PS: Add initial parameter definitions.

MathiasVP · MathiasVP · commit a6a157a476a6 · 2024-09-16T13:33:56.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/VariableExpression.qll b/powershell/ql/lib/semmle/code/powershell/VariableExpression.qll
@@ -34,18 +34,24 @@ class VarAccess extends @variable_expression, Expr {
   Variable getVariable() { result.getAnAccess() = this }
 }
 
-private predicate isVariableWriteAccess(Expr e) {
-  e = any(AssignStmt assign).getLeftHandSide()
+private predicate isExplicitVariableWriteAccess(Expr e, AssignStmt assign) {
+  e = assign.getLeftHandSide()
   or
-  e = any(ConvertExpr convert | isVariableWriteAccess(convert)).getExpr()
+  e = any(ConvertExpr convert | isExplicitVariableWriteAccess(convert, assign)).getExpr()
   or
-  e = any(ArrayLiteral array | isVariableWriteAccess(array)).getAnElement()
+  e = any(ArrayLiteral array | isExplicitVariableWriteAccess(array, assign)).getAnElement()
 }
 
+private predicate isImplicitVariableWriteAccess(Expr e) { none() }
+
 class VarReadAccess extends VarAccess {
   VarReadAccess() { not this instanceof VarWriteAccess }
 }
 
 class VarWriteAccess extends VarAccess {
-  VarWriteAccess() { isVariableWriteAccess(this) }
+  VarWriteAccess() { isExplicitVariableWriteAccess(this, _) or isImplicitVariableWriteAccess(this) }
+
+  predicate isExplicit(AssignStmt assign) { isExplicitVariableWriteAccess(this, assign) }
+
+  predicate isImplicit() { isImplicitVariableWriteAccess(this) }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
@@ -163,6 +163,8 @@ module ExprNodes {
     predicate isExplicitWrite(StmtNodes::AssignStmtCfgNode assignment) {
       this = assignment.getLeftHandSide()
     }
+
+    predicate isImplicitWrite() { e.isImplicit() }
   }
 }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/Ssa.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/Ssa.qll
@@ -103,6 +103,21 @@ module Ssa {
     final override Location getLocation() { result = write.getLocation() }
   }
 
+  class ParameterDefinition extends Definition, SsaImpl::WriteDefinition {
+    private Variable v;
+
+    ParameterDefinition() {
+      exists(BasicBlock bb, int i |
+        this.definesAt(v, bb, i) and
+        SsaImpl::parameterWrite(bb, i, v)
+      )
+    }
+
+    final override string toString() { result = "<parameter> " + v }
+
+    final override Location getLocation() { result = v.getLocation() }
+  }
+
   /**
    * An SSA definition inserted at the beginning of a scope to represent an
    * uninitialized local variable.
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/SsaImpl.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/SsaImpl.qll
@@ -29,6 +29,8 @@ module SsaInput implements SsaImplCommon::InputSig<Location> {
     (
       uninitializedWrite(bb, i, v)
       or
+      parameterWrite(bb, i, v)
+      or
       variableWriteActual(bb, i, v, _)
     ) and
     certain = true
@@ -58,6 +60,39 @@ predicate uninitializedWrite(Cfg::EntryBasicBlock bb, int i, LocalVariable v) {
   i = -1
 }
 
+/**
+ * Gets index of `p` in a version of the enclosing function where the parameter
+ * list is reversed.
+ *
+ * For example, given
+ * ```ps
+ * function f($a, $b) { ... }
+ * ```
+ * the inverted index of `$a` is 1, and the inverted index of `$b` is 0.
+ */
+private int getInvertedIndex(Parameter p) {
+  exists(int i |
+    p.getIndex() = i or
+    p.hasParameterBlock(_, i)
+  |
+    result = p.getFunction().getNumberOfParameters() - i - 1
+  )
+}
+
+/**
+ * Holds if the the SSA definition of `p` should be placed at index `i` in
+ * block `bb`. Note that the index may be negative.
+ */
+predicate parameterWrite(Cfg::EntryBasicBlock bb, int i, Parameter p) {
+  exists(Function f |
+    f.getEntryBasicBlock() = bb and
+    p.getFunction() = f and
+    // If the enclosing function has 2 parameters we map the index of parameter
+    // 0 to -2, the index of parameter 1 to -1.
+    i = -getInvertedIndex(p) - 1
+  )
+}
+
 /** Holds if `v` is read at index `i` in basic block `bb`. */
 private predicate variableReadActual(Cfg::BasicBlock bb, int i, LocalScopeVariable v) {
   exists(VarReadAccess read |
@@ -159,6 +194,9 @@ private module Cached {
       n = bb.getNode(i)
     |
       write.isExplicitWrite(n)
+      or
+      write.isImplicitWrite() and
+      n = write
     )
   }
 
@@ -281,19 +319,20 @@ class PhiReadNode extends DefinitionExt, Impl::PhiReadNode {
   override Location getLocation() { result = Impl::PhiReadNode.super.getLocation() }
 }
 
-abstract class NormalParameter extends Parameter { }
-
 /** Gets the SSA definition node corresponding to parameter `p`. */
 pragma[nomagic]
 DefinitionExt getParameterDef(Parameter p) {
-  none() // TODO
+  exists(Cfg::EntryBasicBlock bb, int i |
+    parameterWrite(bb, i, p) and
+    result.definesAt(p, bb, i, _)
+  )
 }
 
-private newtype TParameterExt = TNormalParameter(NormalParameter p)
+private newtype TParameterExt = TNormalParameter(Parameter p)
 
 /** A normal parameter or an implicit `self` parameter. */
 class ParameterExt extends TParameterExt {
-  NormalParameter asParameter() { this = TNormalParameter(result) }
+  Parameter asParameter() { this = TNormalParameter(result) }
 
   predicate isInitializedBy(WriteDefinition def) { def = getParameterDef(this.asParameter()) }
 

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,8 @@ module ExprNodes {`
`163`	`163`	`predicate isExplicitWrite(StmtNodes::AssignStmtCfgNode assignment) {`
`164`	`164`	`this = assignment.getLeftHandSide()`
`165`	`165`	`}`
	`166`	`+`
	`167`	`+ predicate isImplicitWrite() { e.isImplicit() }`
`166`	`168`	`}`
`167`	`169`	`}`
`168`	`170`