Make varargs extraction more Java-like:

* Extract varargs as if they are ordinary positional arguments * Adapt the QL that distinguishes varargs from ordinary arguments to account for Kotlin's varargs which can occur in the middle of the arg list * Add a test checking dataflow through varargs which doesn't work yet due to array-get and array-set not being extracted as IndexExprs * Extract the special case arrayOf(*x) as a clone call, which is (equivalent to) the Java lowering of that operation
2026-04-28 02:05:14 +02:00 · 2022-02-17 17:31:04 +00:00
parent 7368b49b16
commit 96f3ea460f
15 changed files with 230 additions and 122 deletions
--- a/java/ql/lib/config/semmlecode.dbscheme
+++ b/java/ql/lib/config/semmlecode.dbscheme
@@ -745,11 +745,10 @@ case @expr.kind of
 | 81  = @notinstanceofexpr
 | 82  = @stmtexpr
 | 83  = @stringtemplateexpr
-| 84  = @varargexpr
-| 85  = @notnullexpr
-| 86  = @unsafecoerceexpr
-| 87  = @valueeqexpr
-| 88  = @valueneexpr
+| 84  = @notnullexpr
+| 85  = @unsafecoerceexpr
+| 86  = @valueeqexpr
+| 87  = @valueneexpr
 ;

 /** Holds if this `when` expression was written as an `if` expression. */
--- a/java/ql/lib/semmle/code/java/ControlFlowGraph.qll
+++ b/java/ql/lib/semmle/code/java/ControlFlowGraph.qll
@@ -467,8 +467,6 @@ private module ControlFlowGraphImpl {
      or
      this instanceof StringTemplateExpr
      or
-      this instanceof VarArgExpr
-      or
      this instanceof ClassExpr
      or
      this instanceof RValue
@@ -562,10 +560,6 @@ private module ControlFlowGraphImpl {
        result = e.getComponent(index)
      )
      or
-      exists(VarArgExpr e | e = this |
-        result = e.getComponent(index)
-      )
-      or
      index = 0 and result = this.(ClassExpr).getExpr()
      or
      index = 0 and result = this.(ReturnStmt).getResult()
--- a/java/ql/lib/semmle/code/java/Expr.qll
+++ b/java/ql/lib/semmle/code/java/Expr.qll
@@ -2253,7 +2253,6 @@ class Argument extends Expr {
  predicate isExplicitVarargsArray() {
    exists(Array typ, Parameter p, Type ptyp |
      typ = this.getType() and
-      pos = call.getNumArgument() - 1 and
      call.getCallee().getParameter(pos) = p and
      p.isVarargs() and
      ptyp = p.getType() and
@@ -2275,11 +2274,13 @@ class Argument extends Expr {
   */
  predicate isNthVararg(int arrayindex) {
    not this.isExplicitVarargsArray() and
-    exists(Callable tgt |
+    exists(Callable tgt, Parameter varargsParam, int varargsParamPos |
      call.getCallee() = tgt and
-      tgt.isVarargs() and
-      arrayindex = pos - tgt.getNumberOfParameters() + 1 and
-      arrayindex >= 0
+      tgt.getParameter(varargsParamPos) = varargsParam and
+      varargsParam.isVarargs() and
+      arrayindex = pos - varargsParamPos and
+      arrayindex >= 0 and
+      arrayindex <= (call.getNumArgument() - tgt.getNumberOfParameters())
    )
  }
 }
@@ -2375,29 +2376,6 @@ class StringTemplateExpr extends Expr, @stringtemplateexpr {
  override string getAPrimaryQlClass() { result = "StringTemplateExpr" }
 }

-/**
- * A Kotlin(TODO: Should Java make these too?) vararg expression.
- * This is the argument to a function that corresponds to a `vararg`
- * parameter.
- */
-class VarArgExpr extends Expr, @varargexpr {
-  /**
-   * Gets the `i`th component of this vararg. TODO: Is this always Expr?
-   *
-   * For example, in the string template `"foo${bar}baz"`, the 0th
-   * component is the string literal `"foo"`, the 1st component is
-   * the variable access `bar`, and the 2nd component is the string
-   * literal `"bar"`.
