C# IR: Fix Load inconsistencies, in, out, ref

AndreiDiaconu1 · AndreiDiaconu1 · commit aef26cc534d8 · 2019-09-19T10:31:23.000+01:00
Fixed a bug where assignments of the form `Object obj1 = obj2` would not generate a load instruction for `obj2` (see `raw_ir.expected`).
Added an extra `Load` for object creations that involve structs. This is because the variable that represents the struct should hold the actual struct, not a reference to it.
Refactored the piece of code that decided if a particular expr needs a load instruction and improved the code sharing between `TranslatedExpr.qll` and `TranslatedElement.qll` by creating 2 predicates that tell if a certain expr does or does not need a load.
Added support for `in`, `out` and `ref` parameters.
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedElement.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -174,6 +174,58 @@ private predicate usedAsCondition(Expr expr) {
   )
 }
 
+/**
+ * Holds if we should have a `Load` instruction for `expr` when generating the IR.
+ */
+predicate needsLoad(Expr expr) {
+  expr instanceof AssignableRead
+  or
+  // We need an extra load for the `PointerIndirectionExpr`
+  expr instanceof PointerIndirectionExpr and
+  // If the dereferencing happens on the lhs of an
+  // assignment we shouldn't have a load instruction
+  not exists(Assignment a | a.getLValue() = expr)
+}
+
+/**
+ * Holds if we should ignore the `Load` instruction for `expr` when generating IR.
+ */
+predicate ignoreLoad(Expr expr) {
+  // No load needed for an array access
+  expr.getParent() instanceof ArrayAccess
+  or
+  // No load is needed for the lvalue in an assignment such as:
+  // Eg. `Object obj = oldObj`;
+  expr.getParent().(Assignment).getLValue() = expr and
+  expr.getType() instanceof RefType
+  or
+  // Since the loads for a crement operation is handled by the translation
+  // of the operation, we ignore the load here
+  expr.getParent() instanceof MutatorOperation
+  or
+  // The `&` operator does not need a load, since the
+  // address is the final value of the expression
+  expr.getParent() instanceof AddressOfExpr
+  or
+  // If expr is a variable access used as the qualifier for a field access and
+  // its target variable is a value type variable,
+  // ignore the load since the address of a variable that is a value type is
+  // given by a single `VariableAddress` instruction.
+  expr.getParent().(FieldAccess).getQualifier() = expr and
+  expr.(VariableAccess).getType().isValueType() and
+  not (
+    expr.(VariableAccess).getTarget().(Parameter).isOutOrRef() or
+    expr.(VariableAccess).getTarget().(Parameter).isIn()
+  )
+  or
+  // If expr is passed as an `out,`ref` or `in` argument,
+  // no load should take place since we pass the address, not the 
+  // value of the variable
+  expr.(AssignableAccess).isOutOrRefArgument()
+  or
+  expr.(AssignableAccess).isInArgument()
+}
+
 newtype TTranslatedElement =
   // An expression that is not being consumed as a condition
   TTranslatedValueExpr(Expr expr) {
@@ -189,17 +241,9 @@ newtype TTranslatedElement =
   // A separate element to handle the lvalue-to-rvalue conversion step of an
   // expression.
   TTranslatedLoad(Expr expr) {
-    // TODO: Revisit and make sure Loads are only used when needed
     not ignoreExpr(expr) and
-    expr instanceof AssignableRead and
-    not expr.getParent() instanceof ArrayAccess and
-    not (
-      expr.getParent() instanceof Assignment and
-      expr.getType() instanceof RefType
-    ) and
-    // Ignore loads for reads in `++` and `--` since their
-    // translated elements handle them
-    not expr.getParent() instanceof MutatorOperation
+    not ignoreLoad(expr) and
+    needsLoad(expr)
   } or
   // An expression most naturally translated as control flow.
   TTranslatedNativeCondition(Expr expr) {
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -92,20 +92,12 @@ abstract class TranslatedCoreExpr extends TranslatedExpr {
    * then a load.
    */
   final override predicate producesExprResult() {
-    // Reads need loads
-    not expr instanceof AssignableRead
+    // If the expr needs a load, its translation does not produce the final value.
+    not needsLoad(expr)
     or
-    // No load needed for an array access
-    expr.getParent() instanceof ArrayAccess
-    or
-    // No load is needed for `RefTypes` in assignments
-    // Eg. `Object obj = oldObj`;
-    expr.getParent() instanceof Assignment and
-    expr.getType() instanceof RefType
-    or
-    // Since the loads for a crement operation is handled by the
-    // expression itself, we ignore the default load
-    expr.getParent() instanceof MutatorOperation
+    // If we're supposed to ignore the load on this expression, then this
+    // expression produces the final value.
+    ignoreLoad(expr)
   }
 
