParameter(param) } or
   TTranslatedCilLoadArg(Raw::CilLoadArgument ldstr) { shouldTranslateCilInstr(ldstr) } or
-  TTranslatedCilLoadIndirect(Raw::CilLoadIndirectInstruction ldind) { shouldTranslateCilInstr(ldind) } or
-  TTranslatedCilStoreIndirect(Raw::CilStoreIndirectInstruction stind) { shouldTranslateCilInstr(stind) }
+  TTranslatedCilLoadIndirect(Raw::CilLoadIndirectInstruction ldind) {
+    shouldTranslateCilInstr(ldind)
+  } or
+  TTranslatedCilStoreIndirect(Raw::CilStoreIndirectInstruction stind) {
+    shouldTranslateCilInstr(stind)
+  } or
+  TTranslatedCilType(Raw::CilType type) { shouldTranslatedCilType(type) }
 
 TranslatedElement getTranslatedElement(Raw::Element raw) {
   result.getRawElement() = raw and

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedFunction.qll

@@ -51,7 +51,7 @@ abstract class TranslatedFunction extends TranslatedElement {
 
   abstract predicate isProgramEntryPoint();
 
-  abstract predicate isExported();
+  abstract predicate isPublic();
 
   final override string getDumpId() { result = this.getName() }
 
@@ -105,14 +105,14 @@ class TranslatedX86Function extends TranslatedFunction, TTranslatedX86Function {
     if this.isProgramEntryPoint()
     then result = "Program_entry_function"
     else
-      if this.isExported()
+      if this.isPublic()
       then result = "Exported_function_" + entry.getIndex()
       else result = "Function_" + entry.getIndex()
   }
 
   final override predicate isProgramEntryPoint() { entry instanceof Raw::ProgramEntryInstruction }
 
-  final override predicate isExported() { entry instanceof Raw::ExportedEntryInstruction }
+  final override predicate isPublic() { entry instanceof Raw::ExportedEntryInstruction }
 
   final override predicate hasOrdering(LocalVariableTag tag, int ordering) {
     exists(Raw::X86Register r | tag = X86RegisterTag(r) |
@@ -217,7 +217,7 @@ class TranslatedCilMethod extends TranslatedFunction, TTranslatedCilMethod {
 
   override predicate isProgramEntryPoint() { none() }
 
-  override predicate isExported() { none() }
+  override predicate isPublic() { any() } // TODO: We need to extract this
 
   override Instruction getBodyEntry() {
     result = this.getParameter(0).getEntry()

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedType.qll

@@ -0,0 +1,66 @@
+private import semmle.code.binary.ast.Location
+private import semmle.code.binary.ast.instructions as Raw
+private import TranslatedElement
+private import codeql.util.Option
+private import semmle.code.binary.ast.ir.internal.Opcode as Opcode
+private import Variable
+private import Instruction
+private import TranslatedInstruction
+private import TranslatedFunction
+private import semmle.code.binary.ast.ir.internal.Tags
+private import InstructionTag
+private import codeql.controlflow.SuccessorType
+
+abstract class TranslatedType extends TranslatedElement {
+  final override predicate producesResult() { none() }
+
+  final override Variable getResultVariable() { none() }
+
+  final override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) { none() }
+
+  final FunEntryInstruction getEntry() { none() }
+
+  final override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Option<Variable>::Option v
+  ) {
+    none()
+  }
+
+  final override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) { none() }
+
+  abstract string getName();
+
+  abstract string getNamespace();
+
+  abstract TranslatedFunction getAFunction();
+
+  final override string toString() { result = "Translation of " + this.getName() }
+
+  final override TranslatedFunction getEnclosingFunction() { none() }
+
+  final override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) {
+    none()
+  }
+
+  final override string getDumpId() { result = this.getName() }
+}
+
+class TranslatedCiLType extends TranslatedType, TTranslatedCilType {
+  Raw::CilType type;
+
+  TranslatedCiLType() { this = TTranslatedCilType(type) }
+
+  final override Raw::Element getRawElement() { result = type }
+
+  final override string getName() { result = type.getName() }
+
+  final override string getNamespace() { result = type.getNamespace() }
+
+  final override TranslatedCilMethod getAFunction() {
+    result = getTranslatedFunction(type.getAMethod())
+  }
+
+  final override Location getLocation() { result = type.getLocation() }
+}
+
+TranslatedType getTranslatedType(Raw::Element raw) { result.getRawElement() = raw }

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Type.qll

@@ -0,0 +1,23 @@
+private import Function
+private import semmle.code.binary.ast.Location
+private import TranslatedType
+
+newtype TType = TMkType(TranslatedType t)
+
+class Type extends TType {
+  TranslatedType t;
+
+  Type() { this = TMkType(t) }
+
+  Function getAFunction() { result = TMkFunction(t.getAFunction()) }
+
+  string toString() { result = this.getName() }
+
+  string getFullName() { result = this.getNamespace() + "." + this.getName() }
+
+  string getNamespace() { result = t.getNamespace() }
+
+  string getName() { result = t.getName() }
+
+  Location getLocation() { result = t.getLocation() }
+}

binary/ql/lib/semmle/code/binary/ast/ir/internal/InstructionSig.qll

@@ -4,6 +4,21 @@ private import codeql.controlflow.SuccessorType
 private import semmle.code.binary.ast.Location
 
 signature module InstructionSig {
+
+  class Type {
+    Function getAFunction();
+
+    string toString();
+
+    string getFullName();
+
+    string getNamespace();
+
+    string getName();
+
+    Location getLocation();
+  }
+
   class Function {
     string getName();
 
@@ -16,6 +31,10 @@ signature module InstructionSig {
     Location getLocation();
 
     predicate isProgramEntryPoint();
+
+    Type getDeclaringType();
+
+    predicate isPublic();
   }
 
   class Operand {