Extract and model CIL local variables and float/double operands

Adds extraction of local variables and their types from CIL method bodies, and models their usage in QL. Also extracts float and double operands for IL instructions and updates the QL schema and extractor to support these features. Enhances QL classes to provide access to local variables and their indices, and supports float/double constant values in instructions.

Author: gfs

binary/extractor/cil/Semmle.Extraction.CSharp.IL/ILExtractor.cs

@@ -108,6 +108,15 @@ private void ExtractMethod(MethodDefinition method, int typeId) {
   private void ExtractMethodBody(MethodDefinition method, int methodId) {
     var body = method.Body;
 
+    // Extract local variables
+    if (body.HasVariables) {
+      foreach (var variable in body.Variables) {
+        var varId = trap.GetId();
+        trap.WriteTuple("il_local_variable", varId, methodId, variable.Index, 
+                        variable.VariableType.FullName);
+      }
+    }
+
     // Write each IL instruction
     var index = 0;
     foreach (var instruction in body.Instructions) {
@@ -142,6 +151,9 @@ private void ExtractMethodBody(MethodDefinition method, int methodId) {
         if(methodRef.MethodReturnType.ReturnType.MetadataType is not Mono.Cecil.MetadataType.Void) {
           trap.WriteTuple("il_call_has_return_value", instrId);
         }
+      } else if (instruction.Operand is VariableDefinition varDef) {
+        // Local variable reference (ldloc, stloc, ldloca)
+        trap.WriteTuple("il_operand_local_index", instrId, varDef.Index);
       } else if (instruction.Operand is string str) {
         trap.WriteTuple("il_operand_string", instrId, str);
       } else if (instruction.Operand is sbyte sb) {
@@ -152,6 +164,10 @@ private void ExtractMethodBody(MethodDefinition method, int methodId) {
         trap.WriteTuple("il_operand_int", instrId, i);
       } else if (instruction.Operand is long l) {
         trap.WriteTuple("il_operand_long", instrId, l);
+      } else if (instruction.Operand is float f) {
+        trap.WriteTuple("il_operand_float", instrId, f);
+      } else if (instruction.Operand is double d) {
+        trap.WriteTuple("il_operand_double", instrId, d);
       }
 
       index++;

binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll

@@ -1,8 +1,17 @@
 private import binary
 
-// TODO
-class CilVariable instanceof @method {
-  string toString() { none() }
+/** A local variable defined in a CIL method body. */
+class CilVariable extends @il_local_variable {
+  string toString() { result = "local_" + this.getIndex().toString() }
+
+  /** Gets the method that defines this local variable. */
+  CilMethod getMethod() { il_local_variable(this, result, _, _) }
+
+  /** Gets the index of this local variable in the method's local variable list. */
+  int getIndex() { il_local_variable(this, _, result, _) }
+
+  /** Gets the type name of this local variable. */
+  string getTypeName() { il_local_variable(this, _, _, result) }
 }
 
 class CilParameter instanceof @il_parameter {
@@ -30,7 +39,11 @@ class CilMethod extends @method {
 
   CilInstruction getInstruction(int i) { il_instruction_parent(result, i, this) }
 
-  CilVariable getVariable(int i) { none() } // TODO
+  /** Gets the local variable at the given index in this method. */
+  CilVariable getVariable(int i) {
+    result.getMethod() = this and
+    result.getIndex() = i
+  }
 
   CilParameter getParameter(int i) {
     result.getMethod() = this and
@@ -156,21 +169,36 @@ class CilStarg_S extends @il_starg_S, CilStoreArgument { }
 
 class CilLdloc_S extends @il_ldloc_S, CilLoadLocal {
   override int getLocalVariableIndex() {
-    none() // TODO: Extract
+    il_operand_local_index(this, result)
   }
 }
 
 abstract class CilLoadLocal extends CilInstruction {
   abstract int getLocalVariableIndex();
+
+  /** Gets the local variable that this instruction loads. */
+  CilVariable getLocalVariable() {
+    result = this.getEnclosingMethod().getVariable(this.getLocalVariableIndex())
+  }
 }
 
