Data flow: No more flow summaries

csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll

@@ -1,12 +1,23 @@
 import csharp
 private import semmle.code.csharp.controlflow.Guards
 
+private predicate outRefDef(DataFlow::ExprNode ne, int outRef) {
+  exists(Ssa::ExplicitDefinition def, Parameter outRefParameter |
+    outRefParameter.isOutOrRef() and
+    ne.getExpr() = def.getADefinition().getSource() and
+    def.isLiveOutRefParameterDefinition(outRefParameter) and
+    outRef = outRefParameter.getPosition()
+  )
+}
+
 class Configuration extends DataFlow::Configuration {
   Configuration() { this = "Configuration" }
 
-  override predicate isSource(DataFlow::Node source) { any() }
+  override predicate isSource(DataFlow::Node source) { source instanceof DataFlow::ParameterNode }
 
-  override predicate isSink(DataFlow::Node sink) { any() }
+  override predicate isSink(DataFlow::Node sink) {
+    any(Callable c).canReturn(sink.asExpr()) or outRefDef(sink, _)
+  }
 
   override predicate isBarrier(DataFlow::Node node) {
     exists(AbstractValues::NullValue nv | node.(GuardedDataFlowNode).mustHaveValue(nv) |
@@ -24,15 +35,9 @@ predicate flowOutFromParameter(DataFlow::Configuration c, Parameter p) {
 }
 
 predicate flowOutFromParameterOutOrRef(DataFlow::Configuration c, Parameter p, int outRef) {
-  exists(
-    DataFlow::ExprNode ne, Ssa::ExplicitDefinition def, DataFlow::ParameterNode np,
-    Parameter outRefParameter
-  |
-    outRefParameter.isOutOrRef() and
+  exists(DataFlow::ExprNode ne, DataFlow::ParameterNode np |
+    outRefDef(ne, outRef) and
     np.getParameter() = p and
-    ne.getExpr() = def.getADefinition().getSource() and
-    def.isLiveOutRefParameterDefinition(outRefParameter) and
-    c.hasFlow(np, ne) and
-    outRef = outRefParameter.getPosition()
+    c.hasFlow(np, ne)
   )
 }

csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected

@@ -201,6 +201,20 @@ edges
 | H.cs:131:18:131:18 | access to local variable a [FieldA] : Object | H.cs:131:14:131:19 | call to method Get |
 | H.cs:147:17:147:32 | call to method Through : A | H.cs:148:14:148:14 | access to local variable a |
 | H.cs:147:25:147:31 | object creation of type A : A | H.cs:147:17:147:32 | call to method Through : A |
+| H.cs:155:17:155:23 | object creation of type B : B | H.cs:157:20:157:20 | access to local variable b : B |
+| H.cs:157:9:157:9 | [post] access to parameter a [FieldA] : B | H.cs:164:19:164:19 | [post] access to local variable a [FieldA] : B |
+| H.cs:157:20:157:20 | access to local variable b : B | H.cs:157:9:157:9 | [post] access to parameter a [FieldA] : B |
+| H.cs:163:17:163:28 | object creation of type Object : Object | H.cs:164:22:164:22 | access to local variable o : Object |
+| H.cs:164:19:164:19 | [post] access to local variable a [FieldA, FieldB] | H.cs:165:21:165:21 | access to local variable a [FieldA, FieldB] |
+| H.cs:164:19:164:19 | [post] access to local variable a [FieldA] : B | H.cs:165:21:165:21 | access to local variable a [FieldA] : B |
+| H.cs:164:22:164:22 | access to local variable o : Object | H.cs:164:19:164:19 | [post] access to local variable a [FieldA, FieldB] |
+| H.cs:165:17:165:28 | (...) ... : B | H.cs:166:14:166:14 | access to local variable b |
+| H.cs:165:17:165:28 | (...) ... [FieldB] : Object | H.cs:167:14:167:14 | access to local variable b [FieldB] : Object |
+| H.cs:165:21:165:21 | access to local variable a [FieldA, FieldB] | H.cs:165:21:165:28 | access to field FieldA [FieldB] : Object |
+| H.cs:165:21:165:21 | access to local variable a [FieldA] : B | H.cs:165:21:165:28 | access to field FieldA : B |
+| H.cs:165:21:165:28 | access to field FieldA : B | H.cs:165:17:165:28 | (...) ... : B |
+| H.cs:165:21:165:28 | access to field FieldA [FieldB] : Object | H.cs:165:17:165:28 | (...) ... [FieldB] : Object |
+| H.cs:167:14:167:14 | access to local variable b [FieldB] : Object | H.cs:167:14:167:21 | access to field FieldB |
 nodes
 | A.cs:5:17:5:23 | object creation of type C : C | semmle.label | object creation of type C : C |
 | A.cs:6:17:6:25 | call to method Make [c] : C | semmle.label | call to method Make [c] : C |
@@ -434,6 +448,22 @@ nodes
 | H.cs:147:17:147:32 | call to method Through : A | semmle.label | call to method Through : A |
 | H.cs:147:25:147:31 | object creation of type A : A | semmle.label | object creation of type A : A |
 | H.cs:148:14:148:14 | access to local variable a | semmle.label | access to local variable a |
+| H.cs:155:17:155:23 | object creation of type B : B | semmle.label | object creation of type B : B |
+| H.cs:157:9:157:9 | [post] access to parameter a [FieldA] : B | semmle.label | [post] access to parameter a [FieldA] : B |
+| H.cs:157:20:157:20 | access to local variable b : B | semmle.label | access to local variable b : B |
+| H.cs:163:17:163:28 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
+| H.cs:164:19:164:19 | [post] access to local variable a [FieldA, FieldB] | semmle.label | [post] access to local variable a [FieldA, FieldB] |
+| H.cs:164:19:164:19 | [post] access to local variable a [FieldA] : B | semmle.label | [post] access to local variable a [FieldA] : B |
+| H.cs:164:22:164:22 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| H.cs:165:17:165:28 | (...) ... : B | semmle.label | (...) ... : B |
+| H.cs:165:17:165:28 | (...) ... [FieldB] : Object | semmle.label | (...) ... [FieldB] : Object |
+| H.cs:165:21:165:21 | access to local variable a [FieldA, FieldB] | semmle.label | access to local variable a [FieldA, FieldB] |
+| H.cs:165:21:165:21 | access to local variable a [FieldA] : B | semmle.label | access to local variable a [FieldA] : B |
+| H.cs:165:21:165:28 | access to field FieldA : B | semmle.label | access to field FieldA : B |
+| H.cs:165:21:165:28 | access to field FieldA [FieldB] : Object | semmle.label | access to field FieldA [FieldB] : Object |
+| H.cs:166:14:166:14 | access to local variable b | semmle.label | access to local variable b |
+| H.cs:167:14:167:14 | access to local variable b [FieldB] : Object | semmle.label | access to local variable b [FieldB] : Object |
+| H.cs:167:14:167:21 | access to field FieldB | semmle.label | access to field FieldB |
 #select
 | A.cs:7:14:7:16 | access to field c | A.cs:5:17:5:23 | object creation of type C : C | A.cs:7:14:7:16 | access to field c | $@ | A.cs:5:17:5:23 | object creation of type C : C | object creation of type C : C |
 | A.cs:14:14:14:20 | call to method Get | A.cs:13:15:13:22 | object creation of type C1 : C1 | A.cs:14:14:14:20 | call to method Get | $@ | A.cs:13:15:13:22 | object creation of type C1 : C1 | object creation of type C1 : C1 |
@@ -481,3 +511,5 @@ nodes
 | H.cs:114:14:114:21 | access to field FieldB | H.cs:112:20:112:31 | object creation of type Object : Object | H.cs:114:14:114:21 | access to field FieldB | $@ | H.cs:112:20:112:31 | object creation of type Object : Object | object creation of type Object : Object |
 | H.cs:131:14:131:19 | call to method Get | H.cs:130:20:130:31 | object creation of type Object : Object | H.cs:131:14:131:19 | call to method Get | $@ | H.cs:130:20:130:31 | object creation of type Object : Object | object creation of type Object : Object |
 | H.cs:148:14:148:14 | access to local variable a | H.cs:147:25:147:31 | object creation of type A : A | H.cs:148:14:148:14 | access to local variable a | $@ | H.cs:147:25:147:31 | object creation of type A : A | object creation of type A : A |
+| H.cs:166:14:166:14 | access to local variable b | H.cs:155:17:155:23 | object creation of type B : B | H.cs:166:14:166:14 | access to local variable b | $@ | H.cs:155:17:155:23 | object creation of type B : B | object creation of type B : B |
+| H.cs:167:14:167:21 | access to field FieldB | H.cs:163:17:163:28 | object creation of type Object : Object | H.cs:167:14:167:21 | access to field FieldB | $@ | H.cs:163:17:163:28 | object creation of type Object : Object | object creation of type Object : Object |

csharp/ql/test/library-tests/dataflow/fields/H.cs

@@ -150,5 +150,22 @@ void M7()
         Sink(b); // no flow
     }
 
+    void SetNested(A a, object o)
+    {
+        var b = new B();
+        b.FieldB = o;
+        a.FieldA = b;
+    }
+
+    void M8()
+    {
+        var a = new A();
+        var o = new object();
+        SetNested(a, o);
+        var b = (B) a.FieldA;
+        Sink(b); // flow (from `new B()` inside `SetNested`)
+        Sink(b.FieldB); // flow
+    }
+
     public static void Sink(object o) { }
 }

