temp3

Author: hvitved

ruby/ql/lib/codeql/ruby/dataflow/internal/CapturedVariableFlow.qll

@@ -78,72 +78,21 @@ private import Cfg::CfgNodes::ExprNodes
 private import DataFlowPrivate as DataFlowPrivate
 private import codeql.util.Unit
 
-private class CapturedVariableAccess extends LocalVariableAccess {
-  CapturedVariableAccess() { this.isCapturedAccess() }
-}
-
 /** A variable that is captured. */
 class CapturedVariable extends LocalVariable {
   CapturedVariable() { this.isCaptured() }
 }
 
-/** A callable that captures a local variable. */
-class CapturingCallable extends Callable {
-  CapturingCallable() { any(CapturedVariableAccess access).getCfgScope() = this }
-
-  /** Gets a local variable captured by this callable. */
-  CapturedVariable getACapturedVariable() { result.getAnAccess().getCfgScope() = this }
-}
-
-// private predicate entryWrite(Cfg::EntryBasicBlock bb, int i, CapturingCallable c) {
-//   i = -1 and
-//   (
-//     bb.getScope() = c
-//     or
-//     bb.getScope() = c.getACapturedVariable().getDeclaringScope()
-//   )
-// }
-// private predicate entryWrite(Cfg::EntryBasicBlock bb, CapturingCallable c) {
-//     bb.getScope() instanceof CapturingCallable
-//     or
-//     or
-//     bb.getScope() = c.getACapturedVariable().getDeclaringScope()
-//   )
-// }
-private predicate captureRead1(
-  Cfg::BasicBlock bb, int i, CapturedVariable var, VariableAccessCfgNode access, CapturingCallable c
-) {
-  bb.getNode(i) = access and
-  access.getNode() = var.getAnAccess() and
-  var = c.getACapturedVariable() and
-  (bb.getScope() = c or bb.getScope() = var.getDefiningAccess().getCfgScope())
-}
-
-private predicate captureRead2(Cfg::BasicBlock bb, int i, Callable c) {
-  bb.getNode(i).getNode() = c
-}
-
-private predicate captureRead3(Cfg::BasicBlock bb, int i) {
-  // todo: BlockParameterNode
-  // DataFlowPrivate::lambdaCall(_, bb.getNode(i)) and
-  // (
-  //   bb.getScope() = c
-  //   or
-  //   bb.getScope() = c.getACapturedVariable().getDeclaringScope()
-  // )
-  bb.getNode(i) instanceof DataFlowPrivate::Argument
-  or
-  DataFlowPrivate::isBlockArgument(_, bb.getNode(i))
-}
-
 cached
 private newtype TCaptureAccess =
   TEntryDef(Cfg::EntryBasicBlock bb) or
-  TVariableAccess(VariableAccessCfgNode access, CapturingCallable v) {
-    captureRead1(_, _, _, access, v)
-  } or
-  TLambdaAccess(Cfg::BasicBlock bb, int i, Callable c) { captureRead2(bb, i, c) } or
-  TCallAccess(Cfg::BasicBlock bb, int i) { captureRead3(bb, i) }
+  TVariableAccess(VariableAccessCfgNode access) { access.getVariable() instanceof CapturedVariable } or
+  TLambdaAccess(Callable c) or
+  TCallAccess(Cfg::BasicBlock bb, int i) {
+    bb.getNode(i) instanceof DataFlowPrivate::Argument
+    or
+    DataFlowPrivate::isBlockArgument(_, bb.getNode(i))
+  }
 
 class CaptureAccess extends TCaptureAccess {
   string toString() { result = "<captured variable>" }
@@ -154,12 +103,12 @@ class CaptureAccess extends TCaptureAccess {
       result = bb.getLocation()
     )
     or
-    exists(VariableAccessCfgNode access | this = TVariableAccess(access, _) |
+    exists(VariableAccessCfgNode access | this = TVariableAccess(access) |
       result = access.getLocation()
     )
     or
     exists(Callable c |
-      this = TLambdaAccess(_, _, c) and
+      this = TLambdaAccess(c) and
       result = c.getLocation()
     )
     or
@@ -175,13 +124,13 @@ class CaptureAccess extends TCaptureAccess {
       result = bb.getScope()
     )
     or
-    exists(VariableAccessCfgNode access | this = TVariableAccess(access, _) |
+    exists(VariableAccessCfgNode access | this = TVariableAccess(access) |
       result = access.getScope()
     )
     or
-    exists(Cfg::BasicBlock bb |
-      this = TLambdaAccess(bb, _, _) and
-      result = bb.getScope()
+    exists(Callable c |
+      this = TLambdaAccess(c) and
+      result = c.getCfgScope()
     )
     or
     exists(Cfg::BasicBlock bb |
@@ -190,17 +139,16 @@ class CaptureAccess extends TCaptureAccess {
     )
   }
 
