Java/C++/C#: Bugfix for field flow through reverse read.

Author: aschackmull

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -360,7 +360,7 @@ private module ImplCommon {
      */
     cached
     predicate read(Node node1, Content f, Node node2) {
-      readStep(node1, f, node2) and storeStep(_, f, _)
+      readStep(node1, f, node2)
       or
       exists(DataFlowCall call, ReturnKind kind |
         read0(call, kind, node1, f) and

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -360,7 +360,7 @@ private module ImplCommon {
      */
     cached
     predicate read(Node node1, Content f, Node node2) {
-      readStep(node1, f, node2) and storeStep(_, f, _)
+      readStep(node1, f, node2)
       or
       exists(DataFlowCall call, ReturnKind kind |
         read0(call, kind, node1, f) and

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll

@@ -360,7 +360,7 @@ private module ImplCommon {
      */
     cached
     predicate read(Node node1, Content f, Node node2) {
-      readStep(node1, f, node2) and storeStep(_, f, _)
+      readStep(node1, f, node2)
       or
       exists(DataFlowCall call, ReturnKind kind |
         read0(call, kind, node1, f) and

java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll

@@ -360,7 +360,7 @@ private module ImplCommon {
      */
     cached
     predicate read(Node node1, Content f, Node node2) {
-      readStep(node1, f, node2) and storeStep(_, f, _)
+      readStep(node1, f, node2)
       or
       exists(DataFlowCall call, ReturnKind kind |
         read0(call, kind, node1, f) and

java/ql/test/library-tests/dataflow/fields/E.java

@@ -0,0 +1,32 @@
+public class E {
+  static Object src() { return new Object(); }
+  static void sink(Object obj) {}
+
+  static class Buffer { Object content; }
+  static class BufHolder { Buffer buf; }
+  static class Packet { BufHolder data; }
+
+  static void recv(Buffer buf) {
+    buf.content = src();
+  }
+
+  static void foo(Buffer raw, BufHolder bh, Packet p) {
+    recv(raw);
+    recv(bh.buf);
+    recv(p.data.buf);
+
+    sink(raw.content);
+
+    BufHolder bh2 = bh;
+    sink(bh2.buf.content);
+
+    Packet p2 = p;
+    sink(p2.data.buf.content);
+
+    handlepacket(p);
+  }
+
+  static void handlepacket(Packet p) {
+    sink(p.data.buf.content);
+  }
+}

java/ql/test/library-tests/dataflow/fields/flow.expected

@@ -22,3 +22,7 @@
 | D.java:19:14:19:23 | new Elem(...) | D.java:33:10:33:31 | getElem(...) |
 | D.java:26:14:26:23 | new Elem(...) | D.java:33:10:33:31 | getElem(...) |
 | D.java:37:14:37:23 | new Elem(...) | D.java:44:10:44:26 | boxfield.box.elem |
+| E.java:2:32:2:43 | new Object(...) | E.java:18:10:18:20 | raw.content |
+| E.java:2:32:2:43 | new Object(...) | E.java:21:10:21:24 | bh2.buf.content |
+| E.java:2:32:2:43 | new Object(...) | E.java:24:10:24:28 | p2.data.buf.content |
+| E.java:2:32:2:43 | new Object(...) | E.java:30:10:30:27 | p.data.buf.content |