csharp/ql/test/library-tests/dataflow/types/Types.cs

@@ -114,6 +114,18 @@ public override void M()
             {
                 Sink(this.Field);
             }
+
+            void M10()
+            {
+                var a = new A();
+                var e2 = new E2();
+                Sink(Through(a)); // flow
+                Sink(Through(e2)); // flow
+                Sink((E2)Through(a)); // no flow
+                Sink((A)Through(e2)); // no flow
+            }
         }
     }
+
+    static object Through(object x) => x;
 }

csharp/ql/test/library-tests/dataflow/types/Types.expected

@@ -39,6 +39,10 @@ edges
 | Types.cs:110:25:110:32 | object creation of type E2 : E2 | Types.cs:90:22:90:22 | e : E2 |
 | Types.cs:113:34:113:34 | this [Field] : E2 | Types.cs:115:22:115:25 | this access [Field] : E2 |
 | Types.cs:115:22:115:25 | this access [Field] : E2 | Types.cs:115:22:115:31 | access to field Field |
+| Types.cs:120:25:120:31 | object creation of type A : A | Types.cs:122:30:122:30 | access to local variable a : A |
+| Types.cs:121:26:121:33 | object creation of type E2 : E2 | Types.cs:123:30:123:31 | access to local variable e2 : E2 |
+| Types.cs:122:30:122:30 | access to local variable a : A | Types.cs:122:22:122:31 | call to method Through |
+| Types.cs:123:30:123:31 | access to local variable e2 : E2 | Types.cs:123:22:123:32 | call to method Through |
 nodes
 | Types.cs:7:21:7:25 | this : D | semmle.label | this : D |
 | Types.cs:7:32:7:35 | this access : D | semmle.label | this access : D |
@@ -90,6 +94,12 @@ nodes
 | Types.cs:113:34:113:34 | this [Field] : E2 | semmle.label | this [Field] : E2 |
 | Types.cs:115:22:115:25 | this access [Field] : E2 | semmle.label | this access [Field] : E2 |
 | Types.cs:115:22:115:31 | access to field Field | semmle.label | access to field Field |
+| Types.cs:120:25:120:31 | object creation of type A : A | semmle.label | object creation of type A : A |
+| Types.cs:121:26:121:33 | object creation of type E2 : E2 | semmle.label | object creation of type E2 : E2 |
+| Types.cs:122:22:122:31 | call to method Through | semmle.label | call to method Through |
+| Types.cs:122:30:122:30 | access to local variable a : A | semmle.label | access to local variable a : A |
+| Types.cs:123:22:123:32 | call to method Through | semmle.label | call to method Through |
+| Types.cs:123:30:123:31 | access to local variable e2 : E2 | semmle.label | access to local variable e2 : E2 |
 #select
 | Types.cs:23:12:23:18 | object creation of type C : C | Types.cs:50:18:50:18 | access to local variable c | Types.cs:50:18:50:18 | access to local variable c | $@ | Types.cs:50:18:50:18 | access to local variable c | access to local variable c |
 | Types.cs:25:12:25:18 | object creation of type C : C | Types.cs:63:33:63:36 | (...) ... | Types.cs:63:33:63:36 | (...) ... | $@ | Types.cs:63:33:63:36 | (...) ... | (...) ... |
@@ -106,3 +116,5 @@ nodes
 | Types.cs:40:12:40:18 | object creation of type D : D | Types.cs:16:42:16:45 | this access | Types.cs:16:42:16:45 | this access | $@ | Types.cs:16:42:16:45 | this access | this access |
 | Types.cs:43:20:43:23 | null : null | Types.cs:44:14:44:14 | access to local variable o | Types.cs:44:14:44:14 | access to local variable o | $@ | Types.cs:44:14:44:14 | access to local variable o | access to local variable o |
 | Types.cs:110:25:110:32 | object creation of type E2 : E2 | Types.cs:115:22:115:31 | access to field Field | Types.cs:115:22:115:31 | access to field Field | $@ | Types.cs:115:22:115:31 | access to field Field | access to field Field |
+| Types.cs:120:25:120:31 | object creation of type A : A | Types.cs:122:22:122:31 | call to method Through | Types.cs:122:22:122:31 | call to method Through | $@ | Types.cs:122:22:122:31 | call to method Through | call to method Through |
+| Types.cs:121:26:121:33 | object creation of type E2 : E2 | Types.cs:123:22:123:32 | call to method Through | Types.cs:123:22:123:32 | call to method Through | $@ | Types.cs:123:22:123:32 | call to method Through | call to method Through |