temp

Author: hvitved

ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll

@@ -813,20 +813,59 @@ module ExprNodes {
     override SelfVariableAccess getExpr() { result = VariableAccessCfgNode.super.getExpr() }
   }
 
+  private class VariableWriteAccessChildMapping extends ExprChildMapping, VariableWriteAccess {
+    override predicate relevantChild(AstNode n) { this.isExplicitWrite(n) }
+  }
+
   /** A control-flow node that wraps a `VariableWriteAccess` AST expression. */
   class VariableWriteAccessCfgNode extends VariableAccessCfgNode {
+    /**
+     * Holds if this access is a write access belonging to the explicit
+     * assignment `assignment`. For example, in
+     *
+     * ```rb
+     * a = foo
+     * ```
+     *
+     * both `a` is write accesses belonging to the assignment `a = foo`.
+     */
+    predicate isExplicitWrite(CfgNode assignment) {
+      e.hasCfgChild(any(AstNode n | e.isExplicitWrite(n)), this, assignment)
+    }
+
+    /**
+     * Holds if this access is a write access belonging to an implicit assignment.
+     * For example, in
+     *
+     * ```rb
+     * def m elements
+     *   for e in elements do
+     *     puts e
+     *   end
+     * end
+     * ```
+     *
+     * the access to `elements` in the parameter list is an implicit assignment,
+     * as is the first access to `e`.
+     */
+    predicate isImplicitWrite() { e.isImplicitWrite() }
+
     override string getAPrimaryQlClass() { result = "VariableWriteAccessCfgNode" }
 
-    override VariableWriteAccess e;
+    override VariableWriteAccessChildMapping e;
 
     override VariableWriteAccess getExpr() { result = VariableAccessCfgNode.super.getExpr() }
   }
 
+  private class LocalVariableWriteAccessChildMapping extends VariableWriteAccessChildMapping,
+    LocalVariableWriteAccess
+  { }
+
   /** A control-flow node that wraps a `LocalVariableWriteAccess` AST expression. */
   class LocalVariableWriteAccessCfgNode extends VariableWriteAccessCfgNode {
     override string getAPrimaryQlClass() { result = "LocalVariableWriteAccessCfgNode" }
 
-    override LocalVariableWriteAccess e;
+    override LocalVariableWriteAccessChildMapping e;
 
     final override LocalVariableWriteAccess getExpr() { result = super.getExpr() }
 

ruby/ql/lib/codeql/ruby/dataflow/SSA.qll

@@ -192,7 +192,7 @@ module Ssa {
    * ```
    */
   class WriteDefinition extends Definition, SsaImpl::WriteDefinition {
-    private VariableWriteAccess write;
+    private VariableWriteAccessCfgNode write;
 
     WriteDefinition() {
       exists(BasicBlock bb, int i, Variable v |
@@ -202,7 +202,7 @@ module Ssa {
     }
 
     /** Gets the underlying write access. */
-    final VariableWriteAccess getWriteAccess() { result = write }
+    final VariableWriteAccessCfgNode getWriteAccess() { result = write }
 
     /**
      * Holds if this SSA definition represents a direct assignment of `value`

ruby/ql/lib/codeql/ruby/dataflow/internal/CapturedVariableFlow.qll

@@ -83,15 +83,29 @@ class CapturedVariable extends LocalVariable {
   CapturedVariable() { this.isCaptured() }
 }
 
