Data flow: Rework reverse flow through parameters

Author: hvitved

Diff for: csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll

@@ -7,7 +7,27 @@ private import codeql.dataflow.DataFlow
 
 module Private {
   import DataFlowPrivate
-  import DataFlowDispatch
+  private import DataFlowDispatch as DataFlowDispatch
+
+  class DataFlowCall = DataFlowDispatch::DataFlowCall;
+
+  class DataFlowCallable = DataFlowDispatch::DataFlowCallable;
+
+  predicate viableCallable = DataFlowDispatch::viableCallable/1;
+
+  class ReturnKind = DataFlowDispatch::ReturnKind;
+
+  class ParameterPosition = DataFlowDispatch::ParameterPosition;
+
+  class ArgumentPosition = DataFlowDispatch::ArgumentPosition;
+
+  predicate parameterMatch = DataFlowDispatch::parameterMatch/2;
+
+  predicate mayBenefitFromCallContext = DataFlowDispatch::mayBenefitFromCallContext/1;
+
+  predicate viableImplInCallContext = DataFlowDispatch::viableImplInCallContext/2;
+
+  predicate getAnOutNode = DataFlowDispatch::getAnOutNode/2;
 }
 
 module Public {

Diff for: csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -1,7 +1,7 @@
 private import csharp
 private import DataFlowPublic
 private import DataFlowDispatch
-private import DataFlowImplCommon
+private import DataFlowImplCommon as DataFlowImplCommon
 private import ControlFlowReachability
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.FlowSummary as FlowSummary
@@ -61,7 +61,7 @@ abstract class NodeImpl extends Node {
 
   /** Gets the type of this node used for type pruning. */
   DataFlowType getDataFlowType() {
-    forceCachingInSameStage() and
+    DataFlowImplCommon::forceCachingInSameStage() and
     exists(Type t0 | result.asGvnType() = Gvn::getGlobalValueNumber(t0) |
       t0 = this.getType()
       or
@@ -102,20 +102,20 @@ private class ExprNodeImpl extends ExprNode, NodeImpl {
   }
 
   override Type getTypeImpl() {
-    forceCachingInSameStage() and
+    DataFlowImplCommon::forceCachingInSameStage() and
     result = this.getExpr().getType()
   }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNodeImpl() {
-    forceCachingInSameStage() and this = TExprNode(result)
+    DataFlowImplCommon::forceCachingInSameStage() and this = TExprNode(result)
   }
 
   override Location getLocationImpl() {
-    forceCachingInSameStage() and result = this.getExpr().getLocation()
+    DataFlowImplCommon::forceCachingInSameStage() and result = this.getExpr().getLocation()
   }
 
   override string toStringImpl() {
-    forceCachingInSameStage() and
+    DataFlowImplCommon::forceCachingInSameStage() and
     result = this.getControlFlowNodeImpl().toString()
   }
 }
@@ -2897,7 +2897,7 @@ private predicate viableConstantBooleanParamArg(
   ParameterNode paramNode, boolean b, DataFlowCall call
 ) {
   exists(ConstantBooleanArgumentNode arg |
-    viableParamArg(call, paramNode, arg) and
+    DataFlowImplCommon::viableParamArg(call, paramNode, arg) and
     b = arg.getBooleanValue()
   )
 }
@@ -3046,7 +3046,7 @@ class DataFlowSecondLevelScope = Unit;
  */
 predicate allowParameterReturnInSelf(ParameterNode p) {
   exists(DataFlowCallable c, ParameterPosition pos |
-    parameterNode(p, c, pos) and
+    DataFlowImplCommon::parameterNode(p, c, pos) and
     FlowSummaryImpl::Private::summaryAllowParameterReturnInSelf(c.asSummarizedCallable(), pos)
   )
   or

Diff for: csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -12,6 +12,7 @@ private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import semmle.code.csharp.Unification
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 
 module Input implements InputSig<Location, DataFlowImplSpecific::CsharpDataFlow> {
   class SummarizedCallableBase = UnboundCallable;

Diff for: csharp/ql/lib/semmle/code/csharp/exprs/Call.qll

@@ -6,7 +6,7 @@
 
 import Expr
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
-private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon
+private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
 private import semmle.code.csharp.dispatch.Dispatch
 
