Binary: Generate IR for CIL's newobject instruction.

Author: MathiasVP

binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll

@@ -362,9 +362,13 @@ class CilDup extends @il_dup, CilInstruction { }
 
 class CilIl_pop extends @il_il_pop, CilInstruction { }
 
-abstract class CilCall extends CilInstruction {
+abstract class CilCallOrNewObject extends CilInstruction {
   final int getNumberOfArguments() { il_number_of_arguments(this, result) }
 
+  final string getExternalName() { il_call_target_unresolved(this, result) }
+}
+
+abstract class CilCall extends CilCallOrNewObject {
   final predicate hasReturnValue() { il_call_has_return_value(this) }
 
   CilMethod getTarget() { result.getFullyQualifiedName() = this.getExternalName() }
@@ -591,7 +595,10 @@ class CilLdstr extends @il_ldstr, CilInstruction {
   string getValue() { il_operand_string(this, result) }
 }
 
-class CilNewobj extends @il_newobj, CilInstruction { }
+class CilNewobj extends @il_newobj, CilCallOrNewObject {
+  /** ... If it exists. */
+  CilMethod getConstructor() { result.getFullyQualifiedName() = this.getExternalName() }
+}
 
 class CilCastclass extends @il_castclass, CilInstruction { }
 

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/InstructionTag.qll

@@ -53,7 +53,10 @@ newtype TInstructionTag =
   CilCallTag() or
   CilCallTargetTag() or
   CilLdindLoadTag() or
-  CilStindStoreTag()
+  CilStindStoreTag() or
+  CilNewObjInitTag() or
+  CilNewObjCallTag() or
+  CilNewObjExternalRefTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() {
@@ -196,6 +199,15 @@ class InstructionTag extends TInstructionTag {
     or
     this = CilStindStoreTag() and
     result = "CilStindStore"
+    or
+    this = CilNewObjInitTag() and
+    result = "CilNewObjInit"
+    or
+    this = CilNewObjCallTag() and
+    result = "CilNewObjCall"
+    or
+    this = CilNewObjExternalRefTag() and
+    result = "CilNewObjExternalRef"
   }
 }
 
@@ -211,7 +223,7 @@ private newtype TOperandTag =
   TCondJumpTargetTag() or
   TJumpTargetTag() or
   TCilOperandTag(int i) {
-    i = [0 .. max(CilCall call, int k | k = call.getNumberOfArguments() - 1 | k)]
+    i = [0 .. max(CilCallOrNewObject call, int k | k = call.getNumberOfArguments() | k)]
   }
 
 abstract class OperandTag extends TOperandTag {

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll

@@ -29,7 +29,9 @@ newtype TTempVariableTag =
   CilCallTargetVarTag() or
   CilLoadStringVarTag() or
   CilLoadArgVarTag() or
-  CilLdindVarTag()
+  CilLdindVarTag() or
+  CilNewObjInitVarTag() or
+  CilNewObjCallExternalVarTag()
 
 class TempVariableTag extends TTempVariableTag {
   string toString() {
@@ -125,5 +127,11 @@ class TempVariableTag extends TTempVariableTag {
     or
     this = CilLdindVarTag() and
     result = "ldind"
+    or
+    this = CilNewObjInitVarTag() and
+    result = "newobj"
+    or
+    this = CilNewObjCallExternalVarTag() and
+    result = "newobj_ext"
   }
 }

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll

@@ -132,7 +132,8 @@ newtype TTranslatedElement =
   TTranslatedCilStoreIndirect(Raw::CilStoreIndirectInstruction stind) {
     shouldTranslateCilInstr(stind)
   } or
-  TTranslatedCilType(Raw::CilType type) { shouldTranslatedCilType(type) }
+  TTranslatedCilType(Raw::CilType type) { shouldTranslatedCilType(type) } or
+  TTranslatedNewObject(Raw::CilNewobj newObj) { shouldTranslateCilInstr(newObj) }
 
 TranslatedElement getTranslatedElement(Raw::Element raw) {
   result.getRawElement() = raw and

