fix(analysis): detect atomic ref mutations and value-type address flows

- Treat Volatile.Write and Interlocked ref operations as mutations
- Track value-type address loads (ldarga/ldloca/ldflda/ldsflda) in flow/reference analysis

Author: CedaryCat

src/OTAPI.UnifiedServerProcess/Core/Analysis/ParamModificationAnalysis/ParamModificationAnalyzer.cs

@@ -227,6 +227,28 @@ static bool TryAddModifications(Dictionary<string, Dictionary<int, ParameterMuta
                 return result;
             }
 
+            static bool IsAtomicModificationMethod(MethodReference callee) {
+                if (callee.Parameters.Count == 0 || callee.Parameters[0].ParameterType is not ByReferenceType) {
+                    return false;
+                }
+
+                if (callee.DeclaringType.FullName == typeof(System.Threading.Volatile).FullName) {
+                    return callee.Name is "Write";
+                }
+
+                if (callee.DeclaringType.FullName == typeof(System.Threading.Interlocked).FullName) {
+                    return callee.Name is "Exchange"
+                        or "CompareExchange"
+                        or "Increment"
+                        or "Decrement"
+                        or "Add"
+                        or "And"
+                        or "Or";
+                }
+
+                return false;
+            }
+
             void HandleModifyField(Instruction instruction) {
                 FieldReference field = (FieldReference)instruction.Operand;
                 foreach (var path in MonoModCommon.Stack.AnalyzeInstructionArgsSources(method, instruction, jumpSites)) {
@@ -325,6 +347,32 @@ void HandleModifyCollectionElement(ParameterUsageTrack tracedMethodData, MonoMod
                     }
                 }
             }
+            void HandleModifyAtomicOperation(ParameterUsageTrack tracedMethodData, MonoModCommon.Stack.StackTopTypePath[][] loadParamsInEveryPaths) {
+                const int atomicRefParameterIndex = 0;
+
+                foreach (var paramGroup in loadParamsInEveryPaths) {
+                    if (paramGroup.Length <= atomicRefParameterIndex) {
+                        continue;
+                    }
+
+                    var loadModifyingInstance = paramGroup[atomicRefParameterIndex];
+
+                    // If loadModifyingInstance.RealPushValueInstruction is not coming from the Mutations of caller method, skip
+                    if (!tracedMethodData.StackValueTraces.TryGetTrace(ParameterUsageTrack.GenerateStackKey(method, loadModifyingInstance.RealPushValueInstruction), out var tracedStackData)) {
+                        continue;
+                    }
+
+                    foreach (var modifiedParameter in tracedStackData.ReferencedParameters.Values) {
+                        // Ignore the ModificationAccessPath of "this" in constructors, we only care about input parameters.
+                        if (modifiedParameter.TracedParameter.IsParameterThis(method) && method.IsConstructor) {
+                            continue;
+                        }
+                        if (CheckAndAddModifications(modifiedParametersAllMethods, processingMethodId, method, modifiedParameter)) {
+                            hasExternalChange = true;
+                        }
+                    }
+                }
+            }
             void HandleMethodCall(Instruction instruction) {
 
                 MethodReference callee = (MethodReference)instruction.Operand;
@@ -361,6 +409,10 @@ void HandleMethodCall(Instruction instruction) {
                     HandleModifyCollectionElement(tracedMethodData, loadParamsInEveryPaths, instruction);
                     return;
                 }
+                if (IsAtomicModificationMethod(callee)) {
+                    HandleModifyAtomicOperation(tracedMethodData, loadParamsInEveryPaths);
+                    return;
+                }
 
                 //// We assume that if "this" is modified in invocation,
                 //// it's equivalent to Mutations "this" has modified when the delegate is created

src/OTAPI.UnifiedServerProcess/Core/Analysis/ParameterFlowAnalysis/ParameterFlowAnalyzer.cs

@@ -179,9 +179,11 @@ private void ProcessMethod(
                         case Code.Ldarg_3:
                         case Code.Ldarg_S:
                         case Code.Ldarg:
+                            HandleLoadArgument(instruction, false);
+                            break;
                         case Code.Ldarga_S:
                         case Code.Ldarga:
-                            HandleLoadArgument(instruction);
+                            HandleLoadArgument(instruction, true);
                             break;
 
                         case Code.Stloc_0:
@@ -199,14 +201,18 @@ private void ProcessMethod(
                         case Code.Ldloc_3:
                         case Code.Ldloc_S:
                         case Code.Ldloc:
+                            HandleLoadLocal(instruction, false);
+                            break;
                         case Code.Ldloca_S:
                         case Code.Ldloca:
-                            HandleLoadLocal(instruction);
+                            HandleLoadLocal(instruction, true);
                             break;
 
