Merge pull request #9469 from rdmarsh2/rdmarsh2/swift/dataflow-inout

MathiasVP · web-flow · commit 6c8982b46e37 · 2022-06-13T18:11:11.000+01:00
Swift: Dataflow through inout parameters
diff --git a/swift/codegen/schema.yml b/swift/codegen/schema.yml
@@ -1103,6 +1103,7 @@ ConcreteVarDecl:
 
 ParamDecl:
   _extends: VarDecl
+  is_inout: predicate
 
 AssociatedTypeDecl:
   _extends: AbstractTypeParamDecl
diff --git a/swift/extractor/visitors/DeclVisitor.h b/swift/extractor/visitors/DeclVisitor.h
@@ -66,6 +66,9 @@ class DeclVisitor : public AstVisitorBase<DeclVisitor> {
   void visitParamDecl(swift::ParamDecl* decl) {
     auto label = dispatcher_.assignNewLabel(decl);
     dispatcher_.emit(ParamDeclsTrap{label});
+    if (decl->isInOut()) {
+      dispatcher_.emit(ParamDeclIsInoutTrap{label});
+    }
     emitVarDecl(decl, label);
   }
 
diff --git a/swift/ql/lib/codeql/swift/controlflow/CfgNodes.qll b/swift/ql/lib/codeql/swift/controlflow/CfgNodes.qll
@@ -102,3 +102,15 @@ class ExprCfgNode extends AstCfgNode {
   /** Gets the underlying expression. */
   Expr getExpr() { result = e }
 }
+
+class ApplyExprCfgNode extends ExprCfgNode {
+  override ApplyExpr e;
+
+  ExprCfgNode getArgument(int index) {
+    result.getNode().asAstNode() = e.getArgument(index).getExpr()
+  }
+}
+
+class CallExprCfgNode extends ApplyExprCfgNode {
+  override CallExpr e;
+}
diff --git a/swift/ql/lib/codeql/swift/dataflow/Ssa.qll b/swift/ql/lib/codeql/swift/dataflow/Ssa.qll
@@ -71,6 +71,19 @@ module Ssa {
         value.getNode().asAstNode() = var.getParentInitializer()
       )
     }
+
+    cached
+    predicate isInoutDef(ExprCfgNode argument) {
+      exists(
+        CallExpr c, BasicBlock bb, int blockIndex, int argIndex, VarDecl v, InOutExpr argExpr // TODO: use CFG node for assignment expr
+      |
+        this.definesAt(v, bb, blockIndex) and
+        bb.getNode(blockIndex).getNode().asAstNode() = c and
+        c.getArgument(argIndex).getExpr() = argExpr and
+        argExpr = argument.getNode().asAstNode() and
+        argExpr.getSubExpr() = v.getAnAccess() // TODO: fields?
+      )
+    }
   }
 
   cached
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll
@@ -3,7 +3,9 @@ private import DataFlowPrivate
 private import DataFlowPublic
 private import codeql.swift.controlflow.ControlFlowGraph
 
-newtype TReturnKind = TNormalReturnKind()
+newtype TReturnKind =
+  TNormalReturnKind() or
+  TParamReturnKind(int i) { exists(ParamDecl param | param.getIndex() = i) }
 
 /**
  * Gets a node that can read the value returned from `call` with return kind
@@ -28,16 +30,33 @@ class NormalReturnKind extends ReturnKind, TNormalReturnKind {
   override string toString() { result = "return" }
 }
 
+/**
+ * A value returned from a callable using an `inout` parameter.
+ */
+class ParamReturnKind extends ReturnKind, TParamReturnKind {
+  int index;
+
+  ParamReturnKind() { this = TParamReturnKind(index) }
+
+  int getIndex() { result = index }
+
+  override string toString() { result = "param(" + index + ")" }
+}
+
 /**
  * A callable. This includes callables from source code, as well as callables
  * defined in library code.
  */
 class DataFlowCallable extends TDataFlowCallable {
+  AbstractFunctionDecl func;
+
+  DataFlowCallable() { this = TDataFlowFunc(func) }
+
   /** Gets a textual representation of this callable. */
-  string toString() { none() }
+  string toString() { result = func.toString() }
 
   /** Gets the location of this callable. */
-  Location getLocation() { none() }
+  Location getLocation() { result = func.getLocation() }
 }
 
 /**
@@ -48,7 +67,7 @@ class DataFlowCall extends ExprNode {
   DataFlowCall() { this.asExpr() instanceof CallExpr }
 