-   */
-  Expr getComponent(int i) { result.isNthChildOf(this, i) }
-
-  override string toString() { result = "..." }
-
-  override string getHalsteadID() { result = "VarArgExpr" }
-
-  override string getAPrimaryQlClass() { result = "VarArgExpr" }
-}
-
 /** A Kotlin not-null expression. For example, `expr!!`. */
 class NotNullExpr extends UnaryExpr, @notnullexpr {
  override string toString() { result = "...!!" }
--- a/java/ql/test/kotlin/library-tests/arrays/arrayCreations.expected
+++ b/java/ql/test/kotlin/library-tests/arrays/arrayCreations.expected
@@ -103,3 +103,13 @@ arrayCreationInit
 | arrayCreations.kt:19:43:19:61 | new Integer[] | arrayCreations.kt:19:43:19:61 | {...} | arrayCreations.kt:19:54:19:54 | 2 | 1 |
 | arrayCreations.kt:19:43:19:61 | new Integer[] | arrayCreations.kt:19:43:19:61 | {...} | arrayCreations.kt:19:57:19:57 | 3 | 2 |
 | arrayCreations.kt:19:43:19:61 | new Integer[] | arrayCreations.kt:19:43:19:61 | {...} | arrayCreations.kt:19:60:19:60 | 4 | 3 |
+cloneCalls
+| arrayCreations.kt:29:18:29:29 | clone(...) | file://:0:0:0:0 | Integer[] |
+| arrayCreations.kt:30:18:30:35 | clone(...) | file://:0:0:0:0 | double[] |
+| arrayCreations.kt:31:18:31:34 | clone(...) | file://:0:0:0:0 | float[] |
+| arrayCreations.kt:32:18:32:33 | clone(...) | file://:0:0:0:0 | long[] |
+| arrayCreations.kt:33:18:33:32 | clone(...) | file://:0:0:0:0 | int[] |
+| arrayCreations.kt:34:18:34:33 | clone(...) | file://:0:0:0:0 | char[] |
+| arrayCreations.kt:35:18:35:34 | clone(...) | file://:0:0:0:0 | short[] |
+| arrayCreations.kt:36:18:36:33 | clone(...) | file://:0:0:0:0 | byte[] |
+| arrayCreations.kt:37:18:37:36 | clone(...) | file://:0:0:0:0 | boolean[] |
--- a/java/ql/test/kotlin/library-tests/arrays/arrayCreations.kt
+++ b/java/ql/test/kotlin/library-tests/arrays/arrayCreations.kt
@@ -25,5 +25,15 @@ class TestArrayCreation {
    val a13 = IntArray(5) { 1 }
    var a14 = IntArray(5) { it * 1 }
    val a15 = Array(4) { IntArray(2) }
+
+    val clone1 = arrayOf(*a1)
+    val clone2 = doubleArrayOf(*a2)
+    val clone3 = floatArrayOf(*a3)
+    val clone4 = longArrayOf(*a4)
+    val clone5 = intArrayOf(*a5)
+    val clone6 = charArrayOf(*a6)
+    val clone7 = shortArrayOf(*a7)
+    val clone8 = byteArrayOf(*a8)
+    val clone9 = booleanArrayOf(*a9)
  }
 }
--- a/java/ql/test/kotlin/library-tests/arrays/arrayCreations.ql
+++ b/java/ql/test/kotlin/library-tests/arrays/arrayCreations.ql
@@ -12,3 +12,7 @@ query predicate arrayCreationInit(ArrayCreationExpr ace, ArrayInit init, Expr e,
  ace.getInit() = init and
  init.getInit(idx) = e
 }
+
+query predicate cloneCalls(MethodAccess ma, Type resultType) {
+  ma.getMethod().getName() = "clone" and resultType = ma.getType()
+}
--- a/java/ql/test/kotlin/library-tests/arrays/test.expected
+++ b/java/ql/test/kotlin/library-tests/arrays/test.expected
@@ -4,9 +4,9 @@ cloneMethods
 | file://:0:0:0:0 | clone | clone() | file://:0:0:0:0 | int[] | file://:0:0:0:0 | int[] | file://:0:0:0:0 | Kotlin nullable FakeKotlinClass |
 | file://:0:0:0:0 | clone | clone() | file://:0:0:0:0 | int[][] | file://:0:0:0:0 | int[][] | file://:0:0:0:0 | Kotlin nullable FakeKotlinClass |
