Merge pull request github#8938 from hvitved/ruby/with-without-mad-tokens

Ruby: Introduce `With(out)Element` MaD input tokens

Author: hvitved

csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll

@@ -167,9 +167,16 @@ class AccessPathToken extends string {
   /** Gets the `n`th argument to this token, such as `x` or `y` from `Member[x,y]`. */
   string getArgument(int n) { result = this.getArgumentList().splitAt(",", n).trim() }
 
+  /** Gets the `n`th argument to this `name` token, such as `x` or `y` from `Member[x,y]`. */
+  pragma[nomagic]
+  string getArgument(string name, int n) { name = this.getName() and result = this.getArgument(n) }
+
   /** Gets an argument to this token, such as `x` or `y` from `Member[x,y]`. */
   string getAnArgument() { result = this.getArgument(_) }
 
+  /** Gets an argument to this `name` token, such as `x` or `y` from `Member[x,y]`. */
+  string getAnArgument(string name) { result = this.getArgument(name, _) }
+
   /** Gets the number of arguments to this token, such as 2 for `Member[x,y]` or zero for `ReturnValue`. */
   int getNumArgument() { result = count(int n | exists(this.getArgument(n))) }
 }

java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll

@@ -167,9 +167,16 @@ class AccessPathToken extends string {
   /** Gets the `n`th argument to this token, such as `x` or `y` from `Member[x,y]`. */
   string getArgument(int n) { result = this.getArgumentList().splitAt(",", n).trim() }
 
+  /** Gets the `n`th argument to this `name` token, such as `x` or `y` from `Member[x,y]`. */
+  pragma[nomagic]
+  string getArgument(string name, int n) { name = this.getName() and result = this.getArgument(n) }
+
   /** Gets an argument to this token, such as `x` or `y` from `Member[x,y]`. */
   string getAnArgument() { result = this.getArgument(_) }
 
+  /** Gets an argument to this `name` token, such as `x` or `y` from `Member[x,y]`. */
+  string getAnArgument(string name) { result = this.getArgument(name, _) }
+
   /** Gets the number of arguments to this token, such as 2 for `Member[x,y]` or zero for `ReturnValue`. */
   int getNumArgument() { result = count(int n | exists(this.getArgument(n))) }
 }

javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll

@@ -167,9 +167,16 @@ class AccessPathToken extends string {
   /** Gets the `n`th argument to this token, such as `x` or `y` from `Member[x,y]`. */
   string getArgument(int n) { result = this.getArgumentList().splitAt(",", n).trim() }
 
+  /** Gets the `n`th argument to this `name` token, such as `x` or `y` from `Member[x,y]`. */
+  pragma[nomagic]
+  string getArgument(string name, int n) { name = this.getName() and result = this.getArgument(n) }
+
   /** Gets an argument to this token, such as `x` or `y` from `Member[x,y]`. */
   string getAnArgument() { result = this.getArgument(_) }
 
+  /** Gets an argument to this `name` token, such as `x` or `y` from `Member[x,y]`. */
+  string getAnArgument(string name) { result = this.getArgument(name, _) }
+
   /** Gets the number of arguments to this token, such as 2 for `Member[x,y]` or zero for `ReturnValue`. */
   int getNumArgument() { result = count(int n | exists(this.getArgument(n))) }
 }

ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll

@@ -25,6 +25,10 @@ module SummaryComponent {
 
   predicate content = SC::content/1;
 
+  predicate withoutContent = SC::withoutContent/1;
+
+  predicate withContent = SC::withContent/1;
+
   /** Gets a summary component that represents a receiver. */
   SummaryComponent receiver() { result = argument(any(ParameterPosition pos | pos.isSelf())) }
 
@@ -124,13 +128,6 @@ abstract class SummarizedCallable extends LibraryCallable {
    */
   pragma[nomagic]
   predicate propagatesFlowExt(string input, string output, boolean preservesValue) { none() }
-
-  /**
-   * Holds if values stored inside `content` are cleared on objects passed as
-   * arguments at position `pos` to this callable.
-   */
-  pragma[nomagic]
-  predicate clearsContent(ParameterPosition pos, DataFlow::ContentSet content) { none() }
 }
 
