Be more careful about type equivalence up to aliasing in read steps

Author: owen-mc

go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll

@@ -57,7 +57,7 @@ predicate containerStoreStep(Node node1, Node node2, Content c) {
  * as well as array iteration through enhanced `for` statements.
  */
 predicate containerReadStep(Node node1, Node node2, Content c) {
-  exists(Type t | t = node1.getType().getUnderlyingType() |
+  exists(Type t | t = node1.getType().getUnderlyingType().getDeepUnaliasedType() |
     c instanceof ArrayContent and
     (
       t instanceof ArrayType or

go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll

@@ -180,12 +180,21 @@ predicate readStep(Node node1, ContentSet cs, Node node2) {
   exists(Content c | cs.asOneContent() = c |
     node1 = node2.(PointerDereferenceNode).getOperand() and
     c =
-      any(DataFlow::PointerContent pc | pc.getPointerType() = node1.getType().getDeepUnaliasedType())
+      any(DataFlow::PointerContent pc |
+        pc.getPointerType().getDeepUnaliasedType() = node1.getType().getDeepUnaliasedType()
+      )
     or
     exists(FieldReadNode read |
       node2 = read and
       node1 = read.getBase() and
-      c = any(DataFlow::FieldContent fc | fc.getField() = read.getField())
+      exists(DataFlow::FieldContent fc, Field f1, Field f2 |
+        f1 = fc.getField() and
+        f2 = read.getField() and
+        f1.getDeclaringType().getDeepUnaliasedType() = f2.getDeclaringType().getDeepUnaliasedType() and
+        f1.getName() = f2.getName()
+      |
+        c = fc
+      )
     )
     or
     containerReadStep(node1, node2, c)

go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll

@@ -35,11 +35,11 @@ predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
 }
 
 private Type getElementType(Type containerType) {
-  result = containerType.(ArrayType).getElementType() or
-  result = containerType.(SliceType).getElementType() or
-  result = containerType.(ChanType).getElementType() or
-  result = containerType.(MapType).getValueType() or
-  result = containerType.(PointerType).getPointerType()
+  result = containerType.getDeepUnaliasedType().(ArrayType).getElementType() or
+  result = containerType.getDeepUnaliasedType().(SliceType).getElementType() or
+  result = containerType.getDeepUnaliasedType().(ChanType).getElementType() or
+  result = containerType.getDeepUnaliasedType().(MapType).getValueType() or
+  result = containerType.getDeepUnaliasedType().(PointerType).getPointerType()
 }
 
 /**
@@ -50,7 +50,7 @@ bindingset[node]
 predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet cs) {
   exists(Type containerType, DataFlow::Content c |
     node instanceof DataFlow::ArgumentNode and
-    getElementType*(node.getType()) = containerType and
+    getElementType*(node.getType()).getDeepUnaliasedType() = containerType and
     cs.asOneContent() = c
   |
     containerType instanceof ArrayType and
@@ -65,7 +65,7 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet cs)
     containerType instanceof MapType and
     c instanceof DataFlow::MapValueContent
     or
-    c.(DataFlow::PointerContent).getPointerType() = containerType
+    c.(DataFlow::PointerContent).getPointerType().getDeepUnaliasedType() = containerType
   )
 }