github
diff --git a/‎ruby/ql/lib/codeql/ruby/dataflow/internal/CapturedVariableFlow.qll
Lines changed: 155 additions & 53 deletions b/‎ruby/ql/lib/codeql/ruby/dataflow/internal/CapturedVariableFlow.qll
Lines changed: 155 additions & 53 deletions
@@ -1,111 +1,215 @@
+/**
+ * Provides classes and predicates for working with captured variables.
+ *
+ * We model reads from and writes to captured variable using field-flow.
+ *
+ * Example:
+ *
+ * ```rb
+ * def foo
+ *   x = 1
+ *   puts x
+ *   fn = -> {
+ *     puts x
+ *     x = 2
+ *   }
+ *   fn.call
+ *   puts x
+ * end
+ * ```
+ *
+ * We create a new kind of synthetic local variable, one per capturing callable,
+ * in this case `fn`, let's call it `fn_closure`.
+ *
+ * `fn_closure` will have an implicit entry definition at the start of `foo`,
+ * as well as at the start of the lambda itself, in which it behaves like a
+ * `self` parameter.
+ *
+ * Writes to captured variables will be turned into store steps, where the target
+ * of the store is the synthetic variable, and dually for reads.
+ *
+ * ```rb
+ * def foo
+ *   # fn_closure = implicit
+ *   x = 1 # fn_closure.x = 1
+ *   puts x # puts fn_closure.x
+ *   fn = -> {
+ *     # fn_closure = self
+ *     puts x # puts fn_closure.x
+ *     x = 2 # fn_closure.x = 2
+ *   }
+ *   fn.call
+ *   puts x # puts fn_closure.x
+ * end
+ * ```
+ *
+ * We will use SSA to construct adjacent use-use steps for `fn_closure`.
+ *
+ * Now we need to actually model flow in/out of the lambda. We do this by
+ * adding another synthetic access to `fn_closure` at the very definiton
+ * of the lambda, add a local flow step from this access to the lambda
+ * itself, and ensure that the receiver of a lambda call is a `self` argument:
+ *
+ * ```rb
+ * def foo
+ *   # fn_closure = implicit
+ *   x = 1 # fn_closure.x = 1
+ *   puts x # puts fn_closure.x
+ *   fn = # fn_closure, local step into the lambda below
+ *     -> {
+ *     # fn_closure = self
+ *     puts x # puts fn_closure.x
+ *     x = 2 # fn_closure.x = 2
+ *   }
+ *   fn.call # fn is a `self` argument
+ *   puts x # puts fn_closure.x
+ * end
+ * ```
+ *
+ * The above ensures flow _into_ the lambda. For flow out
+ */
+
 private import codeql.ssa.Ssa as SsaImplCommon
 private import codeql.ruby.AST
 private import codeql.ruby.CFG as Cfg
 private import codeql.ruby.controlflow.internal.ControlFlowGraphImplShared as ControlFlowGraphImplShared
 private import codeql.ruby.dataflow.SSA
-private import codeql.ruby.ast.Variable
 private import Cfg::CfgNodes::ExprNodes
+private import DataFlowPrivate as DataFlowPrivate
+private import codeql.util.Unit
 
-class CapturedVariableAccess extends LocalVariableAccess {
+private class CapturedVariableAccess extends LocalVariableAccess {
   CapturedVariableAccess() { this.isCapturedAccess() }
 }
 
+/** A variable that is captured. */
 class CapturedVariable extends LocalVariable {
   CapturedVariable() { this.isCaptured() }
 }
 
+/** A callable that captures a local variable. */
 class CapturingCallable extends Callable {
   CapturingCallable() { any(CapturedVariableAccess access).getCfgScope() = this }
 
+  /** Gets a local variable captured by this callable. */
   CapturedVariable getACapturedVariable() { result.getAnAccess().getCfgScope() = this }
 }
 
