Binary/X86: Support arguments and parameters in X86.

Author: MathiasVP

binary/ql/lib/semmle/code/binary/ast/instructions.qll

@@ -52,13 +52,23 @@ private module Pre {
       }
     }
 
-    class BaseX86Register extends Internal::X86Register { }
+    class BaseX86Register extends Internal::X86Register {
+      BaseX86Register getASubRegister() { result = super.getASubRegister() }
+    }
+
+    class BaseRipRegister extends BaseX86Register instanceof Internal::RipRegister { }
+
+    class BaseRspRegister extends BaseX86Register instanceof Internal::RspRegister { }
+
+    class BaseRbpRegister extends BaseX86Register instanceof Internal::RbpRegister { }
+
+    class BaseRcxRegister extends BaseX86Register instanceof Internal::RcxRegister { }
 
-    class BaseRipRegister extends BaseX86Register, Internal::RipRegister { }
+    class BaseRdxRegister extends BaseX86Register instanceof Internal::RdxRegister { }
 
-    class BaseRspRegister extends BaseX86Register, Internal::RspRegister { }
+    class BaseR8Register extends BaseX86Register instanceof Internal::R8Register { }
 
-    class BaseRbpRegister extends BaseX86Register, Internal::RbpRegister { }
+    class BaseR9Register extends BaseX86Register instanceof Internal::R9Register { }
 
     class BaseX86Operand extends Internal::X86Operand { }
 
@@ -198,13 +208,23 @@ private module Input implements Internal::InstructionInputSig {
     result = Pre::PreInput::getJumpTarget(b)
   }
 
-  class BaseX86Register extends Pre::Instructions::X86Register { }
+  class BaseX86Register extends Pre::Instructions::X86Register {
+    BaseX86Register getASubRegister() { result = super.getASubRegister() }
+  }
+
+  class BaseRipRegister extends BaseX86Register instanceof Pre::Instructions::RipRegister { }
+
+  class BaseRspRegister extends BaseX86Register instanceof Pre::Instructions::RspRegister { }
+
+  class BaseRbpRegister extends BaseX86Register instanceof Pre::Instructions::RbpRegister { }
+
+  class BaseRcxRegister extends BaseX86Register instanceof Pre::Instructions::RcxRegister { }
 
-  class BaseRipRegister extends BaseX86Register, Pre::Instructions::RipRegister { }
+  class BaseRdxRegister extends BaseX86Register instanceof Pre::Instructions::RdxRegister { }
 
-  class BaseRspRegister extends BaseX86Register, Pre::Instructions::RspRegister { }
+  class BaseR8Register extends BaseX86Register instanceof Pre::Instructions::R8Register { }
 
-  class BaseRbpRegister extends BaseX86Register, Pre::Instructions::RbpRegister { }
+  class BaseR9Register extends BaseX86Register instanceof Pre::Instructions::R9Register { }
 
   class BaseX86Operand extends Pre::Instructions::X86Operand {
     BaseX86Operand() { this.getUse() instanceof BaseX86Instruction }

binary/ql/lib/semmle/code/binary/ast/internal/instructions.qll

@@ -13,6 +13,8 @@ signature module InstructionInputSig {
 
   class BaseX86Register {
     string toString();
+
+    BaseX86Register getASubRegister();
   }
 
   class BaseRipRegister extends BaseX86Register;
@@ -21,6 +23,14 @@ signature module InstructionInputSig {
 
   class BaseRbpRegister extends BaseX86Register;
 
+  class BaseRcxRegister extends BaseX86Register;
+
+  class BaseRdxRegister extends BaseX86Register;
+
+  class BaseR8Register extends BaseX86Register;
+
+  class BaseR9Register extends BaseX86Register;
+
   class BaseX86RegisterAccess {
     string toString();
 
@@ -122,6 +132,22 @@ module MakeInstructions<InstructionInputSig InstructionInput> {
 
   class RbpRegister extends FinalRbpRegister { }
 
+  final private class FinalRcxRegister = BaseRcxRegister;
+
+  class RcxRegister extends FinalRcxRegister { }
+
+  final private class FinalRdxRegister = BaseRdxRegister;
+
+  class RdxRegister extends FinalRdxRegister { }
+
+  final private class FinalR8Register = BaseR8Register;
+
+  class R8Register extends FinalR8Register { }
+
+  final private class FinalR9Register = BaseR9Register;
+
+  class R9Register extends FinalR9Register { }
+
   final private class FinalX86RegisterAccess = BaseX86RegisterAccess;
 
   class X86RegisterAccess extends FinalX86RegisterAccess { }
@@ -3953,18 +3979,50 @@ private module InstructionInput0 implements InstructionInputSig {
 
