Merge pull request github#12413 from geoffw0/ptrout2

Swift: Permit data flow from all generic arguments

Author: geoffw0

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -211,9 +211,7 @@ private module Cached {
 private predicate modifiable(Argument arg) {
   arg.getExpr() instanceof InOutExpr
   or
-  arg.getExpr().getType() instanceof NominalType
-  or
-  arg.getExpr().getType() instanceof PointerType
+  arg.getExpr().getType() instanceof NominalOrBoundGenericNominalType
 }
 
 predicate modifiableParam(ParamDecl param) {

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll

@@ -5,22 +5,6 @@
 
 import swift
 
-/**
- * A type that is used as a pointer in Swift, such as `UnsafePointer`,
- * `UnsafeBufferPointer` and similar types.
- */
-class PointerType extends Type {
-  PointerType() {
-    this instanceof UnsafeTypedPointerType or
-    this instanceof UnsafeRawPointerType or
-    this instanceof OpaquePointerType or
-    this instanceof AutoreleasingUnsafeMutablePointerType or
-    this instanceof UnmanagedType or
-    this instanceof CVaListPointerType or
-    this instanceof ManagedBufferPointerType
-  }
-}
-
 /**
  * A Swift unsafe typed pointer type such as `UnsafePointer`,
  * `UnsafeMutablePointer` or `UnsafeBufferPointer`.

swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift

@@ -99,3 +99,31 @@ func testMutatingMyPointerInCall(ptr: MyPointer) {
   sink(arg: ptr.pointee) // $ MISSING: tainted=87
   sink(arg: ptr)
 }
+
+// ---
+
+struct MyPointerContainer {
+  var ptr: UnsafeMutablePointer<String>
+}
+
+struct MyGenericPointerContainer<T> {
+  var ptr: UnsafeMutablePointer<T>
+}
+
+func writePointerContainer(mpc: MyPointerContainer) {
+  mpc.ptr.pointee = sourceString()
+  sink(arg: mpc.ptr.pointee) // $ tainted=114
+}
+
+func writeGenericPointerContainer<T>(mgpc: MyGenericPointerContainer<T>) {
+  mgpc.ptr.pointee = sourceString() as! T
+  sink(arg: mgpc.ptr.pointee) // $ tainted=119
+}
+
+func testWritingPointerContainersInCalls(mpc: MyPointerContainer, mgpc: MyGenericPointerContainer<Int>) {
+  writePointerContainer(mpc: mpc)
+  sink(arg: mpc.ptr.pointee) // $ tainted=114
+
+  writeGenericPointerContainer(mgpc: mgpc)
+  sink(arg: mgpc.ptr.pointee) // $ tainted=119
+}

swift/ql/test/library-tests/elements/type/pointertypes/pointertypes.expected

@@ -1,14 +1,14 @@
-| pointers.swift:2:8:2:8 | self | AutoreleasingUnsafeMutablePointer<Pointee> | AutoreleasingUnsafeMutablePointerType, PointerType |
-| pointers.swift:14:6:14:6 | p1 | UnsafePointer<Int> | PointerType, UnsafeTypedPointerType |
-| pointers.swift:15:6:15:6 | p2 | UnsafeMutablePointer<UInt8> | PointerType, UnsafeTypedPointerType |
-| pointers.swift:16:6:16:6 | p3 | UnsafeBufferPointer<String> | PointerType, UnsafeTypedPointerType |
-| pointers.swift:17:6:17:6 | p4 | UnsafeMutableBufferPointer<MyClass> | PointerType, UnsafeTypedPointerType |
-| pointers.swift:18:6:18:6 | p5 | UnsafeRawPointer | PointerType, UnsafeRawPointerType |
-| pointers.swift:19:6:19:6 | p6 | UnsafeMutableRawPointer | PointerType, UnsafeRawPointerType |
-| pointers.swift:20:6:20:6 | p7 | UnsafeRawBufferPointer | PointerType, UnsafeRawPointerType |
-| pointers.swift:21:6:21:6 | p8 | UnsafeMutableRawBufferPointer | PointerType, UnsafeRawPointerType |
-| pointers.swift:23:6:23:6 | op | OpaquePointer | OpaquePointerType, PointerType |
-| pointers.swift:24:6:24:6 | aump | AutoreleasingUnsafeMutablePointer<UInt8> | AutoreleasingUnsafeMutablePointerType, PointerType |
-| pointers.swift:25:6:25:6 | um | Unmanaged<MyClass> | PointerType, UnmanagedType |
-| pointers.swift:26:6:26:6 | cvlp | CVaListPointer | CVaListPointerType, PointerType |
-| pointers.swift:28:6:28:6 | mbp | ManagedBufferPointer<Int, MyClass> | ManagedBufferPointerType, PointerType |
+| pointers.swift:2:8:2:8 | self | AutoreleasingUnsafeMutablePointer<Pointee> | AutoreleasingUnsafeMutablePointerType |
+| pointers.swift:14:6:14:6 | p1 | UnsafePointer<Int> | UnsafeTypedPointerType |
+| pointers.swift:15:6:15:6 | p2 | UnsafeMutablePointer<UInt8> | UnsafeTypedPointerType |
+| pointers.swift:16:6:16:6 | p3 | UnsafeBufferPointer<String> | UnsafeTypedPointerType |
+| pointers.swift:17:6:17:6 | p4 | UnsafeMutableBufferPointer<MyClass> | UnsafeTypedPointerType |
+| pointers.swift:18:6:18:6 | p5 | UnsafeRawPointer | UnsafeRawPointerType |
+| pointers.swift:19:6:19:6 | p6 | UnsafeMutableRawPointer | UnsafeRawPointerType |
+| pointers.swift:20:6:20:6 | p7 | UnsafeRawBufferPointer | UnsafeRawPointerType |
+| pointers.swift:21:6:21:6 | p8 | UnsafeMutableRawBufferPointer | UnsafeRawPointerType |
+| pointers.swift:23:6:23:6 | op | OpaquePointer | OpaquePointerType |
+| pointers.swift:24:6:24:6 | aump | AutoreleasingUnsafeMutablePointer<UInt8> | AutoreleasingUnsafeMutablePointerType |
+| pointers.swift:25:6:25:6 | um | Unmanaged<MyClass> | UnmanagedType |
+| pointers.swift:26:6:26:6 | cvlp | CVaListPointer | CVaListPointerType |
+| pointers.swift:28:6:28:6 | mbp | ManagedBufferPointer<Int, MyClass> | ManagedBufferPointerType |

swift/ql/test/library-tests/elements/type/pointertypes/pointertypes.ql

@@ -2,8 +2,6 @@ import swift
 import codeql.swift.frameworks.StandardLibrary.PointerTypes
 
 string describe(Type t) {
-  t instanceof PointerType and result = "PointerType"
-  or
   t instanceof BuiltinRawPointerType and result = "BuiltinRawPointerType"
   or
   t instanceof UnsafeTypedPointerType and result = "UnsafeTypedPointerType"