mirror of
https://github.com/github/codeql.git
synced 2026-05-16 12:17:07 +02:00
Compare commits
20 Commits
codeql-cli
...
dataflow/l
| Author | SHA1 | Date | |
|---|---|---|---|
|
19119ea0d4 | ||
|
|
134707605b | ||
|
|
1f2cda933d | ||
|
|
5c9e79e947 | ||
|
|
9d6ece1039 | ||
|
|
6ef4aef600 | ||
|
|
9891b412ca | ||
|
|
c71898c265 | ||
|
|
3ae793dd31 | ||
|
|
906a4789f7 | ||
|
|
7265884768 | ||
|
|
333be603d3 | ||
|
|
9907e0d0bf | ||
|
|
6e69b636b9 | ||
|
|
8154500aa5 | ||
|
|
a43b0234b9 | ||
|
|
925fd92485 | ||
|
|
7228766a7c | ||
|
|
15c8968dd4 | ||
|
|
c63283f762 |
@@ -76,7 +76,8 @@ private module Cached {
|
||||
} or
|
||||
TSummaryCall(FlowSummary::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver) {
|
||||
FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
|
||||
}
|
||||
} or
|
||||
TLambdaSynthCall(Node creation) { lambdaCreation(creation, _, _) }
|
||||
|
||||
/** Gets a viable run-time target for the call `call`. */
|
||||
cached
|
||||
@@ -497,6 +498,24 @@ class SummaryCall extends DelegateDataFlowCall, TSummaryCall {
|
||||
override Location getLocation() { result = c.getLocation() }
|
||||
}
|
||||
|
||||
class LambdaSynthCall extends DataFlowCall, TLambdaSynthCall {
|
||||
private NodeImpl creation;
|
||||
|
||||
LambdaSynthCall() { this = TLambdaSynthCall(creation) }
|
||||
|
||||
override DataFlowCallable getARuntimeTarget() { none() }
|
||||
|
||||
override ControlFlow::Nodes::ElementNode getControlFlowNode() { none() }
|
||||
|
||||
override DataFlow::Node getNode() { none() }
|
||||
|
||||
override DataFlowCallable getEnclosingCallable() { result = creation.getEnclosingCallableImpl() }
|
||||
|
||||
override string toString() { result = "[lambda] call to " + creation }
|
||||
|
||||
override Location getLocation() { result = creation.getLocation() }
|
||||
}
|
||||
|
||||
/** A parameter position. */
|
||||
class ParameterPosition extends TParameterPosition {
|
||||
/** Gets the underlying integer position, if any. */
|
||||
|
||||
@@ -126,13 +126,12 @@ private class ExprNodeImpl extends ExprNode, NodeImpl {
|
||||
* Needed for flow through captured variables, where we treat local functions
|
||||
* as if they were lambdas.
|
||||
*/
|
||||
abstract private class LocalFunctionCreationNode extends NodeImpl, TLocalFunctionCreationNode {
|
||||
private class LocalFunctionCreationNode extends NodeImpl, TLocalFunctionCreationNode {
|
||||
ControlFlow::Nodes::ElementNode cfn;
|
||||
LocalFunction function;
|
||||
boolean isPostUpdate;
|
||||
|
||||
LocalFunctionCreationNode() {
|
||||
this = TLocalFunctionCreationNode(cfn, isPostUpdate) and
|
||||
this = TLocalFunctionCreationNode(cfn) and
|
||||
function = cfn.getAstNode().(LocalFunctionStmt).getLocalFunction()
|
||||
}
|
||||
|
||||
@@ -156,10 +155,6 @@ abstract private class LocalFunctionCreationNode extends NodeImpl, TLocalFunctio
|
||||
ControlFlow::Nodes::ElementNode getUnderlyingControlFlowNode() { result = cfn }
|
||||
|
||||
override Location getLocationImpl() { result = cfn.getLocation() }
|
||||
}
|
||||
|
||||
private class LocalFunctionCreationPreNode extends LocalFunctionCreationNode {
|
||||
LocalFunctionCreationPreNode() { isPostUpdate = false }
|
||||
|
||||
override string toStringImpl() { result = cfn.toString() }
|
||||
}
|
||||
@@ -419,17 +414,14 @@ module VariableCapture {
|
||||
result.(Flow::ExprNode).getExpr() =
|
||||
[
|
||||
n.(ExprNode).getControlFlowNode(),
|
||||
n.(LocalFunctionCreationPreNode).getUnderlyingControlFlowNode()
|
||||
n.(LocalFunctionCreationNode).getUnderlyingControlFlowNode()
|
||||
]
|
||||
or
|
||||
result.(Flow::VariableWriteSourceNode).getVariableWrite().getRhs() =
|
||||
n.(ExprNode).getControlFlowNode()
|
||||
or
|
||||
result.(Flow::ExprPostUpdateNode).getExpr() =
|
||||
[
|
||||
n.(PostUpdateNode).getPreUpdateNode().(ExprNode).getControlFlowNode(),
|
||||
n.(LocalFunctionCreationPostUpdateNode).getUnderlyingControlFlowNode()
|
||||
]
|
||||
[n.(PostUpdateNode).getPreUpdateNode().(ExprNode).getControlFlowNode(),]
|
||||
or
|
||||
result.(Flow::ParameterNode).getParameter().getParameterNode() = n
|
||||
or
|
||||
@@ -767,6 +759,8 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
|
||||
VariableCapture::valueStep(nodeFrom, nodeTo)
|
||||
or
|
||||
nodeTo = nodeFrom.(LocalFunctionCreationNode).getAnAccess(true)
|
||||
or
|
||||
delegateCreationStep(nodeFrom, nodeTo)
|
||||
) and
|
||||
model = ""
|
||||
or
|
||||
@@ -1073,7 +1067,7 @@ private module Cached {
|
||||
l = c.getARelevantLocation()
|
||||
} or
|
||||
TDelegateSelfReferenceNode(Callable c) { lambdaCreationExpr(_, c) } or
|
||||
TLocalFunctionCreationNode(ControlFlow::Nodes::ElementNode cfn, Boolean isPostUpdate) {
|
||||
TLocalFunctionCreationNode(ControlFlow::Nodes::ElementNode cfn) {
|
||||
cfn.getAstNode() instanceof LocalFunctionStmt
|
||||
} or
|
||||
TYieldReturnNode(ControlFlow::Nodes::ElementNode cfn) {
|
||||
@@ -1150,13 +1144,22 @@ private module Cached {
|
||||
TCapturedVariableContent(VariableCapture::CapturedVariable v) or
|
||||
TDelegateCallArgumentContent(int i) {
|
||||
i = [0 .. max(any(DelegateLikeCall dc).getNumberOfArguments()) - 1]
|
||||
or
|
||||
i in [0 .. 1000] // todo
|
||||
or
|
||||
// exists(ArgumentPosition apos |
|
||||
// FlowSummaryImpl::Private::summaryArgumentNode(_, _, apos) and
|
||||
// i = apos.getPosition()
|
||||
// )
|
||||
i = -1
|
||||
} or
|
||||
TDelegateCallReturnContent()
|
||||
|
||||
cached
|
||||
newtype TContentSet =
|
||||
TSingletonContent(Content c) { not c instanceof PropertyContent } or
|
||||
TPropertyContentSet(Property p) { p.isUnboundDeclaration() }
|
||||
TPropertyContentSet(Property p) { p.isUnboundDeclaration() } or
|
||||
TVariableCaptureContentSet()
|
||||
|
||||
cached
|
||||
newtype TContentApprox =
|
||||
@@ -2600,7 +2603,7 @@ DataFlowType getNodeType(Node n) {
|
||||
or
|
||||
[
|
||||
n.asExpr().(ControlFlowElement),
|
||||
n.(LocalFunctionCreationPreNode).getUnderlyingControlFlowNode().getAstNode()
|
||||
n.(LocalFunctionCreationNode).getUnderlyingControlFlowNode().getAstNode()
|
||||
] = result.getADelegateCreation()
|
||||
}
|
||||
|
||||
@@ -2835,16 +2838,6 @@ module PostUpdateNodes {
|
||||
override string toStringImpl() { result = "[post] this" }
|
||||
}
|
||||
|
||||
class LocalFunctionCreationPostUpdateNode extends LocalFunctionCreationNode, PostUpdateNode {
|
||||
LocalFunctionCreationPostUpdateNode() { isPostUpdate = true }
|
||||
|
||||
override LocalFunctionCreationPreNode getPreUpdateNode() {
|
||||
result = TLocalFunctionCreationNode(cfn, false)
|
||||
}
|
||||
|
||||
override string toStringImpl() { result = "[post] " + cfn }
|
||||
}
|
||||
|
||||
private class CapturePostUpdateNode extends PostUpdateNode, CaptureNode {
|
||||
private CaptureNode pre;
|
||||
|
||||
@@ -2908,7 +2901,11 @@ int accessPathLimit() { result = 5 }
|
||||
* Holds if access paths with `c` at their head always should be tracked at high
|
||||
* precision. This disables adaptive access path precision for such access paths.
|
||||
*/
|
||||
predicate forceHighPrecision(Content c) { c instanceof ElementContent }
|
||||
predicate forceHighPrecision(Content c) {
|
||||
c instanceof ElementContent or
|
||||
c instanceof DelegateCallArgumentContent or
|
||||
c instanceof DelegateCallReturnContent
|
||||
}
|
||||
|
||||
private predicate lambdaCreationExpr(ControlFlowElement creation, Callable c) {
|
||||
c =
|
||||
@@ -2924,10 +2921,42 @@ class LambdaCallKind = Unit;
|
||||
|
||||
/** Holds if `creation` is an expression that creates a delegate for `c`. */
|
||||
predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
|
||||
lambdaCreationExpr(creation.asExpr(), c.asCallable(_)) and
|
||||
(
|
||||
lambdaCreationExpr(creation.asExpr(), c.asCallable(_))
|
||||
or
|
||||
creation.(LocalFunctionCreationNode).getFunction() = c.asCallable(_)
|
||||
) and
|
||||
exists(kind)
|
||||
}
|
||||
|
||||
/** Holds if `creation` is an expression that creates a delegate for `c`. */
|
||||
predicate lambdaCreation(
|
||||
Node creation, LambdaCallKind kind, DataFlowCallable c, DataFlowCall synthCall
|
||||
) {
|
||||
lambdaCreation(creation, kind, c) and
|
||||
synthCall = TLambdaSynthCall(creation)
|
||||
}
|
||||
|
||||
Content getLambdaReturnContent(LambdaCallKind kind, ReturnKind rk) {
|
||||
result = TDelegateCallReturnContent() and
|
||||
exists(kind) and
|
||||
rk = TNormalReturnKind()
|
||||
}
|
||||
|
||||
Content getLambdaArgumentContent(LambdaCallKind kind, ArgumentPosition pos) {
|
||||
(
|
||||
result = TDelegateCallArgumentContent(pos.getPosition())
|
||||
or
|
||||
result = TDelegateCallArgumentContent(-1) and
|
||||
pos.isDelegateSelf()
|
||||
) and
|
||||
exists(kind)
|
||||
}
|
||||
|
||||
predicate isLambdaInstanceParameter(ParameterNode p) { p instanceof DelegateSelfReferenceNode }
|
||||
|
||||
predicate isVariableCaptureContentSet(ContentSet c) { c.isCapturedVariable() }
|
||||
|
||||
private predicate isLocalFunctionCallReceiver(
|
||||
LocalFunctionCall call, LocalFunctionAccess receiver, LocalFunction f
|
||||
) {
|
||||
@@ -2973,9 +3002,7 @@ private predicate lambdaCallExpr(DataFlowCall call, ControlFlow::Node receiver)
|
||||
/** Holds if `call` is a lambda call where `receiver` is the lambda expression. */
|
||||
predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
|
||||
(
|
||||
lambdaCallExpr(call, receiver.(ExprNode).getControlFlowNode()) and
|
||||
// local function calls can be resolved directly without a flow analysis
|
||||
not call.getControlFlowNode().getAstNode() instanceof LocalFunctionCall
|
||||
lambdaCallExpr(call, receiver.(ExprNode).getControlFlowNode()) //and
|
||||
or
|
||||
receiver.(FlowSummaryNode).getSummaryNode() = call.(SummaryCall).getReceiver()
|
||||
) and
|
||||
@@ -3052,6 +3079,8 @@ predicate allowParameterReturnInSelf(ParameterNode p) {
|
||||
or
|
||||
VariableCapture::Flow::heuristicAllowInstanceParameterReturnInSelf(p.(DelegateSelfReferenceNode)
|
||||
.getCallable())
|
||||
or
|
||||
p.getType() instanceof SystemLinqExpressions::DelegateExtType
|
||||
}
|
||||
|
||||
/** An approximated `Content`. */
|
||||
|
||||
@@ -3,7 +3,6 @@ private import DataFlowDispatch
|
||||
private import DataFlowPrivate
|
||||
private import semmle.code.csharp.controlflow.Guards
|
||||
private import semmle.code.csharp.Unification
|
||||
private import semmle.code.csharp.frameworks.system.linq.Expressions
|
||||
|
||||
/**
|
||||
* An element, viewed as a node in a data flow graph. Either an expression
|
||||
@@ -324,6 +323,8 @@ class ContentSet extends TContentSet {
|
||||
*/
|
||||
predicate isProperty(Property p) { this = TPropertyContentSet(p) }
|
||||
|
||||
predicate isCapturedVariable() { this = TVariableCaptureContentSet() }
|
||||
|
||||
/**
|
||||
* Holds if this content set represents the `i`th argument of a delegate call.
