Skip to content

C#: Restrict dataflow node creation to source and source-referenced entities #17482

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

C#: Restrict dataflow node creation to source and source-referenced entities #17482

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 35 additions & 4 deletions csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1080,6 +1080,30 @@ private class InstanceCallable extends Callable {
Location getARelevantLocation() { result = l }
}

/**
* A callable which is either itself defined in source or which is the target
* of some call in source, and therefore ought to have dataflow nodes created.
*/
private class CallableUsedInSource extends Callable {
CallableUsedInSource() {
this.fromSource()
or
this.getACall().fromSource()
}
}

/**
* A field or property which is either itself defined in source or which is the target
* of some access in source, and therefore ought to have dataflow nodes created.
*/
private class FieldOrPropertyUsedInSource extends FieldOrProperty {
FieldOrPropertyUsedInSource() {
this.fromSource()
or
this.getAnAccess().fromSource()
}
}

/** A collection of cached types and predicates to be evaluated in the same stage. */
cached
private module Cached {
Expand Down Expand Up @@ -1107,8 +1131,13 @@ private module Cached {
TAssignableDefinitionNode(AssignableDefinition def, ControlFlow::Node cfn) {
cfn = def.getExpr().getAControlFlowNode()
} or
TExplicitParameterNode(Parameter p, DataFlowCallable c) { p = c.asCallable(_).getAParameter() } or
TInstanceParameterNode(InstanceCallable c, Location l) { l = c.getARelevantLocation() } or
TExplicitParameterNode(Parameter p, DataFlowCallable c) {
p = c.asCallable(_).(CallableUsedInSource).getAParameter()
Comment on lines +1134 to +1135
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Java simply uses the constraint exists(p.getCallable().getBody()). Would that be enough in this case?

Suggested change
TExplicitParameterNode(Parameter p, DataFlowCallable c) {
p = c.asCallable(_).(CallableUsedInSource).getAParameter()
TExplicitParameterNode(Parameter p, DataFlowCallable c) {
exists(Callable c0 | c0 = c.asCallable(_) and p = c0.getAParameter() and exists(c0.getBody()))

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've refined this further at #17483 -- my observations so far:

There are methods with no body but which are from source where we probably ought to include parameter nodes, e.g. abstract and interface methods

There are also methods that have a body but for which fromSource doesn't hold -- synthetic methods, so far as I can tell, such as default constructors.

Therefore I've included both criteria for now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are methods with no body but which are from source where we probably ought to include parameter nodes, e.g. abstract and interface methods

Why? What use are they? Those parameter nodes cannot flow to anything.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They indeed cannot; my concern was whether interface or abstract method parameter nodes might be relevant to models, either MaD-written or implemented in QL? The short answer is I don't know, but the cost of keeping them is probably small since they're bounded by the size of the source code, and giving nodes as-is to everything present in source is the least surprising route for any third-party code we don't get to exercise via DCA and QA.

} or
TInstanceParameterNode(InstanceCallable c, Location l) {
c instanceof CallableUsedInSource and
l = c.getARelevantLocation()
} or
TDelegateSelfReferenceNode(Callable c) { lambdaCreationExpr(_, c) } or
TLocalFunctionCreationNode(ControlFlow::Nodes::ElementNode cfn, Boolean isPostUpdate) {
cfn.getAstNode() instanceof LocalFunctionStmt
Expand Down Expand Up @@ -1144,11 +1173,13 @@ private module Cached {
or
lambdaCallExpr(_, cfn)
} or
TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or
TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) {
sn.getSummarizedCallable() instanceof CallableUsedInSource
} or
TParamsArgumentNode(ControlFlow::Node callCfn) {
callCfn = any(Call c | isParamsArg(c, _, _)).getAControlFlowNode()
} or
TFlowInsensitiveFieldNode(FieldOrProperty f) { f.isFieldLike() } or
TFlowInsensitiveFieldNode(FieldOrPropertyUsedInSource f) { f.isFieldLike() } or
TFlowInsensitiveCapturedVariableNode(LocalScopeVariable v) { v.isCaptured() } or
TInstanceParameterAccessNode(ControlFlow::Node cfn, Boolean isPostUpdate) {
cfn = getAPrimaryConstructorParameterCfn(_)
Expand Down
Loading