Merge pull request #11836 from geoffw0/optbinding

Swift: Data flow through optional binding

Author: MathiasVP

swift/ql/lib/codeql/swift/dataflow/Ssa.qll

@@ -30,9 +30,16 @@ module Ssa {
         certain = true
       )
       or
-      exists(PatternBindingDecl decl, Pattern pattern |
+      // Any variable initialization through pattern matching. For example each `x*` in:
+      // ```
+      // var x1 = v
+      // let x2 = v
+      // let (x3, x4) = tuple
+      // if let x5 = optional { ... }
+      // guard let x6 = optional else { ... }
+      // ```
+      exists(Pattern pattern |
         bb.getNode(i).getNode().asAstNode() = pattern and
-        decl.getAPattern() = pattern and
         v.getParentPattern() = pattern and
         certain = true
       )
@@ -158,6 +165,15 @@ module Ssa {
         // TODO: We should probably enumerate more cfg nodes here.
         value.(PropertyGetterCfgNode).getRef() = init
       )
+      or
+      exists(SsaInput::BasicBlock bb, int blockIndex, ConditionElement ce, Expr init |
+        this.definesAt(_, bb, blockIndex) and
+        ce.getPattern() = bb.getNode(blockIndex).getNode().asAstNode() and
+        init = ce.getInitializer() and
+        strictcount(Ssa::WriteDefinition alt | alt.definesAt(_, bb, blockIndex)) = 1 // exclude cases where there are multiple writes from the same pattern, this is at best taint flow.
+      |
+        value.getNode().asAstNode() = init
+      )
     }
   }
 

swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected

@@ -100,36 +100,48 @@ edges
 | test.swift:225:14:225:21 | call to source() :  | test.swift:235:13:235:15 | .source_value |
 | test.swift:225:14:225:21 | call to source() :  | test.swift:238:13:238:15 | .source_value |
 | test.swift:259:12:259:19 | call to source() :  | test.swift:263:13:263:28 | call to optionalSource() :  |
+| test.swift:259:12:259:19 | call to source() :  | test.swift:439:13:439:28 | call to optionalSource() :  |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:265:15:265:15 | x |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:267:15:267:16 | ...! |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:271:15:271:16 | ...? :  |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:274:15:274:20 | ... ??(_:_:) ... |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:275:15:275:27 | ... ??(_:_:) ... |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:279:15:279:31 | ... ? ... : ... |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:280:15:280:38 | ... ? ... : ... |
+| test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:285:19:285:19 | z |
+| test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:291:16:291:17 | ...? :  |
+| test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:300:15:300:15 | z1 |
+| test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:303:15:303:16 | ...! :  |
+| test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:307:19:307:19 | z |
 | test.swift:270:15:270:22 | call to source() :  | file://:0:0:0:0 | [summary param] this in signum() :  |
 | test.swift:270:15:270:22 | call to source() :  | test.swift:270:15:270:31 | call to signum() |
 | test.swift:271:15:271:16 | ...? :  | file://:0:0:0:0 | [summary param] this in signum() :  |
 | test.swift:271:15:271:16 | ...? :  | test.swift:271:15:271:25 | call to signum() :  |
 | test.swift:271:15:271:25 | call to signum() :  | test.swift:271:15:271:25 | OptionalEvaluationExpr |
 | test.swift:280:31:280:38 | call to source() :  | test.swift:280:15:280:38 | ... ? ... : ... |
 | test.swift:282:31:282:38 | call to source() :  | test.swift:282:15:282:38 | ... ? ... : ... |
-| test.swift:302:14:302:26 | (...) [Tuple element at index 1] :  | test.swift:306:15:306:15 | t1 [Tuple element at index 1] :  |
-| test.swift:302:18:302:25 | call to source() :  | test.swift:302:14:302:26 | (...) [Tuple element at index 1] :  |
-| test.swift:306:15:306:15 | t1 [Tuple element at index 1] :  | test.swift:306:15:306:18 | .1 |
-| test.swift:314:5:314:5 | [post] t1 [Tuple element at index 0] :  | test.swift:317:15:317:15 | t1 [Tuple element at index 0] :  |
-| test.swift:314:12:314:19 | call to source() :  | test.swift:314:5:314:5 | [post] t1 [Tuple element at index 0] :  |
-| test.swift:317:15:317:15 | t1 [Tuple element at index 0] :  | test.swift:317:15:317:18 | .0 |
-| test.swift:322:14:322:45 | (...) [Tuple element at index 0] :  | test.swift:327:15:327:15 | t1 [Tuple element at index 0] :  |
-| test.swift:322:14:322:45 | (...) [Tuple element at index 0] :  | test.swift:331:15:331:15 | t2 [Tuple element at index 0] :  |
-| test.swift:322:14:322:45 | (...) [Tuple element at index 1] :  | test.swift:328:15:328:15 | t1 [Tuple element at index 1] :  |
-| test.swift:322:14:322:45 | (...) [Tuple element at index 1] :  | test.swift:332:15:332:15 | t2 [Tuple element at index 1] :  |
-| test.swift:322:18:322:25 | call to source() :  | test.swift:322:14:322:45 | (...) [Tuple element at index 0] :  |
-| test.swift:322:31:322:38 | call to source() :  | test.swift:322:14:322:45 | (...) [Tuple element at index 1] :  |
-| test.swift:327:15:327:15 | t1 [Tuple element at index 0] :  | test.swift:327:15:327:18 | .0 |
-| test.swift:328:15:328:15 | t1 [Tuple element at index 1] :  | test.swift:328:15:328:18 | .1 |
-| test.swift:331:15:331:15 | t2 [Tuple element at index 0] :  | test.swift:331:15:331:18 | .0 |
-| test.swift:332:15:332:15 | t2 [Tuple element at index 1] :  | test.swift:332:15:332:18 | .1 |