 /**
@@ -156,10 +153,6 @@ private class SummarizedCallableAdapter extends Impl::Public::SummarizedCallable
   ) {
     sc.propagatesFlow(input, output, preservesValue)
   }
-
-  final override predicate clearsContent(ParameterPosition pos, DataFlow::ContentSet content) {
-    sc.clearsContent(pos, content)
-  }
 }
 
 class RequiredSummaryComponentStack = Impl::Public::RequiredSummaryComponentStack;

ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll

@@ -167,9 +167,16 @@ class AccessPathToken extends string {
   /** Gets the `n`th argument to this token, such as `x` or `y` from `Member[x,y]`. */
   string getArgument(int n) { result = this.getArgumentList().splitAt(",", n).trim() }
 
+  /** Gets the `n`th argument to this `name` token, such as `x` or `y` from `Member[x,y]`. */
+  pragma[nomagic]
+  string getArgument(string name, int n) { name = this.getName() and result = this.getArgument(n) }
+
   /** Gets an argument to this token, such as `x` or `y` from `Member[x,y]`. */
   string getAnArgument() { result = this.getArgument(_) }
 
+  /** Gets an argument to this `name` token, such as `x` or `y` from `Member[x,y]`. */
+  string getAnArgument(string name) { result = this.getArgument(name, _) }
+
   /** Gets the number of arguments to this token, such as 2 for `Member[x,y]` or zero for `ReturnValue`. */
   int getNumArgument() { result = count(int n | exists(this.getArgument(n))) }
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -56,15 +56,30 @@ predicate summaryElement(
   )
 }
 
+bindingset[arg]
+private SummaryComponent interpretElementArg(string arg) {
+  arg = "?" and
+  result = FlowSummary::SummaryComponent::elementUnknown()
+  or
+  arg = "any" and
+  result = FlowSummary::SummaryComponent::elementAny()
+  or
+  exists(ConstantValue cv | result = FlowSummary::SummaryComponent::elementKnown(cv) |
+    cv.isInt(AccessPath::parseInt(arg))
+    or
+    not exists(AccessPath::parseInt(arg)) and
+    cv.serialize() = arg
+  )
+}
+
 /**
  * Gets the summary component for specification component `c`, if any.
  *
  * This covers all the Ruby-specific components of a flow summary.
  */
 SummaryComponent interpretComponentSpecific(AccessPathToken c) {
-  c.getName() = "Argument" and
   exists(string arg, ParameterPosition ppos |
-    arg = c.getAnArgument() and
+    arg = c.getAnArgument("Argument") and
     result = FlowSummary::SummaryComponent::argument(ppos)
   |
     arg = "any" and
@@ -73,20 +88,17 @@ SummaryComponent interpretComponentSpecific(AccessPathToken c) {
     ppos.isPositionalLowerBound(AccessPath::parseLowerBound(arg))
   )
   or
-  c.getName() = "Element" and
-  exists(string arg | arg = c.getAnArgument() |
-    arg = "?" and
-    result = FlowSummary::SummaryComponent::elementUnknown()
-    or
-    arg = "any" and
-    result = FlowSummary::SummaryComponent::elementAny()
-    or
-    exists(ConstantValue cv | result = FlowSummary::SummaryComponent::elementKnown(cv) |
-      cv.isInt(AccessPath::parseInt(arg))
-      or
-      not exists(AccessPath::parseInt(arg)) and
-      cv.serialize() = c.getAnArgument()
-    )
+  result = interpretElementArg(c.getAnArgument("Element"))
+  or
+  exists(ContentSet cs |
+    FlowSummary::SummaryComponent::content(cs) = interpretElementArg(c.getAnArgument("WithElement")) and
+    result = FlowSummary::SummaryComponent::withContent(cs)
+  )
+  or
+  exists(ContentSet cs |
+    FlowSummary::SummaryComponent::content(cs) =
+      interpretElementArg(c.getAnArgument("WithoutElement")) and
+    result = FlowSummary::SummaryComponent::withoutContent(cs)
   )
 }
 

ruby/ql/lib/codeql/ruby/frameworks/Core.qll

@@ -62,11 +62,11 @@ private class SplatSummary extends SummarizedCallable {
   override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
     (
       // *1 = [1]
-      input = "Argument[self]" and
+      input = "Argument[self].WithoutElement[any]" and
       output = "ReturnValue.Element[0]"
       or
       // *[1] = [1]
-      input = "Argument[self]" and
+      input = "Argument[self].WithElement[any]" and
       output = "ReturnValue"
     ) and
     preservesValue = true