Added support for switch stmt (CS 6.0 style)

Andrei Diaconu · AndreiDiaconu1 · commit 4462babc0b70 · 2019-08-28T12:25:13.000+01:00
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedStmt.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedStmt.qll
@@ -9,6 +9,7 @@ private import TranslatedExpr
 private import TranslatedFunction
 private import TranslatedInitialization
 private import IRInternal
+private import semmle.code.csharp.ir.internal.IRUtilities
 
 TranslatedStmt getTranslatedStmt(Stmt stmt) {
   result.getAST() = stmt
@@ -663,63 +664,82 @@ class TranslatedJumpStmt extends TranslatedStmt {
     EdgeKind kind) {
     tag = OnlyInstructionTag() and
     kind instanceof GotoEdge and
-    // TODO: FIX THE SUCCESSOR INSTRUCTION
-    result = getTranslatedStmt(stmt).getInstructionSuccessor(tag, kind)
+    // Get the target of the jump
+    // TODO: Make sure this is the best way to do it.
+    // TODO: Does not work if the switch is the last instruction in a void function. 
+    //       Maybe insert a dummy label after the switch like in C++?
+    result = getTranslatedStmt(stmt.getAControlFlowNode().getASuccessor().getElement()).getFirstInstruction()
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
     none()
   }
 }
 
-// TODO: Fix Switch stmts
-//class TranslatedSwitchStmt extends TranslatedStmt {
-//  override SwitchStmt stmt;
-//
-//  private TranslatedExpr getExpr() {
-//    result = getTranslatedExpr(stmt.getExpr())
-//  }
-//
-//  private TranslatedStmt getBody() {
-//    result = getTranslatedStmt(stmt.getBody())
-//  }
-//
-//  override Instruction getFirstInstruction() {
-//    result = getExpr().getFirstInstruction()
-//  }
-//
-//  override TranslatedElement getChild(int id) {
-//    id = 0 and result = getExpr() or
-//    id = 1 and result = getBody()
-//  }
-//
-//  override predicate hasInstruction(Opcode opcode, InstructionTag tag,
-//    Type resultType, boolean isLValue) {
-//    tag = SwitchBranchTag() and
-//    opcode instanceof Opcode::Switch and
-//    resultType instanceof VoidType and
-//    isLValue = false
-//  }
-//
-//  override Instruction getInstructionOperand(InstructionTag tag,
-//      OperandTag operandTag) {
-//    tag = SwitchBranchTag() and
-//    operandTag instanceof ConditionOperandTag and
-//    result = getExpr().getResult()
-//  }
-//
-//  override Instruction getInstructionSuccessor(InstructionTag tag,
-//    EdgeKind kind) {
-//    tag = SwitchBranchTag() and
-//    exists(CaseStmt caseStmt |
-//      caseStmt = stmt.getACase() and
-//      kind = getCaseEdge(caseStmt) and
-//      result = getTranslatedStmt(caseStmt).getFirstInstruction()
-//    )
-//  }
-//
-//  override Instruction getChildSuccessor(TranslatedElement child) {
-//    child = getExpr() and result = getInstruction(SwitchBranchTag()) or
-//    child = getBody() and result = getParent().getChildSuccessor(this)
-//  }
-//}
+class TranslatedSwitchStmt extends TranslatedStmt {
+  override SwitchStmt stmt;
+
+  private TranslatedExpr getSwitchExpr() {
+    result = getTranslatedExpr(stmt.getExpr())
+  }
+
+  override Instruction getFirstInstruction() {
+    result = getSwitchExpr().getFirstInstruction()
+  }
+
+  override TranslatedElement getChild(int id) {
+    if (id = -1) then
+        result = getTranslatedExpr(stmt.getChild(0))
+    else if (id = 0) then
+        result = getTranslatedStmt(stmt.getChild(0))
+    else
+        result = getTranslatedStmt(stmt.getChild(id))
+  }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag,
+    Type resultType, boolean isLValue) {
+    tag = SwitchBranchTag() and
+    opcode instanceof Opcode::Switch and
+    resultType instanceof VoidType and
+    isLValue = false
+  }
+
+  override Instruction getInstructionOperand(InstructionTag tag,
+      OperandTag operandTag) {
+    tag = SwitchBranchTag() and
+    operandTag instanceof ConditionOperandTag and
+    result = getSwitchExpr().getResult()
+  }
+
+  private EdgeKind getCaseEdge(CaseStmt caseStmt) {
+    if caseStmt instanceof DefaultCase then 
+      result instanceof DefaultEdge
+    else
+      exists(CaseEdge edge |
+        result = edge and
+        hasCaseEdge(caseStmt, edge.getMinValue(), edge.getMinValue())
+      ) 
+  }
+  
+  override Instruction getInstructionSuccessor(InstructionTag tag,
+    EdgeKind kind) {
+    tag = SwitchBranchTag() and
+    exists(CaseStmt caseStmt |
+      caseStmt = stmt.getACase() and
+      kind = getCaseEdge(caseStmt) and
+      result = getTranslatedStmt(caseStmt).getFirstInstruction()
+    )
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getSwitchExpr() and result = getInstruction(SwitchBranchTag()) or
+    exists(int index, int numStmts |
+      numStmts = count(stmt.getAChild()) and
+      child = getTranslatedStmt(stmt.getChild(index)) and
+      if index = (numStmts - 1) then
+        result = getParent().getChildSuccessor(this)
+      else
+        result = getTranslatedStmt(stmt.getChild(index + 1)).getFirstInstruction()
+    )
+  }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/ir/internal/IRCSharpLanguage.qll b/csharp/ql/src/semmle/code/csharp/ir/internal/IRCSharpLanguage.qll
@@ -1,4 +1,5 @@
 private import csharp as CSharp
+private import IRUtilities
 
