temp

hvitved · hvitved · commit b4b45d604f7f · 2024-01-29T10:50:32.000+01:00
diff --git a/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected b/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected
@@ -31,17 +31,17 @@ edges
 | CollectionFlow.cs:25:58:25:61 | dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:25:67:25:70 | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
 | CollectionFlow.cs:25:67:25:70 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:25:67:25:73 | access to indexer : A |
 | CollectionFlow.cs:27:59:27:62 | dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:27:68:27:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
-| CollectionFlow.cs:27:68:27:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A |
-| CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A | CollectionFlow.cs:27:68:27:85 | access to property Value : A |
+| CollectionFlow.cs:27:68:27:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A |
+| CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A | CollectionFlow.cs:27:68:27:85 | access to property Value : A |
 | CollectionFlow.cs:29:60:29:63 | dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:29:69:29:72 | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
 | CollectionFlow.cs:29:69:29:72 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:29:69:29:79 | access to property Values : ICollection<T> [element] : A |
 | CollectionFlow.cs:29:69:29:79 | access to property Values : ICollection<T> [element] : A | CollectionFlow.cs:29:69:29:87 | call to method First<T> : A |
 | CollectionFlow.cs:31:58:31:61 | dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:31:67:31:70 | access to parameter dict : Dictionary<T,T> [element, property Key] : A |
 | CollectionFlow.cs:31:67:31:70 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:31:67:31:75 | access to property Keys : ICollection<T> [element] : A |
 | CollectionFlow.cs:31:67:31:75 | access to property Keys : ICollection<T> [element] : A | CollectionFlow.cs:31:67:31:83 | call to method First<T> : A |
 | CollectionFlow.cs:33:57:33:60 | dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:33:66:33:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A |
-| CollectionFlow.cs:33:66:33:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A |
-| CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A | CollectionFlow.cs:33:66:33:81 | access to property Key : A |
+| CollectionFlow.cs:33:66:33:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A |
+| CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A | CollectionFlow.cs:33:66:33:81 | access to property Key : A |
 | CollectionFlow.cs:35:49:35:52 | args : A[] [element] : A | CollectionFlow.cs:35:63:35:66 | access to parameter args : A[] [element] : A |
 | CollectionFlow.cs:35:49:35:52 | args : null [element] : A | CollectionFlow.cs:35:63:35:66 | access to parameter args : null [element] : A |
 | CollectionFlow.cs:35:63:35:66 | access to parameter args : A[] [element] : A | CollectionFlow.cs:35:63:35:69 | access to array element |
@@ -278,7 +278,7 @@ nodes
 | CollectionFlow.cs:25:67:25:73 | access to indexer : A | semmle.label | access to indexer : A |
 | CollectionFlow.cs:27:59:27:62 | dict : Dictionary<T,T> [element, property Value] : A | semmle.label | dict : Dictionary<T,T> [element, property Value] : A |
 | CollectionFlow.cs:27:68:27:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | semmle.label | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
-| CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A | semmle.label | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A |
+| CollectionFlow.cs:27:68:27:79 | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A | semmle.label | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A |
 | CollectionFlow.cs:27:68:27:85 | access to property Value : A | semmle.label | access to property Value : A |
 | CollectionFlow.cs:29:60:29:63 | dict : Dictionary<T,T> [element, property Value] : A | semmle.label | dict : Dictionary<T,T> [element, property Value] : A |
 | CollectionFlow.cs:29:69:29:72 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | semmle.label | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
@@ -290,7 +290,7 @@ nodes
 | CollectionFlow.cs:31:67:31:83 | call to method First<T> : A | semmle.label | call to method First<T> : A |
 | CollectionFlow.cs:33:57:33:60 | dict : Dictionary<T,T> [element, property Key] : A | semmle.label | dict : Dictionary<T,T> [element, property Key] : A |
 | CollectionFlow.cs:33:66:33:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | semmle.label | access to parameter dict : Dictionary<T,T> [element, property Key] : A |
-| CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A | semmle.label | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A |
+| CollectionFlow.cs:33:66:33:77 | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A | semmle.label | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A |
 | CollectionFlow.cs:33:66:33:81 | access to property Key : A | semmle.label | access to property Key : A |
 | CollectionFlow.cs:35:49:35:52 | args : A[] [element] : A | semmle.label | args : A[] [element] : A |
 | CollectionFlow.cs:35:49:35:52 | args : null [element] : A | semmle.label | args : null [element] : A |
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -961,6 +961,12 @@ module MakeImpl<InputSig Lang> {
         exists(ap)
       }
 
