Swift: add flow through inout parameters

Author: rdmarsh2

swift/ql/lib/codeql/swift/dataflow/Ssa.qll

@@ -71,6 +71,18 @@ module Ssa {
         value.getNode().asAstNode() = var.getParentInitializer()
       )
     }
+
+    cached predicate isInoutDef(ExprCfgNode argument) {
+      exists(
+        CallExpr c, BasicBlock bb, int blockIndex, int argIndex, VarDecl v, InOutExpr argExpr // TODO: use CFG node for assignment expr
+      |
+        this.definesAt(v, bb, blockIndex) and
+        bb.getNode(blockIndex).getNode().asAstNode() = c and
+        c.getArgument(argIndex).getExpr() = argExpr and
+        argExpr = argument.getNode().asAstNode() and
+        argExpr.getSubExpr() = v.getAnAccess() // TODO: fields?
+      )
+    }
   }
 
   cached

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll

@@ -2,7 +2,9 @@ private import swift
 private import DataFlowPrivate
 private import DataFlowPublic
 
-newtype TReturnKind = TNormalReturnKind()
+newtype TReturnKind =
+  TNormalReturnKind() or
+  TParamReturnKind(int i) { exists(ParamDecl param | param.getIndex() = i) }
 
 /**
  * Gets a node that can read the value returned from `call` with return kind
@@ -27,16 +29,36 @@ class NormalReturnKind extends ReturnKind, TNormalReturnKind {
   override string toString() { result = "return" }
 }
 
+/**
+ * A value returned from a callable using an `inout` parameter.
+ */
+class ParamReturnKind extends ReturnKind, TParamReturnKind {
+  int index;
+
+  ParamReturnKind() { this = TParamReturnKind(index) }
+
+  int getIndex() {
+    result = index
+  }
+
+  override string toString() { result = "param(" + index + ")" }
+}
+
 /**
  * A callable. This includes callables from source code, as well as callables
  * defined in library code.
  */
 class DataFlowCallable extends TDataFlowCallable {
+  AbstractFunctionDecl func;
+
+  DataFlowCallable() {
+    this = TDataFlowFunc(func)
+  }
   /** Gets a textual representation of this callable. */
-  string toString() { none() }
+  string toString() { result = func.toString() }
 
   /** Gets the location of this callable. */
-  Location getLocation() { none() }
+  Location getLocation() { result = func.getLocation() }
 }
 
 /**
@@ -47,7 +69,7 @@ class DataFlowCall extends ExprNode {
   DataFlowCall() { this.asExpr() instanceof CallExpr }
 
   /** Gets the enclosing callable. */
-  DataFlowCallable getEnclosingCallable() { none() }
+  DataFlowCallable getEnclosingCallable() { result = TDataFlowFunc(this.getCfgNode().getScope()) }
 }
 
 cached

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -1,6 +1,7 @@
 private import swift
 private import DataFlowPublic
 private import DataFlowDispatch
+private import codeql.swift.controlflow.ControlFlowGraph
 private import codeql.swift.controlflow.CfgNodes
 private import codeql.swift.dataflow.Ssa
 private import codeql.swift.controlflow.BasicBlocks
@@ -20,7 +21,7 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos)
 }
 
 abstract class NodeImpl extends Node {
-  DataFlowCallable getEnclosingCallable() { none() }
+  abstract DataFlowCallable getEnclosingCallable();
 
   /** Do not call: use `getLocation()` instead. */
   abstract Location getLocationImpl();
@@ -60,7 +61,20 @@ private module Cached {
   cached
   newtype TNode =
     TExprNode(ExprCfgNode e) or
-    TSsaDefinitionNode(Ssa::Definition def)
+    TSsaDefinitionNode(Ssa::Definition def) or
+    TInoutReturnNode(ParamDecl param, ControlFlowNode exit) {
+      param.isInout() and
+      exit.getScope() = param.getDeclaringFunction() and
+      exit.getNode().asAstNode() instanceof ReturnStmt
+    } or
+    TInOutUpdateNode(ParamDecl param, CallExpr call) {
+      param.isInout() and
+      call.getStaticTarget() = param.getDeclaringFunction()
+    }
+
+  private predicate localSsaFlowStepUseUse(Ssa::Definition def, Node nodeFrom, Node nodeTo) {
+    def.adjacentReadPair(nodeFrom.getCfgNode(), nodeTo.getCfgNode())
+  }
 
