Skip to content

Go/feature/shared ssa library #19011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 24 commits into
base: main
Choose a base branch
from
Draft

Go/feature/shared ssa library #19011

wants to merge 24 commits into from

Conversation

owen-mc
Copy link
Contributor

@owen-mc owen-mc commented Mar 13, 2025
edited
Loading

This is based on #14751, which switches to use-use flow without adopting the shared SSA library.

This is not quite finished. So far it instantiates the shared SSA library and bases the existing SSA classes on it. There are a small number of test changes in the last commit, which I want to either fix or understand before moving on to the next stage. This is most obvious in go/ql/test/library-tests/semmle/go/dataflow/SSA/SsaDefinition.expected, where we lose two SSA definitions. It looks like we fail to read from a captured variable back into the corresponding variable in the declaring container after a call. I actually think what's happening is that the write in the closure is being pruned because it doesn't seem to flow to a read. The go logic that we're replacing does this pruning as liveAfterDef(bb, i, v) or v.isCaptured(), which protects captured variables from being pruned.

The next steps, once that is sorted out, is using the predicates provided by the shared SSA library, e.g. I think it would give us the first use, adjacent use, and localFlowStep predicates. After that, we also have to implement proper post-update nodes.

owen-mc and others added 22 commits March 6, 2025 12:49
@owen-mc
Switch to use-use dataflow. This will make post-update nodes easy to …
8d844e8 
…implement.

Queries / tests that required changes:
* The CleartextLogging and MissingErrorCheck queries are updated because they assumed def-use flow
* The CommandInjection query works around the shortcomings of use-use flow by essentially reintroducing def-use flow when it applies a sanitizer
* The OpenUrlRedirect query currently just accepts its fate; the tests are updated to avoid excess sanitization while the query comments on the problem. We should choose this approach or the CommandInjection one.
@owen-mc
Add missing QLDoc
06404d8
@owen-mc
Clean up code in basicLocalFlowStep
d8002a0 
No changes in functionality.
@owen-mc
Include first step from SsaVariableCapture
1904daf 
Without this change the test
go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.qlref
was failing.
@owen-mc
Adjust SafeFormatArgumentSanitizer to use-use flow
9d88795 
Make it sanitize the result of the call rather than the input, so that
further uses of the input are still tainted. This means that it catches
things like `log.Print(fmt.Sprintf("user %q logged in.\n", username))`
where the argument to the LoggerCall contains a StringFormatCall, but
it misses things like `log.Printf("user %q logged in.\n", username)`. So
we extract the logic into a predicate and apply it as a condition in the
sink as well.

The downside of this approach is that if there are two tainted inputs
and only one has a safe format argument then we still sanitize the
result. Hopefully this is rare.
@owen-mc
Test result that was missing is now found
f67555a
@owen-mc
Expected changes in dataflow edges
03204cf
@owen-mc
f extra edge
487dba3
@owen-mc
Line numbers change because 3 lines were added
c040c9a
@owen-mc
Changes in edges in .expected files
8b6a173
@owen-mc
Extra edge to captured variable
ef9f740
@owen-mc
Fix Allocation Size Overflow for use-use flow
ad0b836 
We have an operator expression like `x * 5`. We want to follow where the
value of the operator expression goes. We used to follow local flow from
an operand, but now there is flow from that operand to the next use of
the variable. The fix is to explicitly start local flow from the
operator expression.

There are also some expected edge changes due to use-use flow.
@owen-mc
Expected test changes (odd because post update nodes are still at the…
68128b3 
… def)
@smowton @owen-mc
Optimise join order for varBlockReaches
818ebea
@owen-mc
Fix IncorrectIntegerConversion for use-use flow
6c863c6 
We were assuming that `sink` only had one successor, the TypeCastNode, but it
can now have an adjacent use as well.
@owen-mc
accept edge changes
5a09b15
@owen-mc
Accept fixed test result
7f5e973
@owen-mc
Make insecure randomness test more realistic
c308978
@owen-mc
Fix TypeAssertionCheck to not block successor flow
a3dbc5e 
By moving it from the expression evaluation to the type assertion
evaluation we don't block flow to successor uses of the same variable.
@owen-mc
Improve SSA tests for variables in closures
635b722
@owen-mc
Invoke SsaImplCommon::Make
a15ab99
@owen-mc
Refactor: reorder parameters of SsaDefinition.definesAt
5bc4ccf 
Match the order used in the shared SSA library
@github-actions github-actions bot added the Go label Mar 13, 2025
@owen-mc owen-mc force-pushed the go/feature/shared-ssa-library branch from efc9483 to d98a669 Compare March 14, 2025 22:46
@owen-mc owen-mc force-pushed the go/feature/shared-ssa-library branch from d98a669 to d49f05f Compare March 15, 2025 00:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Go
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@owen-mc @smowton