+/** A variable scope that declares one or more captured variables. */
+private class CapturedScope extends Scope {
+  CapturedScope() { this = any(CapturedVariable v).getDeclaringScope() }
+
+  /** Gets a captured variable declared in this scope. */
+  CapturedVariable getACapturedVariable() { result.getDeclaringScope() = this }
+
+  /** Gets a CFG scope that is contained within this variable scope. */
+  Cfg::CfgScope getACfgScope() { result.(Scope).getOuterScope*() = this }
+}
+
 cached
 private newtype TCaptureAccess =
-  TEntryDef(Cfg::EntryBasicBlock bb) or
+  TEntryDef(Cfg::EntryBasicBlock bb) { bb.getScope() = any(CapturedScope s).getACfgScope() } or
   TVariableAccess(VariableAccessCfgNode access) { access.getVariable() instanceof CapturedVariable } or
-  TLambdaAccess(Callable c) or
-  TCallAccess(Cfg::BasicBlock bb, int i) {
-    bb.getNode(i) instanceof DataFlowPrivate::Argument
-    or
-    DataFlowPrivate::isBlockArgument(_, bb.getNode(i))
+  TLambdaAccess(Callable c) { c.getCfgScope() = any(CapturedScope s).getACfgScope() } or
+  TArgumentAccess(Cfg::BasicBlock bb, int i) {
+    bb.getScope() = any(CapturedScope s).getACfgScope() and
+    (
+      bb.getNode(i) instanceof DataFlowPrivate::Argument
+      or
+      DataFlowPrivate::isBlockArgument(_, bb.getNode(i))
+    )
   }
 
 class CaptureAccess extends TCaptureAccess {
@@ -113,7 +127,7 @@ class CaptureAccess extends TCaptureAccess {
     )
     or
     exists(Cfg::BasicBlock bb, int i |
-      this = TCallAccess(bb, i) and
+      this = TArgumentAccess(bb, i) and
       result = bb.getNode(i).getLocation()
     )
   }
@@ -134,7 +148,7 @@ class CaptureAccess extends TCaptureAccess {
     )
     or
     exists(Cfg::BasicBlock bb |
-      this = TCallAccess(bb, _) and
+      this = TArgumentAccess(bb, _) and
       result = bb.getScope()
     )
   }
@@ -143,14 +157,14 @@ class CaptureAccess extends TCaptureAccess {
     this = TLambdaAccess(bb.getNode(i).getNode())
   }
 
-  predicate isCallAccess(Cfg::BasicBlock bb, int i) { this = TCallAccess(bb, i) }
+  predicate isArgumentAccess(Cfg::BasicBlock bb, int i) { this = TArgumentAccess(bb, i) }
 
   predicate isRead(Cfg::BasicBlock bb, int i) {
     this = TVariableAccess(bb.getNode(i))
     or
     this.isLambdaAccess(bb, i)
     or
-    this.isCallAccess(bb, i)
+    this.isArgumentAccess(bb, i)
   }
 
   predicate isWrite(Cfg::BasicBlock bb, int i) { this = TEntryDef(bb) and i = -1 }
@@ -159,6 +173,18 @@ class CaptureAccess extends TCaptureAccess {
     this.isRead(bb, i) or
     this.isWrite(bb, i)
   }
+
+  pragma[nomagic]
+  predicate isWriteDef(Ssa::WriteDefinition def, CapturedVariable v) {
+    v = def.getSourceVariable() and
+    this = TVariableAccess(def.getWriteAccess())
+  }
+
+  pragma[nomagic]
+  predicate isReadAccess(VariableReadAccessCfgNode read, CapturedVariable v) {
+    v = read.getVariable() and
+    this = TVariableAccess(read)
+  }
 }
 
 private module SsaInput implements SsaImplCommon::InputSig {

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -250,7 +250,8 @@ private predicate selfInToplevel(SelfVariable self, Module m) {
 private predicate asModulePattern(SsaDefinitionExtNode def, Module m) {
   exists(AsPattern ap |
     m = resolveConstantReadAccess(ap.getPattern()) and
-    def.getDefinitionExt().(Ssa::WriteDefinition).getWriteAccess() = ap.getVariableAccess()
+    def.getDefinitionExt().(Ssa::WriteDefinition).getWriteAccess().getNode() =
+      ap.getVariableAccess()
   )
 }
 
