Go: implement conservative cross-thread dataflow

smowton · smowton · commit 2abd1f77f401 · 2022-08-10T12:44:12.000+01:00
Steps into captured variables are moved into jumpStep where they always should have been, and the store/load step implementation for channels is completed.

For the time being this takes a very conservative approach to identify channels that are likely connected: if there is exactly one receive site and one send site for a field, the two are presumed connected.
diff --git a/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll b/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll
@@ -166,11 +166,21 @@ module ControlFlow {
       )
     }
 
+    /**
+     * Holds if this node writes `rhs` to `channel`.
+     */
+    predicate writesToChannel(DataFlow::Node channel, DataFlow::Node rhs) {
+      exists(SendStmt send |
+        send.getChannel() = channel.(DataFlow::ExprNode).asExpr() and
+        send.getValue() = rhs.(DataFlow::ExprNode).asExpr()
+      )
+    }
+
     /**
      * Holds if this node sets any field or element of `base` to `rhs`.
      */
     predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) {
-      writesElement(base, _, rhs) or writesField(base, _, rhs)
+      writesElement(base, _, rhs) or writesField(base, _, rhs) or writesToChannel(base, rhs)
     }
   }
 
diff --git a/go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll b/go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll
@@ -24,9 +24,7 @@ predicate containerStoreStep(Node node1, Node node2, Content c) {
   )
   or
   c instanceof CollectionContent and
-  exists(SendStmt send |
-    send.getChannel() = node2.(ExprNode).asExpr() and send.getValue() = node1.(ExprNode).asExpr()
-  )
+  exists(Write w | w.writesToChannel(node2, node1))
   or
   c instanceof MapKeyContent and
   node2.getType() instanceof MapType and
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll
@@ -634,9 +634,7 @@ module Public {
     predicate isReceiverOf(MethodDecl m) { parm.isReceiverOf(m) }
   }
 
-  private Node getADirectlyWrittenNode() {
-    exists(Write w | w.writesField(result, _, _) or w.writesElement(result, _, _))
-  }
+  private Node getADirectlyWrittenNode() { exists(Write w | w.writesComponent(result, _)) }
 
   private DataFlow::Node getAccessPathPredecessor(DataFlow::Node node) {
     result = node.(PointerDereferenceNode).getOperand()
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
@@ -70,10 +70,7 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) {
   )
   or
   // SSA -> SSA
-  exists(SsaDefinition pred, SsaDefinition succ |
-    succ.(SsaVariableCapture).getSourceVariable() = pred.(SsaExplicitDefinition).getSourceVariable() or
-    succ.(SsaPseudoDefinition).getAnInput() = pred
-  |
+  exists(SsaDefinition pred, SsaPseudoDefinition succ | succ.getAnInput() = pred |
     nodeFrom = ssaNode(pred) and
     nodeTo = ssaNode(succ)
   )
@@ -90,6 +87,12 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) {
     any(GlobalFunctionNode fn | fn.getFunction() = nodeTo.asExpr().(FunctionName).getTarget())
 }
 
+pragma[noinline]
+private Field getASparselyUsedChannelTypedField() {
+  result.getType() instanceof ChanType and
+  count(result.getARead()) = 2
+}
+
 /**
  * Holds if data can flow from `node1` to `node2` in a way that loses the
  * calling context. For example, this would happen with flow through a
@@ -102,6 +105,27 @@ predicate jumpStep(Node n1, Node n2) {
     w.writes(v, n1) and
     n2 = v.getARead()
   )
+  or
+  exists(SsaDefinition pred, SsaDefinition succ |
+    succ.(SsaVariableCapture).getSourceVariable() = pred.(SsaExplicitDefinition).getSourceVariable()
+  |
+    n1 = ssaNode(pred) and
+    n2 = ssaNode(succ)
+  )
+  or
+  // If a channel-typed field is referenced exactly once in the context of
+  // a send statement and once in a receive expression, assume the two are linked.
+  exists(
+    Field f, DataFlow::ReadNode recvRead, DataFlow::ReadNode sendRead, RecvExpr re, SendStmt ss
+  |
+    f = getASparselyUsedChannelTypedField() and
+    recvRead = f.getARead() and
+    sendRead = f.getARead() and
+    recvRead.asExpr() = re.getOperand() and
+    sendRead.asExpr() = ss.getChannel() and
+    n1.(DataFlow::PostUpdateNode).getPreUpdateNode() = sendRead and
+    n2 = recvRead
+  )
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -166,11 +166,21 @@ module ControlFlow {`
`166`	`166`	`)`
`167`	`167`	`}`
`168`	`168`
	`169`	`+ /**`
	`170`	+ * Holds if this node writes `rhs` to `channel`.
	`171`	`+ */`
	`172`	`+ predicate writesToChannel(DataFlow::Node channel, DataFlow::Node rhs) {`
	`173`	`+ exists(SendStmt send \|`
	`174`	`+ send.getChannel() = channel.(DataFlow::ExprNode).asExpr() and`
	`175`	`+ send.getValue() = rhs.(DataFlow::ExprNode).asExpr()`
	`176`	`+ )`
	`177`	`+ }`
	`178`	`+`
`169`	`179`	`/**`
`170`	`180`	* Holds if this node sets any field or element of `base` to `rhs`.
`171`	`181`	`*/`
`172`	`182`	`predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) {`
`173`		`- writesElement(base, _, rhs) or writesField(base, _, rhs)`
	`183`	`+ writesElement(base, _, rhs) or writesField(base, _, rhs) or writesToChannel(base, rhs)`
`174`	`184`	`}`
`175`	`185`	`}`
`176`	`186`
Original file line number	Diff line number	Diff line change
`@@ -634,9 +634,7 @@ module Public {`
`634`	`634`	`predicate isReceiverOf(MethodDecl m) { parm.isReceiverOf(m) }`
`635`	`635`	`}`
`636`	`636`
`637`		`- private Node getADirectlyWrittenNode() {`
`638`		`- exists(Write w \| w.writesField(result, _, _) or w.writesElement(result, _, _))`
`639`		`- }`
	`637`	`+ private Node getADirectlyWrittenNode() { exists(Write w \| w.writesComponent(result, _)) }`
`640`	`638`
`641`	`639`	`private DataFlow::Node getAccessPathPredecessor(DataFlow::Node node) {`
`642`	`640`	`result = node.(PointerDereferenceNode).getOperand()`