Merge pull request github#12549 from hvitved/ruby/ssa-write-access

Ruby: `Ssa::WriteDefinition::getWriteAccess` should return a CFG node

Author: hvitved

ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll

@@ -756,16 +756,30 @@ module ExprNodes {
 
     override VariableAccess e;
 
-    final override VariableAccess getExpr() { result = ExprCfgNode.super.getExpr() }
+    override VariableAccess getExpr() { result = ExprCfgNode.super.getExpr() }
+
+    /** Gets the variable that is being accessed. */
+    Variable getVariable() { result = this.getExpr().getVariable() }
   }
 
   /** A control-flow node that wraps a `VariableReadAccess` AST expression. */
-  class VariableReadAccessCfgNode extends ExprCfgNode {
+  class VariableReadAccessCfgNode extends VariableAccessCfgNode {
     override string getAPrimaryQlClass() { result = "VariableReadAccessCfgNode" }
 
     override VariableReadAccess e;
 
-    final override VariableReadAccess getExpr() { result = ExprCfgNode.super.getExpr() }
+    override VariableReadAccess getExpr() { result = VariableAccessCfgNode.super.getExpr() }
+  }
+
+  /** A control-flow node that wraps a `LocalVariableReadAccess` AST expression. */
+  class LocalVariableReadAccessCfgNode extends VariableReadAccessCfgNode {
+    override string getAPrimaryQlClass() { result = "LocalVariableReadAccessCfgNode" }
+
+    override LocalVariableReadAccess e;
+
+    final override LocalVariableReadAccess getExpr() { result = super.getExpr() }
+
+    final override LocalVariable getVariable() { result = super.getVariable() }
   }
 
   private class InstanceVariableAccessMapping extends ExprChildMapping, InstanceVariableAccess {
@@ -791,21 +805,57 @@ module ExprNodes {
   }
 
   /** A control-flow node that wraps a `SelfVariableAccess` AST expression. */
-  class SelfVariableAccessCfgNode extends ExprCfgNode {
+  class SelfVariableAccessCfgNode extends VariableAccessCfgNode {
     final override string getAPrimaryQlClass() { result = "SelfVariableAccessCfgNode" }
 
     override SelfVariableAccessMapping e;
 
-    override SelfVariableAccess getExpr() { result = ExprCfgNode.super.getExpr() }
+    override SelfVariableAccess getExpr() { result = VariableAccessCfgNode.super.getExpr() }
+  }
+
+  private class VariableWriteAccessChildMapping extends ExprChildMapping, VariableWriteAccess {
+    override predicate relevantChild(AstNode n) { this.isExplicitWrite(n) }
   }
 
   /** A control-flow node that wraps a `VariableWriteAccess` AST expression. */
-  class VariableWriteAccessCfgNode extends ExprCfgNode {
+  class VariableWriteAccessCfgNode extends VariableAccessCfgNode {
+    /**
+     * Holds if this access is a write access belonging to the explicit
+     * assignment `assignment`. For example, in
+     *
+     * ```rb
+     * a = foo
+     * ```
+     *
+     * both `a` is write accesses belonging to the assignment `a = foo`.
+     */
+    predicate isExplicitWrite(AssignExprCfgNode assignment) { this = assignment.getLhs() }
+
+    /**
+     * Holds if this access is a write access belonging to an implicit assignment.
+     */
+    predicate isImplicitWrite() { e.isImplicitWrite() }
+
     override string getAPrimaryQlClass() { result = "VariableWriteAccessCfgNode" }
 
-    override VariableWriteAccess e;
+    override VariableWriteAccessChildMapping e;
+
+    override VariableWriteAccess getExpr() { result = VariableAccessCfgNode.super.getExpr() }
+  }
+
+  private class LocalVariableWriteAccessChildMapping extends VariableWriteAccessChildMapping,
+    LocalVariableWriteAccess
+  { }
+
+  /** A control-flow node that wraps a `LocalVariableWriteAccess` AST expression. */
+  class LocalVariableWriteAccessCfgNode extends VariableWriteAccessCfgNode {
+    override string getAPrimaryQlClass() { result = "LocalVariableWriteAccessCfgNode" }
+
+    override LocalVariableWriteAccessChildMapping e;
+
+    final override LocalVariableWriteAccess getExpr() { result = super.getExpr() }
 
