Initial work for objects and statements

Andrei Diaconu · AndreiDiaconu1 · commit 35b028e626ee · 2019-08-28T12:25:13.000+01:00
Objects now work, although I will refactor the code quite a bit for clarity
If and while statements now produce good code
Began work on try statements
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll
@@ -42,8 +42,8 @@ private newtype TOpcode =
   TDynamicCastToVoid() or
   TVariableAddress() or
   TFieldAddress() or
-  TIndexedElementAddress() or
   TFunctionAddress() or
+  TIndexedElementAddress() or
   TConstant() or
   TStringConstant() or
   TConditionalBranch() or
@@ -72,7 +72,8 @@ private newtype TOpcode =
   TBufferMayWriteSideEffect() or
   TChi() or
   TInlineAsm() or
-  TUnreached()
+  TUnreached() or
+  TNewObj()
 
 class Opcode extends TOpcode {
   string toString() {
@@ -221,4 +222,5 @@ module Opcode {
   class Chi extends Opcode, TChi { override final string toString() { result = "Chi" } }
   class InlineAsm extends Opcode, TInlineAsm { override final string toString() { result = "InlineAsm" } }
   class Unreached extends Opcode, TUnreached { override final string toString() { result = "Unreached" } }
+  class NewObj extends Opcode, TNewObj { override final string toString() { result = "NewObj" } }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionTag.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionTag.qll
@@ -59,6 +59,7 @@ newtype TInstructionTag =
   LoadTag() or  // Implicit load due to lvalue-to-rvalue conversion
   CatchTag() or
   ThrowTag() or
+  NewObjTag() or
   UnwindTag() or
   InitializerUninitializedTag() or
   InitializerFieldAddressTag(Field field) {
@@ -141,6 +142,7 @@ string getInstructionTagId(TInstructionTag tag) {
   tag = CatchTag() and result = "Catch" or
   tag = ThrowTag() and result = "Throw" or
   tag = UnwindTag() and result = "Unwind" or
+  tag = NewObjTag() and result = "NewObj" or
   // TODO: Reread
 //  exists(Field field, Class cls, int index, string tagName |
 //    field = cls.getCanonicalMember(index) and
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedCall.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -314,8 +314,8 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
 /**
  * Represents the IR translation of a call to a constructor (can't call destructor explicitly in C#.
  */
-class TranslatedStructorCall extends TranslatedFunctionCall {
-  TranslatedStructorCall() {
+class TranslatedConstructorCall extends TranslatedFunctionCall {
+  TranslatedConstructorCall() {
     expr instanceof ObjectCreation
   }
 
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
@@ -173,7 +173,7 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali
     if (getVariable().getInitializer() instanceof ArrayCreation) then
         result = getTranslatedInitialization(getVariable().getInitializer().(ArrayCreation).getInitializer())
     else if (getVariable().getInitializer() instanceof ObjectCreation) then
-        result = getTranslatedInitialization(getVariable().getInitializer().(ObjectCreation).getInitializer())
+        result = getTranslatedInitialization(getVariable().getInitializer())
     else // then the simple variable initialization
         result = getTranslatedInitialization(getVariable().getInitializer())
   }
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedElement.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -229,6 +229,7 @@ newtype TTranslatedElement =
         not expr instanceof ObjectCreation) or
         
       // Then treat complex ones
+      exists(ObjectCreation objCreation | objCreation = expr) or
       exists(ArrayInitializer arrInit | arrInit = expr) or
       exists(ObjectInitializer objInit | objInit = expr) or
       