+| test.swift:291:16:291:17 | ...? :  | file://:0:0:0:0 | [summary param] this in signum() :  |
+| test.swift:291:16:291:17 | ...? :  | test.swift:291:16:291:26 | call to signum() :  |
+| test.swift:291:16:291:26 | call to signum() :  | test.swift:292:19:292:19 | z |
+| test.swift:303:15:303:16 | ...! :  | file://:0:0:0:0 | [summary param] this in signum() :  |
+| test.swift:303:15:303:16 | ...! :  | test.swift:303:15:303:25 | call to signum() |
+| test.swift:331:14:331:26 | (...) [Tuple element at index 1] :  | test.swift:335:15:335:15 | t1 [Tuple element at index 1] :  |
+| test.swift:331:18:331:25 | call to source() :  | test.swift:331:14:331:26 | (...) [Tuple element at index 1] :  |
+| test.swift:335:15:335:15 | t1 [Tuple element at index 1] :  | test.swift:335:15:335:18 | .1 |
+| test.swift:343:5:343:5 | [post] t1 [Tuple element at index 0] :  | test.swift:346:15:346:15 | t1 [Tuple element at index 0] :  |
+| test.swift:343:12:343:19 | call to source() :  | test.swift:343:5:343:5 | [post] t1 [Tuple element at index 0] :  |
+| test.swift:346:15:346:15 | t1 [Tuple element at index 0] :  | test.swift:346:15:346:18 | .0 |
+| test.swift:351:14:351:45 | (...) [Tuple element at index 0] :  | test.swift:356:15:356:15 | t1 [Tuple element at index 0] :  |
+| test.swift:351:14:351:45 | (...) [Tuple element at index 0] :  | test.swift:360:15:360:15 | t2 [Tuple element at index 0] :  |
+| test.swift:351:14:351:45 | (...) [Tuple element at index 1] :  | test.swift:357:15:357:15 | t1 [Tuple element at index 1] :  |
+| test.swift:351:14:351:45 | (...) [Tuple element at index 1] :  | test.swift:361:15:361:15 | t2 [Tuple element at index 1] :  |
+| test.swift:351:18:351:25 | call to source() :  | test.swift:351:14:351:45 | (...) [Tuple element at index 0] :  |
+| test.swift:351:31:351:38 | call to source() :  | test.swift:351:14:351:45 | (...) [Tuple element at index 1] :  |
+| test.swift:356:15:356:15 | t1 [Tuple element at index 0] :  | test.swift:356:15:356:18 | .0 |
+| test.swift:357:15:357:15 | t1 [Tuple element at index 1] :  | test.swift:357:15:357:18 | .1 |
+| test.swift:360:15:360:15 | t2 [Tuple element at index 0] :  | test.swift:360:15:360:18 | .0 |
+| test.swift:361:15:361:15 | t2 [Tuple element at index 1] :  | test.swift:361:15:361:18 | .1 |
+| test.swift:439:13:439:28 | call to optionalSource() :  | test.swift:442:19:442:19 | a |
 nodes
 | file://:0:0:0:0 | .a [x] :  | semmle.label | .a [x] :  |
 | file://:0:0:0:0 | .x :  | semmle.label | .x :  |
@@ -258,26 +270,36 @@ nodes
 | test.swift:280:31:280:38 | call to source() :  | semmle.label | call to source() :  |
 | test.swift:282:15:282:38 | ... ? ... : ... | semmle.label | ... ? ... : ... |
 | test.swift:282:31:282:38 | call to source() :  | semmle.label | call to source() :  |
-| test.swift:302:14:302:26 | (...) [Tuple element at index 1] :  | semmle.label | (...) [Tuple element at index 1] :  |
-| test.swift:302:18:302:25 | call to source() :  | semmle.label | call to source() :  |
-| test.swift:306:15:306:15 | t1 [Tuple element at index 1] :  | semmle.label | t1 [Tuple element at index 1] :  |
-| test.swift:306:15:306:18 | .1 | semmle.label | .1 |
-| test.swift:314:5:314:5 | [post] t1 [Tuple element at index 0] :  | semmle.label | [post] t1 [Tuple element at index 0] :  |
-| test.swift:314:12:314:19 | call to source() :  | semmle.label | call to source() :  |
-| test.swift:317:15:317:15 | t1 [Tuple element at index 0] :  | semmle.label | t1 [Tuple element at index 0] :  |
-| test.swift:317:15:317:18 | .0 | semmle.label | .0 |
-| test.swift:322:14:322:45 | (...) [Tuple element at index 0] :  | semmle.label | (...) [Tuple element at index 0] :  |
-| test.swift:322:14:322:45 | (...) [Tuple element at index 1] :  | semmle.label | (...) [Tuple element at index 1] :  |
-| test.swift:322:18:322:25 | call to source() :  | semmle.label | call to source() :  |
-| test.swift:322:31:322:38 | call to source() :  | semmle.label | call to source() :  |
