Add parameter type signatures for IL and JVM methods (#358)

* Add parameter type signatures for IL methods/calls

Extract and propagate parenthesized parameter type signatures to enable overload-precise identification and matching of methods and unresolved call targets.

- Extractor: ILExtractor now emits il_method_param_signature and il_call_target_param_signature tuples.
- DB schema: Added il_method_param_signature and il_call_target_param_signature to semmlecode.binary.dbscheme.
- QL API/AST: Exposed/getters for param signatures across CilInstructions, IR, InstructionSig, TranslatedElement/Function/Instruction and transform layers so signatures flow through translation.
- Translated implementations: TranslatedCilMethod and relevant translated call/new-object logic return the extracted signatures; non-CIL backends return wildcards where appropriate.
- VulnerableCalls: Expanded the vulnerableCallModel and related predicates to include paramSignature and updated matching logic to accept exact signatures or wildcard '*'.
- Models: Updated example YAML models to include a '*' paramSignature for existing entries.

This change improves precision when matching overloaded methods for analyses such as vulnerable-call detection.

* Add method param signatures and JVM stack metadata

Expose a getParamSignature API on InstructionSig (and the TransformInstruction implementation) to return parenthesized parameter-type signatures (e.g. "(System.String,System.Int32)"). Extend the extraction DB schema with il_method_param_signature and il_call_target_param_signature to enable overload-precise method identification, and add jvm_stack_height and jvm_stack_slot tables to record JVM stack heights and map stack slots to producer instructions to simplify stack-based dataflow analysis.

* Include same-assembly method definitions in vulnerable method closure

For root cause mode analysis, where the vulnerable methods being traced are
defined in the same binary being analyzed (not referenced cross-assembly),
getAVulnerableMethod needs a base case that matches method definitions by
their fully-qualified name and parameter signature.

Previously, only cross-assembly calls via ExternalRefInstruction were matched
as the base case. Intra-assembly calls are handled by the existing transitive
getStaticTarget() clause, but the closure never started because the base case
only found external ref call sites.

The new clause matches methods defined in the current binary against the model,
respecting the paramSignature field (including wildcard '*'). For standard
cross-assembly analysis this is a no-op since the model methods won't be
defined in the binary being analyzed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Sync JVM extractor dbscheme with ql lib

The ql lib dbscheme was updated with il_method_param_signature,
il_call_target_param_signature, jvm_stack_height, and jvm_stack_slot tables
but the JVM extractor's copy was not updated. This causes a schema mismatch
when building a JVM database and then running the binary-ql queries against it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add parameter type signature extraction for JVM bytecode

The CIL extractor already emits il_method_param_signature and
il_call_target_param_signature for overload-precise method matching.
This commit adds the same capability to the JVM bytecode extractor.

JVM extractor changes:
- ParseParamSignature: converts JVM descriptors (e.g. '(Ljava/lang/Object;JJ)V')
  to human-readable signatures (e.g. '(Object,long,long)')
- ExtractMethod: emits il_method_param_signature for method definitions
- ExtractMethodRef: emits il_call_target_param_signature for call sites

QL library changes:
- JvmMethod: add getParamSignature() backed by il_method_param_signature
- JvmInvoke: add getParamSignature() backed by il_call_target_param_signature
- TranslatedJvmInvoke: wire getExternalParamSignature to instr.getParamSignature()
- TranslatedJvmFunction: use method.getParamSignature() instead of wildcard '*'

VulnerableCalls.qll:
- VulnerableMethodCall: handle case where extRef lacks param signature
  (backwards compat for databases built before this change)
- Root cause base case: handle functions with wildcard param signature

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix JVM param signature to use JVM-specific dbscheme table

il_call_target_param_signature references @il_instruction which is incompatible
with JVM's @jvm_instruction type. Add jvm_call_target_param_signature table for
JVM call target signatures and update the extractor and QL to use it.

