Merge pull request github#9291 from MathiasVP/swift-ipa-the-cfg

Swift: CFG for property reads and writes

Author: MathiasVP

swift/ql/lib/codeql/swift/controlflow/BasicBlocks.qll

@@ -3,6 +3,7 @@
 private import swift
 private import ControlFlowGraph
 private import internal.ControlFlowGraphImpl
+private import internal.ControlFlowElements
 private import CfgNodes
 private import SuccessorTypes
 
@@ -198,8 +199,18 @@ private module JoinBlockPredecessors {
 
   private predicate idOf(AstNode x, int y) = equivalenceRelation(id/2)(x, y)
 
+  private AstNode projctToAst(ControlFlowElement n) {
+    result = n.asAstNode()
+    or
+    isPropertyGetterElement(n, _, result)
+    or
+    isPropertySetterElement(n, _, result)
+    or
+    isPropertyObserverElement(n, _, result)
+  }
+
   int getId(JoinBlockPredecessor jbp) {
-    idOf(jbp.getFirstNode().(AstCfgNode).getNode(), result)
+    idOf(projctToAst(jbp.getFirstNode().(AstCfgNode).getNode()), result)
     or
     idOf(jbp.(EntryBasicBlock).getScope(), result)
   }

swift/ql/lib/codeql/swift/controlflow/CfgNodes.qll

@@ -4,6 +4,7 @@ private import swift
 private import BasicBlocks
 private import ControlFlowGraph
 private import internal.ControlFlowGraphImpl
+private import internal.ControlFlowElements
 private import internal.Splitting
 
 /** An entry node for a given scope. */
@@ -66,11 +67,11 @@ class ExitNode extends ControlFlowNode, TExitNode {
  */
 class AstCfgNode extends ControlFlowNode, TElementNode {
   private Splits splits;
-  private AstNode n;
+  private ControlFlowElement n;
 
   AstCfgNode() { this = TElementNode(_, n, splits) }
 
-  final override AstNode getNode() { result = n }
+  final override ControlFlowElement getNode() { result = n }
 
   override Location getLocation() { result = n.getLocation() }
 
@@ -96,7 +97,7 @@ class AstCfgNode extends ControlFlowNode, TElementNode {
 class ExprCfgNode extends AstCfgNode {
   Expr e;
 
-  ExprCfgNode() { e = this.getNode() }
+  ExprCfgNode() { e = this.getNode().asAstNode() }
 
   /** Gets the underlying expression. */
   Expr getExpr() { result = e }

swift/ql/lib/codeql/swift/controlflow/ControlFlowGraph.qll

@@ -6,13 +6,14 @@ private import SuccessorTypes
 private import internal.ControlFlowGraphImpl
 private import internal.Completion
 private import internal.Scope
+private import internal.ControlFlowElements
 
 /** An AST node with an associated control-flow graph. */
 class CfgScope extends Scope instanceof CfgScope::Range_ {
   /** Gets the CFG scope that this scope is nested under, if any. */
   final CfgScope getOuterCfgScope() {
-    exists(AstNode parent |
-      parent = getParent(this) and
+    exists(ControlFlowElement parent |
+      parent.asAstNode() = getParentOfAst(this) and
       result = getCfgScope(parent)
     )
   }
@@ -31,7 +32,7 @@ class ControlFlowNode extends TCfgNode {
   string toString() { none() }
 
   /** Gets the AST node that this node corresponds to, if any. */
-  AstNode getNode() { none() }
+  ControlFlowElement getNode() { none() }
 
   /** Gets the location of this control flow node. */
   Location getLocation() { none() }

swift/ql/lib/codeql/swift/controlflow/internal/AstControlFlowTrees.qll

@@ -0,0 +1,40 @@
+private import swift
+private import Completion
+private import ControlFlowGraphImplShared
+private import ControlFlowElements
+
+abstract class AstControlFlowTree extends ControlFlowTree {
+  AstNode ast;
+
+  AstControlFlowTree() { ast = this.asAstNode() }
+
+  AstNode getAst() { result = ast }
+}
+
+/**
+ * Holds if `first` is the first element executed within control flow
+ * element `cft`.
+ */
+predicate astFirst(AstNode cft, ControlFlowElement first) {
+  first(any(ControlFlowTree tree | cft = tree.asAstNode()), first)
+}
+
+/**
+ * Holds if `last` with completion `c` is a potential last element executed
+ * within control flow element `cft`.
+ */
+predicate astLast(AstNode cft, ControlFlowElement last, Completion c) {
+  last(any(ControlFlowTree tree | cft = tree.asAstNode()), last, c)
+}
+
+abstract class AstPreOrderTree extends AstControlFlowTree, PreOrderTree { }
+
+abstract class AstPostOrderTree extends AstControlFlowTree, PostOrderTree { }
+
+abstract class AstStandardTree extends AstControlFlowTree, StandardTree { }
+
+abstract class AstStandardPreOrderTree extends AstStandardTree, StandardPreOrderTree { }
+
+abstract class AstStandardPostOrderTree extends AstStandardTree, StandardPostOrderTree { }
+
+abstract class AstLeafTree extends AstPreOrderTree, AstPostOrderTree, LeafTree { }

swift/ql/lib/codeql/swift/controlflow/internal/Completion.qll

@@ -6,6 +6,7 @@
 
 private import swift
 private import codeql.swift.controlflow.ControlFlowGraph
+private import ControlFlowElements
 private import ControlFlowGraphImpl
 private import SuccessorTypes
 
@@ -41,8 +42,8 @@ private predicate completionIsValidForStmt(Stmt stmt, Completion c) {
 