                         case Code.Ldfld:
+                            HandleLoadField(instruction, false);
+                            break;
                         case Code.Ldflda:
-                            HandleLoadField(instruction);
+                            HandleLoadField(instruction, true);
                             break;
 
                         case Code.Stfld:
@@ -255,9 +261,9 @@ void HandleReturnInstruction(Instruction instruction) {
                 }
             }
 
-            void HandleLoadArgument(Instruction instruction) {
+            void HandleLoadArgument(Instruction instruction, bool isAddress) {
                 var parameter = MonoModCommon.IL.GetReferencedParameter(method, instruction);
-                if (parameter.ParameterType.IsTruelyValueType()) return;
+                if (parameter.ParameterType.IsTruelyValueType() && !isAddress) return;
 
                 ParameterTracingChain chain = new ParameterTracingChain(parameter, [], []);
                 var stackKey = ParameterUsageTrack.GenerateStackKey(method, instruction);
@@ -285,9 +291,9 @@ void HandleStoreLocal(Instruction instruction) {
                 }
             }
 
-            void HandleLoadLocal(Instruction instruction) {
+            void HandleLoadLocal(Instruction instruction, bool isAddress) {
                 var variable = MonoModCommon.IL.GetReferencedVariable(method, instruction);
-                if (variable.VariableType.IsTruelyValueType()) return;
+                if (variable.VariableType.IsTruelyValueType() && !isAddress) return;
 
                 if (localTrace.TryGetTrace(variable, out var trace)) {
                     var stackKey = ParameterUsageTrack.GenerateStackKey(method, instruction);
@@ -297,9 +303,9 @@ void HandleLoadLocal(Instruction instruction) {
                 }
             }
 
-            void HandleLoadField(Instruction instruction) {
+            void HandleLoadField(Instruction instruction, bool isAddress) {
                 FieldReference fieldRef = (FieldReference)instruction.Operand;
-                if (fieldRef.FieldType.IsTruelyValueType()) return;
+                if (fieldRef.FieldType.IsTruelyValueType() && !isAddress) return;
 
                 foreach (var path in MonoModCommon.Stack.AnalyzeInstructionArgsSources(method, instruction, jumpSites)) {
                     foreach (var instanceLoad in MonoModCommon.Stack.AnalyzeStackTopTypeAllPaths(method, path.ParametersSources[0].Instructions.Last(), jumpSites)) {

src/OTAPI.UnifiedServerProcess/Core/Analysis/StaticFieldModificationAnalysis/StaticFieldModificationAnalyzer.cs

@@ -123,6 +123,28 @@ static void AddField(Dictionary<string, FieldDefinition> dict, FieldDefinition f
                 dict.TryAdd(field.GetIdentifier(), field);
             }
 
+            static bool IsAtomicModificationMethod(MethodReference callee) {
+                if (callee.Parameters.Count == 0 || callee.Parameters[0].ParameterType is not ByReferenceType) {
+                    return false;
+                }
+
+                if (callee.DeclaringType.FullName == typeof(System.Threading.Volatile).FullName) {
+                    return callee.Name is "Write";
+                }
+
+                if (callee.DeclaringType.FullName == typeof(System.Threading.Interlocked).FullName) {
+                    return callee.Name is "Exchange"
+                        or "CompareExchange"
+                        or "Increment"
+                        or "Decrement"
+                        or "Add"
+                        or "And"
+                        or "Or";
+                }
+
+                return false;
+            }
+
             staticFieldReferenceAnalyzer.AnalyzedMethods.TryGetValue(caller.GetIdentifier(), out StaticFieldUsageTrack? staticFieldReferenceData);
 
             Dictionary<Instruction, List<Instruction>> jumpSites = this.GetMethodJumpSites(caller);
@@ -200,6 +222,9 @@ static void AddField(Dictionary<string, FieldDefinition> dict, FieldDefinition f
                                 // The called method is a collection method
                                 || (resolvedCallee is not null && CollectionElementLayer.IsModificationMethod(typeInheritanceGraph, caller, instruction))
 
+                                // The called method performs atomic modification to the ref target
+                                || IsAtomicModificationMethod(methodRef)
+
                                 // The called method return a reference
                                 || (methodRef.ReturnType is ByReferenceType && methodRef.Name is "get_Item")) {
 

src/OTAPI.UnifiedServerProcess/Core/Analysis/StaticFieldReferenceAnalysis/StaticFieldReferenceAnalyzer.cs

@@ -186,19 +186,25 @@ private void ProcessMethod(
                         case Code.Ldloc_3:
                         case Code.Ldloc_S:
                         case Code.Ldloc:
+                            HandleLoadLocal(instruction, false);
+                            break;
                         case Code.Ldloca_S:
                         case Code.Ldloca:
-                            HandleLoadLocal(instruction);
+                            HandleLoadLocal(instruction, true);
                             break;
 
