C#: Introduce ParameterPosition and ArgumentPosition

Author: hvitved

csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll

@@ -2,7 +2,11 @@
 
 import csharp
 private import internal.FlowSummaryImpl as Impl
-private import internal.DataFlowDispatch
+private import internal.DataFlowDispatch as DataFlowDispatch
+
+class ParameterPosition = DataFlowDispatch::ParameterPosition;
+
+class ArgumentPosition = DataFlowDispatch::ArgumentPosition;
 
 // import all instances below
 private module Summaries {
@@ -14,7 +18,27 @@ class SummaryComponent = Impl::Public::SummaryComponent;
 
 /** Provides predicates for constructing summary components. */
 module SummaryComponent {
-  import Impl::Public::SummaryComponent
+  private import Impl::Public::SummaryComponent as SummaryComponentInternal
+
+  predicate content = SummaryComponentInternal::content/1;
+
+  /** Gets a summary component for parameter `i`. */
+  SummaryComponent parameter(int i) {
+    exists(ArgumentPosition pos |
+      result = SummaryComponentInternal::parameter(pos) and
+      i = pos.getPosition()
+    )
+  }
+
+  /** Gets a summary component for argument `i`. */
+  SummaryComponent argument(int i) {
+    exists(ParameterPosition pos |
+      result = SummaryComponentInternal::argument(pos) and
+      i = pos.getPosition()
+    )
+  }
+
+  predicate return = SummaryComponentInternal::return/1;
 
   /** Gets a summary component that represents a qualifier. */
   SummaryComponent qualifier() { result = argument(-1) }
@@ -33,14 +57,14 @@ module SummaryComponent {
   }
 
   /** Gets a summary component that represents the return value of a call. */
-  SummaryComponent return() { result = return(any(NormalReturnKind rk)) }
+  SummaryComponent return() { result = return(any(DataFlowDispatch::NormalReturnKind rk)) }
 
   /** Gets a summary component that represents a jump to `c`. */
   SummaryComponent jump(Callable c) {
     result =
-      return(any(JumpReturnKind jrk |
+      return(any(DataFlowDispatch::JumpReturnKind jrk |
           jrk.getTarget() = c.getUnboundDeclaration() and
-          jrk.getTargetReturnKind() instanceof NormalReturnKind
+          jrk.getTargetReturnKind() instanceof DataFlowDispatch::NormalReturnKind
         ))
   }
 }
@@ -49,7 +73,16 @@ class SummaryComponentStack = Impl::Public::SummaryComponentStack;
 
 /** Provides predicates for constructing stacks of summary components. */
 module SummaryComponentStack {
-  import Impl::Public::SummaryComponentStack
+  private import Impl::Public::SummaryComponentStack as SummaryComponentStackInternal
+
+  predicate singleton = SummaryComponentStackInternal::singleton/1;
+
+  predicate push = SummaryComponentStackInternal::push/2;
+
+  /** Gets a singleton stack for argument `i`. */
+  SummaryComponentStack argument(int i) { result = singleton(SummaryComponent::argument(i)) }
+
+  predicate return = SummaryComponentStackInternal::return/1;
 
   /** Gets a singleton stack representing a qualifier. */
   SummaryComponentStack qualifier() { result = singleton(SummaryComponent::qualifier()) }
@@ -84,12 +117,12 @@ private class SummarizedCallableDefaultClearsContent extends Impl::Public::Summa
   }
 
   // By default, we assume that all stores into arguments are definite
-  override predicate clearsContent(int i, DataFlow::Content content) {
+  override predicate clearsContent(ParameterPosition pos, DataFlow::Content content) {
     exists(SummaryComponentStack output |
       this.propagatesFlow(_, output, _) and
       output.drop(_) =
         SummaryComponentStack::push(SummaryComponent::content(content),
-          SummaryComponentStack::argument(i)) and
+          SummaryComponentStack::argument(pos.getPosition())) and
       not content instanceof DataFlow::ElementContent
     )
   }

csharp/ql/lib/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll

@@ -465,10 +465,10 @@ private module FrameworkDataFlowAdaptor {
       )
     }
 
-    override predicate clearsContent(int i, Content content) {
+    override predicate clearsContent(ParameterPosition pos, Content content) {
       exists(SummaryComponentStack input |
         ltdf.clearsContent(toCallableFlowSource(input), content, this) and
-        input = SummaryComponentStack::singleton(SummaryComponent::argument(i))
+        input = SummaryComponentStack::argument(pos.getPosition())
       )
     }
   }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -5,15 +5,15 @@ private import DataFlowImplCommon as DataFlowImplCommon
 private import DataFlowPublic
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
-private import semmle.code.csharp.dataflow.FlowSummary
+private import semmle.code.csharp.dataflow.FlowSummary as FlowSummary
 private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.dispatch.RuntimeCallable
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.collections.Generic
 
 private predicate summarizedCallable(DataFlowCallable c) {
-  c instanceof SummarizedCallable
+  c instanceof FlowSummary::SummarizedCallable
   or
   FlowSummaryImpl::Private::summaryReturnNode(_, TJumpReturnKind(c, _))
   or
@@ -108,13 +108,27 @@ private module Cached {
       // No need to include calls that are compiled from source
       not call.getImplementation().getMethod().compiledFromSource()
     } or
-    TSummaryCall(SummarizedCallable c, Node receiver) {
+    TSummaryCall(FlowSummary::SummarizedCallable c, Node receiver) {
       FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
     }
 
   /** Gets a viable run-time target for the call `call`. */
   cached
   DataFlowCallable viableCallable(DataFlowCall call) { result = call.getARuntimeTarget() }
+
+  private int parameterPosition() {
+    result =
+      [
+        -1, any(Parameter p).getPosition(),
+        ImplicitCapturedParameterNodeImpl::getParameterPosition(_)
+      ]
+  }
+
+  cached
+  newtype TParameterPosition = MkParameterPosition(int i) { i = parameterPosition() }
+
+  cached
+  newtype TArgumentPosition = MkArgumentPosition(int i) { i = parameterPosition() }
 }
 
 import Cached
@@ -388,7 +402,7 @@ class CilDataFlowCall extends DataFlowCall, TCilCall {
  * the method `Select`.
  */
 class SummaryCall extends DelegateDataFlowCall, TSummaryCall {
-  private SummarizedCallable c;
+  private FlowSummary::SummarizedCallable c;
   private Node receiver;
 
   SummaryCall() { this = TSummaryCall(c, receiver) }
@@ -410,3 +424,37 @@ class SummaryCall extends DelegateDataFlowCall, TSummaryCall {
 
   override Location getLocation() { result = c.getLocation() }
 }
+
+/** A parameter position represented by an integer. */
+class ParameterPosition extends MkParameterPosition {
+  private int i;
+
+  ParameterPosition() { this = MkParameterPosition(i) }
+
+  /** Gets the underlying integer. */
+  int getPosition() { result = i }
+
+  /** Gets a textual representation of this position. */
+  string toString() { result = i.toString() }
+}
+
+/** An argument position represented by an integer. */
+class ArgumentPosition extends MkArgumentPosition {
+  private int i;
+
+  ArgumentPosition() { this = MkArgumentPosition(i) }
+
+  /** Gets the underlying integer. */
+  int getPosition() { result = i }
+
+  /** Gets a textual representation of this position. */
+  string toString() { result = i.toString() }
+}
+
+/** Holds if arguments at position `apos` match parameters at position `ppos`. */
+predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
+  exists(int i |
+    ppos = MkParameterPosition(i) and
+    apos = MkArgumentPosition(i)
+  )
+}