 sourceSignatures
-| arrayCreations.kt:3:1:29:1 | <obinit> | <obinit>() |
-| arrayCreations.kt:3:1:29:1 | TestArrayCreation | TestArrayCreation() |
-| arrayCreations.kt:4:3:28:3 | test1 | test1() |
+| arrayCreations.kt:3:1:39:1 | <obinit> | <obinit>() |
+| arrayCreations.kt:3:1:39:1 | TestArrayCreation | TestArrayCreation() |
+| arrayCreations.kt:4:3:38:3 | test1 | test1() |
 | arrayCreations.kt:22:29:22:33 |  |  |
 | arrayCreations.kt:22:29:22:33 | invoke | invoke(int) |
 | arrayCreations.kt:23:24:23:28 |  |  |
--- a/java/ql/test/kotlin/library-tests/vararg/args.expected
+++ b/java/ql/test/kotlin/library-tests/vararg/args.expected
@@ -1,9 +1,60 @@
-| intList.kt:3:14:3:31 | listOf(...) | 0 | intList.kt:3:21:3:30 | ... |
-| test.kt:12:14:12:31 | listOf(...) | 0 | test.kt:12:21:12:30 | ... |
-| test.kt:13:5:13:34 | funWithOnlyVarArgs(...) | 0 | test.kt:13:24:13:33 | ... |
-| test.kt:14:5:14:50 | funWithArgsAndVarArgs(...) | 0 | test.kt:14:28:14:30 | foo |
-| test.kt:14:5:14:50 | funWithArgsAndVarArgs(...) | 1 | test.kt:14:34:14:37 | true |
-| test.kt:14:5:14:50 | funWithArgsAndVarArgs(...) | 2 | test.kt:14:40:14:49 | ... |
-| test.kt:15:5:15:53 | funWithMiddleVarArgs(...) | 0 | test.kt:15:27:15:29 | foo |
-| test.kt:15:5:15:53 | funWithMiddleVarArgs(...) | 1 | test.kt:15:33:15:42 | ... |
-| test.kt:15:5:15:53 | funWithMiddleVarArgs(...) | 2 | test.kt:15:49:15:52 | true |
+varargsParams
+| test.kt:6:24:6:37 | xs | file://:0:0:0:0 | int[] |
+| test.kt:10:50:10:63 | xs | file://:0:0:0:0 | int[] |
+| test.kt:14:37:14:50 | xs | file://:0:0:0:0 | int[] |
+explicitVarargsArguments
+| test.kt:24:25:24:29 | array | test.kt:24:5:24:30 | funWithOnlyVarArgs(...) |
+| test.kt:25:41:25:45 | array | test.kt:25:5:25:46 | funWithArgsAndVarArgs(...) |
+| test.kt:26:34:26:38 | array | test.kt:26:5:26:49 | funWithMiddleVarArgs(...) |
+implicitVarargsArguments
+| intList.kt:3:21:3:22 | 10 | intList.kt:3:14:3:31 | listOf(...) | 0 |
+| intList.kt:3:25:3:26 | 11 | intList.kt:3:14:3:31 | listOf(...) | 1 |
+| intList.kt:3:29:3:30 | 12 | intList.kt:3:14:3:31 | listOf(...) | 2 |
+| test.kt:19:21:19:22 | 10 | test.kt:19:14:19:31 | listOf(...) | 0 |
+| test.kt:19:25:19:26 | 11 | test.kt:19:14:19:31 | listOf(...) | 1 |
+| test.kt:19:29:19:30 | 12 | test.kt:19:14:19:31 | listOf(...) | 2 |
+| test.kt:21:24:21:25 | 20 | test.kt:21:5:21:34 | funWithOnlyVarArgs(...) | 0 |
+| test.kt:21:28:21:29 | 21 | test.kt:21:5:21:34 | funWithOnlyVarArgs(...) | 1 |
+| test.kt:21:32:21:33 | 22 | test.kt:21:5:21:34 | funWithOnlyVarArgs(...) | 2 |
+| test.kt:22:40:22:41 | 30 | test.kt:22:5:22:50 | funWithArgsAndVarArgs(...) | 0 |
+| test.kt:22:44:22:45 | 31 | test.kt:22:5:22:50 | funWithArgsAndVarArgs(...) | 1 |
+| test.kt:22:48:22:49 | 32 | test.kt:22:5:22:50 | funWithArgsAndVarArgs(...) | 2 |
+| test.kt:23:33:23:34 | 41 | test.kt:23:5:23:53 | funWithMiddleVarArgs(...) | 0 |
+| test.kt:23:37:23:38 | 42 | test.kt:23:5:23:53 | funWithMiddleVarArgs(...) | 1 |
+| test.kt:23:41:23:42 | 43 | test.kt:23:5:23:53 | funWithMiddleVarArgs(...) | 2 |
