C#: Adjust data-flow for with expressions

hvitved · tamasvajk · commit 6a6644b5c261 · 2021-02-12T19:54:52.000+01:00
In `x with { Foo = bar }`, instead of having a single data-flow step

`x =&gt; x with { Foo = bar }`

we now have two steps:

`x =&gt; { Foo = bar }`

and

`{ Foo = bar } =&gt; x with { Foo = bar }`

Moreover, `clearsContent` now targets the object initializer instead of the
whole `with` expression, which means that it will only apply to values carried
over from the old object and not those explicitly stored into the new object.
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -210,9 +210,16 @@ module LocalFlow {
         scope = e2 and
         isSuccessor = true
         or
-        e1 = e2.(WithExpr).getExpr() and
-        scope = e2 and
-        isSuccessor = true
+        exists(WithExpr we |
+          scope = we and
+          isSuccessor = true
+        |
+          e1 = we.getExpr() and
+          e2 = we.getInitializer()
+          or
+          e1 = we.getInitializer() and
+          e2 = we
+        )
       )
     }
 
@@ -799,8 +806,6 @@ private module Cached {
   predicate clearsContent(Node n, Content c) {
     fieldOrPropertyStore(_, c, _, n.asExpr(), true)
     or
-    fieldOrPropertyStore(_, c, _, n.asExpr().(WithExpr), false)
-    or
     fieldOrPropertyStore(_, c, _, n.(ObjectInitializerNode).getInitializer(), false)
     or
     FlowSummaryImpl::Private::storeStep(n, c, _) and
@@ -811,6 +816,13 @@ private module Cached {
       input = SummaryInput::parameter(i) and
       n.(ArgumentNode).argumentOf(call, i)
     )
+    or
+    exists(WithExpr we, ObjectInitializer oi, FieldOrProperty f |
+      oi = we.getInitializer() and
+      n.asExpr() = oi and
+      f = oi.getAMemberInitializer().getInitializedMember() and
+      c = f.getContent()
+    )
   }
 
   /**
@@ -904,6 +916,8 @@ private module Cached {
     n instanceof SummaryNodeImpl
     or
     n instanceof ParamsArgumentNode
+    or
+    n.asExpr() = any(WithExpr we).getInitializer()
   }
 }
 