   /**
@@ -771,16 +763,63 @@ abstract class TranslatedVariableAccess extends TranslatedNonConstantExpr {
     result = getTranslatedExpr(expr.(QualifiableExpr).getQualifier())
   }
 
-  override Instruction getResult() { result = this.getInstruction(OnlyInstructionTag()) }
+  override Instruction getResult() {
+    if this.needsExtraLoad()
+    then result = this.getInstruction(LoadTag())
+    else result = this.getInstruction(AddressTag())
+  }
+
+  override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue
+  ) {
+    this.needsExtraLoad() and
+    tag = LoadTag() and
+    opcode instanceof Opcode::Load and
+    resultType = this.getResultType() and
+    isLValue = false
+  }
 
   final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    tag = OnlyInstructionTag() and
-    result = this.getParent().getChildSuccessor(this) and
+    tag = AddressTag() and
+    (
+      if this.needsExtraLoad()
+      then result = this.getInstruction(LoadTag())
+      else result = this.getParent().getChildSuccessor(this)
+    ) and
     kind instanceof GotoEdge
+    or
+    this.needsExtraLoad() and
+    tag = LoadTag() and
+    kind instanceof GotoEdge and
+    result = this.getParent().getChildSuccessor(this)
+  }
+
+  override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    this.needsExtraLoad() and
+    tag = LoadTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = this.getInstruction(AddressTag())
+      or
+      operandTag instanceof LoadOperandTag and
+      result = this.getEnclosingFunction().getUnmodeledDefinitionInstruction()
+    )
   }
 
   final override Instruction getChildSuccessor(TranslatedElement child) {
-    child = this.getQualifier() and result = this.getInstruction(OnlyInstructionTag())
+    child = this.getQualifier() and result = this.getInstruction(AddressTag())
+  }
+
+  /**
+   * Some variable accesses need an extra load, eg. ref parameters,
+   * out parameters
+   */
+  final predicate needsExtraLoad() {
+    (
+      expr.getTarget().(Parameter).isOutOrRef() or
+      expr.getTarget().(Parameter).isIn()
+    ) and
+    (expr.getParent() instanceof FieldAccess implies expr.getType().isRefType())
   }
 }
 
@@ -801,22 +840,26 @@ class TranslatedNonFieldVariableAccess extends TranslatedVariableAccess {
   override Instruction getFirstInstruction() {
     if exists(this.getQualifier())
     then result = this.getQualifier().getFirstInstruction()
-    else result = this.getInstruction(OnlyInstructionTag())
+    else result = this.getInstruction(AddressTag())
   }
 
-  override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { none() }
+  override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { 
+    result = TranslatedVariableAccess.super.getInstructionOperand(tag, operandTag)
+  }
 
   override predicate hasInstruction(
     Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue
   ) {
-    tag = OnlyInstructionTag() and
+    TranslatedVariableAccess.super.hasInstruction(opcode, tag, resultType, isLValue)
+    or
+    tag = AddressTag() and
     opcode instanceof Opcode::VariableAddress and
     resultType = this.getResultType() and
     isLValue = true
   }
 
   override IRVariable getInstructionVariable(InstructionTag tag) {
-    tag = OnlyInstructionTag() and
+    tag = AddressTag() and
     result = getIRUserVariable(expr.getEnclosingCallable(), expr.getTarget())
   }
 }
@@ -831,11 +874,13 @@ class TranslatedFieldAccess extends TranslatedVariableAccess {
     else
       // it means that the access is part of an `ObjectInitializer` expression
       // so the instructions for the qualifier have been generated previously.
-      result = this.getInstruction(OnlyInstructionTag())
+      result = this.getInstruction(AddressTag())
   }
 
   override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = OnlyInstructionTag() and
+    result = TranslatedVariableAccess.super.getInstructionOperand(tag, operandTag)
+    or
+    tag = AddressTag() and
     operandTag instanceof UnaryOperandTag and
     // A normal field access always has a qualifier
     if exists(this.getQualifier())
@@ -851,14 +896,14 @@ class TranslatedFieldAccess extends TranslatedVariableAccess {
   override predicate hasInstruction(
     Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue
   ) {
-    tag = OnlyInstructionTag() and
+    tag = AddressTag() and
     opcode instanceof Opcode::FieldAddress and
     resultType = this.getResultType() and
     isLValue = true
   }
 
