C#: add store step for return statements inside async methods

Author: tamasvajk

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -632,6 +632,9 @@ private module Cached {
     TYieldReturnNode(ControlFlow::Nodes::ElementNode cfn) {
       any(Callable c).canYieldReturn(cfn.getElement())
     } or
+    TAsyncReturnNode(ControlFlow::Nodes::ElementNode cfn) {
+      any(Callable c | c.(Modifiable).isAsync()).canReturn(cfn.getElement())
+    } or
     TImplicitCapturedArgumentNode(ControlFlow::Nodes::ElementNode cfn, LocalScopeVariable v) {
       exists(Ssa::ExplicitDefinition def | def.isCapturedVariableDefinitionFlowIn(_, cfn, _) |
         v = def.getSourceVariable().getAssignable()
@@ -783,6 +786,12 @@ private module Cached {
       c instanceof ElementContent
     )
     or
+    exists(Expr e |
+      e = node1.asExpr() and
+      node2.(AsyncReturnNode).getReturnStmt().getExpr() = e and
+      c = getResultContent()
+    )
+    or
     FlowSummaryImpl::Private::storeStep(node1, c, node2)
   }
 
@@ -962,6 +971,8 @@ private module Cached {
     or
     n instanceof YieldReturnNode
     or
+    n instanceof AsyncReturnNode
+    or
     n instanceof ImplicitCapturedArgumentNode
     or
     n instanceof MallocNode
@@ -1397,6 +1408,30 @@ private module ReturnNodes {
     override string toStringImpl() { result = yrs.toString() }
   }
 
+  /**
+   * A synthesized `return` node for returned expressions inside `async` methods.
+   */
+  class AsyncReturnNode extends ReturnNode, NodeImpl, TAsyncReturnNode {
+    private ControlFlow::Nodes::ElementNode cfn;
+    private ReturnStmt rs;
+
+    AsyncReturnNode() { this = TAsyncReturnNode(cfn) and rs.getExpr().getAControlFlowNode() = cfn }
+
+    ReturnStmt getReturnStmt() { result = rs }
+
+    override NormalReturnKind getKind() { any() }
+
+    override Callable getEnclosingCallableImpl() { result = rs.getEnclosingCallable() }
+
+    override Type getTypeImpl() { result = rs.getEnclosingCallable().getReturnType() }
+
+    override ControlFlow::Node getControlFlowNodeImpl() { result = cfn }
+
+    override Location getLocationImpl() { result = rs.getLocation() }
+
+    override string toStringImpl() { result = rs.toString() }
+  }
+
   /**
    * The value of a captured variable as an implicit return from a call, viewed
    * as a node in a data flow graph.

csharp/ql/test/library-tests/dataflow/async/Async.cs

@@ -8,7 +8,7 @@ private void Sink(string s)
 
     public void TestNonAwait(string input)
     {
-        Sink(Return(input)); // True positive
+        Sink(Return(input));
     }
 
     private string Return(string x)
@@ -18,18 +18,18 @@ private string Return(string x)
 
     public async Task TestAwait1(string input)
     {
-        Sink(await ReturnAwait(input)); // False negative
+        Sink(await ReturnAwait(input));
     }
 
     public async Task TestAwait2(string input)
     {
         var x = await ReturnAwait(input);
-        Sink(x); // False negative
+        Sink(x);
     }
 
     public void TestAwait3(string input)
     {
-        Sink(ReturnAwait(input).Result); // False negative
+        Sink(ReturnAwait(input).Result);
     }
 
     private async Task<string> ReturnAwait(string x)
@@ -40,7 +40,7 @@ private async Task<string> ReturnAwait(string x)
 
     public void TestTask(string input)
     {
-        Sink(ReturnTask(input).Result); // True positive
+        Sink(ReturnTask(input).Result);
     }
 
     private Task<string> ReturnTask(string x)

