Swift: fix a bunch of MISSING dataflow test cases

Optional content flow through constructors remains.

Author: d10c

swift/ql/lib/codeql/swift/dataflow/Ssa.qll

@@ -38,9 +38,9 @@ module Ssa {
       // if let x5 = optional { ... }
       // guard let x6 = optional else { ... }
       // ```
-      exists(Pattern pattern |
+      exists(NamedPattern pattern |
         bb.getNode(i).getNode().asAstNode() = pattern and
-        v.getParentPattern() = pattern and
+        v = pattern.getVarDecl() and
         certain = true
       )
       or
@@ -153,14 +153,10 @@ module Ssa {
         value.getNode().asAstNode() = a.getSource()
       )
       or
-      exists(
-        VarDecl var, SsaInput::BasicBlock bb, int blockIndex, PatternBindingDecl pbd, Expr init
-      |
-        this.definesAt(var, bb, blockIndex) and
-        pbd.getAPattern() = bb.getNode(blockIndex).getNode().asAstNode() and
-        init = var.getParentInitializer()
-      |
-        value.getAst() = init
+      exists(SsaInput::BasicBlock bb, int blockIndex, NamedPattern np |
+        this.definesAt(_, bb, blockIndex) and
+        np = bb.getNode(blockIndex).getNode().asAstNode() and
+        value.getNode().asAstNode() = np
       )
       or
       exists(SsaInput::BasicBlock bb, int blockIndex, ConditionElement ce, Expr init |

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -184,6 +184,16 @@ private module Cached {
       nodeFrom.asExpr() = ie.getBranch(_)
     )
     or
+    // flow from Expr to Pattern
+    exists(Expr e, Pattern p |
+      nodeFrom.asExpr() = e and
+      nodeTo.asPattern() = p and
+      p.getImmediateMatchingExpr() = e
+    )
+    or
+    // flow from Pattern to an identity-preserving sub-Pattern:
+    nodeFrom.asPattern() = nodeTo.asPattern().getIdentityPreservingEnclosingPattern()
+    or
     // flow through a flow summary (extension of `SummaryModelCsv`)
     FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, true)
   }
@@ -580,6 +590,13 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
     c.isSingleton(any(Content::EnumContent ec | ec.getParam() = enum.getElement().getParam(pos)))
   )
   or
+  // creation of an optional via implicit conversion
+  exists(InjectIntoOptionalExpr e, OptionalSomeDecl someDecl |
+    e.convertsFrom(node1.asExpr()) and
+    node2 = node1 and // HACK: we should ideally have a separate Node case for the (hidden) InjectIntoOptionalExpr
+    c.isSingleton(any(Content::EnumContent ec | ec.getParam() = someDecl.getParam(0)))
+  )
+  or
   FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, c, node2)
 }
 
@@ -602,18 +619,32 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
   )
   or
   // read of an enum member via `case let .variant(v1, v2)` pattern matching
-  exists(Expr enumExpr, ParamDecl enumParam, VarDecl boundVar |
-    node1.asExpr() = enumExpr and
-    node2.asDefinition().getSourceVariable() = boundVar and
+  exists(EnumElementPattern enumPat, ParamDecl enumParam, Pattern subPat |
+    node1.asPattern() = enumPat and
+    node2.asPattern() = subPat and
     c.isSingleton(any(Content::EnumContent ec | ec.getParam() = enumParam))
   |
-    exists(EnumElementPattern enumPat, NamedPattern namePat, int idx |
-      enumPat.getMatchingExpr() = enumExpr and
+    exists(int idx |
       enumPat.getElement().getParam(idx) = enumParam and
-      namePat.getImmediateIdentityPreservingEnclosingPattern*() = enumPat.getSubPattern(idx) and
-      namePat.getVarDecl() = boundVar
+      enumPat.getSubPattern(idx) = subPat
     )
   )
+  or
+  // read of a tuple member via `case let (v1, v2)` pattern matching
+  exists(TuplePattern tupPat, int idx, Pattern subPat |
+    node1.asPattern() = tupPat and
+    node2.asPattern() = subPat and
+    c.isSingleton(any(Content::TupleContent tc | tc.getIndex() = idx))
+  |
+    tupPat.getElement(idx) = subPat
+  )
+  or
+  // read of an optional .some member via `let x: T = y: T?` pattern matching
+  exists(OptionalSomePattern pat, OptionalSomeDecl someDecl |
+    node1.asPattern() = pat and
+    node2.asPattern() = pat.getSubPattern() and
+    c.isSingleton(any(Content::EnumContent ec | ec.getParam() = someDecl.getParam(0)))
+  )
 }
 
 /**
@@ -631,6 +662,20 @@ predicate clearsContent(Node n, ContentSet c) {
  */
 predicate expectsContent(Node n, ContentSet c) { none() }
 
+/**
+ * The global singleton `Optional.some` enum element.
+ */
+private class OptionalSomeDecl extends EnumElementDecl {
+  OptionalSomeDecl() {
+    exists(EnumDecl enum |
+      this.getName() = "some" and
+      this.getDeclaringDecl() = enum and
+      enum.getName() = "Optional" and
+      enum.getModule().getName() = "Swift"
+    )
+  }
+}
+
 private newtype TDataFlowType = TODO_DataFlowType()
 
 class DataFlowType extends TDataFlowType {

swift/ql/lib/codeql/swift/elements/pattern/Pattern.qll

@@ -20,12 +20,12 @@ private import codeql.swift.generated.ParentChild
 
 class Pattern extends Generated::Pattern {
   /**
-   * Gets the expression that this pattern is matched against, if any.
+   * Gets the expression that this top-level pattern is matched against, if any.
    *
    * For example, in `switch e { case p: ... }`, the pattern `p`
-   * is matched against the expression `e`.
+   * is immediately matched against the expression `e`.
    */
-  Expr getMatchingExpr() {
+  Expr getImmediateMatchingExpr() {
     exists(ConditionElement c |
       c.getPattern() = this and
       result = c.getInitializer()
@@ -40,6 +40,18 @@ class Pattern extends Generated::Pattern {
       v.getPattern(i) = this and
       result = v.getInit(i)
     )
+  }
+
+  /**
+   * Gets the expression that this pattern is matched against, if any.
+   * The expression and the pattern need not be top-level children of
+   * a pattern-matching construct, but they must match each other syntactically.
+   *
+   * For example, in `switch .some(e) { case let .some(p): ... }`, the pattern `p`
+   * is matched against the expression `e`.
+   */
+  Expr getMatchingExpr() {
+    result = this.getImmediateMatchingExpr()
     or
     exists(Pattern p | p.getMatchingExpr() = result |
       this = p.(IsPattern).getSubPattern()