   override Field getInstructionField(InstructionTag tag) {
-    tag = OnlyInstructionTag() and
+    tag = AddressTag() and
     result = expr.getTarget()
   }
 }
@@ -1992,35 +2037,75 @@ abstract class TranslatedCreation extends TranslatedCoreExpr, TTranslatedCreatio
     opcode instanceof Opcode::NewObj and
     resultType = expr.getType() and
     isLValue = false
+    or
+    this.needsLoad() and
+    tag = LoadTag() and
+    opcode instanceof Opcode::Load and
+    resultType = expr.getType() and
+    isLValue = false
   }
 
   final override Instruction getFirstInstruction() { result = this.getInstruction(NewObjTag()) }
 
-  override Instruction getResult() { result = getInstruction(NewObjTag()) }
+  override Instruction getResult() {
+    if not this.needsLoad()
+    then result = this.getInstruction(NewObjTag())
+    else result = this.getInstruction(LoadTag())
+  }
 
   override Instruction getReceiver() { result = getInstruction(NewObjTag()) }
 
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     kind instanceof GotoEdge and
     tag = NewObjTag() and
     result = this.getConstructorCall().getFirstInstruction()
+    or
+    this.needsLoad() and
+    kind instanceof GotoEdge and
+    tag = LoadTag() and
+    result = this.getParent().getChildSuccessor(this)
+  }
+
+  override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    this.needsLoad() and
+    tag = LoadTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = this.getInstruction(NewObjTag())
+      or
+      operandTag instanceof LoadOperandTag and
+      result = this.getEnclosingFunction().getUnmodeledDefinitionInstruction()
+    )
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
     (
       child = this.getConstructorCall() and
       if exists(this.getInitializerExpr())
       then result = this.getInitializerExpr().getFirstInstruction()
-      else result = this.getParent().getChildSuccessor(this)
+      else result = getLoadOrChildSuccessor()
     )
     or
     child = this.getInitializerExpr() and
-    result = this.getParent().getChildSuccessor(this)
+    result = getLoadOrChildSuccessor()
+  }
+
+  private Instruction getLoadOrChildSuccessor() {
+    if not this.needsLoad()
+    then result = this.getParent().getChildSuccessor(this)
+    else result = this.getInstruction(LoadTag())
   }
 
   abstract TranslatedElement getConstructorCall();
 
   abstract TranslatedExpr getInitializerExpr();
+
+  /**
+   * If the newly allocated object is a value type, then we need
+   * to load the newly allocated object before storing it in the variable,
+   * since `NewObj` returns an address.
+   */
+  abstract predicate needsLoad();
 }
 
 /**
@@ -2037,6 +2122,8 @@ class TranslatedObjectCreation extends TranslatedCreation {
     // also return `this`).
     result.getAST() = this.getAST()
   }
+
+  override predicate needsLoad() { expr.getObjectType().isValueType() }
 }
 
 /**
@@ -2050,4 +2137,6 @@ class TranslatedDelegateCreation extends TranslatedCreation {
   override TranslatedElement getConstructorCall() {
     result = DelegateElements::getConstructor(expr)
   }
+
+  override predicate needsLoad() { none() }
 }
diff --git a/csharp/ql/test/library-tests/ir/ir/inoutref.cs b/csharp/ql/test/library-tests/ir/ir/inoutref.cs
@@ -0,0 +1,38 @@
+class MyClass {
+    public int fld;
+}
+
+struct MyStruct {
+    public int fld;
+}
+
+class InOutRef
+{
+    static void set(ref MyClass o1, MyClass o2)
+    {   
+        o1 = o2;
+    }
+
+    static void F(ref int a, ref MyStruct b, in MyStruct b1, ref MyClass c, in MyClass c1) 
+    {
+        b.fld = 0;
+        a = b.fld;
+
+        c.fld = 10;
+        a = c.fld;
+
+        b = b1;
+
+        set(ref c, c1);
+    }
+
+    static void Main() 
+    {
+        int a = 0;
+        MyStruct b = new MyStruct();
+        MyClass c = new MyClass();
+        F(ref a, ref b, in b, ref c, in c);
+
+        int x = b.fld;
+    }
+}
diff --git a/csharp/ql/test/library-tests/ir/ir/raw_ir.expected b/csharp/ql/test/library-tests/ir/ir/raw_ir.expected