-private predicate entryWrite(Cfg::EntryBasicBlock bb, int i, CapturingCallable v) {
-  i = -1 and
-  (
-    bb.getScope() = v
-    or
-    bb.getScope() = v.getACapturedVariable().getDeclaringScope()
-  )
-}
-
+// private predicate entryWrite(Cfg::EntryBasicBlock bb, int i, CapturingCallable c) {
+//   i = -1 and
+//   (
+//     bb.getScope() = c
+//     or
+//     bb.getScope() = c.getACapturedVariable().getDeclaringScope()
+//   )
+// }
+// private predicate entryWrite(Cfg::EntryBasicBlock bb, CapturingCallable c) {
+//     bb.getScope() instanceof CapturingCallable
+//     or
+//     or
+//     bb.getScope() = c.getACapturedVariable().getDeclaringScope()
+//   )
+// }
 private predicate captureRead1(
-  Cfg::BasicBlock bb, int i, CapturedVariable var, VariableAccessCfgNode access, CapturingCallable v
+  Cfg::BasicBlock bb, int i, CapturedVariable var, VariableAccessCfgNode access, CapturingCallable c
 ) {
   bb.getNode(i) = access and
   access.getNode() = var.getAnAccess() and
-  var = v.getACapturedVariable() and
-  (bb.getScope() = v or bb.getScope() = var.getDefiningAccess().getCfgScope())
+  var = c.getACapturedVariable() and
+  (bb.getScope() = c or bb.getScope() = var.getDefiningAccess().getCfgScope())
 }
 
-private predicate captureRead2(Cfg::BasicBlock bb, int i, CapturingCallable v) {
-  bb.getNode(i).getNode() = v
+private predicate captureRead2(Cfg::BasicBlock bb, int i, Callable c) {
+  bb.getNode(i).getNode() = c
 }
 
-newtype TCaptureAccess =
-  TEntryDef(Cfg::EntryBasicBlock bb, int i, CapturingCallable v) { entryWrite(bb, i, v) } or
+private predicate captureRead3(Cfg::BasicBlock bb, int i) {
+  // todo: BlockParameterNode
+  // DataFlowPrivate::lambdaCall(_, bb.getNode(i)) and
+  // (
+  //   bb.getScope() = c
+  //   or
+  //   bb.getScope() = c.getACapturedVariable().getDeclaringScope()
+  // )
+  bb.getNode(i) instanceof DataFlowPrivate::Argument
+  or
+  DataFlowPrivate::isBlockArgument(_, bb.getNode(i))
+}
+
+cached
+private newtype TCaptureAccess =
+  TEntryDef(Cfg::EntryBasicBlock bb) or
   TVariableAccess(VariableAccessCfgNode access, CapturingCallable v) {
     captureRead1(_, _, _, access, v)
   } or
-  TLambdaAccess(Cfg::BasicBlock bb, int i, CapturingCallable v) { captureRead2(bb, i, v) }
+  TLambdaAccess(Cfg::BasicBlock bb, int i, Callable c) { captureRead2(bb, i, c) } or
+  TCallAccess(Cfg::BasicBlock bb, int i) { captureRead3(bb, i) }
 
 class CaptureAccess extends TCaptureAccess {
   string toString() { result = "<captured variable>" }
 
   Location getLocation() {
-    exists(Cfg::EntryBasicBlock bb, int i, CapturingCallable v |
-      this = TEntryDef(bb, i, v) and
+    exists(Cfg::EntryBasicBlock bb |
+      this = TEntryDef(bb) and
       result = bb.getLocation()
     )
     or
     exists(VariableAccessCfgNode access | this = TVariableAccess(access, _) |
       result = access.getLocation()
     )
     or
-    exists(CapturingCallable c |
+    exists(Callable c |
       this = TLambdaAccess(_, _, c) and
       result = c.getLocation()
     )
+    or
+    exists(Cfg::BasicBlock bb, int i |
+      this = TCallAccess(bb, i) and
+      result = bb.getNode(i).getLocation()
+    )
   }
 
