Binary: More consistent distinquishing of local variables and temp variables in the IR.

Author: MathiasVP

binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll

@@ -1,4 +1,4 @@
-import binary
+private import binary
 
 // TODO
 class CilVariable instanceof @method {

binary/ql/lib/semmle/code/binary/ast/internal/instructions.qll

@@ -85,6 +85,8 @@ module MakeInstructions<InstructionInputSig InstructionInput> {
 
     Location getLocation() { result instanceof EmptyLocation }
 
+    X86Instruction getAPredecessor() { this = result.getASuccessor() }
+
     X86Instruction getASuccessor() {
       result.getIndex() = this.getIndex() + this.getLength().toBigInt()
     }

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction.qll

@@ -79,14 +79,7 @@ class Instruction extends TInstruction {
 
   Location getLocation() { result instanceof EmptyLocation }
 
-  Function getEnclosingFunction() {
-    exists(TranslatedFunction f |
-      result = TMkFunction(f) and
-      f.getEntry() = this
-    )
-    or
-    result = this.getAPredecessor().getEnclosingFunction()
-  }
+  Function getEnclosingFunction() { result = TMkFunction(te.getEnclosingFunction()) }
 
   BasicBlock getBasicBlock() { result.getANode().asInstruction() = this }
 

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction0.qll

@@ -7,5 +7,5 @@ module Instruction0 implements InstructionSig {
   import Variable
   import BasicBlock
   import InstructionTag
-  import VariableTag
+  import TempVariableTag
 }

…ir/internal/Instruction0/VariableTag.qll …nternal/Instruction0/TempVariableTag.qllbinary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/VariableTag.qll renamed to binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/VariableTag.qll renamed to binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll

@@ -1,4 +1,4 @@
-newtype TVariableTag =
+newtype TTempVariableTag =
   X86JumpInstrRefVarTag() or
   X86CJumpInstrRefVarTag() or
   TestVarTag() or
@@ -30,7 +30,7 @@ newtype TVariableTag =
   CilBoolBranchRefVarTag() or
   CilUnconditionalBranchRefVarTag()
 
-class VariableTag extends TVariableTag {
+class TempVariableTag extends TTempVariableTag {
   string toString() {
     this = X86JumpInstrRefVarTag() and
     result = "j_ir"

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll

@@ -2,7 +2,7 @@ private import semmle.code.binary.ast.instructions as Raw
 private import codeql.controlflow.SuccessorType
 private import semmle.code.binary.ast.ir.internal.Tags
 private import InstructionTag
-private import VariableTag
+private import TempVariableTag
 private import Instruction
 private import semmle.code.binary.ast.ir.internal.Opcode as Opcode
 private import codeql.util.Either
@@ -109,13 +109,17 @@ TranslatedCilInstruction getTranslatedCilInstruction(Raw::CilInstruction raw) {
 abstract class TranslatedElement extends TTranslatedElement {
   abstract predicate hasInstruction(Opcode opcode, InstructionTag tag, Option<Variable>::Option v);
 
-  predicate hasTempVariable(VariableTag tag) { none() }
+  predicate hasTempVariable(TempVariableTag tag) { none() }
 
   predicate hasJumpCondition(InstructionTag tag, Opcode::ConditionKind kind) { none() }
 
-  predicate hasSynthVariable(SynthRegisterTag tag) { none() }
+  predicate hasLocalVariable(LocalVariableTag tag) { none() }
 
-  Variable getVariable(VariableTag tag) { result = TTempVariable(this, tag) }
+  final Variable getLocalVariable(LocalVariableTag tag) {
+    result = TLocalVariable(this.getEnclosingFunction(), tag)
+  }
+
+  Variable getVariable(TempVariableTag tag) { result = TTempVariable(this, tag) }
 
   final Instruction getInstruction(InstructionTag tag) { result = MkInstruction(this, tag) }
 
@@ -143,10 +147,17 @@ abstract class TranslatedElement extends TTranslatedElement {
   abstract string getDumpId();
 
   TranslatedFunction getStaticCallTarget(InstructionTag tag) { none() }
+
+  abstract TranslatedFunction getEnclosingFunction();
 }
 
 predicate hasInstruction(TranslatedElement te, InstructionTag tag) { te.hasInstruction(_, tag, _) }
 
-predicate hasTempVariable(TranslatedElement te, VariableTag tag) { te.hasTempVariable(tag) }
+predicate hasTempVariable(TranslatedElement te, TempVariableTag tag) { te.hasTempVariable(tag) }
 
-predicate hasSynthVariable(SynthRegisterTag tag) { any(TranslatedElement te).hasSynthVariable(tag) }
+predicate hasLocalVariable(TranslatedFunction tf, LocalVariableTag tag) {
+  exists(TranslatedElement te |
+    te.getEnclosingFunction() = tf and
+    te.hasLocalVariable(tag)
+  )
+}

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedFunction.qll

@@ -27,12 +27,12 @@ abstract class TranslatedFunction extends TranslatedElement {
   abstract predicate isExported();
 
   final override string getDumpId() { result = this.getName() }
-}
 
-TranslatedX86Function getTranslatedFunction(Raw::X86Instruction entry) {
-  result.getRawElement() = entry
+  final override TranslatedFunction getEnclosingFunction() { result = this }
 }
 
+TranslatedFunction getTranslatedFunction(Raw::Element raw) { result.getRawElement() = raw }
+
 class TranslatedX86Function extends TranslatedFunction, TTranslatedX86Function {
   Raw::X86Instruction entry;
 
@@ -58,6 +58,12 @@ class TranslatedX86Function extends TranslatedFunction, TTranslatedX86Function {
     tag = InitStackPtrTag() and
     succType instanceof DirectSuccessor and
     result = getTranslatedInstruction(entry).getEntry()
+    }
+
+  override predicate hasLocalVariable(LocalVariableTag tag) {
+    tag = X86RegisterTag(any(Raw::RspRegister sp))
+    or
+    tag = X86RegisterTag(any(Raw::RbpRegister fp))
   }
 
   override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) { none() }