 /** A completion of a statement or an expression. */
 abstract class Completion extends TCompletion {
-  private predicate isValidForSpecific(AstNode n) {
-    completionIsValidForStmt(n, this)
+  private predicate isValidForSpecific(ControlFlowElement n) {
+    completionIsValidForStmt(n.asAstNode(), this)
     or
     mustHaveBooleanCompletion(n) and
     (
@@ -52,22 +53,24 @@ abstract class Completion extends TCompletion {
       this = TBooleanCompletion(_)
     )
     or
-    mustHaveMatchingCompletion(n) and
+    mustHaveMatchingCompletion(n.asAstNode()) and
     (
-      exists(boolean value | isMatchingConstant(n, value) | this = TMatchingCompletion(value))
+      exists(boolean value | isMatchingConstant(n.asAstNode(), value) |
+        this = TMatchingCompletion(value)
+      )
       or
-      not isMatchingConstant(n, _) and
+      not isMatchingConstant(n.asAstNode(), _) and
       this = TMatchingCompletion(_)
     )
     or
-    mustHaveThrowCompletion(n, this)
+    mustHaveThrowCompletion(n.asAstNode(), this)
   }
 
   /** Holds if this completion is valid for node `n`. */
-  predicate isValidFor(AstNode n) {
+  predicate isValidFor(ControlFlowElement n) {
     this.isValidForSpecific(n)
     or
-    mayHaveThrowCompletion(n, this)
+    mayHaveThrowCompletion(n.asAstNode(), this)
     or
     not any(Completion c).isValidForSpecific(n) and
     this = TSimpleCompletion()
@@ -87,25 +90,35 @@ abstract class Completion extends TCompletion {
 }
 
 /** Holds if node `n` has the Boolean constant value `value`. */
-private predicate isBooleanConstant(AstNode n, boolean value) {
+private predicate isBooleanConstant(ControlFlowElement n, boolean value) {
   mustHaveBooleanCompletion(n) and
-  value = n.(BooleanLiteralExpr).getValue()
+  value = n.asAstNode().(BooleanLiteralExpr).getValue()
   or
   // Boolean consants hidden inside conversions are also
   // constants that resolve to the same value.
-  isBooleanConstant(n.getResolveStep(), value)
+  exists(ControlFlowElement parent |
+    parent.asAstNode() = n.asAstNode().getResolveStep() and
+    isBooleanConstant(parent, value)
+  )
 }
 
 /**
  * Holds if a normal completion of `n` must be a Boolean completion.
  */
-private predicate mustHaveBooleanCompletion(AstNode n) { inBooleanContext(n) }
+private predicate mustHaveBooleanCompletion(ControlFlowElement n) { inBooleanContext(n) }
 
 /**
  * Holds if `n` is used in a Boolean context. That is, the value
  * that `n` evaluates to determines a true/false branch successor.
  */
-private predicate inBooleanContext(AstNode n) {
+private predicate inBooleanContext(ControlFlowElement n) {
+  astInBooleanContext(n.asAstNode()) or
+  astInBooleanContext(n.(PropertyGetterElement).getRef()) or
+  astInBooleanContext(n.(PropertySetterElement).getAssignExpr()) or
+  astInBooleanContext(n.(PropertyObserverElement).getAssignExpr())
+}
+
+private predicate astInBooleanContext(AstNode n) {
   n = any(ConditionElement condElem).getFullyUnresolved()
   or
   n = any(StmtCondition stmtCond).getFullyUnresolved()
@@ -115,30 +128,30 @@ private predicate inBooleanContext(AstNode n) {
   exists(LogicalAndExpr parent |
     n = parent.getLeftOperand().getFullyConverted()
     or
-    inBooleanContext(parent) and
+    astInBooleanContext(parent) and
     n = parent.getRightOperand().getFullyConverted()
   )
   or
   exists(LogicalOrExpr parent |
     n = parent.getLeftOperand().getFullyConverted()
     or
-    inBooleanContext(parent) and
+    astInBooleanContext(parent) and
     n = parent.getRightOperand().getFullyConverted()
   )
   or
-  n = any(NotExpr parent | inBooleanContext(parent)).getOperand().getFullyConverted()
+  n = any(NotExpr parent | astInBooleanContext(parent)).getOperand().getFullyConverted()
   or
   exists(IfExpr ifExpr |
     ifExpr.getCondition().getFullyConverted() = n
     or
-    inBooleanContext(ifExpr) and
+    astInBooleanContext(ifExpr) and
     n = ifExpr.getBranch(_).getFullyConverted()
   )
   or
   exists(ForEachStmt foreach | n = foreach.getWhere().getFullyConverted())
   or
   exists(Exprs::Conversions::ConversionOrIdentityTree parent |
-    inBooleanContext(parent) and
+    astInBooleanContext(parent.getAst()) and
     parent.convertsFrom(n)
   )
 }
@@ -477,3 +490,18 @@ class ThrowCompletion extends TThrowCompletion, Completion {
 
   override string toString() { result = "throw" }
 }
+
+/**
+ * Hold if `c` represents normal evaluation of a statement or an
+ * expression.
+ */
+predicate completionIsNormal(Completion c) { c instanceof NormalCompletion }
+
+/**
+ * Hold if `c` represents simple (normal) evaluation of a statement or an
+ * expression.
+ */
+predicate completionIsSimple(Completion c) { c instanceof SimpleCompletion }
+
+/** Holds if `c` is a valid completion for `e`. */
+predicate completionIsValidFor(Completion c, ControlFlowElement e) { c.isValidFor(e) }