   /** Gets the enclosing callable. */
-  DataFlowCallable getEnclosingCallable() { none() }
+  DataFlowCallable getEnclosingCallable() { result = TDataFlowFunc(this.getCfgNode().getScope()) }
 }
 
 cached
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -1,6 +1,7 @@
 private import swift
 private import DataFlowPublic
 private import DataFlowDispatch
+private import codeql.swift.controlflow.ControlFlowGraph
 private import codeql.swift.controlflow.CfgNodes
 private import codeql.swift.dataflow.Ssa
 private import codeql.swift.controlflow.BasicBlocks
@@ -20,7 +21,7 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos)
 }
 
 abstract class NodeImpl extends Node {
-  DataFlowCallable getEnclosingCallable() { none() }
+  abstract DataFlowCallable getEnclosingCallable();
 
   /** Do not call: use `getLocation()` instead. */
   abstract Location getLocationImpl();
@@ -60,7 +61,21 @@ private module Cached {
   cached
   newtype TNode =
     TExprNode(ExprCfgNode e) or
-    TSsaDefinitionNode(Ssa::Definition def)
+    TSsaDefinitionNode(Ssa::Definition def) or
+    TInoutReturnNode(ParamDecl param) { param.isInout() } or
+    TInOutUpdateNode(ParamDecl param, CallExpr call) {
+      param.isInout() and
+      call.getStaticTarget() = param.getDeclaringFunction()
+    }
+
+  private predicate localSsaFlowStepUseUse(Ssa::Definition def, Node nodeFrom, Node nodeTo) {
+    def.adjacentReadPair(nodeFrom.getCfgNode(), nodeTo.getCfgNode()) and
+    (
+      nodeTo instanceof InoutReturnNode
+      implies
+      nodeTo.(InoutReturnNode).getParameter() = def.getSourceVariable()
+    )
+  }
 
   private predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) {
     exists(Ssa::Definition def |
@@ -70,14 +85,34 @@ private module Cached {
       or
       // step from def to first read
       nodeFrom.asDefinition() = def and
-      nodeTo.getCfgNode() = def.getAFirstRead()
+      nodeTo.getCfgNode() = def.getAFirstRead() and
+      (
+        nodeTo instanceof InoutReturnNode
+        implies
+        nodeTo.(InoutReturnNode).getParameter() = def.getSourceVariable()
+      )
       or
       // use-use flow
-      def.adjacentReadPair(nodeFrom.getCfgNode(), nodeTo.getCfgNode())
+      localSsaFlowStepUseUse(def, nodeFrom, nodeTo)
       or
+      //localSsaFlowStepUseUse(def, nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
+      //or
       // step from previous read to Phi node
       localFlowSsaInput(nodeFrom, def, nodeTo.asDefinition())
     )
+    or
+    exists(ParamReturnKind kind, ExprCfgNode arg |
+      arg =
+        nodeFrom
+            .(InOutUpdateNode)
+            .getCall(kind)
+            .getCfgNode()
+            .(CallExprCfgNode)
+            .getArgument(kind.getIndex()) and
+      nodeTo.asDefinition().(Ssa::WriteDefinition).isInoutDef(arg)
+    )
+    or
+    nodeFrom.asExpr() = nodeTo.asExpr().(InOutExpr).getSubExpr()
   }
 
   /**
@@ -172,6 +207,31 @@ private module ReturnNodes {
 
     override ReturnKind getKind() { result instanceof NormalReturnKind }
   }
+
+  class InoutReturnNodeImpl extends ReturnNode, TInoutReturnNode, NodeImpl {
+    ParamDecl param;
+    ControlFlowNode exit;
+
+    InoutReturnNodeImpl() {
+      this = TInoutReturnNode(param) and
+      exit instanceof ExitNode and
+      exit.getScope() = param.getDeclaringFunction()
+    }
+
+    override ReturnKind getKind() { result.(ParamReturnKind).getIndex() = param.getIndex() }
+
+    override ControlFlowNode getCfgNode() { result = exit }
+
+    override DataFlowCallable getEnclosingCallable() {
+      result = TDataFlowFunc(param.getDeclaringFunction())
+    }
+
+    ParamDecl getParameter() { result = param }
+
+    override Location getLocationImpl() { result = exit.getLocation() }
+
+    override string toStringImpl() { result = param.toString() + "[return]" }
+  }
 }
 