 /**
@@ -528,7 +528,7 @@ class DelegateLikeCall extends Call, DelegateLikeCall_ {
   final override Callable getARuntimeTarget() {
     exists(ExplicitDelegateLikeDataFlowCall call |
       this = call.getCall() and
-      result = viableCallableLambda(call, _).asCallable(_)
+      result = DataFlowImplCommon::viableCallableLambda(call, _).asCallable(_)
     )
   }
 

Diff for: csharp/ql/test/TestUtilities/InlineFlowTest.qll

@@ -12,7 +12,9 @@ private import internal.InlineExpectationsTestImpl
 
 private module FlowTestImpl implements InputSig<Location, CsharpDataFlow> {
   predicate defaultSource(DataFlow::Node source) {
-    source.asExpr().(MethodCall).getTarget().getUndecoratedName() = ["Source", "Taint"]
+    source.asExpr().(MethodCall).getTarget().getUndecoratedName() = ["Source", "Taint"] //and
+    // source.getLocation().getStartLine() = 23 and
+    // source.getLocation().getFile().getBaseName() = "G.cs"
   }
 
   predicate defaultSink(DataFlow::Node sink) {

Diff for: csharp/ql/test/library-tests/dataflow/constructors/ConstructorFlow.expected

@@ -1,13 +1,15 @@
 models
 edges
-| Constructors.cs:5:24:5:25 | [post] this access : C_no_ctor [field s1] : Object | Constructors.cs:9:27:9:41 | object creation of type C_no_ctor : C_no_ctor [field s1] : Object | provenance |  |
+| Constructors.cs:5:24:5:25 | [post] this access : C_no_ctor [field s1] : Object | Constructors.cs:5:24:5:25 | this access [Reverse] : C_no_ctor [field s1] : Object | provenance |  |
+| Constructors.cs:5:24:5:25 | this access [Reverse] : C_no_ctor [field s1] : Object | Constructors.cs:9:27:9:41 | object creation of type C_no_ctor : C_no_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | Constructors.cs:5:24:5:25 | [post] this access : C_no_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:9:23:9:23 | access to local variable c : C_no_ctor [field s1] : Object | Constructors.cs:10:13:10:13 | access to local variable c : C_no_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:9:27:9:41 | object creation of type C_no_ctor : C_no_ctor [field s1] : Object | Constructors.cs:9:23:9:23 | access to local variable c : C_no_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:10:13:10:13 | access to local variable c : C_no_ctor [field s1] : Object | Constructors.cs:13:21:13:22 | this : C_no_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:13:21:13:22 | this : C_no_ctor [field s1] : Object | Constructors.cs:15:18:15:19 | this access : C_no_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:15:18:15:19 | this access : C_no_ctor [field s1] : Object | Constructors.cs:15:18:15:19 | access to field s1 | provenance |  |
-| Constructors.cs:21:24:21:25 | [post] this access : C_with_ctor [field s1] : Object | Constructors.cs:29:16:29:26 | this [Return] : C_with_ctor [field s1] : Object | provenance |  |
+| Constructors.cs:21:24:21:25 | [post] this access : C_with_ctor [field s1] : Object | Constructors.cs:21:24:21:25 | this access [Reverse] : C_with_ctor [field s1] : Object | provenance |  |
+| Constructors.cs:21:24:21:25 | this access [Reverse] : C_with_ctor [field s1] : Object | Constructors.cs:29:16:29:26 | this [Return] : C_with_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:21:29:21:45 | call to method Source<Object> : Object | Constructors.cs:21:24:21:25 | [post] this access : C_with_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:25:25:25:25 | access to local variable c : C_with_ctor [field s1] : Object | Constructors.cs:26:13:26:13 | access to local variable c : C_with_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:25:29:25:45 | object creation of type C_with_ctor : C_with_ctor [field s1] : Object | Constructors.cs:25:25:25:25 | access to local variable c : C_with_ctor [field s1] : Object | provenance |  |
@@ -16,13 +18,15 @@ edges
 | Constructors.cs:31:21:31:22 | this : C_with_ctor [field s1] : Object | Constructors.cs:33:18:33:19 | this access : C_with_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:33:18:33:19 | this access : C_with_ctor [field s1] : Object | Constructors.cs:33:18:33:19 | access to field s1 | provenance |  |
 | Constructors.cs:41:26:41:26 | o : Object | Constructors.cs:41:38:41:38 | access to parameter o : Object | provenance |  |
-| Constructors.cs:41:32:41:34 | [post] this access : C1 [field Obj] : Object | Constructors.cs:41:16:41:17 | this [Return] : C1 [field Obj] : Object | provenance |  |
+| Constructors.cs:41:32:41:34 | [post] this access : C1 [field Obj] : Object | Constructors.cs:41:32:41:34 | this access [Reverse] : C1 [field Obj] : Object | provenance |  |
+| Constructors.cs:41:32:41:34 | this access [Reverse] : C1 [field Obj] : Object | Constructors.cs:41:16:41:17 | this [Return] : C1 [field Obj] : Object | provenance |  |
