Go: seperate real and synthetic callables

smowton · smowton · commit 4ea4e0dcca0a · 2023-04-12T14:15:54.000+01:00
This means that when a function has a real body and a summary (usually because it has a real definition in source, and implements an interface that has a model), two callables are created and dispatch considers both possible paths.

This specifically overcomes the difficulty with ParameterNodes when the real callable, if any, may or may not define an SsaNode, either because the real parameter is unused or because it is anonymous. Now the synthetic callable will always have parameter nodes, while the real one may or may not depending on whether a definition is present and
whether or not it names or uses its parameter.
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowDispatch.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowDispatch.qll
@@ -51,6 +51,12 @@ private predicate isConcreteInterfaceCall(DataFlow::Node call, DataFlow::Node re
   isInterfaceCallReceiver(call, recv, _, m) and isConcreteValue(recv)
 }
 
+private Function getRealOrSummarizedFunction(DataFlowCallable c) {
+  result = c.asCallable().asFunction()
+  or
+  result = c.asSummarizedCallable().asFunction()
+}
+
 /**
  * Gets a function that might be called by `call`, where the receiver of `call` has interface type,
  * but its concrete types can be determined by local reasoning.
@@ -59,7 +65,7 @@ private DataFlowCallable getConcreteTarget(DataFlow::CallNode call) {
   exists(string m | isConcreteInterfaceCall(call, _, m) |
     exists(Type concreteReceiverType |
       concreteReceiverType = getConcreteType(getInterfaceCallReceiverSource(call)) and
-      result.asFunction() = concreteReceiverType.getMethod(m)
+      getRealOrSummarizedFunction(result) = concreteReceiverType.getMethod(m)
     )
   )
 }
@@ -78,7 +84,7 @@ private predicate isInterfaceMethodCall(DataFlow::CallNode call) {
 private DataFlowCallable getRestrictedInterfaceTarget(DataFlow::CallNode call) {
   exists(InterfaceType tp, Type recvtp, string m |
     isInterfaceCallReceiver(call, _, tp, m) and
-    result.asFunction() = recvtp.getMethod(m) and
+    getRealOrSummarizedFunction(result) = recvtp.getMethod(m) and
     recvtp.implements(tp)
   )
 }
@@ -93,7 +99,8 @@ DataFlowCallable viableCallable(CallExpr ma) {
     else
       if isInterfaceMethodCall(call)
       then result = getRestrictedInterfaceTarget(call)
-      else result.asCallable() = call.getACalleeIncludingExternals()
+      else
+        [result.asCallable(), result.asSummarizedCallable()] = call.getACalleeIncludingExternals()
   )
 }
 
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll
@@ -10,14 +10,10 @@ private newtype TNode =
   MkInstructionNode(IR::Instruction insn) or
   MkSsaNode(SsaDefinition ssa) or
   MkGlobalFunctionNode(Function f) or
-  MkSummarizedParameterNode(DataFlowCallable c, int i) {
-    not exists(c.getFuncDef()) and
-    c.asCallable() instanceof SummarizedCallable and
-    (
-      i in [0 .. c.getType().getNumParameter() - 1]
-      or
-      c.asFunction() instanceof Method and i = -1
-    )
+  MkSummarizedParameterNode(SummarizedCallable c, int i) {
+    i in [0 .. c.getType().getNumParameter() - 1]
+    or
+    c.asFunction() instanceof Method and i = -1
   } or
   MkSummaryInternalNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
     FlowSummaryImpl::Private::summaryNodeRange(c, state)
@@ -31,12 +27,18 @@ module Private {
   DataFlowCallable nodeGetEnclosingCallable(Node n) {
     result.asCallable() = n.getEnclosingCallable()
     or
-    not exists(n.getEnclosingCallable()) and result.asFileScope() = n.getFile()
+    (n = MkInstructionNode(_) or n = MkSsaNode(_) or n = MkGlobalFunctionNode(_)) and
+    not exists(n.getEnclosingCallable()) and
+    result.asFileScope() = n.getFile()
+    or
+    n = MkSummarizedParameterNode(result.asSummarizedCallable(), _)
+    or
+    n = MkSummaryInternalNode(result.asSummarizedCallable(), _)
   }
 
   /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
   predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
-    p.isParameterOf(c.asCallable(), pos)
+    p.isParameterOf(c, pos)
   }
 
   /** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
@@ -115,15 +117,7 @@ module Public {
     ControlFlow::Root getRoot() { none() } // overridden in subclasses
 
