Ruby: store a ContentSet on type tracker instances

Author: asgerf

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -378,12 +378,16 @@ private module Cached {
   }
 
   cached
-  newtype TContentSet =
+  newtype TOptionalContentSet =
     TSingletonContent(Content c) or
     TAnyElementContent() or
     TElementLowerBoundContent(int lower) {
       FlowSummaryImplSpecific::ParsePositions::isParsedElementLowerBoundPosition(_, lower)
-    }
+    } or
+    TNoContentSet()
+
+  cached
+  class TContentSet = TSingletonContent or TAnyElementContent or TElementLowerBoundContent;
 
   cached
   newtype TOptionalContent =

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll

@@ -347,13 +347,23 @@ module Content {
   NoContent noContent() { any() }
 }
 
+class OptionalContentSet extends TOptionalContentSet {
+  /** Gets a textual representation of this content set. */
+  string toString() {
+    result = "no content" // overridden in `ContentSet`
+  }
+
+  /** Holds if this is the special "no content set" value. */
+  predicate isNoContentSet() { this instanceof TNoContentSet }
+}
+
 /**
  * An entity that represents a set of `Content`s.
  *
  * The set may be interpreted differently depending on whether it is
  * stored into (`getAStoreContent`) or read from (`getAReadContent`).
  */
-class ContentSet extends TContentSet {
+class ContentSet extends OptionalContentSet, TContentSet {
   /** Holds if this content set is the singleton `{c}`. */
   predicate isSingleton(Content c) { this = TSingletonContent(c) }
 
@@ -366,8 +376,7 @@ class ContentSet extends TContentSet {
    */
   predicate isElementLowerBound(int lower) { this = TElementLowerBoundContent(lower) }
 
-  /** Gets a textual representation of this content set. */
-  string toString() {
+  override string toString() {
     exists(Content c |
       this.isSingleton(c) and
       result = c.toString()

ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll

@@ -18,65 +18,71 @@ private module Cached {
 
   pragma[nomagic]
   private TypeTracker noContentTypeTracker(boolean hasCall) {
-    result = MkTypeTracker(hasCall, noContent())
+    result = MkTypeTracker(hasCall, noContentSet())
   }
 
   /** Gets the summary resulting from appending `step` to type-tracking summary `tt`. */
   cached
   TypeTracker append(TypeTracker tt, StepSummary step) {
-    exists(Boolean hasCall, OptionalTypeTrackerContent currentContent |
-      tt = MkTypeTracker(hasCall, currentContent)
+    exists(Boolean hasCall, OptionalTypeTrackerContentSet currentContents |
+      tt = MkTypeTracker(hasCall, currentContents)
     |
       step = LevelStep() and result = tt
       or
-      step = CallStep() and result = MkTypeTracker(true, currentContent)
+      step = CallStep() and result = MkTypeTracker(true, currentContents)
       or
       step = ReturnStep() and hasCall = false and result = tt
       or
       step = JumpStep() and
-      result = MkTypeTracker(false, currentContent)
+      result = MkTypeTracker(false, currentContents)
     )
     or
-    exists(TypeTrackerContentSet contents, boolean hasCall |
-      step = LoadStep(pragma[only_bind_into](contents)) and
-      tt = MkTypeTracker(hasCall, contents.getAReadContent()) and
-      result = noContentTypeTracker(hasCall)
+    exists(TypeTrackerContentSet storeContents, boolean hasCall |
+      exists(TypeTrackerContentSet loadContents |
+        step = LoadStep(pragma[only_bind_into](loadContents)) and
+        tt = MkTypeTracker(hasCall, storeContents) and
+        storeContents.getAStoreContent() = loadContents.getAReadContent() and
+        result = noContentTypeTracker(hasCall)
+      )
       or
-      step = StoreStep(pragma[only_bind_into](contents)) and
+      step = StoreStep(pragma[only_bind_into](storeContents)) and
       tt = noContentTypeTracker(hasCall) and
-      result = MkTypeTracker(hasCall, contents.getAStoreContent())
+      result = MkTypeTracker(hasCall, storeContents)
     )
   }
 
   pragma[nomagic]
   private TypeBackTracker noContentTypeBackTracker(boolean hasReturn) {
-    result = MkTypeBackTracker(hasReturn, noContent())
+    result = MkTypeBackTracker(hasReturn, noContentSet())
   }
 