                         case Code.Ldsfld:
+                            HandleLoadStaticField(instruction, false);
+                            break;
                         case Code.Ldsflda:
-                            HandleLoadStaticField(instruction);
+                            HandleLoadStaticField(instruction, true);
                             break;
 
                         case Code.Ldfld:
+                            HandleLoadField(instruction, false);
+                            break;
                         case Code.Ldflda:
-                            HandleLoadField(instruction);
+                            HandleLoadField(instruction, true);
                             break;
 
                         case Code.Stfld:
@@ -247,10 +253,10 @@ void HandleReturnInstruction(Instruction instruction) {
                 }
             }
 
-            void HandleLoadStaticField(Instruction instruction) {
+            void HandleLoadStaticField(Instruction instruction, bool isAddress) {
                 var fieldDef = ((FieldReference)instruction.Operand).TryResolve();
                 if (fieldDef is null) return;
-                if (fieldDef.FieldType.IsTruelyValueType()) return;
+                if (fieldDef.FieldType.IsTruelyValueType() && !isAddress) return;
 
                 var stackKey = StaticFieldUsageTrack.GenerateStackKey(method, instruction);
 
@@ -277,9 +283,9 @@ void HandleStoreLocal(Instruction instruction) {
                 }
             }
 
-            void HandleLoadLocal(Instruction instruction) {
+            void HandleLoadLocal(Instruction instruction, bool isAddress) {
                 var variable = MonoModCommon.IL.GetReferencedVariable(method, instruction);
-                if (variable.VariableType.IsTruelyValueType()) return;
+                if (variable.VariableType.IsTruelyValueType() && !isAddress) return;
 
                 // If loading a traced variable to the stack, then we need to update the stack trace
                 if (localTrace.TryGetTrace(variable, out var trace)) {
@@ -290,9 +296,9 @@ void HandleLoadLocal(Instruction instruction) {
                 }
             }
 
-            void HandleLoadField(Instruction instruction) {
+            void HandleLoadField(Instruction instruction, bool isAddress) {
                 FieldReference fieldRef = (FieldReference)instruction.Operand;
-                if (fieldRef.FieldType.IsTruelyValueType()) return;
+                if (fieldRef.FieldType.IsTruelyValueType() && !isAddress) return;
 
                 foreach (var path in MonoModCommon.Stack.AnalyzeInstructionArgsSources(method, instruction, jumpSites)) {
                     foreach (var instanceLoad in MonoModCommon.Stack.AnalyzeStackTopTypeAllPaths(method, path.ParametersSources[0].Instructions.Last(), jumpSites)) {

src/OTAPI.UnifiedServerProcess/Core/Patching/FieldFilterPatching/InitialFieldModificationProcessor.cs

@@ -150,6 +150,28 @@ void AddFieldModification(MethodDefinition method, Dictionary<string, HashSet<In
                 }
             }
 
+            static bool IsAtomicModificationMethod(MethodReference callee) {
+                if (callee.Parameters.Count == 0 || callee.Parameters[0].ParameterType is not ByReferenceType) {
+                    return false;
+                }
+
+                if (callee.DeclaringType.FullName == typeof(System.Threading.Volatile).FullName) {
+                    return callee.Name is "Write";
+                }
+
+                if (callee.DeclaringType.FullName == typeof(System.Threading.Interlocked).FullName) {
+                    return callee.Name is "Exchange"
+                        or "CompareExchange"
+                        or "Increment"
+                        or "Decrement"
+                        or "Add"
+                        or "And"
+                        or "Or";
+                }
+
+                return false;
+            }
+
             foreach (Instruction? instruction in method.Body.Instructions) {
 
                 switch (instruction.OpCode.Code) {
@@ -226,6 +248,9 @@ void AddFieldModification(MethodDefinition method, Dictionary<string, HashSet<In
                                 // The called method is a collection method
                                 || (resolvedCallee is not null && CollectionElementLayer.IsModificationMethod(typeInheritanceGraph, method, instruction))
 
+                                // The called method performs atomic modification to the ref target
+                                || IsAtomicModificationMethod(calleeRef)
+
                                 // The called method return a reference
                                 || (calleeRef.ReturnType is ByReferenceType && calleeRef.Name is "get_Item")) {
 

src/OTAPI.UnifiedServerProcess/OTAPI.UnifiedServerProcess.csproj

@@ -21,7 +21,7 @@
 	<ItemGroup>
 	  <PackageReference Include="OTAPI.Upcoming" Version="3.3.7-mf-a807e26.13" />
 	  <PackageReference Include="MonoMod.RuntimeDetour.HookGen" Version="22.7.31.1" />
-		<PackageReference Include="ModFramework.Modules.CSharp" Version="1.1.15-a807e26.13" />
+		<PackageReference Include="ModFramework.Modules.CSharp" Version="1.1.15-mf-a807e26.13" />
 	</ItemGroup>
 
 	<ItemGroup>