@@ -316,15 +317,12 @@ newtype TTranslatedElement =
   } or
   // A local declaration
   TTranslatedDeclarationEntry(Declaration entry) {
-    exists(LocalVariableDeclStmt declStmt |
-      translateStmt(declStmt) and
-      declStmt.getAVariableDeclExpr().getVariable() = entry
+    exists(LocalVariableDeclExpr declExpr |
+      declExpr.getVariable() = entry
     )
   } or
-  // An allocator call in a `new` or `new[]` expression
-  TTranslatedAllocatorCall(ObjectCreation newExpr) { not ignoreExpr(newExpr) } or
-  // An allocation size for a `new` or `new[]` expression
-  TTranslatedAllocationSize(ObjectCreation newExpr) { not ignoreExpr(newExpr) }
+  // An allocator call generated by an ObjectCreation expression
+  TTranslatedAllocatorCall(ObjectCreation newExpr) { not ignoreExpr(newExpr) }
 
 /**
  * Gets the index of the first explicitly initialized element in `initList`
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -1853,18 +1853,17 @@ class TranslatedAssignOperation extends TranslatedAssignment {
 //  }
 //}
 
-///**
-// * The IR translation of a call to `operator new` as part of a `new` or `new[]`
-// * expression.
-// */
+/**
+ * The IR translation of a call to `operator new` as part of a `new` expression.
+ */
 //class TranslatedAllocatorCall extends TTranslatedAllocatorCall,
-//    TranslatedDirectCall {
-//  override NewOrNewArrayExpr expr;
+//    TranslatedExpr {
+//  override ObjectCreation expr;
 //
 //  TranslatedAllocatorCall() {
 //    this = TTranslatedAllocatorCall(expr)
 //  }
-//
+//    
 //  override final string toString() {
 //    result = "Allocator call for " + expr.toString()
 //  }
@@ -1873,42 +1872,98 @@ class TranslatedAssignOperation extends TranslatedAssignment {
 //    none()
 //  }
 //
-//  override Function getInstructionFunction(InstructionTag tag) {
-//    tag = CallTargetTag() and result = expr.getAllocator()
+//  override final TranslatedElement getChild(int id) {
+//      none()
+//  }
+//    
+//  // TODO: Will probably need a side effect instruction
+//  override predicate hasInstruction(Opcode opcode, InstructionTag tag,
+//      Type resultType, boolean isLValue) {
+//      tag = NewObjTag() and
+//      opcode instanceof Opcode::NewObj and 
+//      resultType = expr.getType() and
+//      isLValue = false
+//  }
+//  
+//  override final Instruction getFirstInstruction() {
+//    result = getInstruction(NewObjTag())
+//  }
+//  
+//  override final Instruction getChildSuccessor(TranslatedElement element) {
+//    none()  
+//  }
+//    
+//  override final Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+//    tag = NewObjTag() and
+//    kind instanceof GotoEdge and
+//    result = getParent().getChildSuccessor(this)
+//  }
+//  
+//  override final Instruction getResult() {
+//    none()
+//  }
+//}
+
+//TranslatedAllocatorCall getTranslatedAllocatorCall(ObjectCreation newExpr) {
+//  result.getAST() = newExpr
+//}
+
+//class TranslatedObjectCreation extends TranslatedNonConstantExpr,
+//    InitializationContext {
+//  override ObjectCreation expr;
+//
+//  override final TranslatedElement getChild(int id) {
+//    id = 0 and result = getInitialization()
 //  }
 //
-//  override final Type getCallResultType() {
-//    result = expr.getAllocator().getUnspecifiedType()
+//  override final predicate hasInstruction(Opcode opcode, InstructionTag tag,
+//      Type resultType, boolean isLValue) {
+//      tag = NewObjTag() and
+//      opcode instanceof Opcode::NewObj and 
+//      resultType = expr.getType() and
+//      isLValue = false
 //  }
 //
-//  override final TranslatedExpr getQualifier() {
-//    none()
+//  override final Instruction getFirstInstruction() {
+//    result = getInstruction(NewObjTag())
 //  }
 //
-//  override final predicate hasArguments() {
-//    // All allocator calls have at least one argument.
-//    any()
+//  override final Instruction getResult() {
+//    result = getInstruction(NewObjTag())
 //  }
 //
-//  override final TranslatedExpr getArgument(int index) {
-//    // If the allocator is the default operator new(void*), there will be no
-//    // allocator call in the AST. Otherwise, there will be an allocator call
-//    // that includes all arguments to the allocator, including the size,
-//    // alignment (if any), and placement args. However, the size argument is
-//    // an error node, so we need to provide the correct size argument in any
-//    // case.
-//    if index = 0 then
-//      result = getTranslatedAllocationSize(expr)
-//    else if(index = 1 and expr.hasAlignedAllocation()) then
-//      result = getTranslatedExpr(expr.getAlignmentArgument())
+//  override final Instruction getInstructionSuccessor(InstructionTag tag,
+//      EdgeKind kind) {
+//    kind instanceof GotoEdge and
+//    tag = NewObjTag() and
+//    if exists(getInitialization()) then
+//      result = getInitialization().getFirstInstruction()
 //    else
-//      result = getTranslatedExpr(expr.getAllocatorCall().getArgument(index))
+//      result = getParent().getChildSuccessor(this)
+//  }
+//
+//  override final Instruction getChildSuccessor(TranslatedElement child) {
+//    child = getInitialization() and result = getParent().getChildSuccessor(this)
+//  }
+//
+//  override final Instruction getInstructionOperand(InstructionTag tag,
+//      OperandTag operandTag) {
+//    none()
+//  }
+//  
+//  override final Instruction getTargetAddress() {
+//    result = getInstruction(NewObjTag())
+//  }
+//
+//  override final Type getTargetType() {
+//    result = expr.getType()
+//  }
+//
+//  final TranslatedInitialization getInitialization() {
+//    result = getTranslatedInitialization(expr)
 //  }
 //}
 
