github
diff --git a/‎swift/codegen/generators/qlgen.py
Lines changed: 5 additions & 1 deletion b/‎swift/codegen/generators/qlgen.py
Lines changed: 5 additions & 1 deletion
diff --git a/‎swift/codegen/schema.yml
Lines changed: 8 additions & 3 deletions b/‎swift/codegen/schema.yml
Lines changed: 8 additions & 3 deletions
diff --git a/‎swift/ql/lib/codeql/swift/controlflow/internal/ControlFlowGraphImpl.qll
Lines changed: 17 additions & 9 deletions b/‎swift/ql/lib/codeql/swift/controlflow/internal/ControlFlowGraphImpl.qll
Lines changed: 17 additions & 9 deletions
diff --git a/‎swift/ql/lib/codeql/swift/dataflow/Ssa.qll
Lines changed: 2 additions & 2 deletions b/‎swift/ql/lib/codeql/swift/dataflow/Ssa.qll
Lines changed: 2 additions & 2 deletions
diff --git a/‎swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImplSpecific.qll
Lines changed: 1 addition & 3 deletions b/‎swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImplSpecific.qll
Lines changed: 1 addition & 3 deletions
diff --git a/‎swift/ql/lib/codeql/swift/dataflow/internal/SsaImplSpecific.qll
Lines changed: 3 additions & 3 deletions b/‎swift/ql/lib/codeql/swift/dataflow/internal/SsaImplSpecific.qll
Lines changed: 3 additions & 3 deletions
diff --git a/‎swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll
Lines changed: 4 additions & 5 deletions b/‎swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll
Lines changed: 4 additions & 5 deletions
diff --git a/‎swift/ql/lib/codeql/swift/elements.qll
Lines changed: 1 addition & 0 deletions b/‎swift/ql/lib/codeql/swift/elements.qll
Lines changed: 1 addition & 0 deletions
diff --git a/‎swift/ql/lib/codeql/swift/elements/expr/ApplyExpr.qll
Lines changed: 25 additions & 1 deletion b/‎swift/ql/lib/codeql/swift/elements/expr/ApplyExpr.qll
Lines changed: 25 additions & 1 deletion
diff --git a/‎swift/ql/lib/codeql/swift/elements/expr/ArithmeticOperation.qll
Lines changed: 6 additions & 6 deletions b/‎swift/ql/lib/codeql/swift/elements/expr/ArithmeticOperation.qll
Lines changed: 6 additions & 6 deletions
@@ -275,21 +275,25 @@ def generate(opts, renderer):
     non_final_ipa_types = []
     constructor_imports = []
     ipa_constructor_imports = []
+    stubs = {}
     for cls in sorted(data.classes.values(), key=lambda cls: (cls.dir, cls.name)):
         ipa_type = get_ql_ipa_class(cls)
         if ipa_type.is_final:
             final_ipa_types.append(ipa_type)
             if ipa_type.has_params:
                 stub_file = stub_out / cls.dir / f"{cls.name}Constructor.qll"
                 if not stub_file.is_file() or _is_generated_stub(stub_file):
-                    renderer.render(ql.Synth.ConstructorStub(ipa_type), stub_file)
+                    # stub rendering must be postponed as we might not have yet all subtracted ipa types in `ipa_type`
+                    stubs[stub_file] = ql.Synth.ConstructorStub(ipa_type)
                 constructor_import = get_import(stub_file, opts.swift_dir)
                 constructor_imports.append(constructor_import)
                 if ipa_type.is_ipa:
                     ipa_constructor_imports.append(constructor_import)
         else:
             non_final_ipa_types.append(ipa_type)
 
+    for stub_file, data in stubs.items():
+        renderer.render(data, stub_file)
     renderer.render(ql.Synth.Types(schema.root_class_name, final_ipa_types, non_final_ipa_types), out / "Synth.qll")
     renderer.render(ql.ImportList(constructor_imports), out / "SynthConstructors.qll")
     renderer.render(ql.ImportList(ipa_constructor_imports), out / "PureSynthConstructors.qll")
 
@@ -419,7 +419,7 @@ DotSyntaxBaseIgnoredExpr:
 DynamicTypeExpr:
   _extends: Expr
   _children:
-    base_expr: Expr
+    base: Expr
 
 EditorPlaceholderExpr:
   _extends: Expr
@@ -492,7 +492,7 @@ LiteralExpr:
 LookupExpr:
   _extends: Expr
   _children:
-    base_expr: Expr
+    base: Expr
   member: Decl?
 