   /** Gets the summary resulting from prepending `step` to this type-tracking summary. */
   cached
   TypeBackTracker prepend(TypeBackTracker tbt, StepSummary step) {
-    exists(Boolean hasReturn, OptionalTypeTrackerContent content |
-      tbt = MkTypeBackTracker(hasReturn, content)
+    exists(Boolean hasReturn, OptionalTypeTrackerContentSet contents |
+      tbt = MkTypeBackTracker(hasReturn, contents)
     |
       step = LevelStep() and result = tbt
       or
       step = CallStep() and hasReturn = false and result = tbt
       or
-      step = ReturnStep() and result = MkTypeBackTracker(true, content)
+      step = ReturnStep() and result = MkTypeBackTracker(true, contents)
       or
       step = JumpStep() and
-      result = MkTypeBackTracker(false, content)
+      result = MkTypeBackTracker(false, contents)
     )
     or
-    exists(TypeTrackerContentSet contents, boolean hasReturn |
-      step = StoreStep(pragma[only_bind_into](contents)) and
-      tbt = MkTypeBackTracker(hasReturn, contents.getAReadContent()) and
-      result = noContentTypeBackTracker(hasReturn)
+    exists(TypeTrackerContentSet loadContents, boolean hasReturn |
+      exists(TypeTrackerContentSet storeContents |
+        step = StoreStep(pragma[only_bind_into](storeContents)) and
+        tbt = MkTypeBackTracker(hasReturn, loadContents) and
+        storeContents.getAStoreContent() = loadContents.getAReadContent() and
+        result = noContentTypeBackTracker(hasReturn)
+      )
       or
-      step = LoadStep(pragma[only_bind_into](contents)) and
+      step = LoadStep(pragma[only_bind_into](loadContents)) and
       tbt = noContentTypeBackTracker(hasReturn) and
-      result = MkTypeBackTracker(hasReturn, contents.getAStoreContent())
+      result = MkTypeBackTracker(hasReturn, loadContents)
     )
   }
 
@@ -216,7 +222,8 @@ module StepSummary {
   }
 }
 
-private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalTypeTrackerContent content)
+private newtype TTypeTracker =
+  MkTypeTracker(Boolean hasCall, OptionalTypeTrackerContentSet contents)
 
 /**
  * A summary of the steps needed to track a value to a given dataflow node.
@@ -247,9 +254,9 @@ private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalTypeTracke
  */
 class TypeTracker extends TTypeTracker {
   Boolean hasCall;
-  OptionalTypeTrackerContent content;
+  OptionalTypeTrackerContentSet contents;
 
-  TypeTracker() { this = MkTypeTracker(hasCall, content) }
+  TypeTracker() { this = MkTypeTracker(hasCall, contents) }
 
   /** Gets the summary resulting from appending `step` to this type-tracking summary. */
   TypeTracker append(StepSummary step) { result = append(this, step) }
@@ -259,8 +266,8 @@ class TypeTracker extends TTypeTracker {
     exists(string withCall, string withContent |
       (if hasCall = true then withCall = "with" else withCall = "without") and
       (
-        if content != noContent()
-        then withContent = " with content " + content
+        if contents != noContentSet()
+        then withContent = " with content " + contents
         else withContent = ""
       ) and
       result = "type tracker " + withCall + " call steps" + withContent
@@ -270,26 +277,26 @@ class TypeTracker extends TTypeTracker {
   /**
    * Holds if this is the starting point of type tracking.
    */
-  predicate start() { hasCall = false and content = noContent() }
+  predicate start() { hasCall = false and contents = noContentSet() }
 
   /**
    * Holds if this is the starting point of type tracking, and the value starts in the content named `contentName`.
    * The type tracking only ends after the content has been loaded.
    */
-  predicate startInContent(TypeTrackerContent contentName) {
-    hasCall = false and content = contentName
+  predicate startInContent(TypeTrackerContentSet contentName) {
+    hasCall = false and contents = contentName
   }
 
   /**
    * Holds if this is the starting point of type tracking
    * when tracking a parameter into a call, but not out of it.
    */
-  predicate call() { hasCall = true and content = noContent() }
+  predicate call() { hasCall = true and contents = noContentSet() }
 
   /**
    * Holds if this is the end point of type tracking.
    */
-  predicate end() { content = noContent() }
+  predicate end() { contents = noContentSet() }
 
   /**
    * INTERNAL. DO NOT USE.
@@ -303,15 +310,15 @@ class TypeTracker extends TTypeTracker {
    *
    * Gets the content associated with this type tracker.
    */
-  OptionalTypeTrackerContent getContent() { result = content }
+  OptionalTypeTrackerContentSet getContent() { result = contents }
 
   /**
    * Gets a type tracker that starts where this one has left off to allow continued
    * tracking.
    *
    * This predicate is only defined if the type is not associated to a piece of content.
    */
-  TypeTracker continue() { content = noContent() and result = this }
+  TypeTracker continue() { contents = noContentSet() and result = this }
 
   /**
    * Gets the summary that corresponds to having taken a forwards
@@ -370,7 +377,7 @@ module TypeTracker {
 }
 
 private newtype TTypeBackTracker =
-  MkTypeBackTracker(Boolean hasReturn, OptionalTypeTrackerContent content)
+  MkTypeBackTracker(Boolean hasReturn, OptionalTypeTrackerContentSet contents)
 
 /**
  * A summary of the steps needed to back-track a use of a value to a given dataflow node.
@@ -404,9 +411,9 @@ private newtype TTypeBackTracker =
  */
 class TypeBackTracker extends TTypeBackTracker {
   Boolean hasReturn;
-  OptionalTypeTrackerContent content;
+  OptionalTypeTrackerContentSet contents;
 