-  predicate isLambdaAccess(Cfg::BasicBlock bb, int i, Callable c) { this = TLambdaAccess(bb, i, c) }
+  predicate isLambdaAccess(Cfg::BasicBlock bb, int i) {
+    this = TLambdaAccess(bb.getNode(i).getNode())
+  }
 
   predicate isCallAccess(Cfg::BasicBlock bb, int i) { this = TCallAccess(bb, i) }
 
   predicate isRead(Cfg::BasicBlock bb, int i) {
-    exists(VariableAccessCfgNode acc, CapturingCallable v |
-      captureRead1(bb, i, _, acc, v) and
-      this = TVariableAccess(acc, v)
-    )
+    this = TVariableAccess(bb.getNode(i))
     or
-    this.isLambdaAccess(bb, i, _)
+    this.isLambdaAccess(bb, i)
     or
     this.isCallAccess(bb, i)
   }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -421,7 +421,8 @@ private module Cached {
     THashSplatArgumentPosition() or
     TSplatAllArgumentPosition() or
     TAnyArgumentPosition() or
-    TAnyKeywordArgumentPosition()
+    TAnyKeywordArgumentPosition() or
+    TCapturedVariableArgumentPosition()
 
   cached
   newtype TParameterPosition =
@@ -443,7 +444,8 @@ private module Cached {
     THashSplatParameterPosition() or
     TSplatAllParameterPosition() or
     TAnyParameterPosition() or
-    TAnyKeywordParameterPosition()
+    TAnyKeywordParameterPosition() or
+    TCapturedVariableParameterPosition()
 }
 
 import Cached
@@ -1249,6 +1251,8 @@ class ParameterPosition extends TParameterPosition {
   /** Holds if this position represents any positional parameter. */
   predicate isAnyNamed() { this = TAnyKeywordParameterPosition() }
 
+  predicate isCapturedVariable() { this = TCapturedVariableParameterPosition() }
+
   /** Gets a textual representation of this position. */
   string toString() {
     this.isSelf() and result = "self"
@@ -1268,6 +1272,8 @@ class ParameterPosition extends TParameterPosition {
     this.isAny() and result = "any"
     or
     this.isAnyNamed() and result = "any-named"
+    or
+    this.isCapturedVariable() and result = "captured variable"
   }
 }
 
@@ -1294,6 +1300,8 @@ class ArgumentPosition extends TArgumentPosition {
   /** Holds if this position represents any positional parameter. */
   predicate isAnyNamed() { this = TAnyKeywordArgumentPosition() }
 
+  predicate isCapturedVariable() { this = TCapturedVariableArgumentPosition() }
+
   /**
    * Holds if this position represents a synthesized argument containing all keyword
    * arguments wrapped in a hash.
@@ -1319,6 +1327,8 @@ class ArgumentPosition extends TArgumentPosition {
     this.isHashSplat() and result = "**"
     or
     this.isSplatAll() and result = "*"
+    or
+    this.isCapturedVariable() and result = "captured variable"
   }
 }
 
@@ -1354,4 +1364,6 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   ppos.isAnyNamed() and apos.isKeyword(_)
   or
   apos.isAnyNamed() and ppos.isKeyword(_)
+  or
+  ppos.isCapturedVariable() and apos.isCapturedVariable()
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -1,4 +1,3 @@
-private import codeql.util.Boolean
 private import codeql.ruby.AST
 private import codeql.ruby.ast.internal.Synthesis
 private import codeql.ruby.CFG
@@ -325,7 +324,14 @@ private module Cached {
       or
       c.getAnArgument() instanceof CfgNodes::ExprNodes::PairCfgNode
     } or
-    TCapturedVariableAcccessNode(CapturedVariableFlow::CaptureAccess access, Boolean post)
+    TCapturedVariableAcccessNode(CapturedVariableFlow::CaptureAccess access) {
+      //  not access.isCallAccess(_, _)
+      any()
+    } or
+    TCapturedVariableAcccessPostUpdateNode(CapturedVariableFlow::CaptureAccess access) {
+      // access.isCallAccess(_, _)
+      any()
+    }
 