 MakeTemporarilyEscapableExpr:
@@ -835,7 +835,7 @@ PrefixUnaryExpr:
 SelfApplyExpr:
   _extends: ApplyExpr
   _children:
-    base_expr: Expr
+    base: Expr
 
 ArrayExpr:
   _extends: CollectionExpr
@@ -990,6 +990,11 @@ MemberRefExpr:
   has_direct_to_implementation_semantics: predicate
   has_ordinary_semantics: predicate
 
+MethodRefExpr:
+  _extends: LookupExpr
+  _synth:
+    from: DotSyntaxCallExpr
+
 SubscriptExpr:
   _extends:
     - LookupExpr
 
@@ -1206,13 +1206,13 @@ module Exprs {
     override SubscriptExpr ast;
 
     final override predicate propagatesAbnormal(ControlFlowElement child) {
-      child.asAstNode() = ast.getBaseExpr().getFullyConverted()
+      child.asAstNode() = ast.getBase().getFullyConverted()
       or
       child.asAstNode() = ast.getAnArgument().getExpr().getFullyConverted()
     }
 
     final override predicate first(ControlFlowElement first) {
-      astFirst(ast.getBaseExpr().getFullyConverted(), first)
+      astFirst(ast.getBase().getFullyConverted(), first)
     }
 
     final override predicate last(ControlFlowElement last, Completion c) {
@@ -1230,7 +1230,7 @@ module Exprs {
     }
 
     override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
-      astLast(ast.getBaseExpr().getFullyConverted(), pred, c) and
+      astLast(ast.getBase().getFullyConverted(), pred, c) and
       c instanceof NormalCompletion and
       astFirst(ast.getFirstArgument().getExpr().getFullyConverted(), succ)
       or
@@ -1296,7 +1296,7 @@ module Exprs {
     override DynamicTypeExpr ast;
 
     final override ControlFlowElement getChildElement(int i) {
-      result.asAstNode() = ast.getBaseExpr().getFullyConverted() and i = 0
+      result.asAstNode() = ast.getBase().getFullyConverted() and i = 0
     }
   }
 
@@ -1427,6 +1427,14 @@ module Exprs {
     }
   }
 
+  class MethodRefExprTree extends AstStandardPreOrderTree {
+    override MethodRefExpr ast;
+
+    override ControlFlowElement getChildElement(int i) {
+      i = 0 and result.asAstNode() = ast.getBase().getFullyConverted()
+    }
+  }
+
   module MemberRefs {
     /**
      * The control-flow of a member reference expression.
@@ -1439,11 +1447,11 @@ module Exprs {
       override MemberRefExpr ast;
 
       final override predicate propagatesAbnormal(ControlFlowElement child) {
-        child.asAstNode() = ast.getBaseExpr().getFullyConverted()
+        child.asAstNode() = ast.getBase().getFullyConverted()
       }
 
       final override predicate first(ControlFlowElement first) {
-        astFirst(ast.getBaseExpr().getFullyConverted(), first)
+        astFirst(ast.getBase().getFullyConverted(), first)
       }
     }
 