-    final override VariableWriteAccess getExpr() { result = ExprCfgNode.super.getExpr() }
+    final override LocalVariable getVariable() { result = super.getVariable() }
   }
 
   /** A control-flow node that wraps a `ConstantReadAccess` AST expression. */

ruby/ql/lib/codeql/ruby/dataflow/SSA.qll

@@ -178,6 +178,9 @@ module Ssa {
 
     /** Gets the location of this SSA definition. */
     Location getLocation() { result = this.getControlFlowNode().getLocation() }
+
+    /** Gets the scope of this SSA definition. */
+    CfgScope getScope() { result = this.getBasicBlock().getScope() }
   }
 
   /**
@@ -189,7 +192,7 @@ module Ssa {
    * ```
    */
   class WriteDefinition extends Definition, SsaImpl::WriteDefinition {
-    private VariableWriteAccess write;
+    private VariableWriteAccessCfgNode write;
 
     WriteDefinition() {
       exists(BasicBlock bb, int i, Variable v |
@@ -199,7 +202,7 @@ module Ssa {
     }
 
     /** Gets the underlying write access. */
-    final VariableWriteAccess getWriteAccess() { result = write }
+    final VariableWriteAccessCfgNode getWriteAccess() { result = write }
 
     /**
      * Holds if this SSA definition represents a direct assignment of `value`
@@ -289,7 +292,7 @@ module Ssa {
       )
     }
 
-    final override string toString() { result = "<captured> " + this.getSourceVariable() }
+    final override string toString() { result = "<captured entry> " + this.getSourceVariable() }
 
     override Location getLocation() { result = this.getBasicBlock().getLocation() }
   }
@@ -342,7 +345,7 @@ module Ssa {
      */
     final Definition getPriorDefinition() { result = SsaImpl::uncertainWriteDefinitionInput(this) }
 
-    override string toString() { result = this.getControlFlowNode().toString() }
+    override string toString() { result = "<captured exit> " + this.getSourceVariable() }
   }
 
   /**

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -250,7 +250,8 @@ private predicate selfInToplevel(SelfVariable self, Module m) {
 private predicate asModulePattern(SsaDefinitionExtNode def, Module m) {
   exists(AsPattern ap |
     m = resolveConstantReadAccess(ap.getPattern()) and
-    def.getDefinitionExt().(Ssa::WriteDefinition).getWriteAccess() = ap.getVariableAccess()
+    def.getDefinitionExt().(Ssa::WriteDefinition).getWriteAccess().getNode() =
+      ap.getVariableAccess()
   )
 }
 

ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImpl.qll

@@ -89,20 +89,20 @@ predicate uninitializedWrite(Cfg::EntryBasicBlock bb, int i, LocalVariable v) {
 /** Holds if `bb` contains a captured read of variable `v`. */
 pragma[noinline]
 private predicate hasCapturedVariableRead(Cfg::BasicBlock bb, LocalVariable v) {
-  exists(LocalVariableReadAccess read |
-    read = bb.getANode().getNode() and
-    read.isCapturedAccess() and
+  exists(LocalVariableReadAccessCfgNode read |
+    read = bb.getANode() and
+    read.getExpr().isCapturedAccess() and
     read.getVariable() = v
   )
 }
 
 /** Holds if `bb` contains a captured write to variable `v`. */
 pragma[noinline]
 private predicate writesCapturedVariable(Cfg::BasicBlock bb, LocalVariable v) {
-  exists(LocalVariableWriteAccess write |
-    write = bb.getANode().getNode() and
-    write.isCapturedAccess() and
-    write.getVariable() = v
+  exists(LocalVariableWriteAccessCfgNode write |
+    write = bb.getANode() and
+    write.getVariable() = v and
+    v.isCaptured()
   )
 }
 
