Merge pull request github#9469 from rdmarsh2/rdmarsh2/swift/dataflow-inout

Swift: Dataflow through inout parameters

Author: MathiasVP

swift/codegen/schema.yml

@@ -1103,6 +1103,7 @@ ConcreteVarDecl:
 
 ParamDecl:
   _extends: VarDecl
+  is_inout: predicate
 
 AssociatedTypeDecl:
   _extends: AbstractTypeParamDecl

swift/extractor/visitors/DeclVisitor.h

@@ -66,6 +66,9 @@ class DeclVisitor : public AstVisitorBase<DeclVisitor> {
   void visitParamDecl(swift::ParamDecl* decl) {
     auto label = dispatcher_.assignNewLabel(decl);
     dispatcher_.emit(ParamDeclsTrap{label});
+    if (decl->isInOut()) {
+      dispatcher_.emit(ParamDeclIsInoutTrap{label});
+    }
     emitVarDecl(decl, label);
   }
 

swift/ql/lib/codeql/swift/controlflow/CfgNodes.qll

@@ -102,3 +102,15 @@ class ExprCfgNode extends AstCfgNode {
   /** Gets the underlying expression. */
   Expr getExpr() { result = e }
 }
+
+class ApplyExprCfgNode extends ExprCfgNode {
+  override ApplyExpr e;
+
+  ExprCfgNode getArgument(int index) {
+    result.getNode().asAstNode() = e.getArgument(index).getExpr()
+  }
+}
+
+class CallExprCfgNode extends ApplyExprCfgNode {
+  override CallExpr e;
+}

swift/ql/lib/codeql/swift/dataflow/Ssa.qll

@@ -71,6 +71,19 @@ module Ssa {
         value.getNode().asAstNode() = var.getParentInitializer()
       )
     }
+
+    cached
+    predicate isInoutDef(ExprCfgNode argument) {
+      exists(
+        CallExpr c, BasicBlock bb, int blockIndex, int argIndex, VarDecl v, InOutExpr argExpr // TODO: use CFG node for assignment expr
+      |
+        this.definesAt(v, bb, blockIndex) and
+        bb.getNode(blockIndex).getNode().asAstNode() = c and
+        c.getArgument(argIndex).getExpr() = argExpr and
+        argExpr = argument.getNode().asAstNode() and
+        argExpr.getSubExpr() = v.getAnAccess() // TODO: fields?
+      )
+    }
   }
 
   cached

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll

@@ -3,7 +3,9 @@ private import DataFlowPrivate
 private import DataFlowPublic
 private import codeql.swift.controlflow.ControlFlowGraph
 
-newtype TReturnKind = TNormalReturnKind()
+newtype TReturnKind =
+  TNormalReturnKind() or
+  TParamReturnKind(int i) { exists(ParamDecl param | param.getIndex() = i) }
 
 /**
  * Gets a node that can read the value returned from `call` with return kind
@@ -28,16 +30,33 @@ class NormalReturnKind extends ReturnKind, TNormalReturnKind {
   override string toString() { result = "return" }
 }
 
+/**
+ * A value returned from a callable using an `inout` parameter.
+ */
+class ParamReturnKind extends ReturnKind, TParamReturnKind {
+  int index;
+
+  ParamReturnKind() { this = TParamReturnKind(index) }
+
+  int getIndex() { result = index }
+
+  override string toString() { result = "param(" + index + ")" }
+}
+
 /**
  * A callable. This includes callables from source code, as well as callables
  * defined in library code.
  */
 class DataFlowCallable extends TDataFlowCallable {
+  AbstractFunctionDecl func;
+
+  DataFlowCallable() { this = TDataFlowFunc(func) }
+
   /** Gets a textual representation of this callable. */
-  string toString() { none() }
+  string toString() { result = func.toString() }
 
   /** Gets the location of this callable. */
-  Location getLocation() { none() }
+  Location getLocation() { result = func.getLocation() }
 }
 
 /**
@@ -48,7 +67,7 @@ class DataFlowCall extends ExprNode {
   DataFlowCall() { this.asExpr() instanceof CallExpr }
 
