Merge pull request #1898 from AndreiDiaconu1/ircsharp-collections

C# IR: Object creation refactor and collection initializers

Author: hvitved

csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -4,6 +4,7 @@ private import semmle.code.csharp.ir.implementation.internal.OperandTag
 private import InstructionTag
 private import TranslatedElement
 private import TranslatedExpr
+private import TranslatedInitialization
 private import semmle.code.csharp.ir.Util
 private import semmle.code.csharp.ir.implementation.raw.internal.common.TranslatedCallBase
 private import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language
@@ -50,7 +51,13 @@ class TranslatedFunctionCall extends TranslatedNonConstantExpr, TranslatedCall {
     result = getTranslatedExpr(expr.(QualifiableExpr).getQualifier())
   }
 
-  override Instruction getQualifierResult() { result = this.getQualifier().getResult() }
+  override Instruction getQualifierResult() {
+    // since `ElementInitializer`s do not have a qualifier, the qualifier's result is retrieved
+    // from the enclosing initialization context
+    if expr.getParent() instanceof CollectionInitializer
+    then result = getTranslatedExpr(expr.getParent()).(InitializationContext).getTargetAddress()
+    else result = this.getQualifier().getResult()
+  }
 
   override Type getCallResultType() { result = expr.getTarget().getReturnType() }
 

csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -169,6 +169,11 @@ newtype TTranslatedElement =
     not isNativeCondition(expr) and
     not isFlexibleCondition(expr)
   } or
+  // A creation expression
+  TTranslatedCreationExpr(Expr expr) {
+    not ignoreExpr(expr) and
+    (expr instanceof ObjectCreation or expr instanceof DelegateCreation)
+  } or
   // A separate element to handle the lvalue-to-rvalue conversion step of an
   // expression.
   TTranslatedLoad(Expr expr) {
@@ -219,32 +224,21 @@ newtype TTranslatedElement =
       // we deal with all the types of initialization separately.
       // First only simple local variable initialization (ie. `int x = 0`)
       exists(LocalVariableDeclAndInitExpr lvInit |
-        lvInit.getInitializer() = expr and
-        not expr instanceof ArrayCreation and
-        not expr instanceof ObjectCreation and
-        not expr instanceof DelegateCreation
+        lvInit.getInitializer() = expr
       )
       or
       // Then treat more complex ones
-      expr instanceof ObjectCreation
-      or
-      expr instanceof DelegateCreation
-      or
       expr instanceof ArrayInitializer
       or
       expr instanceof ObjectInitializer
       or
-      expr = any(ThrowExpr throw).getExpr()
+      expr = any(ThrowElement throwElement).getExpr()
       or
       expr = any(CollectionInitializer colInit).getAnElementInitializer()
       or
       expr = any(ReturnStmt returnStmt).getExpr()
       or
       expr = any(ArrayInitializer arrInit).getAnElement()
-      or
-      expr = any(LambdaExpr lambda).getSourceDeclaration()
-      or
-      expr = any(AnonymousMethodExpr anonMethExpr).getSourceDeclaration()
     )
   } or
   // The initialization of an array element via a member of an initializer list.

csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -24,7 +24,11 @@ private import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language
  */
 TranslatedExpr getTranslatedExpr(Expr expr) {
   result.getExpr() = expr and
-  result.producesExprResult()
+  result.producesExprResult() and
+  // When a constructor call is needed, we fetch it manually.
+  // This is because of how we translate object creations: the translated expression
+  // and the translated constructor call are attached to the same element.
+  (expr instanceof ObjectCreation implies not result instanceof TranslatedConstructorCall)
 }
 
 /**
@@ -481,11 +485,7 @@ class TranslatedObjectInitializerExpr extends TranslatedNonConstantExpr, Initial
   }
 
   override TranslatedElement getChild(int id) {
-    exists(AssignExpr assign |
-      result = getTranslatedExpr(expr.getChild(id)) and
-      expr.getAChild() = assign and
-      assign.getIndex() = id
-    )
+    result = getTranslatedExpr(expr.getMemberInitializer(id))
   }
 
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
@@ -499,9 +499,57 @@ class TranslatedObjectInitializerExpr extends TranslatedNonConstantExpr, Initial
     )
   }
 
