From 887452d2027ad5d97f69edf911232d5ec6b32096 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 1 Apr 2025 10:05:02 +0200
Subject: [PATCH 1/3] Swift: Update SSA to reference the new use-use predicates.
---
 swift/ql/lib/codeql/swift/dataflow/Ssa.qll | 12 +++++-------
 .../swift/dataflow/internal/DataFlowPrivate.qll | 6 ++----
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/swift/ql/lib/codeql/swift/dataflow/Ssa.qll b/swift/ql/lib/codeql/swift/dataflow/Ssa.qll
index 94ba657e94d..f052ed8b314 100644
--- a/swift/ql/lib/codeql/swift/dataflow/Ssa.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/Ssa.qll
@@ -151,10 +151,9 @@ module Ssa {
     cached
     ControlFlowNode getAFirstRead() {
-      exists(SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2 |
-        this.definesAt(_, bb1, i1) and
-        SsaImpl::adjacentDefRead(this, bb1, i1, bb2, i2) and
-        result = bb2.getNode(i2)
+      exists(SsaInput::BasicBlock bb, int i |
+        SsaImpl::firstUse(this, bb, i, true) and
+        result = bb.getNode(i)
       )
     }
@@ -162,14 +161,13 @@ module Ssa {
     predicate adjacentReadPair(ControlFlowNode read1, ControlFlowNode read2) {
       exists(SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2 |
         read1 = bb1.getNode(i1) and
-        SsaInput::variableRead(bb1, i1, _, true) and
-        SsaImpl::adjacentDefRead(this, bb1, i1, bb2, i2) and
+        SsaImpl::adjacentUseUse(bb1, i1, bb2, i2, _, true) and
         read2 = bb2.getNode(i2)
       )
     }
     cached
-    predicate lastRefRedef(SsaInput::BasicBlock bb, int i, Definition next) {
+    deprecated predicate lastRefRedef(SsaInput::BasicBlock bb, int i, Definition next) {
       SsaImpl::lastRefRedef(this, bb, i, next)
     }
   }
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
index c84298771fb..4849c5ac235 100644
--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
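Review bot: `deprecated predicate lastRefRedef` gains the deprecation keyword but no QLDoc saying why it is deprecated or what replaces it, so callers only get a bare deprecation warning. The only migration visible in this patch is in DataFlowPrivate.qll, where `localFlowSsaInput` now uses `next.(Ssa::PhiDefinition).getAPhiInput() = def` instead of `lastRefRedef`; a doc line above the `cached` annotation, e.g. `/** DEPRECATED: use `PhiDefinition.getAPhiInput()` to relate a definition to the phi definitions it feeds. */`, would point callers there. Whether the phi-input relation covers every former use of `lastRefRedef` cannot be told from this hunk, so the wording should be checked against the remaining callers before it is committed.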
@@ -111,10 +111,8 @@ private class CaptureNodeImpl extends CaptureNode, NodeImpl {
 }
 private predicate localFlowSsaInput(Node nodeFrom, Ssa::Definition def, Ssa::Definition next) {
-  exists(BasicBlock bb, int i | def.lastRefRedef(bb, i, next) |
-    def.definesAt(_, bb, i) and
-    def = nodeFrom.asDefinition()
-  )
+  next.(Ssa::PhiDefinition).getAPhiInput() = def and
+  def = nodeFrom.asDefinition()
 }
 /** A collection of cached types and predicates to be evaluated in the same stage. */
From 7afcd1bbecf60c6c8bb7af57a31ae760b22f162e Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 1 Apr 2025 11:07:17 +0200
Subject: [PATCH 2/3] Swift: Update test output.
---
 .../ql/test/library-tests/dataflow/dataflow/DataFlow.expected | 3 +++
 .../ql/test/library-tests/dataflow/dataflow/LocalFlow.expected | 2 ++
 swift/ql/test/library-tests/dataflow/dataflow/test.swift | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
index bf6376bb0a1..7ab18dcf818 100644
--- a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
+++ b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
@@ -172,6 +172,7 @@ edges
 | test.swift:6:19:6:26 | call to source() | test.swift:7:15:7:15 | t1 | provenance | |
 | test.swift:6:19:6:26 | call to source() | test.swift:9:15:9:15 | t1 | provenance | |
 | test.swift:6:19:6:26 | call to source() | test.swift:10:15:10:15 | t2 | provenance | |
+| test.swift:6:19:6:26 | call to source() | test.swift:15:15:15:15 | t2 | provenance | |
 | test.swift:25:20:25:27 | call to source() | test.swift:29:18:29:21 | x | provenance | |
 | test.swift:26:26:26:33 | call to source() | test.swift:29:26:29:29 | y | provenance | |
 | test.swift:29:18:29:21 | x | test.swift:30:15:30:15 | x | provenance | |
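Review bot: The new body of `localFlowSsaInput` only holds when `next` is a phi definition, enforced by the inline cast `next.(Ssa::PhiDefinition)`, while the signature still declares `Ssa::Definition next`, so the narrowing is invisible at the call site. If every caller already passes a phi definition, declaring the parameter as `Ssa::PhiDefinition next` states the contract and removes the cast; otherwise a QLDoc above the predicate, e.g. `/** Holds if `nodeFrom` is the SSA definition `def` and `def` is a phi input of `next`; other redefinitions are not related. */`, records that the previous `lastRefRedef`-based relation (presumably any redefinition following the last reference) is intentionally no longer used. The callers lie outside this hunk, so which option applies cannot be decided here.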
@@ -964,6 +965,7 @@ nodes
 | test.swift:7:15:7:15 | t1 | semmle.label | t1 |
 | test.swift:9:15:9:15 | t1 | semmle.label | t1 |
 | test.swift:10:15:10:15 | t2 | semmle.label | t2 |
+| test.swift:15:15:15:15 | t2 | semmle.label | t2 |
 | test.swift:25:20:25:27 | call to source() | semmle.label | call to source() |
 | test.swift:26:26:26:33 | call to source() | semmle.label | call to source() |
 | test.swift:29:18:29:21 | x | semmle.label | x |
@@ -1706,6 +1708,7 @@ subpaths
 | test.swift:7:15:7:15 | t1 | test.swift:6:19:6:26 | call to source() | test.swift:7:15:7:15 | t1 | result |
 | test.swift:9:15:9:15 | t1 | test.swift:6:19:6:26 | call to source() | test.swift:9:15:9:15 | t1 | result |
 | test.swift:10:15:10:15 | t2 | test.swift:6:19:6:26 | call to source() | test.swift:10:15:10:15 | t2 | result |
+| test.swift:15:15:15:15 | t2 | test.swift:6:19:6:26 | call to source() | test.swift:15:15:15:15 | t2 | result |
 | test.swift:30:15:30:15 | x | test.swift:25:20:25:27 | call to source() | test.swift:30:15:30:15 | x | result |
 | test.swift:31:15:31:15 | y | test.swift:26:26:26:33 | call to source() | test.swift:31:15:31:15 | y | result |
 | test.swift:39:15:39:29 | call to callee_source() | test.swift:35:12:35:19 | call to source() | test.swift:39:15:39:29 | call to callee_source() | result |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
index 7ec3f1a5aa4..3132e0aee3a 100644
--- a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
+++ b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
@@ -250,11 +250,13 @@
 | test.swift:7:15:7:15 | [post] t1 | test.swift:8:10:8:10 | t1 |
 | test.swift:7:15:7:15 | t1 | test.swift:8:10:8:10 | t1 |
 | test.swift:8:5:8:10 | SSA def(t2) | test.swift:10:15:10:15 | t2 |
+| test.swift:8:5:8:10 | SSA def(t2) | test.swift:15:5:15:5 | SSA phi(t2) |
 | test.swift:8:10:8:10 | t1 | test.swift:8:5:8:10 | SSA def(t2) |
 | test.swift:8:10:8:10 | t1 | test.swift:9:15:9:15 | t1 |
 | test.swift:9:15:9:15 | [post] t1 | test.swift:11:8:11:8 | t1 |
 | test.swift:9:15:9:15 | t1 | test.swift:11:8:11:8 | t1 |
 | test.swift:12:9:12:14 | SSA def(t2) | test.swift:13:19:13:19 | t2 |
+| test.swift:12:9:12:14 | SSA def(t2) | test.swift:15:5:15:5 | SSA phi(t2) |
 | test.swift:12:14:12:14 | 0 | test.swift:12:9:12:14 | SSA def(t2) |
 | test.swift:15:5:15:5 | SSA phi(t2) | test.swift:15:15:15:15 | t2 |
 | test.swift:17:5:17:10 | SSA def(t1) | test.swift:21:15:21:15 | t1 |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test.swift b/swift/ql/test/library-tests/dataflow/dataflow/test.swift
index 515aa666201..b0f23ccb303 100644
--- a/swift/ql/test/library-tests/dataflow/dataflow/test.swift
+++ b/swift/ql/test/library-tests/dataflow/dataflow/test.swift
@@ -12,7 +12,7 @@ func intraprocedural_with_local_flow() -> Void {
     t2 = 0
     sink(arg: t2)
   }
-  sink(arg: t2) // $ MISSING: flow=6
+  sink(arg: t2) // $ flow=6
   t1 = 0;
   while(false) {
From e1ef56b8bb9242234078c685eff27ab13fc13d78 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 1 Apr 2025 15:23:16 +0200
Subject: [PATCH 3/3] Swift: Fix accidental cartesian product.
---
 swift/ql/lib/codeql/swift/dataflow/Ssa.qll | 1 +
 1 file changed, 1 insertion(+)
diff --git a/swift/ql/lib/codeql/swift/dataflow/Ssa.qll b/swift/ql/lib/codeql/swift/dataflow/Ssa.qll
index f052ed8b314..ed75a06e534 100644
--- a/swift/ql/lib/codeql/swift/dataflow/Ssa.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/Ssa.qll
@@ -159,6 +159,7 @@ module Ssa {
     cached
     predicate adjacentReadPair(ControlFlowNode read1, ControlFlowNode read2) {
+      read1 = this.getARead() and
       exists(SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2 |
         read1 = bb1.getNode(i1) and
         SsaImpl::adjacentUseUse(bb1, i1, bb2, i2, _, true) and