@@ -423,8 +424,7 @@ private module Cached {
     THashSplatArgumentPosition() or
     TSplatAllArgumentPosition() or
     TAnyArgumentPosition() or
-    TAnyKeywordArgumentPosition() or
-    TCapturedVariableArgumentPosition()
+    TAnyKeywordArgumentPosition()
 
   cached
   newtype TParameterPosition =
@@ -446,8 +446,7 @@ private module Cached {
     THashSplatParameterPosition() or
     TSplatAllParameterPosition() or
     TAnyParameterPosition() or
-    TAnyKeywordParameterPosition() or
-    TCapturedVariableParameterPosition()
+    TAnyKeywordParameterPosition()
 }
 
 import Cached
@@ -1262,8 +1261,6 @@ class ParameterPosition extends TParameterPosition {
   /** Holds if this position represents any positional parameter. */
   predicate isAnyNamed() { this = TAnyKeywordParameterPosition() }
 
-  predicate isCapturedVariable() { this = TCapturedVariableParameterPosition() }
-
   /** Gets a textual representation of this position. */
   string toString() {
     this.isSelf() and result = "self"
@@ -1283,8 +1280,6 @@ class ParameterPosition extends TParameterPosition {
     this.isAny() and result = "any"
     or
     this.isAnyNamed() and result = "any-named"
-    or
-    this.isCapturedVariable() and result = "captured variable"
   }
 }
 
@@ -1311,8 +1306,6 @@ class ArgumentPosition extends TArgumentPosition {
   /** Holds if this position represents any positional parameter. */
   predicate isAnyNamed() { this = TAnyKeywordArgumentPosition() }
 
-  predicate isCapturedVariable() { this = TCapturedVariableArgumentPosition() }
-
   /**
    * Holds if this position represents a synthesized argument containing all keyword
    * arguments wrapped in a hash.
@@ -1338,8 +1331,6 @@ class ArgumentPosition extends TArgumentPosition {
     this.isHashSplat() and result = "**"
     or
     this.isSplatAll() and result = "*"
-    or
-    this.isCapturedVariable() and result = "captured variable"
   }
 }
 
@@ -1375,6 +1366,4 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   ppos.isAnyNamed() and apos.isKeyword(_)
   or
   apos.isAnyNamed() and ppos.isKeyword(_)
-  or
-  ppos.isCapturedVariable() and apos.isCapturedVariable()
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -140,6 +140,8 @@ module LocalFlow {
    * that parameter.
    *
    * This is intended to recover from flow not currently recognised by ordinary capture flow.
+   *
+   * TODO
    */
   predicate localFlowSsaParamCaptureInput(Node nodeFrom, Node nodeTo) {
     exists(Ssa::CapturedEntryDefinition def |
@@ -329,8 +331,9 @@ private module Cached {
       any()
     } or
     TCapturedVariableAcccessPostUpdateNode(CapturedVariableFlow::CaptureAccess access) {
-      // access.isCallAccess(_, _)
-      any()
+      access.isWriteDef(_, _)
+      or
+      access.isReadAccess(_,_)
     }
 
   class TParameterNode =
@@ -389,7 +392,7 @@ private module Cached {
     or
     exists(BasicBlock bb, int i |
       nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = bb.getNode(i) and
-      nodeTo.(CapturedVariableAcccessPostUpdateNode).getAccess().isCallAccess(bb, i)
+      nodeTo.(CapturedVariableAcccessNode).getAccess().isArgumentAccess(bb, i)
     )
   }
 
@@ -522,9 +525,9 @@ private module Cached {
         name = [input, output].regexpFind("(?<=(^|\\.)Field\\[)[^\\]]+(?=\\])", _, _).trim()
       )
     } or
+    TCapturedVariable(CapturedVariableFlow::CapturedVariable v) or
     // Only used by type-tracking
-    TAttributeName(string name) { name = any(SetterMethodCall c).getTargetName() } or
-    TCapturedVariable(CapturedVariableFlow::CapturedVariable v)
+    TAttributeName(string name) { name = any(SetterMethodCall c).getTargetName() }
 