   /** Gets the enclosing callable. */
-  DataFlowCallable getEnclosingCallable() { none() }
+  DataFlowCallable getEnclosingCallable() { result = TDataFlowFunc(this.getCfgNode().getScope()) }
 }
 
 cached

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -1,6 +1,7 @@
 private import swift
 private import DataFlowPublic
 private import DataFlowDispatch
+private import codeql.swift.controlflow.ControlFlowGraph
 private import codeql.swift.controlflow.CfgNodes
 private import codeql.swift.dataflow.Ssa
 private import codeql.swift.controlflow.BasicBlocks
@@ -20,7 +21,7 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos)
 }
 
 abstract class NodeImpl extends Node {
-  DataFlowCallable getEnclosingCallable() { none() }
+  abstract DataFlowCallable getEnclosingCallable();
 
   /** Do not call: use `getLocation()` instead. */
   abstract Location getLocationImpl();
@@ -60,7 +61,21 @@ private module Cached {
   cached
   newtype TNode =
     TExprNode(ExprCfgNode e) or
-    TSsaDefinitionNode(Ssa::Definition def)
+    TSsaDefinitionNode(Ssa::Definition def) or
+    TInoutReturnNode(ParamDecl param) { param.isInout() } or
+    TInOutUpdateNode(ParamDecl param, CallExpr call) {
+      param.isInout() and
+      call.getStaticTarget() = param.getDeclaringFunction()
+    }
+
+  private predicate localSsaFlowStepUseUse(Ssa::Definition def, Node nodeFrom, Node nodeTo) {
+    def.adjacentReadPair(nodeFrom.getCfgNode(), nodeTo.getCfgNode()) and
+    (
+      nodeTo instanceof InoutReturnNode
+      implies
+      nodeTo.(InoutReturnNode).getParameter() = def.getSourceVariable()
+    )
+  }
 
   private predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) {
     exists(Ssa::Definition def |
@@ -70,14 +85,34 @@ private module Cached {
       or
       // step from def to first read
       nodeFrom.asDefinition() = def and
-      nodeTo.getCfgNode() = def.getAFirstRead()
+      nodeTo.getCfgNode() = def.getAFirstRead() and
+      (
+        nodeTo instanceof InoutReturnNode
+        implies
+        nodeTo.(InoutReturnNode).getParameter() = def.getSourceVariable()
+      )
       or
       // use-use flow
-      def.adjacentReadPair(nodeFrom.getCfgNode(), nodeTo.getCfgNode())
+      localSsaFlowStepUseUse(def, nodeFrom, nodeTo)
       or
+      //localSsaFlowStepUseUse(def, nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
+      //or
       // step from previous read to Phi node
       localFlowSsaInput(nodeFrom, def, nodeTo.asDefinition())
     )
+    or
+    exists(ParamReturnKind kind, ExprCfgNode arg |
+      arg =
+        nodeFrom
+            .(InOutUpdateNode)
+            .getCall(kind)
+            .getCfgNode()
+            .(CallExprCfgNode)
+            .getArgument(kind.getIndex()) and
+      nodeTo.asDefinition().(Ssa::WriteDefinition).isInoutDef(arg)
+    )
+    or
+    nodeFrom.asExpr() = nodeTo.asExpr().(InOutExpr).getSubExpr()
   }
 
   /**
@@ -172,6 +207,31 @@ private module ReturnNodes {
 
     override ReturnKind getKind() { result instanceof NormalReturnKind }
   }
+
+  class InoutReturnNodeImpl extends ReturnNode, TInoutReturnNode, NodeImpl {
+    ParamDecl param;
+    ControlFlowNode exit;
+
+    InoutReturnNodeImpl() {
+      this = TInoutReturnNode(param) and
+      exit instanceof ExitNode and
+      exit.getScope() = param.getDeclaringFunction()
+    }
+
+    override ReturnKind getKind() { result.(ParamReturnKind).getIndex() = param.getIndex() }
+
+    override ControlFlowNode getCfgNode() { result = exit }
+
+    override DataFlowCallable getEnclosingCallable() {
+      result = TDataFlowFunc(param.getDeclaringFunction())
+    }
+
+    ParamDecl getParameter() { result = param }
+
+    override Location getLocationImpl() { result = exit.getLocation() }
+
+    override string toStringImpl() { result = param.toString() + "[return]" }
+  }
 }
 