 import ReturnNodes
@@ -188,6 +248,26 @@ private module OutNodes {
       result = this and kind instanceof NormalReturnKind
     }
   }
+
+  class InOutUpdateNode extends OutNode, TInOutUpdateNode, NodeImpl {
+    ParamDecl param;
+    CallExpr call;
+
+    InOutUpdateNode() { this = TInOutUpdateNode(param, call) }
+
+    override DataFlowCall getCall(ReturnKind kind) {
+      result.asExpr() = call and
+      kind.(ParamReturnKind).getIndex() = param.getIndex()
+    }
+
+    override DataFlowCallable getEnclosingCallable() {
+      result = TDataFlowFunc(this.getCall(_).getCfgNode().getScope())
+    }
+
+    override Location getLocationImpl() { result = call.getLocation() }
+
+    override string toStringImpl() { result = param.toString() }
+  }
 }
 
 import OutNodes
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll
@@ -81,6 +81,10 @@ class SsaDefinitionNode extends Node, TSsaDefinitionNode {
   override Ssa::Definition asDefinition() { result = def }
 }
 
+class InoutReturnNode extends Node instanceof InoutReturnNodeImpl {
+  ParamDecl getParameter() { result = super.getParameter() }
+}
+
 /**
  * A node associated with an object after an operation that might have
  * changed its state.
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/SsaImplSpecific.qll b/swift/ql/lib/codeql/swift/dataflow/internal/SsaImplSpecific.qll
@@ -3,6 +3,7 @@
 private import swift
 private import codeql.swift.controlflow.BasicBlocks as BasicBlocks
 private import codeql.swift.controlflow.ControlFlowGraph
+private import codeql.swift.controlflow.CfgNodes
 
 class BasicBlock = BasicBlocks::BasicBlock;
 
@@ -28,6 +29,14 @@ predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain)
     certain = true
   )
   or
+  exists(CallExpr call, Argument arg |
+    arg.getExpr().(InOutExpr).getSubExpr() = v.getAnAccess() and
+    call.getAnArgument() = arg and
+    call.getStaticTarget().getParam(arg.getIndex()).isInout() and
+    bb.getNode(i).getNode().asAstNode() = call and
+    certain = false
+  )
+  or
   v instanceof ParamDecl and
   bb.getNode(i).getNode().asAstNode() = v and
   certain = true
@@ -42,4 +51,12 @@ predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain)
     v = ref.getDecl() and
     certain = true
   )
+  or
+  exists(ExitNode exit, AbstractFunctionDecl func |
+    bb.getNode(i) = exit and
+    v.(ParamDecl).isInout() and
+    func.getAParam() = v and
+    bb.getScope() = func and
+    certain = true
+  )
 }
diff --git a/swift/ql/lib/codeql/swift/elements/decl/ParamDecl.qll b/swift/ql/lib/codeql/swift/elements/decl/ParamDecl.qll
@@ -1,4 +1,10 @@
-// generated by codegen/codegen.py, remove this comment if you wish to edit this file
 private import codeql.swift.generated.decl.ParamDecl
+private import codeql.swift.elements.decl.AbstractFunctionDecl
 
-class ParamDecl extends ParamDeclBase { }
+class ParamDecl extends ParamDeclBase {
+  /** Gets the function which declares this parameter. */
+  AbstractFunctionDecl getDeclaringFunction() { result.getAParam() = this }
+
+  /** Gets the index of this parameter in its declaring function's parameter list. */
+  int getIndex() { exists(AbstractFunctionDecl func | func.getParam(result) = this) }
+}
diff --git a/swift/ql/lib/codeql/swift/generated/decl/ParamDecl.qll b/swift/ql/lib/codeql/swift/generated/decl/ParamDecl.qll
@@ -3,4 +3,6 @@ import codeql.swift.elements.decl.VarDecl
 
 class ParamDeclBase extends @param_decl, VarDecl {
   override string getAPrimaryQlClass() { result = "ParamDecl" }
+
+  predicate isInout() { param_decl_is_inout(this) }
 }
diff --git a/swift/ql/lib/swift.dbscheme b/swift/ql/lib/swift.dbscheme
@@ -2062,6 +2062,11 @@ param_decls(
   unique int id: @param_decl
 );
 
