C#: Use source declarations in field flow

Author: hvitved

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -298,7 +298,7 @@ private class Argument extends Expr {
 private predicate instanceFieldLikeAssign(Expr e, FieldLike f, Expr src, Expr q) {
   exists(FieldLikeAccess fa, AssignableDefinition def |
     def.getTargetAccess() = fa and
-    f = fa.getTarget() and
+    f = fa.getTarget().getSourceDeclaration() and
     not f.isStatic() and
     src = def.getSource() and
     q = fa.getQualifier() and
@@ -313,7 +313,7 @@ private predicate instanceFieldLikeAssign(Expr e, FieldLike f, Expr src, Expr q)
 private predicate instanceFieldLikeInit(ObjectCreation oc, FieldLike f, Expr src) {
   exists(MemberInitializer mi |
     mi = oc.getInitializer().(ObjectInitializer).getAMemberInitializer() and
-    f = mi.getInitializedMember() and
+    f = mi.getInitializedMember().getSourceDeclaration() and
     not f.isStatic() and
     src = mi.getRValue()
   )
@@ -421,7 +421,8 @@ private module Cached {
   }
 
   cached
-  newtype TContent = TFieldLikeContent(FieldLike f) { not f.isStatic() }
+  newtype TContent =
+    TFieldLikeContent(FieldLike f) { not f.isStatic() and f.getSourceDeclaration() = f }
 
   /**
    * Holds if data can flow from `node1` to `node2` via an assignment to
@@ -449,7 +450,11 @@ private module Cached {
   predicate readStepImpl(Node node1, Content c, Node node2) {
     exists(ReadStepConfiguration x |
       x.hasNodePath(node1, node2) and
-      c.(FieldLikeContent).getField() = node2.asExpr().(FieldLikeRead).getTarget()
+      c.(FieldLikeContent).getField() = node2
+            .asExpr()
+            .(FieldLikeRead)
+            .getTarget()
+            .getSourceDeclaration()
     )
   }
 

csharp/ql/test/library-tests/dataflow/types/Types.cs

@@ -97,7 +97,7 @@ class E1 : E<C>
         {
             void M3()
             {
-                this.M2(new E1()); // no flow
+                this.M2(new E1()); // no flow (FALSE POSITIVE)
             }
 
             public override void M() { }
@@ -107,7 +107,7 @@ class E2 : E<D>
         {
             void M3()
             {
-                this.M2(new E2()); // flow (FALSE NEGATIVE)
+                this.M2(new E2()); // flow
             }
 
             public override void M()