   private predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) {
     exists(Ssa::Definition def |
@@ -73,11 +87,26 @@ private module Cached {
       nodeTo.getCfgNode() = def.getAFirstRead()
       or
       // use-use flow
-      def.adjacentReadPair(nodeFrom.getCfgNode(), nodeTo.getCfgNode())
+      localSsaFlowStepUseUse(def, nodeFrom, nodeTo)
       or
+      //localSsaFlowStepUseUse(def, nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
+      //or
       // step from previous read to Phi node
       localFlowSsaInput(nodeFrom, def, nodeTo.asDefinition())
     )
+    or
+    exists(ParamReturnKind kind, ExprCfgNode arg |
+      arg =
+        nodeFrom
+            .(InOutUpdateNode)
+            .getCall(kind)
+            .getCfgNode()
+            .(CallExprCfgNode)
+            .getArgument(kind.getIndex()) and
+      nodeTo.asDefinition().(Ssa::WriteDefinition).isInoutDef(arg)
+    )
+    or
+    nodeFrom.asExpr() = nodeTo.asExpr().(InOutExpr).getSubExpr()
   }
 
   /**
@@ -172,6 +201,27 @@ private module ReturnNodes {
 
     override ReturnKind getKind() { result instanceof NormalReturnKind }
   }
+
+  class InoutReturnNodeImpl extends ReturnNode, TInoutReturnNode, NodeImpl {
+    ParamDecl param;
+    ControlFlowNode exit;
+
+    InoutReturnNodeImpl() { this = TInoutReturnNode(param, exit) }
+
+    override ReturnKind getKind() { result.(ParamReturnKind).getIndex() = param.getIndex() }
+
+    override ControlFlowNode getCfgNode() { result = exit }
+
+    override DataFlowCallable getEnclosingCallable() {
+      result = TDataFlowFunc(param.getDeclaringFunction())
+    }
+
+    ParamDecl getParameter() { result = param }
+
+    override Location getLocationImpl() { result = exit.getLocation() }
+
+    override string toStringImpl() { result = param.toString() + "[return]" }
+  }
 }
 
 import ReturnNodes
@@ -188,6 +238,26 @@ private module OutNodes {
       result = this and kind instanceof NormalReturnKind
     }
   }
+
+  class InOutUpdateNode extends OutNode, TInOutUpdateNode, NodeImpl {
+    ParamDecl param;
+    CallExpr call;
+
+    InOutUpdateNode() { this = TInOutUpdateNode(param, call) }
+
+    override DataFlowCall getCall(ReturnKind kind) {
+      result.asExpr() = call and
+      kind.(ParamReturnKind).getIndex() = param.getIndex()
+    }
+
+    override DataFlowCallable getEnclosingCallable() {
+      result = TDataFlowFunc(getCall(_).getCfgNode().getScope())
+    }
+
+    override Location getLocationImpl() { result = call.getLocation() }
+
+    override string toStringImpl() { result = param.toString() }
+  }
 }
 
 import OutNodes

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll

@@ -81,6 +81,12 @@ class SsaDefinitionNode extends Node, TSsaDefinitionNode {
   override Ssa::Definition asDefinition() { result = def }
 }
 
+class InoutReturnNode extends Node instanceof InoutReturnNodeImpl {
+
+  ParamDecl getParameter() { result = super.getParameter() }
+
+}
+
 /**
  * A node associated with an object after an operation that might have
  * changed its state.

swift/ql/lib/codeql/swift/dataflow/internal/SsaImplSpecific.qll

@@ -28,6 +28,14 @@ predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain)
     certain = true
   )
   or
+  exists(CallExpr call, Argument arg |
+    arg.getExpr().(InOutExpr).getSubExpr() = v.getAnAccess() and
+    call.getAnArgument() = arg and
+    call.getStaticTarget().getParam(arg.getIndex()).isInout() and
+    bb.getNode(i).getNode().asAstNode() = call and
+    certain = false
+  )
+  or
   v instanceof ParamDecl and
   bb.getNode(i).getNode().asAstNode() = v and
   certain = true
@@ -42,4 +50,12 @@ predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain)
     v = ref.getDecl() and
     certain = true
   )
+  or
+  exists(ReturnStmt return, AbstractFunctionDecl func |
+    bb.getNode(i).getNode().asAstNode() = return and
+    v.(ParamDecl).isInout() and
+    func.getAParam() = v and
+    bb.getScope() = func and
+    certain = true
+  )
 }

swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected

@@ -12,6 +12,20 @@ edges
 | test.swift:29:26:29:29 | y :  | test.swift:31:15:31:15 | y |
 | test.swift:35:12:35:19 | call to source :  | test.swift:39:15:39:29 | call to callee_source |
 | test.swift:43:19:43:26 | call to source :  | test.swift:50:15:50:15 | t |
+| test.swift:54:11:54:18 | call to source :  | test.swift:55:5:55:5 | arg[return] :  |
+| test.swift:55:5:55:5 | arg[return] :  | test.swift:61:5:61:24 | arg :  |
+| test.swift:61:5:61:24 | arg :  | test.swift:62:15:62:15 | x |
+| test.swift:65:16:65:28 | WriteDef :  | test.swift:69:5:69:5 | arg1[return] :  |
+| test.swift:65:16:65:28 | WriteDef :  | test.swift:69:5:69:5 | arg2[return] :  |
+| test.swift:65:16:65:28 | arg1 :  | test.swift:69:5:69:5 | arg1[return] :  |
+| test.swift:65:16:65:28 | arg1 :  | test.swift:69:5:69:5 | arg2[return] :  |
+| test.swift:73:18:73:25 | call to source :  | test.swift:75:21:75:22 | &... :  |
+| test.swift:75:5:75:33 | arg1 :  | test.swift:76:15:76:15 | x |
+| test.swift:75:5:75:33 | arg2 :  | test.swift:77:15:77:15 | y |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | WriteDef :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:75:5:75:33 | arg1 :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:75:5:75:33 | arg2 :  |
 nodes
 | test.swift:6:19:6:26 | call to source :  | semmle.label | call to source :  |
 | test.swift:7:15:7:15 | t1 | semmle.label | t1 |
@@ -33,7 +47,27 @@ nodes
 | test.swift:39:15:39:29 | call to callee_source | semmle.label | call to callee_source |
 | test.swift:43:19:43:26 | call to source :  | semmle.label | call to source :  |
 | test.swift:50:15:50:15 | t | semmle.label | t |
+| test.swift:54:11:54:18 | call to source :  | semmle.label | call to source :  |
+| test.swift:55:5:55:5 | arg[return] :  | semmle.label | arg[return] :  |
+| test.swift:61:5:61:24 | arg :  | semmle.label | arg :  |
+| test.swift:62:15:62:15 | x | semmle.label | x |
+| test.swift:65:16:65:28 | WriteDef :  | semmle.label | WriteDef :  |
+| test.swift:65:16:65:28 | WriteDef :  | semmle.label | arg1 :  |
+| test.swift:65:16:65:28 | arg1 :  | semmle.label | WriteDef :  |
+| test.swift:65:16:65:28 | arg1 :  | semmle.label | arg1 :  |
+| test.swift:69:5:69:5 | arg1[return] :  | semmle.label | arg1[return] :  |
+| test.swift:69:5:69:5 | arg2[return] :  | semmle.label | arg2[return] :  |
+| test.swift:73:18:73:25 | call to source :  | semmle.label | call to source :  |
+| test.swift:75:5:75:33 | arg1 :  | semmle.label | arg1 :  |
+| test.swift:75:5:75:33 | arg2 :  | semmle.label | arg2 :  |
+| test.swift:75:21:75:22 | &... :  | semmle.label | &... :  |
+| test.swift:76:15:76:15 | x | semmle.label | x |
+| test.swift:77:15:77:15 | y | semmle.label | y |
 subpaths
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | WriteDef :  | test.swift:69:5:69:5 | arg1[return] :  | test.swift:75:5:75:33 | arg1 :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | WriteDef :  | test.swift:69:5:69:5 | arg2[return] :  | test.swift:75:5:75:33 | arg2 :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  | test.swift:69:5:69:5 | arg1[return] :  | test.swift:75:5:75:33 | arg1 :  |
+| test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  | test.swift:69:5:69:5 | arg2[return] :  | test.swift:75:5:75:33 | arg2 :  |
 #select
 | test.swift:6:19:6:26 | call to source :  | test.swift:7:15:7:15 | t1 |
 | test.swift:6:19:6:26 | call to source :  | test.swift:9:15:9:15 | t1 |
@@ -42,3 +76,6 @@ subpaths
 | test.swift:26:26:26:33 | call to source :  | test.swift:31:15:31:15 | y |
 | test.swift:35:12:35:19 | call to source :  | test.swift:39:15:39:29 | call to callee_source |
 | test.swift:43:19:43:26 | call to source :  | test.swift:50:15:50:15 | t |
+| test.swift:54:11:54:18 | call to source :  | test.swift:62:15:62:15 | x |
+| test.swift:73:18:73:25 | call to source :  | test.swift:76:15:76:15 | x |
+| test.swift:73:18:73:25 | call to source :  | test.swift:77:15:77:15 | y |

swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected

@@ -23,7 +23,33 @@
 | test.swift:48:9:48:13 | WriteDef | test.swift:50:5:50:5 | Phi |
 | test.swift:48:13:48:13 | 1 | test.swift:48:9:48:13 | WriteDef |
 | test.swift:50:5:50:5 | Phi | test.swift:50:15:50:15 | t |
-| test.swift:58:9:58:12 | WriteDef | test.swift:59:15:59:15 | x |
-| test.swift:58:18:58:18 | 0 | test.swift:58:9:58:12 | WriteDef |
-| test.swift:59:15:59:15 | x | test.swift:60:23:60:23 | x |
-| test.swift:60:23:60:23 | x | test.swift:61:15:61:15 | x |
+| test.swift:54:5:54:18 | WriteDef | test.swift:55:5:55:5 | arg[return] |
+| test.swift:54:11:54:18 | call to source | test.swift:54:5:54:18 | WriteDef |
+| test.swift:59:9:59:12 | WriteDef | test.swift:60:15:60:15 | x |
+| test.swift:59:18:59:18 | 0 | test.swift:59:9:59:12 | WriteDef |
+| test.swift:60:15:60:15 | x | test.swift:61:23:61:23 | x |
+| test.swift:61:5:61:24 | WriteDef | test.swift:62:15:62:15 | x |
+| test.swift:61:5:61:24 | arg | test.swift:61:5:61:24 | WriteDef |
+| test.swift:61:23:61:23 | x | test.swift:61:22:61:23 | &... |
+| test.swift:65:16:65:28 | WriteDef | test.swift:66:21:66:21 | arg1 |
+| test.swift:65:16:65:28 | arg1 | test.swift:66:21:66:21 | arg1 |
+| test.swift:65:33:65:45 | WriteDef | test.swift:67:12:67:12 | arg2 |
+| test.swift:65:33:65:45 | arg2 | test.swift:67:12:67:12 | arg2 |
+| test.swift:66:9:66:15 | WriteDef | test.swift:68:12:68:12 | temp |
+| test.swift:66:21:66:21 | arg1 | test.swift:66:9:66:15 | WriteDef |
+| test.swift:67:5:67:12 | WriteDef | test.swift:69:5:69:5 | arg1[return] |
+| test.swift:67:5:67:12 | WriteDef | test.swift:69:5:69:5 | arg2[return] |
+| test.swift:67:12:67:12 | arg2 | test.swift:67:5:67:12 | WriteDef |
+| test.swift:68:5:68:12 | WriteDef | test.swift:69:5:69:5 | arg1[return] |
+| test.swift:68:5:68:12 | WriteDef | test.swift:69:5:69:5 | arg2[return] |
+| test.swift:68:12:68:12 | temp | test.swift:68:5:68:12 | WriteDef |
+| test.swift:73:9:73:12 | WriteDef | test.swift:75:22:75:22 | x |
+| test.swift:73:18:73:25 | call to source | test.swift:73:9:73:12 | WriteDef |
+| test.swift:74:9:74:12 | WriteDef | test.swift:75:32:75:32 | y |
+| test.swift:74:18:74:18 | 0 | test.swift:74:9:74:12 | WriteDef |
+| test.swift:75:5:75:33 | WriteDef | test.swift:76:15:76:15 | x |
+| test.swift:75:5:75:33 | WriteDef | test.swift:77:15:77:15 | y |
+| test.swift:75:5:75:33 | arg1 | test.swift:75:5:75:33 | WriteDef |
+| test.swift:75:5:75:33 | arg2 | test.swift:75:5:75:33 | WriteDef |
+| test.swift:75:22:75:22 | x | test.swift:75:21:75:22 | &... |
+| test.swift:75:32:75:32 | y | test.swift:75:31:75:32 | &... |

swift/ql/test/library-tests/dataflow/dataflow/test.swift

@@ -52,11 +52,27 @@ func branching(b: Bool) -> Void {
 
 func inoutSource(arg: inout Int) -> Void {
     arg = source()
+    return
 }
 
 func inoutUser() {
     var x: Int = 0
     sink(arg: x)
     inoutSource(arg: &x)
     sink(arg: x)
+}
+
+func inoutSwap(arg1: inout Int, arg2: inout Int) -> Void {
+    var temp: Int = arg1
+    arg1 = arg2
+    arg2 = temp
+    return
+}
+
+func swapUser() {
+    var x: Int = source()
+    var y: Int = 0
+    inoutSwap(arg1: &x, arg2: &y)
+    sink(arg: x)
+    sink(arg: y)
 }