temp
hvitved committed Jan 29, 2024
1 parent dd8ab95 commit b4b45d6
Showing 2 changed files with 74 additions and 37 deletions.
Expand Up @@ -31,17 +31,17 @@ edges
| CollectionFlow.cs:25:58:25:61 | dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:25:67:25:70 | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
| CollectionFlow.cs:25:67:25:70 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:25:67:25:73 | access to indexer : A |
| CollectionFlow.cs:27:59:27:62 | dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:27:68:27:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
| CollectionFlow.cs:27:68:27:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A |
| CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A | CollectionFlow.cs:27:68:27:85 | access to property Value : A |
| CollectionFlow.cs:27:68:27:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A |
| CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A | CollectionFlow.cs:27:68:27:85 | access to property Value : A |
| CollectionFlow.cs:29:60:29:63 | dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:29:69:29:72 | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
| CollectionFlow.cs:29:69:29:72 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:29:69:29:79 | access to property Values : ICollection<T> [element] : A |
| CollectionFlow.cs:29:69:29:79 | access to property Values : ICollection<T> [element] : A | CollectionFlow.cs:29:69:29:87 | call to method First<T> : A |
| CollectionFlow.cs:31:58:31:61 | dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:31:67:31:70 | access to parameter dict : Dictionary<T,T> [element, property Key] : A |
| CollectionFlow.cs:31:67:31:70 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:31:67:31:75 | access to property Keys : ICollection<T> [element] : A |
| CollectionFlow.cs:31:67:31:75 | access to property Keys : ICollection<T> [element] : A | CollectionFlow.cs:31:67:31:83 | call to method First<T> : A |
| CollectionFlow.cs:33:57:33:60 | dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:33:66:33:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A |
| CollectionFlow.cs:33:66:33:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A |
| CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A | CollectionFlow.cs:33:66:33:81 | access to property Key : A |
| CollectionFlow.cs:33:66:33:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A |
| CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A | CollectionFlow.cs:33:66:33:81 | access to property Key : A |
| CollectionFlow.cs:35:49:35:52 | args : A[] [element] : A | CollectionFlow.cs:35:63:35:66 | access to parameter args : A[] [element] : A |
| CollectionFlow.cs:35:49:35:52 | args : null [element] : A | CollectionFlow.cs:35:63:35:66 | access to parameter args : null [element] : A |
| CollectionFlow.cs:35:63:35:66 | access to parameter args : A[] [element] : A | CollectionFlow.cs:35:63:35:69 | access to array element |
Expand Down Expand Up @@ -278,7 +278,7 @@ nodes
| CollectionFlow.cs:25:67:25:73 | access to indexer : A | semmle.label | access to indexer : A |
| CollectionFlow.cs:27:59:27:62 | dict : Dictionary<T,T> [element, property Value] : A | semmle.label | dict : Dictionary<T,T> [element, property Value] : A |
| CollectionFlow.cs:27:68:27:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | semmle.label | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
| CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A | semmle.label | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A |
| CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A | semmle.label | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A |
| CollectionFlow.cs:27:68:27:85 | access to property Value : A | semmle.label | access to property Value : A |
| CollectionFlow.cs:29:60:29:63 | dict : Dictionary<T,T> [element, property Value] : A | semmle.label | dict : Dictionary<T,T> [element, property Value] : A |
| CollectionFlow.cs:29:69:29:72 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | semmle.label | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
Expand All @@ -290,7 +290,7 @@ nodes
| CollectionFlow.cs:31:67:31:83 | call to method First<T> : A | semmle.label | call to method First<T> : A |
| CollectionFlow.cs:33:57:33:60 | dict : Dictionary<T,T> [element, property Key] : A | semmle.label | dict : Dictionary<T,T> [element, property Key] : A |
| CollectionFlow.cs:33:66:33:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | semmle.label | access to parameter dict : Dictionary<T,T> [element, property Key] : A |
| CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A | semmle.label | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A |
| CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A | semmle.label | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A |
| CollectionFlow.cs:33:66:33:81 | access to property Key : A | semmle.label | access to property Key : A |
| CollectionFlow.cs:35:49:35:52 | args : A[] [element] : A | semmle.label | args : A[] [element] : A |
| CollectionFlow.cs:35:49:35:52 | args : null [element] : A | semmle.label | args : null [element] : A |
99 changes: 68 additions & 31 deletions shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
Expand Up @@ -961,6 +961,12 @@ module MakeImpl<InputSig Lang> {
exists(ap)
}

pragma[nomagic]
additional predicate nodeMayFlowNotThrough(NodeEx node, Ap ap) {
revFlow(node, false) and
exists(ap)
}

pragma[nomagic]
predicate callMayFlowThroughRev(DataFlowCall call) {
exists(ArgNodeEx arg, boolean toReturn |
Expand Down Expand Up @@ -1265,6 +1271,9 @@ module MakeImpl<InputSig Lang> {
bindingset[p, argAp, node, ap]
predicate nodeMayFlowThrough(ParamNode p, ApApprox argAp, NodeEx node, ApApprox ap);

bindingset[node, ap]
predicate nodeMayFlowNotThrough(NodeEx node, ApApprox ap);

bindingset[node, state, t0, ap, inSummaryCtx]
predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t, boolean inSummaryCtx);

Expand Down Expand Up @@ -1333,29 +1342,19 @@ module MakeImpl<InputSig Lang> {
NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ArgTypOption argT,
ApOption argAp, Typ t0, Typ t, Ap ap, ApApprox apa
) {
exists(ParamNodeOption summaryCtx0, ApOption argAp0, boolean inSummaryCtx |
fwdFlow0(node, state, cc, summaryCtx0, argT, argAp0, t0, ap, apa) and
exists(boolean inSummaryCtx |
fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t0, ap, apa) and
PrevStage::revFlow(node, state, apa) and
(
exists(ParamNode p, ApApprox argApa |
summaryCtx0 = TParamNodeSome(p) and
argAp0 = apSome(any(Ap argAp1 | argApa = getApprox(argAp1)))
|
if Param::nodeMayFlowThrough(p, argApa, node, apa)
then
summaryCtx = summaryCtx0 and
argAp = argAp0 and
inSummaryCtx = true
else (
summaryCtx = TParamNodeNone() and
argAp = apNone() and
inSummaryCtx = false
)
summaryCtx = TParamNodeSome(p) and
argAp = apSome(any(Ap argAp1 | argApa = getApprox(argAp1))) and
Param::nodeMayFlowThrough(p, argApa, node, apa) and
inSummaryCtx = true
)
or
summaryCtx0 = TParamNodeNone() and
summaryCtx = summaryCtx0 and
argAp = argAp0 and
summaryCtx = TParamNodeNone() and
Param::nodeMayFlowNotThrough(node, apa) and
inSummaryCtx = false
) and
filter(node, state, t0, ap, t, inSummaryCtx)
Expand Down Expand Up @@ -1414,18 +1413,17 @@ module MakeImpl<InputSig Lang> {
or
// flow into a callable
exists(Typ t0 | fwdFlowIn(node, apa, state, cc, t0, ap) |
if PrevStage::parameterMayFlowThrough(node, apa)
then
summaryCtx = TParamNodeSome(node.asNode()) and
argT = ArgTypOption::some(toArgTyp(t)) and
argAp = apSome(ap) and
t = t0 // getNodeTyp(node)
else (
summaryCtx = TParamNodeNone() and
argT instanceof ArgTypOption::None and
argAp = apNone() and
t = t0
)
PrevStage::parameterMayFlowThrough(node, apa) and
summaryCtx = TParamNodeSome(node.asNode()) and
argT = ArgTypOption::some(toArgTyp(t)) and
argAp = apSome(ap) and
t = t0 // getNodeTyp(node)
or
Param::nodeMayFlowNotThrough(node, apa) and
summaryCtx = TParamNodeNone() and
argT instanceof ArgTypOption::None and
argAp = apNone() and
t = t0
)
or
// flow out of a callable
Expand Down Expand Up @@ -2373,6 +2371,13 @@ module MakeImpl<InputSig Lang> {
)
}

pragma[nomagic]
additional predicate nodeMayFlowNotThrough(NodeEx node, Ap ap) {
revFlow(pragma[only_bind_into](node), _,
[TReturnCtxNone().(TReturnCtx), TReturnCtxNoFlowThrough()], _,
pragma[only_bind_into](ap))
}

pragma[nomagic]
private predicate revFlowThroughArg(
DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
Expand Down Expand Up @@ -2682,6 +2687,11 @@ module MakeImpl<InputSig Lang> {
exists(argAp)
}

bindingset[node, ap]
predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
PrevStage::nodeMayFlowNotThrough(node, ap)
}

pragma[nomagic]
private predicate expectsContentCand(NodeEx node) {
exists(Content c |
Expand Down Expand Up @@ -3009,6 +3019,11 @@ module MakeImpl<InputSig Lang> {
PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
}

bindingset[node, ap]
predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
PrevStage::nodeMayFlowNotThrough(node, ap)
}

pragma[nomagic]
private predicate expectsContentCand(NodeEx node, Ap ap) {
exists(Content c |
Expand Down Expand Up @@ -3090,6 +3105,11 @@ module MakeImpl<InputSig Lang> {
PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
}

bindingset[node, ap]
predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
PrevStage::nodeMayFlowNotThrough(node, ap)
}

pragma[nomagic]
private predicate expectsContentCand(NodeEx node, Ap ap) {
exists(Content c |
Expand Down Expand Up @@ -3136,6 +3156,7 @@ module MakeImpl<InputSig Lang> {
private predicate strengthenType(
NodeEx node, DataFlowType t0, DataFlowType t, boolean inSummaryCtx
) {
exists(inSummaryCtx) and
if castingNodeEx(node)
then
exists(DataFlowType nt | nt = node.getDataFlowType() |
Expand Down Expand Up @@ -3196,6 +3217,11 @@ module MakeImpl<InputSig Lang> {
PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
}

bindingset[node, ap]
predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
PrevStage::nodeMayFlowNotThrough(node, ap)
}

pragma[nomagic]
private predicate clearSet(NodeEx node, ContentSet c) {
PrevStage::revFlow(node) and
Expand Down Expand Up @@ -3295,6 +3321,11 @@ module MakeImpl<InputSig Lang> {
PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
}

bindingset[node, ap]
predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
PrevStage::nodeMayFlowNotThrough(node, ap)
}

pragma[nomagic]
private predicate clearSet(NodeEx node, ContentSet c) {
PrevStage::revFlow(node) and
Expand Down Expand Up @@ -3582,6 +3613,11 @@ module MakeImpl<InputSig Lang> {
PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
}

bindingset[node, ap]
predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
PrevStage::nodeMayFlowNotThrough(node, ap)
}

bindingset[node, state, t0, ap, inSummaryCtx]
predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t, boolean inSummaryCtx) {
strengthenType(node, t0, t, inSummaryCtx) and
Expand Down Expand Up @@ -4557,7 +4593,8 @@ module MakeImpl<InputSig Lang> {
(
sc = TSummaryCtxSome(p, state, t, ap)
or
not exists(TSummaryCtxSome(p, state, t, ap)) and
// not exists(TSummaryCtxSome(p, state, t, ap)) and
Stage5::nodeMayFlowNotThrough(p, ap.getApprox()) and
sc = TSummaryCtxNone() and
// When the call contexts of source and sink needs to match then there's
// never any reason to enter a callable except to find a summary. See also
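Review bot: In the last hunk (`@@ -4557,7 +4593,8 @@`) the old guard is left behind as a comment, `// not exists(TSummaryCtxSome(p, state, t, ap)) and`, instead of being deleted, and nothing explains the condition that replaces it. The replacement is also not equivalent: the old negation made the `TSummaryCtxNone()` branch exclusive with the `TSummaryCtxSome` branch, whereas `Stage5::nodeMayFlowNotThrough(p, ap.getApprox())` looks like it can hold for a parameter that also has a summary context, so both branches may now apply. If that is intended, drop the dead line and document it, e.g. `// enter without a summary context only if Stage5 found non-flow-through reverse flow for p`; the new `nodeMayFlowNotThrough` predicates added in the earlier hunks would benefit from a one-line QLDoc stating the same. Since this library decides which source-to-sink paths the security queries report, the only visible expected-output change (the `First<...>` nodes now typed `Object`) seems thin coverage for the behaviour change. The enclosing predicate starts and ends outside the hunk.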