-//TranslatedAllocatorCall getTranslatedAllocatorCall(NewOrNewArrayExpr newExpr) {
-//  result.getAST() = newExpr
-//}
 /**
  * Abstract class implemented by any `TranslatedElement` that has a child
  * expression that is a call to a constructor or destructor, in order to
@@ -2454,21 +2509,22 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr,
 ///**
 // * The IR translation of a `new` or `new[]` expression.
 // */
-//abstract class TranslatedNewOrNewArrayExpr extends TranslatedNonConstantExpr,
+//abstract class TranslatedNewExpr extends TranslatedNonConstantExpr,
 //    InitializationContext {
-//  override NewOrNewArrayExpr expr;
+//  override ObjectCreation expr;
 //
 //  override final TranslatedElement getChild(int id) {
 //    id = 0 and result = getAllocatorCall() or
 //    id = 1 and result = getInitialization()
 //  }
 //
+//  final TranslatedInitialization getInitialization() {
+//    result = getTranslatedInitialization(expr.getInitializer())
+//  }
+//
 //  override final predicate hasInstruction(Opcode opcode, InstructionTag tag,
-//      Type resultType, boolean ) {
-//    tag = OnlyInstructionTag() and
-//    opcode instanceof Opcode::Convert and
-//    resultType = getResultType() and
-//     = false
+//      Type resultType, boolean isLValue) {
+//    none()
 //  }
 //
 //  override final Instruction getFirstInstruction() {
@@ -2489,6 +2545,10 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr,
 //      result = getParent().getChildSuccessor(this)
 //  }
 //
+//  override final Type getTargetType() {
+//    result = expr.getType()
+//  }
+//
 //  override final Instruction getChildSuccessor(TranslatedElement child) {
 //    child = getAllocatorCall() and result = getInstruction(OnlyInstructionTag()) or
 //    child = getInitialization() and result = getParent().getChildSuccessor(this)
@@ -2508,41 +2568,9 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr,
 //  private TranslatedAllocatorCall getAllocatorCall() {
 //    result = getTranslatedAllocatorCall(expr)
 //  }
-//
-//  abstract TranslatedInitialization getInitialization();
-//}
-//
-///**
-// * The IR translation of a `new` expression.
-// */
-//class TranslatedNewExpr extends TranslatedNewOrNewArrayExpr {
-//  override NewExpr expr;
-//
-//  override final Type getTargetType() {
-//    result = expr.getAllocatedType().getUnspecifiedType()
-//  }
-//
-//  override final TranslatedInitialization getInitialization() {
-//    result = getTranslatedInitialization(expr.getInitializer())
-//  }
-//}
-//
-///**
-// * The IR translation of a `new[]` expression.
-// */
-//class TranslatedNewArrayExpr extends TranslatedNewOrNewArrayExpr {
-//  override NewArrayExpr expr;
-//
-//  override final Type getTargetType() {
-//    result = expr.getAllocatedType().getUnspecifiedType()
-//  }
-//
-//  override final TranslatedInitialization getInitialization() {
-//    // REVIEW: Figure out how we want to model array initialization in the IR.
-//    none()
-//  }
 //}
 