@@ -137,9 +137,9 @@ private predicate namespaceSelfExitRead(Cfg::AnnotatedExitBasicBlock bb, int i,
  */
 pragma[noinline]
 private predicate hasCapturedRead(Variable v, Cfg::CfgScope scope) {
-  any(LocalVariableReadAccess read |
-    read.getVariable() = v and scope = read.getCfgScope().getOuterCfgScope*()
-  ).isCapturedAccess()
+  any(LocalVariableReadAccessCfgNode read |
+    read.getVariable() = v and scope = read.getScope().getOuterCfgScope*()
+  ).getExpr().isCapturedAccess()
 }
 
 /**
@@ -153,11 +153,13 @@ private predicate variableWriteInOuterScope(Cfg::BasicBlock bb, LocalVariable v,
 }
 
 pragma[noinline]
-private predicate hasVariableWriteWithCapturedRead(
+private predicate proceedsVariableWriteWithCapturedRead(
   Cfg::BasicBlock bb, LocalVariable v, Cfg::CfgScope scope
 ) {
   hasCapturedRead(v, scope) and
   variableWriteInOuterScope(bb, v, scope)
+  or
+  proceedsVariableWriteWithCapturedRead(bb.getAPredecessor(), v, scope)
 }
 
 /**
@@ -166,7 +168,7 @@ private predicate hasVariableWriteWithCapturedRead(
  */
 private predicate capturedCallRead(CallCfgNode call, Cfg::BasicBlock bb, int i, LocalVariable v) {
   exists(Cfg::CfgScope scope |
-    hasVariableWriteWithCapturedRead(bb.getAPredecessor*(), v, scope) and
+    proceedsVariableWriteWithCapturedRead(bb, v, scope) and
     call = bb.getNode(i)
   |
     // If the read happens inside a block, we restrict to the call that
@@ -191,9 +193,9 @@ private predicate variableReadActual(Cfg::BasicBlock bb, int i, LocalVariable v)
  */
 pragma[noinline]
 private predicate hasCapturedWrite(Variable v, Cfg::CfgScope scope) {
-  any(LocalVariableWriteAccess write |
-    write.getVariable() = v and scope = write.getCfgScope().getOuterCfgScope*()
-  ).isCapturedAccess()
+  any(LocalVariableWriteAccessCfgNode write |
+    write.getVariable() = v and scope = write.getScope().getOuterCfgScope*()
+  ).getExpr().isCapturedAccess()
 }
 
 /**
@@ -339,11 +341,11 @@ private module Cached {
    */
   cached
   predicate variableWriteActual(
-    Cfg::BasicBlock bb, int i, LocalVariable v, VariableWriteAccess write
+    Cfg::BasicBlock bb, int i, LocalVariable v, VariableWriteAccessCfgNode write
   ) {
-    exists(AstNode n |
+    exists(Cfg::CfgNode n |
       write.getVariable() = v and
-      n = bb.getNode(i).getNode()
+      n = bb.getNode(i)
     |
       write.isExplicitWrite(n)
       or

ruby/ql/src/experimental/performance/UseDetect.ql

@@ -11,6 +11,7 @@
 // This is an implementation of the Rubocop rule
 // https://github.com/rubocop/rubocop-performance/blob/master/lib/rubocop/cop/performance/detect.rb
 import codeql.ruby.AST
+import codeql.ruby.CFG
 import codeql.ruby.dataflow.SSA
 
 /** A call that extracts the first or last element of a list. */
@@ -41,12 +42,12 @@ class EndCall extends MethodCall {
 }
 
 Expr getUniqueRead(Expr e) {
-  exists(AssignExpr ae |
-    e = ae.getRightOperand() and
-    forex(Ssa::WriteDefinition def | def.getWriteAccess() = ae.getLeftOperand() |
+  forex(CfgNode eNode | eNode.getNode() = e |
+    exists(Ssa::WriteDefinition def |
+      def.assigns(eNode) and
       strictcount(def.getARead()) = 1 and
       not def = any(Ssa::PhiNode phi).getAnInput() and
-      def.getARead() = result.getAControlFlowNode()
+      def.getARead().getNode() = result
     )
   )
 }

