Merge pull request #7337 from michaelnebel/csharp-synthetic-field

C#: Introduce synthetic fields and use them in Task<>.

Author: hvitved

csharp/ql/lib/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll

@@ -102,6 +102,11 @@ module AccessPath {
     result = singleton(any(FieldContent c | c.getField() = f.getUnboundDeclaration()))
   }
 
+  /** Gets a singleton synthetic field access path. */
+  AccessPath synthetic(SyntheticField f) {
+    result = singleton(any(SyntheticFieldContent c | c.getField() = f))
+  }
+
   /** Gets an access path representing a property inside a collection. */
   AccessPath properties(Property p) { result = TConsAccessPath(any(ElementContent c), property(p)) }
 }
@@ -1968,9 +1973,7 @@ class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow, SystemThreading
     source = TCallableFlowSourceQualifier() and
     sourceAp = AccessPath::empty() and
     sink = TCallableFlowSinkReturn() and
-    sinkAp =
-      AccessPath::field(any(SystemRuntimeCompilerServicesTaskAwaiterStruct s)
-            .getUnderlyingTaskField())
+    sinkAp = AccessPath::synthetic(any(SyntheticTaskAwaiterUnderlyingTaskField s))
     or
     // var awaitable = task.ConfigureAwait(false);  // <-- new ConfiguredTaskAwaitable<>(task, false)
     //                                              //       m_configuredTaskAwaiter = new ConfiguredTaskAwaiter(task, false)
@@ -1982,21 +1985,40 @@ class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow, SystemThreading
     sourceAp = AccessPath::empty() and
     sink = TCallableFlowSinkReturn() and
     sinkAp =
-      AccessPath::cons(any(FieldContent fc |
-          fc.getField() =
-            any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTStruct t)
-                .getUnderlyingAwaiterField()
-        ),
-        AccessPath::field(any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTConfiguredTaskAwaiterStruct s
-          ).getUnderlyingTaskField()))
+      AccessPath::cons(any(SyntheticFieldContent sfc |
+          sfc.getField() instanceof SyntheticConfiguredTaskAwaiterField
+        ), AccessPath::synthetic(any(SyntheticConfiguredTaskAwaitableUnderlyingTaskField s)))
   }
 
   override predicate requiresAccessPath(Content head, AccessPath tail) {
-    head.(FieldContent).getField() =
-      any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTStruct t).getUnderlyingAwaiterField() and
-    tail =
-      AccessPath::field(any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTConfiguredTaskAwaiterStruct s
-        ).getUnderlyingTaskField())
+    head.(SyntheticFieldContent).getField() instanceof SyntheticConfiguredTaskAwaiterField and
+    tail = AccessPath::synthetic(any(SyntheticConfiguredTaskAwaitableUnderlyingTaskField s))
+  }
+}
+
+abstract private class SyntheticTaskField extends SyntheticField {
+  bindingset[this]
+  SyntheticTaskField() { any() }
+
+  override Type getType() { result instanceof SystemThreadingTasksTaskTClass }
+}
+
+private class SyntheticTaskAwaiterUnderlyingTaskField extends SyntheticTaskField {
+  SyntheticTaskAwaiterUnderlyingTaskField() { this = "m_task_task_awaiter" }
+}
+
+private class SyntheticConfiguredTaskAwaitableUnderlyingTaskField extends SyntheticTaskField {
+  SyntheticConfiguredTaskAwaitableUnderlyingTaskField() {
+    this = "m_task_configured_task_awaitable"
+  }
+}
+
+private class SyntheticConfiguredTaskAwaiterField extends SyntheticField {
+  SyntheticConfiguredTaskAwaiterField() { this = "m_configuredTaskAwaiter" }
+
+  override Type getType() {
+    result instanceof
+      SystemRuntimeCompilerServicesConfiguredTaskAwaitableTConfiguredTaskAwaiterStruct
   }
 }
 