-| test.swift:327:15:327:15 | t1 [Tuple element at index 0] :  | semmle.label | t1 [Tuple element at index 0] :  |
-| test.swift:327:15:327:18 | .0 | semmle.label | .0 |
-| test.swift:328:15:328:15 | t1 [Tuple element at index 1] :  | semmle.label | t1 [Tuple element at index 1] :  |
-| test.swift:328:15:328:18 | .1 | semmle.label | .1 |
-| test.swift:331:15:331:15 | t2 [Tuple element at index 0] :  | semmle.label | t2 [Tuple element at index 0] :  |
-| test.swift:331:15:331:18 | .0 | semmle.label | .0 |
-| test.swift:332:15:332:15 | t2 [Tuple element at index 1] :  | semmle.label | t2 [Tuple element at index 1] :  |
-| test.swift:332:15:332:18 | .1 | semmle.label | .1 |
+| test.swift:285:19:285:19 | z | semmle.label | z |
+| test.swift:291:16:291:17 | ...? :  | semmle.label | ...? :  |
+| test.swift:291:16:291:26 | call to signum() :  | semmle.label | call to signum() :  |
+| test.swift:292:19:292:19 | z | semmle.label | z |
+| test.swift:300:15:300:15 | z1 | semmle.label | z1 |
+| test.swift:303:15:303:16 | ...! :  | semmle.label | ...! :  |
+| test.swift:303:15:303:25 | call to signum() | semmle.label | call to signum() |
+| test.swift:307:19:307:19 | z | semmle.label | z |
+| test.swift:331:14:331:26 | (...) [Tuple element at index 1] :  | semmle.label | (...) [Tuple element at index 1] :  |
+| test.swift:331:18:331:25 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:335:15:335:15 | t1 [Tuple element at index 1] :  | semmle.label | t1 [Tuple element at index 1] :  |
+| test.swift:335:15:335:18 | .1 | semmle.label | .1 |
+| test.swift:343:5:343:5 | [post] t1 [Tuple element at index 0] :  | semmle.label | [post] t1 [Tuple element at index 0] :  |
+| test.swift:343:12:343:19 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:346:15:346:15 | t1 [Tuple element at index 0] :  | semmle.label | t1 [Tuple element at index 0] :  |
+| test.swift:346:15:346:18 | .0 | semmle.label | .0 |
+| test.swift:351:14:351:45 | (...) [Tuple element at index 0] :  | semmle.label | (...) [Tuple element at index 0] :  |
+| test.swift:351:14:351:45 | (...) [Tuple element at index 1] :  | semmle.label | (...) [Tuple element at index 1] :  |
+| test.swift:351:18:351:25 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:351:31:351:38 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:356:15:356:15 | t1 [Tuple element at index 0] :  | semmle.label | t1 [Tuple element at index 0] :  |
+| test.swift:356:15:356:18 | .0 | semmle.label | .0 |
+| test.swift:357:15:357:15 | t1 [Tuple element at index 1] :  | semmle.label | t1 [Tuple element at index 1] :  |
+| test.swift:357:15:357:18 | .1 | semmle.label | .1 |
+| test.swift:360:15:360:15 | t2 [Tuple element at index 0] :  | semmle.label | t2 [Tuple element at index 0] :  |
+| test.swift:360:15:360:18 | .0 | semmle.label | .0 |
+| test.swift:361:15:361:15 | t2 [Tuple element at index 1] :  | semmle.label | t2 [Tuple element at index 1] :  |
+| test.swift:361:15:361:18 | .1 | semmle.label | .1 |
+| test.swift:439:13:439:28 | call to optionalSource() :  | semmle.label | call to optionalSource() :  |
+| test.swift:442:19:442:19 | a | semmle.label | a |
 subpaths
 | test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  | test.swift:65:1:70:1 | arg2[return] :  | test.swift:75:31:75:32 | [post] &... :  |
 | test.swift:114:19:114:19 | arg :  | test.swift:109:9:109:14 | arg :  | test.swift:110:12:110:12 | arg :  | test.swift:114:12:114:22 | call to ... :  |
@@ -306,6 +328,8 @@ subpaths
 | test.swift:219:13:219:15 | .a [x] :  | test.swift:163:7:163:7 | self [x] :  | file://:0:0:0:0 | .x :  | test.swift:219:13:219:17 | .x |
 | test.swift:270:15:270:22 | call to source() :  | file://:0:0:0:0 | [summary param] this in signum() :  | file://:0:0:0:0 | [summary] to write: return (return) in signum() :  | test.swift:270:15:270:31 | call to signum() |
 | test.swift:271:15:271:16 | ...? :  | file://:0:0:0:0 | [summary param] this in signum() :  | file://:0:0:0:0 | [summary] to write: return (return) in signum() :  | test.swift:271:15:271:25 | call to signum() :  |
