C#: Model data-flow for System.Threading.Tasks.Task<T>.GetAwaiter()

Author: hvitved

csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll

@@ -11,6 +11,7 @@ private import semmle.code.csharp.frameworks.system.io.Compression
 private import semmle.code.csharp.frameworks.system.linq.Expressions
 private import semmle.code.csharp.frameworks.system.Net
 private import semmle.code.csharp.frameworks.system.Text
+private import semmle.code.csharp.frameworks.system.runtime.CompilerServices
 private import semmle.code.csharp.frameworks.system.threading.Tasks
 private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.frameworks.system.web.ui.WebControls
@@ -95,6 +96,11 @@ module AccessPath {
     result = singleton(any(PropertyContent c | c.getProperty() = p.getSourceDeclaration()))
   }
 
+  /** Gets a singleton field access path. */
+  AccessPath field(Field f) {
+    result = singleton(any(FieldContent c | c.getField() = f.getSourceDeclaration()))
+  }
+
   /** Gets an access path representing a property inside a collection. */
   AccessPath properties(Property p) { result = TConsAccessPath(any(ElementContent c), property(p)) }
 }
@@ -1714,9 +1720,7 @@ class SystemThreadingTasksTaskFlow extends LibraryTypeDataFlow, SystemThreadingT
 }
 
 /** Data flow for `System.Threading.Tasks.Task<>`. */
-class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow {
-  SystemThreadingTasksTaskTFlow() { this instanceof SystemThreadingTasksTaskTClass }
-
+class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow, SystemThreadingTasksTaskTClass {
   override predicate callableFlow(
     CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
     SourceDeclarationCallable c, boolean preservesValue
@@ -1807,6 +1811,14 @@ class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow {
         sinkAp = AccessPath::property(this.(SystemThreadingTasksTaskTClass).getResultProperty())
       )
     )
+    or
+    m = this.getGetAwaiterMethod() and
+    source = TCallableFlowSourceQualifier() and
+    sourceAp = AccessPath::empty() and
+    sink = TCallableFlowSinkReturn() and
+    sinkAp =
+      AccessPath::field(any(SystemRuntimeCompilerServicesTaskAwaiterStruct s)
+            .getUnderlyingTaskField())
   }
 }
 
@@ -1891,6 +1903,29 @@ class SystemThreadingTasksFactoryFlow extends LibraryTypeDataFlow {
   }
 }
 
+/** Data flow for `System.Runtime.CompilerServices.TaskAwaiter<>`. */
+class SystemRuntimeCompilerServicesTaskAwaiterFlow extends LibraryTypeDataFlow,
+  SystemRuntimeCompilerServicesTaskAwaiterStruct {
+  override predicate callableFlow(
+    CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
+    SourceDeclarationCallable c, boolean preservesValue
+  ) {
+    preservesValue = true and
+    c = this.getGetResultMethod() and
+    source = TCallableFlowSourceQualifier() and
+    sourceAp =
+      AccessPath::cons(any(FieldContent fc | fc.getField() = this.getUnderlyingTaskField()),
+        AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())) and
+    sink = TCallableFlowSinkReturn() and
+    sinkAp = AccessPath::empty()
+  }
+
+  override predicate requiresAccessPath(Content head, AccessPath tail) {
+    head.(FieldContent).getField() = this.getUnderlyingTaskField() and
+    tail = AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())
+  }
+}
+
 /** Data flow for `System.Text.Encoding`. */
 library class SystemTextEncodingFlow extends LibraryTypeDataFlow, SystemTextEncodingClass {
   override predicate callableFlow(