@@ -2012,9 +2034,7 @@ private class SystemRuntimeCompilerServicesConfiguredTaskAwaitableTFlow extends
     // var result = awaiter.GetResult();
     c = this.getGetAwaiterMethod() and
     source = TCallableFlowSourceQualifier() and
-    sourceAp =
-      AccessPath::field(any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTStruct s)
-            .getUnderlyingAwaiterField()) and
+    sourceAp = AccessPath::synthetic(any(SyntheticConfiguredTaskAwaiterField s)) and
     sink = TCallableFlowSinkReturn() and
     sinkAp = AccessPath::empty() and
     preservesValue = true
@@ -2113,14 +2133,15 @@ class SystemRuntimeCompilerServicesTaskAwaiterFlow extends LibraryTypeDataFlow,
     c = this.getGetResultMethod() and
     source = TCallableFlowSourceQualifier() and
     sourceAp =
-      AccessPath::cons(any(FieldContent fc | fc.getField() = this.getUnderlyingTaskField()),
-        AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())) and
+      AccessPath::cons(any(SyntheticFieldContent sfc |
+          sfc.getField() instanceof SyntheticTaskAwaiterUnderlyingTaskField
+        ), AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())) and
     sink = TCallableFlowSinkReturn() and
     sinkAp = AccessPath::empty()
   }
 
   override predicate requiresAccessPath(Content head, AccessPath tail) {
-    head.(FieldContent).getField() = this.getUnderlyingTaskField() and
+    head.(SyntheticFieldContent).getField() instanceof SyntheticTaskAwaiterUnderlyingTaskField and
     tail = AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())
   }
 }
@@ -2139,14 +2160,16 @@ class SystemRuntimeCompilerServicesConfiguredTaskAwaitableTConfiguredTaskAwaiter
     c = this.getGetResultMethod() and
     source = TCallableFlowSourceQualifier() and
     sourceAp =
-      AccessPath::cons(any(FieldContent fc | fc.getField() = this.getUnderlyingTaskField()),
-        AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())) and
+      AccessPath::cons(any(SyntheticFieldContent sfc |
+          sfc.getField() instanceof SyntheticConfiguredTaskAwaitableUnderlyingTaskField
+        ), AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())) and
     sink = TCallableFlowSinkReturn() and
     sinkAp = AccessPath::empty()
   }
 
   override predicate requiresAccessPath(Content head, AccessPath tail) {
-    head.(FieldContent).getField() = this.getUnderlyingTaskField() and
+    head.(SyntheticFieldContent).getField() instanceof
+      SyntheticConfiguredTaskAwaitableUnderlyingTaskField and
     tail = AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())
   }
 }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -759,7 +759,8 @@ private module Cached {
   newtype TContent =
     TFieldContent(Field f) { f.isUnboundDeclaration() } or
     TPropertyContent(Property p) { p.isUnboundDeclaration() } or
-    TElementContent()
+    TElementContent() or
+    TSyntheticFieldContent(SyntheticField f)
 
   pragma[nomagic]
   private predicate commonSubTypeGeneral(DataFlowTypeOrUnifiable t1, RelevantDataFlowType t2) {
@@ -2038,3 +2039,12 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
 predicate allowParameterReturnInSelf(ParameterNode p) {
   FlowSummaryImpl::Private::summaryAllowParameterReturnInSelf(p)
 }
+
+/** A synthetic field. */
+abstract class SyntheticField extends string {
+  bindingset[this]
+  SyntheticField() { any() }
+
+  /** Gets the type of this synthetic field. */
+  Type getType() { result instanceof ObjectType }
+}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll

@@ -224,6 +224,18 @@ class FieldContent extends Content, TFieldContent {
   deprecated override Gvn::GvnType getType() { result = Gvn::getGlobalValueNumber(f.getType()) }
 }
 
+/** A reference to a synthetic field. */
+class SyntheticFieldContent extends Content, TSyntheticFieldContent {
+  private SyntheticField f;
+
+  SyntheticFieldContent() { this = TSyntheticFieldContent(f) }
+
+  /** Gets the underlying synthetic field. */
+  SyntheticField getField() { result = f }
+
+  override string toString() { result = "synthetic " + f.toString() }
+}
+
 /** A reference to a property. */
 class PropertyContent extends Content, TPropertyContent {
   private Property p;