+      pragma[nomagic]
+      additional predicate nodeMayFlowNotThrough(NodeEx node, Ap ap) {
+        revFlow(node, false) and
+        exists(ap)
+      }
+
       pragma[nomagic]
       predicate callMayFlowThroughRev(DataFlowCall call) {
         exists(ArgNodeEx arg, boolean toReturn |
@@ -1265,6 +1271,9 @@ module MakeImpl<InputSig Lang> {
         bindingset[p, argAp, node, ap]
         predicate nodeMayFlowThrough(ParamNode p, ApApprox argAp, NodeEx node, ApApprox ap);
 
+        bindingset[node, ap]
+        predicate nodeMayFlowNotThrough(NodeEx node, ApApprox ap);
+
         bindingset[node, state, t0, ap, inSummaryCtx]
         predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t, boolean inSummaryCtx);
 
@@ -1333,29 +1342,19 @@ module MakeImpl<InputSig Lang> {
           NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ArgTypOption argT,
           ApOption argAp, Typ t0, Typ t, Ap ap, ApApprox apa
         ) {
-          exists(ParamNodeOption summaryCtx0, ApOption argAp0, boolean inSummaryCtx |
-            fwdFlow0(node, state, cc, summaryCtx0, argT, argAp0, t0, ap, apa) and
+          exists(boolean inSummaryCtx |
+            fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t0, ap, apa) and
             PrevStage::revFlow(node, state, apa) and
             (
               exists(ParamNode p, ApApprox argApa |
-                summaryCtx0 = TParamNodeSome(p) and
-                argAp0 = apSome(any(Ap argAp1 | argApa = getApprox(argAp1)))
-              |
-                if Param::nodeMayFlowThrough(p, argApa, node, apa)
-                then
-                  summaryCtx = summaryCtx0 and
-                  argAp = argAp0 and
-                  inSummaryCtx = true
-                else (
-                  summaryCtx = TParamNodeNone() and
-                  argAp = apNone() and
-                  inSummaryCtx = false
-                )
+                summaryCtx = TParamNodeSome(p) and
+                argAp = apSome(any(Ap argAp1 | argApa = getApprox(argAp1))) and
+                Param::nodeMayFlowThrough(p, argApa, node, apa) and
+                inSummaryCtx = true
               )
               or
-              summaryCtx0 = TParamNodeNone() and
-              summaryCtx = summaryCtx0 and
-              argAp = argAp0 and
+              summaryCtx = TParamNodeNone() and
+              Param::nodeMayFlowNotThrough(node, apa) and
               inSummaryCtx = false
             ) and
             filter(node, state, t0, ap, t, inSummaryCtx)
@@ -1414,18 +1413,17 @@ module MakeImpl<InputSig Lang> {
           or
           // flow into a callable
           exists(Typ t0 | fwdFlowIn(node, apa, state, cc, t0, ap) |
-            if PrevStage::parameterMayFlowThrough(node, apa)
-            then
-              summaryCtx = TParamNodeSome(node.asNode()) and
-              argT = ArgTypOption::some(toArgTyp(t)) and
-              argAp = apSome(ap) and
-              t = t0 // getNodeTyp(node)
-            else (
-              summaryCtx = TParamNodeNone() and
-              argT instanceof ArgTypOption::None and
-              argAp = apNone() and
-              t = t0
-            )
+            PrevStage::parameterMayFlowThrough(node, apa) and
+            summaryCtx = TParamNodeSome(node.asNode()) and
+            argT = ArgTypOption::some(toArgTyp(t)) and
+            argAp = apSome(ap) and
+            t = t0 // getNodeTyp(node)
+            or
+            Param::nodeMayFlowNotThrough(node, apa) and
+            summaryCtx = TParamNodeNone() and
+            argT instanceof ArgTypOption::None and
+            argAp = apNone() and
+            t = t0
           )
           or
           // flow out of a callable
@@ -2373,6 +2371,13 @@ module MakeImpl<InputSig Lang> {
           )
         }
 