|
||||
*/
|
||||
@@ -362,6 +363,9 @@ class ContentSet extends TContentSet {
|
||||
or
|
||||
overridesOrImplementsSourceDecl(p1, p2)
|
||||
)
|
||||
or
|
||||
this.isCapturedVariable() and
|
||||
result instanceof CapturedVariableContent
|
||||
}
|
||||
|
||||
/** Gets a textual representation of this content set. */
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
|
||||
private import csharp
|
||||
private import semmle.code.csharp.commons.QualifiedName
|
||||
private import semmle.code.csharp.frameworks.system.linq.Expressions
|
||||
private import codeql.dataflow.internal.FlowSummaryImpl
|
||||
private import codeql.dataflow.internal.AccessPathSyntax as AccessPath
|
||||
private import DataFlowImplSpecific as DataFlowImplSpecific
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
| lambdas.cs:8:9:8:13 | delegate call | lambdas.cs:7:23:7:23 | x | lambdas.cs:8:12:8:12 | 1 |
|
||||
| lambdas.cs:11:9:11:16 | delegate call | lambdas.cs:10:23:10:23 | x | lambdas.cs:11:12:11:12 | 2 |
|
||||
| lambdas.cs:11:9:11:16 | delegate call | lambdas.cs:10:30:10:30 | y | lambdas.cs:11:15:11:15 | 3 |
|
||||
| lambdas.cs:12:9:12:13 | delegate call | lambdas.cs:10:23:10:23 | x | lambdas.cs:12:12:12:12 | 4 |
|
||||
| lambdas.cs:13:9:13:16 | delegate call | lambdas.cs:10:23:10:23 | x | lambdas.cs:13:12:13:12 | 5 |
|
||||
| lambdas.cs:13:9:13:16 | delegate call | lambdas.cs:10:30:10:30 | y | lambdas.cs:13:15:13:15 | 6 |
|
||||
| lambdas.cs:17:9:17:19 | delegate call | lambdas.cs:15:32:15:32 | x | lambdas.cs:17:12:17:12 | 7 |
|
||||
| lambdas.cs:17:9:17:19 | delegate call | lambdas.cs:15:32:15:32 | x | lambdas.cs:17:15:17:15 | 8 |
|
||||
| lambdas.cs:17:9:17:19 | delegate call | lambdas.cs:15:32:15:32 | x | lambdas.cs:17:18:17:18 | 9 |
|
||||
| lambdas.cs:25:9:25:23 | delegate call | lambdas.cs:24:31:24:31 | x | lambdas.cs:25:22:25:22 | 5 |
|
||||
| lambdas.cs:25:9:25:23 | delegate call | lambdas.cs:24:38:24:38 | y | lambdas.cs:25:16:25:16 | 4 |
|
||||
|
||||
@@ -18,11 +18,21 @@ edges
|
||||
| CSharp7.cs:175:16:175:18 | access to local variable src : String | CSharp7.cs:181:23:181:25 | access to local variable src : String | provenance | |
|
||||
| CSharp7.cs:175:16:175:18 | access to local variable src : String | CSharp7.cs:182:23:182:25 | access to local variable src : String | provenance | |
|
||||
| CSharp7.cs:175:22:175:30 | "tainted" : String | CSharp7.cs:175:16:175:18 | access to local variable src : String | provenance | |
|
||||
| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | provenance | |
|
||||
| CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | provenance | |
|
||||
| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:25:177:25 | s : String | provenance | |
|
||||
| CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | CSharp7.cs:181:21:181:26 | call to local function g | provenance | |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | provenance | |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | provenance | |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:26 | call to local function g | provenance | |
|
||||
| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:25:178:25 | s : String | provenance | |
|
||||
| CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | CSharp7.cs:182:21:182:26 | call to local function h | provenance | |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | provenance | |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | provenance | |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:26 | call to local function h | provenance | |
|
||||
nodes
|
||||
| CSharp7.cs:39:9:39:9 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
@@ -47,18 +57,26 @@ nodes
|
||||
| CSharp7.cs:175:16:175:18 | access to local variable src : String | semmle.label | access to local variable src : String |
|
||||
| CSharp7.cs:175:22:175:30 | "tainted" | semmle.label | "tainted" |
|
||||
| CSharp7.cs:175:22:175:30 | "tainted" : String | semmle.label | "tainted" : String |
|
||||
| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | semmle.label | g(...) : g [delegate return] : String |
|
||||
| CSharp7.cs:177:25:177:25 | s : String | semmle.label | s : String |
|
||||
| CSharp7.cs:177:31:177:31 | access to parameter s : String | semmle.label | access to parameter s : String |
|
||||
| CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | semmle.label | h(...) : h [delegate return] : String |
|
||||
| CSharp7.cs:178:25:178:25 | s : String | semmle.label | s : String |
|
||||
| CSharp7.cs:178:37:178:37 | access to parameter s : String | semmle.label | access to parameter s : String |
|
||||
| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | semmle.label | [post] access to local function g : null [delegate argument at position 0] : String |
|
||||
| CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | semmle.label | access to local function g : g [delegate return] : String |
|
||||
| CSharp7.cs:181:21:181:26 | call to local function g | semmle.label | call to local function g |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | semmle.label | access to local variable src : String |
|
||||
| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | semmle.label | [post] access to local function h : null [delegate argument at position 0] : String |
|
||||
| CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | semmle.label | access to local function h : h [delegate return] : String |
|
||||
| CSharp7.cs:182:21:182:26 | call to local function h | semmle.label | call to local function h |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | semmle.label | access to local variable src : String |
|
||||
subpaths
|
||||
| CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:42:19:42:19 | x : String | CSharp7.cs:44:9:44:9 | access to parameter y : String | CSharp7.cs:55:30:55:31 | String t4 : String |
|
||||
| CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:80:21:80:21 | x : String | CSharp7.cs:82:16:82:26 | access to field Item1 : String | CSharp7.cs:90:18:90:28 | call to method I |
|
||||
| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:181:21:181:26 | call to local function g |
|
||||
| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:182:21:182:26 | call to local function h |
|
||||
#select
|
||||
| CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:51:18:51:19 | access to local variable t1 | $@ | CSharp7.cs:51:18:51:19 | access to local variable t1 | access to local variable t1 |
|
||||
|
||||
@@ -19,17 +19,37 @@ edges
|
||||
| CSharp7.cs:175:16:175:18 | access to local variable src : String | CSharp7.cs:181:23:181:25 | access to local variable src : String | provenance | |
|
||||
| CSharp7.cs:175:16:175:18 | access to local variable src : String | CSharp7.cs:182:23:182:25 | access to local variable src : String | provenance | |
|
||||
| CSharp7.cs:175:22:175:30 | "tainted" : String | CSharp7.cs:175:16:175:18 | access to local variable src : String | provenance | |
|
||||
| CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String | CSharp7.cs:180:21:180:21 | access to local function f : f [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:176:25:176:25 | s : String | CSharp7.cs:176:33:176:33 | access to parameter s : String | provenance | |
|
||||
| CSharp7.cs:176:31:176:31 | access to local function g : g [delegate return] : String | CSharp7.cs:176:31:176:34 | call to local function g : String | provenance | |
|
||||
| CSharp7.cs:176:31:176:34 | call to local function g : String | CSharp7.cs:176:31:176:39 | ... + ... : String | provenance | |
|
||||
| CSharp7.cs:176:31:176:34 | call to local function g : String | CSharp7.cs:176:31:176:39 | ... + ... : String | provenance | |
|
||||
| CSharp7.cs:176:31:176:39 | ... + ... : String | CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:176:31:176:39 | ... + ... : String | CSharp7.cs:180:21:180:26 | call to local function f | provenance | |
|
||||
| CSharp7.cs:176:33:176:33 | access to parameter s : String | CSharp7.cs:176:31:176:34 | call to local function g : String | provenance | |
|
||||
| CSharp7.cs:176:33:176:33 | access to parameter s : String | CSharp7.cs:177:25:177:25 | s : String | provenance | |
|
||||
| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | CSharp7.cs:176:31:176:31 | access to local function g : g [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | provenance | |
|
||||
| CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | provenance | |
|
||||
| CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | CSharp7.cs:176:25:176:25 | s : String | provenance | |
|
||||
| CSharp7.cs:180:21:180:21 | access to local function f : f [delegate return] : String | CSharp7.cs:180:21:180:26 | call to local function f | provenance | |
|
||||
| CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:176:25:176:25 | s : String | provenance | |
|
||||
| CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | provenance | |
|
||||
| CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:180:21:180:26 | call to local function f | provenance | |
|
||||
| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:25:177:25 | s : String | provenance | |
|
||||
| CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | CSharp7.cs:181:21:181:26 | call to local function g | provenance | |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | provenance | |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | provenance | |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:181:21:181:26 | call to local function g | provenance | |
|
||||
| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | provenance | |
|
||||
| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:25:178:25 | s : String | provenance | |
|
||||
| CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | CSharp7.cs:182:21:182:26 | call to local function h | provenance | |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | provenance | |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | provenance | |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:182:21:182:26 | call to local function h | provenance | |
|
||||
nodes
|
||||
| CSharp7.cs:39:9:39:9 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
@@ -54,26 +74,41 @@ nodes
|
||||
| CSharp7.cs:175:16:175:18 | access to local variable src : String | semmle.label | access to local variable src : String |
|
||||
| CSharp7.cs:175:22:175:30 | "tainted" | semmle.label | "tainted" |
|
||||
| CSharp7.cs:175:22:175:30 | "tainted" : String | semmle.label | "tainted" : String |
|
||||
| CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String | semmle.label | f(...) : f [delegate return] : String |
|
||||
| CSharp7.cs:176:25:176:25 | s : String | semmle.label | s : String |
|
||||
| CSharp7.cs:176:31:176:31 | access to local function g : g [delegate return] : String | semmle.label | access to local function g : g [delegate return] : String |
|
||||
| CSharp7.cs:176:31:176:34 | call to local function g : String | semmle.label | call to local function g : String |
|
||||
| CSharp7.cs:176:31:176:34 | call to local function g : String | semmle.label | call to local function g : String |
|
||||
| CSharp7.cs:176:31:176:39 | ... + ... : String | semmle.label | ... + ... : String |
|
||||
| CSharp7.cs:176:31:176:39 | ... + ... : String | semmle.label | ... + ... : String |
|
||||
| CSharp7.cs:176:33:176:33 | access to parameter s : String | semmle.label | access to parameter s : String |
|
||||
| CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String | semmle.label | g(...) : g [delegate return] : String |
|
||||
| CSharp7.cs:177:25:177:25 | s : String | semmle.label | s : String |
|
||||
| CSharp7.cs:177:31:177:31 | access to parameter s : String | semmle.label | access to parameter s : String |
|
||||
| CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String | semmle.label | h(...) : h [delegate return] : String |
|
||||
| CSharp7.cs:178:25:178:25 | s : String | semmle.label | s : String |
|
||||
| CSharp7.cs:178:37:178:37 | access to parameter s : String | semmle.label | access to parameter s : String |
|
||||
| CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | semmle.label | [post] access to local function f : null [delegate argument at position 0] : String |
|
||||
| CSharp7.cs:180:21:180:21 | access to local function f : f [delegate return] : String | semmle.label | access to local function f : f [delegate return] : String |
|
||||
| CSharp7.cs:180:21:180:26 | call to local function f | semmle.label | call to local function f |
|
||||
| CSharp7.cs:180:23:180:25 | access to local variable src : String | semmle.label | access to local variable src : String |
|
||||
| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | semmle.label | [post] access to local function g : null [delegate argument at position 0] : String |
|
||||
| CSharp7.cs:181:21:181:21 | access to local function g : g [delegate return] : String | semmle.label | access to local function g : g [delegate return] : String |
|
||||
| CSharp7.cs:181:21:181:26 | call to local function g | semmle.label | call to local function g |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | semmle.label | access to local variable src : String |
|
||||
| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | semmle.label | [post] access to local function h : null [delegate argument at position 0] : String |
|
||||
| CSharp7.cs:182:21:182:21 | access to local function h : h [delegate return] : String | semmle.label | access to local function h : h [delegate return] : String |
|
||||
| CSharp7.cs:182:21:182:26 | call to local function h | semmle.label | call to local function h |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | semmle.label | access to local variable src : String |
|
||||
subpaths
|
||||
| CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:42:19:42:19 | x : String | CSharp7.cs:44:9:44:9 | access to parameter y : String | CSharp7.cs:55:30:55:31 | String t4 : String |
|
||||
| CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:80:21:80:21 | x : String | CSharp7.cs:82:16:82:26 | access to field Item1 : String | CSharp7.cs:90:18:90:28 | call to method I |
|
||||
| CSharp7.cs:176:33:176:33 | access to parameter s : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:176:31:176:34 | call to local function g : String |
|
||||
| CSharp7.cs:180:21:180:21 | [post] access to local function f : null [delegate argument at position 0] : String | CSharp7.cs:176:25:176:25 | s : String | CSharp7.cs:176:31:176:39 | ... + ... : String | CSharp7.cs:176:9:176:40 | f(...) : f [delegate return] : String |
|
||||
| CSharp7.cs:180:23:180:25 | access to local variable src : String | CSharp7.cs:176:25:176:25 | s : String | CSharp7.cs:176:31:176:39 | ... + ... : String | CSharp7.cs:180:21:180:26 | call to local function f |
|
||||
| CSharp7.cs:181:21:181:21 | [post] access to local function g : null [delegate argument at position 0] : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:177:9:177:32 | g(...) : g [delegate return] : String |
|
||||
| CSharp7.cs:181:23:181:25 | access to local variable src : String | CSharp7.cs:177:25:177:25 | s : String | CSharp7.cs:177:31:177:31 | access to parameter s : String | CSharp7.cs:181:21:181:26 | call to local function g |
|
||||
| CSharp7.cs:182:21:182:21 | [post] access to local function h : null [delegate argument at position 0] : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:178:9:178:40 | h(...) : h [delegate return] : String |
|
||||
| CSharp7.cs:182:23:182:25 | access to local variable src : String | CSharp7.cs:178:25:178:25 | s : String | CSharp7.cs:178:37:178:37 | access to parameter s : String | CSharp7.cs:182:21:182:26 | call to local function h |
|
||||
#select
|
||||
| CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:39:13:39:21 | "tainted" : String | CSharp7.cs:51:18:51:19 | access to local variable t1 | $@ | CSharp7.cs:51:18:51:19 | access to local variable t1 | access to local variable t1 |
|
||||
|
||||
@@ -13,9 +13,6 @@
|
||||
| CallableReturnsArg.cs:71:31:71:36 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:76:33:76:38 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:81:22:81:27 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:90:21:90:35 | ApplyWrapper`1 | 2 | -1 |
|
||||
| CallableReturnsArg.cs:95:26:95:46 | ApplyNonPreservingFP1 | 0 | -1 |
|
||||
| CallableReturnsArg.cs:97:40:97:45 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:100:26:100:46 | ApplyNonPreservingFP2 | 0 | -1 |
|
||||
| CallableReturnsArg.cs:102:29:102:34 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:112:26:112:40 | ReturnNoBarrier | 0 | -1 |
|
||||
|
||||
@@ -17,9 +17,6 @@
|
||||
| CallableReturnsArg.cs:71:31:71:36 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:76:33:76:38 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:81:22:81:27 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:90:21:90:35 | ApplyWrapper`1 | 2 | -1 |
|
||||
| CallableReturnsArg.cs:95:26:95:46 | ApplyNonPreservingFP1 | 0 | -1 |
|
||||
| CallableReturnsArg.cs:97:40:97:45 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:100:26:100:46 | ApplyNonPreservingFP2 | 0 | -1 |
|
||||
| CallableReturnsArg.cs:102:29:102:34 | (...) => ... | 0 | -1 |
|
||||
| CallableReturnsArg.cs:112:26:112:40 | ReturnNoBarrier | 0 | -1 |
|
||||
|
||||
@@ -249,8 +249,9 @@ edges
|
||||
| CollectionFlow.cs:308:9:308:12 | [post] access to local variable list : List<T> [element, property Key] : A | CollectionFlow.cs:309:9:309:12 | access to local variable list : List<T> [element, property Key] : A | provenance | |
|
||||
| CollectionFlow.cs:308:18:308:47 | object creation of type KeyValuePair<A,Int32> : KeyValuePair<T,T> [property Key] : A | CollectionFlow.cs:308:9:308:12 | [post] access to local variable list : List<T> [element, property Key] : A | provenance | MaD:3 |
|
||||
| CollectionFlow.cs:308:43:308:43 | access to local variable a : A | CollectionFlow.cs:308:18:308:47 | object creation of type KeyValuePair<A,Int32> : KeyValuePair<T,T> [property Key] : A | provenance | MaD:13 |
|
||||
| CollectionFlow.cs:309:9:309:12 | access to local variable list : List<T> [element, property Key] : A | CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair<T,T> [property Key] : A | provenance | MaD:18 |
|
||||
| CollectionFlow.cs:309:9:309:12 | access to local variable list : List<T> [element, property Key] : A | CollectionFlow.cs:309:21:313:9 | [post] (...) => ... : Func<T,T> [delegate argument at position 0, property Key] : A | provenance | MaD:18 |
|
||||
| CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair<T,T> [property Key] : A | CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair<T,T> [property Key] : A | provenance | |
|
||||
| CollectionFlow.cs:309:21:313:9 | [post] (...) => ... : Func<T,T> [delegate argument at position 0, property Key] : A | CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair<T,T> [property Key] : A | provenance | |
