Merge pull request #371 from github/hvitved/dataflow/arg-sugar

Data flow: Fix bug for sugared call arguments

Author: hvitved

ruby/ql/lib/codeql/ruby/ast/Method.qll

@@ -4,7 +4,7 @@ private import internal.AST
 private import internal.TreeSitter
 
 /** A callable. */
-class Callable extends Expr, Scope, TCallable {
+class Callable extends StmtSequence, Expr, Scope, TCallable {
   /** Gets the number of parameters of this callable. */
   final int getNumberOfParameters() { result = count(this.getAParameter()) }
 

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -97,15 +97,20 @@ module LocalFlow {
   }
 }
 
-/** An argument of a call (including qualifier arguments). */
-private class Argument extends Expr {
-  private Call call;
+/** An argument of a call (including qualifier arguments, excluding block arguments). */
+private class Argument extends CfgNodes::ExprCfgNode {
+  private CfgNodes::ExprNodes::CallCfgNode call;
   private int arg;
 
-  Argument() { this = call.getArgument(arg) }
+  Argument() {
+    this = call.getArgument(arg) and
+    not this.getExpr() instanceof BlockArgument
+    or
+    this = call.getReceiver() and arg = -1
+  }
 
   /** Holds if this expression is the `i`th argument of `c`. */
-  predicate isArgumentOf(Expr c, int i) { c = call and i = arg }
+  predicate isArgumentOf(CfgNodes::ExprNodes::CallCfgNode c, int i) { c = call and i = arg }
 }
 
 /** A collection of cached types and predicates to be evaluated in the same stage. */
@@ -125,14 +130,7 @@ private module Cached {
     TNormalParameterNode(Parameter p) { not p instanceof BlockParameter } or
     TSelfParameterNode(MethodBase m) or
     TBlockParameterNode(MethodBase m) or
-    TExprPostUpdateNode(CfgNodes::ExprCfgNode n) {
-      exists(AstNode node | node = n.getNode() |
-        node instanceof Argument and
-        not node instanceof BlockArgument
-        or
-        n = any(CfgNodes::ExprNodes::CallCfgNode call).getReceiver()
-      )
-    } or
+    TExprPostUpdateNode(CfgNodes::ExprCfgNode n) { n instanceof Argument } or
     TSummaryNode(
       FlowSummaryImpl::Public::SummarizedCallable c,
       FlowSummaryImpl::Private::SummaryNodeState state
@@ -438,24 +436,18 @@ abstract class ArgumentNode extends Node {
 private module ArgumentNodes {
   /** A data-flow node that represents an explicit call argument. */
   class ExplicitArgumentNode extends ArgumentNode {
-    ExplicitArgumentNode() {
-      this.asExpr().getExpr() instanceof Argument and
-      not this.asExpr().getExpr() instanceof BlockArgument
-    }
+    Argument arg;
+
+    ExplicitArgumentNode() { this.asExpr() = arg }
 
     override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, int pos) {
-      this.asExpr() = call.getArgument(pos)
+      arg.isArgumentOf(call, pos)
     }
   }
 
   /** A data-flow node that represents the `self` argument of a call. */
-  class SelfArgumentNode extends ArgumentNode {
-    SelfArgumentNode() { this.asExpr() = any(CfgNodes::ExprNodes::CallCfgNode call).getReceiver() }
-
-    override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, int pos) {
-      this.asExpr() = call.getReceiver() and
-      pos = -1
-    }
+  class SelfArgumentNode extends ExplicitArgumentNode {
+    SelfArgumentNode() { arg.isArgumentOf(_, -1) }
   }
 
   /** A data-flow node that represents a block argument. */
@@ -522,8 +514,8 @@ private module ReturnNodes {
   }
 
   /**
-   * A data-flow node that represents an expression returned by a callable,
-   * either using an explict `return` statement or as the expression of a method body.
+   * A data-flow node that represents an expression explicitly returned by
+   * a callable.
    */
   class ExplicitReturnNode extends ReturningNode, ReturningStatementNode {
     ExplicitReturnNode() {
@@ -539,11 +531,25 @@ private module ReturnNodes {
     }
   }
 
+  pragma[noinline]
+  private AstNode implicitReturn(Callable c, ExprNode n) {
+    exists(CfgNodes::ExprCfgNode en |
+      en = n.getExprNode() and
+      en.getASuccessor().(CfgNodes::AnnotatedExitNode).isNormal() and
+      n.(NodeImpl).getCfgScope() = c and
+      result = en.getExpr()
+    )
+    or
+    result = implicitReturn(c, n).getParent()
+  }
+
+  /**
+   * A data-flow node that represents an expression implicitly returned by
+   * a callable. An implicit return happens when an expression can be the
+   * last thing that is evaluated in the body of the callable.
+   */
   class ExprReturnNode extends ReturningNode, ExprNode {
-    ExprReturnNode() {
-      this.getExprNode().getASuccessor().(CfgNodes::AnnotatedExitNode).isNormal() and
-      this.(NodeImpl).getCfgScope() instanceof Callable
-    }
+    ExprReturnNode() { exists(Callable c | implicitReturn(c, this) = c.getAStmt()) }
 
