Merge pull request #9342 from rdmarsh2/rdmarsh2/swift/dataflow-global-flow

Swift: initial interprocedural data flow implementation

Author: MathiasVP

swift/ql/lib/codeql/swift/controlflow/internal/ControlFlowElements.qll

@@ -3,6 +3,7 @@ private import swift
 cached
 newtype TControlFlowElement =
   TAstElement(AstNode n) or
+  TFuncDeclElement(AbstractFunctionDecl func) { func.hasBody() } or
   TPropertyGetterElement(Decl accessor, Expr ref) { isPropertyGetterElement(accessor, ref) } or
   TPropertySetterElement(AccessorDecl accessor, AssignExpr assign) {
     isPropertySetterElement(accessor, assign)
@@ -161,3 +162,13 @@ class PropertyObserverElement extends ControlFlowElement, TPropertyObserverEleme
 
   AssignExpr getAssignExpr() { result = assign }
 }
+
+class FuncDeclElement extends ControlFlowElement, TFuncDeclElement {
+  AbstractFunctionDecl func;
+
+  FuncDeclElement() { this = TFuncDeclElement(func) }
+
+  override string toString() { result = func.toString() }
+
+  override Location getLocation() { result = func.getLocation() }
+}

swift/ql/lib/codeql/swift/controlflow/internal/ControlFlowGraphImpl.qll

@@ -48,15 +48,15 @@ module CfgScope {
 
   private class BodyStmtCallableScope extends Range_ instanceof AbstractFunctionDecl {
     final override predicate entry(ControlFlowElement first) {
-      exists(Stmts::BraceStmtTree tree |
-        tree.getAst() = super.getBody() and
-        tree.firstInner(first)
+      exists(Decls::FuncDeclTree tree |
+        tree.getAst() = this and
+        first = tree
       )
     }
 
     final override predicate exit(ControlFlowElement last, Completion c) {
-      exists(Stmts::BraceStmtTree tree |
-        tree.getAst() = super.getBody() and
+      exists(Decls::FuncDeclTree tree |
+        tree.getAst() = this and
         tree.last(last, c)
       )
     }
@@ -881,6 +881,21 @@ module Decls {
       )
     }
   }
+
+  class FuncDeclTree extends StandardPreOrderTree, TFuncDeclElement {
+    AbstractFunctionDecl ast;
+
+    FuncDeclTree() { this = TFuncDeclElement(ast) }
+
+    AbstractFunctionDecl getAst() { result = ast }
+
+    final override ControlFlowElement getChildElement(int i) {
+      result.asAstNode() = ast.getParam(i)
+      or
+      result.asAstNode() = ast.getBody() and
+      i = ast.getNumberOfParams()
+    }
+  }
 }
 
 module Exprs {

swift/ql/lib/codeql/swift/dataflow/Ssa.qll

@@ -64,6 +64,29 @@ module Ssa {
         a = bb.getNode(i).getNode().asAstNode() and
         value.getNode().asAstNode() = a.getSource()
       )
+      or
+      exists(VarDecl var, BasicBlock bb, int blockIndex, PatternBindingDecl pbd |
+        this.definesAt(var, bb, blockIndex) and
+        pbd.getAPattern() = bb.getNode(blockIndex).getNode().asAstNode() and
+        value.getNode().asAstNode() = var.getParentInitializer()
+      )
+    }
+  }
+
+  cached
+  class PhiDefinition extends Definition, SsaImplCommon::PhiNode {
+    cached
+    override Location getLocation() {
+      exists(BasicBlock bb, int i |
+        this.definesAt(_, bb, i) and
+        result = bb.getLocation()
+      )
     }
+
+    cached
+    Definition getPhiInput(BasicBlock bb) { SsaImplCommon::phiHasInputFromBlock(this, result, bb) }
+
+    cached
+    Definition getAPhiInput() { result = this.getPhiInput(_) }
   }
 }

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll

@@ -1,5 +1,6 @@
 private import swift
 private import DataFlowPrivate
+private import DataFlowPublic
 
 newtype TReturnKind = TNormalReturnKind()
 