csharp/ql/src/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll

@@ -0,0 +1,30 @@
+/** Provides definitions related to the namespace `System.Runtime.CompilerServices`. */
+
+import csharp
+private import semmle.code.csharp.frameworks.system.Runtime
+
+/** The `System.Runtime.CompilerServices` namespace. */
+class SystemRuntimeCompilerServicesNamespace extends Namespace {
+  SystemRuntimeCompilerServicesNamespace() {
+    this.getParentNamespace() instanceof SystemRuntimeNamespace and
+    this.hasName("CompilerServices")
+  }
+}
+
+/** An unbound generic struct in the `System.Runtime.CompilerServices` namespace. */
+class SystemRuntimeCompilerServicesNamespaceUnboundGenericStruct extends UnboundGenericStruct {
+  SystemRuntimeCompilerServicesNamespaceUnboundGenericStruct() {
+    this = any(SystemRuntimeCompilerServicesNamespace n).getATypeDeclaration()
+  }
+}
+
+/** The `System.Runtime.CompilerServices.TaskAwaiter<>` struct. */
+class SystemRuntimeCompilerServicesTaskAwaiterStruct extends SystemRuntimeCompilerServicesNamespaceUnboundGenericStruct {
+  SystemRuntimeCompilerServicesTaskAwaiterStruct() { this.hasName("TaskAwaiter<>") }
+
+  /** Gets the `GetResult` method. */
+  Method getGetResultMethod() { result = this.getAMethod("GetResult") }
+
+  /** Gets the field that stores the underlying task. */
+  Field getUnderlyingTaskField() { result = this.getAField() and result.hasName("m_task") }
+}

csharp/ql/src/semmle/code/csharp/frameworks/system/threading/Tasks.qll

@@ -38,4 +38,7 @@ class SystemThreadingTasksTaskTClass extends SystemThreadingTasksUnboundGenericC
     result.hasName("Result") and
     result.getType() = this.getTypeParameter(0)
   }
+
+  /** Gets the `GetAwaiter` method. */
+  Method getGetAwaiterMethod() { result = this.getAMethod("GetAwaiter") }
 }

csharp/ql/test/library-tests/dataflow/library/LibraryTypeDataFlow.cs

@@ -85,7 +85,7 @@ void M()
         HttpContextBase context = null;
         string name = context.Request.QueryString["name"];
 
-        var dict = new Dictionary<string, int>() { {"abc", 0 } };
+        var dict = new Dictionary<string, int>() { { "abc", 0 } };
     }
 
     [DataContract]

csharp/ql/test/library-tests/dataflow/library/LibraryTypeDataFlow.expected

@@ -1780,6 +1780,7 @@ callableFlowAccessPath
 | System.Runtime.CompilerServices.ReadOnlyCollectionBuilder<>.Reverse(int, int) | argument 0 [[]] -> return [[]] | true |
 | System.Runtime.CompilerServices.ReadOnlyCollectionBuilder<>.get_Item(int) | qualifier [[]] -> return [<empty>] | true |
 | System.Runtime.CompilerServices.ReadOnlyCollectionBuilder<>.set_Item(int, T) | argument 1 [<empty>] -> qualifier [[]] | true |
+| System.Runtime.CompilerServices.TaskAwaiter<>.GetResult() | qualifier [m_task, Result] -> return [<empty>] | true |
 | System.Security.PermissionSet.CopyTo(Array, int) | qualifier [[]] -> argument 0 [[]] | true |
 | System.Security.PermissionSet.GetEnumerator() | qualifier [[]] -> return [Current] | true |
 | System.String.Concat(IEnumerable<String>) | argument 0 [[]] -> return [<empty>] | false |
@@ -1929,6 +1930,7 @@ callableFlowAccessPath
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>, CancellationToken, TaskContinuationOptions, TaskScheduler) | output from argument 0 [<empty>] -> return [Result] | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>, TaskContinuationOptions) | output from argument 0 [<empty>] -> return [Result] | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>, TaskScheduler) | output from argument 0 [<empty>] -> return [Result] | true |
+| System.Threading.Tasks.Task<>.GetAwaiter() | qualifier [<empty>] -> return [m_task] | true |
 | System.Threading.Tasks.Task<>.Task(Func<Object, TResult>, object) | output from argument 0 [<empty>] -> return [Result] | true |
 | System.Threading.Tasks.Task<>.Task(Func<Object, TResult>, object, CancellationToken) | output from argument 0 [<empty>] -> return [Result] | true |
 | System.Threading.Tasks.Task<>.Task(Func<Object, TResult>, object, CancellationToken, TaskCreationOptions) | output from argument 0 [<empty>] -> return [Result] | true |