ruby/ql/src/queries/analysis/Definitions.ql

@@ -48,7 +48,7 @@ newtype DefLoc =
   /** A local variable. */
   LocalVariableLoc(VariableReadAccess read, VariableWriteAccess write) {
     exists(Ssa::WriteDefinition w |
-      write = w.getWriteAccess() and
+      write = w.getWriteAccess().getNode() and
       read = w.getARead().getExpr() and
       not read.isSynthesized()
     )

ruby/ql/src/queries/variables/DeadStoreOfLocal.ql

@@ -24,5 +24,5 @@ from RelevantLocalVariableWriteAccess write, LocalVariable v
 where
   v = write.getVariable() and
   exists(write.getAControlFlowNode()) and
-  not exists(Ssa::WriteDefinition def | def.getWriteAccess() = write)
+  not exists(Ssa::WriteDefinition def | def.getWriteAccess().getNode() = write)
 select write, "This assignment to $@ is useless, since its value is never read.", v, v.getName()

ruby/ql/src/queries/variables/UnusedParameter.ql

@@ -23,5 +23,5 @@ class RelevantParameterVariable extends LocalVariable {
 }
 
 from RelevantParameterVariable v
-where not exists(Ssa::WriteDefinition def | def.getWriteAccess() = v.getDefiningAccess())
+where not exists(Ssa::WriteDefinition def | def.getWriteAccess().getNode() = v.getDefiningAccess())
 select v, "The parameter '" + v.getName() + "' is never used."

ruby/ql/test/library-tests/dataflow/local/DataflowStep.expected

@@ -2425,7 +2425,7 @@
 | local_dataflow.rb:9:9:9:15 | call to [] | local_dataflow.rb:9:1:9:15 | ... = ... |
 | local_dataflow.rb:9:9:9:15 | call to [] | local_dataflow.rb:9:1:9:15 | ... = ... |
 | local_dataflow.rb:10:5:13:3 | ... = ... | local_dataflow.rb:12:5:12:5 | x |
-| local_dataflow.rb:10:5:13:3 | <captured> self | local_dataflow.rb:11:1:11:2 | self |
+| local_dataflow.rb:10:5:13:3 | <captured entry> self | local_dataflow.rb:11:1:11:2 | self |
 | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:5:13:3 | ... = ... |
 | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:5:13:3 | ... = ... |
 | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:5:13:3 | __synth__0__1 |
@@ -2464,7 +2464,7 @@
 | local_dataflow.rb:45:10:45:10 | 6 | local_dataflow.rb:45:3:45:10 | return |
 | local_dataflow.rb:49:1:53:3 | [post] self | local_dataflow.rb:55:1:55:14 | self |
 | local_dataflow.rb:49:1:53:3 | self | local_dataflow.rb:55:1:55:14 | self |
-| local_dataflow.rb:49:3:53:3 | <captured> x | local_dataflow.rb:50:18:50:18 | x |
+| local_dataflow.rb:49:3:53:3 | <captured entry> x | local_dataflow.rb:50:18:50:18 | x |
 | local_dataflow.rb:50:8:50:13 | "next" | local_dataflow.rb:50:3:50:13 | next |
 | local_dataflow.rb:50:18:50:18 | [post] x | local_dataflow.rb:51:20:51:20 | x |
 | local_dataflow.rb:50:18:50:18 | x | local_dataflow.rb:51:20:51:20 | x |
@@ -2631,7 +2631,7 @@
 | local_dataflow.rb:118:3:118:11 | [post] self | local_dataflow.rb:119:3:119:31 | self |
 | local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap |
 | local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:119:3:119:31 | self |
-| local_dataflow.rb:118:17:118:31 | <captured> self | local_dataflow.rb:118:23:118:29 | self |
+| local_dataflow.rb:118:17:118:31 | <captured entry> self | local_dataflow.rb:118:23:118:29 | self |
 | local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:20:118:20 | x |
 | local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:28:118:28 | x |
 | local_dataflow.rb:119:3:119:31 | [post] self | local_dataflow.rb:119:8:119:16 | self |
@@ -2645,7 +2645,7 @@
 | local_dataflow.rb:123:8:123:16 | call to source | local_dataflow.rb:123:8:123:20 | call to dup |
 | local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap |
 | local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup |
-| local_dataflow.rb:123:26:123:45 | <captured> self | local_dataflow.rb:123:32:123:43 | self |
+| local_dataflow.rb:123:26:123:45 | <captured entry> self | local_dataflow.rb:123:32:123:43 | self |
 | local_dataflow.rb:126:1:128:3 | self (use) | local_dataflow.rb:127:3:127:8 | self |
 | local_dataflow.rb:126:1:128:3 | self in use | local_dataflow.rb:126:1:128:3 | self (use) |
 | local_dataflow.rb:130:1:150:3 | self (use_use_madness) | local_dataflow.rb:132:6:132:11 | self |

