Merge pull request #7321 from hvitved/csharp/cil/unique-type

hvitved · web-flow · commit cf42427f5428 · 2021-12-10T09:58:06.000+01:00
C#: Avoid CIL instructions with multiple types
diff --git a/csharp/ql/lib/semmle/code/cil/CallableReturns.qll b/csharp/ql/lib/semmle/code/cil/CallableReturns.qll
@@ -25,7 +25,7 @@ private module Cached {
   cached
   predicate alwaysThrowsException(Method m, Type t) {
     alwaysThrowsMethod(m) and
-    forex(Throw ex | ex = m.getImplementation().getAnInstruction() | t = ex.getExpr().getType())
+    forex(Throw ex | ex = m.getImplementation().getAnInstruction() | t = ex.getExceptionType())
   }
 }
 
diff --git a/csharp/ql/lib/semmle/code/cil/ConsistencyChecks.qll b/csharp/ql/lib/semmle/code/cil/ConsistencyChecks.qll
@@ -612,7 +612,7 @@ class ExprMissingType extends InstructionViolation {
     not instruction instanceof Opcodes::Ldvirtftn and
     not instruction instanceof Opcodes::Arglist and
     not instruction instanceof Opcodes::Refanytype and
-    instruction.getPushCount() = 1 and
+    instruction.getPushCount() >= 1 and
     count(instruction.getType()) != 1
   }
 
diff --git a/csharp/ql/lib/semmle/code/cil/ControlFlow.qll b/csharp/ql/lib/semmle/code/cil/ControlFlow.qll
@@ -56,6 +56,32 @@ class ControlFlowNode extends @cil_controlflow_node {
     )
   }
 
+  /**
+   * Gets the type of the `i`th operand. Unlike `getOperand(i).getType()`, this
+   * predicate takes into account when there are multiple possible operands with
+   * different types.
+   */
+  Type getOperandType(int i) {
+    strictcount(this.getOperand(i)) = 1 and
+    result = this.getOperand(i).getType()
+    or
+    strictcount(this.getOperand(i)) = 2 and
+    exists(ControlFlowNode op1, ControlFlowNode op2, Type t2 |
+      op1 = this.getOperand(i) and
+      op2 = this.getOperand(i) and
+      op1 != op2 and
+      result = op1.getType() and
+      t2 = op2.getType()
+    |
+      result = t2
+      or
+      result.(PrimitiveType).getUnderlyingType().getConversionIndex() >
+        t2.(PrimitiveType).getUnderlyingType().getConversionIndex()
+      or
+      op2 instanceof NullLiteral
+    )
+  }
+
   /** Gets an operand of this instruction, if any. */
   ControlFlowNode getAnOperand() { result = this.getOperand(_) }
 
@@ -102,7 +128,12 @@ class ControlFlowNode extends @cil_controlflow_node {
   /** Gets the method containing this control flow node. */
   MethodImplementation getImplementation() { none() }
 
-  /** Gets the type of the item pushed onto the stack, if any. */
+  /**
+   * Gets the type of the item pushed onto the stack, if any.
+   *
+   * If called via `ControlFlowNode::getOperand(i).getType()`, consider using
+   * `ControlFlowNode::getOperandType(i)` instead.
+   */
   cached
   Type getType() { none() }
 
diff --git a/csharp/ql/lib/semmle/code/cil/InstructionGroups.qll b/csharp/ql/lib/semmle/code/cil/InstructionGroups.qll
@@ -73,8 +73,8 @@ class ComparisonOperation extends BinaryExpr, @cil_comparison_operation {
 class BinaryArithmeticExpr extends BinaryExpr, @cil_binary_arithmetic_operation {
   override Type getType() {
     exists(Type t0, Type t1 |
-      t0 = this.getOperand(0).getType().getUnderlyingType() and
-      t1 = this.getOperand(1).getType().getUnderlyingType()
+      t0 = this.getOperandType(0).getUnderlyingType() and
+      t1 = this.getOperandType(1).getUnderlyingType()
     |
       t0 = t1 and result = t0
       or
@@ -242,6 +242,9 @@ class Return extends Instruction, @cil_ret {
 class Throw extends Instruction, DotNet::Throw, @cil_throw_any {
   override Expr getExpr() { result = this.getOperand(0) }
 
