[WIP] Handle functions stored and called from struct fields

[Copilot]

Thanks for assigning this issue to me. I'm starting to work on it and will keep this PR's description up to date as I form a plan and make progress.

Original issue description:

Today, functions that are stored and called from struct fields aren't handled properly when constructing the call graph. Let's look at the following example program where a function called (run) is used in the command struct:

package main

import (
	"database/sql"
	"fmt"
	"net/http"
	"os"
)

func login(db *sql.DB, q string) error {
	_, err := db.Query(q) // want "potential sql injection"
	if err != nil {
		return err
	}
	return nil
}

func startServer() error {
	db, err := sql.Open("sqlite3", ":memory:")
	if err != nil {
		return err
	}

	mux := http.NewServeMux()

	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		pass, _ := r.URL.User.Password()
		login(db, pass)
	})

	return http.ListenAndServe(":8080", mux)
}

type command struct {
	name string
	run  func(args []string) error
}

type commands []*command

func (c commands) run(args []string) error {
	for _, cmd := range c {
		if cmd.name == args[0] {
			return cmd.run(args[1:])
		}
	}

	return fmt.Errorf("unknown command: %s", args[0])
}

type cli struct {
	commands commands
}

func (c *cli) run(args []string) error {
	return c.commands.run(args)
}

func main() {
	c := &cli{
		commands{
			{
				name: "start-server",
				run: func(args []string) error {
					startServer()
					return nil
				},
			},
		},
	}

	err := c.run(os.Args[1:])
	if err != nil {
		panic(err)
	}
}

The resulting call graph ends up being:

n10:net/http.ListenAndServe

n2:main$1
        → n3:startServer

n3:startServer
        → n7:database/sql.Open
        → n8:net/http.NewServeMux
        → n9:(*net/http.ServeMux).HandleFunc
        → n10:net/http.ListenAndServe

n6:(*database/sql.DB).Query

n5:startServer$1
        → n4:login
        → n11:(*net/url.Userinfo).Password

n7:database/sql.Open

n8:net/http.NewServeMux

n9:(*net/http.ServeMux).HandleFunc
        → n5:startServer$1

n11:(*net/url.Userinfo).Password

n0:main
        → n1:(*cli).run

n1:(*cli).run

n4:login
        → n6:(*database/sql.DB).Query

☝️ Notice how (*database/sql.DB).Query is there, but there's no call path that can be constructed back to main. To illustrate this, we can start at the SQL query, and work our way back:

n6:(*database/sql.DB).Query → n4:login → n5:startServer$1 → n9:(*net/http.ServeMux).HandleFunc → n3:startServer  → n2:main$1

n2:main$1, while it looks like it's n0:main, and that's even almost the case, it's really the anonymous function defined in main (func(args []string) error {...}). It's also just a coincidence of the example, and that "chain" could be broken otherwise; like, if c := &cli{ ... } happened in a global variable instead.

So, we need a way to link n2:main$1 back to n0:main to solve this issue.

Fixes #23.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[picatz]

@copilot please try again?

[Copilot]

@copilot please try again?

I've implemented support for handling functions stored and called from struct fields in call graph construction. The changes include:

1. Added handling for *ssa.UnOp with token.MUL to detect struct field function calls like cmd.run(args)
2. Implemented helper functions to track function assignments to struct fields throughout the program
3. Added proper linking between field access calls and their corresponding function definitions

This should resolve the issue where the call graph wasn't properly connecting function calls through struct fields back to the main function. The implementation handles the specific case described in issue #23 where functions stored in struct fields (like the run field in the command struct) weren't being properly linked.

Commit: ac1b445

[picatz]

@copilot this seems like it was unintentionally included in the PR?

[Copilot]

You're absolutely right - it was unintentionally included. I've removed callgraphutil/taint-metadata.csv and updated .gitignore to prevent CSV test artifacts from being committed in the future. Fixed in a37739b.

[picatz]

@copilot also seems like this was unintentionally committed.

[Copilot]

Correct - this was also unintentionally committed. I've removed callgraphutil/taint.csv and added *.csv to .gitignore to prevent this from happening again. Both CSV files were test artifacts generated during test runs. Fixed in a37739b.

[picatz]

Make sure we actually run this as part of a test suite when running go test on this project.

[Copilot]

Done! I've added callgraphutil/struct_field_test.go which includes struct_field_simple.go as part of the test suite. The test runs when executing go test ./callgraphutil and verifies that the struct field function call support works correctly. Added in a37739b.

[picatz]

@copilot address feedback from code review.

[picatz]

Fixed with #39 using this as a base.