     override ReturnKind getKind() { result instanceof NormalReturnKind }
   }

ruby/ql/test/library-tests/dataflow/local/Nodes.expected

@@ -0,0 +1,40 @@
+ret
+| local_dataflow.rb:6:3:6:14 | ... = ... |
+| local_dataflow.rb:32:14:32:21 | "method" |
+| local_dataflow.rb:36:6:36:13 | return |
+| local_dataflow.rb:38:3:38:13 | "reachable" |
+| local_dataflow.rb:43:6:43:13 | return |
+| local_dataflow.rb:45:3:45:10 | return |
+| local_dataflow.rb:50:3:50:13 | next |
+| local_dataflow.rb:51:3:51:15 | break |
+| local_dataflow.rb:52:3:52:10 | "normal" |
+arg
+| local_dataflow.rb:3:8:3:10 | self | local_dataflow.rb:3:8:3:10 | call to p | -1 |
+| local_dataflow.rb:3:10:3:10 | a | local_dataflow.rb:3:8:3:10 | call to p | 0 |
+| local_dataflow.rb:6:8:6:8 | a | local_dataflow.rb:6:10:6:11 | ... + ... | -1 |
+| local_dataflow.rb:6:13:6:13 | b | local_dataflow.rb:6:10:6:11 | ... + ... | 0 |
+| local_dataflow.rb:9:9:9:15 | Array | local_dataflow.rb:9:9:9:15 | call to [] | -1 |
+| local_dataflow.rb:9:10:9:10 | 1 | local_dataflow.rb:9:9:9:15 | call to [] | 0 |
+| local_dataflow.rb:9:12:9:12 | 2 | local_dataflow.rb:9:9:9:15 | call to [] | 1 |
+| local_dataflow.rb:9:14:9:14 | 3 | local_dataflow.rb:9:9:9:15 | call to [] | 2 |
+| local_dataflow.rb:11:1:11:2 | self | local_dataflow.rb:11:1:11:2 | call to do | -1 |
+| local_dataflow.rb:12:3:12:5 | self | local_dataflow.rb:12:3:12:5 | call to p | -1 |
+| local_dataflow.rb:12:5:12:5 | x | local_dataflow.rb:12:3:12:5 | call to p | 0 |
+| local_dataflow.rb:20:6:20:6 | x | local_dataflow.rb:20:6:20:10 | ... > ... | -1 |
+| local_dataflow.rb:20:10:20:10 | 1 | local_dataflow.rb:20:6:20:10 | ... > ... | 0 |
+| local_dataflow.rb:35:6:35:6 | x | local_dataflow.rb:35:6:35:11 | ... == ... | -1 |
+| local_dataflow.rb:35:11:35:11 | 4 | local_dataflow.rb:35:6:35:11 | ... == ... | 0 |
+| local_dataflow.rb:42:6:42:6 | x | local_dataflow.rb:42:6:42:11 | ... == ... | -1 |
+| local_dataflow.rb:42:11:42:11 | 4 | local_dataflow.rb:42:6:42:11 | ... == ... | 0 |
+| local_dataflow.rb:49:1:53:3 | self | local_dataflow.rb:49:1:53:3 | call to m | -1 |
+| local_dataflow.rb:49:3:53:3 | do ... end | local_dataflow.rb:49:1:53:3 | call to m | -2 |
+| local_dataflow.rb:50:18:50:18 | x | local_dataflow.rb:50:18:50:22 | ... < ... | -1 |
+| local_dataflow.rb:50:22:50:22 | 4 | local_dataflow.rb:50:18:50:22 | ... < ... | 0 |
+| local_dataflow.rb:51:20:51:20 | x | local_dataflow.rb:51:20:51:24 | ... < ... | -1 |
+| local_dataflow.rb:51:24:51:24 | 9 | local_dataflow.rb:51:20:51:24 | ... < ... | 0 |
+| local_dataflow.rb:55:1:55:14 | self | local_dataflow.rb:55:1:55:14 | call to foo | -1 |
+| local_dataflow.rb:55:5:55:13 | Array | local_dataflow.rb:55:5:55:13 | call to [] | -1 |
+| local_dataflow.rb:55:5:55:13 | call to [] | local_dataflow.rb:55:1:55:14 | call to foo | 0 |
+| local_dataflow.rb:55:6:55:6 | 1 | local_dataflow.rb:55:5:55:13 | call to [] | 0 |
+| local_dataflow.rb:55:9:55:9 | 2 | local_dataflow.rb:55:5:55:13 | call to [] | 1 |
+| local_dataflow.rb:55:12:55:12 | 3 | local_dataflow.rb:55:5:55:13 | call to [] | 2 |

ruby/ql/test/library-tests/dataflow/local/Nodes.ql

@@ -0,0 +1,7 @@
+import ruby
+import codeql.ruby.dataflow.internal.DataFlowPrivate
+import codeql.ruby.dataflow.internal.DataFlowDispatch
+
+query predicate ret(ReturningNode node) { any() }
+
+query predicate arg(ArgumentNode n, DataFlowCall call, int pos) { n.argumentOf(call, pos) }

ruby/ql/test/library-tests/dataflow/local/ReturnNodes.expected

@@ -51,3 +51,8 @@ def m x
   break "break" if x < 9
   "normal"
 end
+
+foo([1, 2, 3])
+
+def foo x
+end