-abstract class CilLoadAddressOfLocal extends CilInstruction { }
+abstract class CilLoadAddressOfLocal extends CilInstruction {
+  /** Gets the local variable index. */
+  int getLocalVariableIndex() {
+    il_operand_local_index(this, result)
+  }
+
+  /** Gets the local variable whose address this instruction loads. */
+  CilVariable getLocalVariable() {
+    result = this.getEnclosingMethod().getVariable(this.getLocalVariableIndex())
+  }
+}
 
 class CilLdloca_S extends @il_ldloca_S, CilLoadAddressOfLocal { }
 
 class CilStloc_S extends @il_stloc_S, CilStoreLocal {
   override int getLocalVariableIndex() {
-    none() // TODO: Extract
+    il_operand_local_index(this, result)
   }
 }
 
@@ -279,17 +307,29 @@ class CilLdc_I8 extends @il_ldc_I8, CilLoadConstant {
 
 class CilLdc_R4 extends @il_ldc_R4, CilLoadConstant {
   final override string getValue() {
-    none() // TODO
+    exists(float f |
+      il_operand_float(this, f) and
+      result = f.toString()
+    )
   }
 
+  /** Gets the float value loaded by this instruction. */
+  float getFloatValue() { il_operand_float(this, result) }
+
   final override int getSize() { result = 4 } // float32
 }
 
 class CilLdc_R8 extends @il_ldc_R8, CilLoadConstant {
   final override string getValue() {
-    none() // TODO
+    exists(float d |
+      il_operand_double(this, d) and
+      result = d.toString()
+    )
   }
 
+  /** Gets the double value loaded by this instruction. */
+  float getDoubleValue() { il_operand_double(this, result) }
+
   final override int getSize() { result = 8 } // float64
 }
 
@@ -741,11 +781,11 @@ class CilStarg extends @il_starg, CilInstruction { }
 
 class CilLdloc extends @il_ldloc, CilLoadLocal {
   override int getLocalVariableIndex() {
-    none() // TODO: Extract
+    il_operand_local_index(this, result)
   }
 }
 
-class CilLdloca extends @il_ldloca, CilInstruction { }
+class CilLdloca extends @il_ldloca, CilLoadAddressOfLocal { }
 
 abstract class CilStoreLocal extends CilInstruction {
   abstract int getLocalVariableIndex();
@@ -757,7 +797,7 @@ abstract class CilStoreLocal extends CilInstruction {
 
 class CilStloc extends @il_stloc, CilStoreLocal {
   override int getLocalVariableIndex() {
-    none() // TODO: Extract
+    il_operand_local_index(this, result)
   }
 }
 

binary/ql/lib/semmlecode.binary.dbscheme

@@ -2475,6 +2475,44 @@ il_operand_long(
   int value: int ref
 );
 
+/**
+ * Float operands for IL instructions.
+ * Used for ldc.r4 (load constant float32) instructions.
+ */
+il_operand_float(
+  int instruction: @il_instruction ref,
+  float value: float ref
+);
+
+/**
+ * Double operands for IL instructions.
+ * Used for ldc.r8 (load constant float64) instructions.
+ */
+il_operand_double(
+  int instruction: @il_instruction ref,
+  float value: float ref
+);
+
+/**
+ * Local variable index operands for IL instructions.
+ * Used for ldloc, stloc, ldloca instructions that reference local variables.
+ */
+il_operand_local_index(
+  int instruction: @il_instruction ref,
+  int index: int ref
+);
+
+/**
+ * Local variables defined in method bodies.
+ * Each local variable has an index and a type.
+ */
+il_local_variable(
+  unique int id: @il_local_variable,
+  int method: @method ref,
+  int index: int ref,
+  string type_name: string ref
+);
+
 /**
  * Exception handlers (try/catch/finally blocks) in methods.
  * Each handler represents a try block with its associated catch/finally/fault handler.