 | Constructors.cs:41:38:41:38 | access to parameter o : Object | Constructors.cs:41:32:41:34 | [post] this access : C1 [field Obj] : Object | provenance |  |
 | Constructors.cs:44:28:44:35 | o21param : Object | Constructors.cs:46:23:46:27 | this access : C2 [parameter o21param] : Object | provenance |  |
 | Constructors.cs:44:28:44:35 | o21param : Object | Constructors.cs:46:31:46:38 | access to parameter o21param : Object | provenance |  |
 | Constructors.cs:44:45:44:52 | o22param : Object | Constructors.cs:44:18:44:19 | this [Return] : C2 [parameter o22param] : Object | provenance |  |
-| Constructors.cs:46:23:46:27 | [post] this access : C2 [field Obj21] : Object | Constructors.cs:44:18:44:19 | this [Return] : C2 [field Obj21] : Object | provenance |  |
+| Constructors.cs:46:23:46:27 | [post] this access : C2 [field Obj21] : Object | Constructors.cs:46:23:46:27 | this access [Reverse] : C2 [field Obj21] : Object | provenance |  |
 | Constructors.cs:46:23:46:27 | this access : C2 [parameter o21param] : Object | Constructors.cs:46:31:46:38 | access to parameter o21param : Object | provenance |  |
+| Constructors.cs:46:23:46:27 | this access [Reverse] : C2 [field Obj21] : Object | Constructors.cs:44:18:44:19 | this [Return] : C2 [field Obj21] : Object | provenance |  |
 | Constructors.cs:46:31:46:38 | access to parameter o21param : Object | Constructors.cs:46:23:46:27 | [post] this access : C2 [field Obj21] : Object | provenance |  |
 | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | access to parameter o22param : Object | provenance |  |
 | Constructors.cs:50:32:50:36 | this : C2 [field Obj21] : Object | Constructors.cs:50:32:50:36 | this access : C2 [field Obj21] : Object | provenance |  |
@@ -85,9 +89,12 @@ edges
 | Constructors.cs:113:14:113:15 | access to local variable c3 : C3 [parameter o31param] : Object | Constructors.cs:113:14:113:21 | access to property Obj31 | provenance |  |
 | Constructors.cs:121:26:121:28 | oc1 : Object | Constructors.cs:123:20:123:22 | access to parameter oc1 : Object | provenance |  |
 | Constructors.cs:121:38:121:40 | oc2 : Object | Constructors.cs:124:20:124:22 | access to parameter oc2 : Object | provenance |  |
-| Constructors.cs:123:13:123:16 | [post] this access : C4 [property Obj1] : Object | Constructors.cs:121:16:121:17 | this [Return] : C4 [property Obj1] : Object | provenance |  |
+| Constructors.cs:123:13:123:16 | [post] this access : C4 [property Obj1] : Object | Constructors.cs:123:13:123:16 | this access [Reverse] : C4 [property Obj1] : Object | provenance |  |
+| Constructors.cs:123:13:123:16 | this access [Reverse] : C4 [property Obj1] : Object | Constructors.cs:121:16:121:17 | this [Return] : C4 [property Obj1] : Object | provenance |  |
+| Constructors.cs:123:13:123:16 | this access [Reverse] : C4 [property Obj2] : Object | Constructors.cs:121:16:121:17 | this [Return] : C4 [property Obj2] : Object | provenance |  |
 | Constructors.cs:123:20:123:22 | access to parameter oc1 : Object | Constructors.cs:123:13:123:16 | [post] this access : C4 [property Obj1] : Object | provenance |  |
-| Constructors.cs:124:13:124:16 | [post] this access : C4 [property Obj2] : Object | Constructors.cs:121:16:121:17 | this [Return] : C4 [property Obj2] : Object | provenance |  |
+| Constructors.cs:124:13:124:16 | [post] this access : C4 [property Obj2] : Object | Constructors.cs:124:13:124:16 | this access [Reverse] : C4 [property Obj2] : Object | provenance |  |
+| Constructors.cs:124:13:124:16 | this access [Reverse] : C4 [property Obj2] : Object | Constructors.cs:123:13:123:16 | this access [Reverse] : C4 [property Obj2] : Object | provenance |  |
 | Constructors.cs:124:20:124:22 | access to parameter oc2 : Object | Constructors.cs:124:13:124:16 | [post] this access : C4 [property Obj2] : Object | provenance |  |
 | Constructors.cs:130:13:130:14 | access to local variable o1 : Object | Constructors.cs:132:25:132:26 | access to local variable o1 : Object | provenance |  |
 | Constructors.cs:130:18:130:34 | call to method Source<Object> : Object | Constructors.cs:130:13:130:14 | access to local variable o1 : Object | provenance |  |
@@ -121,6 +128,7 @@ edges
 | Constructors.cs:145:14:145:15 | access to local variable r1 : R1 [property Obj2] : Object | Constructors.cs:145:14:145:20 | access to property Obj2 | provenance |  |
 nodes
 | Constructors.cs:5:24:5:25 | [post] this access : C_no_ctor [field s1] : Object | semmle.label | [post] this access : C_no_ctor [field s1] : Object |
+| Constructors.cs:5:24:5:25 | this access [Reverse] : C_no_ctor [field s1] : Object | semmle.label | this access [Reverse] : C_no_ctor [field s1] : Object |
 | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
 | Constructors.cs:9:23:9:23 | access to local variable c : C_no_ctor [field s1] : Object | semmle.label | access to local variable c : C_no_ctor [field s1] : Object |
 | Constructors.cs:9:27:9:41 | object creation of type C_no_ctor : C_no_ctor [field s1] : Object | semmle.label | object creation of type C_no_ctor : C_no_ctor [field s1] : Object |
@@ -129,6 +137,7 @@ nodes
 | Constructors.cs:15:18:15:19 | access to field s1 | semmle.label | access to field s1 |
 | Constructors.cs:15:18:15:19 | this access : C_no_ctor [field s1] : Object | semmle.label | this access : C_no_ctor [field s1] : Object |
 | Constructors.cs:21:24:21:25 | [post] this access : C_with_ctor [field s1] : Object | semmle.label | [post] this access : C_with_ctor [field s1] : Object |
+| Constructors.cs:21:24:21:25 | this access [Reverse] : C_with_ctor [field s1] : Object | semmle.label | this access [Reverse] : C_with_ctor [field s1] : Object |
 | Constructors.cs:21:29:21:45 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
 | Constructors.cs:25:25:25:25 | access to local variable c : C_with_ctor [field s1] : Object | semmle.label | access to local variable c : C_with_ctor [field s1] : Object |
 | Constructors.cs:25:29:25:45 | object creation of type C_with_ctor : C_with_ctor [field s1] : Object | semmle.label | object creation of type C_with_ctor : C_with_ctor [field s1] : Object |
@@ -140,13 +149,15 @@ nodes
 | Constructors.cs:41:16:41:17 | this [Return] : C1 [field Obj] : Object | semmle.label | this [Return] : C1 [field Obj] : Object |
 | Constructors.cs:41:26:41:26 | o : Object | semmle.label | o : Object |
 | Constructors.cs:41:32:41:34 | [post] this access : C1 [field Obj] : Object | semmle.label | [post] this access : C1 [field Obj] : Object |
+| Constructors.cs:41:32:41:34 | this access [Reverse] : C1 [field Obj] : Object | semmle.label | this access [Reverse] : C1 [field Obj] : Object |
 | Constructors.cs:41:38:41:38 | access to parameter o : Object | semmle.label | access to parameter o : Object |
 | Constructors.cs:44:18:44:19 | this [Return] : C2 [field Obj21] : Object | semmle.label | this [Return] : C2 [field Obj21] : Object |
 | Constructors.cs:44:18:44:19 | this [Return] : C2 [parameter o22param] : Object | semmle.label | this [Return] : C2 [parameter o22param] : Object |
 | Constructors.cs:44:28:44:35 | o21param : Object | semmle.label | o21param : Object |
 | Constructors.cs:44:45:44:52 | o22param : Object | semmle.label | o22param : Object |
 | Constructors.cs:46:23:46:27 | [post] this access : C2 [field Obj21] : Object | semmle.label | [post] this access : C2 [field Obj21] : Object |
 | Constructors.cs:46:23:46:27 | this access : C2 [parameter o21param] : Object | semmle.label | this access : C2 [parameter o21param] : Object |
+| Constructors.cs:46:23:46:27 | this access [Reverse] : C2 [field Obj21] : Object | semmle.label | this access [Reverse] : C2 [field Obj21] : Object |
 | Constructors.cs:46:31:46:38 | access to parameter o21param : Object | semmle.label | access to parameter o21param : Object |
 | Constructors.cs:48:32:48:39 | access to parameter o22param : Object | semmle.label | access to parameter o22param : Object |
 | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | semmle.label | this : C2 [parameter o22param] : Object |
@@ -213,8 +224,11 @@ nodes
 | Constructors.cs:121:26:121:28 | oc1 : Object | semmle.label | oc1 : Object |
 | Constructors.cs:121:38:121:40 | oc2 : Object | semmle.label | oc2 : Object |
 | Constructors.cs:123:13:123:16 | [post] this access : C4 [property Obj1] : Object | semmle.label | [post] this access : C4 [property Obj1] : Object |
+| Constructors.cs:123:13:123:16 | this access [Reverse] : C4 [property Obj1] : Object | semmle.label | this access [Reverse] : C4 [property Obj1] : Object |
+| Constructors.cs:123:13:123:16 | this access [Reverse] : C4 [property Obj2] : Object | semmle.label | this access [Reverse] : C4 [property Obj2] : Object |
 | Constructors.cs:123:20:123:22 | access to parameter oc1 : Object | semmle.label | access to parameter oc1 : Object |
 | Constructors.cs:124:13:124:16 | [post] this access : C4 [property Obj2] : Object | semmle.label | [post] this access : C4 [property Obj2] : Object |
+| Constructors.cs:124:13:124:16 | this access [Reverse] : C4 [property Obj2] : Object | semmle.label | this access [Reverse] : C4 [property Obj2] : Object |
 | Constructors.cs:124:20:124:22 | access to parameter oc2 : Object | semmle.label | access to parameter oc2 : Object |
 | Constructors.cs:130:13:130:14 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
 | Constructors.cs:130:18:130:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |

