Swift: add summary read steps in dataflow

rdmarsh2 · rdmarsh2 · commit 0142309cab4c · 2023-08-04T18:44:42.000Z
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -798,6 +798,9 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     subscript.getBase().getType() instanceof ArrayType and
     c.isSingleton(any(Content::ArrayContent ac))
   )
+  or
+  FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,
+    node2.(FlowSummaryNode).getSummaryNode())
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -27,6 +27,7 @@ private class CollectionSummaries extends SummaryModelCsv {
         ";Collection;true;removeFirst();;;Argument[-1];ReturnValue;taint",
         ";Collection;true;popFirst();;;Argument[-1];ReturnValue;taint",
         ";Collection;true;randomElement();;;Argument[-1].SetElement;ReturnValue.OptionalSome;value",
+        ";Collection;true;randomElement();;;Argument[-1].ArrayElement;ReturnValue.OptionalSome;value",
         ";RangeReplaceableCollection;true;append(_:);;;Argument[0];Argument[-1];taint",
         ";RangeReplaceableCollection;true;append(contentsOf:);;;Argument[0];Argument[-1];taint",
         ";RangeReplaceableCollection;true;remove(at:);;;Argument[-1];ReturnValue;taint",
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
@@ -336,6 +336,19 @@ edges
 | test.swift:693:5:693:5 | [post] arr6 [Array element] | test.swift:694:15:694:15 | arr6 [Array element] |
 | test.swift:693:17:693:24 | call to source() | test.swift:693:5:693:5 | [post] arr6 [Array element] |
 | test.swift:694:15:694:15 | arr6 [Array element] | test.swift:694:15:694:21 | ...[...] |
+| test.swift:696:16:696:25 | [...] [Array element] | test.swift:697:15:697:15 | arr7 [Array element] |
+| test.swift:696:17:696:24 | call to source() | test.swift:696:16:696:25 | [...] [Array element] |
+| test.swift:697:15:697:15 | arr7 [Array element] | test.swift:697:15:697:34 | call to randomElement() [some:0] |
+| test.swift:697:15:697:34 | call to randomElement() [some:0] | test.swift:697:15:697:35 | ...! |
+| test.swift:703:5:703:5 | [post] set1 [Set element] | test.swift:704:15:704:15 | set1 [Set element] |
+| test.swift:703:17:703:24 | call to source() | test.swift:703:5:703:5 | [post] set1 [Set element] |
+| test.swift:704:15:704:15 | set1 [Set element] | test.swift:704:15:704:34 | call to randomElement() [some:0] |
+| test.swift:704:15:704:34 | call to randomElement() [some:0] | test.swift:704:15:704:35 | ...! |
+| test.swift:706:16:706:30 | call to Set<Element>.init(_:) [Set element] | test.swift:707:15:707:15 | set2 [Set element] |
+| test.swift:706:20:706:29 | [...] [Array element] | test.swift:706:16:706:30 | call to Set<Element>.init(_:) [Set element] |
+| test.swift:706:21:706:28 | call to source() | test.swift:706:20:706:29 | [...] [Array element] |
+| test.swift:707:15:707:15 | set2 [Set element] | test.swift:707:15:707:34 | call to randomElement() [some:0] |
+| test.swift:707:15:707:34 | call to randomElement() [some:0] | test.swift:707:15:707:35 | ...! |
 nodes
 | file://:0:0:0:0 | .a [x] | semmle.label | .a [x] |
 | file://:0:0:0:0 | .str | semmle.label | .str |
@@ -706,6 +719,22 @@ nodes
 | test.swift:693:17:693:24 | call to source() | semmle.label | call to source() |
 | test.swift:694:15:694:15 | arr6 [Array element] | semmle.label | arr6 [Array element] |
 | test.swift:694:15:694:21 | ...[...] | semmle.label | ...[...] |
+| test.swift:696:16:696:25 | [...] [Array element] | semmle.label | [...] [Array element] |
+| test.swift:696:17:696:24 | call to source() | semmle.label | call to source() |
+| test.swift:697:15:697:15 | arr7 [Array element] | semmle.label | arr7 [Array element] |
+| test.swift:697:15:697:34 | call to randomElement() [some:0] | semmle.label | call to randomElement() [some:0] |
+| test.swift:697:15:697:35 | ...! | semmle.label | ...! |
+| test.swift:703:5:703:5 | [post] set1 [Set element] | semmle.label | [post] set1 [Set element] |
+| test.swift:703:17:703:24 | call to source() | semmle.label | call to source() |
+| test.swift:704:15:704:15 | set1 [Set element] | semmle.label | set1 [Set element] |
+| test.swift:704:15:704:34 | call to randomElement() [some:0] | semmle.label | call to randomElement() [some:0] |
+| test.swift:704:15:704:35 | ...! | semmle.label | ...! |
+| test.swift:706:16:706:30 | call to Set<Element>.init(_:) [Set element] | semmle.label | call to Set<Element>.init(_:) [Set element] |
+| test.swift:706:20:706:29 | [...] [Array element] | semmle.label | [...] [Array element] |
