codeql/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll at 6246521fdfead08f281c09ec9f09915019333ab9 · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
/**
 * Provides classes representing the control flow graph within callables.
 */

import csharp
private import internal.ControlFlowGraph
private import codeql.controlflow.SuccessorType
private import semmle.code.csharp.commons.Compilation
private import semmle.code.csharp.controlflow.internal.NonReturning as NonReturning

private module Cfg0 = Make0<Location, Ast>;

private module Cfg1 = Make1<Input>;

private module Cfg2 = Make2<Input>;

private import Cfg0
private import Cfg1
private import Cfg2
import Public

/**
 * A compilation.
 *
 * Unlike the standard `Compilation` class, this class also supports buildless
 * extraction.
 */
private newtype TCompilationExt =
  TCompilation(Compilation c) { not extractionIsStandalone() } or
  TBuildless() { extractionIsStandalone() }

private class CompilationExt extends TCompilationExt {
  string toString() {
    exists(Compilation c |
      this = TCompilation(c) and
      result = c.toString()
    )
    or
    this = TBuildless() and result = "buildless compilation"
  }
}

/** Gets the compilation that source file `f` belongs to. */
bindingset[e]
pragma[inline_late]
private CompilationExt getCompilation(Element e) {
  exists(Compilation c |
    e.getALocation().getFile() = c.getAFileCompiled() and
    result = TCompilation(c)
  )
  or
  result = TBuildless()
}

private module Exceptions {
  private import semmle.code.csharp.commons.Assertions

  private class Overflowable extends UnaryOperation {
    Overflowable() {
      not this instanceof UnaryBitwiseOperation and
      this.getType() instanceof IntegralType
    }
  }

  /** Holds if `cfe` is a control flow element that may throw an exception. */
  predicate mayThrowException(ControlFlowElement cfe) {
    cfe.(TriedControlFlowElement).mayThrowException()
    or
    cfe instanceof Assertion
  }

  /** A control flow element that is inside a `try` block. */
  private class TriedControlFlowElement extends ControlFlowElement {
    TriedControlFlowElement() {
      this = any(TryStmt try).getATriedElement() and
      not this instanceof NonReturning::NonReturningCall
    }

    /**
     * Holds if this element may potentially throw an exception.
     */
    predicate mayThrowException() {
      this instanceof Overflowable
      or
      this.(CastExpr).getType() instanceof IntegralType
      or
      invalidCastCandidate(this)
      or
      this instanceof Call
      or
      this =
        any(MemberAccess ma |
          not ma.isConditional() and
          ma.getQualifier() = any(Expr e | not e instanceof TypeAccess)
        )
      or
      this instanceof DelegateCreation
      or
      this instanceof ArrayCreation
      or
      this =
        any(AddOperation ae |
          ae.getType() instanceof StringType
          or
          ae.getType() instanceof IntegralType
        )
      or
      this = any(SubOperation se | se.getType() instanceof IntegralType)
      or
      this = any(MulOperation me | me.getType() instanceof IntegralType)
      or
      this = any(DivOperation de | not de.getDenominator().getValue().toFloat() != 0)
      or
      this instanceof RemOperation
      or
      this instanceof DynamicExpr
    }
  }

  pragma[nomagic]
  private ValueOrRefType getACastExprBaseType(CastExpr ce) {
    result = ce.getType().(ValueOrRefType).getABaseType()
    or
    result = getACastExprBaseType(ce).getABaseType()
  }

  pragma[nomagic]
  private predicate invalidCastCandidate(CastExpr ce) {
    ce.getExpr().getType() = getACastExprBaseType(ce)
  }
}

private module Input implements InputSig1, InputSig2 {
  predicate cfgCachedStageRef() { CfgCachedStage::ref() }

  predicate catchAll(Ast::CatchClause catch) { catch instanceof GeneralCatchClause }

  predicate matchAll(Ast::Case c) { c instanceof DefaultCase or c.(SwitchCaseExpr).matchesAll() }

  private newtype TLabel =
    TLblGoto(string label) { any(GotoLabelStmt goto).getLabel() = label } or
    TLblSwitchCase(string value) { any(GotoCaseStmt goto).getLabel() = value } or
    TLblSwitchDefault()

  class Label extends TLabel {
    string toString() {
      this = TLblGoto(result)
      or
      this = TLblSwitchCase(result)
      or
      this = TLblSwitchDefault() and result = "default"
    }
  }

  predicate hasLabel(Ast::AstNode n, Label l) {
    l = TLblGoto(n.(GotoLabelStmt).getLabel())
    or
    l = TLblSwitchCase(n.(GotoCaseStmt).getLabel())
    or
    l = TLblSwitchDefault() and n instanceof GotoDefaultStmt
    or
    l = TLblGoto(n.(LabelStmt).getLabel())
  }

  class CallableContext = CompilationExt;

  pragma[nomagic]
  Ast::AstNode callableGetBodyPart(Ast::Callable c, CallableContext ctx, int index) {
    not Ast::skipControlFlow(result) and
    ctx = getCompilation(result) and
    (
      result = Initializers::initializedInstanceMemberOrder(c, index)
      or
      result = Initializers::initializedStaticMemberOrder(c, index)
      or
      exists(Constructor ctor, int i, int staticMembers |
        c = ctor and
        staticMembers = count(Expr init | Initializers::staticMemberInitializer(ctor, init)) and
        index = staticMembers + i + 1
      |
        i = 0 and result = ctor.getObjectInitializerCall()
        or
        i = 1 and result = ctor.getInitializer()
        or
        i = 2 and result = ctor.getBody()
      )
      or
      not c instanceof Constructor and
      result = c.getBody() and
      index = 0
    )
  }

