Tuple data flow: take cfg reachability into account

tamasvajk · tamasvajk · commit b05199dccf0e · 2021-03-09T09:14:23.000+01:00
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -804,27 +804,28 @@ private module Cached {
       hasNodePath(x, node1, node2) and
       node2.asExpr().(AwaitExpr).getExpr() = node1.asExpr() and
       c = getResultContent()
-    )
-    or
-    // node1 = (..., node2, ...)
-    // node1.ItemX flows to node2
-    exists(
-      int i, Ssa::ExplicitDefinition def, AssignableDefinitions::TupleAssignmentDefinition tad,
-      Expr item
-    |
-      // node1 = (..., item, ...)
-      node1.asExpr().(TupleExpr).getArgument(i) = item and
-      (
-        // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
-        node2.asExpr() instanceof TupleExpr and node2.asExpr() = item
-        or
-        // item = variable in node1 = (..., variable, ...)
-        node2.(SsaDefinitionNode).getDefinition() = def and
-        def.getADefinition() = tad and
-        tad.getLeaf() = item
-      ) and
-      c.(FieldContent).getField() =
-        node1.asExpr().getType().(TupleType).getElement(i).getUnboundDeclaration()
+      or
+      // node1 = (..., node2, ...)
+      // node1.ItemX flows to node2
+      exists(
+        int i, Ssa::ExplicitDefinition def, AssignableDefinitions::TupleAssignmentDefinition tad,
+        Expr item
+      |
+        // node1 = (..., item, ...)
+        node1.asExpr().(TupleExpr).getArgument(i) = item and
+        (
+          // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
+          node2.asExpr().(TupleExpr) = item and hasNodePath(x, node2, node1)
+          or
+          // item = variable in node1 = (..., variable, ...)
+          node2.(SsaDefinitionNode).getDefinition() = def and
+          def.getADefinition() = tad and
+          tad.getLeaf() = item and
+          hasNodePath(x, node1, any(Node n | n.asExpr() = tad.getAssignment()))
+        ) and
+        c.(FieldContent).getField() =
+          node1.asExpr().getType().(TupleType).getElement(i).getUnboundDeclaration()
+      )
     )
     or
     FlowSummaryImpl::Private::readStep(node1, c, node2)
@@ -1764,6 +1765,16 @@ private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration
     e1 = e2.(AwaitExpr).getExpr() and
     scope = e2 and
     isSuccessor = true
+    or
+    exactScope = false and
+    e1 = e2.(TupleExpr).getAnArgument() and
+    scope = e2 and
+    isSuccessor = true
+    or
+    exactScope = false and
+    e1.(TupleExpr).getParent*() = e2.(AssignExpr).getLValue() and
+    scope = e2 and
+    isSuccessor = true
   }
 
   override predicate candidateDef(
