Ruby: Track types in data flow

Author: hvitved

ruby/ql/consistency-queries/DataFlowConsistency.ql

@@ -48,6 +48,14 @@ private module Input implements InputSig<RubyDataFlow> {
     // arguments to all `yield` calls
     arg instanceof ArgumentNodes::BlockParameterArgumentNode
   }
+
+  predicate uniqueTypeExclude(Node n) {
+    n =
+      any(DataFlow::CallNode call |
+        Private::isStandardNewCall(call.getExprNode(), _, _) and
+        not call.getReceiver().asExpr().getExpr() instanceof ConstantReadAccess
+      )
+  }
 }
 
 import MakeConsistency<RubyDataFlow, RubyTaintTracking, Input>

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -229,7 +229,7 @@ private predicate selfInModule(SelfVariable self, Module m) {
 
 /** Holds if `self` belongs to method `method` inside module `m`. */
 pragma[nomagic]
-private predicate selfInMethod(SelfVariable self, MethodBase method, Module m) {
+predicate selfInMethod(SelfVariable self, MethodBase method, Module m) {
   exists(ModuleBase encl |
     method = self.getDeclaringScope() and
     encl = method.getEnclosingModule() and
@@ -239,64 +239,6 @@ private predicate selfInMethod(SelfVariable self, MethodBase method, Module m) {
   )
 }
 
-/** Holds if `self` belongs to the top-level. */
-pragma[nomagic]
-private predicate selfInToplevel(SelfVariable self, Module m) {
-  self.getDeclaringScope() instanceof Toplevel and
-  m = TResolved("Object")
-}
-
-/**
- * Holds if SSA definition `def` belongs to a variable introduced via pattern
- * matching on type `m`. For example, in
- *
- * ```rb
- * case object
- *   in C => c then c.foo
- * end
- * ```
- *
- * the SSA definition for `c` is introduced by matching on `C`.
- */
-private predicate asModulePattern(SsaDefinitionExtNode def, Module m) {
-  exists(AsPattern ap |
-    m = resolveConstantReadAccess(ap.getPattern()) and
-    def.getDefinitionExt().(Ssa::WriteDefinition).getWriteAccess().getAstNode() =
-      ap.getVariableAccess()
-  )
-}
-
-/**
- * Holds if `read1` and `read2` are adjacent reads of SSA definition `def`,
- * and `read2` is checked to have type `m`. For example, in
- *
- * ```rb
- * case object
- *   when C then object.foo
- * end
- * ```
- *
- * the two reads of `object` are adjacent, and the second is checked to have type `C`.
- */
-private predicate hasAdjacentTypeCheckedReads(
-  Ssa::Definition def, CfgNodes::ExprCfgNode read1, CfgNodes::ExprCfgNode read2, Module m
-) {
-  exists(
-    CfgNodes::ExprCfgNode pattern, ConditionBlock cb, CfgNodes::ExprNodes::CaseExprCfgNode case
-  |
-    m = resolveConstantReadAccess(pattern.getExpr()) and
-    cb.getLastNode() = pattern and
-    cb.controls(read2.getBasicBlock(),
-      any(SuccessorTypes::MatchingSuccessor match | match.getValue() = true)) and
-    def.hasAdjacentReads(read1, read2) and
-    case.getValue() = read1
-  |
-    pattern = case.getBranch(_).(CfgNodes::ExprNodes::WhenClauseCfgNode).getPattern(_)
-    or
-    pattern = case.getBranch(_).(CfgNodes::ExprNodes::InClauseCfgNode).getPattern()
-  )
-}
-
 /** Holds if `new` is a user-defined `self.new` method. */
 predicate isUserDefinedNew(SingletonMethod new) {
   exists(Expr object | singletonMethod(new, "new", object) |
@@ -507,7 +449,7 @@ private predicate hasUserDefinedNew(Module m) {
  * `self.new` on `m`.
  */
 pragma[nomagic]
-private predicate isStandardNewCall(RelevantCall new, Module m, boolean exact) {
+predicate isStandardNewCall(RelevantCall new, Module m, boolean exact) {
   exists(DataFlow::LocalSourceNode sourceNode |
     flowsToMethodCallReceiver(new, sourceNode, "new") and
     // `m` should not have a user-defined `self.new` method
@@ -537,105 +479,15 @@ private predicate localFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo,
 
