Merge pull request #9014 from michaelnebel/csharp/dataflowcallablerefactor

C#: Dataflow callable refactoring.

Author: hvitved

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -515,8 +515,10 @@ Element interpretElement(
 /**
  * Holds if `c` has a `generated` summary.
  */
-predicate hasSummary(DataFlowCallable c, boolean generated) {
-  summaryElement(c, _, _, _, generated)
+predicate hasSummary(Callable c, boolean generated) {
+  exists(DataFlowCallable dc |
+    dc.asSummarizedCallable() = c and summaryElement(dc, _, _, _, generated)
+  )
 }
 
 cached

csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll

@@ -1,6 +1,7 @@
 /** Provides classes and predicates for defining flow summaries. */
 
 import csharp
+private import dotnet
 private import internal.FlowSummaryImpl as Impl
 private import internal.DataFlowDispatch as DataFlowDispatch
 
@@ -113,7 +114,69 @@ module SummaryComponentStack {
   SummaryComponentStack jump(Callable c) { result = singleton(SummaryComponent::jump(c)) }
 }
 
-class SummarizedCallable = Impl::Public::SummarizedCallable;
+/**
+ * A class for synthesized callables given by a summary.
+ */
+abstract class SummarizedCallable extends DotNet::Callable {
+  SummarizedCallable() { this.isUnboundDeclaration() }
+
+  /**
+   * Holds if data may flow from `input` to `output` through this callable.
+   *
+   * `preservesValue` indicates whether this is a value-preserving step
+   * or a taint-step.
+   *
+   * Input specifications are restricted to stacks that end with
+   * `SummaryComponent::argument(_)`, preceded by zero or more
+   * `SummaryComponent::return(_)` or `SummaryComponent::content(_)` components.
+   *
+   * Output specifications are restricted to stacks that end with
+   * `SummaryComponent::return(_)` or `SummaryComponent::argument(_)`.
+   *
+   * Output stacks ending with `SummaryComponent::return(_)` can be preceded by zero
+   * or more `SummaryComponent::content(_)` components.
+   *
+   * Output stacks ending with `SummaryComponent::argument(_)` can be preceded by an
+   * optional `SummaryComponent::parameter(_)` component, which in turn can be preceded
+   * by zero or more `SummaryComponent::content(_)` components.
+   */
+  pragma[nomagic]
+  predicate propagatesFlow(
+    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+  ) {
+    none()
+  }
+
+  /**
+   * Holds if values stored inside `content` are cleared on objects passed as
+   * arguments at position `pos` to this callable.
+   */
+  pragma[nomagic]
+  predicate clearsContent(ParameterPosition pos, DataFlow::ContentSet content) { none() }
+
+  /**
+   * Holds if the summary is auto generated.
+   */
+  predicate isAutoGenerated() { none() }
+}
+
+private class SummarizedCallableAdapter extends Impl::Public::SummarizedCallable {
+  private SummarizedCallable sc;
+
+  SummarizedCallableAdapter() { this = DataFlowDispatch::TSummarizedCallable(sc) }
+
+  final override predicate propagatesFlow(
+    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+  ) {
+    sc.propagatesFlow(input, output, preservesValue)
+  }
+
+  final override predicate clearsContent(ParameterPosition pos, DataFlow::ContentSet content) {
+    sc.clearsContent(pos, content)
+  }
+
+  final override predicate isAutoGenerated() { sc.isAutoGenerated() }
+}
 
 private predicate recordConstructorFlow(Constructor c, int i, Property p) {
   c = any(RecordType r).getAMember() and

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -12,14 +12,6 @@ private import semmle.code.csharp.dispatch.RuntimeCallable
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.collections.Generic
 
