github
diff --git a/‎change-notes/1.22/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.22/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll‎
Lines changed: 71 additions & 29 deletions b/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll‎
Lines changed: 71 additions & 29 deletions
@@ -41,5 +41,6 @@
   - The new predicate `ConstructedGeneric.getAnnotatedTypeArgument()` gets the annotated type of a type argument
   - The new predicate `TypeParameterConstraints.getAnAnnotatedTypeConstraint()` gets a type constraint with type annotations
 * The new class `SuppressNullableWarningExpr` models suppress-nullable-warning expressions such as `x!`
+* The data-flow library (and taint-tracking library) now supports flow through fields. All existing configurations will have field-flow enabled by default, but it can be disabled by adding `override int fieldFlowBranchLimit() { result = 0 }` to the configuration class. Field assignments, `this.Foo = x`, object initializers, `new C() { Foo = x }`, and field initializers `int Foo = 0` are supported.
 
 ## Changes to autobuilder
@@ -278,10 +278,9 @@ private predicate nodeCandFwd1(Node node, boolean stored, Configuration config)
     )
     or
     // read
-    exists(Node mid, Content f |
-      nodeCandFwd1(mid, true, config) and
-      read(mid, f, node) and
-      storeCandFwd1(f, unbind(config)) and
+    exists(Content f |
+      nodeCandFwd1Read(f, node, config) and
+      storeCandFwd1(f, config) and
       (stored = false or stored = true) and
       not inBarrier(node, config)
     )
@@ -308,9 +307,18 @@ private predicate nodeCandFwd1(Node node, boolean stored, Configuration config)
   )
 }
 
+pragma[nomagic]
+private predicate nodeCandFwd1Read(Content f, Node node, Configuration config) {
+  exists(Node mid |
+    nodeCandFwd1(mid, true, config) and
+    read(mid, f, node)
+  )
+}
+
 /**
  * Holds if `f` is the target of a store in the flow covered by `nodeCandFwd1`.
  */
+pragma[noinline]
 private predicate storeCandFwd1(Content f, Configuration config) {
   exists(Node mid, Node node |
     not fullBarrier(node, config) and
@@ -358,10 +366,9 @@ private predicate nodeCand1(Node node, boolean stored, Configuration config) {
     )
     or
     // store
-    exists(Node mid, Content f |
-      store(node, f, mid) and
-      readCand1(f, unbind(config)) and
-      nodeCand1(mid, true, config) and
+    exists(Content f |
+      nodeCand1Store(f, node, config) and
+      readCand1(f, config) and
       (stored = false or stored = true)
     )
     or
@@ -398,6 +405,7 @@ private predicate nodeCand1(Node node, boolean stored, Configuration config) {
 /**
  * Holds if `f` is the target of a read in the flow covered by `nodeCand1`.
  */
+pragma[noinline]
 private predicate readCand1(Content f, Configuration config) {
   exists(Node mid, Node node |
     useFieldFlow(config) and
@@ -408,6 +416,15 @@ private predicate readCand1(Content f, Configuration config) {
   )
 }
 
+pragma[nomagic]
+private predicate nodeCand1Store(Content f, Node node, Configuration config) {
+  exists(Node mid |
+    nodeCand1(mid, true, config) and
+    storeCandFwd1(f, unbind(config)) and
+    store(node, f, mid)
+  )
+}
+
 private predicate throughFlowNodeCand(Node node, Configuration config) {
   nodeCand1(node, false, config) and
   not fullBarrier(node, config) and
@@ -669,10 +686,9 @@ private predicate nodeCandFwd2(Node node, boolean fromArg, boolean stored, Confi
     )
     or
     // read
-    exists(Node mid, Content f |
-      nodeCandFwd2(mid, fromArg, true, config) and
-      read(mid, f, node) and
-      storeCandFwd2(f, unbind(config)) and
+    exists(Content f |
+      nodeCandFwd2Read(f, node, fromArg, config) and
+      storeCandFwd2(f, config) and
       (stored = false or stored = true)
     )
     or
@@ -695,6 +711,7 @@ private predicate nodeCandFwd2(Node node, boolean fromArg, boolean stored, Confi
 /**
  * Holds if `f` is the target of a store in the flow covered by `nodeCandFwd2`.
  */
+pragma[noinline]
 private predicate storeCandFwd2(Content f, Configuration config) {
   exists(Node mid, Node node |
     useFieldFlow(config) and
@@ -705,6 +722,15 @@ private predicate storeCandFwd2(Content f, Configuration config) {
   )
 }
 