 private module TrackInstanceInput implements CallGraphConstruction::InputSig {
   pragma[nomagic]
-  private predicate isInstanceNoCall(DataFlow::Node n, Module tp, boolean exact) {
-    n.asExpr().getExpr() instanceof NilLiteral and
-    tp = TResolved("NilClass") and
-    exact = true
-    or
-    n.asExpr().getExpr().(BooleanLiteral).isFalse() and
-    tp = TResolved("FalseClass") and
-    exact = true
-    or
-    n.asExpr().getExpr().(BooleanLiteral).isTrue() and
-    tp = TResolved("TrueClass") and
-    exact = true
-    or
-    n.asExpr().getExpr() instanceof IntegerLiteral and
-    tp = TResolved("Integer") and
-    exact = true
-    or
-    n.asExpr().getExpr() instanceof FloatLiteral and
-    tp = TResolved("Float") and
-    exact = true
-    or
-    n.asExpr().getExpr() instanceof RationalLiteral and
-    tp = TResolved("Rational") and
-    exact = true
-    or
-    n.asExpr().getExpr() instanceof ComplexLiteral and
-    tp = TResolved("Complex") and
-    exact = true
-    or
-    n.asExpr().getExpr() instanceof StringlikeLiteral and
-    tp = TResolved("String") and
-    exact = true
-    or
-    n.asExpr() instanceof CfgNodes::ExprNodes::ArrayLiteralCfgNode and
-    tp = TResolved("Array") and
-    exact = true
-    or
-    n.asExpr() instanceof CfgNodes::ExprNodes::HashLiteralCfgNode and
-    tp = TResolved("Hash") and
-    exact = true
-    or
-    n.asExpr().getExpr() instanceof MethodBase and
-    tp = TResolved("Symbol") and
-    exact = true
-    or
-    n.asParameter() instanceof BlockParameter and
-    tp = TResolved("Proc") and
-    exact = true
-    or
-    n.asExpr().getExpr() instanceof Lambda and
-    tp = TResolved("Proc") and
-    exact = true
-    or
-    // `self` reference in method or top-level (but not in module or singleton method,
-    // where instance methods cannot be called; only singleton methods)
-    n =
-      any(SelfLocalSourceNode self |
-        exists(MethodBase m |
-          selfInMethod(self.getVariable(), m, tp) and
-          not m instanceof SingletonMethod and
-          if m.getEnclosingModule() instanceof Toplevel then exact = true else exact = false
-        )
-        or
-        selfInToplevel(self.getVariable(), tp) and
-        exact = true
-      )
-    or
-    // `in C => c then c.foo`
-    asModulePattern(n, tp) and
-    exact = false
-    or
-    // `case object when C then object.foo`
-    hasAdjacentTypeCheckedReads(_, _, n.asExpr(), tp) and
-    exact = false
-  }
-
-  pragma[nomagic]
-  private predicate isInstanceCall(DataFlow::Node n, Module tp, boolean exact) {
-    isStandardNewCall(n.asExpr(), tp, exact)
-  }
-
-  /** Holds if `n` is an instance of type `tp`. */
-  pragma[inline]
-  private predicate isInstance(DataFlow::Node n, Module tp, boolean exact) {
-    isInstanceNoCall(n, tp, exact)
-    or
-    isInstanceCall(n, tp, exact)
-  }
-
-  pragma[nomagic]
-  private predicate hasAdjacentTypeCheckedReads(DataFlow::Node node) {
-    hasAdjacentTypeCheckedReads(_, _, node.asExpr(), _)
+  private predicate hasAdjacentTypeCheckedRead(DataFlow::Node node) {
+    TypeInference::hasAdjacentTypeCheckedRead(node.asExpr(), _)
   }
 
   newtype State = additional MkState(Module m, Boolean exact)
 
   predicate start(DataFlow::Node start, State state) {
     exists(Module tp, boolean exact | state = MkState(tp, exact) |
-      isInstance(start, tp, exact)
+      TypeInference::hasType(start, tp, exact)
       or
       exists(Module m |
         (if m.isClass() then tp = TResolved("Class") else tp = TResolved("Module")) and
@@ -663,8 +515,8 @@ private module TrackInstanceInput implements CallGraphConstruction::InputSig {
     // We exclude steps into type checked variables. For those, we instead rely on the
     // type being checked against
     localFlowStep(nodeFrom, nodeTo, summary) and
-    not hasAdjacentTypeCheckedReads(nodeTo) and
-    not asModulePattern(nodeTo, _)
+    not hasAdjacentTypeCheckedRead(nodeTo) and
+    not TypeInference::asModulePattern(nodeTo.(SsaDefinitionExtNode).getDefinitionExt(), _)
   }
 
   predicate stepCall(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, StepSummary summary) {