|
||||
| CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair<T,T> [property Key] : A | CollectionFlow.cs:311:18:311:24 | access to property Key | provenance | |
|
||||
| CollectionFlow.cs:328:32:328:38 | element : A | CollectionFlow.cs:328:55:328:61 | access to parameter element : A | provenance | |
|
||||
| CollectionFlow.cs:328:44:328:48 | [post] access to parameter array : A[] [element] : A | CollectionFlow.cs:328:23:328:27 | array [Return] : A[] [element] : A | provenance | |
|
||||
@@ -560,6 +561,7 @@ nodes
|
||||
| CollectionFlow.cs:308:43:308:43 | access to local variable a : A | semmle.label | access to local variable a : A |
|
||||
| CollectionFlow.cs:309:9:309:12 | access to local variable list : List<T> [element, property Key] : A | semmle.label | access to local variable list : List<T> [element, property Key] : A |
|
||||
| CollectionFlow.cs:309:21:309:23 | kvp : KeyValuePair<T,T> [property Key] : A | semmle.label | kvp : KeyValuePair<T,T> [property Key] : A |
|
||||
| CollectionFlow.cs:309:21:313:9 | [post] (...) => ... : Func<T,T> [delegate argument at position 0, property Key] : A | semmle.label | [post] (...) => ... : Func<T,T> [delegate argument at position 0, property Key] : A |
|
||||
| CollectionFlow.cs:311:18:311:20 | access to parameter kvp : KeyValuePair<T,T> [property Key] : A | semmle.label | access to parameter kvp : KeyValuePair<T,T> [property Key] : A |
|
||||
| CollectionFlow.cs:311:18:311:24 | access to property Key | semmle.label | access to property Key |
|
||||
| CollectionFlow.cs:328:23:328:27 | array [Return] : A[] [element] : A | semmle.label | array [Return] : A[] [element] : A |
|
||||
|
||||
@@ -1,63 +1,2 @@
|
||||
delegateCall
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:5:10:5:11 | M1 |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:16:12:16:19 | (...) => ... |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:27:12:27:19 | (...) => ... |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:98:9:98:37 | LocalFunction |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:119:18:119:27 | (...) => ... |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:125:15:125:24 | (...) => ... |
|
||||
| DelegateFlow.cs:11:9:11:12 | delegate call | DelegateFlow.cs:10:13:10:20 | (...) => ... |
|
||||
| DelegateFlow.cs:33:9:33:13 | delegate call | DelegateFlow.cs:38:12:38:25 | (...) => ... |
|
||||
| DelegateFlow.cs:38:19:38:22 | delegate call | DelegateFlow.cs:5:10:5:11 | M1 |
|
||||
| DelegateFlow.cs:44:15:44:22 | delegate call | DelegateFlow.cs:43:22:43:29 | (...) => ... |
|
||||
| DelegateFlow.cs:57:9:57:11 | delegate call | DelegateFlow.cs:53:34:53:47 | (...) => ... |
|
||||
| DelegateFlow.cs:57:9:57:14 | delegate call | DelegateFlow.cs:53:40:53:47 | (...) => ... |
|
||||
| DelegateFlow.cs:67:9:67:16 | delegate call | DelegateFlow.cs:62:16:62:23 | (...) => ... |
|
||||
| DelegateFlow.cs:77:9:77:15 | delegate call | DelegateFlow.cs:55:10:55:11 | M9 |
|
||||
| DelegateFlow.cs:77:9:77:15 | delegate call | DelegateFlow.cs:65:10:65:12 | M11 |
|
||||
| DelegateFlow.cs:84:9:84:15 | delegate call | DelegateFlow.cs:55:10:55:11 | M9 |
|
||||
| DelegateFlow.cs:84:9:84:15 | delegate call | DelegateFlow.cs:65:10:65:12 | M11 |
|
||||
| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:55:10:55:11 | M9 |
|
||||
| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:65:10:65:12 | M11 |
|
||||
| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:74:17:74:19 | M12 |
|
||||
| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:93:13:93:21 | (...) => ... |
|
||||
| DelegateFlow.cs:114:9:114:16 | function pointer call | DelegateFlow.cs:7:17:7:18 | M2 |
|
||||
| DelegateFlow.cs:125:9:125:25 | function pointer call | DelegateFlow.cs:7:17:7:18 | M2 |
|
||||
| DelegateFlow.cs:132:9:132:11 | delegate call | DelegateFlow.cs:131:17:131:25 | (...) => ... |
|
||||
| DelegateFlow.cs:132:9:132:11 | delegate call | DelegateFlow.cs:135:29:135:37 | (...) => ... |
|
||||
| DelegateFlow.cs:153:9:153:21 | delegate call | DelegateFlow.cs:149:13:149:20 | (...) => ... |
|
||||
| DelegateFlow.cs:154:9:154:21 | delegate call | DelegateFlow.cs:150:13:150:20 | (...) => ... |
|
||||
| DelegateFlow.cs:155:9:155:16 | delegate call | DelegateFlow.cs:149:13:149:20 | (...) => ... |
|
||||
| DelegateFlow.cs:156:9:156:16 | delegate call | DelegateFlow.cs:150:13:150:20 | (...) => ... |
|
||||
viableLambda
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:16:9:16:20 | call to method M2 | DelegateFlow.cs:16:12:16:19 | (...) => ... |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:17:9:17:14 | call to method M2 | DelegateFlow.cs:5:10:5:11 | M1 |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:22:9:22:13 | call to method M2 | DelegateFlow.cs:5:10:5:11 | M1 |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:22:9:22:13 | call to method M2 | DelegateFlow.cs:27:12:27:19 | (...) => ... |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:99:9:99:25 | call to method M2 | DelegateFlow.cs:98:9:98:37 | LocalFunction |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:114:9:114:16 | function pointer call | DelegateFlow.cs:119:18:119:27 | (...) => ... |
|
||||
| DelegateFlow.cs:9:9:9:12 | delegate call | DelegateFlow.cs:125:9:125:25 | function pointer call | DelegateFlow.cs:125:15:125:24 | (...) => ... |
|
||||
| DelegateFlow.cs:11:9:11:12 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:10:13:10:20 | (...) => ... |
|
||||
| DelegateFlow.cs:33:9:33:13 | delegate call | DelegateFlow.cs:38:9:38:30 | call to method M6 | DelegateFlow.cs:38:12:38:25 | (...) => ... |
|
||||
| DelegateFlow.cs:38:19:38:22 | delegate call | DelegateFlow.cs:33:9:33:13 | delegate call | DelegateFlow.cs:5:10:5:11 | M1 |
|
||||
| DelegateFlow.cs:44:15:44:22 | delegate call | DelegateFlow.cs:50:9:50:14 | dynamic access to member Prop | DelegateFlow.cs:43:22:43:29 | (...) => ... |
|
||||
| DelegateFlow.cs:57:9:57:11 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:53:34:53:47 | (...) => ... |
|
||||
| DelegateFlow.cs:57:9:57:14 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:53:40:53:47 | (...) => ... |
|
||||
| DelegateFlow.cs:67:9:67:16 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:62:16:62:23 | (...) => ... |
|
||||
| DelegateFlow.cs:77:9:77:15 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:55:10:55:11 | M9 |
|
||||
| DelegateFlow.cs:77:9:77:15 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:65:10:65:12 | M11 |
|
||||
| DelegateFlow.cs:84:9:84:15 | delegate call | DelegateFlow.cs:78:9:78:15 | call to method M13 | DelegateFlow.cs:55:10:55:11 | M9 |
|
||||
| DelegateFlow.cs:84:9:84:15 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:65:10:65:12 | M11 |
|
||||
| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:90:9:90:31 | call to local function M14 | DelegateFlow.cs:55:10:55:11 | M9 |
|
||||
| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:91:9:91:48 | call to local function M14 | DelegateFlow.cs:65:10:65:12 | M11 |
|
||||
| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:92:9:92:16 | call to local function M14 | DelegateFlow.cs:74:17:74:19 | M12 |
|
||||
| DelegateFlow.cs:89:35:89:37 | delegate call | DelegateFlow.cs:93:9:93:22 | call to local function M14 | DelegateFlow.cs:93:13:93:21 | (...) => ... |
|
||||
| DelegateFlow.cs:114:9:114:16 | function pointer call | DelegateFlow.cs:119:9:119:28 | call to method M16 | DelegateFlow.cs:7:17:7:18 | M2 |
|
||||
| DelegateFlow.cs:125:9:125:25 | function pointer call | file://:0:0:0:0 | (none) | DelegateFlow.cs:7:17:7:18 | M2 |
|
||||
| DelegateFlow.cs:132:9:132:11 | delegate call | DelegateFlow.cs:135:25:135:41 | call to method M19 | DelegateFlow.cs:135:29:135:37 | (...) => ... |
|
||||
| DelegateFlow.cs:132:9:132:11 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:131:17:131:25 | (...) => ... |
|
||||
| DelegateFlow.cs:153:9:153:21 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:149:13:149:20 | (...) => ... |
|
||||
| DelegateFlow.cs:154:9:154:21 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:150:13:150:20 | (...) => ... |
|
||||
| DelegateFlow.cs:155:9:155:16 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:149:13:149:20 | (...) => ... |
|
||||
| DelegateFlow.cs:156:9:156:16 | delegate call | file://:0:0:0:0 | (none) | DelegateFlow.cs:150:13:150:20 | (...) => ... |
|
||||
| file://:0:0:0:0 | [summary] call to [summary param] position 0 in Lazy in Lazy | DelegateFlow.cs:105:9:105:24 | object creation of type Lazy<Int32> | DelegateFlow.cs:104:23:104:30 | (...) => ... |
|
||||
| file://:0:0:0:0 | [summary] call to [summary param] position 0 in Lazy in Lazy | DelegateFlow.cs:107:9:107:24 | object creation of type Lazy<Int32> | DelegateFlow.cs:106:13:106:20 | (...) => ... |
|
||||
|
||||
@@ -66,27 +66,33 @@ edges
|
||||
| ExternalFlow.cs:54:36:54:47 | object creation of type Object : Object | ExternalFlow.cs:54:13:54:16 | [post] this access : D [element] : Object | provenance | MaD:12 |
|
||||
| ExternalFlow.cs:55:18:55:21 | this access : D [element] : Object | ExternalFlow.cs:55:18:55:41 | call to method StepElementGetter | provenance | MaD:11 |
|
||||
| ExternalFlow.cs:60:35:60:35 | o : Object | ExternalFlow.cs:60:47:60:47 | access to parameter o | provenance | |
|
||||
| ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | ExternalFlow.cs:60:35:60:35 | o : Object | provenance | MaD:3 |
|
||||
| ExternalFlow.cs:60:35:60:61 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:60:35:60:35 | o : Object | provenance | |
|
||||
| ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | ExternalFlow.cs:60:35:60:61 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | provenance | MaD:3 |
|
||||
| ExternalFlow.cs:65:17:65:17 | access to local variable o : Object | ExternalFlow.cs:66:18:66:18 | access to local variable o | provenance | |
|
||||
| ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object | ExternalFlow.cs:65:17:65:17 | access to local variable o : Object | provenance | |
|
||||
| ExternalFlow.cs:65:45:65:56 | object creation of type Object : Object | ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object | provenance | MaD:2 |
|
||||
| ExternalFlow.cs:65:40:65:56 | (...) => ... : (...) => ... [delegate return] : Object | ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object | provenance | MaD:2 |
|
||||
| ExternalFlow.cs:65:45:65:56 | object creation of type Object : Object | ExternalFlow.cs:65:40:65:56 | (...) => ... : (...) => ... [delegate return] : Object | provenance | |
|
||||
| ExternalFlow.cs:71:17:71:20 | access to local variable objs : null [element] : Object | ExternalFlow.cs:72:17:72:20 | access to local variable objs : null [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:71:30:71:45 | { ..., ... } : null [element] : Object | ExternalFlow.cs:71:17:71:20 | access to local variable objs : null [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:71:32:71:43 | object creation of type Object : Object | ExternalFlow.cs:71:30:71:45 | { ..., ... } : null [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:72:17:72:20 | access to local variable objs : null [element] : Object | ExternalFlow.cs:72:23:72:23 | o : Object | provenance | MaD:4 |
|
||||
| ExternalFlow.cs:72:17:72:20 | access to local variable objs : null [element] : Object | ExternalFlow.cs:72:23:72:49 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | provenance | MaD:4 |
|
||||
| ExternalFlow.cs:72:23:72:23 | o : Object | ExternalFlow.cs:72:35:72:35 | access to parameter o | provenance | |
|
||||
| ExternalFlow.cs:72:23:72:49 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:72:23:72:23 | o : Object | provenance | |
|
||||
| ExternalFlow.cs:77:17:77:20 | access to local variable objs : T[] [element] : Object | ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> : T[] [element] : Object | ExternalFlow.cs:77:17:77:20 | access to local variable objs : T[] [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> : T[] [element] : Object | provenance | MaD:5 |
|
||||
| ExternalFlow.cs:77:41:77:57 | (...) => ... : (...) => ... [delegate return] : Object | ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> : T[] [element] : Object | provenance | MaD:5 |
|
||||
| ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | ExternalFlow.cs:77:41:77:57 | (...) => ... : (...) => ... [delegate return] : Object | provenance | |
|
||||
| ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | ExternalFlow.cs:78:18:78:24 | access to array element | provenance | |
|
||||
| ExternalFlow.cs:83:17:83:20 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:83:30:83:45 | { ..., ... } : null [element] : Object | ExternalFlow.cs:83:17:83:20 | access to local variable objs : null [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:83:32:83:43 | object creation of type Object : Object | ExternalFlow.cs:83:30:83:45 | { ..., ... } : null [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:84:17:84:21 | access to local variable objs2 : T[] [element] : Object | ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | ExternalFlow.cs:84:17:84:21 | access to local variable objs2 : T[] [element] : Object | provenance | |
|
||||
| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | provenance | MaD:4 |
|
||||
| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | provenance | MaD:4 |
|
||||
| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | provenance | MaD:4 |
|
||||
| ExternalFlow.cs:84:35:84:35 | o : Object | ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | provenance | |
|
||||
| ExternalFlow.cs:84:35:84:40 | (...) => ... : (...) => ... [delegate return] : Object | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | provenance | MaD:5 |
|
||||
| ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | provenance | |
|
||||
| ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:84:35:84:40 | (...) => ... : (...) => ... [delegate return] : Object | provenance | |
|
||||
| ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | ExternalFlow.cs:85:18:85:25 | access to array element | provenance | |
|
||||
| ExternalFlow.cs:90:17:90:17 | access to local variable s : String | ExternalFlow.cs:91:19:91:19 | access to local variable s : String | provenance | |
|
||||
| ExternalFlow.cs:90:21:90:34 | object creation of type String : String | ExternalFlow.cs:90:17:90:17 | access to local variable s : String | provenance | |
|
||||
@@ -96,7 +102,8 @@ edges
|
||||
| ExternalFlow.cs:98:13:98:14 | [post] access to local variable d1 : D [field Field] : Object | ExternalFlow.cs:104:18:104:19 | access to local variable d1 : D [field Field] : Object | provenance | |
|
||||
| ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:98:13:98:14 | [post] access to local variable d1 : D [field Field] : Object | provenance | |
|
||||
| ExternalFlow.cs:100:20:100:20 | d : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d | provenance | |
|
||||
| ExternalFlow.cs:103:16:103:17 | access to local variable d1 : D [field Field] : Object | ExternalFlow.cs:100:20:100:20 | d : Object | provenance | MaD:1 |
|
||||
| ExternalFlow.cs:100:20:103:13 | [post] (...) => ... : Action<Object> [delegate argument at position 0] : Object | ExternalFlow.cs:100:20:100:20 | d : Object | provenance | |
|
||||
| ExternalFlow.cs:103:16:103:17 | access to local variable d1 : D [field Field] : Object | ExternalFlow.cs:100:20:103:13 | [post] (...) => ... : Action<Object> [delegate argument at position 0] : Object | provenance | MaD:1 |
|
||||
| ExternalFlow.cs:104:18:104:19 | access to local variable d1 : D [field Field] : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | provenance | |
|
||||
| ExternalFlow.cs:111:13:111:13 | [post] access to local variable f : F [field MyField] : Object | ExternalFlow.cs:112:18:112:18 | access to local variable f : F [field MyField] : Object | provenance | |
|
||||
| ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:111:13:111:13 | [post] access to local variable f : F [field MyField] : Object | provenance | MaD:19 |
|
||||
@@ -191,10 +198,12 @@ nodes
|
||||
| ExternalFlow.cs:55:18:55:21 | this access : D [element] : Object | semmle.label | this access : D [element] : Object |
|
||||
| ExternalFlow.cs:55:18:55:41 | call to method StepElementGetter | semmle.label | call to method StepElementGetter |
|
||||
| ExternalFlow.cs:60:35:60:35 | o : Object | semmle.label | o : Object |
|
||||
| ExternalFlow.cs:60:35:60:61 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | semmle.label | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object |
|
||||
| ExternalFlow.cs:60:47:60:47 | access to parameter o | semmle.label | access to parameter o |
|
||||
| ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:65:17:65:17 | access to local variable o : Object | semmle.label | access to local variable o : Object |
|
||||
| ExternalFlow.cs:65:21:65:60 | call to method Apply<Int32,Object> : Object | semmle.label | call to method Apply<Int32,Object> : Object |
|
||||
| ExternalFlow.cs:65:40:65:56 | (...) => ... : (...) => ... [delegate return] : Object | semmle.label | (...) => ... : (...) => ... [delegate return] : Object |
|
||||
| ExternalFlow.cs:65:45:65:56 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:66:18:66:18 | access to local variable o | semmle.label | access to local variable o |
|
||||
| ExternalFlow.cs:71:17:71:20 | access to local variable objs : null [element] : Object | semmle.label | access to local variable objs : null [element] : Object |
|
||||
@@ -202,9 +211,11 @@ nodes
|
||||
| ExternalFlow.cs:71:32:71:43 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:72:17:72:20 | access to local variable objs : null [element] : Object | semmle.label | access to local variable objs : null [element] : Object |
|
||||
| ExternalFlow.cs:72:23:72:23 | o : Object | semmle.label | o : Object |
|
||||
| ExternalFlow.cs:72:23:72:49 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | semmle.label | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object |
|
||||
| ExternalFlow.cs:72:35:72:35 | access to parameter o | semmle.label | access to parameter o |
|
||||
| ExternalFlow.cs:77:17:77:20 | access to local variable objs : T[] [element] : Object | semmle.label | access to local variable objs : T[] [element] : Object |
|
||||
| ExternalFlow.cs:77:24:77:58 | call to method Map<Int32,Object> : T[] [element] : Object | semmle.label | call to method Map<Int32,Object> : T[] [element] : Object |
|
||||
| ExternalFlow.cs:77:41:77:57 | (...) => ... : (...) => ... [delegate return] : Object | semmle.label | (...) => ... : (...) => ... [delegate return] : Object |
|
||||
| ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | semmle.label | access to local variable objs : T[] [element] : Object |
|
||||
| ExternalFlow.cs:78:18:78:24 | access to array element | semmle.label | access to array element |
|
||||
@@ -215,6 +226,8 @@ nodes
|
||||
| ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | semmle.label | call to method Map<Object,Object> : T[] [element] : Object |
|
||||
| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | semmle.label | access to local variable objs : null [element] : Object |
|
||||
| ExternalFlow.cs:84:35:84:35 | o : Object | semmle.label | o : Object |
|
||||
| ExternalFlow.cs:84:35:84:40 | (...) => ... : (...) => ... [delegate return] : Object | semmle.label | (...) => ... : (...) => ... [delegate return] : Object |
|
||||
| ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | semmle.label | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object |
|
||||
| ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | semmle.label | access to parameter o : Object |
|
||||
| ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | semmle.label | access to local variable objs2 : T[] [element] : Object |
|
||||
| ExternalFlow.cs:85:18:85:25 | access to array element | semmle.label | access to array element |
|
||||
@@ -226,6 +239,7 @@ nodes
|
||||
| ExternalFlow.cs:98:13:98:14 | [post] access to local variable d1 : D [field Field] : Object | semmle.label | [post] access to local variable d1 : D [field Field] : Object |
|
||||
| ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
|
||||
| ExternalFlow.cs:100:20:100:20 | d : Object | semmle.label | d : Object |
|
||||
| ExternalFlow.cs:100:20:103:13 | [post] (...) => ... : Action<Object> [delegate argument at position 0] : Object | semmle.label | [post] (...) => ... : Action<Object> [delegate argument at position 0] : Object |
|
||||
| ExternalFlow.cs:102:22:102:22 | access to parameter d | semmle.label | access to parameter d |
|
||||
| ExternalFlow.cs:103:16:103:17 | access to local variable d1 : D [field Field] : Object | semmle.label | access to local variable d1 : D [field Field] : Object |
|
||||
| ExternalFlow.cs:104:18:104:19 | access to local variable d1 : D [field Field] : Object | semmle.label | access to local variable d1 : D [field Field] : Object |
|
||||
@@ -293,7 +307,7 @@ nodes
|
||||
| ExternalFlow.cs:345:18:345:18 | access to local variable l : Library [synthetic X] : Object | semmle.label | access to local variable l : Library [synthetic X] : Object |
|
||||
| ExternalFlow.cs:345:18:345:29 | call to method GetValue | semmle.label | call to method GetValue |
|
||||
subpaths
|
||||
| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object |
|
||||
| ExternalFlow.cs:84:35:84:40 | [post] (...) => ... : Func<T,T> [delegate argument at position 0] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | ExternalFlow.cs:84:35:84:40 | (...) => ... : (...) => ... [delegate return] : Object |
|
||||
invalidModelRow
|
||||
#select
|
||||
| ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | $@ | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | object creation of type Object : Object |
|
||||
|
||||
@@ -1,20 +1,2 @@
|
||||
fptrCall
|
||||
| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:5:24:5:27 | Log1 |
|
||||
| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:6:24:6:27 | Log2 |
|
||||
| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:10:24:10:27 | Log6 |
|
||||
| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:46:9:46:44 | LocalFunction |
|
||||
| FunctionPointerFlow.cs:16:9:16:12 | function pointer call | FunctionPointerFlow.cs:7:24:7:27 | Log3 |
|
||||
| FunctionPointerFlow.cs:41:9:41:15 | function pointer call | FunctionPointerFlow.cs:8:24:8:27 | Log4 |
|
||||
| FunctionPointerFlow.cs:54:9:54:16 | function pointer call | FunctionPointerFlow.cs:9:24:9:27 | Log5 |
|
||||
| FunctionPointerFlow.cs:59:9:59:13 | function pointer call | FunctionPointerFlow.cs:24:24:24:25 | M4 |
|
||||
| FunctionPointerFlow.cs:69:9:69:13 | function pointer call | FunctionPointerFlow.cs:72:24:72:26 | M17 |
|
||||
fptrCallContext
|
||||
| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:21:9:21:17 | call to method M2 | FunctionPointerFlow.cs:5:24:5:27 | Log1 |
|
||||
| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:26:9:26:13 | call to method M2 | FunctionPointerFlow.cs:6:24:6:27 | Log2 |
|
||||
| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:26:9:26:13 | call to method M2 | FunctionPointerFlow.cs:10:24:10:27 | Log6 |
|
||||
| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:47:9:47:26 | call to method M2 | FunctionPointerFlow.cs:46:9:46:44 | LocalFunction |
|
||||
| FunctionPointerFlow.cs:16:9:16:12 | function pointer call | file://:0:0:0:0 | (none) | FunctionPointerFlow.cs:7:24:7:27 | Log3 |
|
||||
| FunctionPointerFlow.cs:41:9:41:15 | function pointer call | file://:0:0:0:0 | (none) | FunctionPointerFlow.cs:8:24:8:27 | Log4 |
|
||||
| FunctionPointerFlow.cs:54:9:54:16 | function pointer call | file://:0:0:0:0 | (none) | FunctionPointerFlow.cs:9:24:9:27 | Log5 |
|
||||
| FunctionPointerFlow.cs:59:9:59:13 | function pointer call | FunctionPointerFlow.cs:64:9:64:23 | call to method M10 | FunctionPointerFlow.cs:24:24:24:25 | M4 |
|
||||
| FunctionPointerFlow.cs:69:9:69:13 | function pointer call | FunctionPointerFlow.cs:81:9:81:29 | call to method M16 | FunctionPointerFlow.cs:72:24:72:26 | M17 |
|
||||
|
||||
@@ -2,8 +2,9 @@ import csharp
|
||||
|
||||
module FlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr().(StringLiteral).getValue() = "taint source"
|
||||
source.asExpr().(StringLiteral).getValue() = "taint source" //and
|
||||
or
|
||||
// source.getLocation().getStartLine() = 81
|
||||
source.asParameter().hasName("tainted")
|
||||
}
|
||||
|
||||
@@ -13,6 +14,7 @@ module FlowConfig implements DataFlow::ConfigSig {
|
||||
mc.getAnArgument() = sink.asExpr()
|
||||
)
|
||||
}
|
||||
// predicate includeHiddenNodes() { any() }
|
||||
}
|
||||
|
||||
module Flow = DataFlow::Global<FlowConfig>;
|
||||
|
||||
@@ -12,8 +12,8 @@
|
||||
| Capture.cs:163:15:163:20 | access to local variable sink36 |
|
||||
| Capture.cs:171:15:171:20 | access to local variable sink37 |
|
||||
| Capture.cs:197:15:197:20 | access to local variable sink38 |
|
||||
| Capture.cs:199:15:199:22 | access to local variable nonSink0 |
|
||||
| Capture.cs:206:19:206:19 | access to parameter s |
|
||||
| Capture.cs:217:19:217:19 | access to parameter s |
|
||||
| Capture.cs:231:19:231:19 | access to local variable x |
|
||||
| Capture.cs:234:15:234:15 | access to local variable x |
|
||||
| Capture.cs:246:19:246:25 | access to field Field |
|
||||
@@ -40,6 +40,7 @@
|
||||
| GlobalDataFlow.cs:86:15:86:20 | access to local variable sink15 |
|
||||
| GlobalDataFlow.cs:88:15:88:20 | access to local variable sink16 |
|
||||
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink4 |
|
||||
| GlobalDataFlow.cs:144:15:144:22 | access to local variable nonSink0 |
|
||||
| GlobalDataFlow.cs:148:15:148:19 | access to local variable sink5 |
|
||||
| GlobalDataFlow.cs:158:15:158:19 | access to local variable sink6 |
|
||||
| GlobalDataFlow.cs:161:15:161:19 | access to local variable sink7 |
|
||||
@@ -53,6 +54,12 @@
|
||||
| GlobalDataFlow.cs:217:15:217:20 | access to local variable sink24 |
|
||||
| GlobalDataFlow.cs:219:15:219:20 | access to local variable sink25 |
|
||||
| GlobalDataFlow.cs:221:15:221:20 | access to local variable sink26 |
|
||||
| GlobalDataFlow.cs:224:59:224:70 | access to parameter nonSinkParam |
|
||||
| GlobalDataFlow.cs:227:15:227:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:229:15:229:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:231:15:231:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:233:15:233:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:235:15:235:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:243:15:243:20 | access to local variable sink41 |
|
||||
| GlobalDataFlow.cs:245:15:245:20 | access to local variable sink42 |
|
||||
| GlobalDataFlow.cs:260:15:260:24 | access to parameter sinkParam0 |
|
||||
@@ -65,6 +72,7 @@
|
||||
| GlobalDataFlow.cs:317:15:317:24 | access to parameter sinkParam8 |
|
||||
| GlobalDataFlow.cs:323:15:323:24 | access to parameter sinkParam9 |
|
||||
| GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 |
|
||||
| GlobalDataFlow.cs:335:15:335:26 | access to parameter nonSinkParam |
|
||||
| GlobalDataFlow.cs:404:15:404:20 | access to local variable sink11 |
|
||||
| GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
|
||||
| GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 |
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -12,8 +12,8 @@
|
||||
| Capture.cs:163:15:163:20 | access to local variable sink36 |
|
||||
| Capture.cs:171:15:171:20 | access to local variable sink37 |
|
||||
| Capture.cs:197:15:197:20 | access to local variable sink38 |
|
||||
| Capture.cs:199:15:199:22 | access to local variable nonSink0 |
|
||||
| Capture.cs:206:19:206:19 | access to parameter s |
|
||||
| Capture.cs:217:19:217:19 | access to parameter s |
|
||||
| Capture.cs:231:19:231:19 | access to local variable x |
|
||||
| Capture.cs:234:15:234:15 | access to local variable x |
|
||||
| Capture.cs:246:19:246:25 | access to field Field |
|
||||
@@ -45,6 +45,7 @@
|
||||
| GlobalDataFlow.cs:98:15:98:20 | access to local variable sink22 |
|
||||
| GlobalDataFlow.cs:101:15:101:21 | access to local variable sink21b |
|
||||
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink4 |
|
||||
| GlobalDataFlow.cs:144:15:144:22 | access to local variable nonSink0 |
|
||||
| GlobalDataFlow.cs:148:15:148:19 | access to local variable sink5 |
|
||||
| GlobalDataFlow.cs:158:15:158:19 | access to local variable sink6 |
|
||||
| GlobalDataFlow.cs:161:15:161:19 | access to local variable sink7 |
|
||||
@@ -58,6 +59,12 @@
|
||||
| GlobalDataFlow.cs:217:15:217:20 | access to local variable sink24 |
|
||||
| GlobalDataFlow.cs:219:15:219:20 | access to local variable sink25 |
|
||||
| GlobalDataFlow.cs:221:15:221:20 | access to local variable sink26 |
|
||||
| GlobalDataFlow.cs:224:59:224:70 | access to parameter nonSinkParam |
|
||||
| GlobalDataFlow.cs:227:15:227:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:229:15:229:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:231:15:231:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:233:15:233:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:235:15:235:21 | access to local variable nonSink |
|
||||
| GlobalDataFlow.cs:243:15:243:20 | access to local variable sink41 |
|
||||
| GlobalDataFlow.cs:245:15:245:20 | access to local variable sink42 |
|
||||
| GlobalDataFlow.cs:260:15:260:24 | access to parameter sinkParam0 |
|
||||
@@ -70,6 +77,7 @@
|
||||
| GlobalDataFlow.cs:317:15:317:24 | access to parameter sinkParam8 |
|
||||
| GlobalDataFlow.cs:323:15:323:24 | access to parameter sinkParam9 |
|
||||
| GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 |
|
||||
| GlobalDataFlow.cs:335:15:335:26 | access to parameter nonSinkParam |
|
||||
| GlobalDataFlow.cs:404:15:404:20 | access to local variable sink11 |
|
||||
| GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
|
||||
| GlobalDataFlow.cs:449:15:449:20 | access to local variable sink44 |
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
190
csharp/ql/test/library-tests/dataflow/lambda/LambdaFlow.cs
Normal file
190
csharp/ql/test/library-tests/dataflow/lambda/LambdaFlow.cs
Normal file
@@ -0,0 +1,190 @@
|
||||
using System;
|
||||
|
||||
public class LambdaFlow
|
||||
{
|
||||
/// <summary>
|
||||
/// Flow into a normal method
|
||||
/// </summary>
|
||||
class Ex1
|
||||
{
|
||||
void M1(string s)
|
||||
{
|
||||
Sink(s); // $ hasValueFlow=1
|
||||
}
|
||||
|
||||
public void M2()
|
||||
{
|
||||
var source = Source(1);
|
||||
M1(source);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Flow into a lambda
|
||||
/// </summary>
|
||||
class Ex2
|
||||
{
|
||||
void M1(Action<string> lambda)
|
||||
{
|
||||
var source = Source(2);
|
||||
lambda(source);
|
||||
}
|
||||
|
||||
void M2()
|
||||
{
|
||||
Action<string> lambda = x => Sink(x); // $ hasValueFlow=2
|
||||
M1(lambda);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Flow out of a lambda
|
||||
/// </summary>
|
||||
class Ex3
|
||||
{
|
||||
Func<string> M1()
|
||||
{
|
||||
return () => Source(3);
|
||||
}
|
||||
|
||||
void M2()
|
||||
{
|
||||
var lambda = M1();
|
||||
Sink(lambda()); // $ hasValueFlow=3
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Flow through a lambda
|
||||
/// </summary>
|
||||
class Ex4
|
||||
{
|
||||
string M1(Func<string, string> lambda, string input)
|
||||
{
|
||||
return lambda(input);
|
||||
}
|
||||
|
||||
void M2()
|
||||
{
|
||||
Func<string, string> id = x => x;
|
||||
var source = Source(4);
|
||||
var output = M1(id, source);
|
||||
Sink(output); // $ hasValueFlow=4
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// No flow into lambda (call context sensitivity)
|
||||
/// </summary>
|
||||
class Ex5
|
||||
{
|
||||
void M1(Action<string> lambda, string input)
|
||||
{
|
||||
lambda(input);
|
||||
}
|
||||
|
||||
void M2(Action<string> lambda, string input)
|
||||
{
|
||||
M1(lambda, input);
|
||||
}
|
||||
|
||||
void M3()
|
||||
{
|
||||
Action<string> lambda1 = arg => Sink(arg);
|
||||
Action<string> lambda2 = arg => { };
|
||||
|
||||
var source = Source(5);
|
||||
var nonSource = "non-source";
|
||||
|
||||
M1(lambda1, nonSource);
|
||||
M1(lambda2, source);
|
||||
|
||||
M2(lambda1, nonSource);
|
||||
M2(lambda2, source);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Flow into a returned lambda
|
||||
/// </summary>
|
||||
class Ex6
|
||||
{
|
||||
Action<string> M1()
|
||||
{
|
||||
return x => Sink(x); // $ hasValueFlow=6
|
||||
}
|
||||
|
||||
void M2()
|
||||
{
|
||||
var source = Source(6);
|
||||
var lambda = M1();
|
||||
lambda(source);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// No flow through lambda
|
||||
/// </summary>
|
||||
class Ex7
|
||||
{
|
||||
void M1(Func<string, string> lambda)
|
||||
{
|
||||
var source = Source(7);
|
||||
lambda(source);
|
||||
}
|
||||
|
||||
void M2(Func<string, string> lambda)
|
||||
{
|
||||
var nonSource = "non-source";
|
||||
var output = lambda(nonSource);
|
||||
Sink(output);
|
||||
}
|
||||
|
||||
void M3()
|
||||
{
|
||||
Func<string, string> id = x => x;
|
||||
M1(id);
|
||||
M2(id);
|
||||
}
|
||||
}
|
||||
|
||||
static string Source(int source) => source.ToString();
|
||||
|
||||
static void Sink(string value) { }
|
||||
}
|
||||
120
csharp/ql/test/library-tests/dataflow/lambda/LambdaFlow.expected
Normal file
120
csharp/ql/test/library-tests/dataflow/lambda/LambdaFlow.expected
Normal file
@@ -0,0 +1,120 @@
|
||||
models
|
||||
edges
|
||||
| LambdaFlow.cs:10:24:10:24 | s : String | LambdaFlow.cs:12:18:12:18 | access to parameter s | provenance | |
|
||||
| LambdaFlow.cs:17:17:17:22 | access to local variable source : String | LambdaFlow.cs:18:16:18:21 | access to local variable source : String | provenance | |
|
||||
| LambdaFlow.cs:17:26:17:34 | call to method Source : String | LambdaFlow.cs:17:17:17:22 | access to local variable source : String | provenance | |
|
||||
| LambdaFlow.cs:18:16:18:21 | access to local variable source : String | LambdaFlow.cs:10:24:10:24 | s : String | provenance | |
|
||||
| LambdaFlow.cs:33:32:33:37 | lambda [Return] : Action<String> [delegate argument at position 0] : String | LambdaFlow.cs:42:16:42:21 | [post] access to local variable lambda : Action<String> [delegate argument at position 0] : String | provenance | |
|
||||
| LambdaFlow.cs:35:17:35:22 | access to local variable source : String | LambdaFlow.cs:36:20:36:25 | access to local variable source : String | provenance | |
|
||||
| LambdaFlow.cs:35:26:35:34 | call to method Source : String | LambdaFlow.cs:35:17:35:22 | access to local variable source : String | provenance | |
|
||||
| LambdaFlow.cs:36:13:36:18 | [post] access to parameter lambda : Action<String> [delegate argument at position 0] : String | LambdaFlow.cs:33:32:33:37 | lambda [Return] : Action<String> [delegate argument at position 0] : String | provenance | |
|
||||
| LambdaFlow.cs:36:20:36:25 | access to local variable source : String | LambdaFlow.cs:36:13:36:18 | [post] access to parameter lambda : Action<String> [delegate argument at position 0] : String | provenance | |
|
||||
| LambdaFlow.cs:41:37:41:37 | x : String | LambdaFlow.cs:41:47:41:47 | access to parameter x | provenance | |
|
||||
| LambdaFlow.cs:42:16:42:21 | [post] access to local variable lambda : Action<String> [delegate argument at position 0] : String | LambdaFlow.cs:41:37:41:37 | x : String | provenance | |
|
||||
| LambdaFlow.cs:59:20:59:34 | (...) => ... : (...) => ... [delegate return] : String | LambdaFlow.cs:64:26:64:29 | call to method M1 : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:59:26:59:34 | call to method Source : String | LambdaFlow.cs:59:20:59:34 | (...) => ... : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:64:17:64:22 | access to local variable lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:65:18:65:23 | access to local variable lambda : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:64:26:64:29 | call to method M1 : (...) => ... [delegate return] : String | LambdaFlow.cs:64:17:64:22 | access to local variable lambda : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:65:18:65:23 | access to local variable lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:65:18:65:25 | delegate call | provenance | |
|
||||
| LambdaFlow.cs:80:40:80:45 | lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:82:20:82:25 | access to parameter lambda : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:80:55:80:59 | input : String | LambdaFlow.cs:82:27:82:31 | access to parameter input : String | provenance | |
|
||||
| LambdaFlow.cs:82:20:82:25 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:80:40:80:45 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | provenance | |
|
||||
| LambdaFlow.cs:82:20:82:25 | access to parameter lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:82:20:82:32 | delegate call : String | provenance | |
|
||||
| LambdaFlow.cs:82:27:82:31 | access to parameter input : String | LambdaFlow.cs:82:20:82:25 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | provenance | |
|
||||
| LambdaFlow.cs:87:34:87:35 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:87:39:87:39 | x : String | LambdaFlow.cs:87:44:87:44 | access to parameter x : String | provenance | |
|
||||
| LambdaFlow.cs:87:39:87:44 | (...) => ... : (...) => ... [delegate return] : String | LambdaFlow.cs:87:34:87:35 | access to local variable id : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:88:17:88:22 | access to local variable source : String | LambdaFlow.cs:89:33:89:38 | access to local variable source : String | provenance | |
|
||||
| LambdaFlow.cs:88:26:88:34 | call to method Source : String | LambdaFlow.cs:88:17:88:22 | access to local variable source : String | provenance | |
|
||||
| LambdaFlow.cs:89:17:89:22 | access to local variable output : String | LambdaFlow.cs:90:18:90:23 | access to local variable output | provenance | |
|
||||