csharp/ql/test/library-tests/dataflow/types/Types.expected

@@ -45,6 +45,20 @@ edges
 | Types.cs:74:9:74:9 | access to local variable d : D | Types.cs:16:30:16:30 | this : D |
 | Types.cs:77:22:77:22 | a : C | Types.cs:80:18:80:18 | access to local variable b |
 | Types.cs:77:22:77:22 | a : D | Types.cs:80:18:80:18 | access to local variable b |
+| Types.cs:90:22:90:22 | e : E1 | Types.cs:92:26:92:26 | access to parameter e : E1 |
+| Types.cs:90:22:90:22 | e : E2 | Types.cs:92:26:92:26 | access to parameter e : E2 |
+| Types.cs:92:13:92:16 | [post] this access [Field] : E1 | Types.cs:93:13:93:16 | this access [Field] : E1 |
+| Types.cs:92:13:92:16 | [post] this access [Field] : E2 | Types.cs:93:13:93:16 | this access [Field] : E2 |
+| Types.cs:92:26:92:26 | access to parameter e : E1 | Types.cs:92:13:92:16 | [post] this access [Field] : E1 |
+| Types.cs:92:26:92:26 | access to parameter e : E2 | Types.cs:92:13:92:16 | [post] this access [Field] : E2 |
+| Types.cs:93:13:93:16 | this access [Field] : E1 | Types.cs:113:34:113:34 | this [Field] : E1 |
+| Types.cs:93:13:93:16 | this access [Field] : E2 | Types.cs:113:34:113:34 | this [Field] : E2 |
+| Types.cs:100:25:100:32 | object creation of type E1 : E1 | Types.cs:90:22:90:22 | e : E1 |
+| Types.cs:110:25:110:32 | object creation of type E2 : E2 | Types.cs:90:22:90:22 | e : E2 |
+| Types.cs:113:34:113:34 | this [Field] : E1 | Types.cs:115:22:115:25 | this access [Field] : E1 |
+| Types.cs:113:34:113:34 | this [Field] : E2 | Types.cs:115:22:115:25 | this access [Field] : E2 |
+| Types.cs:115:22:115:25 | this access [Field] : E1 | Types.cs:115:22:115:31 | access to field Field |
+| Types.cs:115:22:115:25 | this access [Field] : E2 | Types.cs:115:22:115:31 | access to field Field |
 nodes
 | Types.cs:7:21:7:25 | this : C | semmle.label | this : C |
 | Types.cs:7:21:7:25 | this : D | semmle.label | this : D |
@@ -101,6 +115,21 @@ nodes
 | Types.cs:77:22:77:22 | a : C | semmle.label | a : C |
 | Types.cs:77:22:77:22 | a : D | semmle.label | a : D |
 | Types.cs:80:18:80:18 | access to local variable b | semmle.label | access to local variable b |
+| Types.cs:90:22:90:22 | e : E1 | semmle.label | e : E1 |
+| Types.cs:90:22:90:22 | e : E2 | semmle.label | e : E2 |
+| Types.cs:92:13:92:16 | [post] this access [Field] : E1 | semmle.label | [post] this access [Field] : E1 |
+| Types.cs:92:13:92:16 | [post] this access [Field] : E2 | semmle.label | [post] this access [Field] : E2 |
+| Types.cs:92:26:92:26 | access to parameter e : E1 | semmle.label | access to parameter e : E1 |
+| Types.cs:92:26:92:26 | access to parameter e : E2 | semmle.label | access to parameter e : E2 |
+| Types.cs:93:13:93:16 | this access [Field] : E1 | semmle.label | this access [Field] : E1 |
+| Types.cs:93:13:93:16 | this access [Field] : E2 | semmle.label | this access [Field] : E2 |
+| Types.cs:100:25:100:32 | object creation of type E1 : E1 | semmle.label | object creation of type E1 : E1 |
+| Types.cs:110:25:110:32 | object creation of type E2 : E2 | semmle.label | object creation of type E2 : E2 |
+| Types.cs:113:34:113:34 | this [Field] : E1 | semmle.label | this [Field] : E1 |
+| Types.cs:113:34:113:34 | this [Field] : E2 | semmle.label | this [Field] : E2 |
+| Types.cs:115:22:115:25 | this access [Field] : E1 | semmle.label | this access [Field] : E1 |
+| Types.cs:115:22:115:25 | this access [Field] : E2 | semmle.label | this access [Field] : E2 |
+| Types.cs:115:22:115:31 | access to field Field | semmle.label | access to field Field |
 #select
 | Types.cs:22:9:22:15 | object creation of type C : C | Types.cs:16:42:16:45 | this access | Types.cs:16:42:16:45 | this access | $@ | Types.cs:16:42:16:45 | this access | this access |
 | Types.cs:23:12:23:18 | object creation of type C : C | Types.cs:50:18:50:18 | access to local variable c | Types.cs:50:18:50:18 | access to local variable c | $@ | Types.cs:50:18:50:18 | access to local variable c | access to local variable c |
@@ -122,3 +151,5 @@ nodes
 | Types.cs:40:12:40:18 | object creation of type D : D | Types.cs:16:42:16:45 | this access | Types.cs:16:42:16:45 | this access | $@ | Types.cs:16:42:16:45 | this access | this access |
 | Types.cs:41:12:41:18 | object creation of type D : D | Types.cs:80:18:80:18 | access to local variable b | Types.cs:80:18:80:18 | access to local variable b | $@ | Types.cs:80:18:80:18 | access to local variable b | access to local variable b |
 | Types.cs:43:20:43:23 | null : null | Types.cs:44:14:44:14 | access to local variable o | Types.cs:44:14:44:14 | access to local variable o | $@ | Types.cs:44:14:44:14 | access to local variable o | access to local variable o |
+| Types.cs:100:25:100:32 | object creation of type E1 : E1 | Types.cs:115:22:115:31 | access to field Field | Types.cs:115:22:115:31 | access to field Field | $@ | Types.cs:115:22:115:31 | access to field Field | access to field Field |
+| Types.cs:110:25:110:32 | object creation of type E2 : E2 | Types.cs:115:22:115:31 | access to field Field | Types.cs:115:22:115:31 | access to field Field | $@ | Types.cs:115:22:115:31 | access to field Field | access to field Field |