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -29,6 +29,8 @@ DataFlowType getContentType(Content c) {
     or
     t = c.(PropertyContent).getProperty().getType()
     or
+    t = c.(SyntheticFieldContent).getField().getType()
+    or
     c instanceof ElementContent and
     t instanceof ObjectType // we don't know what the actual element type is
   )
@@ -134,6 +136,11 @@ SummaryComponent interpretComponentSpecific(string c) {
     c.regexpCapture("Property\\[(.+)\\]", 1) = p.getQualifiedName() and
     result = SummaryComponent::content(any(PropertyContent pc | pc.getProperty() = p))
   )
+  or
+  exists(SyntheticField f |
+    c.regexpCapture("SyntheticField\\[(.+)\\]", 1) = f and
+    result = SummaryComponent::content(any(SyntheticFieldContent sfc | sfc.getField() = f))
+  )
 }
 
 /** Gets the textual representation of the content in the format used for flow summaries. */
@@ -143,6 +150,8 @@ private string getContentSpecificCsv(Content c) {
   exists(Field f | c = TFieldContent(f) and result = "Field[" + f.getQualifiedName() + "]")
   or
   exists(Property p | c = TPropertyContent(p) and result = "Property[" + p.getQualifiedName() + "]")
+  or
+  exists(SyntheticField f | c = TSyntheticFieldContent(f) and result = "SyntheticField[" + f + "]")
 }
 
 /** Gets the textual representation of a summary component in the format used for flow summaries. */

csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected

@@ -253,11 +253,11 @@ edges
 | GlobalDataFlow.cs:438:22:438:35 | "taint source" : String | GlobalDataFlow.cs:201:22:201:32 | access to property OutProperty : String |
 | GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> [property Result] : String | GlobalDataFlow.cs:475:25:475:28 | access to local variable task [property Result] : String |
 | GlobalDataFlow.cs:474:35:474:48 | "taint source" : String | GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> [property Result] : String |
-| GlobalDataFlow.cs:475:25:475:28 | access to local variable task [property Result] : String | GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait [field m_configuredTaskAwaiter, field m_task, property Result] : String |
-| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait [field m_configuredTaskAwaiter, field m_task, property Result] : String | GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable [field m_configuredTaskAwaiter, field m_task, property Result] : String |
-| GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable [field m_configuredTaskAwaiter, field m_task, property Result] : String | GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter [field m_task, property Result] : String |
-| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter [field m_task, property Result] : String | GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter [field m_task, property Result] : String |
-| GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter [field m_task, property Result] : String | GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String |
+| GlobalDataFlow.cs:475:25:475:28 | access to local variable task [property Result] : String | GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
+| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
+| GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
+| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
+| GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String |
 | GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String | GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 |
 | GlobalDataFlow.cs:483:53:483:55 | arg : String | GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String |
 | GlobalDataFlow.cs:486:21:486:21 | s : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
@@ -513,10 +513,10 @@ nodes
 | GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> [property Result] : String | semmle.label | call to method Run<String> [property Result] : String |
 | GlobalDataFlow.cs:474:35:474:48 | "taint source" : String | semmle.label | "taint source" : String |
 | GlobalDataFlow.cs:475:25:475:28 | access to local variable task [property Result] : String | semmle.label | access to local variable task [property Result] : String |
-| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait [field m_configuredTaskAwaiter, field m_task, property Result] : String | semmle.label | call to method ConfigureAwait [field m_configuredTaskAwaiter, field m_task, property Result] : String |
-| GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable [field m_configuredTaskAwaiter, field m_task, property Result] : String | semmle.label | access to local variable awaitable [field m_configuredTaskAwaiter, field m_task, property Result] : String |
-| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter [field m_task, property Result] : String | semmle.label | call to method GetAwaiter [field m_task, property Result] : String |
-| GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter [field m_task, property Result] : String | semmle.label | access to local variable awaiter [field m_task, property Result] : String |
+| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method ConfigureAwait [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
+| GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaitable [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
+| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method GetAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
+| GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
 | GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String | semmle.label | call to method GetResult : String |
 | GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 | semmle.label | access to local variable sink45 |
 | GlobalDataFlow.cs:483:53:483:55 | arg : String | semmle.label | arg : String |