+pragma[nomagic]
+private predicate nodeCandFwd2Read(Content f, Node node, boolean fromArg, Configuration config) {
+  exists(Node mid |
+    nodeCandFwd2(mid, fromArg, true, config) and
+    read(mid, f, node) and
+    readCand1(f, unbind(config))
+  )
+}
+
 /**
  * Holds if `node` is part of a path from a source to a sink in the given
  * configuration taking simple call contexts into consideration.
@@ -742,10 +768,9 @@ private predicate nodeCand2(Node node, boolean toReturn, boolean stored, Configu
     )
     or
     // store
-    exists(Node mid, Content f |
-      store(node, f, mid) and
-      readCand2(f, unbind(config)) and
-      nodeCand2(mid, toReturn, true, config) and
+    exists(Content f |
+      nodeCand2Store(f, node, toReturn, config) and
+      readCand2(f, config) and
       (stored = false or stored = true)
     )
     or
@@ -776,6 +801,7 @@ private predicate nodeCand2(Node node, boolean toReturn, boolean stored, Configu
 /**
  * Holds if `f` is the target of a read in the flow covered by `nodeCand2`.
  */
+pragma[noinline]
 private predicate readCand2(Content f, Configuration config) {
   exists(Node mid, Node node |
     useFieldFlow(config) and
@@ -786,25 +812,30 @@ private predicate readCand2(Content f, Configuration config) {
   )
 }
 
+pragma[noinline]
+private predicate nodeCand2Store(Content f, Node node, boolean toReturn, Configuration config) {
+  exists(Node mid |
+    store(node, f, mid) and
+    nodeCand2(mid, toReturn, true, config)
+  )
+}
+
 pragma[nomagic]
 private predicate storeCand(Content f, Configuration conf) {
-  exists(Node n1, Node n2 |
-    store(n1, f, n2) and
-    nodeCand2(n1, _, _, conf) and
-    nodeCand2(n2, _, _, unbind(conf))
+  exists(Node node |
+    nodeCand2Store(f, node, _, conf) and
+    nodeCand2(node, _, _, conf)
   )
 }
 
-private predicate readCand(Content f, Configuration conf) { readCand2(f, conf) }
-
 /**
  * Holds if `f` is the target of both a store and a read in the path graph
  * covered by `nodeCand2`.
  */
 pragma[noinline]
 private predicate readStoreCand(Content f, Configuration conf) {
   storeCand(f, conf) and
-  readCand(f, conf)
+  readCand2(f, conf)
 }
 
 private predicate nodeCand(Node node, Configuration config) { nodeCand2(node, _, _, config) }
@@ -1030,15 +1061,13 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf,
     apf.headUsesContent(f)
   )
   or
-  exists(Node mid, Content f, AccessPathFront apf0 |
-    flowCandFwd(mid, fromArg, apf0, config) and
-    read(mid, f, node) and
-    nodeCand(node, config) and
-    apf0.headUsesContent(f) and
-    consCandFwd(f, apf, unbind(config))
+  exists(Content f |
+    flowCandFwdRead(f, node, fromArg, config) and
+    consCandFwd(f, apf, config)
   )
 }
 
+pragma[noinline]
 private predicate consCandFwd(Content f, AccessPathFront apf, Configuration config) {
   exists(Node mid, Node n |
     flowCandFwd(mid, _, apf, config) and
@@ -1049,6 +1078,16 @@ private predicate consCandFwd(Content f, AccessPathFront apf, Configuration conf
   )
 }
 
+pragma[nomagic]
+private predicate flowCandFwdRead(Content f, Node node, boolean fromArg, Configuration config) {
+  exists(Node mid, AccessPathFront apf |
+    flowCandFwd(mid, fromArg, apf, config) and
+    read(mid, f, node) and
+    apf.headUsesContent(f) and
+    nodeCand(node, unbind(config))
+  )
+}
+
 /**
  * Holds if data can flow from a source to `node` with the given `apf` and
  * from there flow to a sink.
@@ -1139,6 +1178,7 @@ private predicate flowCandRead(
   )
 }
 
+pragma[nomagic]
 private predicate flowCandStore(
   Node node, Content f, boolean toReturn, AccessPathFront apf0, Configuration config
 ) {
@@ -1148,6 +1188,7 @@ private predicate flowCandStore(
   )
 }
 
+pragma[noinline]
 private predicate consCand(Content f, AccessPathFront apf, Configuration config) {
   consCandFwd(f, apf, config) and
   exists(Node n, AccessPathFront apf0 |
@@ -1672,6 +1713,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat
   valuePathThroughCallable(mid, node, cc) and ap = mid.getAp()
 }
 
+pragma[noinline]
 private predicate contentReadStep(PathNodeMid mid, Node node, AccessPath ap) {
   exists(Content f, AccessPath ap0 |
     ap0 = mid.getAp() and