| LambdaFlow.cs:89:26:89:39 | call to method M1 : String | LambdaFlow.cs:89:17:89:22 | access to local variable output : String | provenance | |
|
||||
| LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:87:39:87:39 | x : String | provenance | |
|
||||
| LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:87:39:87:44 | (...) => ... : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:80:40:80:45 | lambda : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:89:26:89:39 | call to method M1 : String | provenance | |
|
||||
| LambdaFlow.cs:89:33:89:38 | access to local variable source : String | LambdaFlow.cs:80:55:80:59 | input : String | provenance | |
|
||||
| LambdaFlow.cs:89:33:89:38 | access to local variable source : String | LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | provenance | |
|
||||
| LambdaFlow.cs:166:38:166:43 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | provenance | |
|
||||
| LambdaFlow.cs:168:17:168:22 | access to local variable source : String | LambdaFlow.cs:169:20:169:25 | access to local variable source : String | provenance | |
|
||||
| LambdaFlow.cs:168:26:168:34 | call to method Source : String | LambdaFlow.cs:168:17:168:22 | access to local variable source : String | provenance | |
|
||||
| LambdaFlow.cs:169:13:169:18 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:166:38:166:43 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | provenance | |
|
||||
| LambdaFlow.cs:169:20:169:25 | access to local variable source : String | LambdaFlow.cs:169:13:169:18 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | provenance | |
|
||||
| LambdaFlow.cs:172:38:172:43 | lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:175:26:175:31 | access to parameter lambda : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:175:17:175:22 | access to local variable output : String | LambdaFlow.cs:176:18:176:23 | access to local variable output | provenance | |
|
||||
| LambdaFlow.cs:175:26:175:31 | access to parameter lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:175:26:175:42 | delegate call : String | provenance | |
|
||||
| LambdaFlow.cs:175:26:175:42 | delegate call : String | LambdaFlow.cs:175:17:175:22 | access to local variable output : String | provenance | |
|
||||
| LambdaFlow.cs:181:34:181:35 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:183:16:183:17 | access to local variable id : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:181:39:181:39 | x : String | LambdaFlow.cs:181:44:181:44 | access to parameter x : String | provenance | |
|
||||
| LambdaFlow.cs:181:39:181:44 | (...) => ... : (...) => ... [delegate return] : String | LambdaFlow.cs:181:34:181:35 | access to local variable id : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:181:39:181:39 | x : String | provenance | |
|
||||
| LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:181:39:181:44 | (...) => ... : (...) => ... [delegate return] : String | provenance | |
|
||||
| LambdaFlow.cs:183:16:183:17 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:172:38:172:43 | lambda : (...) => ... [delegate return] : String | provenance | |
|
||||
nodes
|
||||
| LambdaFlow.cs:10:24:10:24 | s : String | semmle.label | s : String |
|
||||
| LambdaFlow.cs:12:18:12:18 | access to parameter s | semmle.label | access to parameter s |
|
||||
| LambdaFlow.cs:17:17:17:22 | access to local variable source : String | semmle.label | access to local variable source : String |
|
||||
| LambdaFlow.cs:17:26:17:34 | call to method Source : String | semmle.label | call to method Source : String |
|
||||
| LambdaFlow.cs:18:16:18:21 | access to local variable source : String | semmle.label | access to local variable source : String |
|
||||
| LambdaFlow.cs:33:32:33:37 | lambda [Return] : Action<String> [delegate argument at position 0] : String | semmle.label | lambda [Return] : Action<String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:35:17:35:22 | access to local variable source : String | semmle.label | access to local variable source : String |
|
||||
| LambdaFlow.cs:35:26:35:34 | call to method Source : String | semmle.label | call to method Source : String |
|
||||
| LambdaFlow.cs:36:13:36:18 | [post] access to parameter lambda : Action<String> [delegate argument at position 0] : String | semmle.label | [post] access to parameter lambda : Action<String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:36:20:36:25 | access to local variable source : String | semmle.label | access to local variable source : String |
|
||||
| LambdaFlow.cs:41:37:41:37 | x : String | semmle.label | x : String |
|
||||
| LambdaFlow.cs:41:47:41:47 | access to parameter x | semmle.label | access to parameter x |
|
||||
| LambdaFlow.cs:42:16:42:21 | [post] access to local variable lambda : Action<String> [delegate argument at position 0] : String | semmle.label | [post] access to local variable lambda : Action<String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:59:20:59:34 | (...) => ... : (...) => ... [delegate return] : String | semmle.label | (...) => ... : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:59:26:59:34 | call to method Source : String | semmle.label | call to method Source : String |
|
||||
| LambdaFlow.cs:64:17:64:22 | access to local variable lambda : (...) => ... [delegate return] : String | semmle.label | access to local variable lambda : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:64:26:64:29 | call to method M1 : (...) => ... [delegate return] : String | semmle.label | call to method M1 : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:65:18:65:23 | access to local variable lambda : (...) => ... [delegate return] : String | semmle.label | access to local variable lambda : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:65:18:65:25 | delegate call | semmle.label | delegate call |
|
||||
| LambdaFlow.cs:80:40:80:45 | lambda : (...) => ... [delegate return] : String | semmle.label | lambda : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:80:40:80:45 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | semmle.label | lambda [Return] : Func<String,String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:80:55:80:59 | input : String | semmle.label | input : String |
|
||||
| LambdaFlow.cs:82:20:82:25 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | semmle.label | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:82:20:82:25 | access to parameter lambda : (...) => ... [delegate return] : String | semmle.label | access to parameter lambda : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:82:20:82:32 | delegate call : String | semmle.label | delegate call : String |
|
||||
| LambdaFlow.cs:82:27:82:31 | access to parameter input : String | semmle.label | access to parameter input : String |
|
||||
| LambdaFlow.cs:87:34:87:35 | access to local variable id : (...) => ... [delegate return] : String | semmle.label | access to local variable id : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:87:39:87:39 | x : String | semmle.label | x : String |
|
||||
| LambdaFlow.cs:87:39:87:44 | (...) => ... : (...) => ... [delegate return] : String | semmle.label | (...) => ... : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:87:44:87:44 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| LambdaFlow.cs:88:17:88:22 | access to local variable source : String | semmle.label | access to local variable source : String |
|
||||
| LambdaFlow.cs:88:26:88:34 | call to method Source : String | semmle.label | call to method Source : String |
|
||||
| LambdaFlow.cs:89:17:89:22 | access to local variable output : String | semmle.label | access to local variable output : String |
|
||||
| LambdaFlow.cs:89:26:89:39 | call to method M1 : String | semmle.label | call to method M1 : String |
|
||||
| LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | semmle.label | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | semmle.label | access to local variable id : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:89:33:89:38 | access to local variable source : String | semmle.label | access to local variable source : String |
|
||||
| LambdaFlow.cs:90:18:90:23 | access to local variable output | semmle.label | access to local variable output |
|
||||
| LambdaFlow.cs:166:38:166:43 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | semmle.label | lambda [Return] : Func<String,String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:168:17:168:22 | access to local variable source : String | semmle.label | access to local variable source : String |
|
||||
| LambdaFlow.cs:168:26:168:34 | call to method Source : String | semmle.label | call to method Source : String |
|
||||
| LambdaFlow.cs:169:13:169:18 | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String | semmle.label | [post] access to parameter lambda : Func<String,String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:169:20:169:25 | access to local variable source : String | semmle.label | access to local variable source : String |
|
||||
| LambdaFlow.cs:172:38:172:43 | lambda : (...) => ... [delegate return] : String | semmle.label | lambda : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:175:17:175:22 | access to local variable output : String | semmle.label | access to local variable output : String |
|
||||
| LambdaFlow.cs:175:26:175:31 | access to parameter lambda : (...) => ... [delegate return] : String | semmle.label | access to parameter lambda : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:175:26:175:42 | delegate call : String | semmle.label | delegate call : String |
|
||||
| LambdaFlow.cs:176:18:176:23 | access to local variable output | semmle.label | access to local variable output |
|
||||
| LambdaFlow.cs:181:34:181:35 | access to local variable id : (...) => ... [delegate return] : String | semmle.label | access to local variable id : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:181:39:181:39 | x : String | semmle.label | x : String |
|
||||
| LambdaFlow.cs:181:39:181:44 | (...) => ... : (...) => ... [delegate return] : String | semmle.label | (...) => ... : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:181:44:181:44 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | semmle.label | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:183:16:183:17 | access to local variable id : (...) => ... [delegate return] : String | semmle.label | access to local variable id : (...) => ... [delegate return] : String |
|
||||
subpaths
|
||||
| LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:87:39:87:39 | x : String | LambdaFlow.cs:87:44:87:44 | access to parameter x : String | LambdaFlow.cs:87:39:87:44 | (...) => ... : (...) => ... [delegate return] : String |
|
||||
| LambdaFlow.cs:89:29:89:30 | access to local variable id : (...) => ... [delegate return] : String | LambdaFlow.cs:80:40:80:45 | lambda : (...) => ... [delegate return] : String | LambdaFlow.cs:82:20:82:32 | delegate call : String | LambdaFlow.cs:89:26:89:39 | call to method M1 : String |
|
||||
| LambdaFlow.cs:89:33:89:38 | access to local variable source : String | LambdaFlow.cs:80:55:80:59 | input : String | LambdaFlow.cs:80:40:80:45 | lambda [Return] : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:89:29:89:30 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String |
|
||||
| LambdaFlow.cs:182:16:182:17 | [post] access to local variable id : Func<String,String> [delegate argument at position 0] : String | LambdaFlow.cs:181:39:181:39 | x : String | LambdaFlow.cs:181:44:181:44 | access to parameter x : String | LambdaFlow.cs:181:39:181:44 | (...) => ... : (...) => ... [delegate return] : String |
|
||||
testFailures
|
||||
| LambdaFlow.cs:144:34:144:52 | // ... | Missing result: hasValueFlow=6 |
|
||||
| LambdaFlow.cs:176:18:176:23 | access to local variable output | Unexpected result: hasValueFlow=7 |
|
||||
#select
|
||||
| LambdaFlow.cs:12:18:12:18 | access to parameter s | LambdaFlow.cs:17:26:17:34 | call to method Source : String | LambdaFlow.cs:12:18:12:18 | access to parameter s | $@ | LambdaFlow.cs:17:26:17:34 | call to method Source : String | call to method Source : String |
|
||||
| LambdaFlow.cs:41:47:41:47 | access to parameter x | LambdaFlow.cs:35:26:35:34 | call to method Source : String | LambdaFlow.cs:41:47:41:47 | access to parameter x | $@ | LambdaFlow.cs:35:26:35:34 | call to method Source : String | call to method Source : String |
|
||||
| LambdaFlow.cs:65:18:65:25 | delegate call | LambdaFlow.cs:59:26:59:34 | call to method Source : String | LambdaFlow.cs:65:18:65:25 | delegate call | $@ | LambdaFlow.cs:59:26:59:34 | call to method Source : String | call to method Source : String |
|
||||
| LambdaFlow.cs:90:18:90:23 | access to local variable output | LambdaFlow.cs:88:26:88:34 | call to method Source : String | LambdaFlow.cs:90:18:90:23 | access to local variable output | $@ | LambdaFlow.cs:88:26:88:34 | call to method Source : String | call to method Source : String |
|
||||
| LambdaFlow.cs:176:18:176:23 | access to local variable output | LambdaFlow.cs:168:26:168:34 | call to method Source : String | LambdaFlow.cs:176:18:176:23 | access to local variable output | $@ | LambdaFlow.cs:168:26:168:34 | call to method Source : String | call to method Source : String |
|
||||
12
csharp/ql/test/library-tests/dataflow/lambda/LambdaFlow.ql
Normal file
12
csharp/ql/test/library-tests/dataflow/lambda/LambdaFlow.ql
Normal file
@@ -0,0 +1,12 @@
|
||||
/**
|
||||
* @kind path-problem
|
||||
*/
|
||||
|
||||
import csharp
|
||||
import TestUtilities.InlineFlowTest
|
||||
import ValueFlowTest<DefaultFlowConfig>
|
||||
import PathGraph
|
||||
|
||||
from PathNode source, PathNode sink
|
||||
where flowPath(source, sink)
|
||||
select sink, source, sink, "$@", source, source.toString()
|
||||
@@ -4,20 +4,32 @@ models
|
||||
edges
|
||||
| TypeFlowDispatch.cs:11:42:11:42 | x : String | TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:11:42:11:42 | x : String | TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | TypeFlowDispatch.cs:23:20:23:20 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | TypeFlowDispatch.cs:23:20:23:20 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:16:46:16:46 | x : String | TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:16:46:16:46 | x : String | TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:11:42:11:42 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:11:42:11:42 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:23:20:23:20 | x : String | TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | provenance | |
|
||||
| TypeFlowDispatch.cs:23:20:23:20 | x : String | TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | provenance | |
|
||||
| TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:23:20:23:20 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:23:20:23:20 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:16:46:16:46 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:16:46:16:46 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:39:34:39:34 | x : String | provenance | MaD:2 |
|
||||
| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:39:34:39:34 | x : String | provenance | MaD:2 |
|
||||
| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | MaD:2 |
|
||||
| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | MaD:2 |
|
||||
| TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:36:23:36:54 | object creation of type List<String> : List<T> [element] : String | TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | provenance | |
|
||||
@@ -26,30 +38,50 @@ edges
|
||||
| TypeFlowDispatch.cs:36:42:36:52 | call to method Source<String> : String | TypeFlowDispatch.cs:36:23:36:54 | object creation of type List<String> : List<T> [element] : String | provenance | MaD:1 |
|
||||
| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | provenance | MaD:2 |
|
||||
| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | provenance | MaD:2 |
|
||||
| TypeFlowDispatch.cs:39:34:39:34 | x : String | TypeFlowDispatch.cs:39:46:39:46 | access to parameter x | provenance | |
|
||||
| TypeFlowDispatch.cs:39:34:39:34 | x : String | TypeFlowDispatch.cs:39:46:39:46 | access to parameter x | provenance | |
|
||||
| TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:39:34:39:34 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:39:34:39:34 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:42:42:42:42 | x : String | TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:42:42:42:42 | x : String | TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance | |
|
||||
| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance | |
|
||||
| TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:47:46:47:46 | x : String | TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:47:46:47:46 | x : String | TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:42:42:42:42 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:42:42:42:42 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:52:32:52:32 | t : String | TypeFlowDispatch.cs:52:43:52:43 | access to parameter t | provenance | |
|
||||
| TypeFlowDispatch.cs:52:32:52:32 | t : String | TypeFlowDispatch.cs:52:43:52:43 | access to parameter t | provenance | |
|
||||
| TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance | |
|
||||
| TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance | |
|
||||
| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:47:46:47:46 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:47:46:47:46 | x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | provenance | |
|
||||
| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance | |
|
||||
| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance | |
|
||||
| TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:74:23:74:54 | object creation of type List<String> : List<T> [element] : String | TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | provenance | |
|
||||
@@ -58,25 +90,43 @@ edges
|
||||
| TypeFlowDispatch.cs:74:42:74:52 | call to method Source<String> : String | TypeFlowDispatch.cs:74:23:74:54 | object creation of type List<String> : List<T> [element] : String | provenance | MaD:1 |
|
||||
| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | provenance | |
|
||||
| TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance | |
|
||||
| TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:52:32:52:32 | t : String | provenance | |
|
||||
nodes
|
||||
| TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:11:42:11:42 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:11:42:11:42 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:13:9:13:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| TypeFlowDispatch.cs:13:11:13:11 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:16:46:16:46 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:16:46:16:46 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| TypeFlowDispatch.cs:23:20:23:20 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:23:20:23:20 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | semmle.label | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | semmle.label | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | semmle.label | access to parameter x |