@@ -1459,7 +1467,7 @@ module Exprs {
       }
 
       override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
-        astLast(ast.getBaseExpr().getFullyConverted(), pred, c) and
+        astLast(ast.getBase().getFullyConverted(), pred, c) and
         c instanceof NormalCompletion and
         succ.asAstNode() = ast
       }
@@ -1489,7 +1497,7 @@ module Exprs {
       }
 
       override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
-        astLast(ast.getBaseExpr().getFullyConverted(), pred, c) and
+        astLast(ast.getBase().getFullyConverted(), pred, c) and
         c instanceof NormalCompletion and
         succ.asAstNode() = ast
       }
@@ -1510,7 +1518,7 @@ module Exprs {
       }
 
       override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
-        astLast(ast.getBaseExpr().getFullyConverted(), pred, c) and
+        astLast(ast.getBase().getFullyConverted(), pred, c) and
         c instanceof NormalCompletion and
         isPropertyGetterElement(succ, accessor, ast)
       }
 
@@ -86,11 +86,11 @@ module Ssa {
     predicate isInoutDef(ExprCfgNode argument) {
       // TODO: This should probably not be only `ExprCfgNode`s.
       exists(
-        ApplyExpr c, BasicBlock bb, int blockIndex, int argIndex, VarDecl v, InOutExpr argExpr // TODO: use CFG node for assignment expr
+        ApplyExpr c, BasicBlock bb, int blockIndex, VarDecl v, InOutExpr argExpr // TODO: use CFG node for assignment expr
       |
         this.definesAt(v, bb, blockIndex) and
         bb.getNode(blockIndex).getNode().asAstNode() = c and
-        c.getArgument(argIndex).getExpr() = argExpr and
+        [c.getAnArgument().getExpr(), c.getQualifier()] = argExpr and
         argExpr = argument.getNode().asAstNode() and
         argExpr.getSubExpr() = v.getAnAccess() // TODO: fields?
       )
 
@@ -154,9 +154,7 @@ class InterpretNode extends TInterpretNode {
   DataFlowCallable asCallable() { result.getUnderlyingCallable() = this.asElement() }
 
   /** Gets the target of this call, if any. */
-  AbstractFunctionDecl getCallTarget() {
-    result = this.asCall().asCall().getFunction().(ApplyExpr).getStaticTarget()
-  }
+  AbstractFunctionDecl getCallTarget() { result = this.asCall().asCall().getStaticTarget() }
 
   /** Gets a textual representation of this node. */
   string toString() {
 
@@ -29,9 +29,9 @@ predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain)
     certain = true
   )
   or
-  exists(ApplyExpr call, Argument arg |
-    arg.getExpr().(InOutExpr).getSubExpr() = v.getAnAccess() and
-    call.getAnArgument() = arg and
+  exists(ApplyExpr call, InOutExpr expr |
+    expr = [call.getAnArgument().getExpr(), call.getQualifier()] and
+    expr.getSubExpr() = v.getAnAccess() and
     bb.getNode(i).getNode().asAstNode() = call and
     certain = false
   )
 
@@ -28,11 +28,10 @@ private module Cached {
     // appendInterpolation(&$interpolated, n)
     // appendLiteral(&$interpolated, " years old.")
     // ```
-    exists(ApplyExpr apply1, ApplyExpr apply2, ExprCfgNode e |
-      nodeFrom.asExpr() = [apply1, apply2].getAnArgument().getExpr() and
-      apply1.getFunction() = apply2 and
-      apply2.getStaticTarget().getName() = ["appendLiteral(_:)", "appendInterpolation(_:)"] and
-      e.getExpr() = apply2.getAnArgument().getExpr() and
+    exists(ApplyExpr apply, ExprCfgNode e |
+      nodeFrom.asExpr() = [apply.getAnArgument().getExpr(), apply.getQualifier()] and
+      apply.getStaticTarget().getName() = ["appendLiteral(_:)", "appendInterpolation(_:)"] and
+      e.getExpr() = [apply.getAnArgument().getExpr(), apply.getQualifier()] and
       nodeTo.asDefinition().(Ssa::WriteDefinition).isInoutDef(e)
     )
     or
 