+| test.swift:706:21:706:28 | call to source() | semmle.label | call to source() |
+| test.swift:707:15:707:15 | set2 [Set element] | semmle.label | set2 [Set element] |
+| test.swift:707:15:707:34 | call to randomElement() [some:0] | semmle.label | call to randomElement() [some:0] |
+| test.swift:707:15:707:35 | ...! | semmle.label | ...! |
 subpaths
 | test.swift:75:22:75:22 | x | test.swift:65:16:65:28 | arg1 | test.swift:65:1:70:1 | arg2[return] | test.swift:75:32:75:32 | [post] y |
 | test.swift:114:19:114:19 | arg | test.swift:109:9:109:14 | arg | test.swift:110:12:110:12 | arg | test.swift:114:12:114:22 | call to ... |
@@ -835,3 +864,6 @@ subpaths
 | test.swift:678:15:678:26 | ...[...] | test.swift:676:20:676:27 | call to source() | test.swift:678:15:678:26 | ...[...] | result |
 | test.swift:682:15:682:27 | ...[...] | test.swift:681:21:681:28 | call to source() | test.swift:682:15:682:27 | ...[...] | result |
 | test.swift:694:15:694:21 | ...[...] | test.swift:693:17:693:24 | call to source() | test.swift:694:15:694:21 | ...[...] | result |
+| test.swift:697:15:697:35 | ...! | test.swift:696:17:696:24 | call to source() | test.swift:697:15:697:35 | ...! | result |
+| test.swift:704:15:704:35 | ...! | test.swift:703:17:703:24 | call to source() | test.swift:704:15:704:35 | ...! | result |
+| test.swift:707:15:707:35 | ...! | test.swift:706:21:706:28 | call to source() | test.swift:707:15:707:35 | ...! | result |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
@@ -811,3 +811,22 @@
 | test.swift:693:5:693:5 | arr6 | test.swift:693:5:693:5 | &... |
 | test.swift:694:15:694:15 | [post] arr6 | test.swift:694:15:694:15 | &... |
 | test.swift:694:15:694:15 | arr6 | test.swift:694:15:694:15 | &... |
+| test.swift:696:9:696:9 | SSA def(arr7) | test.swift:697:15:697:15 | arr7 |
+| test.swift:696:9:696:9 | arr7 | test.swift:696:9:696:9 | SSA def(arr7) |
+| test.swift:696:16:696:25 | [...] | test.swift:696:9:696:9 | arr7 |
+| test.swift:697:15:697:34 | call to randomElement() | test.swift:697:15:697:35 | ...! |
+| test.swift:701:9:701:9 | SSA def(set1) | test.swift:702:15:702:15 | set1 |
+| test.swift:701:9:701:9 | set1 | test.swift:701:9:701:9 | SSA def(set1) |
+| test.swift:701:9:701:15 | ... as ... | test.swift:701:9:701:9 | set1 |
+| test.swift:701:21:701:27 | [...] | test.swift:701:9:701:15 | ... as ... |
+| test.swift:702:15:702:15 | [post] set1 | test.swift:703:5:703:5 | set1 |
+| test.swift:702:15:702:15 | set1 | test.swift:703:5:703:5 | set1 |
+| test.swift:702:15:702:34 | call to randomElement() | test.swift:702:15:702:35 | ...! |
+| test.swift:703:5:703:5 | &... | test.swift:704:15:704:15 | set1 |
+| test.swift:703:5:703:5 | [post] set1 | test.swift:703:5:703:5 | &... |
+| test.swift:703:5:703:5 | set1 | test.swift:703:5:703:5 | &... |
+| test.swift:704:15:704:34 | call to randomElement() | test.swift:704:15:704:35 | ...! |
+| test.swift:706:9:706:9 | SSA def(set2) | test.swift:707:15:707:15 | set2 |
+| test.swift:706:9:706:9 | set2 | test.swift:706:9:706:9 | SSA def(set2) |
+| test.swift:706:16:706:30 | call to Set<Element>.init(_:) | test.swift:706:9:706:9 | set2 |
+| test.swift:707:15:707:34 | call to randomElement() | test.swift:707:15:707:35 | ...! |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test.swift b/swift/ql/test/library-tests/dataflow/dataflow/test.swift
@@ -692,14 +692,17 @@ func testArray() {
     var arr6 = [1,2,3]
     arr6.insert(source(), at: 2)
     sink(arg: arr6[0]) // $ flow=693
+
+    var arr7 = [source()]
+    sink(arg: arr7.randomElement()!) // $ flow=696
 }
 
 func testSetCollections() {
     var set1: Set = [1,2,3]
     sink(arg: set1.randomElement()!)
     set1.insert(source())
-    sink(arg: set1.randomElement()!) // $ MISSING: flow=700
+    sink(arg: set1.randomElement()!) // $flow=703
 
     let set2 = Set([source()])
-    sink(arg: set2.randomElement()!) // $ MISSING: flow=703
+    sink(arg: set2.randomElement()!) // $ flow=706
 }

Original file line number	Diff line number	Diff line change
`@@ -798,6 +798,9 @@ predicate readStep(Node node1, ContentSet c, Node node2) {`
`798`	`798`	`subscript.getBase().getType() instanceof ArrayType and`
`799`	`799`	`c.isSingleton(any(Content::ArrayContent ac))`
`800`	`800`	`)`
	`801`	`+ or`
	`802`	`+ FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,`
	`803`	`+ node2.(FlowSummaryNode).getSummaryNode())`
`801`	`804`	`}`
`802`	`805`
`803`	`806`	`/**`