csharp/ql/test/library-tests/dataflow/async/Async.expected

@@ -3,6 +3,20 @@ edges
 | Async.cs:11:21:11:25 | access to parameter input : String | Async.cs:11:14:11:26 | call to method Return |
 | Async.cs:14:34:14:34 | x : String | Async.cs:16:16:16:16 | access to parameter x : String |
 | Async.cs:16:16:16:16 | access to parameter x : String | Async.cs:11:14:11:26 | call to method Return |
+| Async.cs:19:41:19:45 | input : String | Async.cs:21:32:21:36 | access to parameter input : String |
+| Async.cs:21:20:21:37 | call to method ReturnAwait [Result] : String | Async.cs:21:14:21:37 | await ... |
+| Async.cs:21:32:21:36 | access to parameter input : String | Async.cs:21:20:21:37 | call to method ReturnAwait [Result] : String |
+| Async.cs:24:41:24:45 | input : String | Async.cs:26:35:26:39 | access to parameter input : String |
+| Async.cs:26:17:26:40 | await ... : String | Async.cs:27:14:27:14 | access to local variable x |
+| Async.cs:26:23:26:40 | call to method ReturnAwait [Result] : String | Async.cs:26:17:26:40 | await ... : String |
+| Async.cs:26:35:26:39 | access to parameter input : String | Async.cs:26:23:26:40 | call to method ReturnAwait [Result] : String |
+| Async.cs:30:35:30:39 | input : String | Async.cs:32:26:32:30 | access to parameter input : String |
+| Async.cs:32:14:32:31 | call to method ReturnAwait [Result] : String | Async.cs:32:14:32:38 | access to property Result |
+| Async.cs:32:26:32:30 | access to parameter input : String | Async.cs:32:14:32:31 | call to method ReturnAwait [Result] : String |
+| Async.cs:35:51:35:51 | x : String | Async.cs:38:16:38:16 | access to parameter x : String |
+| Async.cs:38:16:38:16 | access to parameter x : String | Async.cs:21:20:21:37 | call to method ReturnAwait [Result] : String |
+| Async.cs:38:16:38:16 | access to parameter x : String | Async.cs:26:23:26:40 | call to method ReturnAwait [Result] : String |
+| Async.cs:38:16:38:16 | access to parameter x : String | Async.cs:32:14:32:31 | call to method ReturnAwait [Result] : String |
 | Async.cs:41:33:41:37 | input : String | Async.cs:43:25:43:29 | access to parameter input : String |
 | Async.cs:43:14:43:30 | call to method ReturnTask [Result] : String | Async.cs:43:14:43:37 | access to property Result |
 | Async.cs:43:25:43:29 | access to parameter input : String | Async.cs:43:14:43:30 | call to method ReturnTask [Result] : String |
@@ -15,6 +29,21 @@ nodes
 | Async.cs:11:21:11:25 | access to parameter input : String | semmle.label | access to parameter input : String |
 | Async.cs:14:34:14:34 | x : String | semmle.label | x : String |
 | Async.cs:16:16:16:16 | access to parameter x : String | semmle.label | access to parameter x : String |
+| Async.cs:19:41:19:45 | input : String | semmle.label | input : String |
+| Async.cs:21:14:21:37 | await ... | semmle.label | await ... |
+| Async.cs:21:20:21:37 | call to method ReturnAwait [Result] : String | semmle.label | call to method ReturnAwait [Result] : String |
+| Async.cs:21:32:21:36 | access to parameter input : String | semmle.label | access to parameter input : String |
+| Async.cs:24:41:24:45 | input : String | semmle.label | input : String |
+| Async.cs:26:17:26:40 | await ... : String | semmle.label | await ... : String |
+| Async.cs:26:23:26:40 | call to method ReturnAwait [Result] : String | semmle.label | call to method ReturnAwait [Result] : String |
+| Async.cs:26:35:26:39 | access to parameter input : String | semmle.label | access to parameter input : String |
+| Async.cs:27:14:27:14 | access to local variable x | semmle.label | access to local variable x |
+| Async.cs:30:35:30:39 | input : String | semmle.label | input : String |
+| Async.cs:32:14:32:31 | call to method ReturnAwait [Result] : String | semmle.label | call to method ReturnAwait [Result] : String |
+| Async.cs:32:14:32:38 | access to property Result | semmle.label | access to property Result |
+| Async.cs:32:26:32:30 | access to parameter input : String | semmle.label | access to parameter input : String |
+| Async.cs:35:51:35:51 | x : String | semmle.label | x : String |
+| Async.cs:38:16:38:16 | access to parameter x : String | semmle.label | access to parameter x : String |
 | Async.cs:41:33:41:37 | input : String | semmle.label | input : String |
 | Async.cs:43:14:43:30 | call to method ReturnTask [Result] : String | semmle.label | call to method ReturnTask [Result] : String |
 | Async.cs:43:14:43:37 | access to property Result | semmle.label | access to property Result |
@@ -25,5 +54,11 @@ nodes
 #select
 | Async.cs:11:14:11:26 | call to method Return | Async.cs:9:37:9:41 | input : String | Async.cs:11:14:11:26 | call to method Return | $@ flows to here and is used. | Async.cs:9:37:9:41 | input | User-provided value |
 | Async.cs:11:14:11:26 | call to method Return | Async.cs:14:34:14:34 | x : String | Async.cs:11:14:11:26 | call to method Return | $@ flows to here and is used. | Async.cs:14:34:14:34 | x | User-provided value |
+| Async.cs:21:14:21:37 | await ... | Async.cs:19:41:19:45 | input : String | Async.cs:21:14:21:37 | await ... | $@ flows to here and is used. | Async.cs:19:41:19:45 | input | User-provided value |
+| Async.cs:21:14:21:37 | await ... | Async.cs:35:51:35:51 | x : String | Async.cs:21:14:21:37 | await ... | $@ flows to here and is used. | Async.cs:35:51:35:51 | x | User-provided value |
+| Async.cs:27:14:27:14 | access to local variable x | Async.cs:24:41:24:45 | input : String | Async.cs:27:14:27:14 | access to local variable x | $@ flows to here and is used. | Async.cs:24:41:24:45 | input | User-provided value |
+| Async.cs:27:14:27:14 | access to local variable x | Async.cs:35:51:35:51 | x : String | Async.cs:27:14:27:14 | access to local variable x | $@ flows to here and is used. | Async.cs:35:51:35:51 | x | User-provided value |
+| Async.cs:32:14:32:38 | access to property Result | Async.cs:30:35:30:39 | input : String | Async.cs:32:14:32:38 | access to property Result | $@ flows to here and is used. | Async.cs:30:35:30:39 | input | User-provided value |
+| Async.cs:32:14:32:38 | access to property Result | Async.cs:35:51:35:51 | x : String | Async.cs:32:14:32:38 | access to property Result | $@ flows to here and is used. | Async.cs:35:51:35:51 | x | User-provided value |
 | Async.cs:43:14:43:37 | access to property Result | Async.cs:41:33:41:37 | input : String | Async.cs:43:14:43:37 | access to property Result | $@ flows to here and is used. | Async.cs:41:33:41:37 | input | User-provided value |
 | Async.cs:43:14:43:37 | access to property Result | Async.cs:46:44:46:44 | x : String | Async.cs:43:14:43:37 | access to property Result | $@ flows to here and is used. | Async.cs:46:44:46:44 | x | User-provided value |