|
||||
| TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | semmle.label | access to parameter x |
|
||||
| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
|
||||
| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
|
||||
| TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:31:9:31:9 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:31:19:31:19 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:36:13:36:19 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:36:23:36:54 | object creation of type List<String> : List<T> [element] : String | semmle.label | object creation of type List<String> : List<T> [element] : String |
|
||||
@@ -87,32 +137,52 @@ nodes
|
||||
| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:39:34:39:34 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:39:34:39:34 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | semmle.label | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String | semmle.label | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:39:46:39:46 | access to parameter x | semmle.label | access to parameter x |
|
||||
| TypeFlowDispatch.cs:39:46:39:46 | access to parameter x | semmle.label | access to parameter x |
|
||||
| TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:42:42:42:42 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:42:42:42:42 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:44:9:44:9 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| TypeFlowDispatch.cs:44:11:44:11 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:47:46:47:46 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:47:46:47:46 | x : String | semmle.label | x : String |
|
||||
| TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | semmle.label | access to parameter x : String |
|
||||
| TypeFlowDispatch.cs:52:32:52:32 | t : String | semmle.label | t : String |
|
||||
| TypeFlowDispatch.cs:52:32:52:32 | t : String | semmle.label | t : String |
|
||||
| TypeFlowDispatch.cs:52:43:52:43 | access to parameter t | semmle.label | access to parameter t |
|
||||
| TypeFlowDispatch.cs:52:43:52:43 | access to parameter t | semmle.label | access to parameter t |
|
||||
| TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | semmle.label | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | semmle.label | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
|
||||
| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
|
||||
| TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:63:27:63:27 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:64:13:64:13 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | semmle.label | access to local variable x : String |
|
||||
| TypeFlowDispatch.cs:64:15:64:15 | access to local variable x : String | semmle.label | access to local variable x : String |
|
||||
| TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | semmle.label | l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | semmle.label | f [Return] : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | semmle.label | access to parameter l : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String | semmle.label | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:74:13:74:19 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:74:23:74:54 | object creation of type List<String> : List<T> [element] : String | semmle.label | object creation of type List<String> : List<T> [element] : String |
|
||||
@@ -121,7 +191,23 @@ nodes
|
||||
| TypeFlowDispatch.cs:74:42:74:52 | call to method Source<String> : String | semmle.label | call to method Source<String> : String |
|
||||
| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | semmle.label | access to local variable tainted : List<T> [element] : String |
|
||||
| TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | semmle.label | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String | semmle.label | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
|
||||
subpaths
|
||||
| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:11:42:11:42 | x : String | TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:18:19:18:19 | access to parameter x : String | TypeFlowDispatch.cs:11:42:11:42 | x : String | TypeFlowDispatch.cs:11:37:11:37 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:18:16:18:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:16:46:16:46 | x : String | TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:16:46:16:46 | x : String | TypeFlowDispatch.cs:16:41:16:41 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:23:20:23:36 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:39:25:39:31 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:29:37:29:37 | l : List<T> [element] : String | TypeFlowDispatch.cs:29:50:29:50 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:39:34:39:50 | [post] (...) => ... : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:42:42:42:42 | x : String | TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:49:19:49:19 | access to parameter x : String | TypeFlowDispatch.cs:42:42:42:42 | x : String | TypeFlowDispatch.cs:42:37:42:37 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:49:16:49:16 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:47:46:47:46 | x : String | TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:57:38:57:48 | call to method Source<String> : String | TypeFlowDispatch.cs:47:46:47:46 | x : String | TypeFlowDispatch.cs:47:41:47:41 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:57:20:57:35 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:69:17:69:17 | access to parameter l : List<T> [element] : String | TypeFlowDispatch.cs:61:29:61:29 | l : List<T> [element] : String | TypeFlowDispatch.cs:61:42:61:42 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:69:20:69:20 | [post] access to parameter f : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
|
||||
| TypeFlowDispatch.cs:77:21:77:27 | access to local variable tainted : List<T> [element] : String | TypeFlowDispatch.cs:67:33:67:33 | l : List<T> [element] : String | TypeFlowDispatch.cs:67:46:67:46 | f [Return] : Action<T> [delegate argument at position 0] : String | TypeFlowDispatch.cs:77:30:77:45 | [post] delegate creation of type Action<String> : Action<T> [delegate argument at position 0] : String |
|
||||
testFailures
|
||||
#select
|
||||
| TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | TypeFlowDispatch.cs:23:32:23:32 | access to parameter x | $@ | TypeFlowDispatch.cs:23:39:23:49 | call to method Source<String> : String | call to method Source<String> : String |
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
| LockOrder.cs:6:15:6:15 | b | Inconsistent lock sequence with $@. Lock sequences $@, $@ and $@, $@ found. | LockOrder.cs:6:18:6:18 | c | c | LockOrder.cs:10:18:10:37 | lock (...) {...} | b | LockOrder.cs:10:27:10:37 | lock (...) {...} | c | LockOrder.cs:15:18:15:37 | lock (...) {...} | c | LockOrder.cs:15:27:15:37 | lock (...) {...} | b |
|
||||
| LockOrder.cs:27:22:27:22 | b | Inconsistent lock sequence with $@. Lock sequences $@, $@ and $@, $@ found. | LockOrder.cs:27:25:27:25 | c | c | LockOrder.cs:36:8:36:20 | lock (...) {...} | b | LockOrder.cs:42:9:42:20 | lock (...) {...} | c | LockOrder.cs:37:8:37:20 | lock (...) {...} | c | LockOrder.cs:47:9:47:20 | lock (...) {...} | b |
|
||||
| LockOrder.cs:54:19:54:19 | a | Inconsistent lock sequence with $@. Lock sequences $@, $@ and $@, $@ found. | LockOrder.cs:54:22:54:22 | b | b | LockOrder.cs:61:9:61:25 | lock (...) {...} | a | LockOrder.cs:59:33:59:43 | lock (...) {...} | b | LockOrder.cs:62:9:62:25 | lock (...) {...} | b | LockOrder.cs:58:33:58:43 | lock (...) {...} | a |
|
||||
| LockOrderBad.cs:6:29:6:33 | lock1 | Inconsistent lock sequence with $@. Lock sequences $@, $@ and $@, $@ found. | LockOrderBad.cs:7:29:7:33 | lock2 | lock2 | LockOrderBad.cs:11:9:19:9 | lock (...) {...} | lock1 | LockOrderBad.cs:16:13:18:13 | lock (...) {...} | lock2 | LockOrderBad.cs:24:9:32:9 | lock (...) {...} | lock2 | LockOrderBad.cs:29:13:31:13 | lock (...) {...} | lock1 |
|
||||
|
||||
@@ -6,6 +6,7 @@ private import semmle.code.java.dataflow.TypeFlow
|
||||
private import semmle.code.java.dataflow.FlowSteps
|
||||
private import DataFlowPrivate
|
||||
private import DataFlowUtil
|
||||
private import DataFlowDispatch
|
||||
private import FlowSummaryImpl as FlowSummaryImpl
|
||||
private import DataFlowImplCommon as DataFlowImplCommon
|
||||
private import semmle.code.java.controlflow.Guards
|
||||
@@ -68,7 +69,11 @@ private module Cached {
|
||||
TMapKeyContent() or
|
||||
TMapValueContent() or
|
||||
TCapturedVariableContent(CapturedVariable v) or
|
||||
TSyntheticFieldContent(SyntheticField s)
|
||||
TSyntheticFieldContent(SyntheticField s) or
|
||||
TLambdaReturnContent(Method m) or
|
||||
TLambdaArgumentContent(Method m, ArgumentPosition pos) {
|
||||
exists(m.getParameter(pos)) or pos = -1
|
||||
}
|
||||
|
||||
cached
|
||||
newtype TContentApprox =
|
||||
@@ -78,7 +83,11 @@ private module Cached {
|
||||
TMapKeyContentApprox() or
|
||||
TMapValueContentApprox() or
|
||||
TCapturedVariableContentApprox(CapturedVariable v) or
|
||||
TSyntheticFieldApproxContent()
|
||||
TSyntheticFieldApproxContent() or
|
||||
TLambdaReturnContentApprox(Method m) or
|
||||
TLambdaArgumentApprox(Method m, ArgumentPosition pos) {
|
||||
exists(m.getParameter(pos)) or pos = -1
|
||||
}
|
||||
}
|
||||
|
||||
import Cached
|
||||
|
||||
@@ -464,7 +464,8 @@ private newtype TDataFlowCall =
|
||||
TCall(Call c) or
|
||||
TSummaryCall(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver) {
|
||||
FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
|
||||
}
|
||||
} or
|
||||
TLambdaSynthCall(Node node) { lambdaCreationHelper(node, _, _) }
|
||||
|
||||
/** A call relevant for data flow. Includes both source calls and synthesized calls. */
|
||||
class DataFlowCall extends TDataFlowCall {
|
||||
@@ -526,6 +527,21 @@ class SummaryCall extends DataFlowCall, TSummaryCall {
|
||||
override Location getLocation() { result = c.getLocation() }
|
||||
}
|
||||
|
||||
/** A synthesized call inside a `SummarizedCallable`. */
|
||||
class LambdaSynthCall extends DataFlowCall, TLambdaSynthCall {
|
||||
private Node node;
|
||||
|
||||
LambdaSynthCall() { this = TLambdaSynthCall(node) }
|
||||
|
||||
override DataFlowCallable getEnclosingCallable() {
|
||||
result.asCallable() = node.getEnclosingCallable()
|
||||
}
|
||||
|
||||
override string toString() { result = "[synthetic] call to " + node }
|
||||
|
||||
override Location getLocation() { result = node.getLocation() }
|
||||
}
|
||||
|
||||
class NodeRegion instanceof BasicBlock {
|
||||
string toString() { result = "NodeRegion" }
|
||||
|
||||
@@ -585,8 +601,7 @@ predicate nodeIsHidden(Node n) { n instanceof FlowSummaryNode }
|
||||
|
||||
class LambdaCallKind = Method; // the "apply" method in the functional interface
|
||||
|
||||
/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
|
||||
predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
|
||||
predicate lambdaCreationHelper(Node creation, LambdaCallKind kind, DataFlowCallable c) {
|
||||
exists(ClassInstanceExpr func, Interface t, FunctionalInterface interface |
|
||||
creation.asExpr() = func and
|
||||
func.getAnonymousClass().getAMethod() = c.asCallable() and
|
||||
@@ -597,6 +612,14 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
|
||||
)
|
||||
}
|
||||
|
||||
/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
|
||||
predicate lambdaCreation(
|
||||
Node creation, LambdaCallKind kind, DataFlowCallable c, DataFlowCall synthCall
|
||||
) {
|
||||
synthCall = TLambdaSynthCall(creation) and
|
||||
lambdaCreationHelper(creation, kind, c)
|
||||
}
|
||||
|
||||
/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
|
||||
predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
|
||||
receiver.(FlowSummaryNode).getSummaryNode() = call.(SummaryCall).getReceiver() and
|
||||
@@ -734,6 +757,12 @@ class ContentApprox extends TContentApprox {
|
||||
or
|
||||
this = TSyntheticFieldApproxContent() and
|
||||
result = "approximated synthetic field"
|
||||
or
|
||||
this = TLambdaReturnContentApprox(_) and
|
||||
result = "<lambda-return>"
|
||||
or
|
||||
this = TLambdaArgumentApprox(_, _) and
|
||||
result = "<lambda-argument>"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -755,6 +784,12 @@ ContentApprox getContentApprox(Content c) {
|
||||
)
|
||||
or
|
||||
c instanceof SyntheticFieldContent and result = TSyntheticFieldApproxContent()
|
||||
or
|
||||
exists(Method m | c = TLambdaReturnContent(m) and result = TLambdaReturnContentApprox(m))
|
||||
or
|
||||
exists(Method m, ArgumentPosition pos |
|
||||
c = TLambdaArgumentContent(m, pos) and result = TLambdaArgumentApprox(m, pos)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -766,3 +801,15 @@ predicate containerContent(ContentSet c) {
|
||||
c instanceof MapKeyContent or
|
||||
c instanceof MapValueContent
|
||||
}
|
||||
|
||||
Content getLambdaReturnContent(LambdaCallKind kind, ReturnKind k) {
|
||||
result = TLambdaReturnContent(kind) and exists(k)
|
||||
}
|
||||
|
||||
Content getLambdaArgumentContent(LambdaCallKind kind, ArgumentPosition pos) {
|
||||
result = TLambdaArgumentContent(kind, pos)
|
||||
}
|
||||
|
||||
predicate isLambdaInstanceParameter(ParameterNode p) {
|
||||
exists(DataFlowCallable c | lambdaCreationHelper(_, _, c) and p.isParameterOf(c, -1))
|
||||
}
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
|
||||
private import java
|
||||
private import DataFlowPrivate
|
||||
private import DataFlowDispatch
|
||||
private import semmle.code.java.dataflow.SSA
|
||||
private import semmle.code.java.controlflow.Guards
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
@@ -359,6 +360,27 @@ class SyntheticFieldContent extends Content, TSyntheticFieldContent {
|
||||
override string toString() { result = s.toString() }
|
||||
}
|
||||
|
||||
class LambdaReturnContent extends Content, TLambdaReturnContent {
|
||||
Method m;
|
||||
|
||||
LambdaReturnContent() { this = TLambdaReturnContent(m) }
|
||||
|
||||
override DataFlowType getType() { result = getErasedRepr(m.getReturnType()) }
|
||||
|
||||
override string toString() { result = "<lambda-return>" }
|
||||
}
|
||||
|
||||
class LambdaArgumentContent extends Content, TLambdaArgumentContent {
|
||||
Method m;
|
||||
ArgumentPosition pos;
|
||||
|
||||
LambdaArgumentContent() { this = TLambdaArgumentContent(m, pos) }
|
||||
|
||||
override DataFlowType getType() { result = getErasedRepr(m.getParameter(pos).getType()) }
|
||||
|
||||
override string toString() { result = "<lambda-argument> " + pos.toString() }
|
||||
}
|
||||
|
||||
/**
|
||||
* An entity that represents a set of `Content`s.
|
||||
*
|
||||
|
||||
@@ -290,7 +290,9 @@ signature module InputSig<LocationSig Location> {
|
||||
class LambdaCallKind;
|
||||
|
||||
/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
|
||||
predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c);
|
||||
predicate lambdaCreation(
|
||||
Node creation, LambdaCallKind kind, DataFlowCallable c, DataFlowCall synthCall
|
||||
);
|
||||
|
||||
/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
|
||||
predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver);
|
||||
@@ -344,6 +346,14 @@ signature module InputSig<LocationSig Location> {
|
||||
|
||||
/** Holds if `fieldFlowBranchLimit` should be ignored for flow going into/out of `c`. */
|
||||
default predicate ignoreFieldFlowBranchLimit(DataFlowCallable c) { none() }
|
||||
|
||||
Content getLambdaReturnContent(LambdaCallKind kind, ReturnKind retKind);
|
||||
|
||||
Content getLambdaArgumentContent(LambdaCallKind kind, ArgumentPosition pos);
|
||||
|
||||
predicate isLambdaInstanceParameter(ParameterNode p);
|
||||
|
||||
predicate isVariableCaptureContentSet(ContentSet c);
|
||||
}
|
||||
|
||||
module Configs<LocationSig Location, InputSig<Location> Lang> {
|
||||
|
||||
@@ -1051,8 +1051,8 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
|
||||
* since normal use-use flow for `fn` does not take the overwrite at (2) into account.
|
||||
*/
|
||||
|
||||
storeStepClosure(_, v, node, true)
|
||||
or
|
||||
// storeStepClosure(_, v, node, true)
|
||||
// or
|
||||
exists(BasicBlock bb, int i |
|
||||
captureWrite(v, bb, i, false, _) and
|
||||
node = TSynthThisQualifier(bb, i, false)
|
||||
|
||||
@@ -216,7 +216,7 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
|
||||
|
||||
private predicate readStep(Node node1, State state1, ContentSet c, Node node2, ReadState state2) {
|
||||
exists(int size |
|
||||
readSet(node1, c, node2) and
|
||||
readSet(any(NodeEx n1 | n1.asNode() = node1), c, any(NodeEx n2 | n2.asNode() = node2)) and // todo
|
||||
ContentConfig::isRelevantContent(c) and
|
||||
state2.decode(size + 1, true)
|
||||
|
|
||||
|
||||
@@ -423,7 +423,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate readSetEx(NodeEx node1, ContentSet c, NodeEx node2) {
|
||||
readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
|
||||
readSet(node1, c, node2) and
|
||||
stepFilter(node1, node2)
|
||||
or
|
||||
exists(Node n |
|
||||
@@ -450,20 +450,19 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
|
||||
bindingset[c]
|
||||
private predicate expectsContentEx(NodeEx n, Content c) {
|
||||
exists(ContentSet cs |
|
||||
expectsContentCached(n.asNode(), cs) and
|
||||
expectsContentCached(n, cs) and
|
||||
pragma[only_bind_out](c) = pragma[only_bind_into](cs).getAReadContent()
|
||||
)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n.asNode(), _) }
|
||||
private predicate notExpectsContent(NodeEx n) { not expectsContentCached(n, _) }
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate storeExUnrestricted(
|
||||
NodeEx node1, Content c, NodeEx node2, DataFlowType contentType, DataFlowType containerType
|
||||
) {
|
||||
store(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode()),
|
||||
contentType, containerType) and
|
||||
store(node1, c, node2, contentType, containerType) and
|
||||
stepFilter(node1, node2)
|
||||
}
|
||||
|
||||
@@ -478,16 +477,6 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
|
||||
hasReadStep(c)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate viableReturnPosOutEx(DataFlowCall call, ReturnPosition pos, NodeEx out) {
|
||||
viableReturnPosOut(call, pos, out.asNode())
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx arg) {
|
||||
viableParamArg(call, p.asNode(), arg.asNode())
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if field flow should be used for the given configuration.
