CIL: Support calls.

Author: MathiasVP

binary/extractor/cil/Semmle.Extraction.CSharp.IL/ILExtractor.cs

@@ -120,6 +120,10 @@ private void ExtractMethodBody(MethodDefinition method, int methodId) {
         var targetMethodName =
             $"{methodRef.DeclaringType.FullName}.{methodRef.Name}";
         trap.WriteTuple("il_call_target_unresolved", instrId, targetMethodName);
+        trap.WriteTuple("il_number_of_arguments", instrId, methodRef.Parameters.Count);
+        if(methodRef.MethodReturnType.ReturnType.MetadataType is not Mono.Cecil.MetadataType.Void) {
+          trap.WriteTuple("il_call_has_return_value", instrId);
+        }
       } else if (instruction.Operand is string str) {
         trap.WriteTuple("il_operand_string", instrId, str);
       } else if (instruction.Operand is sbyte sb) {

binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll

@@ -270,7 +270,15 @@ class CilDup extends @il_dup, CilInstruction { }
 
 class CilIl_pop extends @il_il_pop, CilInstruction { }
 
-abstract class CilCall extends CilInstruction { }
+abstract class CilCall extends CilInstruction {
+  final int getNumberOfArguments() { il_number_of_arguments(this, result) }
+
+  final predicate hasReturnValue() { il_call_has_return_value(this) }
+
+  string getExternalName() {
+    il_call_target_unresolved(this, result)
+  }
+}
 
 class CilIl_jmp extends @il_il_jmp, CilCall { }
 

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction.qll

@@ -178,6 +178,14 @@ class InstrRefInstruction extends Instruction {
   }
 }
 
+class ExternalRefInstruction extends Instruction {
+  override Opcode::ExternalRef opcode;
+
+  string getExternalName() { result = te.getExternalName(tag) }
+
+  final override string getImmediateValue() { result = this.getExternalName() }
+}
+
 class FunEntryInstruction extends Instruction {
   override Opcode::FunEntry opcode;
 }

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/InstructionTag.qll

@@ -1,5 +1,6 @@
 private import codeql.util.Boolean
 private import semmle.code.binary.ast.ir.internal.Opcode
+private import semmle.code.binary.ast.internal.CilInstructions
 
 newtype TInstructionTag =
   SingleTag() or
@@ -56,7 +57,9 @@ newtype TInstructionTag =
   CilBoolBranchConstTag() or
   CilBoolBranchCJumpTag() or
   CilUnconditionalBranchTag() or
-  CilUnconditionalBranchRefTag()
+  CilUnconditionalBranchRefTag() or
+  CilCallTag() or
+  CilCallTargetTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() {
@@ -211,6 +214,12 @@ class InstructionTag extends TInstructionTag {
     or
     this = CilUnconditionalBranchRefTag() and
     result = "CilUnconditionalBranchRef"
+    or
+    this = CilCallTag() and
+    result = "CilCall"
+    or
+    this = CilCallTargetTag() and
+    result = "CilCallTarget"
   }
 }
 
@@ -224,7 +233,10 @@ private newtype TOperandTag =
   TCallTargetTag() or
   TCondTag() or
   TCondJumpTargetTag() or
-  TJumpTargetTag()
+  TJumpTargetTag() or
+  TCilOperandTag(int i) {
+    i = [0 .. max(CilCall call, int k | k = call.getNumberOfArguments() - 1 | k)]
+  }
 
 abstract class OperandTag extends TOperandTag {
   abstract int getIndex();
@@ -287,7 +299,10 @@ class StoreAddressTag extends OperandTag, TStoreAddressTag {
 class CallTargetTag extends OperandTag, TCallTargetTag {
   final override int getIndex() { result = 0 }
 
