Merge pull request #5052 from tamasvajk/feature/fnptr-df

C#: Add data flow 'getARuntimeTarget' predicate to 'FunctionPointerCall'

Author: tamasvajk

csharp/ql/src/Dead Code/DeadStoreOfLocal.ql

@@ -63,7 +63,7 @@ predicate mayEscape(LocalVariable v) {
   exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
     e = getADelegateExpr(c) and
     DataFlow::localExprFlow(e, succ) and
-    not succ = any(DelegateCall dc).getDelegateExpr() and
+    not succ = any(DelegateCall dc).getExpr() and
     not succ = any(Cast cast).getExpr() and
     not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
     not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()

csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Delegate.qll

@@ -97,9 +97,7 @@ private class TranslatedDelegateInvokeCall extends TranslatedCompilerGeneratedCa
     )
   }
 
-  override TranslatedExprBase getQualifier() {
-    result = getTranslatedExpr(generatedBy.getDelegateExpr())
-  }
+  override TranslatedExprBase getQualifier() { result = getTranslatedExpr(generatedBy.getExpr()) }
 
   override Instruction getQualifierResult() { result = getQualifier().getResult() }
 

csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll

@@ -11,7 +11,8 @@ cached
 private newtype TCallContext =
   TEmptyCallContext() or
   TArgNonDelegateCallContext(Expr arg) { exists(DispatchCall dc | arg = dc.getArgument(_)) } or
-  TArgDelegateCallContext(DelegateCall dc, int i) { exists(dc.getArgument(i)) }
+  TArgDelegateCallContext(DelegateCall dc, int i) { exists(dc.getArgument(i)) } or
+  TArgFunctionPointerCallContext(FunctionPointerCall fptrc, int i) { exists(fptrc.getArgument(i)) }
 
 /**
  * A call context.
@@ -60,12 +61,14 @@ class NonDelegateCallArgumentCallContext extends ArgumentCallContext, TArgNonDel
   override Location getLocation() { result = arg.getLocation() }
 }
 
-/** An argument of a delegate call. */
-class DelegateCallArgumentCallContext extends ArgumentCallContext, TArgDelegateCallContext {
-  DelegateCall dc;
+/** An argument of a delegate or function pointer call. */
+class DelegateLikeCallArgumentCallContext extends ArgumentCallContext {
+  DelegateLikeCall dc;
   int arg;
 
-  DelegateCallArgumentCallContext() { this = TArgDelegateCallContext(dc, arg) }
+  DelegateLikeCallArgumentCallContext() {
+    this = TArgDelegateCallContext(dc, arg) or this = TArgFunctionPointerCallContext(dc, arg)
+  }
 
   override predicate isArgument(Expr call, int i) {
     call = dc and
@@ -76,3 +79,11 @@ class DelegateCallArgumentCallContext extends ArgumentCallContext, TArgDelegateC
 
   override Location getLocation() { result = dc.getArgument(arg).getLocation() }
 }
+
+/** An argument of a delegate call. */
+class DelegateCallArgumentCallContext extends DelegateLikeCallArgumentCallContext,
+  TArgDelegateCallContext { }
+
+/** An argument of a function pointer call. */
+class FunctionPointerCallArgumentCallContext extends DelegateLikeCallArgumentCallContext,
+  TArgFunctionPointerCallContext { }

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -101,7 +101,7 @@ private module Cached {
     TNonDelegateCall(ControlFlow::Nodes::ElementNode cfn, DispatchCall dc) {
       cfn.getElement() = dc.getCall()
     } or
-    TExplicitDelegateCall(ControlFlow::Nodes::ElementNode cfn, DelegateCall dc) {
+    TExplicitDelegateLikeCall(ControlFlow::Nodes::ElementNode cfn, DelegateLikeCall dc) {
       cfn.getElement() = dc
     } or
     TTransitiveCapturedCall(ControlFlow::Nodes::ElementNode cfn, Callable target) {
@@ -308,12 +308,12 @@ abstract class DelegateDataFlowCall extends DataFlowCall {
   override DataFlowCallable getARuntimeTarget() { result = this.getARuntimeTarget(_) }
 }
 