  pragma[nomagic]
  Ast::Parameter callableGetParameter(Ast::Callable c, CallableContext ctx, int index) {
    result = Ast::callableGetParameter(c, index) and
    ctx = getCompilation(result)
  }

  private Expr getQualifier(QualifiableExpr qe) {
    result = qe.getQualifier() or
    result = qe.(ExtensionMethodCall).getArgument(0)
  }

  predicate inConditionalContext(Ast::AstNode n, ConditionKind kind) {
    kind.isNullness() and
    exists(QualifiableExpr qe | qe.isConditional() | n = getQualifier(qe))
  }

  predicate postOrInOrder(Ast::AstNode n) {
    n instanceof YieldStmt
    or
    n instanceof Call and not n instanceof LogicalNotExpr
  }

  predicate beginAbruptCompletion(
    Ast::AstNode ast, PreControlFlowNode n, AbruptCompletion c, boolean always
  ) {
    // `yield break` behaves like a return statement
    ast instanceof YieldBreakStmt and
    n.isIn(ast) and
    c.asSimpleAbruptCompletion() instanceof ReturnSuccessor and
    always = true
    or
    Exceptions::mayThrowException(ast) and
    n.isIn(ast) and
    c.asSimpleAbruptCompletion() instanceof ExceptionSuccessor and
    always = false
    or
    ast instanceof NonReturning::NonReturningCall and
    n.isIn(ast) and
    c.asSimpleAbruptCompletion() instanceof ExceptionSuccessor and
    always = true
  }

  predicate endAbruptCompletion(Ast::AstNode ast, PreControlFlowNode n, AbruptCompletion c) {
    exists(SwitchStmt switch, Label l, Ast::Case case |
      ast.(Stmt).getParent() = switch and
      c.getSuccessorType() instanceof GotoSuccessor and
      c.hasLabel(l) and
      n.isAfterValue(case, any(MatchingSuccessor t | t.getValue() = true))
    |
      exists(string value, ConstCase cc |
        l = TLblSwitchCase(value) and
        switch.getAConstCase() = cc and
        cc.getLabel() = value and
        cc = case
      )
      or
      l = TLblSwitchDefault() and switch.getDefaultCase() = case
    )
  }

  predicate step(PreControlFlowNode n1, PreControlFlowNode n2) {
    exists(QualifiableExpr qe | qe.isConditional() |
      n1.isBefore(qe) and n2.isBefore(getQualifier(qe))
      or
      exists(NullnessSuccessor t | n1.isAfterValue(getQualifier(qe), t) |
        if t.isNull()
        then (
          // if `q` is null in `q?.f = x` then the assignment is skipped. This
          // holds for both regular, compound, and null-coalescing assignments.
          // On the other hand, the CFG definition for the assignment can treat
          // the LHS the same regardless of whether it's a conditionally
          // qualified access or not, as it just connects to the "before" and
          // "after" nodes of the LHS, and the "after" node is skipped in this
          // case.
          exists(AssignableDefinition def |
            def.getTargetAccess() = qe and
            n2.isAfterValue(def.getExpr(), t)
          )
          or
          not qe instanceof AssignableWrite and
          n2.isAfterValue(qe, t)
        ) else (
          n2.isBefore(Ast::getChild(qe, 0))
          or
          n2.isIn(qe) and not exists(Ast::getChild(qe, 0))
        )
      )
      or
      exists(int i | i >= 0 and n1.isAfter(Ast::getChild(qe, i)) |
        n2.isBefore(Ast::getChild(qe, i + 1))
        or
        not exists(Ast::getChild(qe, i + 1)) and n2.isIn(qe)
      )
      or
      n1.isIn(qe) and n2.isAfter(qe) and not beginAbruptCompletion(qe, n1, _, true)
    )
    or
    exists(ObjectCreation oc |
      n1.isBefore(oc) and n2.isBefore(oc.getArgument(0))
      or
      n1.isBefore(oc) and n2.isIn(oc) and not exists(oc.getAnArgument())
      or
      exists(int i | n1.isAfter(oc.getArgument(i)) |
        n2.isBefore(oc.getArgument(i + 1))
        or
        not exists(oc.getArgument(i + 1)) and n2.isIn(oc)
      )
      or
      n1.isIn(oc) and n2.isBefore(oc.getInitializer())
      or
      n1.isIn(oc) and n2.isAfter(oc) and not exists(oc.getInitializer())
      or
      n1.isAfter(oc.getInitializer()) and n2.isAfter(oc)
    )
  }
}

/** Provides different types of control flow nodes. */
module ControlFlowNodes {
  /**
   * A node for a control flow element, that is, an expression or a statement.
   *
   * Each control flow element maps to zero or one `ElementNode`s: zero when
   * the element is in unreachable (dead) code, and otherwise one.
   */
  class ElementNode extends ControlFlowNode {
    ElementNode() { exists(this.asExpr()) or exists(this.asStmt()) }
  }

  /** A control-flow node for an expression. */
  class ExprNode extends ElementNode {
    Expr e;

    ExprNode() { e = this.asExpr() }

    /** Gets the expression that this control-flow node belongs to. */
    Expr getExpr() { result = e }

    /** Gets the value of this expression node, if any. */
    string getValue() { result = e.getValue() }

    /** Gets the type of this expression node. */
    Type getType() { result = e.getType() }
  }
}