-  final override OperandTag getSuccessorTag() { none() }
+  final override OperandTag getSuccessorTag() {
+    // Note: This will be `none` on x86 DBs.
+    result.(CilOperandTag).getCilIndex() = 0
+  }
 
   final override string toString() { result = "CallTarget" }
 }
@@ -315,3 +330,18 @@ class JumpTargetTag extends OperandTag, TJumpTargetTag {
 
   final override string toString() { result = "JumpTarget" }
 }
+
+class CilOperandTag extends OperandTag, TCilOperandTag {
+  final override int getIndex() { result = this.getCilIndex() }
+
+  final int getCilIndex() { this = TCilOperandTag(result) }
+
+  final override OperandTag getSuccessorTag() {
+    exists(int i |
+      this = TCilOperandTag(i) and
+      result = TCilOperandTag(i + 1)
+    )
+  }
+
+  final override string toString() { result = "CilOperand(" + this.getIndex().toString() + ")" }
+}

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll

@@ -28,7 +28,9 @@ newtype TTempVariableTag =
   CilBoolBranchConstVarTag() or
   CilBoolBranchSubVarTag() or
   CilBoolBranchRefVarTag() or
-  CilUnconditionalBranchRefVarTag()
+  CilUnconditionalBranchRefVarTag() or
+  CallReturnValueTag() or
+  CilCallTargetVarTag()
 
 class TempVariableTag extends TTempVariableTag {
   string toString() {
@@ -121,5 +123,11 @@ class TempVariableTag extends TTempVariableTag {
     or
     this = CilBoolBranchRefVarTag() and
     result = "cbb_ir"
+    or
+    this = CallReturnValueTag() and
+    result = "call_ret"
+    or
+    this = CilCallTargetVarTag() and
+    result = "call_target"
   }
 }

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll

@@ -89,7 +89,8 @@ newtype TTranslatedElement =
   TTranslatedCilBooleanBranchInstruction(Raw::CilBooleanBranchInstruction cbr) {
     shouldTranslateCilInstr(cbr)
   } or
-  TTranslatedCilRet(Raw::CilIl_ret ret) { shouldTranslateCilInstr(ret) }
+  TTranslatedCilRet(Raw::CilIl_ret ret) { shouldTranslateCilInstr(ret) } or
+  TTranslatedCilCall(Raw::CilCall call) { shouldTranslateCilInstr(call) }
 
 TranslatedElement getTranslatedElement(Raw::Element raw) {
   result.getRawElement() = raw and
@@ -125,6 +126,8 @@ abstract class TranslatedElement extends TTranslatedElement {
 
   int getConstantValue(InstructionTag tag) { none() }
 
+  string getExternalName(InstructionTag tag) { none() }
+
   Instruction getReferencedInstruction(InstructionTag tag) { none() }
 
   abstract Raw::Element getRawElement();

