Swift: Don't assume we know the call target statically in 'TInOutUpdateNode'.

MathiasVP · MathiasVP · commit 52b78b6e68fd · 2022-08-04T21:57:04.000+01:00
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -65,10 +65,7 @@ private module Cached {
     TExprNode(CfgNode n, Expr e) { hasExprNode(n, e) } or
     TSsaDefinitionNode(Ssa::Definition def) or
     TInoutReturnNode(ParamDecl param) { param.isInout() } or
-    TInOutUpdateNode(ParamDecl param, CallExpr call) {
-      param.isInout() and
-      call.getStaticTarget() = param.getDeclaringFunction()
-    } or
+    TInOutUpdateNode(Argument arg) { arg.getExpr() instanceof InOutExpr } or
     TSummaryNode(FlowSummary::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state)
 
   private predicate hasExprNode(CfgNode n, Expr e) {
@@ -281,23 +278,22 @@ private module OutNodes {
   }
 
   class InOutUpdateNode extends OutNode, TInOutUpdateNode, NodeImpl {
-    ParamDecl param;
-    CallExpr call;
+    Argument arg;
 
-    InOutUpdateNode() { this = TInOutUpdateNode(param, call) }
+    InOutUpdateNode() { this = TInOutUpdateNode(arg) }
 
     override DataFlowCall getCall(ReturnKind kind) {
-      result.asCall().getExpr() = call and
-      kind.(ParamReturnKind).getIndex() = param.getIndex()
+      result.asCall().getExpr() = arg.getApplyExpr() and
+      kind.(ParamReturnKind).getIndex() = arg.getIndex()
     }
 
     override DataFlowCallable getEnclosingCallable() {
       result = this.getCall(_).getEnclosingCallable()
     }
 
-    override Location getLocationImpl() { result = call.getLocation() }
+    override Location getLocationImpl() { result = arg.getLocation() }
 
-    override string toStringImpl() { result = param.toString() }
+    override string toStringImpl() { result = arg.toString() }
   }
 }
 
diff --git a/swift/ql/lib/codeql/swift/elements/expr/Argument.qll b/swift/ql/lib/codeql/swift/elements/expr/Argument.qll
@@ -5,4 +5,6 @@ class Argument extends ArgumentBase {
   override string toString() { result = this.getLabel() + ": " + this.getExpr().toString() }
 