@@ -137,6 +137,7 @@ import codeql.swift.elements.expr.MagicIdentifierLiteralExpr
 import codeql.swift.elements.expr.MakeTemporarilyEscapableExpr
 import codeql.swift.elements.expr.MemberRefExpr
 import codeql.swift.elements.expr.MetatypeConversionExpr
+import codeql.swift.elements.expr.MethodRefExpr
 import codeql.swift.elements.expr.NilLiteralExpr
 import codeql.swift.elements.expr.NumberLiteralExpr
 import codeql.swift.elements.expr.ObjCSelectorExpr
 
@@ -1,9 +1,23 @@
 private import codeql.swift.generated.expr.ApplyExpr
 private import codeql.swift.elements.decl.AbstractFunctionDecl
 private import codeql.swift.elements.expr.DeclRefExpr
+private import codeql.swift.elements.expr.MethodRefExpr
+private import codeql.swift.elements.expr.ConstructorRefCallExpr
 
 class ApplyExpr extends ApplyExprBase {
-  AbstractFunctionDecl getStaticTarget() { result = this.getFunction().(DeclRefExpr).getDecl() }
+  AbstractFunctionDecl getStaticTarget() {
+    exists(Expr f |
+      f = this.getFunction() and
+      (
+        result = f.(DeclRefExpr).getDecl()
+        or
+        result = f.(ConstructorRefCallExpr).getFunction().(DeclRefExpr).getDecl()
+      )
+    )
+  }
+
+  /** Gets the method qualifier, if this is applying a method */
+  Expr getQualifier() { none() }
 
   override string toString() {
     result = "call to " + this.getStaticTarget().toString()
@@ -12,3 +26,13 @@ class ApplyExpr extends ApplyExprBase {
     result = "call to ..."
   }
 }
+
+class MethodApplyExpr extends ApplyExpr {
+  private MethodRefExpr method;
+
+  MethodApplyExpr() { method = this.getFunction() }
+
+  override AbstractFunctionDecl getStaticTarget() { result = method.getMethod() }
+
+  override Expr getQualifier() { result = method.getBase() }
+}
@@ -48,7 +48,7 @@ class BinaryArithmeticOperation extends BinaryExpr {
  * ```
  */
 class AddExpr extends BinaryExpr {
-  AddExpr() { this.getFunction().(DotSyntaxCallExpr).getStaticTarget().getName() = "+(_:_:)" }
+  AddExpr() { this.getStaticTarget().getName() = "+(_:_:)" }
 }
 
 /**
@@ -58,7 +58,7 @@ class AddExpr extends BinaryExpr {
  * ```
  */
 class SubExpr extends BinaryExpr {
-  SubExpr() { this.getFunction().(DotSyntaxCallExpr).getStaticTarget().getName() = "-(_:_:)" }
+  SubExpr() { this.getStaticTarget().getName() = "-(_:_:)" }
 }
 
 /**
@@ -68,7 +68,7 @@ class SubExpr extends BinaryExpr {
  * ```
  */
 class MulExpr extends BinaryExpr {
-  MulExpr() { this.getFunction().(DotSyntaxCallExpr).getStaticTarget().getName() = "*(_:_:)" }
+  MulExpr() { this.getStaticTarget().getName() = "*(_:_:)" }
 }
 
 /**
@@ -78,7 +78,7 @@ class MulExpr extends BinaryExpr {
  * ```
  */
 class DivExpr extends BinaryExpr {
-  DivExpr() { this.getFunction().(DotSyntaxCallExpr).getStaticTarget().getName() = "/(_:_:)" }
+  DivExpr() { this.getStaticTarget().getName() = "/(_:_:)" }
 }
 