   Cfg::CfgScope getCfgScope() {
-    exists(Cfg::EntryBasicBlock bb, int i, CapturingCallable v |
-      this = TEntryDef(bb, i, v) and
+    exists(Cfg::EntryBasicBlock bb |
+      this = TEntryDef(bb) and
       result = bb.getScope()
     )
     or
     exists(VariableAccessCfgNode access | this = TVariableAccess(access, _) |
       result = access.getScope()
     )
     or
-    exists(CapturingCallable c |
-      this = TLambdaAccess(_, _, c) and
-      result = c.getCfgScope()
+    exists(Cfg::BasicBlock bb |
+      this = TLambdaAccess(bb, _, _) and
+      result = bb.getScope()
+    )
+    or
+    exists(Cfg::BasicBlock bb |
+      this = TCallAccess(bb, _) and
+      result = bb.getScope()
     )
   }
 
-  predicate isLambdaAccess(Cfg::BasicBlock bb, int i, CapturingCallable v) {
-    captureRead2(bb, i, v) and
-    this = TLambdaAccess(bb, i, v)
-  }
+  predicate isLambdaAccess(Cfg::BasicBlock bb, int i, Callable c) { this = TLambdaAccess(bb, i, c) }
+
+  predicate isCallAccess(Cfg::BasicBlock bb, int i) { this = TCallAccess(bb, i) }
 
-  predicate isRead(Cfg::BasicBlock bb, int i, CapturingCallable v) {
-    exists(VariableAccessCfgNode acc |
+  predicate isRead(Cfg::BasicBlock bb, int i) {
+    exists(VariableAccessCfgNode acc, CapturingCallable v |
       captureRead1(bb, i, _, acc, v) and
       this = TVariableAccess(acc, v)
     )
     or
-    this.isLambdaAccess(bb, i, v)
+    this.isLambdaAccess(bb, i, _)
+    or
+    this.isCallAccess(bb, i)
   }
 
-  predicate isWrite(Cfg::BasicBlock bb, int i, CapturingCallable v) {
-    entryWrite(bb, i, v) and
-    this = TEntryDef(bb, i, v)
-  }
+  predicate isWrite(Cfg::BasicBlock bb, int i) { this = TEntryDef(bb) and i = -1 }
 
-  predicate isReadOrWrite(Cfg::BasicBlock bb, int i, CapturingCallable v) {
-    this.isRead(bb, i, v) or
-    this.isWrite(bb, i, v)
+  predicate isReadOrWrite(Cfg::BasicBlock bb, int i) {
+    this.isRead(bb, i) or
+    this.isWrite(bb, i)
   }
 }
 
@@ -120,20 +224,22 @@ private module SsaInput implements SsaImplCommon::InputSig {
 
   class ExitBasicBlock = BasicBlocks::ExitBasicBlock;
 
-  class SourceVariable = CapturingCallable;
+  class SourceVariable = Unit;
 
   /**
    * Holds if the statement at index `i` of basic block `bb` contains a write to variable `v`.
    * `certain` is true if the write definitely occurs.
    */
   predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    any(CaptureAccess access).isWrite(bb, i, v) and
-    certain = true
+    any(CaptureAccess access).isWrite(bb, i) and
+    certain = true and
+    exists(v)
   }
 
   predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    any(CaptureAccess access).isRead(bb, i, v) and
-    certain = true
+    any(CaptureAccess access).isRead(bb, i) and
+    certain = true and
+    exists(v)
   }
 }
 
@@ -142,13 +248,9 @@ private import SsaImplCommon::Make<SsaInput> as Impl
 class Definition = Impl::Definition;
 
 predicate adjacentStep(CaptureAccess access1, CaptureAccess access2) {
-  exists(
-    Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2,
-    SsaInput::SourceVariable v
-  |
+  exists(Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2 |
     Impl::adjacentDefRead(def, bb1, i1, bb2, i2) and
-    v = def.getSourceVariable() and
-    access1.isReadOrWrite(bb1, i1, v) and
-    access2.isReadOrWrite(bb2, i2, v)
+    access1.isReadOrWrite(bb1, i1) and
+    access2.isReadOrWrite(bb2, i2)
   )
 }