-/** An explicit delegate call relevant for data flow. */
-class ExplicitDelegateDataFlowCall extends DelegateDataFlowCall, TExplicitDelegateCall {
+/** An explicit delegate or function pointer call relevant for data flow. */
+class ExplicitDelegateLikeDataFlowCall extends DelegateDataFlowCall, TExplicitDelegateLikeCall {
   private ControlFlow::Nodes::ElementNode cfn;
-  private DelegateCall dc;
+  private DelegateLikeCall dc;
 
-  ExplicitDelegateDataFlowCall() { this = TExplicitDelegateCall(cfn, dc) }
+  ExplicitDelegateLikeDataFlowCall() { this = TExplicitDelegateLikeCall(cfn, dc) }
 
   override DataFlowCallable getARuntimeTarget(CallContext::CallContext cc) {
     result = getCallableForDataFlow(dc.getARuntimeTarget(cc))

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -1394,7 +1394,7 @@ private module OutNodes {
 
   private DataFlowCall csharpCall(Expr e, ControlFlow::Node cfn) {
     e = any(DispatchCall dc | result = TNonDelegateCall(cfn, dc)).getCall() or
-    result = TExplicitDelegateCall(cfn, e)
+    result = TExplicitDelegateLikeCall(cfn, e)
   }
 
   /** A valid return type for a method that uses `yield return`. */

csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll

@@ -14,8 +14,14 @@ private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.system.linq.Expressions
 
+/** A source of flow for a delegate or function pointer expression. */
+abstract private class DelegateLikeFlowSource extends DataFlow::ExprNode {
+  /** Gets the callable that is referenced in this delegate or function pointer flow source. */
+  abstract Callable getCallable();
+}
+
 /** A source of flow for a delegate expression. */
-private class DelegateFlowSource extends DataFlow::ExprNode {
+private class DelegateFlowSource extends DelegateLikeFlowSource {
   Callable c;
 
   DelegateFlowSource() {
@@ -27,11 +33,29 @@ private class DelegateFlowSource extends DataFlow::ExprNode {
   }
 
   /** Gets the callable that is referenced in this delegate flow source. */
-  Callable getCallable() { result = c }
+  override Callable getCallable() { result = c }
 }
 
-/** A sink of flow for a delegate expression. */
-abstract private class DelegateFlowSink extends DataFlow::Node {
+/** A source of flow for a function pointer expression. */
+private class FunctionPointerFlowSource extends DelegateLikeFlowSource {
+  Callable c;
+
+  FunctionPointerFlowSource() {
+    c =
+      this.getExpr()
+          .(AddressOfExpr)
+          .getOperand()
+          .(CallableAccess)
+          .getTarget()
+          .getUnboundDeclaration()
+  }
+
+  /** Gets the callable that is referenced in this function pointer flow source. */
+  override Callable getCallable() { result = c }
+}
+
+/** A sink of flow for a delegate or function pointer expression. */
+abstract private class DelegateLikeFlowSink extends DataFlow::Node {
   /**
    * Gets an actual run-time target of this delegate call in the given call
    * context, if any. The call context records the *last* call required to
@@ -85,33 +109,33 @@ abstract private class DelegateFlowSink extends DataFlow::Node {
    */
   cached
   Callable getARuntimeTarget(CallContext context) {
-    exists(DelegateFlowSource dfs |
+    exists(DelegateLikeFlowSource dfs |
       flowsFrom(this, dfs, _, context) and
       result = dfs.getCallable()
     )
   }
 }
 
-/** A delegate call expression. */
-class DelegateCallExpr extends DelegateFlowSink, DataFlow::ExprNode {
-  DelegateCall dc;
+/** A delegate or function pointer call expression. */
+class DelegateLikeCallExpr extends DelegateLikeFlowSink, DataFlow::ExprNode {
+  DelegateLikeCall dc;
 
-  DelegateCallExpr() { this.getExpr() = dc.getDelegateExpr() }
+  DelegateLikeCallExpr() { this.getExpr() = dc.getExpr() }
 
-  /** Gets the delegate call that this expression belongs to. */
-  DelegateCall getDelegateCall() { result = dc }
+  /** Gets the delegate or function pointer call that this expression belongs to. */
+  DelegateLikeCall getCall() { result = dc }
 }
 