-  override Instruction getTargetAddress() { result = this.getParent().getInstruction(NewObjTag()) }
+  override Instruction getTargetAddress() {
+    // The target address is the address of the newly allocated object,
+    // which can be retrieved from the parent `TranslatedObjectCreation`.
+    result = this.getParent().getInstruction(NewObjTag())
+  }
+
+  override Type getTargetType() {
+    result = this.getParent().getInstruction(NewObjTag()).getResultType()
+  }
+}
+
+class TranslatedCollectionInitializer extends TranslatedNonConstantExpr, InitializationContext {
+  override CollectionInitializer expr;
+
+  override Instruction getResult() { none() }
+
+  override Instruction getFirstInstruction() { result = this.getChild(0).getFirstInstruction() }
+
+  override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue
+  ) {
+    none()
+  }
+
+  override TranslatedElement getChild(int id) {
+    result = getTranslatedExpr(expr.getElementInitializer(id))
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    exists(int index |
+      child = this.getChild(index) and
+      (
+        result = this.getChild(index + 1).getFirstInstruction()
+        or
+        not exists(this.getChild(index + 1)) and
+        result = this.getParent().getChildSuccessor(this)
+      )
+    )
+  }
+
+  override Instruction getTargetAddress() {
+    // The target address is the address of the newly allocated object,
+    // which can be retrieved from the parent `TranslatedObjectCreation`.
+    result = this.getParent().getInstruction(NewObjTag())
+  }
 
-  override Type getTargetType() { none() }
+  override Type getTargetType() {
+    result = this.getParent().getInstruction(NewObjTag()).getResultType()
+  }
 }
 
 /**
@@ -1918,3 +1966,88 @@ class TranslatedDelegateCall extends TranslatedNonConstantExpr {
     result = DelegateElements::getInvoke(expr)
   }
 }
+
+/**
+ * Represents the IR translation of creation expression. Can be the translation of an
+ * `ObjectCreation` or a `DelegateCreation`.
+ * The `NewObj` instruction denotes the fact that during initialization a new
+ * object is allocated, which is then initialized by the constructor.
+ */
+abstract class TranslatedCreation extends TranslatedCoreExpr, TTranslatedCreationExpr,
+  ConstructorCallContext {
+  TranslatedCreation() { this = TTranslatedCreationExpr(expr) }
+
+  override TranslatedElement getChild(int id) {
+    id = 0 and result = this.getConstructorCall()
+    or
+    id = 1 and result = this.getInitializerExpr()
+  }
+
+  override predicate hasInstruction(
+    Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue
+  ) {
+    // Instruction that allocated space for a new object,
+    // and returns its address
+    tag = NewObjTag() and
+    opcode instanceof Opcode::NewObj and
+    resultType = expr.getType() and
+    isLValue = false
+  }
+
+  final override Instruction getFirstInstruction() { result = this.getInstruction(NewObjTag()) }
+
+  override Instruction getResult() { result = getInstruction(NewObjTag()) }
+
+  override Instruction getReceiver() { result = getInstruction(NewObjTag()) }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    kind instanceof GotoEdge and
+    tag = NewObjTag() and
+    result = this.getConstructorCall().getFirstInstruction()
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    (
+      child = this.getConstructorCall() and
+      if exists(this.getInitializerExpr())
+      then result = this.getInitializerExpr().getFirstInstruction()
+      else result = this.getParent().getChildSuccessor(this)
+    )
+    or
+    child = this.getInitializerExpr() and
+    result = this.getParent().getChildSuccessor(this)
+  }
+
+  abstract TranslatedElement getConstructorCall();
+
+  abstract TranslatedExpr getInitializerExpr();
+}
+
+/**
+ * Represents the IR translation of an `ObjectCreation`.
+ */
+class TranslatedObjectCreation extends TranslatedCreation {
+  override ObjectCreation expr;
+
+  override TranslatedExpr getInitializerExpr() { result = getTranslatedExpr(expr.getInitializer()) }
+
+  override TranslatedConstructorCall getConstructorCall() {
+    // Since calls are also expressions, we can't
+    // use the predicate getTranslatedExpr (since that would
+    // also return `this`).
+    result.getAST() = this.getAST()
+  }
+}
+
+/**
+ * Represents the IR translation of a `DelegateCreation`.
+ */
+class TranslatedDelegateCreation extends TranslatedCreation {
+  override DelegateCreation expr;
+
+  override TranslatedExpr getInitializerExpr() { none() }
+
+  override TranslatedElement getConstructorCall() {
+    result = DelegateElements::getConstructor(expr)
+  }
+}