+
 /**
  * The IR translation of a `ConditionDeclExpr`, which represents the value of the declared variable
  * after conversion to `bool` in code such as:
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedInitialization.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedInitialization.qll
@@ -216,27 +216,63 @@ class TranslatedSimpleDirectInitialization extends TranslatedDirectInitializatio
   }
 }
 
-class TranslatedConstructorInitialization extends TranslatedDirectInitialization, StructorCallContext {
+class TranslatedObjectCreationInitialization extends TranslatedDirectInitialization, StructorCallContext {
   override ObjectCreation expr;
-
+  
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue) {
-    none()
+    (
+     tag = InitializerStoreTag() and
+     opcode instanceof Opcode::Store and
+     resultType = getContext().getTargetType() and
+     isLValue = false
+    )
+    or
+    (
+     tag = NewObjTag() and
+     opcode instanceof Opcode::NewObj and 
+     resultType = expr.getType() and
+     isLValue = false
+    )
   }
 
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    none()
+    (
+     tag = NewObjTag() and
+     kind instanceof GotoEdge and
+     result = getInitializer().getFirstInstruction()
+    )
+    or
+    (
+     tag = InitializerStoreTag() and
+     result = getParent().getChildSuccessor(this) and
+     kind instanceof GotoEdge
+    )
   }
 
+  override Instruction getFirstInstruction() {
+    result = getInstruction(NewObjTag())   
+  }
+  
   override Instruction getChildSuccessor(TranslatedElement child) {
-    child = getInitializer() and result = getParent().getChildSuccessor(this)
+    child = getInitializer() and result = getInstruction(InitializerStoreTag())
   }
 
   override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
-    none()
+    tag = InitializerStoreTag() and
+    (
+      (
+        operandTag instanceof AddressOperandTag and
+        result = getContext().getTargetAddress()
+      ) or
+      (
+        operandTag instanceof StoreValueOperandTag and
+        result = getInstruction(NewObjTag())
+      )
+    )
   }
 
   override Instruction getReceiver() {
-    result = getContext().getTargetAddress()
+    result = getInstruction(NewObjTag())
   }
 }
 
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedStmt.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedStmt.qll

Original file line number	Diff line number	Diff line change
`@@ -173,7 +173,7 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali`
`173`	`173`	`if (getVariable().getInitializer() instanceof ArrayCreation) then`
`174`	`174`	`result = getTranslatedInitialization(getVariable().getInitializer().(ArrayCreation).getInitializer())`
`175`	`175`	`else if (getVariable().getInitializer() instanceof ObjectCreation) then`
`176`		`- result = getTranslatedInitialization(getVariable().getInitializer().(ObjectCreation).getInitializer())`
	`176`	`+ result = getTranslatedInitialization(getVariable().getInitializer())`
`177`	`177`	`else // then the simple variable initialization`
`178`	`178`	`result = getTranslatedInitialization(getVariable().getInitializer())`
`179`	`179`	`}`