+  /** Gets the type of the exception being thrown. */
+  Type getExceptionType() { result = this.getOperandType(0) }
+
   override predicate canFlowNext() { none() }
 }
 
diff --git a/csharp/ql/lib/semmle/code/cil/Instructions.qll b/csharp/ql/lib/semmle/code/cil/Instructions.qll
@@ -199,9 +199,9 @@ module Opcodes {
     override string getOpcodeName() { result = "neg" }
 
     override NumericType getType() {
-      result = this.getOperand().getType()
+      result = this.getOperandType(0)
       or
-      this.getOperand().getType() instanceof Enum and result instanceof IntType
+      this.getOperandType(0) instanceof Enum and result instanceof IntType
     }
   }
 
@@ -260,7 +260,7 @@ module Opcodes {
 
     override int getPushCount() { result = 2 } // This is the only instruction that pushes 2 items
 
-    override Type getType() { result = this.getOperand(0).getType() }
+    override Type getType() { result = this.getOperandType(0) }
   }
 
   /** A `ret` instruction. */
@@ -887,7 +887,7 @@ module Opcodes {
   class Ldelem_ref extends ReadArrayElement, @cil_ldelem_ref {
     override string getOpcodeName() { result = "ldelem.ref" }
 
-    override Type getType() { result = this.getArray().getType() }
+    override Type getType() { result = this.getOperandType(1) }
   }
 
   /** An `ldelema` instruction. */
diff --git a/csharp/ql/test/library-tests/cil/consistency/consistency.expected b/csharp/ql/test/library-tests/cil/consistency/consistency.expected

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ private module Cached {`
`25`	`25`	`cached`
`26`	`26`	`predicate alwaysThrowsException(Method m, Type t) {`
`27`	`27`	`alwaysThrowsMethod(m) and`
`28`		`- forex(Throw ex \| ex = m.getImplementation().getAnInstruction() \| t = ex.getExpr().getType())`
	`28`	`+ forex(Throw ex \| ex = m.getImplementation().getAnInstruction() \| t = ex.getExceptionType())`
`29`	`29`	`}`
`30`	`30`	`}`
`31`	`31`
Original file line number	Diff line number	Diff line change
`@@ -612,7 +612,7 @@ class ExprMissingType extends InstructionViolation {`
`612`	`612`	`not instruction instanceof Opcodes::Ldvirtftn and`
`613`	`613`	`not instruction instanceof Opcodes::Arglist and`
`614`	`614`	`not instruction instanceof Opcodes::Refanytype and`
`615`		`- instruction.getPushCount() = 1 and`
	`615`	`+ instruction.getPushCount() >= 1 and`
`616`	`616`	`count(instruction.getType()) != 1`
`617`	`617`	`}`
`618`	`618`
Original file line number	Diff line number	Diff line change
`@@ -199,9 +199,9 @@ module Opcodes {`
`199`	`199`	`override string getOpcodeName() { result = "neg" }`
`200`	`200`
`201`	`201`	`override NumericType getType() {`
`202`		`- result = this.getOperand().getType()`
	`202`	`+ result = this.getOperandType(0)`
`203`	`203`	`or`
`204`		`- this.getOperand().getType() instanceof Enum and result instanceof IntType`
	`204`	`+ this.getOperandType(0) instanceof Enum and result instanceof IntType`
`205`	`205`	`}`
`206`	`206`	`}`
`207`	`207`
`@@ -260,7 +260,7 @@ module Opcodes {`
`260`	`260`
`261`	`261`	`override int getPushCount() { result = 2 } // This is the only instruction that pushes 2 items`
`262`	`262`
`263`		`- override Type getType() { result = this.getOperand(0).getType() }`
	`263`	`+ override Type getType() { result = this.getOperandType(0) }`
`264`	`264`	`}`
`265`	`265`
`266`	`266`	/** A `ret` instruction. */
`@@ -887,7 +887,7 @@ module Opcodes {`
`887`	`887`	`class Ldelem_ref extends ReadArrayElement, @cil_ldelem_ref {`
`888`	`888`	`override string getOpcodeName() { result = "ldelem.ref" }`
`889`	`889`
`890`		`- override Type getType() { result = this.getArray().getType() }`
	`890`	`+ override Type getType() { result = this.getOperandType(1) }`
`891`	`891`	`}`
`892`	`892`
`893`	`893`	/** An `ldelema` instruction. */