   class TParameterNode =
     TNormalParameterNode or TBlockParameterNode or TSelfParameterNode or
@@ -377,7 +383,7 @@ private module Cached {
     nodeTo = nodeFrom.(CapturedVariableAcccessPostUpdateNode).getPreUpdateNode().getANextAccess()
     or
     exists(BasicBlock bb, int i |
-      nodeFrom.(CapturedVariableAcccessNode).getAccess().isLambdaAccess(bb, i, _) and
+      nodeFrom.(CapturedVariableAcccessNode).getAccess().isLambdaAccess(bb, i) and
       nodeTo.asExpr() = bb.getNode(i)
     )
     or
@@ -550,12 +556,6 @@ import Cached
 predicate nodeIsHidden(Node n) {
   n instanceof SsaDefinitionExtNode
   or
-  // exists(SsaImpl::DefinitionExt def | def = n.(SsaDefinitionExtNode).getDefinitionExt() |
-  //   def instanceof Ssa::PhiNode or
-  //   def instanceof SsaImpl::PhiReadNode or
-  //   def instanceof Ssa::CapturedEntryDefinition or
-  //   def instanceof Ssa::CapturedCallDefinition
-  // )
   n = LocalFlow::getParameterDefNode(_)
   or
   isDesugarNode(n.(ExprNode).getExprNode().getExpr())
@@ -571,6 +571,8 @@ predicate nodeIsHidden(Node n) {
   n instanceof SynthHashSplatArgumentNode
   or
   n instanceof TCapturedVariableAcccessNode
+  or
+  n instanceof TCapturedVariableAcccessPostUpdateNode
 }
 
 /** An SSA definition, viewed as a node in a data flow graph. */
@@ -628,7 +630,7 @@ class ReturningStatementNode extends NodeImpl, TReturningNode {
 class CapturedVariableAcccessNode extends NodeImpl, TCapturedVariableAcccessNode {
   private CapturedVariableFlow::CaptureAccess access;
 
-  CapturedVariableAcccessNode() { this = TCapturedVariableAcccessNode(access, false) }
+  CapturedVariableAcccessNode() { this = TCapturedVariableAcccessNode(access) }
 
   CapturedVariableFlow::CaptureAccess getAccess() { result = access }
 
@@ -645,16 +647,17 @@ class CapturedVariableAcccessNode extends NodeImpl, TCapturedVariableAcccessNode
 
 /** A data-flow node used to model flow summaries. */
 class CapturedVariableAcccessPostUpdateNode extends NodeImpl, PostUpdateNodeImpl,
-  TCapturedVariableAcccessNode
+  TCapturedVariableAcccessPostUpdateNode
 {
   private CapturedVariableFlow::CaptureAccess access;
 
-  CapturedVariableAcccessPostUpdateNode() { this = TCapturedVariableAcccessNode(access, true) }
+  CapturedVariableAcccessPostUpdateNode() { this = TCapturedVariableAcccessPostUpdateNode(access) }
 
   CapturedVariableFlow::CaptureAccess getAccess() { result = access }
 
   override CapturedVariableAcccessNode getPreUpdateNode() {
-    result = TCapturedVariableAcccessNode(access, false)
+    result = TCapturedVariableAcccessNode(access)
+    // result = TCapturedVariableAcccessNode(access, false)
   }
 
   override CfgScope getCfgScope() { result = access.getCfgScope() }
@@ -886,7 +889,7 @@ private module ParameterNodes {
 
     override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
       c.asCallable() = this.getCfgScope() and
-      pos.isSelf()
+      pos.isCapturedVariable()
     }
   }
 }
@@ -1018,7 +1021,7 @@ private module ArgumentNodes {
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       lambdaCall(call, _, this) and
-      pos.isSelf()
+      pos.isCapturedVariable()
     }
 
     override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, ArgumentPosition pos) {
@@ -1400,9 +1403,11 @@ predicate expectsContent(Node n, ContentSet c) {
   FlowSummaryImpl::Private::Steps::summaryExpectsContent(n, c)
   or
   exists(CapturedVariableFlow::CaptureAccess access |
-    n = TCapturedVariableAcccessNode(access, _) and
     access.isReadOrWrite(_, _) and
     c.isAnyCapturedVariable()
+  |
+    n = TCapturedVariableAcccessNode(access) or
+    n = TCapturedVariableAcccessPostUpdateNode(access)
   )
 }
 

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -16,7 +16,7 @@ class SummarizedCallableBase = string;
 DataFlowCallable inject(SummarizedCallable c) { result.asLibraryCallable() = c }
 
 /** Gets the parameter position of the instance parameter. */
-ArgumentPosition instanceParameterPosition() { result.isSelf() }
+ArgumentPosition instanceParameterPosition() { result.isCapturedVariable() }
 
 /** Gets the synthesized summary data-flow node for the given values. */
 Node summaryNode(SummarizedCallable c, SummaryNodeState state) { result = TSummaryNode(c, state) }