+#select
+| intList.kt:3:14:3:31 | listOf(...) | 0 | intList.kt:3:21:3:22 | 10 |
+| intList.kt:3:14:3:31 | listOf(...) | 1 | intList.kt:3:25:3:26 | 11 |
+| intList.kt:3:14:3:31 | listOf(...) | 2 | intList.kt:3:29:3:30 | 12 |
+| test.kt:7:5:7:19 | sink(...) | 0 | test.kt:7:10:7:18 | get(...) |
+| test.kt:7:10:7:18 | get(...) | 0 | test.kt:7:13:7:17 | get(...) |
+| test.kt:7:13:7:17 | get(...) | 0 | test.kt:7:16:7:16 | 0 |
+| test.kt:11:5:11:19 | sink(...) | 0 | test.kt:11:10:11:18 | get(...) |
+| test.kt:11:10:11:18 | get(...) | 0 | test.kt:11:13:11:17 | get(...) |
+| test.kt:11:13:11:17 | get(...) | 0 | test.kt:11:16:11:16 | 0 |
+| test.kt:15:5:15:19 | sink(...) | 0 | test.kt:15:10:15:18 | get(...) |
+| test.kt:15:10:15:18 | get(...) | 0 | test.kt:15:13:15:17 | get(...) |
+| test.kt:15:13:15:17 | get(...) | 0 | test.kt:15:16:15:16 | 0 |
+| test.kt:19:14:19:31 | listOf(...) | 0 | test.kt:19:21:19:22 | 10 |
+| test.kt:19:14:19:31 | listOf(...) | 1 | test.kt:19:25:19:26 | 11 |
+| test.kt:19:14:19:31 | listOf(...) | 2 | test.kt:19:29:19:30 | 12 |
+| test.kt:21:5:21:34 | funWithOnlyVarArgs(...) | 0 | test.kt:21:24:21:25 | 20 |
+| test.kt:21:5:21:34 | funWithOnlyVarArgs(...) | 1 | test.kt:21:28:21:29 | 21 |
+| test.kt:21:5:21:34 | funWithOnlyVarArgs(...) | 2 | test.kt:21:32:21:33 | 22 |
+| test.kt:22:5:22:50 | funWithArgsAndVarArgs(...) | 0 | test.kt:22:28:22:30 | foo |
+| test.kt:22:5:22:50 | funWithArgsAndVarArgs(...) | 1 | test.kt:22:34:22:37 | true |
+| test.kt:22:5:22:50 | funWithArgsAndVarArgs(...) | 2 | test.kt:22:40:22:41 | 30 |
+| test.kt:22:5:22:50 | funWithArgsAndVarArgs(...) | 3 | test.kt:22:44:22:45 | 31 |
+| test.kt:22:5:22:50 | funWithArgsAndVarArgs(...) | 4 | test.kt:22:48:22:49 | 32 |
+| test.kt:23:5:23:53 | funWithMiddleVarArgs(...) | 0 | test.kt:23:27:23:29 | foo |
+| test.kt:23:5:23:53 | funWithMiddleVarArgs(...) | 1 | test.kt:23:33:23:34 | 41 |
+| test.kt:23:5:23:53 | funWithMiddleVarArgs(...) | 2 | test.kt:23:37:23:38 | 42 |
+| test.kt:23:5:23:53 | funWithMiddleVarArgs(...) | 3 | test.kt:23:41:23:42 | 43 |
+| test.kt:23:5:23:53 | funWithMiddleVarArgs(...) | 4 | test.kt:23:49:23:52 | true |
+| test.kt:24:5:24:30 | funWithOnlyVarArgs(...) | 0 | test.kt:24:25:24:29 | array |
+| test.kt:25:5:25:46 | funWithArgsAndVarArgs(...) | 0 | test.kt:25:28:25:30 | foo |
+| test.kt:25:5:25:46 | funWithArgsAndVarArgs(...) | 1 | test.kt:25:34:25:37 | true |
+| test.kt:25:5:25:46 | funWithArgsAndVarArgs(...) | 2 | test.kt:25:41:25:45 | array |
+| test.kt:26:5:26:49 | funWithMiddleVarArgs(...) | 0 | test.kt:26:27:26:29 | foo |
+| test.kt:26:5:26:49 | funWithMiddleVarArgs(...) | 1 | test.kt:26:34:26:38 | array |
+| test.kt:26:5:26:49 | funWithMiddleVarArgs(...) | 2 | test.kt:26:45:26:48 | true |
--- a/java/ql/test/kotlin/library-tests/vararg/args.ql
+++ b/java/ql/test/kotlin/library-tests/vararg/args.ql
@@ -1,4 +1,20 @@
 import java

+query predicate varargsParams(Parameter p, Type t) {
+  p.getCallable().fromSource() and
+  p.isVarargs() and
+  t = p.getType()
+}
+
+query predicate explicitVarargsArguments(Argument a, Call c) {