Also sync all extractor dbschemes (JVM and CIL) with the canonical ql/lib copy.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: gfs

binary/extractor/cil/Semmle.Extraction.CSharp.IL/ILExtractor.cs

@@ -111,6 +111,11 @@ private void ExtractMethod(MethodDefinition method, int typeId) {
     // Write access flags
     trap.WriteTuple("cil_method_access_flags", methodId, (int)method.Attributes);
 
+    // Write parameter type signature for overload-precise identification
+    var methodParamTypes = string.Join(",",
+        method.Parameters.Select(p => p.ParameterType.FullName.Replace('/', '.')));
+    trap.WriteTuple("il_method_param_signature", methodId, $"({methodParamTypes})");
+
     if (method.HasBody) {
       ExtractMethodBody(method, methodId);
     }
@@ -182,6 +187,10 @@ private void ExtractMethodBody(MethodDefinition method, int methodId) {
         var targetMethodName = $"{declaringTypeName}.{methodRef.Name}";
         trap.WriteTuple("il_call_target_unresolved", instrId, targetMethodName);
         trap.WriteTuple("il_number_of_arguments", instrId, methodRef.Parameters.Count);
+        // Emit parameter type signature for overload-precise matching
+        var paramTypes = string.Join(",",
+            methodRef.Parameters.Select(p => p.ParameterType.FullName.Replace('/', '.')));
+        trap.WriteTuple("il_call_target_param_signature", instrId, $"({paramTypes})");
         if(methodRef.MethodReturnType.ReturnType.MetadataType is not Mono.Cecil.MetadataType.Void) {
           trap.WriteTuple("il_call_has_return_value", instrId);
         }

binary/extractor/cil/semmlecode.binary.dbscheme

@@ -2467,6 +2467,28 @@ il_call_target_unresolved(
   string target_method_name: string ref
 );
 
+/**
+ * Parameter type signature for method definitions.
+ * The param_signature is a parenthesized, comma-separated list of fully-qualified
+ * parameter type names, e.g. "(System.String,System.Int32)" or "()" for no parameters.
+ * This enables overload-precise identification of methods during export.
+ */
+il_method_param_signature(
+  int method: @method ref,
+  string param_signature: string ref
+);
+
+/**
+ * Parameter type signature for unresolved method call targets.
+ * The param_signature is a parenthesized, comma-separated list of fully-qualified
+ * parameter type names, e.g. "(System.String,System.Int32)" or "()" for no parameters.
+ * This enables overload-precise matching of call targets.
+ */
+il_call_target_param_signature(
+  int instruction: @il_instruction ref,
+  string param_signature: string ref
+);
+
 il_field_operand(
   int instruction: @il_instruction ref,
   string declaring_type_name: string ref,
@@ -2990,3 +3012,13 @@ jvm_stack_slot(
   int slot: int ref,
   int producer_id: @jvm_instruction ref
 );
+
+/**
+ * Parameter type signature for JVM method call targets.
+ * The param_signature is a parenthesized, comma-separated list of human-readable
+ * parameter type names, e.g. "(Object,long,long)" or "()" for no parameters.
+ */
+jvm_call_target_param_signature(
+  int instruction: @jvm_instruction ref,
+  string param_signature: string ref
+);

binary/extractor/jvm/Semmle.Extraction.Java.ByteCode/JvmExtractor.cs

@@ -142,6 +142,10 @@ private void ExtractMethod(Method method, int typeId, ClassFile classFile, strin
         // Extract access flags as raw bitmask
         trap.WriteTuple("jvm_method_access_flags", methodId, (int)method.AccessFlags);
 
+        // Write parameter type signature for overload-precise identification
+        var descriptorUtf8ForSig = classFile.Constants.Get(method.Descriptor);
+        trap.WriteTuple("il_method_param_signature", methodId, ParseParamSignature(descriptorUtf8ForSig.Value));
+
         // Check if this is a static method (for parameter indexing)
         bool isStatic = (method.AccessFlags & AccessFlag.Static) != 0;
 
@@ -647,6 +651,12 @@ private void ExtractMethodRef(Instruction instr, int instrId, ClassFile classFil
             int paramCount = CountParameters(descriptor);
             trap.WriteTuple("jvm_number_of_arguments", instrId, paramCount);
 
+            // Write parameter type signature for overload-precise matching
+            if (!string.IsNullOrEmpty(descriptor))
+            {
+                trap.WriteTuple("jvm_call_target_param_signature", instrId, ParseParamSignature(descriptor));
+            }
+
             if (!IsVoidReturn(descriptor))
             {
                 trap.WriteTuple("jvm_call_has_return_value", instrId);
@@ -782,6 +792,66 @@ private static int CountParameters(string descriptor)
         return count;
     }
 