 import ReturnNodes
@@ -188,6 +248,26 @@ private module OutNodes {
       result = this and kind instanceof NormalReturnKind
     }
   }
+
+  class InOutUpdateNode extends OutNode, TInOutUpdateNode, NodeImpl {
+    ParamDecl param;
+    CallExpr call;
+
+    InOutUpdateNode() { this = TInOutUpdateNode(param, call) }
+
+    override DataFlowCall getCall(ReturnKind kind) {
+      result.asExpr() = call and
+      kind.(ParamReturnKind).getIndex() = param.getIndex()
+    }
+
+    override DataFlowCallable getEnclosingCallable() {
+      result = TDataFlowFunc(this.getCall(_).getCfgNode().getScope())
+    }
+
+    override Location getLocationImpl() { result = call.getLocation() }
+
+    override string toStringImpl() { result = param.toString() }
+  }
 }
 
 import OutNodes

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll

@@ -81,6 +81,10 @@ class SsaDefinitionNode extends Node, TSsaDefinitionNode {
   override Ssa::Definition asDefinition() { result = def }
 }
 
+class InoutReturnNode extends Node instanceof InoutReturnNodeImpl {
+  ParamDecl getParameter() { result = super.getParameter() }
+}
+
 /**
  * A node associated with an object after an operation that might have
  * changed its state.

swift/ql/lib/codeql/swift/dataflow/internal/SsaImplSpecific.qll

@@ -3,6 +3,7 @@
 private import swift
 private import codeql.swift.controlflow.BasicBlocks as BasicBlocks
 private import codeql.swift.controlflow.ControlFlowGraph
+private import codeql.swift.controlflow.CfgNodes
 
 class BasicBlock = BasicBlocks::BasicBlock;
 
@@ -28,6 +29,14 @@ predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain)
     certain = true
   )
   or
+  exists(CallExpr call, Argument arg |
+    arg.getExpr().(InOutExpr).getSubExpr() = v.getAnAccess() and
+    call.getAnArgument() = arg and
+    call.getStaticTarget().getParam(arg.getIndex()).isInout() and
+    bb.getNode(i).getNode().asAstNode() = call and
+    certain = false
+  )
+  or
   v instanceof ParamDecl and
   bb.getNode(i).getNode().asAstNode() = v and
   certain = true
@@ -42,4 +51,12 @@ predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain)
     v = ref.getDecl() and
     certain = true
   )
+  or
+  exists(ExitNode exit, AbstractFunctionDecl func |
+    bb.getNode(i) = exit and
+    v.(ParamDecl).isInout() and
+    func.getAParam() = v and
+    bb.getScope() = func and
+    certain = true
+  )
 }

swift/ql/lib/codeql/swift/elements/decl/ParamDecl.qll

@@ -1,4 +1,10 @@
-// generated by codegen/codegen.py, remove this comment if you wish to edit this file
 private import codeql.swift.generated.decl.ParamDecl
+private import codeql.swift.elements.decl.AbstractFunctionDecl
 
-class ParamDecl extends ParamDeclBase { }
+class ParamDecl extends ParamDeclBase {
+  /** Gets the function which declares this parameter. */
+  AbstractFunctionDecl getDeclaringFunction() { result.getAParam() = this }
+
+  /** Gets the index of this parameter in its declaring function's parameter list. */
+  int getIndex() { exists(AbstractFunctionDecl func | func.getParam(result) = this) }
+}

swift/ql/lib/codeql/swift/generated/decl/ParamDecl.qll

@@ -3,4 +3,6 @@ import codeql.swift.elements.decl.VarDecl
 
 class ParamDeclBase extends @param_decl, VarDecl {
   override string getAPrimaryQlClass() { result = "ParamDecl" }
+
+  predicate isInout() { param_decl_is_inout(this) }
 }