+#keyset[id]
+param_decl_is_inout(
+  int id: @param_decl ref
+);
+
 associated_type_decls(
   unique int id: @associated_type_decl
 );
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
@@ -12,6 +12,23 @@ edges
 | test.swift:29:26:29:29 | y :  | test.swift:31:15:31:15 | y |
 | test.swift:35:12:35:19 | call to source :  | test.swift:39:15:39:29 | call to callee_source |
 | test.swift:43:19:43:26 | call to source :  | test.swift:50:15:50:15 | t |
+| test.swift:53:1:56:1 | arg[return] :  | test.swift:61:5:61:24 | arg :  |
+| test.swift:54:11:54:18 | call to source :  | test.swift:53:1:56:1 | arg[return] :  |
+| test.swift:61:5:61:24 | arg :  | test.swift:62:15:62:15 | x |
+| test.swift:65:16:65:28 | WriteDef :  | test.swift:65:1:70:1 | arg2[return] :  |
+| test.swift:65:16:65:28 | arg1 :  | test.swift:65:1:70:1 | arg2[return] :  |
+| test.swift:73:18:73:25 | call to source :  | test.swift:75:21:75:22 | &... :  |
+| test.swift:75:5:75:33 | arg2 :  | test.swift:77:15:77:15 | y |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | WriteDef :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:75:5:75:33 | arg2 :  |
+| test.swift:80:1:82:1 | arg[return] :  | test.swift:97:9:97:41 | arg :  |
+| test.swift:81:11:81:18 | call to source :  | test.swift:80:1:82:1 | arg[return] :  |
+| test.swift:84:1:91:1 | arg[return] :  | test.swift:104:9:104:54 | arg :  |
+| test.swift:86:15:86:22 | call to source :  | test.swift:84:1:91:1 | arg[return] :  |
+| test.swift:89:15:89:22 | call to source :  | test.swift:84:1:91:1 | arg[return] :  |
+| test.swift:97:9:97:41 | arg :  | test.swift:98:19:98:19 | x |
+| test.swift:104:9:104:54 | arg :  | test.swift:105:19:105:19 | x |
 nodes
 | test.swift:6:19:6:26 | call to source :  | semmle.label | call to source :  |
 | test.swift:7:15:7:15 | t1 | semmle.label | t1 |
@@ -33,12 +50,41 @@ nodes
 | test.swift:39:15:39:29 | call to callee_source | semmle.label | call to callee_source |
 | test.swift:43:19:43:26 | call to source :  | semmle.label | call to source :  |
 | test.swift:50:15:50:15 | t | semmle.label | t |
+| test.swift:53:1:56:1 | arg[return] :  | semmle.label | arg[return] :  |
+| test.swift:54:11:54:18 | call to source :  | semmle.label | call to source :  |
+| test.swift:61:5:61:24 | arg :  | semmle.label | arg :  |
+| test.swift:62:15:62:15 | x | semmle.label | x |
+| test.swift:65:1:70:1 | arg2[return] :  | semmle.label | arg2[return] :  |
+| test.swift:65:16:65:28 | WriteDef :  | semmle.label | WriteDef :  |
+| test.swift:65:16:65:28 | WriteDef :  | semmle.label | arg1 :  |
+| test.swift:65:16:65:28 | arg1 :  | semmle.label | WriteDef :  |
+| test.swift:65:16:65:28 | arg1 :  | semmle.label | arg1 :  |
+| test.swift:73:18:73:25 | call to source :  | semmle.label | call to source :  |
+| test.swift:75:5:75:33 | arg2 :  | semmle.label | arg2 :  |
+| test.swift:75:21:75:22 | &... :  | semmle.label | &... :  |
+| test.swift:77:15:77:15 | y | semmle.label | y |
+| test.swift:80:1:82:1 | arg[return] :  | semmle.label | arg[return] :  |
+| test.swift:81:11:81:18 | call to source :  | semmle.label | call to source :  |
+| test.swift:84:1:91:1 | arg[return] :  | semmle.label | arg[return] :  |
+| test.swift:86:15:86:22 | call to source :  | semmle.label | call to source :  |
+| test.swift:89:15:89:22 | call to source :  | semmle.label | call to source :  |
+| test.swift:97:9:97:41 | arg :  | semmle.label | arg :  |
+| test.swift:98:19:98:19 | x | semmle.label | x |
+| test.swift:104:9:104:54 | arg :  | semmle.label | arg :  |
+| test.swift:105:19:105:19 | x | semmle.label | x |
 subpaths
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | WriteDef :  | test.swift:65:1:70:1 | arg2[return] :  | test.swift:75:5:75:33 | arg2 :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  | test.swift:65:1:70:1 | arg2[return] :  | test.swift:75:5:75:33 | arg2 :  |
 #select
-| test.swift:6:19:6:26 | call to source :  | test.swift:7:15:7:15 | t1 |
-| test.swift:6:19:6:26 | call to source :  | test.swift:9:15:9:15 | t1 |
-| test.swift:6:19:6:26 | call to source :  | test.swift:10:15:10:15 | t2 |
-| test.swift:25:20:25:27 | call to source :  | test.swift:30:15:30:15 | x |
-| test.swift:26:26:26:33 | call to source :  | test.swift:31:15:31:15 | y |
-| test.swift:35:12:35:19 | call to source :  | test.swift:39:15:39:29 | call to callee_source |
-| test.swift:43:19:43:26 | call to source :  | test.swift:50:15:50:15 | t |
+| test.swift:7:15:7:15 | t1 | test.swift:6:19:6:26 | call to source :  | test.swift:7:15:7:15 | t1 | result |
+| test.swift:9:15:9:15 | t1 | test.swift:6:19:6:26 | call to source :  | test.swift:9:15:9:15 | t1 | result |
+| test.swift:10:15:10:15 | t2 | test.swift:6:19:6:26 | call to source :  | test.swift:10:15:10:15 | t2 | result |
+| test.swift:30:15:30:15 | x | test.swift:25:20:25:27 | call to source :  | test.swift:30:15:30:15 | x | result |
+| test.swift:31:15:31:15 | y | test.swift:26:26:26:33 | call to source :  | test.swift:31:15:31:15 | y | result |
+| test.swift:39:15:39:29 | call to callee_source | test.swift:35:12:35:19 | call to source :  | test.swift:39:15:39:29 | call to callee_source | result |
+| test.swift:50:15:50:15 | t | test.swift:43:19:43:26 | call to source :  | test.swift:50:15:50:15 | t | result |
+| test.swift:62:15:62:15 | x | test.swift:54:11:54:18 | call to source :  | test.swift:62:15:62:15 | x | result |
+| test.swift:77:15:77:15 | y | test.swift:73:18:73:25 | call to source :  | test.swift:77:15:77:15 | y | result |
+| test.swift:98:19:98:19 | x | test.swift:81:11:81:18 | call to source :  | test.swift:98:19:98:19 | x | result |
+| test.swift:105:19:105:19 | x | test.swift:86:15:86:22 | call to source :  | test.swift:105:19:105:19 | x | result |
+| test.swift:105:19:105:19 | x | test.swift:89:15:89:22 | call to source :  | test.swift:105:19:105:19 | x | result |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.ql b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.ql
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test.swift b/swift/ql/test/library-tests/dataflow/dataflow/test.swift

