Merge pull request #13947 from rdmarsh2/rdmarsh2/swift/dictionary-flow-tuples

Swift: collection/tuple content for dictionary flow

Author: MathiasVP

swift/ql/lib/change-notes/2023-08-11-dictionary-flow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added flow steps through `Dictionary` keys and values.

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -9,6 +9,7 @@ private import codeql.swift.dataflow.FlowSummary as FlowSummary
 private import codeql.swift.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import codeql.swift.frameworks.StandardLibrary.PointerTypes
 private import codeql.swift.frameworks.StandardLibrary.Array
+private import codeql.swift.frameworks.StandardLibrary.Dictionary
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.(NodeImpl).getEnclosingCallable() }
@@ -114,6 +115,9 @@ private module Cached {
           any(ApplyExpr apply).getQualifier(), any(TupleElementExpr te).getSubExpr(),
           any(SubscriptExpr se).getBase()
         ])
+    } or
+    TDictionarySubscriptNode(SubscriptExpr e) {
+      e.getBase().getType().getCanonicalType() instanceof CanonicalDictionaryType
     }
 
   private predicate localSsaFlowStepUseUse(Ssa::Definition def, Node nodeFrom, Node nodeTo) {
@@ -296,6 +300,28 @@ import Cached
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) { n instanceof FlowSummaryNode }
 
+/**
+ * The intermediate node for a dictionary subscript operation `dict[key]`. In a write, this is used
+ * as the destination of the `storeStep`s that add `TupleContent`s and the source of the storeStep
+ * that adds `CollectionContent`. In a read, this is the destination of the `readStep` that pops
+ * `CollectionContent` and the source of the `readStep` that pops `TupleContent[0]`
+ */
+private class DictionarySubscriptNode extends NodeImpl, TDictionarySubscriptNode {
+  SubscriptExpr expr;
+
+  DictionarySubscriptNode() { this = TDictionarySubscriptNode(expr) }
+
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = expr.getEnclosingCallable()
+  }
+
+  override string toStringImpl() { result = "DictionarySubscriptNode" }
+
+  override Location getLocationImpl() { result = expr.getLocation() }
+
+  SubscriptExpr getExpr() { result = expr }
+}
+
 private module ParameterNodes {
   abstract class ParameterNodeImpl extends NodeImpl {
     predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { none() }
@@ -735,6 +761,32 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
     c instanceof OptionalSomeContentSet
   )
   or
+  // assignment to a dictionary value via subscript operator, with intermediate step
+  // `dict[key] = value`
+  exists(AssignExpr assign, SubscriptExpr subscript |
+    subscript = assign.getDest() and
+    (
+      subscript.getArgument(0).getExpr() = node1.asExpr() and
+      node2.(DictionarySubscriptNode).getExpr() = subscript and
+      c.isSingleton(any(Content::TupleContent tc | tc.getIndex() = 0))
+      or
+      assign.getSource() = node1.asExpr() and
+      node2.(DictionarySubscriptNode).getExpr() = subscript and
+      c.isSingleton(any(Content::TupleContent tc | tc.getIndex() = 1))
+      or
+      node1.(DictionarySubscriptNode).getExpr() = subscript and
+      node2.(PostUpdateNode).getPreUpdateNode().asExpr() = subscript.getBase() and
+      c.isSingleton(any(Content::CollectionContent cc))
+    )
+  )
+  or
+  // creation of a dictionary `[key: value, ...]`
+  exists(DictionaryExpr dict |
+    node1.asExpr() = dict.getAnElement() and
+    node2.asExpr() = dict and
+    c.isSingleton(any(Content::CollectionContent cc))
+  )
+  or
   FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(), c,
     node2.(FlowSummaryNode).getSummaryNode())
 }
@@ -826,6 +878,17 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     )
   )
   or
+  // read of a dictionary value via subscript operator
+  exists(SubscriptExpr subscript |
+    subscript.getBase() = node1.asExpr() and
+    node2.(DictionarySubscriptNode).getExpr() = subscript and
+    c.isSingleton(any(Content::CollectionContent cc))
+    or
+    subscript = node2.asExpr() and
+    node1.(DictionarySubscriptNode).getExpr() = subscript and
+    c.isSingleton(any(Content::TupleContent tc | tc.getIndex() = 1))
+  )
+  or
   FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,
     node2.(FlowSummaryNode).getSummaryNode())
 }
@@ -836,7 +899,12 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
  * in `x.f = newValue`.
  */
 predicate clearsContent(Node n, ContentSet c) {
-  n = any(PostUpdateNode pun | storeStep(_, c, pun)).getPreUpdateNode()
+  n = any(PostUpdateNode pun | storeStep(_, c, pun)).getPreUpdateNode() and
+  (
+    c.isSingleton(any(Content::FieldContent fc)) or
+    c.isSingleton(any(Content::TupleContent tc)) or
+    c.isSingleton(any(Content::EnumContent ec))
+  )
 }
 
 /**

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll

@@ -9,7 +9,7 @@ private import codeql.swift.dataflow.ExternalFlow
  * An instance of the `Array` type.
  */
 class ArrayType extends Type {
-  ArrayType() { this.getName().matches("Array<%") or this.getName().matches("[%]") }
+  ArrayType() { this.getCanonicalType().getName().matches("Array<%") }
 }
 
 /**

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Dictionary.qll

@@ -0,0 +1,27 @@
+/**
+ * Provides models for the Swift `Dictionary` class.
+ */
+
+import swift
+private import codeql.swift.dataflow.ExternalFlow
+
+/**
+ * An instance of the `Dictionary` type.
+ */
+class CanonicalDictionaryType extends BoundGenericType {
+  CanonicalDictionaryType() { this.getName().matches("Dictionary<%") }
+}
+
+/**
+ * A model for `Dictionary` and related class members that permit data flow.
+ */
+private class DictionarySummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";Dictionary;true;updateValue(_:forKey:);;;Argument[0];Argument[-1].CollectionElement.TupleElement[1];value",
+        ";Dictionary;true;updateValue(_:forKey:);;;Argument[1];Argument[-1].CollectionElement.TupleElement[0];value",
+        ";Dictionary;true;updateValue(_:forKey:);;;Argument[-1].CollectionElement.TupleElement[1];ReturnValue.OptionalSome;value"
+      ]
+  }
+}