 /**
@@ -88,7 +88,7 @@ class DivExpr extends BinaryExpr {
  * ```
  */
 class RemExpr extends BinaryExpr {
-  RemExpr() { this.getFunction().(DotSyntaxCallExpr).getStaticTarget().getName() = "%(_:_:)" }
+  RemExpr() { this.getStaticTarget().getName() = "%(_:_:)" }
 }
 
 /**
@@ -108,5 +108,5 @@ class UnaryArithmeticOperation extends PrefixUnaryExpr {
  * ```
  */
 class UnaryMinusExpr extends PrefixUnaryExpr {
-  UnaryMinusExpr() { this.getFunction().(DotSyntaxCallExpr).getStaticTarget().getName() = "-(_:)" }
+  UnaryMinusExpr() { this.getStaticTarget().getName() = "-(_:)" }
 }
Original file line number	Diff line number	Diff line change
`@@ -1206,13 +1206,13 @@ module Exprs {`
`1206`	`1206`	`override SubscriptExpr ast;`
`1207`	`1207`
`1208`	`1208`	`final override predicate propagatesAbnormal(ControlFlowElement child) {`
`1209`		`- child.asAstNode() = ast.getBaseExpr().getFullyConverted()`
	`1209`	`+ child.asAstNode() = ast.getBase().getFullyConverted()`
`1210`	`1210`	`or`
`1211`	`1211`	`child.asAstNode() = ast.getAnArgument().getExpr().getFullyConverted()`
`1212`	`1212`	`}`
`1213`	`1213`
`1214`	`1214`	`final override predicate first(ControlFlowElement first) {`
`1215`		`- astFirst(ast.getBaseExpr().getFullyConverted(), first)`
	`1215`	`+ astFirst(ast.getBase().getFullyConverted(), first)`
`1216`	`1216`	`}`
`1217`	`1217`
`1218`	`1218`	`final override predicate last(ControlFlowElement last, Completion c) {`
`@@ -1230,7 +1230,7 @@ module Exprs {`
`1230`	`1230`	`}`
`1231`	`1231`
`1232`	`1232`	`override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {`
`1233`		`- astLast(ast.getBaseExpr().getFullyConverted(), pred, c) and`
	`1233`	`+ astLast(ast.getBase().getFullyConverted(), pred, c) and`
`1234`	`1234`	`c instanceof NormalCompletion and`
`1235`	`1235`	`astFirst(ast.getFirstArgument().getExpr().getFullyConverted(), succ)`
`1236`	`1236`	`or`
`@@ -1296,7 +1296,7 @@ module Exprs {`
`1296`	`1296`	`override DynamicTypeExpr ast;`
`1297`	`1297`
`1298`	`1298`	`final override ControlFlowElement getChildElement(int i) {`
`1299`		`- result.asAstNode() = ast.getBaseExpr().getFullyConverted() and i = 0`
	`1299`	`+ result.asAstNode() = ast.getBase().getFullyConverted() and i = 0`
`1300`	`1300`	`}`
`1301`	`1301`	`}`
`1302`	`1302`
`@@ -1427,6 +1427,14 @@ module Exprs {`
`1427`	`1427`	`}`
`1428`	`1428`	`}`
`1429`	`1429`
	`1430`	`+ class MethodRefExprTree extends AstStandardPreOrderTree {`
	`1431`	`+ override MethodRefExpr ast;`
	`1432`	`+`
	`1433`	`+ override ControlFlowElement getChildElement(int i) {`
	`1434`	`+ i = 0 and result.asAstNode() = ast.getBase().getFullyConverted()`
	`1435`	`+ }`
	`1436`	`+ }`
	`1437`	`+`
`1430`	`1438`	`module MemberRefs {`
`1431`	`1439`	`/**`
`1432`	`1440`	`* The control-flow of a member reference expression.`
`@@ -1439,11 +1447,11 @@ module Exprs {`
`1439`	`1447`	`override MemberRefExpr ast;`
`1440`	`1448`
`1441`	`1449`	`final override predicate propagatesAbnormal(ControlFlowElement child) {`
`1442`		`- child.asAstNode() = ast.getBaseExpr().getFullyConverted()`
	`1450`	`+ child.asAstNode() = ast.getBase().getFullyConverted()`