Diff for: csharp/ql/test/library-tests/dataflow/delegates/DelegateFlow.ql

@@ -1,16 +1,16 @@
 import csharp
-import semmle.code.csharp.dataflow.internal.DataFlowImplCommon
+import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
 import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 
 query predicate delegateCall(DelegateLikeCall dc, Callable c) { c = dc.getARuntimeTarget() }
 
-private class LocatableDataFlowCallOption extends DataFlowCallOption {
+private class LocatableDataFlowCallOption extends DataFlowImplCommon::DataFlowCallOption {
   Location getLocation() {
-    this = TDataFlowCallNone() and
+    this = DataFlowImplCommon::TDataFlowCallNone() and
     result instanceof EmptyLocation
     or
     exists(DataFlowCall call |
-      this = TDataFlowCallSome(call) and
+      this = DataFlowImplCommon::TDataFlowCallSome(call) and
       result = call.getLocation()
     )
   }
@@ -30,5 +30,5 @@ private class LocatableDataFlowCall extends TDataFlowCall {
 query predicate viableLambda(
   LocatableDataFlowCall call, LocatableDataFlowCallOption lastCall, DataFlowCallable target
 ) {
-  target = viableCallableLambda(call, lastCall)
+  target = DataFlowImplCommon::viableCallableLambda(call, lastCall)
 }