diff --git a/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected b/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected
@@ -239,14 +239,17 @@ edges
 | I.cs:39:9:39:9 | access to parameter i [Field1] : Object | I.cs:40:14:40:14 | access to parameter i [Field1] : Object |
 | I.cs:40:14:40:14 | access to parameter i [Field1] : Object | I.cs:40:14:40:21 | access to field Field1 |
 | J.cs:12:17:12:28 | object creation of type Object : Object | J.cs:13:48:13:48 | access to local variable o : Object |
+| J.cs:12:17:12:28 | object creation of type Object : Object | J.cs:21:36:21:36 | access to local variable o : Object |
 | J.cs:13:38:13:50 | { ..., ... } [Prop1] : Object | J.cs:14:14:14:15 | access to local variable r1 [Prop1] : Object |
 | J.cs:13:38:13:50 | { ..., ... } [Prop1] : Object | J.cs:18:14:18:15 | access to local variable r2 [Prop1] : Object |
-| J.cs:13:38:13:50 | { ..., ... } [Prop1] : Object | J.cs:21:18:21:38 | ... with { ... } [Prop1] : Object |
+| J.cs:13:38:13:50 | { ..., ... } [Prop1] : Object | J.cs:22:14:22:15 | access to local variable r3 [Prop1] : Object |
 | J.cs:13:48:13:48 | access to local variable o : Object | J.cs:13:38:13:50 | { ..., ... } [Prop1] : Object |
 | J.cs:14:14:14:15 | access to local variable r1 [Prop1] : Object | J.cs:14:14:14:21 | access to property Prop1 |
 | J.cs:18:14:18:15 | access to local variable r2 [Prop1] : Object | J.cs:18:14:18:21 | access to property Prop1 |
-| J.cs:21:18:21:38 | ... with { ... } [Prop1] : Object | J.cs:22:14:22:15 | access to local variable r3 [Prop1] : Object |
+| J.cs:21:18:21:38 | ... with { ... } [Prop2] : Object | J.cs:23:14:23:15 | access to local variable r3 [Prop2] : Object |
+| J.cs:21:36:21:36 | access to local variable o : Object | J.cs:21:18:21:38 | ... with { ... } [Prop2] : Object |
 | J.cs:22:14:22:15 | access to local variable r3 [Prop1] : Object | J.cs:22:14:22:21 | access to property Prop1 |
+| J.cs:23:14:23:15 | access to local variable r3 [Prop2] : Object | J.cs:23:14:23:21 | access to property Prop2 |
 nodes
 | A.cs:5:17:5:23 | object creation of type C : C | semmle.label | object creation of type C : C |
 | A.cs:6:17:6:25 | call to method Make [c] : C | semmle.label | call to method Make [c] : C |
@@ -529,9 +532,12 @@ nodes
 | J.cs:14:14:14:21 | access to property Prop1 | semmle.label | access to property Prop1 |
 | J.cs:18:14:18:15 | access to local variable r2 [Prop1] : Object | semmle.label | access to local variable r2 [Prop1] : Object |
 | J.cs:18:14:18:21 | access to property Prop1 | semmle.label | access to property Prop1 |
-| J.cs:21:18:21:38 | ... with { ... } [Prop1] : Object | semmle.label | ... with { ... } [Prop1] : Object |
+| J.cs:21:18:21:38 | ... with { ... } [Prop2] : Object | semmle.label | ... with { ... } [Prop2] : Object |
+| J.cs:21:36:21:36 | access to local variable o : Object | semmle.label | access to local variable o : Object |
 | J.cs:22:14:22:15 | access to local variable r3 [Prop1] : Object | semmle.label | access to local variable r3 [Prop1] : Object |
 | J.cs:22:14:22:21 | access to property Prop1 | semmle.label | access to property Prop1 |
+| J.cs:23:14:23:15 | access to local variable r3 [Prop2] : Object | semmle.label | access to local variable r3 [Prop2] : Object |
+| J.cs:23:14:23:21 | access to property Prop2 | semmle.label | access to property Prop2 |
 #select
 | A.cs:7:14:7:16 | access to field c | A.cs:5:17:5:23 | object creation of type C : C | A.cs:7:14:7:16 | access to field c | $@ | A.cs:5:17:5:23 | object creation of type C : C | object creation of type C : C |
 | A.cs:14:14:14:20 | call to method Get | A.cs:13:15:13:22 | object creation of type C1 : C1 | A.cs:14:14:14:20 | call to method Get | $@ | A.cs:13:15:13:22 | object creation of type C1 : C1 | object creation of type C1 : C1 |
@@ -588,3 +594,4 @@ nodes
 | J.cs:14:14:14:21 | access to property Prop1 | J.cs:12:17:12:28 | object creation of type Object : Object | J.cs:14:14:14:21 | access to property Prop1 | $@ | J.cs:12:17:12:28 | object creation of type Object : Object | object creation of type Object : Object |
 | J.cs:18:14:18:21 | access to property Prop1 | J.cs:12:17:12:28 | object creation of type Object : Object | J.cs:18:14:18:21 | access to property Prop1 | $@ | J.cs:12:17:12:28 | object creation of type Object : Object | object creation of type Object : Object |
 | J.cs:22:14:22:21 | access to property Prop1 | J.cs:12:17:12:28 | object creation of type Object : Object | J.cs:22:14:22:21 | access to property Prop1 | $@ | J.cs:12:17:12:28 | object creation of type Object : Object | object creation of type Object : Object |
+| J.cs:23:14:23:21 | access to property Prop2 | J.cs:12:17:12:28 | object creation of type Object : Object | J.cs:23:14:23:21 | access to property Prop2 | $@ | J.cs:12:17:12:28 | object creation of type Object : Object | object creation of type Object : Object |
