C#: Restrict tuple read/store steps to tuple deconstructions/constructions

hvitved · tamasvajk · commit 0698bdd90778 · 2021-03-09T09:14:24.000+01:00
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -488,13 +488,16 @@ private predicate fieldOrPropertyStore(Expr e, Content c, Expr src, Expr q, bool
     )
     or
     // Tuple element, `(..., src, ...)` `f` is `ItemX` of tuple `q`
-    exists(int i |
-      not (src instanceof LocalVariableDeclExpr or src instanceof VariableWrite) and
-      e = q and
-      src = q.(TupleExpr).getArgument(i) and
-      f = q.getType().(TupleType).getElement(i) and
-      postUpdate = false
-    )
+    e =
+      any(TupleExpr te |
+        exists(int i |
+          e = q and
+          src = te.getArgument(i) and
+          te.isConstruction() and
+          f = q.getType().(TupleType).getElement(i) and
+          postUpdate = false
+        )
+      )
   )
 }
 
@@ -807,24 +810,24 @@ private module Cached {
       or
       // node1 = (..., node2, ...)
       // node1.ItemX flows to node2
-      exists(
-        int i, Ssa::ExplicitDefinition def, AssignableDefinitions::TupleAssignmentDefinition tad,
-        Expr item
-      |
+      exists(TupleExpr te, int i, Expr item |
+        te = node1.asExpr() and
+        not te.isConstruction() and
+        c.(FieldContent).getField() = te.getType().(TupleType).getElement(i).getUnboundDeclaration() and
         // node1 = (..., item, ...)
-        node1.asExpr().(TupleExpr).getArgument(i) = item and
-        (
-          // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
-          node2.asExpr().(TupleExpr) = item and hasNodePath(x, node2, node1)
-          or
-          // item = variable in node1 = (..., variable, ...)
+        te.getArgument(i) = item
+      |
+        // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
+        node2.asExpr().(TupleExpr) = item and
+        hasNodePath(x, node2, node1)
+        or
+        // item = variable in node1 = (..., variable, ...)
+        exists(AssignableDefinitions::TupleAssignmentDefinition tad, Ssa::ExplicitDefinition def |
           node2.(SsaDefinitionNode).getDefinition() = def and
           def.getADefinition() = tad and
           tad.getLeaf() = item and
-          hasNodePath(x, node1, any(Node n | n.asExpr() = tad.getAssignment()))
-        ) and
-        c.(FieldContent).getField() =
-          node1.asExpr().getType().(TupleType).getElement(i).getUnboundDeclaration()
+          hasNodePath(x, node1, node2)
+        )
       )
     )
     or
@@ -1770,11 +1773,6 @@ private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration
     e1 = e2.(TupleExpr).getAnArgument() and
     scope = e2 and
     isSuccessor = true
-    or
-    exactScope = false and
-    e1.(TupleExpr).getParent*() = e2.(AssignExpr).getLValue() and
-    scope = e2 and
-    isSuccessor = true
   }
 
   override predicate candidateDef(
@@ -1796,6 +1794,14 @@ private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration
       scope = fs.getVariableDeclExpr() and
       exactScope = false
     )
+    or
+    scope =
+      any(AssignExpr ae |
+        ae = defTo.(AssignableDefinitions::TupleAssignmentDefinition).getAssignment() and
+        e = ae.getLValue().getAChildExpr*().(TupleExpr) and
+        exactScope = false and
+        isSuccessor = true
+      )
   }
 }
 
diff --git a/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll b/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll
@@ -1035,7 +1035,13 @@ class TupleExpr extends Expr, @tuple_expr {
   Expr getAnArgument() { result = getArgument(_) }
 