-private predicate summarizedCallable(DataFlowCallable c) {
-  c instanceof FlowSummary::SummarizedCallable
-  or
-  FlowSummaryImpl::Private::summaryReturnNode(_, TJumpReturnKind(c, _))
-  or
-  c = interpretElement(_, _, _, _, _, _)
-}
-
 /**
  * Gets a source declaration of callable `c` that has a body or has
  * a flow summary.
@@ -29,9 +21,6 @@ private predicate summarizedCallable(DataFlowCallable c) {
  */
 DotNet::Callable getCallableForDataFlow(DotNet::Callable c) {
   exists(DotNet::Callable unboundDecl | unboundDecl = c.getUnboundDeclaration() |
-    summarizedCallable(unboundDecl) and
-    result = unboundDecl
-    or
     result.hasBody() and
     if unboundDecl.getFile().fromSource()
     then
@@ -81,17 +70,27 @@ newtype TReturnKind =
       v = def.getSourceVariable().getAssignable()
     )
   } or
-  TJumpReturnKind(DataFlowCallable target, ReturnKind rk) {
-    rk instanceof NormalReturnKind and
+  TJumpReturnKind(Callable target, ReturnKind rk) {
+    target.isUnboundDeclaration() and
     (
-      target instanceof Constructor or
-      not target.getReturnType() instanceof VoidType
+      rk instanceof NormalReturnKind and
+      (
+        target instanceof Constructor or
+        not target.getReturnType() instanceof VoidType
+      )
+      or
+      exists(target.getParameter(rk.(OutRefReturnKind).getPosition()))
     )
-    or
-    exists(target.getParameter(rk.(OutRefReturnKind).getPosition()))
   }
 
 private module Cached {
+  cached
+  newtype TDataFlowCallable =
+    TDotNetCallable(DotNet::Callable c) {
+      c.isUnboundDeclaration() and not c instanceof FlowSummary::SummarizedCallable
+    } or
+    TSummarizedCallable(FlowSummary::SummarizedCallable c)
+
   cached
   newtype TDataFlowCall =
     TNonDelegateCall(ControlFlow::Nodes::ElementNode cfn, DispatchCall dc) {
@@ -108,7 +107,7 @@ private module Cached {
       // No need to include calls that are compiled from source
       not call.getImplementation().getMethod().compiledFromSource()
     } or
-    TSummaryCall(FlowSummary::SummarizedCallable c, Node receiver) {
+    TSummaryCall(FlowSummaryImpl::Public::SummarizedCallable c, Node receiver) {
       FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
     }
 
@@ -144,7 +143,7 @@ private module DispatchImpl {
    * call is a delegate call, or if the qualifier accesses a parameter of
    * the enclosing callable `c` (including the implicit `this` parameter).
    */
-  predicate mayBenefitFromCallContext(NonDelegateDataFlowCall call, Callable c) {
+  predicate mayBenefitFromCallContext(NonDelegateDataFlowCall call, DataFlowCallable c) {
     c = call.getEnclosingCallable() and
     call.getDispatchCall().mayBenefitFromCallContext()
   }
@@ -154,7 +153,7 @@ private module DispatchImpl {
    * restricted to those `call`s for which a context might make a difference.
    */
   DataFlowCallable viableImplInCallContext(NonDelegateDataFlowCall call, DataFlowCall ctx) {
-    result =
+    result.getUnderlyingCallable() =
       call.getDispatchCall()
           .getADynamicTargetInCallContext(ctx.(NonDelegateDataFlowCall).getDispatchCall())
           .getUnboundDeclaration()
@@ -233,22 +232,38 @@ class ImplicitCapturedReturnKind extends ReturnKind, TImplicitCapturedReturnKind
  * one API entry point and out of another.
  */
 class JumpReturnKind extends ReturnKind, TJumpReturnKind {
-  private DataFlowCallable target;
+  private Callable target;
   private ReturnKind rk;
 
   JumpReturnKind() { this = TJumpReturnKind(target, rk) }
 
   /** Gets the target of the jump. */
-  DataFlowCallable getTarget() { result = target }
+  Callable getTarget() { result = target }
 