   int getIndex() { any(ApplyExpr apply).getArgument(result) = this }
+
+  ApplyExpr getApplyExpr() { result.getAnArgument() = this }
 }
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
@@ -12,23 +12,23 @@ edges
 | test.swift:29:26:29:29 | y :  | test.swift:31:15:31:15 | y |
 | test.swift:35:12:35:19 | call to source() :  | test.swift:39:15:39:29 | call to callee_source() |
 | test.swift:43:19:43:26 | call to source() :  | test.swift:50:15:50:15 | t |
-| test.swift:53:1:56:1 | arg[return] :  | test.swift:61:5:61:24 | arg :  |
+| test.swift:53:1:56:1 | arg[return] :  | test.swift:61:17:61:23 | arg: &... :  |
 | test.swift:54:11:54:18 | call to source() :  | test.swift:53:1:56:1 | arg[return] :  |
-| test.swift:61:5:61:24 | arg :  | test.swift:62:15:62:15 | x |
+| test.swift:61:17:61:23 | arg: &... :  | test.swift:62:15:62:15 | x |
 | test.swift:65:16:65:28 | WriteDef :  | test.swift:65:1:70:1 | arg2[return] :  |
 | test.swift:65:16:65:28 | arg1 :  | test.swift:65:1:70:1 | arg2[return] :  |
 | test.swift:73:18:73:25 | call to source() :  | test.swift:75:21:75:22 | &... :  |
-| test.swift:75:5:75:33 | arg2 :  | test.swift:77:15:77:15 | y |
 | test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | WriteDef :  |
 | test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  |
-| test.swift:75:21:75:22 | &... :  | test.swift:75:5:75:33 | arg2 :  |
-| test.swift:80:1:82:1 | arg[return] :  | test.swift:97:9:97:41 | arg :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:75:25:75:32 | arg2: &... :  |
+| test.swift:75:25:75:32 | arg2: &... :  | test.swift:77:15:77:15 | y |
+| test.swift:80:1:82:1 | arg[return] :  | test.swift:97:34:97:40 | arg: &... :  |
 | test.swift:81:11:81:18 | call to source() :  | test.swift:80:1:82:1 | arg[return] :  |
-| test.swift:84:1:91:1 | arg[return] :  | test.swift:104:9:104:54 | arg :  |
+| test.swift:84:1:91:1 | arg[return] :  | test.swift:104:35:104:41 | arg: &... :  |
 | test.swift:86:15:86:22 | call to source() :  | test.swift:84:1:91:1 | arg[return] :  |
 | test.swift:89:15:89:22 | call to source() :  | test.swift:84:1:91:1 | arg[return] :  |
-| test.swift:97:9:97:41 | arg :  | test.swift:98:19:98:19 | x |
-| test.swift:104:9:104:54 | arg :  | test.swift:105:19:105:19 | x |
+| test.swift:97:34:97:40 | arg: &... :  | test.swift:98:19:98:19 | x |
+| test.swift:104:35:104:41 | arg: &... :  | test.swift:105:19:105:19 | x |
 | test.swift:109:9:109:14 | WriteDef :  | test.swift:110:12:110:12 | arg :  |
 | test.swift:109:9:109:14 | arg :  | test.swift:110:12:110:12 | arg :  |
 | test.swift:113:14:113:19 | WriteDef :  | test.swift:114:19:114:19 | arg :  |
@@ -88,25 +88,25 @@ nodes
 | test.swift:50:15:50:15 | t | semmle.label | t |
 | test.swift:53:1:56:1 | arg[return] :  | semmle.label | arg[return] :  |
 | test.swift:54:11:54:18 | call to source() :  | semmle.label | call to source() :  |
-| test.swift:61:5:61:24 | arg :  | semmle.label | arg :  |
+| test.swift:61:17:61:23 | arg: &... :  | semmle.label | arg: &... :  |
 | test.swift:62:15:62:15 | x | semmle.label | x |
 | test.swift:65:1:70:1 | arg2[return] :  | semmle.label | arg2[return] :  |
 | test.swift:65:16:65:28 | WriteDef :  | semmle.label | WriteDef :  |
 | test.swift:65:16:65:28 | WriteDef :  | semmle.label | arg1 :  |
 | test.swift:65:16:65:28 | arg1 :  | semmle.label | WriteDef :  |
 | test.swift:65:16:65:28 | arg1 :  | semmle.label | arg1 :  |
 | test.swift:73:18:73:25 | call to source() :  | semmle.label | call to source() :  |
-| test.swift:75:5:75:33 | arg2 :  | semmle.label | arg2 :  |
 | test.swift:75:21:75:22 | &... :  | semmle.label | &... :  |
+| test.swift:75:25:75:32 | arg2: &... :  | semmle.label | arg2: &... :  |
 | test.swift:77:15:77:15 | y | semmle.label | y |
 | test.swift:80:1:82:1 | arg[return] :  | semmle.label | arg[return] :  |
 | test.swift:81:11:81:18 | call to source() :  | semmle.label | call to source() :  |
 | test.swift:84:1:91:1 | arg[return] :  | semmle.label | arg[return] :  |
 | test.swift:86:15:86:22 | call to source() :  | semmle.label | call to source() :  |
 | test.swift:89:15:89:22 | call to source() :  | semmle.label | call to source() :  |
-| test.swift:97:9:97:41 | arg :  | semmle.label | arg :  |
+| test.swift:97:34:97:40 | arg: &... :  | semmle.label | arg: &... :  |
 | test.swift:98:19:98:19 | x | semmle.label | x |
-| test.swift:104:9:104:54 | arg :  | semmle.label | arg :  |