   /** Holds if this tuple is a read access. */
-  predicate isReadAccess() { not this = getAnAssignOrForeachChild() }
+  deprecated predicate isReadAccess() { not this = getAnAssignOrForeachChild() }
+
+  /** Holds if this expression is a tuple construction. */
+  predicate isConstruction() {
+    not this = getAnAssignOrForeachChild() and
+    not this instanceof PatternExpr
+  }
 
   override string getAPrimaryQlClass() { result = "TupleExpr" }
 }
diff --git a/csharp/ql/test/library-tests/csharp7/TupleAccess.expected b/csharp/ql/test/library-tests/csharp7/TupleAccess.expected
@@ -1,45 +1,45 @@
-| CSharp7.cs:66:16:66:27 | (..., ...) | read |
-| CSharp7.cs:71:9:71:22 | (..., ...) | write |
-| CSharp7.cs:73:9:73:14 | (..., ...) | write |
-| CSharp7.cs:75:9:75:23 | (..., ...) | write |
-| CSharp7.cs:75:27:75:35 | (..., ...) | read |
-| CSharp7.cs:76:9:76:14 | (..., ...) | write |
-| CSharp7.cs:76:18:76:23 | (..., ...) | write |
-| CSharp7.cs:76:27:76:32 | (..., ...) | read |
-| CSharp7.cs:77:9:77:31 | (..., ...) | write |
-| CSharp7.cs:77:17:77:30 | (..., ...) | write |
-| CSharp7.cs:77:35:77:40 | (..., ...) | read |
-| CSharp7.cs:78:9:78:19 | (..., ...) | write |
-| CSharp7.cs:78:13:78:18 | (..., ...) | write |
-| CSharp7.cs:78:23:78:33 | (..., ...) | read |
-| CSharp7.cs:78:27:78:32 | (..., ...) | read |
-| CSharp7.cs:79:9:79:18 | (..., ...) | write |
-| CSharp7.cs:79:22:79:28 | (..., ...) | read |
-| CSharp7.cs:84:16:84:24 | (..., ...) | read |
-| CSharp7.cs:89:18:89:34 | (..., ...) | read |
-| CSharp7.cs:90:9:90:24 | (..., ...) | write |
-| CSharp7.cs:97:18:97:38 | (..., ...) | read |
-| CSharp7.cs:98:18:98:43 | (..., ...) | read |
-| CSharp7.cs:98:22:98:42 | (..., ...) | read |
-| CSharp7.cs:103:18:103:42 | (..., ...) | read |
-| CSharp7.cs:104:18:104:47 | (..., ...) | read |
-| CSharp7.cs:104:22:104:46 | (..., ...) | read |
-| CSharp7.cs:109:9:109:24 | (..., ...) | write |
-| CSharp7.cs:109:28:109:46 | (..., ...) | read |
-| CSharp7.cs:109:40:109:45 | (..., ...) | read |
-| CSharp7.cs:112:9:112:22 | (..., ...) | write |
-| CSharp7.cs:112:14:112:21 | (..., ...) | write |
-| CSharp7.cs:112:26:112:33 | (..., ...) | read |
-| CSharp7.cs:114:9:114:34 | (..., ...) | write |
-| CSharp7.cs:114:18:114:33 | (..., ...) | write |
-| CSharp7.cs:114:38:114:45 | (..., ...) | write |
-| CSharp7.cs:114:49:114:67 | (..., ...) | read |
-| CSharp7.cs:114:61:114:66 | (..., ...) | read |
-| CSharp7.cs:218:16:218:23 | (..., ...) | read |
-| CSharp7.cs:224:9:224:14 | (..., ...) | write |
-| CSharp7.cs:225:9:225:18 | (..., ...) | write |
-| CSharp7.cs:226:9:226:18 | (..., ...) | write |
-| CSharp7.cs:285:40:285:61 | (..., ...) | read |
-| CSharp7.cs:287:18:287:34 | (..., ...) | write |
