From bfc257147c25bd6fa1939355bbcff25b75973404 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Fri, 16 Dec 2022 11:15:28 +0100
Subject: [PATCH] Ruby: Fix bug in call-sensitivity logic for `initialize` calls

---
 .../dataflow/internal/DataFlowDispatch.qll | 2 +-
 .../call-sensitivity.expected | 27 ++++++++++++++++++-
 .../call-sensitivity/call_sensitivity.rb | 8 +++---
 3 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
index 963313f54cd2..b77aab6d43c2 100644
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -1175,7 +1175,7 @@ DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
     exists(Module m, string name |
       mayBenefitFromCallContextInitialize(ctx.asCall(), pragma[only_bind_into](call0), _, _,
         pragma[only_bind_into](m), pragma[only_bind_into](name)) and
-      res = getTargetInstance(call0, name) and
+      res = getInitializeTarget(call0) and
       res = lookupMethod(m, name)
     or
     exists(boolean exact |
diff --git a/ruby/ql/test/library-tests/dataflow/call-sensitivity/call-sensitivity.expected b/ruby/ql/test/library-tests/dataflow/call-sensitivity/call-sensitivity.expected
index 345b73e9dffc..46491d9b9803 100644
--- a/ruby/ql/test/library-tests/dataflow/call-sensitivity/call-sensitivity.expected
+++ b/ruby/ql/test/library-tests/dataflow/call-sensitivity/call-sensitivity.expected
@@ -1,5 +1,4 @@
 failures
-| call_sensitivity.rb:97:12:97:66 | # $ hasValueFlow=26 $ hasValueFlow=30 $ hasValueFlow=32 | Missing result:hasValueFlow=26 |
 edges
 | call_sensitivity.rb:9:7:9:13 | call to taint : | call_sensitivity.rb:9:6:9:14 | ( ... ) |
 | call_sensitivity.rb:9:7:9:13 | call to taint : | call_sensitivity.rb:9:6:9:14 | ( ... ) |
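Review bot: With `getTargetInstance(call0, name)` replaced by `getInitializeTarget(call0)`, the `name` bound by `mayBenefitFromCallContextInitialize` now feeds only `res = lookupMethod(m, name)`, so the two conjuncts agree only if that `name` is always the constructor name; nothing in the hunk states this, and a one-line comment above the added line would spare the next reader the lookup: `// name is presumably "initialize" here: getInitializeTarget resolves the new-call, lookupMethod restricts it to the context's receiver class m`. The change closes a false negative in taint tracking rather than a false positive: the `.expected` change drops the `Missing result:hasValueFlow=26` failure at `call_sensitivity.rb:97` (the `sink x` inside `A#initialize`), and the new `viableImplInCallContext` rows show the `type.new x` call at line 157 resolved to `A#initialize` in the `create(A, …)` context and to the line-139 `initialize` in the `create(B, …)` context. I cannot tell from this hunk whether `lookupMethod(m, name)` walks the ancestor chain when the class passed to `create` does not define its own `initialize`; a test case for an inherited constructor would pin that. The enclosing predicate `viableImplInCallContext` starts and ends outside the hunk.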
@@ -97,8 +96,14 @@ edges | call_sensitivity.rb:96:18:96:18 | x : | call_sensitivity.rb:97:10:97:10 | x | | call_sensitivity.rb:96:18:96:18 | x : | call_sensitivity.rb:97:10:97:10 | x | | call_sensitivity.rb:96:18:96:18 | x : | call_sensitivity.rb:97:10:97:10 | x | +| call_sensitivity.rb:96:18:96:18 | x : | call_sensitivity.rb:97:10:97:10 | x | +| call_sensitivity.rb:96:18:96:18 | x : | call_sensitivity.rb:97:10:97:10 | x | +| call_sensitivity.rb:96:18:96:18 | x : | call_sensitivity.rb:98:13:98:13 | x : | | call_sensitivity.rb:96:18:96:18 | x : | call_sensitivity.rb:98:13:98:13 | x : | | call_sensitivity.rb:96:18:96:18 | x : | call_sensitivity.rb:98:13:98:13 | x : | +| call_sensitivity.rb:96:18:96:18 | x : | call_sensitivity.rb:98:13:98:13 | x : | +| call_sensitivity.rb:98:13:98:13 | x : | call_sensitivity.rb:50:15:50:15 | x : | +| call_sensitivity.rb:98:13:98:13 | x : | call_sensitivity.rb:50:15:50:15 | x : | | call_sensitivity.rb:98:13:98:13 | x : | call_sensitivity.rb:50:15:50:15 | x : | | call_sensitivity.rb:98:13:98:13 | x : | call_sensitivity.rb:50:15:50:15 | x : | | call_sensitivity.rb:102:11:102:20 | ( ... ) : | call_sensitivity.rb:96:18:96:18 | x : | 
@@ -125,6 +130,12 @@ edges | call_sensitivity.rb:112:26:112:33 | call to taint : | call_sensitivity.rb:92:35:92:35 | x : | | call_sensitivity.rb:149:14:149:22 | call to taint : | call_sensitivity.rb:74:18:74:18 | y : | | call_sensitivity.rb:149:14:149:22 | call to taint : | call_sensitivity.rb:74:18:74:18 | y : | +| call_sensitivity.rb:156:19:156:19 | x : | call_sensitivity.rb:157:12:157:12 | x : | +| call_sensitivity.rb:156:19:156:19 | x : | call_sensitivity.rb:157:12:157:12 | x : | +| call_sensitivity.rb:157:12:157:12 | x : | call_sensitivity.rb:96:18:96:18 | x : | +| call_sensitivity.rb:157:12:157:12 | x : | call_sensitivity.rb:96:18:96:18 | x : | +| call_sensitivity.rb:160:11:160:19 | call to taint : | call_sensitivity.rb:156:19:156:19 | x : | +| call_sensitivity.rb:160:11:160:19 | call to taint : | call_sensitivity.rb:156:19:156:19 | x : | | call_sensitivity.rb:169:11:169:20 | ( ... ) : | call_sensitivity.rb:96:18:96:18 | x : | | call_sensitivity.rb:169:11:169:20 | ( ... ) : | call_sensitivity.rb:96:18:96:18 | x : | | call_sensitivity.rb:169:12:169:19 | call to taint : | call_sensitivity.rb:169:11:169:20 | ( ... ) : | 
@@ -240,10 +251,14 @@ nodes | call_sensitivity.rb:96:18:96:18 | x : | semmle.label | x : | | call_sensitivity.rb:96:18:96:18 | x : | semmle.label | x : | | call_sensitivity.rb:96:18:96:18 | x : | semmle.label | x : | +| call_sensitivity.rb:96:18:96:18 | x : | semmle.label | x : | +| call_sensitivity.rb:96:18:96:18 | x : | semmle.label | x : | | call_sensitivity.rb:97:10:97:10 | x | semmle.label | x | | call_sensitivity.rb:97:10:97:10 | x | semmle.label | x | | call_sensitivity.rb:98:13:98:13 | x : | semmle.label | x : | | call_sensitivity.rb:98:13:98:13 | x : | semmle.label | x : | +| call_sensitivity.rb:98:13:98:13 | x : | semmle.label | x : | +| call_sensitivity.rb:98:13:98:13 | x : | semmle.label | x : | | call_sensitivity.rb:102:11:102:20 | ( ... ) : | semmle.label | ( ... ) : | | call_sensitivity.rb:102:11:102:20 | ( ... ) : | semmle.label | ( ... ) : | | call_sensitivity.rb:102:12:102:19 | call to taint : | semmle.label | call to taint : | @@ -268,6 +283,12 @@ nodes | call_sensitivity.rb:112:26:112:33 | call to taint : | semmle.label | call to taint : | | call_sensitivity.rb:149:14:149:22 | call to taint : | semmle.label | call to taint : | | call_sensitivity.rb:149:14:149:22 | call to taint : | semmle.label | call to taint : | +| call_sensitivity.rb:156:19:156:19 | x : | semmle.label | x : | +| call_sensitivity.rb:156:19:156:19 | x : | semmle.label | x : | +| call_sensitivity.rb:157:12:157:12 | x : | semmle.label | x : | +| call_sensitivity.rb:157:12:157:12 | x : | semmle.label | x : | +| call_sensitivity.rb:160:11:160:19 | call to taint : | semmle.label | call to taint : | +| call_sensitivity.rb:160:11:160:19 | call to taint : | semmle.label | call to taint : | | call_sensitivity.rb:169:11:169:20 | ( ... ) : | semmle.label | ( ... ) : | | call_sensitivity.rb:169:11:169:20 | ( ... ) : | semmle.label | ( ... ) : | | call_sensitivity.rb:169:12:169:19 | call to taint : | semmle.label | call to taint : | 
@@ -286,11 +307,13 @@ subpaths | call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:106:16:106:24 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:106:16:106:24 | call to taint : | call to taint : | | call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:107:14:107:22 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:107:14:107:22 | call to taint : | call to taint : | | call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:149:14:149:22 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:149:14:149:22 | call to taint : | call to taint : | +| call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:160:11:160:19 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:160:11:160:19 | call to taint : | call to taint : | | call_sensitivity.rb:71:10:71:10 | x | call_sensitivity.rb:109:21:109:28 | call to taint : | call_sensitivity.rb:71:10:71:10 | x | $@ | call_sensitivity.rb:109:21:109:28 | call to taint : | call to taint : | | call_sensitivity.rb:71:10:71:10 | x | call_sensitivity.rb:110:26:110:33 | call to taint : | call_sensitivity.rb:71:10:71:10 | x | $@ | call_sensitivity.rb:110:26:110:33 | call to taint : | call to taint : | | call_sensitivity.rb:71:10:71:10 | x | call_sensitivity.rb:111:24:111:32 | call to taint : | call_sensitivity.rb:71:10:71:10 | x | $@ | call_sensitivity.rb:111:24:111:32 | call to taint : | call to taint : | | call_sensitivity.rb:71:10:71:10 | x | call_sensitivity.rb:112:26:112:33 | call to taint : | call_sensitivity.rb:71:10:71:10 | x | $@ | call_sensitivity.rb:112:26:112:33 | call to taint : | call to taint : | | call_sensitivity.rb:97:10:97:10 | x | call_sensitivity.rb:102:12:102:19 | call to taint : | call_sensitivity.rb:97:10:97:10 | x | $@ | call_sensitivity.rb:102:12:102:19 | call to taint : | call to taint : | +| call_sensitivity.rb:97:10:97:10 | x | call_sensitivity.rb:160:11:160:19 | call to 
taint : | call_sensitivity.rb:97:10:97:10 | x | $@ | call_sensitivity.rb:160:11:160:19 | call to taint : | call to taint : | | call_sensitivity.rb:97:10:97:10 | x | call_sensitivity.rb:169:12:169:19 | call to taint : | call_sensitivity.rb:97:10:97:10 | x | $@ | call_sensitivity.rb:169:12:169:19 | call to taint : | call to taint : | mayBenefitFromCallContext | call_sensitivity.rb:51:5:51:10 | call to sink | call_sensitivity.rb:50:3:52:5 | method1 | @@ -351,3 +374,5 @@ viableImplInCallContext | call_sensitivity.rb:128:5:128:25 | call to method3 | call_sensitivity.rb:148:1:148:25 | call to call_method3 | call_sensitivity.rb:62:3:64:5 | method3 | | call_sensitivity.rb:132:5:132:28 | call to singleton_method2 | call_sensitivity.rb:152:1:152:34 | call to call_singleton_method2 | call_sensitivity.rb:80:3:82:5 | singleton_method2 | | call_sensitivity.rb:136:5:136:35 | call to singleton_method3 | call_sensitivity.rb:154:1:154:34 | call to call_singleton_method3 | call_sensitivity.rb:88:3:90:5 | singleton_method3 | +| call_sensitivity.rb:157:3:157:12 | call to new | call_sensitivity.rb:160:1:160:20 | call to create | call_sensitivity.rb:96:3:99:5 | initialize | +| call_sensitivity.rb:157:3:157:12 | call to new | call_sensitivity.rb:161:1:161:20 | call to create | call_sensitivity.rb:139:3:141:5 | initialize | diff --git a/ruby/ql/test/library-tests/dataflow/call-sensitivity/call_sensitivity.rb b/ruby/ql/test/library-tests/dataflow/call-sensitivity/call_sensitivity.rb index a17e52251774..f96b61050e66 100644 --- a/ruby/ql/test/library-tests/dataflow/call-sensitivity/call_sensitivity.rb +++ b/ruby/ql/test/library-tests/dataflow/call-sensitivity/call_sensitivity.rb 
@@ -48,7 +48,7 @@ def apply_lambda (lambda, x)
 
 class A
   def method1 x
-    sink x # $ hasValueFlow=10 $ hasValueFlow=11 $ hasValueFlow=12 $ hasValueFlow=13 $ hasValueFlow=26 $ hasValueFlow=30 $ SPURIOUS: hasValueFlow=27
+    sink x # $ hasValueFlow=10 $ hasValueFlow=11 $ hasValueFlow=12 $ hasValueFlow=13 $ hasValueFlow=26 $ hasValueFlow=28 $ hasValueFlow=30 $ SPURIOUS: hasValueFlow=27
   end
 
   def method2 x
@@ -94,7 +94,7 @@ def self.call_singleton_method3 x
   end
 
   def initialize(x)
-    sink x # $ hasValueFlow=26 $ hasValueFlow=30 $ hasValueFlow=32
+    sink x # $ hasValueFlow=28 $ hasValueFlow=30 $ hasValueFlow=32
     method1 x
   end
 end
@@ -157,8 +157,8 @@ def create (type, x)
   type.new x
 end
 
-create(A, taint(26))
-create(B, taint(27))
+create(A, taint(28))
+create(B, taint(29))
 
 class C < A
   def method1 x
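Review bot: The bump of the two `create` arguments from `taint(26)`/`taint(27)` to `taint(28)`/`taint(29)` is not explained in the test file: line 51 still expects `hasValueFlow=26` and `SPURIOUS: hasValueFlow=27` after the change, which suggests ids 26 and 27 are also used by other `taint(...)` calls in this file, so the old `Missing result:hasValueFlow=26` at line 97 could not be attributed to the `create(A, …)` source alone. A comment above the two calls would keep the next edit from reintroducing the collision, e.g. `# taint ids must be unique in this file: 28 flows A.new -> A#initialize -> method1, 29 flows B.new -> the initialize at line 139` (the B-side target is read off the new `.expected` rows, not this hunk — verify). Since this commit is specifically about dispatch precision, the surviving `SPURIOUS: hasValueFlow=27` on line 51 also deserves a short note saying why that flow is accepted as known imprecision rather than treated as a dispatch bug. The `class C < A` body that begins at the end of the last hunk continues outside it.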