C#: Avoid CIL instructions with multiple types

Author: hvitved

csharp/ql/lib/semmle/code/cil/ControlFlow.qll

@@ -56,6 +56,32 @@ class ControlFlowNode extends @cil_controlflow_node {
     )
   }
 
+  /**
+   * Gets the type of the `i`th operand. Unlike `getOperand(i).getType()`, this
+   * predicate takes into account when there are multiple possible operands with
+   * different types.
+   */
+  Type getOperandType(int i) {
+    strictcount(this.getOperand(i)) = 1 and
+    result = this.getOperand(i).getType()
+    or
+    strictcount(this.getOperand(i)) = 2 and
+    exists(ControlFlowNode op1, ControlFlowNode op2, Type t2 |
+      op1 = this.getOperand(i) and
+      op2 = this.getOperand(i) and
+      op1 != op2 and
+      result = op1.getType() and
+      t2 = op2.getType()
+    |
+      result = t2
+      or
+      result.(PrimitiveType).getUnderlyingType().getConversionIndex() >
+        t2.(PrimitiveType).getUnderlyingType().getConversionIndex()
+      or
+      op2 instanceof NullLiteral
+    )
+  }
+
   /** Gets an operand of this instruction, if any. */
   ControlFlowNode getAnOperand() { result = this.getOperand(_) }
 

csharp/ql/lib/semmle/code/cil/InstructionGroups.qll

@@ -73,8 +73,8 @@ class ComparisonOperation extends BinaryExpr, @cil_comparison_operation {
 class BinaryArithmeticExpr extends BinaryExpr, @cil_binary_arithmetic_operation {
   override Type getType() {
     exists(Type t0, Type t1 |
-      t0 = this.getOperand(0).getType().getUnderlyingType() and
-      t1 = this.getOperand(1).getType().getUnderlyingType()
+      t0 = this.getOperandType(0).getUnderlyingType() and
+      t1 = this.getOperandType(1).getUnderlyingType()
     |
       t0 = t1 and result = t0
       or

csharp/ql/lib/semmle/code/cil/Instructions.qll

@@ -199,9 +199,9 @@ module Opcodes {
     override string getOpcodeName() { result = "neg" }
 
     override NumericType getType() {
-      result = this.getOperand().getType()
+      result = this.getOperandType(0)
       or
-      this.getOperand().getType() instanceof Enum and result instanceof IntType
+      this.getOperandType(0) instanceof Enum and result instanceof IntType
     }
   }
 
@@ -260,7 +260,7 @@ module Opcodes {
 
     override int getPushCount() { result = 2 } // This is the only instruction that pushes 2 items
 
-    override Type getType() { result = this.getOperand(0).getType() }
+    override Type getType() { result = this.getOperandType(0) }
   }
 
   /** A `ret` instruction. */
@@ -887,7 +887,7 @@ module Opcodes {
   class Ldelem_ref extends ReadArrayElement, @cil_ldelem_ref {
     override string getOpcodeName() { result = "ldelem.ref" }
 
-    override Type getType() { result = this.getArray().getType() }
+    override Type getType() { result = this.getOperandType(1) }
   }
 
   /** An `ldelema` instruction. */