   class BaseX86Register extends @register {
     string toString() { register(this, result) }
+
+    abstract BaseX86Register getASubRegister();
   }
 
   class BaseRipRegister extends BaseX86Register {
     BaseRipRegister() { register(this, "rip") } // TODO: Or eip?
+
+    final override BaseX86Register getASubRegister() { register(result, "eip") }
   }
 
   class BaseRspRegister extends BaseX86Register {
     BaseRspRegister() { register(this, "rsp") } // TODO: Or esp?
+
+    final override BaseX86Register getASubRegister() { register(result, "esp") }
   }
 
   class BaseRbpRegister extends BaseX86Register {
     BaseRbpRegister() { register(this, "rbp") } // TODO: Or ebp?
+
+    final override BaseX86Register getASubRegister() { register(result, "rbp") }
+  }
+
+  class BaseRcxRegister extends BaseX86Register {
+    BaseRcxRegister() { register(this, "rcx") } // TODO: Or ecx?
+
+    final override BaseX86Register getASubRegister() { register(result, "ecx") }
+  }
+
+  class BaseRdxRegister extends BaseX86Register {
+    BaseRdxRegister() { register(this, "rdx") } // TODO: Or edx?
+
+    final override BaseX86Register getASubRegister() { register(result, "edx") }
+  }
+
+  class BaseR8Register extends BaseX86Register {
+    BaseR8Register() { register(this, "r8") }
+
+    final override BaseX86Register getASubRegister() { register(result, "r8d") }
+  }
+
+  class BaseR9Register extends BaseX86Register {
+    BaseR9Register() { register(this, "r9") }
+
+    final override BaseX86Register getASubRegister() { register(result, "r9d") }
   }
 
   class BaseX86RegisterAccess extends @register_access {

binary/ql/lib/semmle/code/binary/ast/ir/internal/Consistency.qll

@@ -15,6 +15,12 @@ module StagedConsistencyInput<InstructionSig Input> {
     k > 1
   }
 
+  query predicate nonUniqueOperandVariable(Input::Function f, Input::Operand op, int k) {
+    op.getEnclosingFunction() = f and
+    strictcount(op.getVariable()) = k and
+    k > 1
+  }
+
   query predicate missingSuccessor(Input::Function f, Input::Instruction i) {
     i.getEnclosingFunction() = f and
     not i instanceof Input::RetInstruction and

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/BasicBlock.qll

@@ -1,6 +1,7 @@
 private import semmle.code.binary.ast.Location
 private import Instruction
 private import Operand
+private import InstructionTag
 private import codeql.controlflow.BasicBlock as BB
 private import codeql.util.Unit
 private import codeql.controlflow.SuccessorType
@@ -86,15 +87,12 @@ module BinaryCfg implements BB::CfgSig<Location> {
 
     ControlFlowNode getSuccessor(SuccessorType t) {
       t instanceof DirectSuccessor and
-      exists(Instruction i, OperandTag tag |
+      exists(Instruction i, OperandTag tag | this.asOperand() = i.getOperand(tag) |
+        result.asOperand() = i.getOperand(tag.getSuccessorTag())
+        or
         this.asOperand() = i.getOperand(tag) and
-        (
-          result.asOperand() = i.getOperand(tag.getSuccessorTag())
-          or
-          this.asOperand() = i.getOperand(tag) and
-          not exists(tag.getSuccessorTag()) and
-          result.asInstruction() = i
-        )
+        not exists(i.getOperand(tag.getSuccessorTag())) and
+        result.asInstruction() = i
       )
       or
       exists(Instruction i | i = this.asInstruction().getSuccessor(t) |

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Function.qll

@@ -14,7 +14,7 @@ class Function extends TFunction {
 
   string toString() { result = this.getName() }
 
-  Instruction getEntryInstruction() { result = f.getEntry() }
+  FunEntryInstruction getEntryInstruction() { result = f.getEntry() }
 
   BasicBlock getEntryBlock() { result = f.getEntry().getBasicBlock() }
 

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction.qll

@@ -178,6 +178,10 @@ class InstrRefInstruction extends Instruction {
   }
 }
 
+class FunEntryInstruction extends Instruction {
+  override Opcode::FunEntry opcode;
+}
+
 class BinaryInstruction extends Instruction {
   override Opcode::BinaryOpcode opcode;
 

