C#: Fix data flow for out/ref parameters

hvitved · hvitved · commit 4d58154ff511 · 2019-08-02T14:25:38.000-07:00
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -738,7 +738,8 @@ private module ReturnNodes {
 
     OutRefReturnNode() {
       exists(Parameter p |
-        this.getDefinition().(Ssa::ExplicitDefinition).isLiveOutRefParameterDefinition(p)
+        this.getDefinition().(Ssa::ExplicitDefinition).isLiveOutRefParameterDefinition(p) and
+        kind.getPosition() = p.getPosition()
       |
         p.isOut() and kind instanceof OutReturnKind
         or
diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlow.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlow.expected
@@ -17,9 +17,6 @@
 | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
 | GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
 | GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 |
-| GlobalDataFlow.cs:107:15:107:22 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:109:15:109:22 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:111:15:111:22 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:136:15:136:19 | access to local variable sink4 |
 | GlobalDataFlow.cs:144:15:144:19 | access to local variable sink5 |
 | GlobalDataFlow.cs:154:15:154:19 | access to local variable sink6 |
diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowEdges.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowEdges.expected
@@ -1291,8 +1291,6 @@
 | GlobalDataFlow.cs:78:30:78:34 | access to local variable sink3 | GlobalDataFlow.cs:78:30:78:34 | access to local variable sink3 |
 | GlobalDataFlow.cs:78:30:78:34 | access to local variable sink3 | GlobalDataFlow.cs:78:41:78:45 | access to local variable sink3 |
 | GlobalDataFlow.cs:78:30:78:34 | access to local variable sink3 | GlobalDataFlow.cs:78:41:78:45 | access to local variable sink3 |
-| GlobalDataFlow.cs:78:41:78:45 | access to local variable sink3 | GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) |
-| GlobalDataFlow.cs:78:41:78:45 | access to local variable sink3 | GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) |
 | GlobalDataFlow.cs:78:41:78:45 | access to local variable sink3 | GlobalDataFlow.cs:78:41:78:45 | access to local variable sink3 |
 | GlobalDataFlow.cs:78:41:78:45 | access to local variable sink3 | GlobalDataFlow.cs:287:50:287:50 | z |
 | GlobalDataFlow.cs:78:41:78:45 | access to local variable sink3 | GlobalDataFlow.cs:287:50:287:50 | z |
@@ -1690,8 +1688,6 @@
 | GlobalDataFlow.cs:105:15:105:22 | access to local variable nonSink0 | GlobalDataFlow.cs:105:15:105:22 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:106:9:106:49 | call to method ReturnOut | GlobalDataFlow.cs:106:9:106:49 | call to method ReturnOut |
 | GlobalDataFlow.cs:106:19:106:23 | access to local variable sink1 | GlobalDataFlow.cs:106:19:106:23 | access to local variable sink1 |
-| GlobalDataFlow.cs:106:19:106:23 | access to local variable sink1 | GlobalDataFlow.cs:106:41:106:48 | SSA def(nonSink0) |
-| GlobalDataFlow.cs:106:19:106:23 | access to local variable sink1 | GlobalDataFlow.cs:106:41:106:48 | SSA def(nonSink0) |
 | GlobalDataFlow.cs:106:19:106:23 | access to local variable sink1 | GlobalDataFlow.cs:110:19:110:23 | access to local variable sink1 |
 | GlobalDataFlow.cs:106:19:106:23 | access to local variable sink1 | GlobalDataFlow.cs:110:19:110:23 | access to local variable sink1 |
 | GlobalDataFlow.cs:106:19:106:23 | access to local variable sink1 | GlobalDataFlow.cs:110:30:110:34 | access to local variable sink1 |
@@ -1731,8 +1727,6 @@
 | GlobalDataFlow.cs:108:27:108:34 | access to local variable nonSink0 | GlobalDataFlow.cs:108:27:108:34 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:108:27:108:34 | access to local variable nonSink0 | GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:108:27:108:34 | access to local variable nonSink0 | GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 | GlobalDataFlow.cs:108:27:108:34 | SSA def(nonSink0) |
-| GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 | GlobalDataFlow.cs:108:27:108:34 | SSA def(nonSink0) |
 | GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 | GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 | GlobalDataFlow.cs:287:50:287:50 | z |
 | GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 | GlobalDataFlow.cs:287:50:287:50 | z |
@@ -1758,8 +1752,6 @@
 | GlobalDataFlow.cs:110:30:110:34 | SSA def(sink1) | GlobalDataFlow.cs:124:39:124:43 | access to local variable sink1 |
 | GlobalDataFlow.cs:110:30:110:34 | SSA def(sink1) | GlobalDataFlow.cs:124:39:124:43 | access to local variable sink1 |