-| CSharp7.cs:289:18:289:31 | (..., ...) | write |
-| CSharp7.cs:291:18:291:27 | (..., ...) | write |
+| CSharp7.cs:66:16:66:27 | (..., ...) | construct |
+| CSharp7.cs:71:9:71:22 | (..., ...) | deconstruct |
+| CSharp7.cs:73:9:73:14 | (..., ...) | deconstruct |
+| CSharp7.cs:75:9:75:23 | (..., ...) | deconstruct |
+| CSharp7.cs:75:27:75:35 | (..., ...) | construct |
+| CSharp7.cs:76:9:76:14 | (..., ...) | deconstruct |
+| CSharp7.cs:76:18:76:23 | (..., ...) | deconstruct |
+| CSharp7.cs:76:27:76:32 | (..., ...) | construct |
+| CSharp7.cs:77:9:77:31 | (..., ...) | deconstruct |
+| CSharp7.cs:77:17:77:30 | (..., ...) | deconstruct |
+| CSharp7.cs:77:35:77:40 | (..., ...) | construct |
+| CSharp7.cs:78:9:78:19 | (..., ...) | deconstruct |
+| CSharp7.cs:78:13:78:18 | (..., ...) | deconstruct |
+| CSharp7.cs:78:23:78:33 | (..., ...) | construct |
+| CSharp7.cs:78:27:78:32 | (..., ...) | construct |
+| CSharp7.cs:79:9:79:18 | (..., ...) | deconstruct |
+| CSharp7.cs:79:22:79:28 | (..., ...) | construct |
+| CSharp7.cs:84:16:84:24 | (..., ...) | construct |
+| CSharp7.cs:89:18:89:34 | (..., ...) | construct |
+| CSharp7.cs:90:9:90:24 | (..., ...) | deconstruct |
+| CSharp7.cs:97:18:97:38 | (..., ...) | construct |
+| CSharp7.cs:98:18:98:43 | (..., ...) | construct |
+| CSharp7.cs:98:22:98:42 | (..., ...) | construct |
+| CSharp7.cs:103:18:103:42 | (..., ...) | construct |
+| CSharp7.cs:104:18:104:47 | (..., ...) | construct |
+| CSharp7.cs:104:22:104:46 | (..., ...) | construct |
+| CSharp7.cs:109:9:109:24 | (..., ...) | deconstruct |
+| CSharp7.cs:109:28:109:46 | (..., ...) | construct |
+| CSharp7.cs:109:40:109:45 | (..., ...) | construct |
+| CSharp7.cs:112:9:112:22 | (..., ...) | deconstruct |
+| CSharp7.cs:112:14:112:21 | (..., ...) | deconstruct |
+| CSharp7.cs:112:26:112:33 | (..., ...) | construct |
+| CSharp7.cs:114:9:114:34 | (..., ...) | deconstruct |
+| CSharp7.cs:114:18:114:33 | (..., ...) | deconstruct |
+| CSharp7.cs:114:38:114:45 | (..., ...) | deconstruct |
+| CSharp7.cs:114:49:114:67 | (..., ...) | construct |
+| CSharp7.cs:114:61:114:66 | (..., ...) | construct |
+| CSharp7.cs:218:16:218:23 | (..., ...) | construct |
+| CSharp7.cs:224:9:224:14 | (..., ...) | deconstruct |
+| CSharp7.cs:225:9:225:18 | (..., ...) | deconstruct |
+| CSharp7.cs:226:9:226:18 | (..., ...) | deconstruct |
+| CSharp7.cs:285:40:285:61 | (..., ...) | construct |
+| CSharp7.cs:287:18:287:34 | (..., ...) | deconstruct |
+| CSharp7.cs:289:18:289:31 | (..., ...) | deconstruct |
+| CSharp7.cs:291:18:291:27 | (..., ...) | deconstruct |
diff --git a/csharp/ql/test/library-tests/csharp7/TupleAccess.ql b/csharp/ql/test/library-tests/csharp7/TupleAccess.ql
@@ -1,5 +1,5 @@
 import csharp
 