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/InstructionTag.qll

@@ -3,6 +3,7 @@ private import semmle.code.binary.ast.ir.internal.Opcode
 
 newtype TInstructionTag =
   SingleTag() or
+  FunEntryTag() or
   X86JumpInstrRefTag() or
   X86JumpTag() or
   X86CJumpInstrRefTag() or
@@ -62,6 +63,9 @@ class InstructionTag extends TInstructionTag {
     this = SingleTag() and
     result = "Single"
     or
+    this = FunEntryTag() and
+    result = "FunEntry"
+    or
     this = X86JumpInstrRefTag() and
     result = "X86JumpInstrRef"
     or
@@ -209,3 +213,105 @@ class InstructionTag extends TInstructionTag {
     result = "CilUnconditionalBranchRef"
   }
 }
+
+private newtype TOperandTag =
+  TLeftTag() or
+  TRightTag() or
+  TUnaryTag() or
+  TStoreValueTag() or
+  TLoadAddressTag() or
+  TStoreAddressTag() or
+  TCallTargetTag() or
+  TCondTag() or
+  TCondJumpTargetTag() or
+  TJumpTargetTag()
+
+abstract class OperandTag extends TOperandTag {
+  abstract int getIndex();
+
+  abstract OperandTag getSuccessorTag();
+
+  final OperandTag getPredecessorTag() { result.getSuccessorTag() = this }
+
+  abstract string toString();
+}
+
+class LeftTag extends OperandTag, TLeftTag {
+  final override int getIndex() { result = 0 }
+
+  final override OperandTag getSuccessorTag() { result instanceof RightTag }
+
+  final override string toString() { result = "Left" }
+}
+
+class RightTag extends OperandTag, TRightTag {
+  final override int getIndex() { result = 1 }
+
+  final override OperandTag getSuccessorTag() { none() }
+
+  final override string toString() { result = "Right" }
+}
+
+class UnaryTag extends OperandTag, TUnaryTag {
+  final override int getIndex() { result = 0 }
+
+  final override OperandTag getSuccessorTag() { none() }
+
+  final override string toString() { result = "Unary" }
+}
+
+class StoreValueTag extends OperandTag, TStoreValueTag {
+  final override int getIndex() { result = 1 }
+
+  final override OperandTag getSuccessorTag() { none() }
+
+  final override string toString() { result = "StoreValue" }
+}
+
+class LoadAddressTag extends OperandTag, TLoadAddressTag {
+  final override int getIndex() { result = 0 }
+
+  final override OperandTag getSuccessorTag() { none() }
+
+  final override string toString() { result = "LoadAddr" }
+}
+
+class StoreAddressTag extends OperandTag, TStoreAddressTag {
+  final override int getIndex() { result = 0 }
+
+  final override OperandTag getSuccessorTag() { result instanceof StoreValueTag }
+
+  final override string toString() { result = "StoreDest" }
+}
+
+class CallTargetTag extends OperandTag, TCallTargetTag {
+  final override int getIndex() { result = 0 }
+
+  final override OperandTag getSuccessorTag() { none() }
+
+  final override string toString() { result = "CallTarget" }
+}
+
+class CondTag extends OperandTag, TCondTag {
+  final override int getIndex() { result = 1 }
+
+  final override OperandTag getSuccessorTag() { none() }
+
+  final override string toString() { result = "CondJump" }
+}
+
+class CondJumpTargetTag extends OperandTag, TCondJumpTargetTag {
+  final override int getIndex() { result = 0 }
+
+  final override OperandTag getSuccessorTag() { result instanceof CondTag }
+
+  final override string toString() { result = "CondJumpTarget" }
+}
+
+class JumpTargetTag extends OperandTag, TJumpTargetTag {
+  final override int getIndex() { result = 0 }
+
+  final override OperandTag getSuccessorTag() { none() }
+
+  final override string toString() { result = "JumpTarget" }
+}

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Operand.qll

@@ -1,6 +1,5 @@
 private import semmle.code.binary.ast.Location
 private import TranslatedElement
-private import semmle.code.binary.ast.ir.internal.Tags
 private import InstructionTag
 private import Instruction
 private import semmle.code.binary.ast.ir.internal.Opcode as Opcode
@@ -18,7 +17,7 @@ newtype TOperand =
 class Operand extends TOperand {
   TranslatedElement te;
   InstructionTag tag;
-  TOperandTag operandTag;
+  OperandTag operandTag;
 
   Operand() { this = MkOperand(te, tag, operandTag) }
 
@@ -72,7 +71,3 @@ class ConditionJumpTargetOperand extends Operand {
 class JumpTargetOperand extends Operand {
   override JumpTargetTag operandTag;
 }
-
-private import semmle.code.binary.ast.ir.internal.Tags as Tags
-
-class OperandTag = Tags::OperandTag;