     /** INTERNAL: Use `getRoot()` instead. */
-    Callable getEnclosingCallable() {
-      result.getFuncDef() = this.getRoot()
-      or
-      exists(DataFlowCallable dfc | result = dfc.asCallable() |
-        this = MkSummarizedParameterNode(dfc, _)
-        or
-        this = MkSummaryInternalNode(dfc.asCallable(), _)
-      )
-    }
+    Callable getEnclosingCallable() { result.getFuncDef() = this.getRoot() }
 
     /** Gets the type of this node. */
     Type getType() { none() } // overridden in subclasses
@@ -577,20 +571,18 @@ module Public {
   /** A representation of a parameter initialization. */
   abstract class ParameterNode extends DataFlow::Node {
     /** Holds if this node initializes the `i`th parameter of `c`. */
-    abstract predicate isParameterOf(Callable c, int i);
+    abstract predicate isParameterOf(DataFlowCallable c, int i);
   }
 
   /**
    * A summary node which represents a parameter in a function which doesn't
    * already have a parameter nodes.
    */
   class SummarizedParameterNode extends ParameterNode, MkSummarizedParameterNode {
-    Callable c;
+    SummarizedCallable c;
     int i;
 
-    SummarizedParameterNode() {
-      this = MkSummarizedParameterNode(any(DataFlowCallable dfc | c = dfc.asCallable()), i)
-    }
+    SummarizedParameterNode() { this = MkSummarizedParameterNode(c, i) }
 
     // There are no AST representations of summarized parameter nodes
     override ControlFlow::Root getRoot() { none() }
@@ -603,7 +595,9 @@ module Public {
       i = -1 and result = c.asFunction().(Method).getReceiverType()
     }
 
-    override predicate isParameterOf(Callable call, int idx) { c = call and i = idx }
+    override predicate isParameterOf(DataFlowCallable call, int idx) {
+      c = call.asSummarizedCallable() and i = idx
+    }
 
     override string toString() { result = "parameter " + i + " of " + c.toString() }
 
@@ -622,7 +616,9 @@ module Public {
     /** Gets the parameter this node initializes. */
     override Parameter asParameter() { result = parm }
 
-    override predicate isParameterOf(Callable c, int i) { parm.isParameterOf(c.getFuncDef(), i) }
+    override predicate isParameterOf(DataFlowCallable c, int i) {
+      parm.isParameterOf(c.asCallable().getFuncDef(), i)
+    }
   }
 
   /** A representation of a receiver initialization. */
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
@@ -3,6 +3,7 @@ private import DataFlowUtil
 private import DataFlowImplCommon
 private import ContainerFlow
 private import FlowSummaryImpl as FlowSummaryImpl
+private import semmle.go.dataflow.FlowSummary as FlowSummary
 private import codeql.util.Unit
 import DataFlowNodes::Private
 
@@ -237,31 +238,31 @@ class DataFlowLocation = Location;
 
 private newtype TDataFlowCallable =
   TCallable(Callable c) or
-  TFileScope(File f)
+  TFileScope(File f) or
+  TSummarizedCallable(FlowSummary::SummarizedCallable c)
 
 class DataFlowCallable extends TDataFlowCallable {
   Callable asCallable() { this = TCallable(result) }
 
   File asFileScope() { this = TFileScope(result) }
 
-  FuncDef getFuncDef() { result = this.asCallable().getFuncDef() }
+  FlowSummary::SummarizedCallable asSummarizedCallable() { this = TSummarizedCallable(result) }
 
-  Function asFunction() { result = this.asCallable().asFunction() }
-
-  FuncLit asFuncLit() { result = this.asCallable().asFuncLit() }
-
-  SignatureType getType() { result = this.asCallable().getType() }
+  SignatureType getType() { result = [this.asCallable(), this.asSummarizedCallable()].getType() }
 
   string toString() {
     result = this.asCallable().toString() or
-    result = "File scope: " + this.asFileScope().toString()
+    result = "File scope: " + this.asFileScope().toString() or
+    result = "Summary: " + this.asSummarizedCallable().toString()
   }
 
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.asCallable().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
-    this.asFileScope().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    this.asFileScope().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) or
+    this.asSummarizedCallable()
+        .hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
   }
 }
 
@@ -281,6 +282,7 @@ class DataFlowCall extends Expr {
 
   /** Gets the enclosing callable of this call. */
   DataFlowCallable getEnclosingCallable() {
+    // NB. At present calls cannot occur inside summarized callables-- this will change if we implement advanced lambda support.
     result.asCallable().getFuncDef() = this.getEnclosingFunction()
     or
     not exists(this.getEnclosingFunction()) and result.asFileScope() = this.getFile()
diff --git a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImplSpecific.qll b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -17,7 +17,7 @@ private module FlowSummaries {
 
 class SummarizedCallableBase = Callable;
 