+    /// <summary>
+    /// Converts a JVM method descriptor to a parenthesized, comma-separated
+    /// parameter type signature, e.g. "(Ljava/lang/Object;JJ)V" becomes
+    /// "(Object,long,long)".
+    /// </summary>
+    private static string ParseParamSignature(string descriptor)
+    {
+        if (!descriptor.StartsWith("("))
+            return "(*)";
+
+        int closeParenIdx = descriptor.IndexOf(')');
+        if (closeParenIdx < 0)
+            return "(*)";
+
+        var paramPart = descriptor.Substring(1, closeParenIdx - 1);
+        var types = new System.Collections.Generic.List<string>();
+        int i = 0;
+        while (i < paramPart.Length)
+        {
+            int arrayDims = 0;
+            while (i < paramPart.Length && paramPart[i] == '[')
+            {
+                arrayDims++;
+                i++;
+            }
+
+            if (i >= paramPart.Length)
+                break;
+
+            string baseType;
+            char c = paramPart[i];
+            switch (c)
+            {
+                case 'B': baseType = "byte"; i++; break;
+                case 'C': baseType = "char"; i++; break;
+                case 'D': baseType = "double"; i++; break;
+                case 'F': baseType = "float"; i++; break;
+                case 'I': baseType = "int"; i++; break;
+                case 'J': baseType = "long"; i++; break;
+                case 'S': baseType = "short"; i++; break;
+                case 'Z': baseType = "boolean"; i++; break;
+                case 'L':
+                    int semiIdx = paramPart.IndexOf(';', i);
+                    if (semiIdx < 0) semiIdx = paramPart.Length;
+                    // Extract class name, convert / to ., strip leading L
+                    baseType = paramPart.Substring(i + 1, semiIdx - i - 1).Replace('/', '.');
+                    i = semiIdx + 1;
+                    break;
+                default:
+                    baseType = "?";
+                    i++;
+                    break;
+            }
+
+            types.Add(baseType + new string('[', arrayDims) + new string(']', arrayDims));
+        }
+
+        return "(" + string.Join(",", types) + ")";
+    }
+
     private static bool IsVoidReturn(string descriptor)
     {
         return descriptor.EndsWith(")V");

binary/extractor/jvm/semmlecode.binary.dbscheme

@@ -2467,6 +2467,28 @@ il_call_target_unresolved(
   string target_method_name: string ref
 );
 
+/**
+ * Parameter type signature for method definitions.
+ * The param_signature is a parenthesized, comma-separated list of fully-qualified
+ * parameter type names, e.g. "(System.String,System.Int32)" or "()" for no parameters.
+ * This enables overload-precise identification of methods during export.
+ */
+il_method_param_signature(
+  int method: @method ref,
+  string param_signature: string ref
+);
+
+/**
+ * Parameter type signature for unresolved method call targets.
+ * The param_signature is a parenthesized, comma-separated list of fully-qualified
+ * parameter type names, e.g. "(System.String,System.Int32)" or "()" for no parameters.
+ * This enables overload-precise matching of call targets.
+ */
+il_call_target_param_signature(
+  int instruction: @il_instruction ref,
+  string param_signature: string ref
+);
+
 il_field_operand(
   int instruction: @il_instruction ref,
   string declaring_type_name: string ref,
@@ -2966,3 +2988,37 @@ jvm_method_access_flags(
   unique int method: @method ref,
   int flags: int ref
 );
+
+/**
+ * Stack height at entry to a JVM instruction.
+ * This is computed by abstract interpretation during extraction.
+ */
+jvm_stack_height(
+  unique int instr: @jvm_instruction ref,
+  int height: int ref
+);
+
+/**
+ * Maps a stack slot at a specific instruction to the instruction that produced the value.
+ * slot 0 is the top of the stack, slot 1 is below that, etc.
+ * producer_id is the instruction ID that pushed this value onto the stack.
+ * 
+ * This allows QL to determine data flow through the operand stack without
+ * expensive recursive CFG traversal.
+ */
+#keyset[instr, slot]
+jvm_stack_slot(
+  int instr: @jvm_instruction ref,
+  int slot: int ref,
+  int producer_id: @jvm_instruction ref
+);
+
+/**
+ * Parameter type signature for JVM method call targets.
+ * The param_signature is a parenthesized, comma-separated list of human-readable
+ * parameter type names, e.g. "(Object,long,long)" or "()" for no parameters.
+ */
+jvm_call_target_param_signature(
+  int instruction: @jvm_instruction ref,
+  string param_signature: string ref
+);

binary/ql/lib/semmle/code/binary/ast/internal/CilInstructions.qll

@@ -141,6 +141,9 @@ class CilMethod extends @method {
     result.getIndex() = i
   }
 
