Swift: add DataFlow::Content for arrays

Author: rdmarsh2

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -8,6 +8,7 @@ private import codeql.swift.controlflow.BasicBlocks
 private import codeql.swift.dataflow.FlowSummary as FlowSummary
 private import codeql.swift.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import codeql.swift.frameworks.StandardLibrary.PointerTypes
+private import codeql.swift.frameworks.StandardLibrary.ArrayType
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallable() }
@@ -245,7 +246,8 @@ private module Cached {
   newtype TContent =
     TFieldContent(FieldDecl f) or
     TTupleContent(int index) { exists(any(TupleExpr te).getElement(index)) } or
-    TEnumContent(ParamDecl f) { exists(EnumElementDecl d | d.getAParam() = f) }
+    TEnumContent(ParamDecl f) { exists(EnumElementDecl d | d.getAParam() = f) } or
+    TArrayContent()
 }
 
 /**
@@ -689,6 +691,19 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
     node2 = node1 and // TODO: again, we should ideally have a separate Node case here, and not reuse the CallExpr
     c instanceof OptionalSomeContentSet and
     init.isFailable()
+  ) or
+  // creation of an array `[v1,v2]`
+  exists(ArrayExpr arr |
+    node1.asExpr() = arr.getAnElement() and
+    node2.asExpr() = arr and
+    c.isSingleton(any(Content::ArrayContent ac))
+  ) or
+  // array assignment `a[n] = x`
+  exists(AssignExpr assign, SubscriptExpr subscript |
+    node1.asExpr() = assign.getSource() and
+    node2.(PostUpdateNode).getPreUpdateNode().asExpr() = subscript.getBase() and
+    subscript = assign.getDest() and
+    subscript.getBase().getType().(InOutType).getObjectType() instanceof ArrayType
   )
   or
   FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(), c,
@@ -754,6 +769,14 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     not exists(component.getNextComponent()) and
     node2.(KeyPathReturnNodeImpl).getKeyPathExpr() = component.getKeyPathExpr()
   )
+  or
+  // read of an array member via subscript operator
+  exists(SubscriptExpr subscript |
+    subscript.getBase() = node1.asExpr() and
+    subscript = node2.asExpr() and
+    subscript.getBase().getType().(InOutType).getObjectType() instanceof ArrayType and
+    c.isSingleton(any(Content::ArrayContent ac))
+  )
 }
 
 /**

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll

@@ -206,6 +206,10 @@ module Content {
       exists(EnumElementDecl d, int pos | d.getParam(pos) = p | result = d.toString() + ":" + pos)
     }
   }
+
+  class ArrayContent extends Content, TArrayContent {
+    override string toString() { result = "Array element"}
+  }
 }
 
 /**

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/ArrayType.qll

@@ -0,0 +1,7 @@
+import swift
+
+class ArrayType extends BoundGenericType {
+    ArrayType() {
+        this.getName().matches("Array<%")
+    }
+}

swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected

@@ -274,6 +274,12 @@ edges
 | test.swift:628:9:628:16 | call to source() | test.swift:631:15:631:15 | x |
 | test.swift:630:10:630:11 | &... | test.swift:630:14:630:15 | [post] &... |
 | test.swift:630:14:630:15 | [post] &... | test.swift:632:15:632:15 | y |
+| test.swift:638:5:638:5 | [post] &... [Array element] | test.swift:639:15:639:15 | &... [Array element] |
+| test.swift:638:15:638:22 | call to source() | test.swift:638:5:638:5 | [post] &... [Array element] |
+| test.swift:639:15:639:15 | &... [Array element] | test.swift:639:15:639:21 | ...[...] |
+| test.swift:641:16:641:25 | [...] [Array element] | test.swift:642:15:642:15 | &... [Array element] |
+| test.swift:641:17:641:24 | call to source() | test.swift:641:16:641:25 | [...] [Array element] |
+| test.swift:642:15:642:15 | &... [Array element] | test.swift:642:15:642:21 | ...[...] |
 nodes
 | file://:0:0:0:0 | .a [x] | semmle.label | .a [x] |
 | file://:0:0:0:0 | .str | semmle.label | .str |
@@ -574,6 +580,14 @@ nodes
 | test.swift:630:14:630:15 | [post] &... | semmle.label | [post] &... |
 | test.swift:631:15:631:15 | x | semmle.label | x |
 | test.swift:632:15:632:15 | y | semmle.label | y |
+| test.swift:638:5:638:5 | [post] &... [Array element] | semmle.label | [post] &... [Array element] |
+| test.swift:638:15:638:22 | call to source() | semmle.label | call to source() |
+| test.swift:639:15:639:15 | &... [Array element] | semmle.label | &... [Array element] |
+| test.swift:639:15:639:21 | ...[...] | semmle.label | ...[...] |
+| test.swift:641:16:641:25 | [...] [Array element] | semmle.label | [...] [Array element] |
+| test.swift:641:17:641:24 | call to source() | semmle.label | call to source() |
+| test.swift:642:15:642:15 | &... [Array element] | semmle.label | &... [Array element] |
+| test.swift:642:15:642:21 | ...[...] | semmle.label | ...[...] |
 subpaths
 | test.swift:75:21:75:22 | &... | test.swift:65:16:65:28 | arg1 | test.swift:65:1:70:1 | arg2[return] | test.swift:75:31:75:32 | [post] &... |
 | test.swift:114:19:114:19 | arg | test.swift:109:9:109:14 | arg | test.swift:110:12:110:12 | arg | test.swift:114:12:114:22 | call to ... |
@@ -688,3 +702,5 @@ subpaths
 | test.swift:626:15:626:15 | y | test.swift:618:13:618:20 | call to source() | test.swift:626:15:626:15 | y | result |
 | test.swift:631:15:631:15 | x | test.swift:628:9:628:16 | call to source() | test.swift:631:15:631:15 | x | result |
 | test.swift:632:15:632:15 | y | test.swift:628:9:628:16 | call to source() | test.swift:632:15:632:15 | y | result |
+| test.swift:639:15:639:21 | ...[...] | test.swift:638:15:638:22 | call to source() | test.swift:639:15:639:21 | ...[...] | result |
+| test.swift:642:15:642:21 | ...[...] | test.swift:641:17:641:24 | call to source() | test.swift:642:15:642:21 | ...[...] | result |

swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected

@@ -685,3 +685,17 @@
 | test.swift:630:14:630:15 | &... | test.swift:632:15:632:15 | y |
 | test.swift:630:14:630:15 | [post] &... | test.swift:632:15:632:15 | y |
 | test.swift:630:15:630:15 | y | test.swift:630:14:630:15 | &... |
+| test.swift:636:9:636:9 | SSA def(arr1) | test.swift:637:15:637:15 | arr1 |
+| test.swift:636:9:636:9 | arr1 | test.swift:636:9:636:9 | SSA def(arr1) |
+| test.swift:636:16:636:22 | [...] | test.swift:636:9:636:9 | arr1 |
+| test.swift:637:15:637:15 | &... | test.swift:638:5:638:5 | arr1 |
+| test.swift:637:15:637:15 | [post] &... | test.swift:638:5:638:5 | arr1 |
+| test.swift:637:15:637:15 | arr1 | test.swift:637:15:637:15 | &... |
+| test.swift:638:5:638:5 | &... | test.swift:639:15:639:15 | arr1 |
+| test.swift:638:5:638:5 | [post] &... | test.swift:639:15:639:15 | arr1 |
+| test.swift:638:5:638:5 | arr1 | test.swift:638:5:638:5 | &... |
+| test.swift:639:15:639:15 | arr1 | test.swift:639:15:639:15 | &... |
+| test.swift:641:9:641:9 | SSA def(arr2) | test.swift:642:15:642:15 | arr2 |
+| test.swift:641:9:641:9 | arr2 | test.swift:641:9:641:9 | SSA def(arr2) |
+| test.swift:641:16:641:25 | [...] | test.swift:641:9:641:9 | arr2 |
+| test.swift:642:15:642:15 | arr2 | test.swift:642:15:642:15 | &... |

swift/ql/test/library-tests/dataflow/dataflow/test.swift

@@ -1,5 +1,5 @@
 func source() -> Int { return 0; }
-func sink(arg: Int) {}
+func sink<T>(arg: T) {}
 
 func intraprocedural_with_local_flow() -> Void {
     var t2: Int
@@ -631,3 +631,18 @@ func testSwap() {
     sink(arg: x) // $ SPURIOUS: flow=628
     sink(arg: y) // $ flow=628
 }
+
+func testArray() {
+    var arr1 = [1,2,3]
+    sink(arg: arr1[0])
+    arr1[1] = source()
+    sink(arg: arr1[0]) // $ flow=638
+    sink(arg: arr1)
+
+    var arr2 = [source()]
+    sink(arg: arr2[0]) // $ flow=642
+
+    var matrix = [[source()]]
+    sink(arg: matrix[0])
+    sink(arg: matrix[0][0]) // $ flow=645
+}