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedInstruction.qll

@@ -2400,3 +2400,108 @@ class TranslatedCilStoreIndirect extends TranslatedCilInstruction, TTranslatedCi
     result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i + 2)
   }
 }
+
+// Translate a `nobjc<constructor>` CIL instruction to:
+// 1. x = init
+// 2. call co constructor(x, args...)
+class TranslatedNewObject extends TranslatedCilInstruction, TTranslatedNewObject {
+  override Raw::CilNewobj instr;
+
+  TranslatedNewObject() { this = TTranslatedNewObject(instr) }
+
+  final override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Option<Variable>::Option v
+  ) {
+    not exists(instr.getConstructor()) and
+    opcode instanceof Opcode::ExternalRef and
+    tag = CilNewObjExternalRefTag() and
+    v.asSome() = this.getTempVariable(CilNewObjCallExternalVarTag())
+    or
+    opcode instanceof Opcode::Init and
+    tag = CilNewObjInitTag() and
+    v.asSome() = this.getTempVariable(CilNewObjInitVarTag())
+    or
+    opcode instanceof Opcode::Call and
+    tag = CilNewObjCallTag() and
+    v.isNone()
+  }
+
+  override string getExternalName(InstructionTag tag) {
+    not exists(instr.getConstructor()) and
+    tag = CilCallTargetTag() and
+    result = instr.getExternalName()
+  }
+
+  override predicate hasTempVariable(TempVariableTag tag) {
+    tag = CilNewObjInitVarTag()
+    or
+    not exists(instr.getConstructor()) and tag = CilNewObjCallExternalVarTag()
+  }
+
+  override predicate producesResult() { any() }
+
+  override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = CilNewObjCallTag() and
+    (
+      not exists(instr.getConstructor()) and
+      operandTag instanceof CallTargetTag and
+      result = this.getInstruction(CilNewObjExternalRefTag()).getResultVariable()
+      or
+      exists(int i | i = operandTag.(CilOperandTag).getCilIndex() |
+        // The 0'th argument to the constructor is the just-zero-initialized new object
+        if i = 0
+        then result = this.getInstruction(CilNewObjInitTag()).getResultVariable()
+        else
+          // And the other arguments are the constructor arguments
+          result =
+            getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i - 1)
+      )
+    )
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) { none() }
+
+  override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) {
+    tag = CilNewObjInitTag() and
+    succType instanceof DirectSuccessor and
+    (
+      if exists(instr.getConstructor())
+      then result = this.getInstruction(CilNewObjCallTag())
+      else result = this.getInstruction(CilNewObjExternalRefTag())
+    )
+    or
+    not exists(instr.getConstructor()) and
+    (
+      tag = CilNewObjExternalRefTag() and
+      succType instanceof DirectSuccessor and
+      result = this.getInstruction(CilNewObjCallTag())
+    )
+    or
+    tag = CilNewObjCallTag() and
+    succType instanceof DirectSuccessor and
+    result = getTranslatedInstruction(instr.getASuccessor()).getEntry()
+  }
+
+  override Instruction getEntry() { result = this.getInstruction(CilNewObjInitTag()) }
+
+  override Variable getResultVariable() { result = this.getTempVariable(CilNewObjInitVarTag()) }
+
+  final override TranslatedCilMethod getStaticCallTarget(InstructionTag tag) {
+    tag = CilNewObjCallTag() and
+    result = getTranslatedFunction(instr.getConstructor())
+  }
+
+  final override Variable getStackElement(int i) {
+    // The new top element is the constructed object
+    if i = 0
+    then result = this.getTempVariable(CilNewObjInitVarTag())
+    else
+      // And the other arguments have been popped off the stack.
+      // Note: We don't subtract 1 because the number of arguments is actually
+      // one more than `instr.getNumberOfArguments()` since we the 0'th
+      // argument is the newly-constructed object.
+      result =
+        getTranslatedCilInstruction(instr.getABackwardPredecessor())
+            .getStackElement(i + instr.getNumberOfArguments())
+  }
+}