Add support for CIL ldind and stind instructions

gfs · gfs · commit e4c6fd0e5441 · 2025-12-05T11:27:52.000-08:00
Introduces translation classes and tags for CIL ldind.* (load indirect) and stind.* (store indirect) instructions in the IR. Updates InstructionTag, TempVariableTag, and TranslatedElement to recognize and handle these new instruction types.
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/InstructionTag.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/InstructionTag.qll
@@ -59,7 +59,9 @@ newtype TInstructionTag =
   CilUnconditionalBranchTag() or
   CilUnconditionalBranchRefTag() or
   CilCallTag() or
-  CilCallTargetTag()
+  CilCallTargetTag() or
+  CilLdindLoadTag() or
+  CilStindStoreTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() {
@@ -220,6 +222,12 @@ class InstructionTag extends TInstructionTag {
     or
     this = CilCallTargetTag() and
     result = "CilCallTarget"
+    or
+    this = CilLdindLoadTag() and
+    result = "CilLdindLoad"
+    or
+    this = CilStindStoreTag() and
+    result = "CilStindStore"
   }
 }
 
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TempVariableTag.qll
@@ -32,7 +32,8 @@ newtype TTempVariableTag =
   CallReturnValueTag() or
   CilCallTargetVarTag() or
   CilLoadStringVarTag() or
-  CilLoadArgVarTag()
+  CilLoadArgVarTag() or
+  CilLdindVarTag()
 
 class TempVariableTag extends TTempVariableTag {
   string toString() {
@@ -137,5 +138,8 @@ class TempVariableTag extends TTempVariableTag {
     or
     this = CilLoadArgVarTag() and
     result = "ldarg"
+    or
+    this = CilLdindVarTag() and
+    result = "ldind"
   }
 }
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll
@@ -122,7 +122,9 @@ newtype TTranslatedElement =
   TTranslatedCilCall(Raw::CilCall call) { shouldTranslateCilInstr(call) } or
   TTranslatedCilLoadString(Raw::CilLdstr ldstr) { shouldTranslateCilInstr(ldstr) } or
   TTranslatedCilParameter(Raw::CilParameter param) { shouldTranslateCilParameter(param) } or
-  TTranslatedCilLoadArg(Raw::CilLoadArgument ldstr) { shouldTranslateCilInstr(ldstr) }
+  TTranslatedCilLoadArg(Raw::CilLoadArgument ldstr) { shouldTranslateCilInstr(ldstr) } or
+  TTranslatedCilLoadIndirect(Raw::CilLoadIndirectInstruction ldind) { shouldTranslateCilInstr(ldind) } or
+  TTranslatedCilStoreIndirect(Raw::CilStoreIndirectInstruction stind) { shouldTranslateCilInstr(stind) }
 
 TranslatedElement getTranslatedElement(Raw::Element raw) {
   result.getRawElement() = raw and
diff --git a/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedInstruction.qll b/binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedInstruction.qll
@@ -2372,3 +2372,98 @@ class TranslatedCilLoadArg extends TranslatedCilInstruction, TTranslatedCilLoadA
     result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i - 1)
   }
 }
+
+/**
+ * Translation for CIL ldind.* instructions (load indirect through pointer).
+ * These instructions pop an address from the stack and push the value at that address.
+ */
+class TranslatedCilLoadIndirect extends TranslatedCilInstruction, TTranslatedCilLoadIndirect {
+  override Raw::CilLoadIndirectInstruction instr;
+
+  TranslatedCilLoadIndirect() { this = TTranslatedCilLoadIndirect(instr) }
+
+  final override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Option<Variable>::Option v
+  ) {
+    opcode instanceof Opcode::Load and
+    tag = CilLdindLoadTag() and
+    v.asSome() = this.getTempVariable(CilLdindVarTag())
+  }
+
+  override predicate hasTempVariable(TempVariableTag tag) { tag = CilLdindVarTag() }
+
+  override predicate producesResult() { any() }
+
+  override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = CilLdindLoadTag() and
+    operandTag instanceof LoadAddressTag and
+    result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(0)
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) { none() }
+
+  override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) {
+    tag = CilLdindLoadTag() and
+    succType instanceof DirectSuccessor and
+    result = getTranslatedInstruction(instr.getASuccessor()).getEntry()
+  }
+
+  override Instruction getEntry() { result = this.getInstruction(CilLdindLoadTag()) }
+
+  override Variable getResultVariable() { result = this.getTempVariable(CilLdindVarTag()) }
+
+  final override Variable getStackElement(int i) {
+    i = 0 and
+    result = this.getInstruction(CilLdindLoadTag()).getResultVariable()
+    or
+    i > 0 and
+    result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i)
+  }
+}
+
+/**
+ * Translation for CIL stind.* instructions (store indirect through pointer).
+ * These instructions pop a value and an address from the stack, then store the value at that address.
+ */
+class TranslatedCilStoreIndirect extends TranslatedCilInstruction, TTranslatedCilStoreIndirect {
+  override Raw::CilStoreIndirectInstruction instr;
+
+  TranslatedCilStoreIndirect() { this = TTranslatedCilStoreIndirect(instr) }
+
+  final override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Option<Variable>::Option v
+  ) {
+    opcode instanceof Opcode::Store and
+    tag = CilStindStoreTag() and
+    v.isNone()
+  }
+
+  override predicate producesResult() { any() }
+
+  override Variable getVariableOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = CilStindStoreTag() and
+    exists(Raw::CilInstruction pred | pred = instr.getABackwardPredecessor() |
+      operandTag instanceof StoreAddressTag and
+      result = getTranslatedCilInstruction(pred).getStackElement(1)
+      or
+      operandTag instanceof StoreValueTag and
+      result = getTranslatedCilInstruction(pred).getStackElement(0)
+    )
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child, SuccessorType succType) { none() }
+
+  override Instruction getSuccessor(InstructionTag tag, SuccessorType succType) {
+    tag = CilStindStoreTag() and
+    succType instanceof DirectSuccessor and
+    result = getTranslatedInstruction(instr.getASuccessor()).getEntry()
+  }
+
+  override Instruction getEntry() { result = this.getInstruction(CilStindStoreTag()) }
+
+  override Variable getResultVariable() { none() }
+
+  final override Variable getStackElement(int i) {
+    result = getTranslatedCilInstruction(instr.getABackwardPredecessor()).getStackElement(i + 2)
+  }
+}