@@ -42,47 +43,34 @@ class DataFlowCallable extends TDataFlowCallable {
  * A call. This includes calls from source code, as well as call(back)s
  * inside library callables with a flow summary.
  */
-class DataFlowCall extends TDataFlowCall {
+class DataFlowCall extends ExprNode {
+  DataFlowCall() { this.asExpr() instanceof CallExpr }
+
   /** Gets the enclosing callable. */
   DataFlowCallable getEnclosingCallable() { none() }
-
-  /** Gets a textual representation of this call. */
-  string toString() { none() }
-
-  /** Gets the location of this call. */
-  Location getLocation() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
 }
 
 cached
 private module Cached {
   cached
-  newtype TDataFlowCallable = TODO_TDataFlowCallable()
-
-  cached
-  newtype TDataFlowCall = TODO_TDataFlowCall()
+  newtype TDataFlowCallable = TDataFlowFunc(FuncDecl func)
 
   /** Gets a viable run-time target for the call `call`. */
   cached
-  DataFlowCallable viableCallable(DataFlowCall call) { none() }
+  DataFlowCallable viableCallable(DataFlowCall call) {
+    result = TDataFlowFunc(call.asExpr().(CallExpr).getStaticTarget())
+  }
 
   cached
-  newtype TArgumentPosition = TODO_TArgumentPosition()
+  newtype TArgumentPosition =
+    TThisArgument() or
+    // we rely on default exprs generated in the caller for ordering
+    TPositionalArgument(int n) { n = any(Argument arg).getIndex() }
 
   cached
-  newtype TParameterPosition = TODO_TParameterPosition()
+  newtype TParameterPosition =
+    TThisParameter() or
+    TPositionalParameter(int n) { n = any(Argument arg).getIndex() }
 }
 
 import Cached
@@ -105,12 +93,25 @@ class ParameterPosition extends TParameterPosition {
   string toString() { none() }
 }
 
+class PositionalParameterPosition extends ParameterPosition, TPositionalParameter {
+  int getIndex() { this = TPositionalParameter(result) }
+}
+
 /** An argument position. */
 class ArgumentPosition extends TArgumentPosition {
   /** Gets a textual representation of this position. */
   string toString() { none() }
 }
 
+class PositionalArgumentPosition extends ArgumentPosition, TPositionalArgument {
+  int getIndex() { this = TPositionalArgument(result) }
+}
+
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { none() }
+predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
+  ppos instanceof TThisParameter and
+  apos instanceof TThisArgument
+  or
+  ppos.(PositionalParameterPosition).getIndex() = apos.(PositionalArgumentPosition).getIndex()
+}

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -3,6 +3,8 @@ private import DataFlowPublic
 private import DataFlowDispatch
 private import codeql.swift.controlflow.CfgNodes
 private import codeql.swift.dataflow.Ssa
+private import codeql.swift.controlflow.BasicBlocks
+private import codeql.swift.dataflow.internal.SsaImplCommon as SsaImpl
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallable() }
@@ -31,12 +33,25 @@ private class ExprNodeImpl extends ExprNode, NodeImpl {
   override Location getLocationImpl() { result = expr.getLocation() }
 
   override string toStringImpl() { result = expr.toString() }
+
+  override DataFlowCallable getEnclosingCallable() { result = TDataFlowFunc(expr.getScope()) }
 }
 
 private class SsaDefinitionNodeImpl extends SsaDefinitionNode, NodeImpl {
   override Location getLocationImpl() { result = def.getLocation() }
 
   override string toStringImpl() { result = def.toString() }
+
+  override DataFlowCallable getEnclosingCallable() {
+    result = TDataFlowFunc(def.getBasicBlock().getScope())
+  }
+}
+
+private predicate localFlowSsaInput(Node nodeFrom, Ssa::Definition def, Ssa::Definition next) {
+  exists(BasicBlock bb, int i | SsaImpl::lastRefRedef(def, bb, i, next) |
+    def.definesAt(_, bb, i) and
+    def = nodeFrom.asDefinition()
+  )
 }
 
 /** A collection of cached types and predicates to be evaluated in the same stage. */
@@ -45,7 +60,6 @@ private module Cached {
   cached
   newtype TNode =
     TExprNode(ExprCfgNode e) or
-    TNormalParameterNode(ParamDecl p) or
     TSsaDefinitionNode(Ssa::Definition def)
 
   private predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) {
@@ -60,6 +74,9 @@ private module Cached {
       or
       // use-use flow
       def.adjacentReadPair(nodeFrom.getCfgNode(), nodeTo.getCfgNode())
+      or
+      // step from previous read to Phi node
+      localFlowSsaInput(nodeFrom, def, nodeTo.asDefinition())
     )
   }
 
@@ -93,18 +110,29 @@ private module ParameterNodes {
     predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { none() }
   }
 
-  class NormalParameterNode extends ParameterNodeImpl, TNormalParameterNode {
+  class NormalParameterNode extends ParameterNodeImpl, SsaDefinitionNode {
     ParamDecl param;
 