   /**
    * Holds if `e` is an `ExprNode` that may be returned by a call to `c`.
@@ -889,7 +892,7 @@ private module ParameterNodes {
 
     override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
       c.asCallable() = this.getCfgScope() and
-      pos.isCapturedVariable()
+      pos.isSelf()
     }
   }
 }
@@ -1016,12 +1019,12 @@ private module ArgumentNodes {
     override string toStringImpl() { result = "**" }
   }
 
-  class CaptureArgumentNode extends ArgumentNode {
-    CaptureArgumentNode() { lambdaCall(_, _, this) }
+  class LambdaSelfArgumentNode extends ArgumentNode {
+    LambdaSelfArgumentNode() { lambdaCall(_, _, this) }
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       lambdaCall(call, _, this) and
-      pos.isCapturedVariable()
+      pos.isSelf()
     }
 
     override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, ArgumentPosition pos) {
@@ -1272,16 +1275,10 @@ pragma[nomagic]
 private predicate capturedVariableStoreStep(
   SsaDefinitionExtNode node1, ContentSet c, CapturedVariableAcccessPostUpdateNode node2
 ) {
-  exists(BasicBlock bb, int i, Ssa::WriteDefinition def |
+  exists(Ssa::WriteDefinition def, CapturedVariableFlow::CapturedVariable v |
     def = node1.getDefinitionExt() and
-    bb.getNode(i).getNode() = def.getWriteAccess() and // TODO: splitting
-    c.isSingleton(any(Content::CapturedVariableContent cvc |
-        cvc.getVariable() = def.getSourceVariable()
-      ))
-  |
-    node2.getAccess().isReadOrWrite(bb, i)
-    // or
-    // node2.getAccess().isWrite(bb, i)
+    node2.getAccess().isWriteDef(def, v) and
+    c.isSingleton(any(Content::CapturedVariableContent cvc | cvc.getVariable() = v))
   )
 }
 
@@ -1324,12 +1321,10 @@ private predicate capturedVariableReadStep(
   CapturedVariableAcccessNode node1, ContentSet c, Node node2
 ) {
   exists(
-    BasicBlock bb, int i, CfgNodes::ExprNodes::VariableReadAccessCfgNode read, LocalVariable v
+    CfgNodes::ExprNodes::VariableReadAccessCfgNode read, CapturedVariableFlow::CapturedVariable v
   |
-    node1.getAccess().isRead(bb, i) and
+    node1.getAccess().isReadAccess(read, v) and
     node2.asExpr() = read and
-    read = bb.getNode(i) and
-    v = read.getVariable() and
     c.isSingleton(any(Content::CapturedVariableContent cvc | cvc.getVariable() = v))
   )
 }
@@ -1402,10 +1397,7 @@ predicate clearsContent(Node n, ContentSet c) {
 predicate expectsContent(Node n, ContentSet c) {
   FlowSummaryImpl::Private::Steps::summaryExpectsContent(n, c)
   or
-  exists(CapturedVariableFlow::CaptureAccess access |
-    access.isReadOrWrite(_, _) and
-    c.isAnyCapturedVariable()
-  |
+  exists(CapturedVariableFlow::CaptureAccess access | c.isAnyCapturedVariable() |
     n = TCapturedVariableAcccessNode(access) or
     n = TCapturedVariableAcccessPostUpdateNode(access)
   )

ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImpl.qll

@@ -344,11 +344,11 @@ private module Cached {
    */
   cached
   predicate variableWriteActual(
-    Cfg::BasicBlock bb, int i, LocalVariable v, VariableWriteAccess write
+    Cfg::BasicBlock bb, int i, LocalVariable v, VariableWriteAccessCfgNode write
   ) {
-    exists(AstNode n |
+    exists(Cfg::CfgNode n |
       write.getVariable() = v and
-      n = bb.getNode(i).getNode()
+      n = bb.getNode(i)
     |
       write.isExplicitWrite(n)
       or