 class Function = CSharp::Callable;
 class Location = CSharp::Location;
@@ -62,8 +63,10 @@ string getIdentityString(Function func) {
 }
 
 predicate hasCaseEdge(string minValue, string maxValue) {
-  // TODO: Need to handle `switch` statements that switch on an integer.
-  none()
+  // TODO: Need to handle pattern matching
+  exists(CSharp :: CaseStmt cst |
+    hasCaseEdge(cst, minValue, maxValue)
+  )
 }
 
 predicate hasPositionalArgIndex(int argIndex) {
diff --git a/csharp/ql/src/semmle/code/csharp/ir/internal/IRUtilities.qll b/csharp/ql/src/semmle/code/csharp/ir/internal/IRUtilities.qll
@@ -1,6 +1,4 @@
-import csharp
-
-// TODO: CHECK IF TALKING ABOUT POINTERS HERE MAKES SENSE
+private import csharp
 
 /**
  * Given a type, get the type that would result by applying "pointer decay".
@@ -36,3 +34,8 @@ Type getVariableType(Variable v) {
     )
   )
 }
+
+predicate hasCaseEdge(CaseStmt caseStmt, string minValue, string maxValue) {
+  minValue = caseStmt.getPattern().getValue() and
+  maxValue = minValue
+}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,4 @@`
`1`		`-import csharp`
`2`		`-`
`3`		`-// TODO: CHECK IF TALKING ABOUT POINTERS HERE MAKES SENSE`
	`1`	`+private import csharp`
`4`	`2`
`5`	`3`	`/**`
`6`	`4`	`* Given a type, get the type that would result by applying "pointer decay".`
`@@ -36,3 +34,8 @@ Type getVariableType(Variable v) {`
`36`	`34`	`)`
`37`	`35`	`)`
`38`	`36`	`}`
	`37`	`+`
	`38`	`+predicate hasCaseEdge(CaseStmt caseStmt, string minValue, string maxValue) {`
	`39`	`+ minValue = caseStmt.getPattern().getValue() and`
	`40`	`+ maxValue = minValue`
	`41`	`+}`