-    NormalParameterNode() { this = TNormalParameterNode(param) }
+    NormalParameterNode() {
+      exists(BasicBlock bb, int i |
+        super.asDefinition().definesAt(param, bb, i) and
+        bb.getNode(i).getNode().asAstNode() = param
+      )
+    }
 
     override Location getLocationImpl() { result = param.getLocation() }
 
     override string toStringImpl() { result = param.toString() }
 
     override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-      none() // TODO
+      exists(FuncDecl f, int index |
+        c = TDataFlowFunc(f) and
+        f.getParam(index) = param and
+        pos = TPositionalParameter(index)
+      )
     }
+
+    override DataFlowCallable getEnclosingCallable() { isParameterOf(result, _) }
   }
 }
 
@@ -119,7 +147,16 @@ abstract class ArgumentNode extends Node {
   final DataFlowCall getCall() { this.argumentOf(result, _) }
 }
 
-private module ArgumentNodes { }
+private module ArgumentNodes {
+  class NormalArgumentNode extends ExprNode, ArgumentNode {
+    NormalArgumentNode() { exists(CallExpr call | call.getAnArgument().getExpr() = this.asExpr()) }
+
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+      call.asExpr().(CallExpr).getArgument(pos.(PositionalArgumentPosition).getIndex()).getExpr() =
+        this.asExpr()
+    }
+  }
+}
 
 import ArgumentNodes
 
@@ -129,7 +166,13 @@ abstract class ReturnNode extends Node {
   abstract ReturnKind getKind();
 }
 
-private module ReturnNodes { }
+private module ReturnNodes {
+  class ReturnReturnNode extends ReturnNode, ExprNode {
+    ReturnReturnNode() { exists(ReturnStmt stmt | stmt.getResult() = this.asExpr()) }
+
+    override ReturnKind getKind() { result instanceof NormalReturnKind }
+  }
+}
 
 import ReturnNodes
 
@@ -139,7 +182,13 @@ abstract class OutNode extends Node {
   abstract DataFlowCall getCall(ReturnKind kind);
 }
 
-private module OutNodes { }
+private module OutNodes {
+  class CallOutNode extends OutNode, DataFlowCall {
+    override DataFlowCall getCall(ReturnKind kind) {
+      result = this and kind instanceof NormalReturnKind
+    }
+  }
+}
 
 import OutNodes
 
@@ -169,7 +218,9 @@ class DataFlowType extends TDataFlowType {
 }
 
 /** Gets the type of `n` used for type pruning. */
-DataFlowType getNodeType(NodeImpl n) { none() }
+DataFlowType getNodeType(NodeImpl n) {
+  any() // return the singleton DataFlowType until we support type pruning for Swift
+}
 
 /** Gets a string representation of a `DataFlowType`. */
 string ppReprType(DataFlowType t) { result = t.toString() }

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll

@@ -69,7 +69,7 @@ class ExprNode extends Node, TExprNode {
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph.
  */
-class ParameterNode extends Node, TNormalParameterNode instanceof ParameterNodeImpl { }
+class ParameterNode extends Node, SsaDefinitionNode instanceof ParameterNodeImpl { }
 
 /**
  */
@@ -98,7 +98,7 @@ class PostUpdateNode extends Node instanceof PostUpdateNodeImpl {
 }
 
 /** Gets a node corresponding to expression `e`. */
-ExprNode exprNode(DataFlowExpr e) { none() }
+ExprNode exprNode(DataFlowExpr e) { result.asExpr() = e }
 
 /**
  * Gets the node corresponding to the value of parameter `p` at function entry.

swift/ql/lib/codeql/swift/dataflow/internal/SsaImplSpecific.qll

@@ -27,6 +27,10 @@ predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain)
     v.getParentPattern() = pattern and
     certain = true
   )
+  or
+  v instanceof ParamDecl and
+  bb.getNode(i).getNode().asAstNode() = v and
+  certain = true
 }
 
 private predicate isLValue(DeclRefExpr ref) { any(AssignExpr assign).getDest() = ref }

swift/ql/lib/codeql/swift/elements/expr/Argument.qll

@@ -1,5 +1,8 @@
 private import codeql.swift.generated.expr.Argument
+private import codeql.swift.elements.expr.ApplyExpr
 
 class Argument extends ArgumentBase {
   override string toString() { result = this.getLabel() + ": " + this.getExpr().toString() }
+
+  int getIndex() { any(ApplyExpr apply).getArgument(result) = this }
 }