   /** Gets the return kind of the target. */
   ReturnKind getTargetReturnKind() { result = rk }
 
   override string toString() { result = "jump to " + target }
 }
 
-class DataFlowCallable extends DotNet::Callable {
-  DataFlowCallable() { this.isUnboundDeclaration() }
+/** A callable used for data flow. */
+class DataFlowCallable extends TDataFlowCallable {
+  /** Get the underlying source code callable, if any. */
+  DotNet::Callable asCallable() { this = TDotNetCallable(result) }
+
+  /** Get the underlying summarized callable, if any. */
+  FlowSummary::SummarizedCallable asSummarizedCallable() { this = TSummarizedCallable(result) }
+
+  /** Get the underlying callable. */
+  DotNet::Callable getUnderlyingCallable() {
+    result = this.asCallable() or result = this.asSummarizedCallable()
+  }
+
+  /** Gets a textual representation of this dataflow callable. */
+  string toString() { result = this.getUnderlyingCallable().toString() }
+
+  /** Get the location of this dataflow callable. */
+  Location getLocation() { result = this.getUnderlyingCallable().getLocation() }
 }
 
 /** A call relevant for data flow. */
@@ -306,18 +321,32 @@ class NonDelegateDataFlowCall extends DataFlowCall, TNonDelegateCall {
   DispatchCall getDispatchCall() { result = dc }
 
   override DataFlowCallable getARuntimeTarget() {
-    result = getCallableForDataFlow(dc.getADynamicTarget())
+    result.asCallable() = getCallableForDataFlow(dc.getADynamicTarget())
+    or
+    exists(Callable c, boolean static |
+      result.asSummarizedCallable() = c and
+      c = this.getATarget(static)
+    |
+      static = false
+      or
+      static = true and not c instanceof RuntimeCallable
+    )
+  }
+
+  /** Gets a static or dynamic target of this call. */
+  Callable getATarget(boolean static) {
+    result = dc.getADynamicTarget().getUnboundDeclaration() and static = false
     or
-    result = dc.getAStaticTarget().getUnboundDeclaration() and
-    summarizedCallable(result) and
-    not result instanceof RuntimeCallable
+    result = dc.getAStaticTarget().getUnboundDeclaration() and static = true
   }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
 
   override DataFlow::ExprNode getNode() { result.getControlFlowNode() = cfn }
 
-  override DataFlowCallable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.getUnderlyingCallable() = cfn.getEnclosingCallable()
+  }
 
   override string toString() { result = cfn.toString() }
 
@@ -345,7 +374,9 @@ class ExplicitDelegateLikeDataFlowCall extends DelegateDataFlowCall, TExplicitDe
 
   override DataFlow::ExprNode getNode() { result.getControlFlowNode() = cfn }
 
-  override DataFlowCallable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.getUnderlyingCallable() = cfn.getEnclosingCallable()
+  }
 
   override string toString() { result = cfn.toString() }
 
@@ -363,13 +394,15 @@ class TransitiveCapturedDataFlowCall extends DataFlowCall, TTransitiveCapturedCa
 
   TransitiveCapturedDataFlowCall() { this = TTransitiveCapturedCall(cfn, target) }
 
-  override DataFlowCallable getARuntimeTarget() { result = target }
+  override DataFlowCallable getARuntimeTarget() { result.getUnderlyingCallable() = target }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
 
   override DataFlow::ExprNode getNode() { none() }
 
-  override DataFlowCallable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.getUnderlyingCallable() = cfn.getEnclosingCallable()
+  }
 
   override string toString() { result = "[transitive] " + cfn.toString() }
 
@@ -384,14 +417,16 @@ class CilDataFlowCall extends DataFlowCall, TCilCall {
 
   override DataFlowCallable getARuntimeTarget() {
     // There is no dispatch library for CIL, so do not consider overrides for now
-    result = getCallableForDataFlow(call.getTarget())
+    result.getUnderlyingCallable() = getCallableForDataFlow(call.getTarget())
   }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNode() { none() }
 
   override DataFlow::ExprNode getNode() { result.getExpr() = call }
 
-  override DataFlowCallable getEnclosingCallable() { result = call.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.getUnderlyingCallable() = call.getEnclosingCallable()
+  }
 
   override string toString() { result = call.toString() }
 
@@ -406,7 +441,7 @@ class CilDataFlowCall extends DataFlowCall, TCilCall {
  * the method `Select`.
  */
 class SummaryCall extends DelegateDataFlowCall, TSummaryCall {
-  private FlowSummary::SummarizedCallable c;
+  private FlowSummaryImpl::Public::SummarizedCallable c;
   private Node receiver;
 
   SummaryCall() { this = TSummaryCall(c, receiver) }