 /** A parameter of delegate type belonging to a callable with a flow summary. */
-class SummaryDelegateParameterSink extends DelegateFlowSink, ParameterNode {
+class SummaryDelegateParameterSink extends DelegateLikeFlowSink, ParameterNode {
   SummaryDelegateParameterSink() {
     this.getType() instanceof SystemLinqExpressions::DelegateExtType and
     this.isParameterOf(any(SummarizedCallable c), _)
   }
 }
 
 /** A delegate expression that is added to an event. */
-class AddEventSource extends DelegateFlowSink, DataFlow::ExprNode {
+class AddEventSource extends DelegateLikeFlowSink, DataFlow::ExprNode {
   AddEventExpr ae;
 
   AddEventSource() { this.getExpr() = ae.getRValue() }
@@ -150,7 +174,7 @@ private class NormalReturnNode extends Node {
  * records the last call on the path from `node` to `sink`, if any.
  */
 private predicate flowsFrom(
-  DelegateFlowSink sink, DataFlow::Node node, boolean isReturned, CallContext lastCall
+  DelegateLikeFlowSink sink, DataFlow::Node node, boolean isReturned, CallContext lastCall
 ) {
   // Base case
   sink = node and
@@ -188,7 +212,8 @@ private predicate flowsFrom(
   or
   // Flow into a callable (delegate call)
   exists(
-    ParameterNode mid, CallContext prevLastCall, DelegateCall call, Callable c, Parameter p, int i
+    ParameterNode mid, CallContext prevLastCall, DelegateLikeCall call, Callable c, Parameter p,
+    int i
   |
     flowsFrom(sink, mid, isReturned, prevLastCall) and
     isReturned = false and
@@ -238,14 +263,14 @@ private predicate flowIntoNonDelegateCall(NonDelegateCall call, Expr arg, DotNet
 }
 
 pragma[noinline]
-private predicate flowIntoDelegateCall(DelegateCall call, Callable c, Expr arg, int i) {
-  exists(DelegateFlowSource dfs, DelegateCallExpr dce |
+private predicate flowIntoDelegateCall(DelegateLikeCall call, Callable c, Expr arg, int i) {
+  exists(DelegateLikeFlowSource dfs, DelegateLikeCallExpr dce |
     // the call context is irrelevant because the delegate call
     // itself will be the context
     flowsFrom(dce, dfs, _, _) and
     arg = call.getArgument(i) and
     c = dfs.getCallable() and
-    call = dce.getDelegateCall()
+    call = dce.getCall()
   )
 }
 
@@ -255,11 +280,13 @@ private predicate flowOutOfNonDelegateCall(NonDelegateCall call, NormalReturnNod
 }
 
 pragma[noinline]
-private predicate flowOutOfDelegateCall(DelegateCall dc, NormalReturnNode ret, CallContext lastCall) {
-  exists(DelegateFlowSource dfs, DelegateCallExpr dce, Callable c |
+private predicate flowOutOfDelegateCall(
+  DelegateLikeCall dc, NormalReturnNode ret, CallContext lastCall
+) {
+  exists(DelegateLikeFlowSource dfs, DelegateLikeCallExpr dce, Callable c |
     flowsFrom(dce, dfs, _, lastCall) and
     ret.getEnclosingCallable() = c and
     c = dfs.getCallable() and
-    dc = dce.getDelegateCall()
+    dc = dce.getCall()
   )
 }

csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -245,7 +245,7 @@ private module CallGraph {
      * a library callable and `e` is a delegate argument.
      */
     private predicate delegateCall(Call c, Expr e, boolean libraryDelegateCall) {
-      c = any(DelegateCall dc | e = dc.getDelegateExpr()) and
+      c = any(DelegateCall dc | e = dc.getExpr()) and
       libraryDelegateCall = false
       or
       c.getTarget().fromLibrary() and

csharp/ql/src/semmle/code/csharp/exprs/Call.qll

@@ -527,6 +527,46 @@ class MutatorOperatorCall extends OperatorCall {
   predicate isPostfix() { mutator_invocation_mode(this, 2) }
 }
 
