codeql/csharp/ql/src/semmle/code/cil/ControlFlow.qll at c812d4e4e81b1e64146e242563a9f545ab2453de · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
/**
 * Provides classes for control flow.
 */

private import CIL

/** A node in the control flow graph. */
class ControlFlowNode extends @cil_controlflow_node {
  /** Gets a textual representation of this control flow node. */
  string toString() { none() }

  /** Gets the location of this control flow node. */
  Location getLocation() { none() }

  /**
   * Gets the number of items this node pushes onto the stack.
   * This value is either 0 or 1, except for the instruction `dup`
   * which pushes 2 values onto the stack.
   */
  int getPushCount() { result = 0 }

  /** Gets the number of items this node pops from the stack. */
  int getPopCount() { result = 0 }

  /** Gets a successor of this node, if any. */
  final Instruction getASuccessor() { result = getASuccessorType(_) }

  /** Gets a true successor of this node, if any. */
  final Instruction getTrueSuccessor() { result = getASuccessorType(any(TrueFlow f)) }

  /** Gets a false successor of this node, if any. */
  final Instruction getFalseSuccessor() { result = getASuccessorType(any(FalseFlow f)) }

  /** Gets a successor to this node, of type `type`, if any. */
  cached
  Instruction getASuccessorType(FlowType t) { none() }

  /** Gets a predecessor of this node, if any. */
  ControlFlowNode getAPredecessor() { result.getASuccessor() = this }

  /**
   * Gets an instruction that supplies the `i`th operand to this instruction.
   * Note that this can be multi-valued.
   */
  cached
  ControlFlowNode getOperand(int i) {
    // Immediate predecessor pushes the operand
    i in [0 .. this.getPopCount() - 1] and
    result = this.getAPredecessor() and
    i < result.getPushCount()
    or
    // Transitive predecessor pushes the operand
    exists(ControlFlowNode mid, int pushes | this.getOperandRec(mid, i, pushes) |
      pushes - mid.getStackDelta() < result.getPushCount() and
      result = mid.getAPredecessor()
    )
  }

  /** Gets an operand of this instruction, if any. */
  ControlFlowNode getAnOperand() { result = getOperand(_) }

  /** Gets an expression that consumes the output of this instruction on the stack. */
  Instruction getParentExpr() { this = result.getAnOperand() }

  /**
   * Holds if `pred` is a transitive predecessor of this instruction, this
   * instruction pops operand `i`, `pushes` additional pushes are required
   * for operand `i` at node `pred`, and no instruction between (and including)
   * `pred` and this instruction is a push for operand `i`.
   */
  private predicate getOperandRec(ControlFlowNode pred, int i, int pushes) {
    // Invariant: no node is a push for operand `i`
    pushes >= pred.getPushCount() and
    (
      i in [0 .. this.getPopCount() - 1] and
      pred = this.getAPredecessor() and
      pushes = i
      or
      exists(ControlFlowNode mid, int pushes0 | this.getOperandRec(mid, i, pushes0) |
        pushes = pushes0 - mid.getStackDelta() and
        // This is a guard to prevent ill formed programs
        // and other logic errors going into an infinite loop.
        pushes <= this.getImplementation().getStackSize() and
        pred = mid.getAPredecessor()
      )
    )
  }

  private int getStackDelta() { result = getPushCount() - getPopCount() }

  /** Gets the stack size before this instruction. */
  int getStackSizeBefore() { result = getAPredecessor().getStackSizeAfter() }

  /** Gets the stack size after this instruction. */
  final int getStackSizeAfter() {
    // This is a guard to prevent ill formed programs
    // and other logic errors going into an infinite loop.
    result in [0 .. getImplementation().getStackSize()] and
    result = getStackSizeBefore() + getStackDelta()
  }

  /** Gets the method containing this control flow node. */
  MethodImplementation getImplementation() { none() }

  /** Gets the type of the item pushed onto the stack, if any. */
  cached
  Type getType() { none() }

  /** Holds if this control flow node has more than one predecessor. */
  predicate isJoin() { strictcount(this.getAPredecessor()) > 1 }

  /** Holds if this control flow node has more than one successor. */
  predicate isBranch() { strictcount(this.getASuccessor()) > 1 }
}

/**
 * A control flow entry point. Either a method (`MethodImplementation`) or a handler (`Handler`).
 *
 * Handlers are control flow nodes because they push the handled exception onto the stack.
 */
class EntryPoint extends ControlFlowNode, @cil_entry_point {
  override int getStackSizeBefore() { result = 0 }
}

private newtype TFlowType =
  TNormalFlow() or
  TTrueFlow() or
  TFalseFlow()

/** A type of control flow. Either normal flow (`NormalFlow`), true flow (`TrueFlow`) or false flow (`FalseFlow`). */
abstract class FlowType extends TFlowType {
  abstract string toString();
}

/** Normal control flow. */
class NormalFlow extends FlowType, TNormalFlow {
  override string toString() { result = "" }
}

/** True control flow. */
class TrueFlow extends FlowType, TTrueFlow {
  override string toString() { result = "true" }
}

/** False control flow. */
class FalseFlow extends FlowType, TFalseFlow {
  override string toString() { result = "false" }
}