|
||||
*/
|
||||
@@ -2629,7 +2618,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
|
||||
(
|
||||
castNode(this.asNode()) or
|
||||
clearsContentCached(this.asNode(), _) or
|
||||
expectsContentCached(this.asNode(), _) or
|
||||
expectsContentCached(this, _) or
|
||||
neverSkipInPathGraph(this.asNode()) or
|
||||
Config::neverSkip(this.asNode())
|
||||
)
|
||||
@@ -2665,7 +2654,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
|
||||
or
|
||||
node instanceof ParamNodeEx
|
||||
or
|
||||
node.asNode() instanceof OutNodeExt
|
||||
node instanceof OutNodeEx
|
||||
or
|
||||
storeStepCand(_, _, _, node, _, _)
|
||||
or
|
||||
@@ -2899,15 +2888,9 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
|
||||
|
||||
predicate isHidden() {
|
||||
not Config::includeHiddenNodes() and
|
||||
(
|
||||
hiddenNode(this.getNodeEx().asNode()) and
|
||||
not this.isSource() and
|
||||
not this instanceof PathNodeSink
|
||||
or
|
||||
this.getNodeEx() instanceof TNodeImplicitRead
|
||||
or
|
||||
hiddenNode(this.getNodeEx().asParamReturnNode())
|
||||
)
|
||||
hiddenNode(this.getNodeEx()) and
|
||||
not this.isSource() and
|
||||
not this instanceof PathNodeSink
|
||||
}
|
||||
|
||||
/** Gets a textual representation of this element. */
|
||||
@@ -5444,7 +5427,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
|
||||
exists(ReturnKindExt kind, DataFlowCall call |
|
||||
partialPathOutOfCallable1(mid, call, kind, state, cc, t, ap)
|
||||
|
|
||||
out.asNode() = kind.getAnOutNode(call)
|
||||
out = kind.getAnOutNodeEx(call)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -5529,7 +5512,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
|
||||
) {
|
||||
exists(DataFlowCall call, ReturnKindExt kind |
|
||||
partialPathThroughCallable0(call, mid, kind, state, cc, t, ap) and
|
||||
out.asNode() = kind.getAnOutNode(call)
|
||||
out = kind.getAnOutNodeEx(call)
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
private import codeql.dataflow.DataFlow
|
||||
private import codeql.typetracking.TypeTracking as Tt
|
||||
private import codeql.util.Location
|
||||
private import codeql.util.Option
|
||||
private import codeql.util.Boolean
|
||||
private import codeql.util.Unit
|
||||
private import codeql.util.Option
|
||||
|
||||
@@ -118,10 +118,12 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
}
|
||||
|
||||
// TODO: support setters
|
||||
// TODO extend
|
||||
predicate storeStep(Node n1, Node n2, Content f) { storeSet(n1, f, n2, _, _) }
|
||||
|
||||
private predicate loadStep0(Node n1, Node n2, Content f) {
|
||||
readSet(n1, f, n2)
|
||||
// TODO extend
|
||||
readStep(n1, f, n2)
|
||||
or
|
||||
argumentValueFlowsThrough(n1, TReadStepTypesSome(_, f, _), n2, _)
|
||||
}
|
||||
@@ -139,7 +141,9 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
predicate callStep(Node n1, LocalSourceNode n2) { viableParamArg(_, n2, n1) }
|
||||
|
||||
predicate returnStep(Node n1, LocalSourceNode n2) {
|
||||
viableReturnPosOut(_, [getValueReturnPosition(n1), getParamReturnPosition(n1, _)], n2)
|
||||
// TODO: extend to NodeEx
|
||||
viableReturnPosOut(_,
|
||||
[getValueReturnPosition(n1), getParamReturnPosition(any(NodeEx n | n.asNode() = n1), _)], n2)
|
||||
}
|
||||
|
||||
predicate hasFeatureBacktrackStoreTarget() { none() }
|
||||
@@ -183,6 +187,24 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `arg` is an argument of `call` with an argument position that matches
|
||||
* parameter position `ppos`.
|
||||
*/
|
||||
pragma[noinline]
|
||||
private predicate argumentPositionMatchEx(DataFlowCall call, ArgNodeEx arg, ParameterPosition ppos) {
|
||||
exists(ArgumentPosition apos |
|
||||
arg.argumentOf(call, apos) and
|
||||
parameterMatch(ppos, apos)
|
||||
)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate hasSimpleReturnKindIn(ReturnNode ret, ReturnKind kind, DataFlowCallable c) {
|
||||
c = getNodeEnclosingCallable(ret) and
|
||||
kind = ret.getKind()
|
||||
}
|
||||
|
||||
/**
|
||||
* Provides a simple data-flow analysis for resolving lambda calls. The analysis
|
||||
* currently excludes read-steps, store-steps, and flow-through.
|
||||
@@ -192,9 +214,24 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
* calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
|
||||
*/
|
||||
private module LambdaFlow {
|
||||
private predicate lambdaLocalFlow(Node lambda, Node node) {
|
||||
lambdaCreation(lambda, _, _, _) and
|
||||
node = lambda
|
||||
or
|
||||
exists(Node mid |
|
||||
lambdaLocalFlow(lambda, mid) and
|
||||
simpleLocalFlowStep(mid, node, _) and
|
||||
validParameterAliasStep(mid, node)
|
||||
)
|
||||
}
|
||||
|
||||
predicate lambdaFlowsToPostUpdate(Node lambda, PostUpdateNode post) {
|
||||
lambdaLocalFlow(lambda, post.getPreUpdateNode())
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
|
||||
p.isParameterOf(viableCallable(call), ppos)
|
||||
p.isParameterOf(viableCallableCached(call), ppos)
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
@@ -224,12 +261,6 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate hasSimpleReturnKindIn(ReturnNode ret, ReturnKind kind, DataFlowCallable c) {
|
||||
c = getNodeEnclosingCallable(ret) and
|
||||
kind = ret.getKind()
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private TReturnPositionSimple getReturnPositionSimple(ReturnNode ret) {
|
||||
exists(ReturnKind kind, DataFlowCallable c |
|
||||
@@ -240,7 +271,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
|
||||
pragma[nomagic]
|
||||
private TReturnPositionSimple viableReturnPosNonLambda(DataFlowCall call, ReturnKind kind) {
|
||||
result = TReturnPositionSimple0(viableCallable(call), kind)
|
||||
result = TReturnPositionSimple0(viableCallableCached(call), kind)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
@@ -857,6 +888,21 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
exists(Node n | this.isImplicitReadNode(n) | result = n.toString() + " [Ext]")
|
||||
or
|
||||
result = this.asParamReturnNode().toString() + " [Return]"
|
||||
or
|
||||
result = this.asLambdaMallocNode().toString() + " [LambdaMalloc]"
|
||||
or
|
||||
result = this.asLambdaArgsNode().toString() + " [LambdaArgs]"
|
||||
or
|
||||
result = this.asLambdaCaptureNode().toString() + " [LambdaCapture]"
|
||||
or
|
||||
result = this.asLambdaInstancePostUpdateNode().toString() + " [LambdaPostUpdate]"
|
||||
or
|
||||
exists(DataFlowCall synthCall, ArgumentPosition apos, boolean isPost |
|
||||
this.isLambdaArgNode(synthCall, apos, isPost)
|
||||
|
|
||||
result =
|
||||
synthCall.toString() + "-" + apos.toString() + "-" + isPost.toString() + " [LambdaArg]"
|
||||
)
|
||||
}
|
||||
|
||||
Node asNode() { this = TNodeNormal(result) }
|
||||
@@ -868,10 +914,39 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
|
||||
ParameterNode asParamReturnNode() { this = TParamReturnNode(result, _) }
|
||||
|
||||
ParameterNode asLambdaInstancePostUpdateNode() { this = TNodeLambdaInstancePostUpdate(result) }
|
||||
|
||||
Node asLambdaMallocNode() { this = TNodeLambdaMalloc(result) }
|
||||
|
||||
Node asLambdaArgsNode() { this = TNodeLambdaArgs(result) }
|
||||
|
||||
Node asLambdaCaptureNode() { this = TNodeLambdaCapture(result) }
|
||||
|
||||
predicate isLambdaArgNode(DataFlowCall synthCall, ArgumentPosition apos, boolean isPost) {
|
||||
this = TNodeLambdaArg(synthCall, apos, isPost)
|
||||
}
|
||||
|
||||
Node projectToNode() {
|
||||
this = TNodeNormal(result) or
|
||||
this = TNodeImplicitRead(result) or
|
||||
this = TNodeNormal(result)
|
||||
or
|
||||
this = TNodeImplicitRead(result)
|
||||
or
|
||||
this = TParamReturnNode(result, _)
|
||||
or
|
||||
this = TNodeLambdaInstancePostUpdate(result)
|
||||
or
|
||||
this = TNodeLambdaMalloc(result)
|
||||
or
|
||||
this = TNodeLambdaArgs(result)
|
||||
or
|
||||
this = TNodeLambdaCapture(result)
|
||||
or
|
||||
this = TNodeLambdaCapture(result)
|
||||
or
|
||||
exists(DataFlowCall synthCall |
|
||||
this = TNodeLambdaArg(synthCall, _, _) and
|
||||
lambdaCreation(result, _, _, synthCall)
|
||||
)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
@@ -889,6 +964,25 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
nodeDataFlowType(this.asNode(), result)
|
||||
or
|
||||
nodeDataFlowType(this.asParamReturnNode(), result)
|
||||
or
|
||||
nodeDataFlowType(this.asLambdaInstancePostUpdateNode(), result)
|
||||
or
|
||||
nodeDataFlowType(this.asLambdaMallocNode(), result)
|
||||
or
|
||||
nodeDataFlowType(this.asLambdaArgsNode(), result)
|
||||
or
|
||||
nodeDataFlowType(this.asLambdaCaptureNode(), result)
|
||||
or
|
||||
exists(
|
||||
DataFlowCall synthCall, ArgumentPosition apos, DataFlowCallable c, ParameterNode p,
|
||||
ParameterPosition ppos
|
||||
|
|
||||
this.isLambdaArgNode(synthCall, apos, _) and
|
||||
lambdaCreation(_, _, c, synthCall) and
|
||||
isParameterNode(p, c, ppos) and
|
||||
parameterMatch(ppos, apos) and
|
||||
nodeDataFlowType(p, result)
|
||||
)
|
||||
}
|
||||
|
||||
pragma[inline]
|
||||
@@ -900,9 +994,29 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
}
|
||||
|
||||
final class ArgNodeEx extends NodeEx {
|
||||
ArgNodeEx() { this.asNode() instanceof ArgNode }
|
||||
private DataFlowCall call_;
|
||||
private ArgumentPosition pos_;
|
||||
|
||||
DataFlowCall getCall() { this.asNode().(ArgNode).argumentOf(result, _) }
|
||||
ArgNodeEx() {
|
||||
this.asNode().(ArgNode).argumentOf(call_, pos_)
|
||||
or
|
||||
this.isLambdaArgNode(call_, pos_, false)
|
||||
or
|
||||
exists(Node lambda, DataFlowCallable c, ParameterNode p, ParameterPosition ppos |
|
||||
lambda = this.asLambdaMallocNode() and
|
||||
lambdaCreation(lambda, _, c, call_) and
|
||||
isParameterNode(p, c, ppos) and
|
||||
isLambdaInstanceParameter(p) and
|
||||
parameterMatch(ppos, pos_)
|
||||
)
|
||||
}
|
||||
|
||||
final DataFlowCall getCall() { this.argumentOf(result, _) }
|
||||
|
||||
final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
|
||||
call = call_ and
|
||||
pos = pos_
|
||||
}
|
||||
}
|
||||
|
||||
final class ParamNodeEx extends NodeEx {
|
||||
@@ -929,6 +1043,35 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
ReturnKindExt getKind() { result = pos.getKind() }
|
||||
}
|
||||
|
||||
final class OutNodeEx extends NodeEx {
|
||||
OutNodeEx() {
|
||||
this.asNode() instanceof OutNodeExt
|
||||
or
|
||||
this.(PostUpdateNodeEx).getPreUpdateNode() instanceof ArgNodeEx
|
||||
}
|
||||
}
|
||||
|
||||
class PostUpdateNodeEx extends NodeEx {
|
||||
private NodeEx pre;
|
||||
|
||||
PostUpdateNodeEx() {
|
||||
pre.asNode() = this.asNode().(PostUpdateNode).getPreUpdateNode()
|
||||
or
|
||||
pre.asNode() = this.asLambdaInstancePostUpdateNode()
|
||||
or
|
||||
// Every argument in the synthetic call has a post update node
|
||||
// corresponding to the argument node.
|
||||
exists(DataFlowCall synthCall, ArgumentPosition apos |
|
||||
this.isLambdaArgNode(synthCall, apos, true) and
|
||||
pre.isLambdaArgNode(synthCall, apos, false)
|
||||
)
|
||||
or
|
||||
pre.asLambdaMallocNode() = this.asNode()
|
||||
}
|
||||
|
||||
NodeEx getPreUpdateNode() { result = pre }
|
||||
}
|
||||
|
||||
cached
|
||||
private module Cached {
|
||||
/**
|
||||
@@ -979,7 +1122,12 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
predicate clearsContentCached(Node n, ContentSet c) { clearsContent(n, c) }
|
||||
|
||||
cached
|
||||
predicate expectsContentCached(Node n, ContentSet c) { expectsContent(n, c) }
|
||||
predicate expectsContentCached(NodeEx n, ContentSet c) {
|
||||
expectsContent(n.asNode(), c)
|
||||
or
|
||||
exists(n.asLambdaCaptureNode()) and
|
||||
isVariableCaptureContentSet(c)
|
||||
}
|
||||
|
||||
cached
|
||||
predicate isUnreachableInCallCached(NodeRegion nr, DataFlowCall call) {
|
||||
@@ -994,7 +1142,16 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
}
|
||||
|
||||
cached
|
||||
predicate hiddenNode(Node n) { nodeIsHidden(n) }
|
||||
predicate hiddenNode(NodeEx n) {
|
||||
nodeIsHidden(n.asNode()) or
|
||||
n.isImplicitReadNode(_) or
|
||||
exists(n.asLambdaInstancePostUpdateNode()) or
|
||||
exists(n.asLambdaMallocNode()) or
|
||||
exists(n.asLambdaArgsNode()) or
|
||||
exists(n.asLambdaCaptureNode()) or
|
||||
n.isLambdaArgNode(_, _, _) or
|
||||
hiddenNode(any(NodeEx p | n.asParamReturnNode() = p.asNode()))
|
||||
}
|
||||
|
||||
cached
|
||||
OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
|
||||
@@ -1006,18 +1163,49 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate paramReturnNode(
|
||||
PostUpdateNode n, ParamNode p, SndLevelScopeOption scope, ReturnKindExt k
|
||||
) {
|
||||
exists(ParameterPosition pos |
|
||||
parameterValueFlowsToPreUpdate(p, n) and
|
||||
p.isParameterOf(_, pos) and
|
||||
k = TParamUpdate(pos) and
|
||||
scope = getSecondLevelScopeCached(n)
|
||||
cached
|
||||
OutNodeEx getAnOutNodeEx(DataFlowCall call, ReturnKindExt k) {
|
||||
result.asNode() = getAnOutNodeExt(call, k)
|
||||
or
|
||||
exists(ArgNodeEx arg |
|
||||
result.(PostUpdateNodeEx).getPreUpdateNode() = arg and
|
||||
arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
|
||||
)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate paramReturnNode(
|
||||
PostUpdateNodeEx n, ParamNode p, SndLevelScopeOption scope, ReturnKindExt k
|
||||
) {
|
||||
exists(ParameterPosition pos |
|
||||
parameterValueFlowsToPreUpdate(p, n.asNode()) and
|
||||
p.isParameterOf(_, pos) and
|
||||
k = TParamUpdate(pos) and
|
||||
scope = getSecondLevelScopeCached(n.asNode())
|
||||
)
|
||||
or
|
||||
exists(ParameterPosition pos |
|
||||
n.asLambdaInstancePostUpdateNode() = p and
|
||||
p.isParameterOf(_, pos) and
|
||||
scope = getSecondLevelScopeCached(p) and
|
||||
k = TParamUpdate(pos)
|
||||
)
|
||||
}
|
||||
|
||||
/*
|
||||
* lambda = (x) = x.addTaint();
|
||||
* synthcall(lambda, lambda.arg0); // arg0[post] --store(Argument0)--> lambda (post-update) [Argument0]
|
||||
*
|
||||
*
|
||||
* foo(lambda)
|
||||
*
|
||||
* foo(l1) {
|
||||
* l1(x); // x --store(Argument0)--> l1 (post-update) [Argument0]
|
||||
* // l1 [Argument0] --read(Argument0)--> x (post-update)
|
||||
* // l1 [ReturnValue] --read(ReturnValue)--> l1(x)
|
||||
* }
|
||||
*/
|
||||
|
||||
cached
|
||||
predicate castNode(Node n) { n instanceof CastNode }
|
||||
|
||||
@@ -1029,7 +1217,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
// For reads, `x.f`, we want to check that the tracked type after the read (which
|
||||
// is obtained by popping the head of the access path stack) is compatible with
|
||||
// the type of `x.f`.
