Make separate post-update nodes

owen-mc · owen-mc · commit a35771237e5c · 2025-09-19T07:42:35.000+01:00
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll
@@ -12,7 +12,8 @@ private newtype TNode =
   MkGlobalFunctionNode(Function f) or
   MkImplicitVarargsSlice(CallExpr c) { c.hasImplicitVarargs() } or
   MkSliceElementNode(SliceExpr se) or
-  MkFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn)
+  MkFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or
+  MkDefaultPostUpdateNode(IR::Instruction insn) { insnHasPostUpdateNode(insn) }
 
 /** Nodes intended for only use inside the data-flow libraries. */
 module Private {
@@ -844,20 +845,22 @@ module Public {
     insn = getAWrittenInsn()
   }
 
-  private class DefaultPostUpdateNode extends PostUpdateNode {
+  private class DefaultPostUpdateNode extends PostUpdateNode, MkDefaultPostUpdateNode {
     Node preupd;
 
-    DefaultPostUpdateNode() {
-      insnHasPostUpdateNode(preupd.asInstruction()) and
-      (
-        preupd = this.(SsaNode).getAUse()
-        or
-        preupd = this and
-        not basicLocalFlowStep(_, this)
-      )
-    }
+    DefaultPostUpdateNode() { this = MkDefaultPostUpdateNode(preupd.asInstruction()) }
 