ruby/ql/test/library-tests/dataflow/local/TaintStep.expected

@@ -2858,7 +2858,7 @@
 | local_dataflow.rb:9:9:9:15 | call to [] | local_dataflow.rb:9:1:9:15 | ... = ... |
 | local_dataflow.rb:9:9:9:15 | call to [] | local_dataflow.rb:9:1:9:15 | ... = ... |
 | local_dataflow.rb:10:5:13:3 | ... = ... | local_dataflow.rb:12:5:12:5 | x |
-| local_dataflow.rb:10:5:13:3 | <captured> self | local_dataflow.rb:11:1:11:2 | self |
+| local_dataflow.rb:10:5:13:3 | <captured entry> self | local_dataflow.rb:11:1:11:2 | self |
 | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:5:13:3 | ... = ... |
 | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:5:13:3 | ... = ... |
 | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:5:13:3 | __synth__0__1 |
@@ -2903,7 +2903,7 @@
 | local_dataflow.rb:45:10:45:10 | 6 | local_dataflow.rb:45:3:45:10 | return |
 | local_dataflow.rb:49:1:53:3 | [post] self | local_dataflow.rb:55:1:55:14 | self |
 | local_dataflow.rb:49:1:53:3 | self | local_dataflow.rb:55:1:55:14 | self |
-| local_dataflow.rb:49:3:53:3 | <captured> x | local_dataflow.rb:50:18:50:18 | x |
+| local_dataflow.rb:49:3:53:3 | <captured entry> x | local_dataflow.rb:50:18:50:18 | x |
 | local_dataflow.rb:50:8:50:13 | "next" | local_dataflow.rb:50:3:50:13 | next |
 | local_dataflow.rb:50:18:50:18 | [post] x | local_dataflow.rb:51:20:51:20 | x |
 | local_dataflow.rb:50:18:50:18 | x | local_dataflow.rb:50:18:50:22 | ... < ... |
@@ -3086,7 +3086,7 @@
 | local_dataflow.rb:118:3:118:11 | [post] self | local_dataflow.rb:119:3:119:31 | self |
 | local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap |
 | local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:119:3:119:31 | self |
-| local_dataflow.rb:118:17:118:31 | <captured> self | local_dataflow.rb:118:23:118:29 | self |
+| local_dataflow.rb:118:17:118:31 | <captured entry> self | local_dataflow.rb:118:23:118:29 | self |
 | local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:20:118:20 | x |
 | local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:28:118:28 | x |
 | local_dataflow.rb:119:3:119:31 | [post] self | local_dataflow.rb:119:8:119:16 | self |
@@ -3100,7 +3100,7 @@
 | local_dataflow.rb:123:8:123:16 | call to source | local_dataflow.rb:123:8:123:20 | call to dup |
 | local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap |
 | local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup |
-| local_dataflow.rb:123:26:123:45 | <captured> self | local_dataflow.rb:123:32:123:43 | self |
+| local_dataflow.rb:123:26:123:45 | <captured entry> self | local_dataflow.rb:123:32:123:43 | self |
 | local_dataflow.rb:126:1:128:3 | self (use) | local_dataflow.rb:127:3:127:8 | self |
 | local_dataflow.rb:126:1:128:3 | self in use | local_dataflow.rb:126:1:128:3 | self (use) |
 | local_dataflow.rb:130:1:150:3 | self (use_use_madness) | local_dataflow.rb:132:6:132:11 | self |