Add PostUpdateNodes for derferenced expressions on an access path to a field- or element-write

smowton · smowton · commit 650bc1d38f63 · 2020-09-11T10:46:58.000+01:00
diff --git a/ql/src/semmle/go/dataflow/internal/DataFlowUtil.qll b/ql/src/semmle/go/dataflow/internal/DataFlowUtil.qll
@@ -420,11 +420,14 @@ private Node getADirectlyWrittenNode() {
   exists(Write w | w.writesField(result, _, _) or w.writesElement(result, _, _))
 }
 
-private Node getAWrittenNode() {
-  result = getADirectlyWrittenNode() or
-  result = getADirectlyWrittenNode().(ComponentReadNode).getBase+()
+private DataFlow::Node getAccessPathPredecessor(DataFlow::Node node) {
+  result = node.(PointerDereferenceNode).getOperand()
+  or
+  result = node.(ComponentReadNode).getBase()
 }
 
+private Node getAWrittenNode() { result = getAccessPathPredecessor*(getADirectlyWrittenNode()) }
+
 /**
  * A node associated with an object after an operation that might have
  * changed its state.
@@ -448,11 +451,7 @@ class PostUpdateNode extends Node {
       or
       preupd = any(PointerDereferenceNode deref).getOperand()
       or
-      exists(Node written | written = getAWrittenNode() |
-        preupd = written
-        or
-        preupd = written.(PointerDereferenceNode).getOperand()
-      )
+      preupd = getAWrittenNode()
       or
       preupd instanceof ArgumentNode and
       mutableType(preupd.getType())
diff --git a/ql/test/library-tests/semmle/go/dataflow/PostUpdateNodes/test.expected b/ql/test/library-tests/semmle/go/dataflow/PostUpdateNodes/test.expected
@@ -0,0 +1,15 @@
+| test.go:19:2:19:2 | definition of a |
+| test.go:20:11:20:14 | &... |
+| test.go:20:12:20:14 | selection of b |
+| test.go:21:2:21:5 | selection of bs |
+| test.go:21:2:21:8 | index expression |
+| test.go:21:17:21:20 | &... |
+| test.go:21:18:21:20 | struct literal |
+| test.go:22:2:22:5 | selection of bs |
+| test.go:22:2:22:8 | index expression |
+| test.go:22:2:22:13 | implicit dereference |
+| test.go:22:2:22:13 | selection of cptr |
+| test.go:23:2:23:7 | implicit dereference |
+| test.go:23:2:23:7 | selection of bptr |
+| test.go:23:2:23:12 | implicit dereference |
+| test.go:23:2:23:12 | selection of cptr |
diff --git a/ql/test/library-tests/semmle/go/dataflow/PostUpdateNodes/test.go b/ql/test/library-tests/semmle/go/dataflow/PostUpdateNodes/test.go
@@ -0,0 +1,25 @@
+package a
+
+type C struct {
+	field int
+}
+
+type B struct {
+	cptr *C
+}
+
+type A struct {
+	b    B
+	bptr *B
+	bs   [5]B
+}
+
+func f() {
+
+	a := A{}
+	a.bptr = &a.b
+	a.bs[3].cptr = &C{}
+	a.bs[3].cptr.field = 100
+	a.bptr.cptr.field = 101
+
+}
diff --git a/ql/test/library-tests/semmle/go/dataflow/PostUpdateNodes/test.ql b/ql/test/library-tests/semmle/go/dataflow/PostUpdateNodes/test.ql
@@ -0,0 +1,4 @@
+import go
+
+from DataFlow::PostUpdateNode pun
+select pun