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,9 @@ class DeclVisitor : public AstVisitorBase<DeclVisitor> {`
`66`	`66`	`void visitParamDecl(swift::ParamDecl* decl) {`
`67`	`67`	`auto label = dispatcher_.assignNewLabel(decl);`
`68`	`68`	`dispatcher_.emit(ParamDeclsTrap{label});`
	`69`	`+ if (decl->isInOut()) {`
	`70`	`+ dispatcher_.emit(ParamDeclIsInoutTrap{label});`
	`71`	`+ }`
`69`	`72`	`emitVarDecl(decl, label);`
`70`	`73`	`}`
`71`	`74`
Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,19 @@ module Ssa {`
`71`	`71`	`value.getNode().asAstNode() = var.getParentInitializer()`
`72`	`72`	`)`
`73`	`73`	`}`
	`74`	`+`
	`75`	`+ cached`
	`76`	`+ predicate isInoutDef(ExprCfgNode argument) {`
	`77`	`+ exists(`
	`78`	`+ CallExpr c, BasicBlock bb, int blockIndex, int argIndex, VarDecl v, InOutExpr argExpr // TODO: use CFG node for assignment expr`
	`79`	`+ \|`
	`80`	`+ this.definesAt(v, bb, blockIndex) and`
	`81`	`+ bb.getNode(blockIndex).getNode().asAstNode() = c and`
	`82`	`+ c.getArgument(argIndex).getExpr() = argExpr and`
	`83`	`+ argExpr = argument.getNode().asAstNode() and`
	`84`	`+ argExpr.getSubExpr() = v.getAnAccess() // TODO: fields?`
	`85`	`+ )`
	`86`	`+ }`
`74`	`87`	`}`
`75`	`88`
`76`	`89`	`cached`
Original file line number	Diff line number	Diff line change
`@@ -3,4 +3,6 @@ import codeql.swift.elements.decl.VarDecl`
`3`	`3`
`4`	`4`	`class ParamDeclBase extends @param_decl, VarDecl {`
`5`	`5`	`override string getAPrimaryQlClass() { result = "ParamDecl" }`
	`6`	`+`
	`7`	`+ predicate isInout() { param_decl_is_inout(this) }`
`6`	`8`	`}`