C#: Add support for flow through side-effects on static fields

hvitved · hvitved · commit 1bcac50db124 · 2024-08-12T10:01:51.000+02:00
diff --git a/csharp/ql/lib/change-notes/2024-05-23-static-field-side-effect.md b/csharp/ql/lib/change-notes/2024-05-23-static-field-side-effect.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -2095,9 +2095,11 @@ predicate jumpStep(Node pred, Node succ) {
     f.getAnAssignedValue() = pred.asExpr() and
     succ = TFlowInsensitiveFieldNode(f)
     or
-    exists(FieldOrPropertyRead fr |
+    exists(FieldOrPropertyRead fr | f.getAnAccess() = fr |
+      fr = pred.(PostUpdateNode).getPreUpdateNode().asExpr() and
+      succ = TFlowInsensitiveFieldNode(f)
+      or
       pred = TFlowInsensitiveFieldNode(f) and
-      f.getAnAccess() = fr and
       fr = succ.asExpr() and
       fr.hasNonlocalValue()
     )
diff --git a/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected b/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected
@@ -1152,6 +1152,16 @@ edges
 | J.cs:125:14:125:14 | access to local variable a : Int32[] [element] : Int32 | J.cs:125:14:125:17 | access to array element : Int32 | provenance |  |
 | J.cs:125:14:125:17 | access to array element : Int32 | J.cs:125:14:125:17 | (...) ... | provenance |  |
 | J.cs:125:14:125:17 | access to array element : Int32 | J.cs:125:14:125:17 | (...) ... | provenance |  |
+| K.cs:7:13:7:13 | access to local variable o : String | K.cs:8:22:8:22 | access to local variable o : String | provenance |  |
+| K.cs:7:13:7:13 | access to local variable o : String | K.cs:8:22:8:22 | access to local variable o : String | provenance |  |
+| K.cs:7:17:7:33 | call to method Source<String> : String | K.cs:7:13:7:13 | access to local variable o : String | provenance |  |
+| K.cs:7:17:7:33 | call to method Source<String> : String | K.cs:7:13:7:13 | access to local variable o : String | provenance |  |
+| K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | provenance |  |
+| K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | provenance |  |
+| K.cs:8:22:8:22 | access to local variable o : String | K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | provenance |  |
+| K.cs:8:22:8:22 | access to local variable o : String | K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | provenance |  |
+| K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | K.cs:13:14:13:23 | access to array element | provenance |  |
+| K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | K.cs:13:14:13:23 | access to array element | provenance |  |
 nodes
 | A.cs:5:13:5:13 | access to local variable c : C | semmle.label | access to local variable c : C |
 | A.cs:5:13:5:13 | access to local variable c : C | semmle.label | access to local variable c : C |
@@ -2393,6 +2403,18 @@ nodes
 | J.cs:125:14:125:17 | (...) ... | semmle.label | (...) ... |
 | J.cs:125:14:125:17 | access to array element : Int32 | semmle.label | access to array element : Int32 |
 | J.cs:125:14:125:17 | access to array element : Int32 | semmle.label | access to array element : Int32 |
+| K.cs:7:13:7:13 | access to local variable o : String | semmle.label | access to local variable o : String |
+| K.cs:7:13:7:13 | access to local variable o : String | semmle.label | access to local variable o : String |
+| K.cs:7:17:7:33 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
+| K.cs:7:17:7:33 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
+| K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | semmle.label | [post] access to field Strings : String[] [element] : String |
+| K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | semmle.label | [post] access to field Strings : String[] [element] : String |
+| K.cs:8:22:8:22 | access to local variable o : String | semmle.label | access to local variable o : String |
+| K.cs:8:22:8:22 | access to local variable o : String | semmle.label | access to local variable o : String |
+| K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | semmle.label | access to field Strings : String[] [element] : String |
+| K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | semmle.label | access to field Strings : String[] [element] : String |
+| K.cs:13:14:13:23 | access to array element | semmle.label | access to array element |
+| K.cs:13:14:13:23 | access to array element | semmle.label | access to array element |
 subpaths
 | A.cs:6:24:6:24 | access to local variable c : C | A.cs:147:32:147:32 | c : C | A.cs:149:20:149:27 | object creation of type B : B [field c] : C | A.cs:6:17:6:25 | call to method Make : B [field c] : C |
 | A.cs:6:24:6:24 | access to local variable c : C | A.cs:147:32:147:32 | c : C | A.cs:149:20:149:27 | object creation of type B : B [field c] : C | A.cs:6:17:6:25 | call to method Make : B [field c] : C |
@@ -2647,3 +2669,5 @@ subpaths
 | J.cs:107:14:107:17 | access to property Y | J.cs:105:32:105:48 | call to method Source<Object> : Object | J.cs:107:14:107:17 | access to property Y | $@ | J.cs:105:32:105:48 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | J.cs:125:14:125:17 | (...) ... | J.cs:119:20:119:34 | call to method Source<Int32> : Int32 | J.cs:125:14:125:17 | (...) ... | $@ | J.cs:119:20:119:34 | call to method Source<Int32> : Int32 | call to method Source<Int32> : Int32 |
 | J.cs:125:14:125:17 | (...) ... | J.cs:119:20:119:34 | call to method Source<Int32> : Int32 | J.cs:125:14:125:17 | (...) ... | $@ | J.cs:119:20:119:34 | call to method Source<Int32> : Int32 | call to method Source<Int32> : Int32 |
+| K.cs:13:14:13:23 | access to array element | K.cs:7:17:7:33 | call to method Source<String> : String | K.cs:13:14:13:23 | access to array element | $@ | K.cs:7:17:7:33 | call to method Source<String> : String | call to method Source<String> : String |
+| K.cs:13:14:13:23 | access to array element | K.cs:7:17:7:33 | call to method Source<String> : String | K.cs:13:14:13:23 | access to array element | $@ | K.cs:7:17:7:33 | call to method Source<String> : String | call to method Source<String> : String |
diff --git a/csharp/ql/test/library-tests/dataflow/fields/K.cs b/csharp/ql/test/library-tests/dataflow/fields/K.cs
@@ -10,7 +10,7 @@ private void M1()
 
     private void M2()
     {
-        Sink(Strings[0]); // $ MISSING: hasValueFlow=1
+        Sink(Strings[0]); // $ hasValueFlow=1
     }
 
     public static void Sink(object o) { }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: majorAnalysis
 +---
 +* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ private void M1()`
`10`	`10`
`11`	`11`	`private void M2()`
`12`	`12`	`{`
`13`		`- Sink(Strings[0]); // $ MISSING: hasValueFlow=1`
	`13`	`+ Sink(Strings[0]); // $ hasValueFlow=1`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`public static void Sink(object o) { }`