C#: Rework function pointer/delegate call DF

Author: tamasvajk

csharp/ql/src/Dead Code/DeadStoreOfLocal.ql

@@ -63,7 +63,7 @@ predicate mayEscape(LocalVariable v) {
   exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
     e = getADelegateExpr(c) and
     DataFlow::localExprFlow(e, succ) and
-    not succ = any(DelegateCall dc).getDelegateExpr() and
+    not succ = any(DelegateCall dc).getExpr() and
     not succ = any(Cast cast).getExpr() and
     not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
     not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()

csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Delegate.qll

@@ -97,9 +97,7 @@ private class TranslatedDelegateInvokeCall extends TranslatedCompilerGeneratedCa
     )
   }
 
-  override TranslatedExprBase getQualifier() {
-    result = getTranslatedExpr(generatedBy.getDelegateExpr())
-  }
+  override TranslatedExprBase getQualifier() { result = getTranslatedExpr(generatedBy.getExpr()) }
 
   override Instruction getQualifierResult() { result = getQualifier().getResult() }
 

csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll

@@ -11,7 +11,8 @@ cached
 private newtype TCallContext =
   TEmptyCallContext() or
   TArgNonDelegateCallContext(Expr arg) { exists(DispatchCall dc | arg = dc.getArgument(_)) } or
-  TArgDelegateCallContext(DelegateCall dc, int i) { exists(dc.getArgument(i)) }
+  TArgDelegateCallContext(DelegateCall dc, int i) { exists(dc.getArgument(i)) } or
+  TArgFunctionPointerCallContext(FunctionPointerCall fptrc, int i) { exists(fptrc.getArgument(i)) }
 
 /**
  * A call context.
@@ -60,12 +61,14 @@ class NonDelegateCallArgumentCallContext extends ArgumentCallContext, TArgNonDel
   override Location getLocation() { result = arg.getLocation() }
 }
 
-/** An argument of a delegate call. */
-class DelegateCallArgumentCallContext extends ArgumentCallContext, TArgDelegateCallContext {
-  DelegateCall dc;
+/** An argument of a delegate or function pointer call. */
+class DelegateLikeCallArgumentCallContext extends ArgumentCallContext {
+  DelegateLikeCall dc;
   int arg;
 
-  DelegateCallArgumentCallContext() { this = TArgDelegateCallContext(dc, arg) }
+  DelegateLikeCallArgumentCallContext() {
+    this = TArgDelegateCallContext(dc, arg) or this = TArgFunctionPointerCallContext(dc, arg)
+  }
 
   override predicate isArgument(Expr call, int i) {
     call = dc and
@@ -76,3 +79,15 @@ class DelegateCallArgumentCallContext extends ArgumentCallContext, TArgDelegateC
 
   override Location getLocation() { result = dc.getArgument(arg).getLocation() }
 }
+
+/** An argument of a delegate call. */
+class DelegateCallArgumentCallContext extends DelegateLikeCallArgumentCallContext,
+  TArgDelegateCallContext {
+  DelegateCallArgumentCallContext() { this = TArgDelegateCallContext(dc, arg) }
+}
+
+/** An argument of a function pointer call. */
+class FunctionPointerCallArgumentCallContext extends DelegateLikeCallArgumentCallContext,
+  TArgFunctionPointerCallContext {
+  FunctionPointerCallArgumentCallContext() { this = TArgFunctionPointerCallContext(dc, arg) }
+}

csharp/ql/src/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll

@@ -14,8 +14,14 @@ private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.system.linq.Expressions
 
+/** A source of flow for a delegate or function pointer expression. */
+private class DelegateLikeFlowSource extends DataFlow::ExprNode {
+  /** Gets the callable that is referenced in this delegate or function pointer flow source. */
+  Callable getCallable() { none() }
+}
+
 /** A source of flow for a delegate expression. */
-private class DelegateFlowSource extends DataFlow::ExprNode {
+private class DelegateFlowSource extends DelegateLikeFlowSource {
   Callable c;
 
   DelegateFlowSource() {
@@ -27,11 +33,26 @@ private class DelegateFlowSource extends DataFlow::ExprNode {
   }
 
   /** Gets the callable that is referenced in this delegate flow source. */
-  Callable getCallable() { result = c }
+  override Callable getCallable() { result = c }
+}
+
+/** A source of flow for a function pointer expression. */
+private class FunctionPointerFlowSource extends DelegateLikeFlowSource {
+  Callable c;
+
+  FunctionPointerFlowSource() {
+    this.getExpr() =
+      any(Expr e |
+        c = e.(AddressOfExpr).getOperand().(CallableAccess).getTarget().getUnboundDeclaration()
+      )
+  }
+
+  /** Gets the callable that is referenced in this function pointer flow source. */
+  override Callable getCallable() { result = c }
 }
 