+| test.swift:104:35:104:41 | arg: &... :  | semmle.label | arg: &... :  |
 | test.swift:105:19:105:19 | x | semmle.label | x |
 | test.swift:109:9:109:14 | WriteDef :  | semmle.label | WriteDef :  |
 | test.swift:109:9:109:14 | WriteDef :  | semmle.label | arg :  |
@@ -155,8 +155,8 @@ nodes
 | test.swift:157:16:157:23 | call to source() :  | semmle.label | call to source() :  |
 | test.swift:159:16:159:29 | call to ... :  | semmle.label | call to ... :  |
 subpaths
-| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | WriteDef :  | test.swift:65:1:70:1 | arg2[return] :  | test.swift:75:5:75:33 | arg2 :  |
-| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  | test.swift:65:1:70:1 | arg2[return] :  | test.swift:75:5:75:33 | arg2 :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | WriteDef :  | test.swift:65:1:70:1 | arg2[return] :  | test.swift:75:25:75:32 | arg2: &... :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  | test.swift:65:1:70:1 | arg2[return] :  | test.swift:75:25:75:32 | arg2: &... :  |
 | test.swift:114:19:114:19 | arg :  | test.swift:109:9:109:14 | WriteDef :  | test.swift:110:12:110:12 | arg :  | test.swift:114:12:114:22 | call to ... :  |
 | test.swift:114:19:114:19 | arg :  | test.swift:109:9:109:14 | arg :  | test.swift:110:12:110:12 | arg :  | test.swift:114:12:114:22 | call to ... :  |
 | test.swift:114:19:114:19 | arg :  | test.swift:123:10:123:13 | WriteDef :  | test.swift:124:16:124:16 | i :  | test.swift:114:12:114:22 | call to ... :  |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
@@ -29,7 +29,7 @@
 | test.swift:59:18:59:18 | 0 | test.swift:59:9:59:12 | WriteDef |
 | test.swift:60:15:60:15 | x | test.swift:61:23:61:23 | x |
 | test.swift:61:5:61:24 | WriteDef | test.swift:62:15:62:15 | x |
-| test.swift:61:5:61:24 | arg | test.swift:61:5:61:24 | WriteDef |
+| test.swift:61:17:61:23 | arg: &... | test.swift:61:5:61:24 | WriteDef |
 | test.swift:61:23:61:23 | x | test.swift:61:22:61:23 | &... |
 | test.swift:65:16:65:28 | WriteDef | test.swift:66:21:66:21 | arg1 |
 | test.swift:65:16:65:28 | arg1 | test.swift:66:21:66:21 | arg1 |
@@ -47,9 +47,9 @@
 | test.swift:74:18:74:18 | 0 | test.swift:74:9:74:12 | WriteDef |
 | test.swift:75:5:75:33 | WriteDef | test.swift:76:15:76:15 | x |
 | test.swift:75:5:75:33 | WriteDef | test.swift:77:15:77:15 | y |
-| test.swift:75:5:75:33 | arg1 | test.swift:75:5:75:33 | WriteDef |
-| test.swift:75:5:75:33 | arg2 | test.swift:75:5:75:33 | WriteDef |
+| test.swift:75:15:75:22 | arg1: &... | test.swift:75:5:75:33 | WriteDef |
 | test.swift:75:22:75:22 | x | test.swift:75:21:75:22 | &... |
+| test.swift:75:25:75:32 | arg2: &... | test.swift:75:5:75:33 | WriteDef |
 | test.swift:75:32:75:32 | y | test.swift:75:31:75:32 | &... |
 | test.swift:81:5:81:18 | WriteDef | test.swift:80:1:82:1 | arg[return] |
 | test.swift:81:11:81:18 | call to source() | test.swift:81:5:81:18 | WriteDef |
@@ -66,13 +66,13 @@
 | test.swift:95:22:95:22 | 0 | test.swift:95:13:95:16 | WriteDef |
 | test.swift:96:19:96:19 | x | test.swift:97:40:97:40 | x |
 | test.swift:97:9:97:41 | WriteDef | test.swift:98:19:98:19 | x |
-| test.swift:97:9:97:41 | arg | test.swift:97:9:97:41 | WriteDef |
+| test.swift:97:34:97:40 | arg: &... | test.swift:97:9:97:41 | WriteDef |
 | test.swift:97:40:97:40 | x | test.swift:97:39:97:40 | &... |
 | test.swift:102:13:102:16 | WriteDef | test.swift:103:19:103:19 | x |
 | test.swift:102:22:102:22 | 0 | test.swift:102:13:102:16 | WriteDef |
 | test.swift:103:19:103:19 | x | test.swift:104:41:104:41 | x |
 | test.swift:104:9:104:54 | WriteDef | test.swift:105:19:105:19 | x |
-| test.swift:104:9:104:54 | arg | test.swift:104:9:104:54 | WriteDef |
+| test.swift:104:35:104:41 | arg: &... | test.swift:104:9:104:54 | WriteDef |
 | test.swift:104:41:104:41 | x | test.swift:104:40:104:41 | &... |
 | test.swift:109:9:109:14 | WriteDef | test.swift:110:12:110:12 | arg |
 | test.swift:109:9:109:14 | arg | test.swift:110:12:110:12 | arg |

Original file line number	Diff line number	Diff line change
`@@ -5,4 +5,6 @@ class Argument extends ArgumentBase {`
`5`	`5`	`override string toString() { result = this.getLabel() + ": " + this.getExpr().toString() }`
`6`	`6`
`7`	`7`	`int getIndex() { any(ApplyExpr apply).getArgument(result) = this }`
	`8`	`+`
	`9`	`+ ApplyExpr getApplyExpr() { result.getAnArgument() = this }`
`8`	`10`	`}`