`1443`	`1451`	`}`
`1444`	`1452`
`1445`	`1453`	`final override predicate first(ControlFlowElement first) {`
`1446`		`- astFirst(ast.getBaseExpr().getFullyConverted(), first)`
	`1454`	`+ astFirst(ast.getBase().getFullyConverted(), first)`
`1447`	`1455`	`}`
`1448`	`1456`	`}`
`1449`	`1457`
`@@ -1459,7 +1467,7 @@ module Exprs {`
`1459`	`1467`	`}`
`1460`	`1468`
`1461`	`1469`	`override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {`
`1462`		`- astLast(ast.getBaseExpr().getFullyConverted(), pred, c) and`
	`1470`	`+ astLast(ast.getBase().getFullyConverted(), pred, c) and`
`1463`	`1471`	`c instanceof NormalCompletion and`
`1464`	`1472`	`succ.asAstNode() = ast`
`1465`	`1473`	`}`
`@@ -1489,7 +1497,7 @@ module Exprs {`
`1489`	`1497`	`}`
`1490`	`1498`
`1491`	`1499`	`override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {`
`1492`		`- astLast(ast.getBaseExpr().getFullyConverted(), pred, c) and`
	`1500`	`+ astLast(ast.getBase().getFullyConverted(), pred, c) and`
`1493`	`1501`	`c instanceof NormalCompletion and`
`1494`	`1502`	`succ.asAstNode() = ast`
`1495`	`1503`	`}`
`@@ -1510,7 +1518,7 @@ module Exprs {`
`1510`	`1518`	`}`
`1511`	`1519`
`1512`	`1520`	`override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {`
`1513`		`- astLast(ast.getBaseExpr().getFullyConverted(), pred, c) and`
	`1521`	`+ astLast(ast.getBase().getFullyConverted(), pred, c) and`
`1514`	`1522`	`c instanceof NormalCompletion and`
`1515`	`1523`	`isPropertyGetterElement(succ, accessor, ast)`
`1516`	`1524`	`}`
Original file line number	Diff line number	Diff line change
`@@ -86,11 +86,11 @@ module Ssa {`
`86`	`86`	`predicate isInoutDef(ExprCfgNode argument) {`
`87`	`87`	// TODO: This should probably not be only `ExprCfgNode`s.
`88`	`88`	`exists(`
`89`		`- ApplyExpr c, BasicBlock bb, int blockIndex, int argIndex, VarDecl v, InOutExpr argExpr // TODO: use CFG node for assignment expr`
	`89`	`+ ApplyExpr c, BasicBlock bb, int blockIndex, VarDecl v, InOutExpr argExpr // TODO: use CFG node for assignment expr`
`90`	`90`	`\|`
`91`	`91`	`this.definesAt(v, bb, blockIndex) and`
`92`	`92`	`bb.getNode(blockIndex).getNode().asAstNode() = c and`
`93`		`- c.getArgument(argIndex).getExpr() = argExpr and`
	`93`	`+ [c.getAnArgument().getExpr(), c.getQualifier()] = argExpr and`
`94`	`94`	`argExpr = argument.getNode().asAstNode() and`
`95`	`95`	`argExpr.getSubExpr() = v.getAnAccess() // TODO: fields?`
`96`	`96`	`)`
Original file line number	Diff line number	Diff line change
`@@ -29,9 +29,9 @@ predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain)`
`29`	`29`	`certain = true`
`30`	`30`	`)`
`31`	`31`	`or`
`32`		`- exists(ApplyExpr call, Argument arg \|`
`33`		`- arg.getExpr().(InOutExpr).getSubExpr() = v.getAnAccess() and`
`34`		`- call.getAnArgument() = arg and`
	`32`	`+ exists(ApplyExpr call, InOutExpr expr \|`
	`33`	`+ expr = [call.getAnArgument().getExpr(), call.getQualifier()] and`
	`34`	`+ expr.getSubExpr() = v.getAnAccess() and`
`35`	`35`	`bb.getNode(i).getNode().asAstNode() = call and`
`36`	`36`	`certain = false`
`37`	`37`	`)`