-/** A sink of flow for a delegate expression. */
-abstract private class DelegateFlowSink extends DataFlow::Node {
+/** A sink of flow for a delegate or function pointer expression. */
+abstract private class DelegateLikeFlowSink extends DataFlow::Node {
   /**
    * Gets an actual run-time target of this delegate call in the given call
    * context, if any. The call context records the *last* call required to
@@ -85,33 +106,49 @@ abstract private class DelegateFlowSink extends DataFlow::Node {
    */
   cached
   Callable getARuntimeTarget(CallContext context) {
-    exists(DelegateFlowSource dfs |
+    exists(DelegateLikeFlowSource dfs |
       flowsFrom(this, dfs, _, context) and
       result = dfs.getCallable()
     )
   }
 }
 
+/** A delegate or function pointer call expression. */
+class DelegateLikeCallExpr extends DelegateLikeFlowSink, DataFlow::ExprNode {
+  /** Gets the delegate or function pointer call that this expression belongs to. */
+  DelegateLikeCall getCall() { none() }
+}
+
 /** A delegate call expression. */
-class DelegateCallExpr extends DelegateFlowSink, DataFlow::ExprNode {
+class DelegateCallExpr extends DelegateLikeCallExpr {
   DelegateCall dc;
 
-  DelegateCallExpr() { this.getExpr() = dc.getDelegateExpr() }
+  DelegateCallExpr() { this.getExpr() = dc.getExpr() }
 
   /** Gets the delegate call that this expression belongs to. */
-  DelegateCall getDelegateCall() { result = dc }
+  override DelegateCall getCall() { result = dc }
+}
+
+/** A function pointer call expression. */
+class FunctionPointerCallExpr extends DelegateLikeCallExpr {
+  FunctionPointerCall fptrc;
+
+  FunctionPointerCallExpr() { this.getExpr() = fptrc.getExpr() }
+
+  /** Gets the function pointer call that this expression belongs to. */
+  override FunctionPointerCall getCall() { result = fptrc }
 }
 
 /** A parameter of delegate type belonging to a callable with a flow summary. */
-class SummaryDelegateParameterSink extends DelegateFlowSink, ParameterNode {
+class SummaryDelegateParameterSink extends DelegateLikeFlowSink, ParameterNode {
   SummaryDelegateParameterSink() {
     this.getType() instanceof SystemLinqExpressions::DelegateExtType and
     this.isParameterOf(any(SummarizedCallable c), _)
   }
 }
 
 /** A delegate expression that is added to an event. */
-class AddEventSource extends DelegateFlowSink, DataFlow::ExprNode {
+class AddEventSource extends DelegateLikeFlowSink, DataFlow::ExprNode {
   AddEventExpr ae;
 
   AddEventSource() { this.getExpr() = ae.getRValue() }
@@ -150,7 +187,7 @@ private class NormalReturnNode extends Node {
  * records the last call on the path from `node` to `sink`, if any.
  */
 private predicate flowsFrom(
-  DelegateFlowSink sink, DataFlow::Node node, boolean isReturned, CallContext lastCall
+  DelegateLikeFlowSink sink, DataFlow::Node node, boolean isReturned, CallContext lastCall
 ) {
   // Base case
   sink = node and
@@ -188,7 +225,8 @@ private predicate flowsFrom(
   or
   // Flow into a callable (delegate call)
   exists(
-    ParameterNode mid, CallContext prevLastCall, DelegateCall call, Callable c, Parameter p, int i
+    ParameterNode mid, CallContext prevLastCall, DelegateLikeCall call, Callable c, Parameter p,
+    int i
   |
     flowsFrom(sink, mid, isReturned, prevLastCall) and
     isReturned = false and
@@ -238,14 +276,14 @@ private predicate flowIntoNonDelegateCall(NonDelegateCall call, Expr arg, DotNet
 }
 
 pragma[noinline]
-private predicate flowIntoDelegateCall(DelegateCall call, Callable c, Expr arg, int i) {
-  exists(DelegateFlowSource dfs, DelegateCallExpr dce |
+private predicate flowIntoDelegateCall(DelegateLikeCall call, Callable c, Expr arg, int i) {
+  exists(DelegateLikeFlowSource dfs, DelegateLikeCallExpr dce |
     // the call context is irrelevant because the delegate call
     // itself will be the context
     flowsFrom(dce, dfs, _, _) and
     arg = call.getArgument(i) and
     c = dfs.getCallable() and
-    call = dce.getDelegateCall()
+    call = dce.getCall()
   )
 }
 
@@ -255,11 +293,13 @@ private predicate flowOutOfNonDelegateCall(NonDelegateCall call, NormalReturnNod
 }
 
 pragma[noinline]
-private predicate flowOutOfDelegateCall(DelegateCall dc, NormalReturnNode ret, CallContext lastCall) {
-  exists(DelegateFlowSource dfs, DelegateCallExpr dce, Callable c |
+private predicate flowOutOfDelegateCall(
+  DelegateLikeCall dc, NormalReturnNode ret, CallContext lastCall
+) {
+  exists(DelegateLikeFlowSource dfs, DelegateLikeCallExpr dce, Callable c |
     flowsFrom(dce, dfs, _, lastCall) and
     ret.getEnclosingCallable() = c and
     c = dfs.getCallable() and
-    dc = dce.getDelegateCall()
+    dc = dce.getCall()
   )
 }