+| test.swift:291:16:291:17 | ...? :  | file://:0:0:0:0 | [summary param] this in signum() :  | file://:0:0:0:0 | [summary] to write: return (return) in signum() :  | test.swift:291:16:291:26 | call to signum() :  |
+| test.swift:303:15:303:16 | ...! :  | file://:0:0:0:0 | [summary param] this in signum() :  | file://:0:0:0:0 | [summary] to write: return (return) in signum() :  | test.swift:303:15:303:25 | call to signum() |
 #select
 | test.swift:7:15:7:15 | t1 | test.swift:6:19:6:26 | call to source() :  | test.swift:7:15:7:15 | t1 | result |
 | test.swift:9:15:9:15 | t1 | test.swift:6:19:6:26 | call to source() :  | test.swift:9:15:9:15 | t1 | result |
@@ -345,9 +369,15 @@ subpaths
 | test.swift:280:15:280:38 | ... ? ... : ... | test.swift:259:12:259:19 | call to source() :  | test.swift:280:15:280:38 | ... ? ... : ... | result |
 | test.swift:280:15:280:38 | ... ? ... : ... | test.swift:280:31:280:38 | call to source() :  | test.swift:280:15:280:38 | ... ? ... : ... | result |
 | test.swift:282:15:282:38 | ... ? ... : ... | test.swift:282:31:282:38 | call to source() :  | test.swift:282:15:282:38 | ... ? ... : ... | result |
-| test.swift:306:15:306:18 | .1 | test.swift:302:18:302:25 | call to source() :  | test.swift:306:15:306:18 | .1 | result |
-| test.swift:317:15:317:18 | .0 | test.swift:314:12:314:19 | call to source() :  | test.swift:317:15:317:18 | .0 | result |
-| test.swift:327:15:327:18 | .0 | test.swift:322:18:322:25 | call to source() :  | test.swift:327:15:327:18 | .0 | result |
-| test.swift:328:15:328:18 | .1 | test.swift:322:31:322:38 | call to source() :  | test.swift:328:15:328:18 | .1 | result |
-| test.swift:331:15:331:18 | .0 | test.swift:322:18:322:25 | call to source() :  | test.swift:331:15:331:18 | .0 | result |
-| test.swift:332:15:332:18 | .1 | test.swift:322:31:322:38 | call to source() :  | test.swift:332:15:332:18 | .1 | result |
+| test.swift:285:19:285:19 | z | test.swift:259:12:259:19 | call to source() :  | test.swift:285:19:285:19 | z | result |
+| test.swift:292:19:292:19 | z | test.swift:259:12:259:19 | call to source() :  | test.swift:292:19:292:19 | z | result |
+| test.swift:300:15:300:15 | z1 | test.swift:259:12:259:19 | call to source() :  | test.swift:300:15:300:15 | z1 | result |
+| test.swift:303:15:303:25 | call to signum() | test.swift:259:12:259:19 | call to source() :  | test.swift:303:15:303:25 | call to signum() | result |
+| test.swift:307:19:307:19 | z | test.swift:259:12:259:19 | call to source() :  | test.swift:307:19:307:19 | z | result |
+| test.swift:335:15:335:18 | .1 | test.swift:331:18:331:25 | call to source() :  | test.swift:335:15:335:18 | .1 | result |
+| test.swift:346:15:346:18 | .0 | test.swift:343:12:343:19 | call to source() :  | test.swift:346:15:346:18 | .0 | result |
+| test.swift:356:15:356:18 | .0 | test.swift:351:18:351:25 | call to source() :  | test.swift:356:15:356:18 | .0 | result |
+| test.swift:357:15:357:18 | .1 | test.swift:351:31:351:38 | call to source() :  | test.swift:357:15:357:18 | .1 | result |
+| test.swift:360:15:360:18 | .0 | test.swift:351:18:351:25 | call to source() :  | test.swift:360:15:360:18 | .0 | result |
+| test.swift:361:15:361:18 | .1 | test.swift:351:31:351:38 | call to source() :  | test.swift:361:15:361:18 | .1 | result |
+| test.swift:442:19:442:19 | a | test.swift:259:12:259:19 | call to source() :  | test.swift:442:19:442:19 | a | result |

swift/ql/test/library-tests/dataflow/dataflow/FlowConfig.qll

@@ -10,7 +10,7 @@ class TestConfiguration extends DataFlow::Configuration {
   TestConfiguration() { this = "TestConfiguration" }
 
   override predicate isSource(DataFlow::Node src) {
-    src.asExpr().(CallExpr).getStaticTarget().getName() = "source()"
+    src.asExpr().(CallExpr).getStaticTarget().getName().matches("source%()")
   }
 
   override predicate isSink(DataFlow::Node sink) {