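// Copyright (c) 2016 Daniel Grunwald
//
// Permission is hereby granted, free of charge, to any person obtaining a copy of this
// software and associated documentation files (the "Software"), to deal in the Software
// without restriction, including without limitation the rights to use, copy, modify, merge,
// publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
// to whom the Software is furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all copies or
// substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
// INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
// PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
// FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
// DEALINGS IN THE SOFTWARE.

using System;
using System.Collections.Generic;
using System.Diagnostics;

using ICSharpCode.Decompiler.IL;

namespace ICSharpCode.Decompiler.FlowAnalysis
{
	/// <summary>
	/// Interface for use with DataFlowVisitor.
	///
	/// A mutable container for the state tracked by the data flow analysis.
	/// </summary>
	/// <remarks>
	/// States must form a join-semilattice: https://en.wikipedia.org/wiki/Semilattice
	///
	/// To handle try{} finally{} properly, states should implement MeetWith() as well,
	/// and thus should form a lattice.
	///
	/// DataFlowVisitor expects the state to behave like a mutable reference type.
	/// It might still be a good idea to use a struct to implement it so that .NET uses static dispatch for
	/// method calls on the type parameter, but that struct must consist only of a readonly field
	/// referencing some mutable object, to ensure the type parameter behaves as if it was a mutable reference type.
	/// </remarks>
	public interface IDataFlowState<Self> where Self : IDataFlowState<Self>
	{
		/// <summary>
		/// Gets whether this state is "less than" (or equal to) another state.
		/// This is the partial order of the semi-lattice.
		/// </summary>
		/// <remarks>
		/// The exact meaning of this relation is up to the concrete implementation,
		/// but usually "less than" means "has less information than".
		/// A given position in the code starts at the "bottom state" (=no information)
		/// and then adds more information as the analysis progresses.
		/// After each change to the state, the old state must be less than the new state,
		/// so that the analysis does not run into an infinite loop.
		/// The partially ordered set must also have finite height (no infinite ascending chains s1 &lt; s2 &lt; ...),
		/// to ensure the analysis terminates.
		/// </remarks>
		/// <example>
		/// The simplest possible non-trivial state, <c>bool isReachable</c>, would implement <c>LessThanOrEqual</c> as:
		/// <code>return (this.isReachable ? 1 : 0) &lt;= (otherState.isReachable ? 1 : 0);</code>
		/// Which can be simplified to:
		/// <code>return !this.isReachable || otherState.isReachable;</code>
		/// </example>
		bool LessThanOrEqual(Self otherState);

		/// <summary>
		/// Creates a new object with a copy of the state.
		/// </summary>
		/// <remarks>
		/// Mutating methods such as <c>ReplaceWith</c> or <c>JoinWith</c> modify the contents of a state object.
		/// Cloning the object allows the analysis to track multiple independent states,
		/// such as the states of separate control flow paths.
		/// </remarks>
		/// <example>
		/// The simple state "<c>bool isReachable</c>", would implement <c>Clone</c> as:
		/// <code>return new MyState(this.isReachable);</code>
		/// </example>
		Self Clone();

		/// <summary>
		/// Replace the contents of this state object with a copy of those in <paramref name="newContent"/>.
		/// </summary>
		/// <remarks>
		/// <c>x = x.Clone(); x.ReplaceWith(newContent);</c>
		/// is equivalent to
		/// <c>x = newContent.Clone();</c>
		///
		/// ReplaceWith() is used to avoid allocating new state objects where possible.
		/// </remarks>
		/// <example>
		/// The simple state "<c>bool isReachable</c>", would implement <c>ReplaceWith</c> as:
		/// <code>this.isReachable = newContent.isReachable;</code>
		/// </example>
		void ReplaceWith(Self newContent);

		/// <summary>
		/// Join the incomingState into this state.
		/// </summary>
		/// <remarks>
		/// Postcondition: <c>old(this).LessThanOrEqual(this) &amp;&amp; incomingState.LessThanOrEqual(this)</c>
		/// This method should set <c>this</c> to the smallest state that is greater than (or equal to)
		/// both input states.
		///
		/// JoinWith() is used when multiple control flow paths are joined together.
		/// For example, it is used to combine the thenState with the elseState
		/// at the end of an if-else construct.
		/// </remarks>
		/// <example>
		/// The simple state "<c>bool isReachable</c>", would implement <c>JoinWith</c> as:
		/// <code>this.isReachable |= incomingState.isReachable;</code>
		/// </example>
		void JoinWith(Self incomingState);

		/// <summary>
		/// A special operation to merge the end-state of the finally-block with the end state of
		/// a branch leaving the try-block.
		///
		/// If either input state is unreachable, this call must result in an unreachable state.
		/// </summary>
		/// <example>
		/// The simple state "<c>bool isReachable</c>", would implement <c>TriggerFinally</c> as:
		/// <code>this.isReachable &amp;= finallyState.isReachable;</code>
		/// </example>
		void TriggerFinally(Self finallyState);

		/// <summary>
		/// Gets whether this is the bottom state.
		///
		/// The bottom state represents that the data flow analysis has not yet
		/// found a code path from the entry point to this state's position.
		/// It thus contains no information, and is "less than" all other states.
		/// </summary>
		/// <remarks>
		/// The bottom state is the bottom element in the semi-lattice.
		///
		/// Initially, all code blocks not yet visited by the analysis will be in the bottom state.
		/// Unreachable code will always remain in the bottom state.
		/// Some analyses may also use the bottom state for reachable code after it was processed by the analysis.
		/// For example, in <c>DefiniteAssignmentVisitor</c> the bottom state means
		/// "either this code is unreachable, or all variables are definitely initialized".
		/// </remarks>
		/// <example>
		/// The simple state "<c>bool isReachable</c>", would implement <c>IsBottom</c> as:
		/// <code>return !this.isReachable;</code>
		/// </example>
		bool IsBottom { get; }

		/// <summary>
		/// Equivalent to <c>this.ReplaceWith(bottomState)</c>, but may be implemented more efficiently.
		/// </summary>
		/// <remarks>
		/// Since the <c>DataFlowVisitor</c> can only create states by cloning from the initial state,
		/// this method is necessary for the <c>DataFlowVisitor</c> to gain access to the bottom element in
		/// the first place.
		/// </remarks>
		/// <example>
		/// The simple state "<c>bool isReachable</c>", would implement <c>ReplaceWithBottom</c> as:
		/// <code>this.isReachable = false;</code>
		/// </example>
		void ReplaceWithBottom();
	}

	/// <summary>
	/// Generic base class for forward data flow analyses.
	/// </summary>
	/// <typeparam name="State">
	/// The state type used for the data flow analysis. See <see cref="IDataFlowState{Self}"/> for details.
	/// </typeparam>
	public abstract class DataFlowVisitor<State> : ILVisitor
		where State : IDataFlowState<State>
	{
		// The data flow analysis tracks a 'state'.
		// There are many states (one per source code position, i.e. ILInstruction), but we don't store all of them.
		// We only keep track of:
		//  a) the current state in the RDVisitor
		//     This state corresponds to the instruction currently being visited,
		//     and gets mutated as we traverse the ILAst.
		//  b) the input state for each control flow node
		//     These also get mutated as the analysis learns about new control flow edges.

		/// <summary>
		/// The bottom state.
		/// Must not be mutated.
		/// </summary>
		State bottomState;

		/// <summary>
		/// Current state.
		///
		/// Caution: any state object assigned to this member gets mutated as the visitor traverses the ILAst!
		/// </summary>
		protected State state;

		/// <summary>
		/// Combined state of all possible exceptional control flow paths in the current try block.
		/// Serves as input state for catch blocks.
		///
		/// Caution: any state object assigned to this member gets mutated as the visitor encounters instructions that may throw exceptions!
		///
		/// Within a try block, <c>currentStateOnException == stateOnException[tryBlock.Parent]</c>.
		/// </summary>
		protected State currentStateOnException;

		/// <summary>
		/// Set by <see cref="Initialize"/>; only checked through debug assertions.
		/// </summary>
		bool initialized;

		/// <summary>
		/// Initializes the DataFlowVisitor.
		/// This method must be called once before any Visit()-methods can be called.
		/// It must not be called more than once.
		/// </summary>
		/// <param name="initialState">The initial state at the entry point of the analysis.</param>
		/// <remarks>
		/// This is a method instead of a constructor because derived classes might need complex initialization
		/// before they can construct the initial state.
		/// </remarks>
		protected void Initialize(State initialState)
		{
			Debug.Assert(!initialized);
			initialized = true;
			this.state = initialState.Clone();
			// The visitor has no other way to obtain a bottom element than
			// cloning the initial state and resetting the clone.
			this.bottomState = initialState.Clone();
			this.bottomState.ReplaceWithBottom();
			Debug.Assert(bottomState.IsBottom);
			this.stateOnNullableRewrap = bottomState.Clone();
			this.currentStateOnException = state.Clone();
		}

#if DEBUG
		// For debugging, capture the input + output state at every instruction.
		readonly Dictionary<ILInstruction, State> debugInputState = new Dictionary<ILInstruction, State>();
		readonly Dictionary<ILInstruction, State> debugOutputState = new Dictionary<ILInstruction, State>();

		/// <summary>
		/// Records the current state for <paramref name="inst"/> in <paramref name="debugDict"/>
		/// and asserts that the recorded state only ever grows.
		/// </summary>
		void DebugPoint(Dictionary<ILInstruction, State> debugDict, ILInstruction inst)
		{
			Debug.Assert(initialized, "Initialize() was not called");

			if (debugDict.TryGetValue(inst, out State previousState))
			{
				Debug.Assert(previousState.LessThanOrEqual(state));
				previousState.JoinWith(state);
			}
			else
			{
				// limit the number of tracked instructions to make memory usage in debug builds less horrible
				if (debugDict.Count < 1000)
				{
					debugDict.Add(inst, state.Clone());
				}
			}

			// currentStateOnException should be all states within the try block joined together
			// -> state should already have been joined into currentStateOnException.
			Debug.Assert(state.LessThanOrEqual(currentStateOnException));
		}
#endif

		/// <summary>
		/// Debug-only hook: records the state before <paramref name="inst"/> is processed.
		/// </summary>
		[Conditional("DEBUG")]
		protected void DebugStartPoint(ILInstruction inst)
		{
#if DEBUG
			DebugPoint(debugInputState, inst);
#endif
		}

		/// <summary>
		/// Debug-only hook: records the state after <paramref name="inst"/> was processed.
		/// </summary>
		[Conditional("DEBUG")]
		protected void DebugEndPoint(ILInstruction inst)
		{
#if DEBUG
			DebugPoint(debugOutputState, inst);
#endif
		}

		/// <summary>
		/// Derived classes may add to this set of flags to ensure they don't forget to override an interesting method.
		/// </summary>
		protected InstructionFlags flagsRequiringManualImpl = InstructionFlags.ControlFlow
			| InstructionFlags.MayBranch
			| InstructionFlags.MayUnwrapNull
			| InstructionFlags.EndPointUnreachable;

		/// <summary>
		/// Fallback for instructions without a dedicated Visit method: visits the children in order.
		/// </summary>
		/// <exception cref="NotImplementedException">
		/// The instruction has one of the <see cref="flagsRequiringManualImpl"/> flags set directly.
		/// </exception>
		protected sealed override void Default(ILInstruction inst)
		{
			DebugStartPoint(inst);
			// This method assumes normal control flow and no branches.
			if ((inst.DirectFlags & flagsRequiringManualImpl) != 0)
			{
				throw new NotImplementedException(GetType().Name + " is missing implementation for " + inst.GetType().Name);
			}

			// Since this instruction has normal control flow, we can evaluate our children left-to-right.
			foreach (var child in inst.Children)
			{
				child.AcceptVisitor(this);
				Debug.Assert(state.IsBottom || !child.HasFlag(InstructionFlags.EndPointUnreachable),
					"Unreachable code must be in the bottom state.");
			}

			DebugEndPoint(inst);
		}

		/// <summary>
		/// Handle control flow when the current instruction throws an exception:
		/// joins the current state into the "exception state" of the current try block.
		/// </summary>
		/// <remarks>
		/// This should not only be called for instructions that may throw an exception,
		/// but for all instructions (due to async exceptions like ThreadAbortException)!
		///
		/// To avoid redundant calls, every Visit() call may assume that the current state
		/// is already propagated, and has to guarantee the same at the end.
		/// This means this method should be called after every state change.
		/// Alternatively, derived classes may directly modify both <c>state</c>
		/// and <c>currentStateOnException</c>, so that a full <c>JoinWith()</c> call
		/// is not necessary.
		/// </remarks>
		protected void PropagateStateOnException()
		{
			currentStateOnException.JoinWith(state);
		}

		/// <summary>
		/// Replace the current state with the bottom state.
		/// </summary>
		protected void MarkUnreachable()
		{
			state.ReplaceWithBottom();
		}

		/// <summary>
		/// Holds the state for incoming branches.
		/// </summary>
		/// <remarks>
		/// Only used for blocks in block containers; not for inline blocks.
		/// </remarks>
		readonly Dictionary<Block, State> stateOnBranch = new Dictionary<Block, State>();

		/// <summary>
		/// Holds the state at the block container end-point. (=state for incoming 'leave' instructions)
		/// </summary>
		readonly Dictionary<BlockContainer, State> stateOnLeave = new Dictionary<BlockContainer, State>();

		/// <summary>
		/// Gets the state object that holds the state for incoming branches to the block.
		/// </summary>
		/// <remarks>
		/// Returns a clone of the bottom state on the first call for a given block,
		/// then returns the same object instance on further calls.
		/// The caller is expected to mutate the returned state by calling <c>JoinWith()</c>.
		/// </remarks>
		State GetBlockInputState(Block block)
		{
			if (!stateOnBranch.TryGetValue(block, out State s))
			{
				s = bottomState.Clone();
				stateOnBranch.Add(block, s);
			}
			return s;
		}

		/// <summary>
		/// For each block container, stores the set of blocks (via Block.ChildIndex)
		/// that had their incoming state changed and were not processed yet.
		/// </summary>
		readonly Dictionary<BlockContainer, SortedSet<int>> workLists = new Dictionary<BlockContainer, SortedSet<int>>();

		/// <summary>
		/// Analyzes the blocks of the container with a work list until their input states no longer change,
		/// then continues with the state recorded for 'leave' instructions targeting the container.
		/// </summary>
		protected internal override void VisitBlockContainer(BlockContainer container)
		{
			DebugStartPoint(container);
			SortedSet<int> worklist = new SortedSet<int>();
			// register work list so that branches within this container can add to it
			workLists.Add(container, worklist);
			var stateOnEntry = GetBlockInputState(container.EntryPoint);
			if (!state.LessThanOrEqual(stateOnEntry))
			{
				// If we have new information for the container's entry point,
				// add the container entry point to the work list.
				stateOnEntry.JoinWith(state);
				worklist.Add(0);
			}

			// To handle loops, we need to analyze the loop body before we can know the state for the loop backedge,
			// but we need to know the input state for the loop body (to which the backedge state contributes)
			// before we can analyze the loop body.
			// Solution: we repeat the analysis of the loop body multiple times, until the state no longer changes.
			// To make it terminate reasonably quickly, we need to process the control flow nodes in the correct order:
			// reverse post-order. We use a SortedSet<int> for this, and assume that the block indices used in the SortedSet
			// are ordered appropriately. The caller can use BlockContainer.SortBlocks() for this.
			while (worklist.Count > 0)
			{
				int blockIndex = worklist.Min;
				worklist.Remove(blockIndex);
				Block block = container.Blocks[blockIndex];
				state.ReplaceWith(stateOnBranch[block]);
				block.AcceptVisitor(this);
			}

			if (stateOnLeave.TryGetValue(container, out State stateOnExit))
			{
				state.ReplaceWith(stateOnExit);
			}
			else
			{
				// No 'leave' was recorded for this container.
				MarkUnreachable();
			}
			DebugEndPoint(container);
			workLists.Remove(container);
		}

		/// <summary>
		/// Branches and leaves that trigger a finally block, together with a clone of the state at the jump.
		/// Entries are resolved in <see cref="ProcessBranchesLeavingTryFinally"/>.
		/// </summary>
		readonly List<(IBranchOrLeaveInstruction, State)> branchesTriggeringFinally = new List<(IBranchOrLeaveInstruction, State)>();

		/// <summary>
		/// Transfers the current state to the branch target (deferred if the branch triggers a finally block)
		/// and marks the code following the branch as unreachable.
		/// </summary>
		protected internal override void VisitBranch(Branch inst)
		{
			if (inst.TriggersFinallyBlock)
			{
				Debug.Assert(state.LessThanOrEqual(currentStateOnException));
				branchesTriggeringFinally.Add((inst, state.Clone()));
			}
			else
			{
				MergeBranchStateIntoTargetBlock(inst, state);
			}
			MarkUnreachable();
		}

		/// <summary>
		/// Joins <paramref name="branchState"/> into the input state of the branch target and,
		/// if that input state changed, queues the target block on its container's work list.
		/// </summary>
		void MergeBranchStateIntoTargetBlock(Branch inst, State branchState)
		{
			var targetBlock = inst.TargetBlock;
			var targetState = GetBlockInputState(targetBlock);
			if (branchState.LessThanOrEqual(targetState))
			{
				// Nothing new for the target block.
				return;
			}

			targetState.JoinWith(branchState);

			BlockContainer container = (BlockContainer)targetBlock.Parent;
			if (workLists.TryGetValue(container, out var workList))
			{
				workList.Add(targetBlock.ChildIndex);
			}
			else
			{
				Debug.Fail("Failed to find target BlockContainer");
			}
		}

		/// <summary>
		/// Visits the leave value, transfers the current state to the end-point of the target container
		/// (deferred if the leave triggers a finally block) and marks the following code as unreachable.
		/// </summary>
		protected internal override void VisitLeave(Leave inst)
		{
			inst.Value.AcceptVisitor(this);
			if (inst.TriggersFinallyBlock)
			{
				Debug.Assert(state.LessThanOrEqual(currentStateOnException));
				branchesTriggeringFinally.Add((inst, state.Clone()));
			}
			else
			{
				MergeBranchStateIntoStateOnLeave(inst, state);
			}
			MarkUnreachable();
		}

		/// <summary>
		/// Joins <paramref name="branchState"/> into the end-point state of the container targeted by the leave.
		/// </summary>
		void MergeBranchStateIntoStateOnLeave(Leave inst, State branchState)
		{
			if (stateOnLeave.TryGetValue(inst.TargetContainer, out State targetState))
			{
				targetState.JoinWith(branchState);
			}
			else
			{
				stateOnLeave.Add(inst.TargetContainer, branchState.Clone());
			}
			// Note: We don't have to put the block container onto the work queue,
			// because it's an ancestor of the Leave instruction, and hence
			// we are currently somewhere within the VisitBlockContainer() call.
		}

		/// <summary>
		/// Visits the argument; the code after a throw is unreachable.
		/// </summary>
		protected internal override void VisitThrow(Throw inst)
		{
			inst.Argument.AcceptVisitor(this);
			MarkUnreachable();
		}

		/// <summary>
		/// The code after a rethrow is unreachable.
		/// </summary>
		protected internal override void VisitRethrow(Rethrow inst)
		{
			MarkUnreachable();
		}

		/// <summary>
		/// The code after an invalid branch is treated as unreachable.
		/// </summary>
		protected internal override void VisitInvalidBranch(InvalidBranch inst)
		{
			MarkUnreachable();
		}

		/// <summary>
		/// Stores the stateOnException per try instruction.
		/// </summary>
		readonly Dictionary<TryInstruction, State> stateOnException = new Dictionary<TryInstruction, State>();

		/// <summary>
		/// Visits the TryBlock.
		///
		/// Returns a new State object representing the exceptional control flow transfer out of the try block.
		/// </summary>
		protected State HandleTryBlock(TryInstruction inst)
		{
			State oldStateOnException = currentStateOnException;
			if (stateOnException.TryGetValue(inst, out State newStateOnException))
			{
				newStateOnException.JoinWith(state);
			}
			else
			{
				newStateOnException = state.Clone();
				stateOnException.Add(inst, newStateOnException);
			}

			currentStateOnException = newStateOnException;
			inst.TryBlock.AcceptVisitor(this);
			// swap back to the old object instance
			currentStateOnException = oldStateOnException;

			// No matter what kind of try-instruction this is, it's possible
			// that an async exception is thrown immediately in the handler block,
			// so propagate the state:
			oldStateOnException.JoinWith(newStateOnException);

			// Return a copy, so that the caller mutating the returned state
			// does not influence the 'stateOnException' dict
			return newStateOnException.Clone();
		}

		/// <summary>
		/// Visits the try block and then each handler (filter and body), starting each handler from the
		/// exception state; the resulting state is the join of the try end-point and all handler end-points.
		/// </summary>
		protected internal override void VisitTryCatch(TryCatch inst)
		{
			DebugStartPoint(inst);
			State onException = HandleTryBlock(inst);
			State endpoint = state.Clone();
			foreach (var handler in inst.Handlers)
			{
				state.ReplaceWith(onException);
				BeginTryCatchHandler(handler);
				handler.Filter.AcceptVisitor(this);
				// if the filter returns false, any mutations done by the filter
				// will be visible by the remaining handlers
				// (but it's also possible that the filter didn't get executed at all
				// because the exception type doesn't match)
				onException.JoinWith(state);

				handler.Body.AcceptVisitor(this);
				endpoint.JoinWith(state);
			}
			state = endpoint;
			DebugEndPoint(inst);
		}

		/// <summary>
		/// Called by <see cref="VisitTryCatch"/> before the filter of a handler is visited.
		/// The base implementation does nothing.
		/// </summary>
		protected virtual void BeginTryCatchHandler(TryCatchHandler inst)
		{
		}

		/// <summary>
		/// TryCatchHandler is handled directly in VisitTryCatch
		/// </summary>
		protected internal override sealed void VisitTryCatchHandler(TryCatchHandler inst)
		{
			throw new NotSupportedException();
		}

		/// <summary>
		/// Visits the try block and the finally block, then applies the finally end-state to the normal
		/// exit and to every branch/leave recorded while visiting this try-finally.
		/// </summary>
		protected internal override void VisitTryFinally(TryFinally inst)
		{
			DebugStartPoint(inst);
			// Only entries added from here on belong to this try-finally.
			int branchesTriggeringFinallyOldCount = branchesTriggeringFinally.Count;
			// At first, handle 'try { .. } finally { .. }' like 'try { .. } catch {} .. if (?) rethrow; }'
			State onException = HandleTryBlock(inst);
			State onSuccess = state.Clone();
			state.JoinWith(onException);
			inst.FinallyBlock.AcceptVisitor(this);
			//PropagateStateOnException(); // rethrow the exception after the finally block -- should be redundant
			Debug.Assert(state.LessThanOrEqual(currentStateOnException));

			ProcessBranchesLeavingTryFinally(inst, branchesTriggeringFinallyOldCount);

			// Use TriggerFinally() to ensure points after the try-finally are reachable only if both the
			// try and the finally endpoints are reachable.
			onSuccess.TriggerFinally(state);
			state = onSuccess;
			DebugEndPoint(inst);
		}

		/// <summary>
		/// Process branches leaving the try-finally,
		///  * Calls TriggerFinally() on each branchesTriggeringFinally
		///  * Removes entries from branchesTriggeringFinally if they won't trigger additional finally blocks.
		///  * After all finallies are applied, the branch state is merged into the target block.
		/// </summary>
		void ProcessBranchesLeavingTryFinally(TryFinally tryFinally, int branchesTriggeringFinallyOldCount)
		{
			// Entries that trigger another finally are compacted to the front of the processed range;
			// everything from outPos onwards is dropped at the end.
			int outPos = branchesTriggeringFinallyOldCount;
			for (int i = branchesTriggeringFinallyOldCount; i < branchesTriggeringFinally.Count; ++i)
			{
				var (branch, branchState) = branchesTriggeringFinally[i];
				Debug.Assert(((ILInstruction)branch).IsDescendantOf(tryFinally));
				Debug.Assert(tryFinally.IsDescendantOf(branch.TargetContainer));
				branchState.TriggerFinally(state);
				bool triggersAnotherFinally = Branch.GetExecutesFinallyBlock(tryFinally, branch.TargetContainer);
				if (triggersAnotherFinally)
				{
					branchesTriggeringFinally[outPos++] = (branch, branchState);
				}
				else if (branch is Leave leave)
				{
					// Merge state into the end-point of the target container.
					MergeBranchStateIntoStateOnLeave(leave, branchState);
				}
				else
				{
					// Merge state into target block.
					MergeBranchStateIntoTargetBlock((Branch)branch, branchState);
				}
			}
			branchesTriggeringFinally.RemoveRange(outPos, branchesTriggeringFinally.Count - outPos);
		}

		/// <summary>
		/// Visits the try block and the fault block; the resulting state is the normal end-point of the try block.
		/// </summary>
		protected internal override void VisitTryFault(TryFault inst)
		{
			DebugStartPoint(inst);
			// try-fault executes fault block if an exception occurs in try,
			// and always rethrows the exception at the end.
			State onException = HandleTryBlock(inst);
			State onSuccess = state;
			state = onException;
			inst.FaultBlock.AcceptVisitor(this);
			//PropagateStateOnException(); // rethrow the exception after the fault block
			Debug.Assert(state.LessThanOrEqual(currentStateOnException));

			// try-fault exits normally only if no exception occurred
			state = onSuccess;
			DebugEndPoint(inst);
		}

		/// <summary>
		/// Evaluates the condition, visits both branches with their respective input states
		/// and joins the two end states.
		/// </summary>
		protected internal override void VisitIfInstruction(IfInstruction inst)
		{
			DebugStartPoint(inst);
			var (beforeThen, beforeElse) = EvaluateCondition(inst.Condition);
			state = beforeThen;
			inst.TrueInst.AcceptVisitor(this);
			State afterTrueState = state;
			state = beforeElse;
			inst.FalseInst.AcceptVisitor(this);
			state.JoinWith(afterTrueState);
			DebugEndPoint(inst);
		}

		/// <summary>
		/// Evaluates the condition of an if.
		/// </summary>
		/// <returns>
		/// A pair of:
		///  * The state after the condition evaluates to true
		///  * The state after the condition evaluates to false
		/// </returns>
		/// <remarks>
		/// <c>this.state</c> is invalid after this function was called, and must be overwritten
		/// with one of the return values.
		/// </remarks>
		(State OnTrue, State OnFalse) EvaluateCondition(ILInstruction inst)
		{
			if (inst is IfInstruction ifInst)
			{
				// 'if (a?b:c)' or similar.
				// This also includes conditions that are logic.not, logic.and, logic.or.
				DebugStartPoint(ifInst);
				var (beforeThen, beforeElse) = EvaluateCondition(ifInst.Condition);
				state = beforeThen;
				var (afterThenTrue, afterThenFalse) = EvaluateCondition(ifInst.TrueInst);
				state = beforeElse;
				var (afterElseTrue, afterElseFalse) = EvaluateCondition(ifInst.FalseInst);

				var onTrue = afterThenTrue;
				onTrue.JoinWith(afterElseTrue);
				var onFalse = afterThenFalse;
				onFalse.JoinWith(afterElseFalse);

				DebugEndPoint(ifInst);
				return (onTrue, onFalse);
			}
			else if (inst is LdcI4 constant)
			{
				// Constant condition: only one of the two outcomes is reachable.
				if (constant.Value == 0)
				{
					return (bottomState.Clone(), state);
				}
				else
				{
					return (state, bottomState.Clone());
				}
			}
			else if (inst is MatchInstruction match)
			{
				return EvaluateMatch(match);
			}
			else
			{
				// other kind of condition
				inst.AcceptVisitor(this);
				return (state, state.Clone());
			}
		}

		/// <summary>
		/// Evaluates the match and continues with the join of the "matched" and "not matched" states.
		/// </summary>
		protected internal override void VisitMatchInstruction(MatchInstruction inst)
		{
			var (onTrue, onFalse) = EvaluateMatch(inst);
			state = onTrue;
			state.JoinWith(onFalse);
		}

		/// <summary>
		/// Evaluates a match instruction.
		/// </summary>
		/// <returns>
		/// A pair of:
		///  * The state after the pattern matches
		///  * The state after the pattern fails to match
		/// </returns>
		/// <remarks>
		/// <c>this.state</c> is invalid after this function was called, and must be overwritten
		/// with one of the return values.
		/// </remarks>
		(State OnTrue, State OnFalse) EvaluateMatch(MatchInstruction inst)
		{
			DebugStartPoint(inst);
			inst.TestedOperand.AcceptVisitor(this);
			State onFalse = state.Clone();
			if (!inst.CheckNotNull && !inst.CheckType)
			{
				// Without a null check or type check, the "no match" state starts out unreachable;
				// only the sub-patterns below can contribute to it.
				onFalse.ReplaceWithBottom();
			}
			HandleMatchStore(inst);
			foreach (var subPattern in inst.SubPatterns)
			{
				var (subTrue, subFalse) = EvaluateCondition(subPattern);
				onFalse.JoinWith(subFalse);
				state = subTrue;
			}
			DebugEndPoint(inst);
			return (state, onFalse);
		}

		/// <summary>
		/// Called by <see cref="EvaluateMatch"/> after the tested operand was visited
		/// and before the sub-patterns are evaluated.
		/// </summary>
		protected abstract void HandleMatchStore(MatchInstruction inst);

		protected internal override void VisitNullCoalescingInstruction(NullCoalescingInstruction inst)
		{
			HandleBinaryWithOptionalEvaluation(inst, inst.ValueInst, inst.FallbackInst);
		}

		protected internal override void VisitDynamicLogicOperatorInstruction(DynamicLogicOperatorInstruction inst)
		{
			HandleBinaryWithOptionalEvaluation(inst, inst.Left, inst.Right);
		}

		protected internal override void VisitUserDefinedLogicOperator(UserDefinedLogicOperator inst)
		{
			HandleBinaryWithOptionalEvaluation(inst, inst.Left, inst.Right);
		}

		/// <summary>
		/// Visits <paramref name="left"/>, then <paramref name="right"/>, and joins the state after
		/// <paramref name="left"/> into the result, so that the end state also covers the path
		/// on which <paramref name="right"/> is not evaluated.
		/// </summary>
		void HandleBinaryWithOptionalEvaluation(ILInstruction parent, ILInstruction left, ILInstruction right)
		{
			DebugStartPoint(parent);
			left.AcceptVisitor(this);
			State branchState = state.Clone();
			right.AcceptVisitor(this);
			state.JoinWith(branchState);
			DebugEndPoint(parent);
		}

		/// <summary>
		/// Joined state of the NullableUnwrap instructions visited so far within the current NullableRewrap.
		/// </summary>
		State stateOnNullableRewrap;

		protected internal override void VisitNullableRewrap(NullableRewrap inst)
		{
			DebugStartPoint(inst);
			// Save the state of the enclosing rewrap; it is restored below.
			var oldState = stateOnNullableRewrap.Clone();
			stateOnNullableRewrap.ReplaceWithBottom();

			inst.Argument.AcceptVisitor(this);
			// Join incoming control flow from the NullableUnwraps.
			state.JoinWith(stateOnNullableRewrap);

			stateOnNullableRewrap = oldState;
			DebugEndPoint(inst);
		}

		protected internal override void VisitNullableUnwrap(NullableUnwrap inst)
		{
			DebugStartPoint(inst);
			inst.Argument.AcceptVisitor(this);
			// Conditional control flow edge to the surrounding NullableRewrap.
			stateOnNullableRewrap.JoinWith(state);
			DebugEndPoint(inst);
		}

		/// <summary>
		/// Visits the switch value, then every section starting from the state after the value;
		/// the resulting state is the join of all section end states.
		/// </summary>
		protected internal override void VisitSwitchInstruction(SwitchInstruction inst)
		{
			DebugStartPoint(inst);
			inst.Value.AcceptVisitor(this);
			State beforeSections = state.Clone();
			// NOTE(review): indexing Sections[0] assumes the switch has at least one section - confirm.
			inst.Sections[0].AcceptVisitor(this);
			State afterSections = state.Clone();
			for (int i = 1; i < inst.Sections.Count; ++i)
			{
				state.ReplaceWith(beforeSections);
				inst.Sections[i].AcceptVisitor(this);
				afterSections.JoinWith(state);
			}
			state = afterSections;
			DebugEndPoint(inst);
		}

		protected internal override void VisitYieldReturn(YieldReturn inst)
		{
			DebugStartPoint(inst);
			inst.Value.AcceptVisitor(this);
			DebugEndPoint(inst);
		}

		protected internal override void VisitUsingInstruction(UsingInstruction inst)
		{
			DebugStartPoint(inst);
			inst.ResourceExpression.AcceptVisitor(this);
			inst.Body.AcceptVisitor(this);
			DebugEndPoint(inst);
		}

		protected internal override void VisitLockInstruction(LockInstruction inst)
		{
			DebugStartPoint(inst);
			inst.OnExpression.AcceptVisitor(this);
			inst.Body.AcceptVisitor(this);
			DebugEndPoint(inst);
		}

		/// <summary>
		/// Not implemented by this base class.
		/// </summary>
		protected internal override void VisitILFunction(ILFunction function)
		{
			throw new NotImplementedException();
		}
	}
}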