     override Node getPreUpdateNode() { result = preupd }
+
+    override ControlFlow::Root getRoot() { result = preupd.getRoot() }
+
+    override Type getType() { result = preupd.getType() }
+
+    override string getNodeKind() { result = "post-update node" }
+
+    override string toString() { result = preupd.toString() + " [postupdate]" }
+
+    override Location getLocation() { result = preupd.getLocation() }
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
@@ -68,7 +68,10 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) {
   // Instruction -> SSA defn
   exists(IR::Instruction pred, SsaExplicitDefinition succ |
     succ.getRhs() = pred and
-    nodeFrom = instructionNode(pred) and
+    (
+      nodeFrom = instructionNode(pred) or
+      nodeFrom.(PostUpdateNode).getPreUpdateNode() = instructionNode(pred)
+    ) and
     nodeTo = ssaNode(succ.getVariable())
   )
   or
@@ -82,7 +85,10 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) {
   // SSA use -> successive SSA use
   // Note this case includes Phi node traversal
   exists(IR::Instruction pred, IR::Instruction succ | succ = getAnAdjacentUse(pred) |
-    nodeFrom = instructionNode(pred) and
+    (
+      nodeFrom = instructionNode(pred) or
+      nodeFrom.(PostUpdateNode).getPreUpdateNode() = instructionNode(pred)
+    ) and
     nodeTo = instructionNode(succ)
   )
   or
diff --git a/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll b/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll
@@ -88,14 +88,18 @@ class AdditionalTaintStep extends Unit {
  * global taint flow configurations.
  */
 predicate localAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ, string model) {
-  (
-    referenceStep(pred, succ) or
-    elementWriteStep(pred, succ) or
-    fieldReadStep(pred, succ) or
-    elementStep(pred, succ) or
-    tupleStep(pred, succ) or
-    stringConcatStep(pred, succ) or
-    sliceStep(pred, succ)
+  exists(DataFlow::Node pred2 |
+    pred2 = pred
+    or
+    pred2 = pred.(DataFlow::PostUpdateNode).getPreUpdateNode()
+  |
+    referenceStep(pred2, succ) or
+    elementWriteStep(pred2, succ) or
+    fieldReadStep(pred2, succ) or
+    elementStep(pred2, succ) or
+    tupleStep(pred2, succ) or
+    stringConcatStep(pred2, succ) or
+    sliceStep(pred2, succ)
   ) and
   model = ""
   or
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/PostUpdateNodes/test.expected b/go/ql/test/library-tests/semmle/go/dataflow/PostUpdateNodes/test.expected
@@ -1,26 +1,26 @@
 | file://:0:0:0:0 | [summary param] 0 in copy | file://:0:0:0:0 | [summary] to write: Argument[0] in copy |
-| test.go:23:2:23:2 | a | test.go:22:2:22:2 | definition of a |
-| test.go:23:11:23:14 | &... | test.go:23:11:23:14 | &... |
-| test.go:23:12:23:14 | selection of b | test.go:23:12:23:14 | selection of b |
-| test.go:24:2:24:2 | a | test.go:22:2:22:2 | definition of a |
-| test.go:24:2:24:5 | selection of bs | test.go:24:2:24:5 | selection of bs |
-| test.go:24:2:24:8 | index expression | test.go:24:2:24:8 | index expression |
-| test.go:24:17:24:20 | &... | test.go:24:17:24:20 | &... |
-| test.go:24:18:24:20 | struct literal | test.go:24:18:24:20 | struct literal |
-| test.go:25:2:25:2 | a | test.go:22:2:22:2 | definition of a |
-| test.go:25:2:25:5 | selection of bs | test.go:25:2:25:5 | selection of bs |
-| test.go:25:2:25:8 | index expression | test.go:25:2:25:8 | index expression |
-| test.go:25:2:25:13 | implicit dereference | test.go:25:2:25:13 | implicit dereference |
-| test.go:25:2:25:13 | selection of cptr | test.go:25:2:25:13 | selection of cptr |
-| test.go:26:2:26:2 | a | test.go:22:2:22:2 | definition of a |
-| test.go:26:2:26:7 | implicit dereference | test.go:26:2:26:7 | implicit dereference |
-| test.go:26:2:26:7 | selection of bptr | test.go:26:2:26:7 | selection of bptr |
-| test.go:26:2:26:12 | implicit dereference | test.go:26:2:26:12 | implicit dereference |
-| test.go:26:2:26:12 | selection of cptr | test.go:26:2:26:12 | selection of cptr |
-| test.go:28:7:28:10 | struct literal | test.go:28:7:28:10 | struct literal |
-| test.go:29:2:29:2 | c | test.go:28:2:28:2 | definition of c |
-| test.go:29:6:29:6 | a | test.go:22:2:22:2 | definition of a |
-| test.go:30:2:30:2 | c | test.go:28:2:28:2 | definition of c |
-| test.go:30:7:30:7 | a | test.go:22:2:22:2 | definition of a |
-| test.go:35:4:35:4 | a | test.go:22:2:22:2 | definition of a |
-| test.go:36:5:36:5 | a | test.go:22:2:22:2 | definition of a |
+| test.go:23:2:23:2 | a | test.go:23:2:23:2 | a [postupdate] |
+| test.go:23:11:23:14 | &... | test.go:23:11:23:14 | &... [postupdate] |
+| test.go:23:12:23:14 | selection of b | test.go:23:12:23:14 | selection of b [postupdate] |
+| test.go:24:2:24:2 | a | test.go:24:2:24:2 | a [postupdate] |
+| test.go:24:2:24:5 | selection of bs | test.go:24:2:24:5 | selection of bs [postupdate] |
+| test.go:24:2:24:8 | index expression | test.go:24:2:24:8 | index expression [postupdate] |
+| test.go:24:17:24:20 | &... | test.go:24:17:24:20 | &... [postupdate] |
+| test.go:24:18:24:20 | struct literal | test.go:24:18:24:20 | struct literal [postupdate] |
+| test.go:25:2:25:2 | a | test.go:25:2:25:2 | a [postupdate] |
+| test.go:25:2:25:5 | selection of bs | test.go:25:2:25:5 | selection of bs [postupdate] |
+| test.go:25:2:25:8 | index expression | test.go:25:2:25:8 | index expression [postupdate] |
+| test.go:25:2:25:13 | implicit dereference | test.go:25:2:25:13 | implicit dereference [postupdate] |
+| test.go:25:2:25:13 | selection of cptr | test.go:25:2:25:13 | selection of cptr [postupdate] |
+| test.go:26:2:26:2 | a | test.go:26:2:26:2 | a [postupdate] |
+| test.go:26:2:26:7 | implicit dereference | test.go:26:2:26:7 | implicit dereference [postupdate] |
+| test.go:26:2:26:7 | selection of bptr | test.go:26:2:26:7 | selection of bptr [postupdate] |
+| test.go:26:2:26:12 | implicit dereference | test.go:26:2:26:12 | implicit dereference [postupdate] |
+| test.go:26:2:26:12 | selection of cptr | test.go:26:2:26:12 | selection of cptr [postupdate] |
+| test.go:28:7:28:10 | struct literal | test.go:28:7:28:10 | struct literal [postupdate] |
+| test.go:29:2:29:2 | c | test.go:29:2:29:2 | c [postupdate] |
+| test.go:29:6:29:6 | a | test.go:29:6:29:6 | a [postupdate] |
+| test.go:30:2:30:2 | c | test.go:30:2:30:2 | c [postupdate] |
+| test.go:30:7:30:7 | a | test.go:30:7:30:7 | a [postupdate] |
+| test.go:35:4:35:4 | a | test.go:35:4:35:4 | a [postupdate] |
+| test.go:36:5:36:5 | a | test.go:36:5:36:5 | a [postupdate] |