-  TypeBackTracker() { this = MkTypeBackTracker(hasReturn, content) }
+  TypeBackTracker() { this = MkTypeBackTracker(hasReturn, contents) }
 
   /** Gets the summary resulting from prepending `step` to this type-tracking summary. */
   TypeBackTracker prepend(StepSummary step) { result = prepend(this, step) }
@@ -416,8 +423,8 @@ class TypeBackTracker extends TTypeBackTracker {
     exists(string withReturn, string withContent |
       (if hasReturn = true then withReturn = "with" else withReturn = "without") and
       (
-        if content != noContent()
-        then withContent = " with content " + content
+        if contents != noContentSet()
+        then withContent = " with content " + contents
         else withContent = ""
       ) and
       result = "type back-tracker " + withReturn + " return steps" + withContent
@@ -427,12 +434,12 @@ class TypeBackTracker extends TTypeBackTracker {
   /**
    * Holds if this is the starting point of type tracking.
    */
-  predicate start() { hasReturn = false and content = noContent() }
+  predicate start() { hasReturn = false and contents = noContentSet() }
 
   /**
    * Holds if this is the end point of type tracking.
    */
-  predicate end() { content = noContent() }
+  predicate end() { contents = noContentSet() }
 
   /**
    * INTERNAL. DO NOT USE.
@@ -447,7 +454,7 @@ class TypeBackTracker extends TTypeBackTracker {
    *
    * This predicate is only defined if the type has not been tracked into a piece of content.
    */
-  TypeBackTracker continue() { content = noContent() and result = this }
+  TypeBackTracker continue() { contents = noContentSet() and result = this }
 
   /**
    * Gets the summary that corresponds to having taken a backwards
@@ -504,7 +511,7 @@ class TypeBackTracker extends TTypeBackTracker {
    * also flow to `sink`.
    */
   TypeTracker getACompatibleTypeTracker() {
-    exists(boolean hasCall | result = MkTypeTracker(hasCall, content) |
+    exists(boolean hasCall | result = MkTypeTracker(hasCall, contents) |
       hasCall = false or this.hasReturn() = false
     )
   }

ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll

@@ -24,7 +24,10 @@ class TypeTrackerContent = DataFlowPublic::Content;
 
 class TypeTrackerContentSet = DataFlowPublic::ContentSet;
 
-predicate noContent = DataFlowPublic::Content::noContent/0;
+class OptionalTypeTrackerContentSet = DataFlowPublic::OptionalContentSet;
+
+/** Gets the "no content set" value to use for a type tracker not inside any content. */
+OptionalTypeTrackerContentSet noContentSet() { result.isNoContentSet() }
 
 /** Holds if there is a simple local flow step from `nodeFrom` to `nodeTo` */
 predicate simpleLocalFlowStep = DataFlowPrivate::localFlowStepTypeTracker/2;

ruby/ql/test/library-tests/dataflow/type-tracker/TypeTracker.expected

@@ -552,19 +552,4 @@ trackEnd
 | type_tracker.rb:44:5:44:13 | ...[...] | type_tracker.rb:34:1:45:3 | return return in throughArray |
 | type_tracker.rb:44:5:44:13 | ...[...] | type_tracker.rb:44:5:44:13 | ...[...] |
 forwardButNoBackwardFlow
-| type_tracker.rb:34:18:34:20 | obj | type_tracker.rb:34:1:45:3 | return return in throughArray |
-| type_tracker.rb:34:18:34:20 | obj | type_tracker.rb:44:5:44:13 | ...[...] |
-| type_tracker.rb:34:18:34:20 | obj | type_tracker.rb:44:5:44:13 | ...[...] |
-| type_tracker.rb:42:15:42:15 | 1 | type_tracker.rb:34:1:45:3 | return return in throughArray |
-| type_tracker.rb:42:15:42:15 | 1 | type_tracker.rb:44:5:44:13 | ...[...] |
-| type_tracker.rb:42:17:42:17 | 2 | type_tracker.rb:34:1:45:3 | return return in throughArray |
-| type_tracker.rb:42:17:42:17 | 2 | type_tracker.rb:44:5:44:13 | ...[...] |
-| type_tracker.rb:42:19:42:19 | 3 | type_tracker.rb:34:1:45:3 | return return in throughArray |
-| type_tracker.rb:42:19:42:19 | 3 | type_tracker.rb:44:5:44:13 | ...[...] |
-| type_tracker.rb:42:21:42:21 | 4 | type_tracker.rb:34:1:45:3 | return return in throughArray |
-| type_tracker.rb:42:21:42:21 | 4 | type_tracker.rb:44:5:44:13 | ...[...] |
-| type_tracker.rb:42:23:42:23 | 5 | type_tracker.rb:34:1:45:3 | return return in throughArray |
-| type_tracker.rb:42:23:42:23 | 5 | type_tracker.rb:44:5:44:13 | ...[...] |
-| type_tracker.rb:42:25:42:25 | 6 | type_tracker.rb:34:1:45:3 | return return in throughArray |
-| type_tracker.rb:42:25:42:25 | 6 | type_tracker.rb:44:5:44:13 | ...[...] |
 backwardButNoForwardFlow