-DataFlowCallable inject(SummarizedCallable c) { result.asCallable() = c }
+DataFlowCallable inject(SummarizedCallable c) { result.asSummarizedCallable() = c }
 
 /** Gets the parameter position of the instance parameter. */
 ArgumentPosition callbackSelfParameterPosition() { result = -1 }
@@ -189,9 +189,7 @@ class InterpretNode extends TInterpretNode {
 
   /** Gets the callable that this node corresponds to, if any. */
   DataFlowCallable asCallable() {
-    result.asFunction() = this.asElement().asEntity()
-    or
-    result.asFuncLit() = this.asElement().asAstNode()
+    result.asSummarizedCallable().asFunction() = this.asElement().asEntity()
   }
 
   /** Gets the target of this call, if any. */
diff --git a/go/ql/lib/semmle/go/frameworks/Twirp.qll b/go/ql/lib/semmle/go/frameworks/Twirp.qll
@@ -165,8 +165,8 @@ module Twirp {
    */
   class Request extends UntrustedFlowSource::Range instanceof DataFlow::ParameterNode {
     Request() {
-      exists(Callable c, ServiceHandler handler | c.asFunction() = handler |
-        this.isParameterOf(c, 1) and
+      exists(FuncDef c, ServiceHandler handler | handler.getFuncDecl() = c |
+        this.asParameter().isParameterOf(c, 1) and
         handler.getParameterType(0).hasQualifiedName("context", "Context") and
         this.getType().(PointerType).getBaseType() instanceof ProtobufMessageType
       )

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,12 @@ private predicate isConcreteInterfaceCall(DataFlow::Node call, DataFlow::Node re`
`51`	`51`	`isInterfaceCallReceiver(call, recv, _, m) and isConcreteValue(recv)`
`52`	`52`	`}`
`53`	`53`
	`54`	`+private Function getRealOrSummarizedFunction(DataFlowCallable c) {`
	`55`	`+ result = c.asCallable().asFunction()`
	`56`	`+ or`
	`57`	`+ result = c.asSummarizedCallable().asFunction()`
	`58`	`+}`
	`59`	`+`
`54`	`60`	`/**`
`55`	`61`	* Gets a function that might be called by `call`, where the receiver of `call` has interface type,
`56`	`62`	`* but its concrete types can be determined by local reasoning.`
`@@ -59,7 +65,7 @@ private DataFlowCallable getConcreteTarget(DataFlow::CallNode call) {`
`59`	`65`	`exists(string m \| isConcreteInterfaceCall(call, _, m) \|`
`60`	`66`	`exists(Type concreteReceiverType \|`
`61`	`67`	`concreteReceiverType = getConcreteType(getInterfaceCallReceiverSource(call)) and`
`62`		`- result.asFunction() = concreteReceiverType.getMethod(m)`
	`68`	`+ getRealOrSummarizedFunction(result) = concreteReceiverType.getMethod(m)`
`63`	`69`	`)`
`64`	`70`	`)`
`65`	`71`	`}`
`@@ -78,7 +84,7 @@ private predicate isInterfaceMethodCall(DataFlow::CallNode call) {`
`78`	`84`	`private DataFlowCallable getRestrictedInterfaceTarget(DataFlow::CallNode call) {`
`79`	`85`	`exists(InterfaceType tp, Type recvtp, string m \|`
`80`	`86`	`isInterfaceCallReceiver(call, _, tp, m) and`
`81`		`- result.asFunction() = recvtp.getMethod(m) and`
	`87`	`+ getRealOrSummarizedFunction(result) = recvtp.getMethod(m) and`
`82`	`88`	`recvtp.implements(tp)`
`83`	`89`	`)`
`84`	`90`	`}`
`@@ -93,7 +99,8 @@ DataFlowCallable viableCallable(CallExpr ma) {`
`93`	`99`	`else`
`94`	`100`	`if isInterfaceMethodCall(call)`
`95`	`101`	`then result = getRestrictedInterfaceTarget(call)`
`96`		`- else result.asCallable() = call.getACalleeIncludingExternals()`
	`102`	`+ else`
	`103`	`+ [result.asCallable(), result.asSummarizedCallable()] = call.getACalleeIncludingExternals()`
`97`	`104`	`)`
`98`	`105`	`}`
`99`	`106`