Ensure pattern-case and binding-instanceof are covered in all of type, dispatch and object flow

smowton · smowton · commit fa09be045921 · 2023-11-30T11:24:02.000Z
diff --git a/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll b/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll
@@ -116,6 +116,22 @@ private predicate step(TypeFlowNode n1, TypeFlowNode n2) {
   n2.asSsa().(BaseSsaUpdate).getDefiningExpr().(VariableAssign).getSource() = n1.asExpr()
   or
   n2.asSsa().(BaseSsaImplicitInit).captures(n1.asSsa())
+  or
+  exists(PatternCase pc, LocalVariableDeclExpr patternVar |
+    patternVar = pc.getPattern().asBindingPattern() and
+    n2.asSsa().(BaseSsaUpdate).getDefiningExpr() = patternVar and
+    (
+      pc.getSwitch().getExpr() = n1.asExpr()
+      or
+      pc.getSwitchExpr().getExpr() = n1.asExpr()
+    )
+  )
+  or
+  exists(InstanceOfExpr ioe, LocalVariableDeclExpr patternVar |
+    patternVar = ioe.getPattern().asBindingPattern() and
+    n2.asSsa().(BaseSsaUpdate).getDefiningExpr() = patternVar and
+    ioe.getExpr() = n1.asExpr()
+  )
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/dispatch/DispatchFlow.qll b/java/ql/lib/semmle/code/java/dispatch/DispatchFlow.qll
@@ -167,6 +167,20 @@ private module TypeTrackingSteps {
       def.(BaseSsaUpdate).getDefiningExpr().(VariableAssign).getSource() = n1.asExpr()
       or
       def.(BaseSsaImplicitInit).isParameterDefinition(n1.asParameter())
+      or
+      exists(PatternCase pc |
+        pc.getPattern().asBindingPattern() = def.(BaseSsaUpdate).getDefiningExpr() and
+        (
+          pc.getSwitch().getExpr() = n1.asExpr()
+          or
+          pc.getSwitchExpr().getExpr() = n1.asExpr()
+        )
+      )
+      or
+      exists(InstanceOfExpr ioe |
+        ioe.getPattern().asBindingPattern() = def.(BaseSsaUpdate).getDefiningExpr() and
+        ioe.getExpr() = n1.asExpr()
+      )
     |
       v.getAnUltimateDefinition() = def and
       v.getAUse() = n2.asExpr()
diff --git a/java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll b/java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll
@@ -89,6 +89,11 @@ private predicate step(Node n1, Node n2) {
         pc.getSwitchExpr().getExpr() = n1.asExpr()
       )
     )
+    or
+    exists(InstanceOfExpr ioe |
+      ioe.getPattern().asBindingPattern() = def.(BaseSsaUpdate).getDefiningExpr() and
+      ioe.getExpr() = n1.asExpr()
+    )
   |
     v.getAnUltimateDefinition() = def and
     v.getAUse() = n2.asExpr()

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,11 @@ private predicate step(Node n1, Node n2) {`
`89`	`89`	`pc.getSwitchExpr().getExpr() = n1.asExpr()`
`90`	`90`	`)`
`91`	`91`	`)`
	`92`	`+ or`
	`93`	`+ exists(InstanceOfExpr ioe \|`
	`94`	`+ ioe.getPattern().asBindingPattern() = def.(BaseSsaUpdate).getDefiningExpr() and`
	`95`	`+ ioe.getExpr() = n1.asExpr()`
	`96`	`+ )`
`92`	`97`	`\|`
`93`	`98`	`v.getAnUltimateDefinition() = def and`
`94`	`99`	`v.getAUse() = n2.asExpr()`