+  /** Gets the parenthesized parameter type signature, e.g. `(System.String,System.Int32)`. */
+  string getParamSignature() { il_method_param_signature(this, result) }
+
   CilType getDeclaringType() { methods(this, _, _, result) }
 
   Location getLocation() { none() } // TODO: Extract
@@ -430,6 +433,9 @@ abstract class CilCallOrNewObject extends CilInstruction {
   final int getNumberOfArguments() { il_number_of_arguments(this, result) }
 
   final string getExternalName() { il_call_target_unresolved(this, result) }
+
+  /** Gets the parenthesized parameter type signature, e.g. `(System.String,System.Int32)`. */
+  final string getParamSignature() { il_call_target_param_signature(this, result) }
 }
 
 abstract class CilCall extends CilCallOrNewObject {

binary/ql/lib/semmle/code/binary/ast/internal/JvmInstructions.qll

@@ -64,6 +64,9 @@ class JvmMethod extends @method {
 
   private string getSignature() { methods(this, _, result, _) }
 
+  /** Gets the parenthesized parameter type signature, e.g. `(Object,long,long)`. */
+  string getParamSignature() { il_method_param_signature(this, result) }
+
   predicate isVoid() { this.getSignature().matches("%)V") }
 
   JvmInstruction getAnInstruction() { jvm_instruction_method(result, this) }
@@ -1209,6 +1212,8 @@ class JvmPutfield extends @jvm_putfield, JvmFieldStore { }
 abstract class JvmInvoke extends JvmInstruction {
   string getCallTarget() { jvm_call_target_unresolved(this, result) }
 
+  string getParamSignature() { jvm_call_target_param_signature(this, result) }
+
   int getNumberOfArguments() { jvm_number_of_arguments(this, result) }
 
   predicate hasReturnValue() { jvm_call_has_return_value(this) }

binary/ql/lib/semmle/code/binary/ast/ir/IR.qll

@@ -25,6 +25,9 @@ private module FinalInstruction {
 
     predicate isPublic() { super.isPublic() }
 
+    /** Gets the parenthesized parameter type signature, e.g. `(System.String,System.Int32)`. */
+    string getParamSignature() { result = super.getParamSignature() }
+
     /**
      * Gets the fully qualified name of this method in the format:
      * "Namespace.ClassName.MethodName".
@@ -302,6 +305,9 @@ private module FinalInstruction {
   class ExternalRefInstruction extends Instruction instanceof Instruction::ExternalRefInstruction {
     string getExternalName() { result = super.getExternalName() }
 
+    /** Gets the parenthesized parameter type signature, e.g. `(System.String,System.Int32)`. */
+    string getExternalParamSignature() { result = super.getExternalParamSignature() }
+
     cached
     predicate hasFullyQualifiedName(string namespace, string className, string methodName) {
       exists(string s, string r |

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Function.qll

@@ -25,5 +25,8 @@ class Function extends TFunction {
 
   predicate isPublic() { f.isPublic() }
 
+  /** Gets the parenthesized parameter type signature, e.g. `(System.String,System.Int32)`. */
+  string getParamSignature() { result = f.getParamSignature() }
+
   Type getDeclaringType() { result.getAFunction() = this }
 }

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/Instruction.qll

@@ -176,6 +176,9 @@ class ExternalRefInstruction extends Instruction {
 
   string getExternalName() { result = te.getExternalName(tag) }
 
+  /** Gets the parenthesized parameter type signature, e.g. `(System.String,System.Int32)`. */
+  string getExternalParamSignature() { result = te.getExternalParamSignature(tag) }
+
   final override string getImmediateValue() { result = this.getExternalName() }
 }
 

binary/ql/lib/semmle/code/binary/ast/ir/internal/Instruction0/TranslatedElement.qll

@@ -263,6 +263,12 @@ abstract class TranslatedElement extends TTranslatedElement {
    */
   string getExternalName(InstructionTag tag) { none() }
 
+  /**
+   * Gets the parameter type signature for an external call with the given tag, e.g.
+   * `(System.String,System.Int32)`. This `tag` must refer to an `ExternalRef` instruction.
+   */
+  string getExternalParamSignature(InstructionTag tag) { none() }
+
   /**
    * Gets the name of the field referenced by an instruction with the given tag. This `tag` must refer to
    * a `FieldAddress` instruction (that is, an instruction for which