 from TupleExpr e, string access
-where if e.isReadAccess() then access = "read" else access = "write"
+where if e.isConstruction() then access = "construct" else access = "deconstruct"
 select e, access
diff --git a/csharp/ql/test/library-tests/dataflow/tuples/Tuples.expected b/csharp/ql/test/library-tests/dataflow/tuples/Tuples.expected
@@ -4,7 +4,6 @@ edges
 | Tuples.cs:7:17:7:56 | (..., ...) [Item1] : String | Tuples.cs:18:9:18:22 | (..., ...) [Item1] : String |
 | Tuples.cs:7:17:7:56 | (..., ...) [Item1] : String | Tuples.cs:23:14:23:14 | access to local variable x [Item1] : String |
 | Tuples.cs:7:17:7:56 | (..., ...) [Item1] : String | Tuples.cs:24:14:24:14 | access to local variable x [Item1] : String |
-| Tuples.cs:7:17:7:56 | (..., ...) [Item2, Item2] : String | Tuples.cs:7:37:7:55 | (..., ...) [Item2] : String |
 | Tuples.cs:7:17:7:56 | (..., ...) [Item2, Item2] : String | Tuples.cs:8:9:8:23 | (..., ...) [Item2, Item2] : String |
 | Tuples.cs:7:17:7:56 | (..., ...) [Item2, Item2] : String | Tuples.cs:13:9:13:19 | (..., ...) [Item2, Item2] : String |
 | Tuples.cs:7:17:7:56 | (..., ...) [Item2, Item2] : String | Tuples.cs:18:9:18:22 | (..., ...) [Item2, Item2] : String |
@@ -14,15 +13,13 @@ edges
 | Tuples.cs:7:41:7:54 | "taint source" : String | Tuples.cs:7:37:7:55 | (..., ...) [Item2] : String |
 | Tuples.cs:8:9:8:23 | (..., ...) [Item1] : String | Tuples.cs:8:9:8:27 | SSA def(a) : String |
 | Tuples.cs:8:9:8:23 | (..., ...) [Item2, Item2] : String | Tuples.cs:8:9:8:23 | (..., ...) [Item2] : String |
-| Tuples.cs:8:9:8:23 | (..., ...) [Item2] : String | Tuples.cs:8:9:8:23 | (..., ...) [Item2, Item2] : String |
 | Tuples.cs:8:9:8:23 | (..., ...) [Item2] : String | Tuples.cs:8:9:8:27 | SSA def(c) : String |
 | Tuples.cs:8:9:8:27 | SSA def(a) : String | Tuples.cs:9:14:9:14 | access to local variable a |
 | Tuples.cs:8:9:8:27 | SSA def(c) : String | Tuples.cs:11:14:11:14 | access to local variable c |
 | Tuples.cs:13:9:13:19 | (..., ...) [Item1] : String | Tuples.cs:13:9:13:23 | SSA def(a) : String |
 | Tuples.cs:13:9:13:19 | (..., ...) [Item2, Item2] : String | Tuples.cs:13:13:13:18 | (..., ...) [Item2] : String |
 | Tuples.cs:13:9:13:23 | SSA def(a) : String | Tuples.cs:14:14:14:14 | access to local variable a |
 | Tuples.cs:13:9:13:23 | SSA def(c) : String | Tuples.cs:16:14:16:14 | access to local variable c |
-| Tuples.cs:13:13:13:18 | (..., ...) [Item2] : String | Tuples.cs:13:9:13:19 | (..., ...) [Item2, Item2] : String |
 | Tuples.cs:13:13:13:18 | (..., ...) [Item2] : String | Tuples.cs:13:9:13:23 | SSA def(c) : String |
 | Tuples.cs:18:9:18:22 | (..., ...) [Item1] : String | Tuples.cs:18:9:18:26 | SSA def(p) : String |
 | Tuples.cs:18:9:18:22 | (..., ...) [Item2, Item2] : String | Tuples.cs:18:9:18:26 | SSA def(q) [Item2] : String |