+private class DelegateLikeCall_ = @delegate_invocation_expr or @function_pointer_invocation_expr;
+
+/**
+ * A function pointer or delegate call.
+ */
+class DelegateLikeCall extends Call, DelegateLikeCall_ {
+  override Callable getTarget() { none() }
+
+  /**
+   * Gets a potential run-time target of this delegate or function pointer call in the given
+   * call context `cc`.
+   */
+  Callable getARuntimeTarget(CallContext::CallContext cc) {
+    exists(DelegateLikeCallExpr call |
+      this = call.getCall() and
+      result = call.getARuntimeTarget(cc)
+    )
+  }
+
+  /**
+   * Gets the delegate or function pointer expression of this call. For example, the
+   * delegate expression of `X()` on line 5 is the access to the field `X` in
+   *
+   * ```csharp
+   * class A {
+   *   Action X = () => { };
+   *
+   *   void CallX() {
+   *     X();
+   *   }
+   * }
+   * ```
+   */
+  Expr getExpr() { result = this.getChild(-1) }
+
+  override Callable getARuntimeTarget() { result = getARuntimeTarget(_) }
+
+  override Expr getRuntimeArgument(int i) { result = getArgument(i) }
+}
+
 /**
  * A delegate call, for example `x()` on line 5 in
  *
@@ -540,18 +580,13 @@ class MutatorOperatorCall extends OperatorCall {
  * }
  * ```
  */
-class DelegateCall extends Call, @delegate_invocation_expr {
-  override Callable getTarget() { none() }
-
+class DelegateCall extends DelegateLikeCall, @delegate_invocation_expr {
   /**
    * Gets a potential run-time target of this delegate call in the given
    * call context `cc`.
    */
-  Callable getARuntimeTarget(CallContext::CallContext cc) {
-    exists(DelegateCallExpr call |
-      this = call.getDelegateCall() and
-      result = call.getARuntimeTarget(cc)
-    )
+  override Callable getARuntimeTarget(CallContext::CallContext cc) {
+    result = DelegateLikeCall.super.getARuntimeTarget(cc)
     or
     exists(AddEventSource aes, CallContext::CallContext cc2 |
       aes = this.getAnAddEventSource(_) and
@@ -567,7 +602,7 @@ class DelegateCall extends Call, @delegate_invocation_expr {
   }
 
   private AddEventSource getAnAddEventSource(Callable enclosingCallable) {
-    this.getDelegateExpr().(EventAccess).getTarget() = result.getEvent() and
+    this.getExpr().(EventAccess).getTarget() = result.getEvent() and
     enclosingCallable = result.getExpr().getEnclosingCallable()
   }
 
@@ -579,25 +614,12 @@ class DelegateCall extends Call, @delegate_invocation_expr {
     exists(Callable c | result = getAnAddEventSource(c) | c != this.getEnclosingCallable())
   }
 
-  override Callable getARuntimeTarget() { result = getARuntimeTarget(_) }
-
-  override Expr getRuntimeArgument(int i) { result = getArgument(i) }
-
   /**
-   * Gets the delegate expression of this delegate call. For example, the
-   * delegate expression of `X()` on line 5 is the access to the field `X` in
+   * DEPRECATED: use `getExpr` instead.
    *
-   * ```csharp
-   * class A {
-   *   Action X = () => { };
-   *
-   *   void CallX() {
-   *     X();
-   *   }
-   * }
-   * ```
+   * Gets the delegate expression of this call.
    */
-  Expr getDelegateExpr() { result = this.getChild(-1) }
+  deprecated Expr getDelegateExpr() { result = this.getExpr() }
 
   override string toString() { result = "delegate call" }
 
@@ -615,11 +637,7 @@ class DelegateCall extends Call, @delegate_invocation_expr {
  * }
  * ```
  */
-class FunctionPointerCall extends Call, @function_pointer_invocation_expr {
-  override Callable getTarget() { none() }
-
-  override Expr getRuntimeArgument(int i) { result = getArgument(i) }
-
+class FunctionPointerCall extends DelegateLikeCall, @function_pointer_invocation_expr {
   override string toString() { result = "function pointer call" }
 
   override string getAPrimaryQlClass() { result = "FunctionPointerCall" }

csharp/ql/src/semmle/code/csharp/metrics/Coupling.qll

@@ -78,7 +78,7 @@ predicate depends(ValueOrRefType t, ValueOrRefType u) {
     or
     exists(DelegateCall dc, DelegateType dt |
       dc.getEnclosingCallable().getDeclaringType() = t and
-      dc.getDelegateExpr().getType() = dt and
+      dc.getExpr().getType() = dt and
       usesType(dt.getUnboundDeclaration(), u)
     )
     or