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedInstruction.qll

@@ -2198,3 +2198,88 @@ class TranslatedCilRet extends TranslatedCilInstruction, TTranslatedCilRet {
     )
   }
 }
+
+class TranslatedCilCall extends TranslatedCilInstruction, TTranslatedCilCall {
+  override Raw::CilCall instr;
+
+  TranslatedCilCall() { this = TTranslatedCilCall(instr) }
+
+  final override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Option<Variable>::Option v
+  ) {
+    opcode instanceof Opcode::Call and
+    tag = CilCallTag() and
+    if instr.hasReturnValue()
+    then v.asSome() = this.getVariable(CallReturnValueTag())
+    else v.isNone()
+    or
+    opcode instanceof Opcode::ExternalRef and
+    tag = CilCallTargetTag() and
+    v.asSome() = this.getVariable(CilCallTargetVarTag())
+  }
+
+  override predicate hasTempVariable(TempVariableTag tag) {
+    instr.hasReturnValue() and
+    tag = CallReturnValueTag()
+    or
+    tag = CilCallTargetVarTag()
+  }
+
+  override predicate producesResult() { any() }
+
+  override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = CilCallTag() and
+    (
+      exists(int index |
+        operandTag.(CilOperandTag).getIndex() = index and
+        getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(index) = result
+      )
+      or
+      operandTag instanceof CallTargetTag and
+      result = this.getInstruction(CilCallTargetTag()).getResultVariable()
+    )
+  }
+
+  override string getExternalName(InstructionTag tag) {
+    tag = CilCallTargetTag() and
+    result = instr.getExternalName()
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) { none() }
+
+  override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) {
+    tag = CilCallTargetTag() and
+    succType instanceof DirectSuccessor and
+    result = this.getInstruction(CilCallTag())
+    or
+    tag = CilCallTag() and
+    succType instanceof DirectSuccessor and
+    result = getTranslatedInstruction(instr.getASuccessor()).getEntry()
+  }
+
+  override Instruction getEntry() { result = this.getInstruction(CilCallTargetTag()) }
+
+  override Variable getResultVariable() {
+    instr.hasReturnValue() and
+    result = this.getVariable(CallReturnValueTag())
+  }
+
+  final override Variable getStackElement(int i) {
+    if instr.hasReturnValue()
+    then
+      // If the call has a return value, it will be on top of the stack
+      if i = 0
+      then result = this.getInstruction(CilCallTag()).getResultVariable()
+      else
+        // Otherwise, get the stack element from the predecessor. However, the call also popped the arguments
+        // off the stack, so we need to adjust the index accordingly.
+        result =
+          getTranslatedCilInstruction(instr.getABackwardPredecessor())
+              .getStackElement(i + instr.getNumberOfArguments() - 1)
+    else
+      // If the call has no return value, just get the stack element from the predecessor, adjusting for the popped arguments.
+      result =
+        getTranslatedCilInstruction(instr.getABackwardPredecessor())
+            .getStackElement(i + instr.getNumberOfArguments())
+  }
+}

binary/ql/lib/semmle/code/binary/ast/ir/internal/InstructionSig.qll

@@ -93,7 +93,7 @@ signature module InstructionSig {
 
     Operand getAnAccess();
   }
-  
+
   predicate variableHasOrdering(Variable v, int ordering);
 
   class TempVariable extends Variable;
@@ -176,6 +176,10 @@ signature module InstructionSig {
 
   class InitInstruction extends Instruction;
 
+  class ExternalRefInstruction extends Instruction {
+    string getExternalName();
+  }
+
   class SubInstruction extends BinaryInstruction;
 
   class AddInstruction extends BinaryInstruction;

binary/ql/lib/semmle/code/binary/ast/ir/internal/Opcode.qll

@@ -25,6 +25,8 @@ private newtype TOpcode =
   TNot() or
   TInit() or
   TInstrRef() or
+  // TODO: Ideally, this should either be removed when we handle unresolved CIL calls better.
+  TExternalRef() or
   TFunEntry()
 
 class Opcode extends TOpcode {
@@ -139,6 +141,10 @@ class InstrRef extends Opcode, TInstrRef {
   override string toString() { result = "InstrRef" }
 }
 
+class ExternalRef extends Opcode, TExternalRef {
+  override string toString() { result = "ExternalRef" }
+}
+
 class Init extends Opcode, TInit {
   override string toString() { result = "Init" }
 }

binary/ql/lib/semmle/code/binary/ast/ir/internal/TransformInstruction/TransformInstruction.qll

@@ -719,6 +719,17 @@ module Transform<InstructionSig Input> {
       }
     }
 
+    class ExternalRefInstruction extends Instruction {
+      ExternalRefInstruction() { this.getOpcode() instanceof Opcode::ExternalRef }
+
+      string getExternalName() {
+        exists(Input::ExternalRefInstruction extRef |
+          this = TOldInstruction(extRef) and
+          result = extRef.getExternalName()
+        )
+      }
+    }
+
     private class NewInstruction extends MkInstruction, Instruction {
       Opcode opcode;
       TranslatedElement te;