Java/C++/C#: Add field flow support for stores in nested fields.

java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll

@@ -215,12 +215,14 @@ private module ImplCommon {
 
   /*
    * Calculation of `predicate store(Node node1, Content f, Node node2)`:
-   * There are three cases:
+   * There are four cases:
    * - The base case: A direct local assignment given by `storeStep`.
    * - A call to a method or constructor with two arguments, `arg1` and `arg2`,
-   *   such the call has the side-effect `arg2.f = arg1`.
+   *   such that the call has the side-effect `arg2.f = arg1`.
    * - A call to a method that returns an object in which an argument has been
    *   stored.
+   * - A reverse step through a read when the result of the read has been
+   *   stored into. This handles cases like `x.f1.f2 = y`.
    * `storeViaSideEffect` covers the first two cases, and `storeReturn` covers
    * the third case.
    */
@@ -232,7 +234,8 @@ private module ImplCommon {
   cached
   predicate store(Node node1, Content f, Node node2) {
     storeViaSideEffect(node1, f, node2) or
-    storeReturn(node1, f, node2)
+    storeReturn(node1, f, node2) or
+    read(node2.(PostUpdateNode).getPreUpdateNode(), f, node1.(PostUpdateNode).getPreUpdateNode())
   }
 
   private predicate storeViaSideEffect(Node node1, Content f, PostUpdateNode node2) {

java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -20,13 +20,19 @@ private newtype TNode =
   TInstanceParameterNode(Callable c) { exists(c.getBody()) and not c.isStatic() } or
   TImplicitInstanceAccess(InstanceAccessExt ia) { not ia.isExplicit(_) } or
   TMallocNode(ClassInstanceExpr cie) or
-  TExplicitArgPostCall(Expr e) { explicitInstanceArgument(_, e) or e instanceof Argument } or
-  TImplicitArgPostCall(InstanceAccessExt ia) { implicitInstanceArgument(_, ia) } or
-  TExplicitStoreTarget(Expr e) {
-    exists(FieldAccess fa | instanceFieldAssign(_, fa) and e = fa.getQualifier())
+  TExplicitExprPostUpdate(Expr e) {
+    explicitInstanceArgument(_, e)
+    or
+    e instanceof Argument
+    or
+    exists(FieldAccess fa | fa.getField() instanceof InstanceField and e = fa.getQualifier())
   } or
-  TImplicitStoreTarget(InstanceAccessExt ia) {
-    exists(FieldAccess fa | instanceFieldAssign(_, fa) and ia.isImplicitFieldQualifier(fa))
+  TImplicitExprPostUpdate(InstanceAccessExt ia) {
+    implicitInstanceArgument(_, ia)
+    or
+    exists(FieldAccess fa |
+      fa.getField() instanceof InstanceField and ia.isImplicitFieldQualifier(fa)
+    )
   }
 
 /**
@@ -257,23 +263,13 @@ abstract private class ImplicitPostUpdateNode extends PostUpdateNode {
   override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
 }
 
-private class ExplicitArgPostCall extends ImplicitPostUpdateNode, TExplicitArgPostCall {
-  override Node getPreUpdateNode() { this = TExplicitArgPostCall(result.asExpr()) }
+private class ExplicitExprPostUpdate extends ImplicitPostUpdateNode, TExplicitExprPostUpdate {
+  override Node getPreUpdateNode() { this = TExplicitExprPostUpdate(result.asExpr()) }
 }
 
-private class ImplicitArgPostCall extends ImplicitPostUpdateNode, TImplicitArgPostCall {
+private class ImplicitExprPostUpdate extends ImplicitPostUpdateNode, TImplicitExprPostUpdate {
   override Node getPreUpdateNode() {
-    this = TImplicitArgPostCall(result.(ImplicitInstanceAccess).getInstanceAccess())
-  }
-}
-
-private class ExplicitStoreTarget extends ImplicitPostUpdateNode, TExplicitStoreTarget {
-  override Node getPreUpdateNode() { this = TExplicitStoreTarget(result.asExpr()) }
-}
-
-private class ImplicitStoreTarget extends ImplicitPostUpdateNode, TImplicitStoreTarget {
-  override Node getPreUpdateNode() {
-    this = TImplicitStoreTarget(result.(ImplicitInstanceAccess).getInstanceAccess())
+    this = TImplicitExprPostUpdate(result.(ImplicitInstanceAccess).getInstanceAccess())
   }
 }