Swift: flow into callees via params

Author: rdmarsh2

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll

@@ -94,6 +94,13 @@ class ParameterPosition extends TParameterPosition {
   string toString() { none() }
 }
 
+class PositionalParameterPosition extends ParameterPosition, TPositionalParameter {
+  int getIndex() {
+    this = TPositionalParameter(result)
+  }
+}
+
+
 /** An argument position. */
 class ArgumentPosition extends TArgumentPosition {
   /** Gets a textual representation of this position. */
@@ -108,4 +115,9 @@ class PositionalArgumentPosition extends ArgumentPosition, TPositionalArgument {
 
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { none() }
+predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
+  ppos instanceof TThisParameter and
+  apos instanceof TThisArgument
+  or
+  ppos.(PositionalParameterPosition).getIndex() = apos.(PositionalArgumentPosition).getIndex()
+}

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -3,6 +3,7 @@ private import DataFlowPublic
 private import DataFlowDispatch
 private import codeql.swift.controlflow.CfgNodes
 private import codeql.swift.dataflow.Ssa
+private import codeql.swift.controlflow.BasicBlocks
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallable() }
@@ -51,7 +52,6 @@ private module Cached {
   cached
   newtype TNode =
     TExprNode(ExprCfgNode e) or
-    TNormalParameterNode(ParamDecl p) or
     TSsaDefinitionNode(Ssa::Definition def)
 
   private predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) {
@@ -99,10 +99,15 @@ private module ParameterNodes {
     predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { none() }
   }
 
-  class NormalParameterNode extends ParameterNodeImpl, TNormalParameterNode {
+  class NormalParameterNode extends ParameterNodeImpl, SsaDefinitionNode {
     ParamDecl param;
 
-    NormalParameterNode() { this = TNormalParameterNode(param) }
+    NormalParameterNode() {
+      exists(BasicBlock bb, int i |
+        super.asDefinition().definesAt(param, bb, i) and
+        bb.getNode(i).getNode().asAstNode() = param
+      )
+    }
 
     override Location getLocationImpl() { result = param.getLocation() }
 
@@ -115,6 +120,8 @@ private module ParameterNodes {
         pos = TPositionalParameter(index)
       )
     }
+
+    override DataFlowCallable getEnclosingCallable() { isParameterOf(result, _) }
   }
 }
 

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll

@@ -69,7 +69,7 @@ class ExprNode extends Node, TExprNode {
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph.
  */
-class ParameterNode extends Node, TNormalParameterNode instanceof ParameterNodeImpl { }
+class ParameterNode extends Node, SsaDefinitionNode instanceof ParameterNodeImpl { }
 
 /**
  */

swift/ql/lib/codeql/swift/dataflow/internal/SsaImplSpecific.qll

@@ -27,6 +27,10 @@ predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain)
     v.getParentPattern() = pattern and
     certain = true
   )
+  or
+  v instanceof ParamDecl and
+  bb.getNode(i).getNode().asAstNode() = v and
+  certain = true
 }
 
 private predicate isLValue(DeclRefExpr ref) { any(AssignExpr assign).getDest() = ref }

swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected

@@ -2,13 +2,24 @@ edges
 | test.swift:6:19:6:26 | CallExpr :  | test.swift:7:15:7:15 | DeclRefExpr |
 | test.swift:6:19:6:26 | CallExpr :  | test.swift:9:15:9:15 | DeclRefExpr |
 | test.swift:6:19:6:26 | CallExpr :  | test.swift:10:15:10:15 | DeclRefExpr |
+| test.swift:25:20:25:27 | CallExpr :  | test.swift:28:18:28:21 | ParamDecl :  |
+| test.swift:25:20:25:27 | CallExpr :  | test.swift:28:18:28:21 | WriteDef :  |
+| test.swift:28:18:28:21 | ParamDecl :  | test.swift:29:15:29:15 | DeclRefExpr |
+| test.swift:28:18:28:21 | WriteDef :  | test.swift:29:15:29:15 | DeclRefExpr |
 nodes
 | test.swift:6:19:6:26 | CallExpr :  | semmle.label | CallExpr :  |
 | test.swift:7:15:7:15 | DeclRefExpr | semmle.label | DeclRefExpr |
 | test.swift:9:15:9:15 | DeclRefExpr | semmle.label | DeclRefExpr |
 | test.swift:10:15:10:15 | DeclRefExpr | semmle.label | DeclRefExpr |
+| test.swift:25:20:25:27 | CallExpr :  | semmle.label | CallExpr :  |
+| test.swift:28:18:28:21 | ParamDecl :  | semmle.label | ParamDecl :  |
+| test.swift:28:18:28:21 | ParamDecl :  | semmle.label | WriteDef :  |
+| test.swift:28:18:28:21 | WriteDef :  | semmle.label | ParamDecl :  |
+| test.swift:28:18:28:21 | WriteDef :  | semmle.label | WriteDef :  |
+| test.swift:29:15:29:15 | DeclRefExpr | semmle.label | DeclRefExpr |
 subpaths
 #select
 | test.swift:6:19:6:26 | CallExpr :  | test.swift:7:15:7:15 | DeclRefExpr |
 | test.swift:6:19:6:26 | CallExpr :  | test.swift:9:15:9:15 | DeclRefExpr |
 | test.swift:6:19:6:26 | CallExpr :  | test.swift:10:15:10:15 | DeclRefExpr |
+| test.swift:25:20:25:27 | CallExpr :  | test.swift:29:15:29:15 | DeclRefExpr |

swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected

@@ -13,3 +13,5 @@
 | test.swift:17:10:17:10 | IntegerLiteralExpr | test.swift:17:5:17:10 | WriteDef |
 | test.swift:19:14:19:14 | DeclRefExpr | test.swift:19:9:19:14 | WriteDef |
 | test.swift:19:14:19:14 | DeclRefExpr | test.swift:19:14:19:14 | DeclRefExpr |
+| test.swift:28:18:28:21 | ParamDecl | test.swift:29:15:29:15 | DeclRefExpr |
+| test.swift:28:18:28:21 | WriteDef | test.swift:29:15:29:15 | DeclRefExpr |