+  a.isExplicitVarargsArray() and
+  a.getCall() = c
+}
+
+query predicate implicitVarargsArguments(Argument a, Call c, int pos) {
+  a.isNthVararg(pos) and
+  a.getCall() = c
+}
+
 from Call c, int i
 select c, i, c.getArgument(i)
--- a/java/ql/test/kotlin/library-tests/vararg/dataflow.expected
+++ b/java/ql/test/kotlin/library-tests/vararg/dataflow.expected
--- a/java/ql/test/kotlin/library-tests/vararg/dataflow.ql
+++ b/java/ql/test/kotlin/library-tests/vararg/dataflow.ql
@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+
+class Config extends DataFlow::Configuration {
+  Config() { this = "varargs-dataflow-test" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(CompileTimeConstantExpr).getEnclosingCallable().fromSource()
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr() = any(MethodAccess ma | ma.getMethod().getName() = "sink").getAnArgument()
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink, Config c
+where c.hasFlow(source, sink)
+select source, sink
--- a/java/ql/test/kotlin/library-tests/vararg/test.kt
+++ b/java/ql/test/kotlin/library-tests/vararg/test.kt
@@ -1,17 +1,27 @@

+fun sink(sunk: Int) {
+    
+}
+
 fun funWithOnlyVarArgs(vararg xs: Int) {
+    sink(xs[xs[0]])
 }

 fun funWithArgsAndVarArgs(x: String, y: Boolean, vararg xs: Int) {
+    sink(xs[xs[0]])
 }

 fun funWithMiddleVarArgs(x: String, vararg xs: Int, y: Boolean) {
+    sink(xs[xs[0]])
 }

 fun myFun() {
    val xs = listOf(10, 11, 12)
+    val array = intArrayOf(100, 101, 102)
    funWithOnlyVarArgs(20, 21, 22)
    funWithArgsAndVarArgs("foo", true, 30, 31, 32)
    funWithMiddleVarArgs("foo", 41, 42, 43, y = true)
+    funWithOnlyVarArgs(*array)
+    funWithArgsAndVarArgs("foo", true, *array)
+    funWithMiddleVarArgs("foo", *array, y = true)
 }
-
--- a/java/ql/test/kotlin/library-tests/vararg/varargs.expected
+++ b/java/ql/test/kotlin/library-tests/vararg/varargs.expected
@@ -1,15 +0,0 @@
-| intList.kt:3:21:3:30 | ... | 0 | intList.kt:3:21:3:22 | 10 |
-| intList.kt:3:21:3:30 | ... | 1 | intList.kt:3:25:3:26 | 11 |
-| intList.kt:3:21:3:30 | ... | 2 | intList.kt:3:29:3:30 | 12 |
-| test.kt:12:21:12:30 | ... | 0 | test.kt:12:21:12:22 | 10 |
-| test.kt:12:21:12:30 | ... | 1 | test.kt:12:25:12:26 | 11 |
-| test.kt:12:21:12:30 | ... | 2 | test.kt:12:29:12:30 | 12 |
-| test.kt:13:24:13:33 | ... | 0 | test.kt:13:24:13:25 | 20 |
-| test.kt:13:24:13:33 | ... | 1 | test.kt:13:28:13:29 | 21 |
-| test.kt:13:24:13:33 | ... | 2 | test.kt:13:32:13:33 | 22 |
-| test.kt:14:40:14:49 | ... | 0 | test.kt:14:40:14:41 | 30 |
-| test.kt:14:40:14:49 | ... | 1 | test.kt:14:44:14:45 | 31 |
-| test.kt:14:40:14:49 | ... | 2 | test.kt:14:48:14:49 | 32 |
-| test.kt:15:33:15:42 | ... | 0 | test.kt:15:33:15:34 | 41 |
-| test.kt:15:33:15:42 | ... | 1 | test.kt:15:37:15:38 | 42 |
-| test.kt:15:33:15:42 | ... | 2 | test.kt:15:41:15:42 | 43 |
--- a/java/ql/test/kotlin/library-tests/vararg/varargs.ql
+++ b/java/ql/test/kotlin/library-tests/vararg/varargs.ql
@@ -1,4 +0,0 @@
-import java
-
-from VarArgExpr vae, int i
-select vae, i, vae.getComponent(i)