 | GlobalDataFlow.cs:110:30:110:34 | access to local variable sink1 | GlobalDataFlow.cs:110:30:110:34 | access to local variable sink1 |
-| GlobalDataFlow.cs:110:41:110:48 | access to local variable nonSink0 | GlobalDataFlow.cs:110:30:110:34 | SSA def(sink1) |
-| GlobalDataFlow.cs:110:41:110:48 | access to local variable nonSink0 | GlobalDataFlow.cs:110:30:110:34 | SSA def(sink1) |
 | GlobalDataFlow.cs:110:41:110:48 | access to local variable nonSink0 | GlobalDataFlow.cs:110:41:110:48 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:110:41:110:48 | access to local variable nonSink0 | GlobalDataFlow.cs:111:15:111:22 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:110:41:110:48 | access to local variable nonSink0 | GlobalDataFlow.cs:111:15:111:22 | access to local variable nonSink0 |
@@ -3108,19 +3100,13 @@
 | GlobalDataFlow.cs:283:9:283:13 | SSA def(y) | GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
 | GlobalDataFlow.cs:283:9:283:13 | SSA def(y) | GlobalDataFlow.cs:104:27:104:34 | SSA def(nonSink0) |
 | GlobalDataFlow.cs:283:9:283:13 | SSA def(y) | GlobalDataFlow.cs:104:27:104:34 | SSA def(nonSink0) |
-| GlobalDataFlow.cs:283:9:283:13 | SSA def(y) | GlobalDataFlow.cs:106:41:106:48 | SSA def(nonSink0) |
-| GlobalDataFlow.cs:283:9:283:13 | SSA def(y) | GlobalDataFlow.cs:106:41:106:48 | SSA def(nonSink0) |
 | GlobalDataFlow.cs:283:9:283:13 | SSA def(y) | GlobalDataFlow.cs:283:9:283:13 | SSA def(y) |
 | GlobalDataFlow.cs:283:13:283:13 | access to parameter x | GlobalDataFlow.cs:283:9:283:13 | SSA def(y) |
 | GlobalDataFlow.cs:283:13:283:13 | access to parameter x | GlobalDataFlow.cs:283:9:283:13 | SSA def(y) |
 | GlobalDataFlow.cs:283:13:283:13 | access to parameter x | GlobalDataFlow.cs:283:9:283:13 | SSA def(y) |
 | GlobalDataFlow.cs:283:13:283:13 | access to parameter x | GlobalDataFlow.cs:283:9:283:13 | SSA def(y) |
 | GlobalDataFlow.cs:283:13:283:13 | access to parameter x | GlobalDataFlow.cs:283:13:283:13 | access to parameter x |
 | GlobalDataFlow.cs:284:9:284:22 | ... = ... | GlobalDataFlow.cs:284:9:284:22 | ... = ... |
-| GlobalDataFlow.cs:284:9:284:22 | SSA def(z) | GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
-| GlobalDataFlow.cs:284:9:284:22 | SSA def(z) | GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
-| GlobalDataFlow.cs:284:9:284:22 | SSA def(z) | GlobalDataFlow.cs:104:27:104:34 | SSA def(nonSink0) |
-| GlobalDataFlow.cs:284:9:284:22 | SSA def(z) | GlobalDataFlow.cs:104:27:104:34 | SSA def(nonSink0) |
 | GlobalDataFlow.cs:284:9:284:22 | SSA def(z) | GlobalDataFlow.cs:106:41:106:48 | SSA def(nonSink0) |
 | GlobalDataFlow.cs:284:9:284:22 | SSA def(z) | GlobalDataFlow.cs:106:41:106:48 | SSA def(nonSink0) |
 | GlobalDataFlow.cs:284:9:284:22 | SSA def(z) | GlobalDataFlow.cs:284:9:284:22 | SSA def(z) |
@@ -3137,12 +3123,6 @@
 | GlobalDataFlow.cs:287:32:287:32 | x | GlobalDataFlow.cs:289:13:289:13 | access to parameter x |
 | GlobalDataFlow.cs:287:32:287:32 | x | GlobalDataFlow.cs:289:13:289:13 | access to parameter x |
 | GlobalDataFlow.cs:287:32:287:32 | x | GlobalDataFlow.cs:289:13:289:13 | access to parameter x |
-| GlobalDataFlow.cs:287:50:287:50 | z | GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) |
-| GlobalDataFlow.cs:287:50:287:50 | z | GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) |
-| GlobalDataFlow.cs:287:50:287:50 | z | GlobalDataFlow.cs:108:27:108:34 | SSA def(nonSink0) |
-| GlobalDataFlow.cs:287:50:287:50 | z | GlobalDataFlow.cs:108:27:108:34 | SSA def(nonSink0) |
-| GlobalDataFlow.cs:287:50:287:50 | z | GlobalDataFlow.cs:110:30:110:34 | SSA def(sink1) |
-| GlobalDataFlow.cs:287:50:287:50 | z | GlobalDataFlow.cs:110:30:110:34 | SSA def(sink1) |
 | GlobalDataFlow.cs:287:50:287:50 | z | GlobalDataFlow.cs:287:50:287:50 | z |
 | GlobalDataFlow.cs:287:50:287:50 | z | GlobalDataFlow.cs:287:50:287:50 | z |
 | GlobalDataFlow.cs:289:9:289:13 | ... = ... | GlobalDataFlow.cs:289:9:289:13 | ... = ... |
diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
@@ -122,7 +122,6 @@ edges
 | GlobalDataFlow.cs:70:28:70:45 | access to property SinkProperty0 | GlobalDataFlow.cs:70:21:70:46 | call to method Return |
 | GlobalDataFlow.cs:72:21:72:101 | (...) ... | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
 | GlobalDataFlow.cs:72:21:72:101 | (...) ... | GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 |
-| GlobalDataFlow.cs:72:21:72:101 | (...) ... | GlobalDataFlow.cs:106:19:106:23 | access to local variable sink1 |
 | GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | GlobalDataFlow.cs:72:21:72:101 | (...) ... |
 | GlobalDataFlow.cs:72:94:72:98 | access to local variable sink0 | GlobalDataFlow.cs:72:29:72:101 | call to method Invoke |
 | GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 | GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
@@ -131,12 +130,6 @@ edges
 | GlobalDataFlow.cs:78:19:78:23 | access to local variable sink2 | GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) |
 | GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) | GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 |
 | GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) | GlobalDataFlow.cs:135:29:135:33 | access to local variable sink3 |
-| GlobalDataFlow.cs:106:19:106:23 | access to local variable sink1 | GlobalDataFlow.cs:106:41:106:48 | SSA def(nonSink0) |
-| GlobalDataFlow.cs:106:41:106:48 | SSA def(nonSink0) | GlobalDataFlow.cs:107:15:107:22 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:106:41:106:48 | SSA def(nonSink0) | GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:108:27:108:34 | SSA def(nonSink0) | GlobalDataFlow.cs:109:15:109:22 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:108:27:108:34 | SSA def(nonSink0) | GlobalDataFlow.cs:111:15:111:22 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:108:41:108:48 | access to local variable nonSink0 | GlobalDataFlow.cs:108:27:108:34 | SSA def(nonSink0) |
 | GlobalDataFlow.cs:135:21:135:34 | delegate call | GlobalDataFlow.cs:136:15:136:19 | access to local variable sink4 |
 | GlobalDataFlow.cs:135:21:135:34 | delegate call | GlobalDataFlow.cs:143:39:143:43 | access to local variable sink4 |
 | GlobalDataFlow.cs:135:29:135:33 | access to local variable sink3 | GlobalDataFlow.cs:135:21:135:34 | delegate call |
@@ -205,9 +198,6 @@ edges
 | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
 | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
 | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | access to field SinkField0 |
-| GlobalDataFlow.cs:107:15:107:22 | access to local variable nonSink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:107:15:107:22 | access to local variable nonSink0 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:109:15:109:22 | access to local variable nonSink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:109:15:109:22 | access to local variable nonSink0 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:111:15:111:22 | access to local variable nonSink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:111:15:111:22 | access to local variable nonSink0 | access to local variable nonSink0 |
 | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | access to local variable sink0 |
 | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | access to local variable sink1 |
 | GlobalDataFlow.cs:190:15:190:20 | access to local variable sink10 | GlobalDataFlow.cs:318:16:318:29 | "taint source" | GlobalDataFlow.cs:190:15:190:20 | access to local variable sink10 | access to local variable sink10 |
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected
@@ -25,11 +25,6 @@
 | GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 |
 | GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 |
 | GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 |
-| GlobalDataFlow.cs:107:15:107:22 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:109:15:109:22 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:111:15:111:22 | access to local variable nonSink0 |
-| GlobalDataFlow.cs:113:15:113:22 | access to local variable nonSink1 |
-| GlobalDataFlow.cs:115:15:115:22 | access to local variable nonSink1 |
 | GlobalDataFlow.cs:136:15:136:19 | access to local variable sink4 |
 | GlobalDataFlow.cs:144:15:144:19 | access to local variable sink5 |
 | GlobalDataFlow.cs:154:15:154:19 | access to local variable sink6 |
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingEdges.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingEdges.expected
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected

Original file line number	Diff line number	Diff line change
`@@ -738,7 +738,8 @@ private module ReturnNodes {`
`738`	`738`
`739`	`739`	`OutRefReturnNode() {`
`740`	`740`	`exists(Parameter p \|`
`741`		`- this.getDefinition().(Ssa::ExplicitDefinition).isLiveOutRefParameterDefinition(p)`
	`741`	`+ this.getDefinition().(Ssa::ExplicitDefinition).isLiveOutRefParameterDefinition(p) and`
	`742`	`+ kind.getPosition() = p.getPosition()`
`742`	`743`	`\|`
`743`	`744`	`p.isOut() and kind instanceof OutReturnKind`
`744`	`745`	`or`