Merge pull request #16576 from hvitved/csharp/static-field-side-effect

C#: Add support for flow through side-effects on static fields
2026-04-26 17:25:19 +02:00 · 2024-08-13 14:16:28 +02:00
parent aeabee3e34 1bcac50db1
commit 3395dc9e71
4 changed files with 51 additions and 2 deletions
--- a/csharp/ql/lib/change-notes/2024-05-23-static-field-side-effect.md
+++ b/csharp/ql/lib/change-notes/2024-05-23-static-field-side-effect.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -2170,9 +2170,11 @@ predicate jumpStep(Node pred, Node succ) {
    f.getAnAssignedValue() = pred.asExpr() and
    succ = TFlowInsensitiveFieldNode(f)
    or
-    exists(FieldOrPropertyRead fr |
+    exists(FieldOrPropertyRead fr | f.getAnAccess() = fr |
+      fr = pred.(PostUpdateNode).getPreUpdateNode().asExpr() and
+      succ = TFlowInsensitiveFieldNode(f)
+      or
      pred = TFlowInsensitiveFieldNode(f) and
-      f.getAnAccess() = fr and
      fr = succ.asExpr() and
      fr.hasNonlocalValue()
    )
--- a/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected
@@ -1152,6 +1152,16 @@ edges
 | J.cs:125:14:125:14 | access to local variable a : Int32[] [element] : Int32 | J.cs:125:14:125:17 | access to array element : Int32 | provenance |  |
 | J.cs:125:14:125:17 | access to array element : Int32 | J.cs:125:14:125:17 | (...) ... | provenance |  |
 | J.cs:125:14:125:17 | access to array element : Int32 | J.cs:125:14:125:17 | (...) ... | provenance |  |
+| K.cs:7:13:7:13 | access to local variable o : String | K.cs:8:22:8:22 | access to local variable o : String | provenance |  |
+| K.cs:7:13:7:13 | access to local variable o : String | K.cs:8:22:8:22 | access to local variable o : String | provenance |  |
+| K.cs:7:17:7:33 | call to method Source<String> : String | K.cs:7:13:7:13 | access to local variable o : String | provenance |  |
+| K.cs:7:17:7:33 | call to method Source<String> : String | K.cs:7:13:7:13 | access to local variable o : String | provenance |  |
+| K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | provenance |  |
+| K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | provenance |  |
+| K.cs:8:22:8:22 | access to local variable o : String | K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | provenance |  |
+| K.cs:8:22:8:22 | access to local variable o : String | K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | provenance |  |
+| K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | K.cs:13:14:13:23 | access to array element | provenance |  |
+| K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | K.cs:13:14:13:23 | access to array element | provenance |  |
 nodes
 | A.cs:5:13:5:13 | access to local variable c : C | semmle.label | access to local variable c : C |
 | A.cs:5:13:5:13 | access to local variable c : C | semmle.label | access to local variable c : C |
@@ -2393,6 +2403,18 @@ nodes
 | J.cs:125:14:125:17 | (...) ... | semmle.label | (...) ... |
 | J.cs:125:14:125:17 | access to array element : Int32 | semmle.label | access to array element : Int32 |
 | J.cs:125:14:125:17 | access to array element : Int32 | semmle.label | access to array element : Int32 |
+| K.cs:7:13:7:13 | access to local variable o : String | semmle.label | access to local variable o : String |
+| K.cs:7:13:7:13 | access to local variable o : String | semmle.label | access to local variable o : String |
+| K.cs:7:17:7:33 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
+| K.cs:7:17:7:33 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
+| K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | semmle.label | [post] access to field Strings : String[] [element] : String |
+| K.cs:8:9:8:15 | [post] access to field Strings : String[] [element] : String | semmle.label | [post] access to field Strings : String[] [element] : String |
+| K.cs:8:22:8:22 | access to local variable o : String | semmle.label | access to local variable o : String |
+| K.cs:8:22:8:22 | access to local variable o : String | semmle.label | access to local variable o : String |
+| K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | semmle.label | access to field Strings : String[] [element] : String |
+| K.cs:13:14:13:20 | access to field Strings : String[] [element] : String | semmle.label | access to field Strings : String[] [element] : String |
+| K.cs:13:14:13:23 | access to array element | semmle.label | access to array element |
+| K.cs:13:14:13:23 | access to array element | semmle.label | access to array element |
 subpaths
 | A.cs:6:24:6:24 | access to local variable c : C | A.cs:147:32:147:32 | c : C | A.cs:149:20:149:27 | object creation of type B : B [field c] : C | A.cs:6:17:6:25 | call to method Make : B [field c] : C |
 | A.cs:6:24:6:24 | access to local variable c : C | A.cs:147:32:147:32 | c : C | A.cs:149:20:149:27 | object creation of type B : B [field c] : C | A.cs:6:17:6:25 | call to method Make : B [field c] : C |
@@ -2648,3 +2670,5 @@ testFailures
 | J.cs:107:14:107:17 | access to property Y | J.cs:105:32:105:48 | call to method Source<Object> : Object | J.cs:107:14:107:17 | access to property Y | $@ | J.cs:105:32:105:48 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | J.cs:125:14:125:17 | (...) ... | J.cs:119:20:119:34 | call to method Source<Int32> : Int32 | J.cs:125:14:125:17 | (...) ... | $@ | J.cs:119:20:119:34 | call to method Source<Int32> : Int32 | call to method Source<Int32> : Int32 |
 | J.cs:125:14:125:17 | (...) ... | J.cs:119:20:119:34 | call to method Source<Int32> : Int32 | J.cs:125:14:125:17 | (...) ... | $@ | J.cs:119:20:119:34 | call to method Source<Int32> : Int32 | call to method Source<Int32> : Int32 |
+| K.cs:13:14:13:23 | access to array element | K.cs:7:17:7:33 | call to method Source<String> : String | K.cs:13:14:13:23 | access to array element | $@ | K.cs:7:17:7:33 | call to method Source<String> : String | call to method Source<String> : String |
+| K.cs:13:14:13:23 | access to array element | K.cs:7:17:7:33 | call to method Source<String> : String | K.cs:13:14:13:23 | access to array element | $@ | K.cs:7:17:7:33 | call to method Source<String> : String | call to method Source<String> : String |
--- a/csharp/ql/test/library-tests/dataflow/fields/K.cs
+++ b/csharp/ql/test/library-tests/dataflow/fields/K.cs
@@ -0,0 +1,19 @@
+public class K
+{
+    static string[] Strings = new string[10];
+
+    private void M1()
+    {
+        var o = Source<string>(1);
+        Strings[0] = o;
+    }
+
+    private void M2()
+    {
+        Sink(Strings[0]); // $ hasValueFlow=1
+    }
+
+    public static void Sink(object o) { }
+
+    static T Source<T>(object source) => throw null;
+}