|
||||
readSet(_, _, n)
|
||||
readStep(_, _, n)
|
||||
}
|
||||
|
||||
cached
|
||||
@@ -1043,7 +1231,88 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
}
|
||||
|
||||
cached
|
||||
DataFlowCallable viableCallableCached(DataFlowCall call) { result = viableCallable(call) }
|
||||
DataFlowCallable viableCallableCached(DataFlowCall call) {
|
||||
result = viableCallable(call)
|
||||
or
|
||||
lambdaCreation(_, _, result, call)
|
||||
}
|
||||
|
||||
/*
|
||||
* foo(x => sink(x), notaint)
|
||||
* foo(x => safe(x), taint)
|
||||
*
|
||||
* foo(lambda, x) {
|
||||
* lambda(x);
|
||||
* }
|
||||
*
|
||||
* x.Field = taint;
|
||||
* taint --store(Field) --> x [Field]
|
||||
*
|
||||
* y = x; // x [Field] --> y [Field]
|
||||
*
|
||||
* sink(y.Field) // y [Field] --read(Field)--> y.Field
|
||||
*
|
||||
*
|
||||
*
|
||||
*
|
||||
* lambda = () => "taint";
|
||||
*
|
||||
* "taint" --store(ReturnValue)--> this (post-update) [ReturnValue]
|
||||
*
|
||||
* lambda.synth_call();
|
||||
*
|
||||
* this (post-update) [ReturnValue] --> lambda (post-update) [ReturnValue]
|
||||
*
|
||||
* sink(lambda_1());
|
||||
*
|
||||
* "taint" --store(ReturnValue)--> () => "taint" [ReturnValue]
|
||||
* () => "taint" [ReturnValue] --> lambda [ReturnValue]
|
||||
* lambda [ReturnValue] --> lambda_1 [ReturnValue]
|
||||
* lambda_1 [ReturnValue] --read(ReturnValue)--> lambda_1()
|
||||
*
|
||||
*
|
||||
* setField(p, value) {
|
||||
* sink(p.Field);
|
||||
* p.Field = value; // value --store(Field)--> p (post-update) [Field]
|
||||
* }
|
||||
*
|
||||
* // p (post-update) [Field] --> x (post-update) [Field]
|
||||
*
|
||||
* setField(x, "taint");
|
||||
* sink(x.Field);
|
||||
*
|
||||
*
|
||||
* lambda = (x) => sink(x);
|
||||
* lambda.synth_call_lambda(lambda_arg0, lambda_arg1)
|
||||
*
|
||||
*
|
||||
*
|
||||
* foo(lambda);
|
||||
*
|
||||
* foo(l1) {
|
||||
* bar(l1)
|
||||
* }
|
||||
*
|
||||
* bar(l2) {
|
||||
* l2("taint"); // taint --store(Argument0)--> l2 (post-update) [Argument0]
|
||||
* }
|
||||
*
|
||||
* l2 (post-update) [Argument0] --> l1 (post-update) [Argument0]
|
||||
*
|
||||
* l1 (post-update) [Argument0] --> lambda (post-update) [Argument0]
|
||||
*
|
||||
*
|
||||
* id = (x) => x;
|
||||
* id.synth_call(arg0)
|
||||
* foo(id);
|
||||
*
|
||||
* foo(l) {
|
||||
* x = l("taint");
|
||||
* y = l("safe");
|
||||
* sink(x);
|
||||
* sink(y);
|
||||
* }
|
||||
*/
|
||||
|
||||
/**
|
||||
* Gets a viable target for the lambda call `call`.
|
||||
@@ -1053,9 +1322,10 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
*/
|
||||
cached
|
||||
DataFlowCallable viableCallableLambda(DataFlowCall call, DataFlowCallOption lastCall) {
|
||||
none() and
|
||||
exists(Node creation, LambdaCallKind kind |
|
||||
LambdaFlow::revLambdaFlow(call, kind, creation, _, _, _, lastCall) and
|
||||
lambdaCreation(creation, kind, result)
|
||||
lambdaCreation(creation, kind, result, _)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -1080,7 +1350,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
cached
|
||||
DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
|
||||
result = viableImplInCallContext(call, ctx) and
|
||||
result = viableCallable(call)
|
||||
result = viableCallableCached(call)
|
||||
or
|
||||
result = viableCallableLambda(call, TDataFlowCallSome(ctx))
|
||||
or
|
||||
@@ -1224,6 +1494,35 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
)
|
||||
}
|
||||
|
||||
cached
|
||||
predicate viableReturnPosOutEx(DataFlowCall call, ReturnPosition pos, NodeEx out) {
|
||||
viableReturnPosOut(call, pos, out.asNode())
|
||||
or
|
||||
exists(ReturnKindExt kind |
|
||||
pos = viableReturnPos(call, kind) and
|
||||
out = kind.getAnOutNodeEx(call)
|
||||
)
|
||||
}
|
||||
|
||||
bindingset[call, p, arg]
|
||||
private predicate golangSpecificParamArgFilterEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx arg) {
|
||||
golangSpecificParamArgFilter(call, p.asNode(), arg.asNode())
|
||||
or
|
||||
not p.asNode() instanceof ParamNode
|
||||
or
|
||||
not arg.asNode() instanceof ArgNode
|
||||
}
|
||||
|
||||
cached
|
||||
predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx arg) {
|
||||
exists(ParameterPosition ppos |
|
||||
viableParam(call, ppos, p.asNode()) and
|
||||
argumentPositionMatchEx(call, arg, ppos) and
|
||||
compatibleTypesFilter(arg.getDataFlowType(), p.getDataFlowType()) and
|
||||
golangSpecificParamArgFilterEx(call, p, arg)
|
||||
)
|
||||
}
|
||||
|
||||
/** Provides predicates for calculating flow-through summaries. */
|
||||
private module FlowThrough {
|
||||
/**
|
||||
@@ -1255,7 +1554,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
// read
|
||||
exists(Node mid |
|
||||
parameterValueFlowCand(p, mid, false) and
|
||||
readSet(mid, _, node) and
|
||||
readStep(mid, _, node) and
|
||||
read = true
|
||||
)
|
||||
or
|
||||
@@ -1271,7 +1570,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
argumentValueFlowsThroughCand(arg, node, false)
|
||||
)
|
||||
) and
|
||||
not expectsContentCached(node, _)
|
||||
not expectsContent(node, _)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
@@ -1502,7 +1801,37 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
}
|
||||
|
||||
cached
|
||||
predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
|
||||
predicate readSet(NodeEx node1, ContentSet c, NodeEx node2) {
|
||||
readStep(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode()))
|
||||
or
|
||||
exists(DataFlowCall call, LambdaCallKind k, Node receiver, ReturnKind kind |
|
||||
lambdaCall(call, k, receiver) and
|
||||
node1.asNode() = receiver
|
||||
|
|
||||
c.getAReadContent() = getLambdaReturnContent(k, kind) and
|
||||
getAnOutNode(call, kind) = node2.asNode()
|
||||
or
|
||||
exists(ArgumentPosition apos |
|
||||
c.getAReadContent() = getLambdaArgumentContent(k, apos) and
|
||||
node2.asNode().(PostUpdateNode).getPreUpdateNode().(ArgNode).argumentOf(call, apos) and
|
||||
// we should never read from the lambda itself
|
||||
not any(ArgNodeEx arg | exists(arg.asLambdaMallocNode())).argumentOf(_, apos)
|
||||
)
|
||||
)
|
||||
or
|
||||
//read step from malloc to args
|
||||
//lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c, DataFlowCall synthCall)
|
||||
exists(Node lambda, DataFlowCall synthCall, LambdaCallKind k, ArgumentPosition apos |
|
||||
lambdaCreation(lambda, k, _, synthCall) and
|
||||
lambda = node1.asLambdaArgsNode() and
|
||||
c.getAReadContent() = getLambdaArgumentContent(k, apos)
|
||||
|
|
||||
node2.isLambdaArgNode(synthCall, apos, false)
|
||||
or
|
||||
node2.asLambdaMallocNode() = lambda and
|
||||
node2.(ArgNodeEx).argumentOf(_, apos)
|
||||
)
|
||||
}
|
||||
|
||||
cached
|
||||
predicate storeSet(
|
||||
@@ -1518,7 +1847,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
|
|
||||
argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1, _) // TODO
|
||||
or
|
||||
readSet(n2, c, n1) and
|
||||
readStep(n2, c, n1) and
|
||||
contentType = getNodeDataFlowType(n1) and
|
||||
containerType = getNodeDataFlowType(n2)
|
||||
)
|
||||
@@ -1533,10 +1862,42 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
*/
|
||||
cached
|
||||
predicate store(
|
||||
Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
|
||||
NodeEx node1, Content c, NodeEx node2, DataFlowType contentType, DataFlowType containerType
|
||||
) {
|
||||
exists(ContentSet cs |
|
||||
c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
|
||||
c = cs.getAStoreContent() and
|
||||
storeSet(pragma[only_bind_into](node1.asNode()), cs, pragma[only_bind_into](node2.asNode()),
|
||||
contentType, containerType)
|
||||
)
|
||||
or
|
||||
contentType = node1.getDataFlowType() and
|
||||
containerType = node2.getDataFlowType() and
|
||||
(
|
||||
// Arguments in a call to a lambda write to the receiving node at the
|
||||
// `Content` corresponding to the argument position.
|
||||
exists(DataFlowCall call, LambdaCallKind k, Node receiver, ArgumentPosition pos |
|
||||
lambdaCall(call, k, receiver) and
|
||||
node1.asNode().(ArgNode).argumentOf(call, pos) and
|
||||
c = getLambdaArgumentContent(k, pos) and
|
||||
node2.asNode().(PostUpdateNode).getPreUpdateNode() = receiver
|
||||
)
|
||||
or
|
||||
// Simple returns in a lambda write to the post node for the
|
||||
// lambda instance argument.
|
||||
exists(DataFlowCallable lambda, LambdaCallKind k, ReturnKind kind |
|
||||
lambdaCreation(_, k, lambda, _) and
|
||||
hasSimpleReturnKindIn(node1.asNode(), kind, lambda) and
|
||||
nodeGetEnclosingCallable(node2.asLambdaInstancePostUpdateNode()) = lambda and
|
||||
c = getLambdaReturnContent(k, kind)
|
||||
)
|
||||
or
|
||||
// Argument nodes to a synthetic call node for a lamda write to the
|
||||
// lambda at the `Content` corresponding to the argument position.
|
||||
exists(DataFlowCall synthCall, LambdaCallKind k, ArgumentPosition pos |
|
||||
lambdaCreation(node2.asNode(), k, _, synthCall) and
|
||||
node1.isLambdaArgNode(synthCall, pos, true) and
|
||||
c = getLambdaArgumentContent(k, pos)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -1572,7 +1933,9 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
}
|
||||
|
||||
cached
|
||||
predicate allowParameterReturnInSelfCached(ParamNode p) { allowParameterReturnInSelf(p) }
|
||||
predicate allowParameterReturnInSelfCached(ParamNode p) {
|
||||
allowParameterReturnInSelf(p) or isLambdaInstanceParameter(p)
|
||||
}
|
||||
|
||||
cached
|
||||
predicate paramMustFlow(ParamNode p, ArgNode arg) { localMustFlowStep+(p, arg) }
|
||||
@@ -1625,9 +1988,10 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate hasParamReturnKindIn(
|
||||
PostUpdateNode n, ParamNode p, ReturnKindExt kind, DataFlowCallable c
|
||||
PostUpdateNodeEx n, ParamNode p, ReturnKindExt kind, DataFlowCallable c
|
||||
) {
|
||||
c = getNodeEnclosingCallable(n) and
|
||||
// c = getNodeEnclosingCallable(n) and
|
||||
c = n.getEnclosingCallable() and
|
||||
paramReturnNode(n, p, _, kind)
|
||||
}
|
||||
|
||||
@@ -1648,7 +2012,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
}
|
||||
|
||||
cached
|
||||
ReturnPosition getParamReturnPosition(PostUpdateNode n, ParamNode p) {
|
||||
ReturnPosition getParamReturnPosition(PostUpdateNodeEx n, ParamNode p) {
|
||||
exists(ReturnKindExt kind, DataFlowCallable c |
|
||||
hasParamReturnKindIn(n, p, kind, c) and
|
||||
result = TReturnPosition0(c, kind)
|
||||
@@ -1707,7 +2071,40 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
TNodeImplicitRead(Node n) or // will be restricted to nodes with actual implicit reads in `DataFlowImpl.qll`
|
||||
TParamReturnNode(ParameterNode p, SndLevelScopeOption scope) {
|
||||
paramReturnNode(_, p, scope, _)
|
||||
}
|
||||
} or
|
||||
TNodeLambdaInstancePostUpdate(ParameterNode pre) { isLambdaInstanceParameter(pre) } or
|
||||
TNodeLambdaMalloc(Node lambda) { lambdaCreation(lambda, _, _, _) } or
|
||||
TNodeLambdaArgs(Node lambda) { lambdaCreation(lambda, _, _, _) } or
|
||||
TNodeLambdaArg(DataFlowCall synthCall, ArgumentPosition apos, Boolean ispost) {
|
||||
exists(DataFlowCallable c, ParameterNode p, ParameterPosition ppos |
|
||||
lambdaCreation(_, _, c, synthCall) and
|
||||
isParameterNode(p, c, ppos) and
|
||||
parameterMatch(ppos, apos) and
|
||||
// not isLambdaInstanceParameter(p) and
|
||||
exists(ispost)
|
||||
)
|
||||
} or
|
||||
TNodeLambdaCapture(Node receiver) { lambdaCall(_, _, receiver) }
|
||||
|
||||
/*
|
||||
* foo(() => "taint"); // taint --store(ReturnValue)--> this (post-update) [ReturnValue]
|
||||
* // this (post-update) [ReturnValue] --> lambda (post-update) [ReturnValue]
|
||||
* //
|
||||
*/
|
||||
|
||||
/*
|
||||
* lambda = (x) = x.addTaint();
|
||||
* synthcall(lambda, lambda.arg0); // arg0[post] --store(Argument0)--> lambda (post-update) [Argument0]
|
||||
*
|
||||
*
|
||||
* foo(lambda)
|
||||
*
|
||||
* foo(l1) {
|
||||
* l1(x); // x --store(Argument0)--> l1 (post-update) [Argument0]
|
||||
* // l1 [Argument0] --read(Argument0)--> x (post-update)
|
||||
* // l1 [ReturnValue] --read(ReturnValue)--> l1(x)
|
||||
* }
|
||||
*/
|
||||
|
||||
/**
|
||||
* Holds if data can flow in one local step from `node1` to `node2`.
|
||||
@@ -1720,13 +2117,25 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2), model)
|
||||
)
|
||||
or
|
||||
exists(Node n1, Node n2, SndLevelScopeOption scope |
|
||||
node1.asNode() = n1 and
|
||||
exists(Node n2, SndLevelScopeOption scope |
|
||||
node2 = TParamReturnNode(n2, scope) and
|
||||
paramReturnNode(pragma[only_bind_into](n1), pragma[only_bind_into](n2),
|
||||
pragma[only_bind_into](scope), _) and
|
||||
paramReturnNode(node1, pragma[only_bind_into](n2), pragma[only_bind_into](scope), _) and
|
||||
model = ""
|
||||
)
|
||||
or
|
||||
LambdaFlow::lambdaFlowsToPostUpdate(node2.asLambdaArgsNode(), node1.asNode()) and
|
||||
model = ""
|
||||
or
|
||||
// When data is stored in a captured variable content and reaches a lambda call,
|
||||
// we need it to propagate back out to the lambda. We do this by adding flow
|
||||
// from the lambda receiver to the post-update of the lambda receiver, but _only_
|
||||
// for captured variable content. The latter restriction is enforced by going via
|
||||
// an intermediate `expectsContent` node.
|
||||
node1.asNode() = node2.asLambdaCaptureNode() and
|
||||
model = ""
|
||||
or
|
||||
node2.asNode().(PostUpdateNode).getPreUpdateNode() = node1.asLambdaCaptureNode() and
|
||||
model = ""
|
||||
}
|
||||
|
||||
cached
|
||||
@@ -2160,7 +2569,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
private predicate readStepWithTypes(
|
||||
Node n1, DataFlowType container, ContentSet c, Node n2, DataFlowType content
|
||||
) {
|
||||
readSet(n1, c, n2) and
|
||||
readStep(n1, c, n2) and
|
||||
container = getNodeDataFlowType(n1) and
|
||||
content = getNodeDataFlowType(n2)
|
||||
}
|
||||
@@ -2263,6 +2672,9 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
|
||||
|
||||
/** Gets a node corresponding to data flow out of `call`. */
|
||||
final OutNodeExt getAnOutNode(DataFlowCall call) { result = getAnOutNodeExt(call, this) }
|
||||
|
||||
/** Gets a node corresponding to data flow out of `call`. */
|
||||
final OutNodeEx getAnOutNodeEx(DataFlowCall call) { result = getAnOutNodeEx(call, this) }
|
||||
}
|
||||
|
||||
class ValueReturnKind extends ReturnKindExt, TValueReturn {
|
||||
|
||||
@@ -699,7 +699,8 @@ module Make<
|
||||
c.propagatesFlow(input, output, preservesValue, model)
|
||||
or
|
||||
// observe side effects of callbacks on input arguments
|
||||
c.propagatesFlow(output, input, preservesValue, model) and
|
||||
summary(c, output, input, preservesValue, model) and
|
||||
// c.propagatesFlow(output, input, preservesValue, model) and
|
||||
preservesValue = true and
|
||||
isCallbackParameter(input) and
|
||||
isContentOfArgument(output, _)
|
||||
|
||||
Reference in New Issue
Block a user