+        pragma[nomagic]
+        additional predicate nodeMayFlowNotThrough(NodeEx node, Ap ap) {
+          revFlow(pragma[only_bind_into](node), _,
+            [TReturnCtxNone().(TReturnCtx), TReturnCtxNoFlowThrough()], _,
+            pragma[only_bind_into](ap))
+        }
+
         pragma[nomagic]
         private predicate revFlowThroughArg(
           DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
@@ -2682,6 +2687,11 @@ module MakeImpl<InputSig Lang> {
         exists(argAp)
       }
 
+      bindingset[node, ap]
+      predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
+        PrevStage::nodeMayFlowNotThrough(node, ap)
+      }
+
       pragma[nomagic]
       private predicate expectsContentCand(NodeEx node) {
         exists(Content c |
@@ -3009,6 +3019,11 @@ module MakeImpl<InputSig Lang> {
         PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
       }
 
+      bindingset[node, ap]
+      predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
+        PrevStage::nodeMayFlowNotThrough(node, ap)
+      }
+
       pragma[nomagic]
       private predicate expectsContentCand(NodeEx node, Ap ap) {
         exists(Content c |
@@ -3090,6 +3105,11 @@ module MakeImpl<InputSig Lang> {
         PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
       }
 
+      bindingset[node, ap]
+      predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
+        PrevStage::nodeMayFlowNotThrough(node, ap)
+      }
+
       pragma[nomagic]
       private predicate expectsContentCand(NodeEx node, Ap ap) {
         exists(Content c |
@@ -3136,6 +3156,7 @@ module MakeImpl<InputSig Lang> {
     private predicate strengthenType(
       NodeEx node, DataFlowType t0, DataFlowType t, boolean inSummaryCtx
     ) {
+      exists(inSummaryCtx) and
       if castingNodeEx(node)
       then
         exists(DataFlowType nt | nt = node.getDataFlowType() |
@@ -3196,6 +3217,11 @@ module MakeImpl<InputSig Lang> {
         PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
       }
 
+      bindingset[node, ap]
+      predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
+        PrevStage::nodeMayFlowNotThrough(node, ap)
+      }
+
       pragma[nomagic]
       private predicate clearSet(NodeEx node, ContentSet c) {
         PrevStage::revFlow(node) and
@@ -3295,6 +3321,11 @@ module MakeImpl<InputSig Lang> {
         PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
       }
 
+      bindingset[node, ap]
+      predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
+        PrevStage::nodeMayFlowNotThrough(node, ap)
+      }
+
       pragma[nomagic]
       private predicate clearSet(NodeEx node, ContentSet c) {
         PrevStage::revFlow(node) and
@@ -3582,6 +3613,11 @@ module MakeImpl<InputSig Lang> {
         PrevStage::nodeMayFlowThrough(p, argAp, node, ap)
       }
 
+      bindingset[node, ap]
+      predicate nodeMayFlowNotThrough(NodeEx node, PrevStage::Ap ap) {
+        PrevStage::nodeMayFlowNotThrough(node, ap)
+      }
+
       bindingset[node, state, t0, ap, inSummaryCtx]
       predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t, boolean inSummaryCtx) {
         strengthenType(node, t0, t, inSummaryCtx) and
@@ -4557,7 +4593,8 @@ module MakeImpl<InputSig Lang> {
         (
           sc = TSummaryCtxSome(p, state, t, ap)
           or
-          not exists(TSummaryCtxSome(p, state, t, ap)) and
+          // not exists(TSummaryCtxSome(p, state, t, ap)) and
+          Stage5::nodeMayFlowNotThrough(p, ap.getApprox()) and
           sc = TSummaryCtxNone() and
           // When the call contexts of source and sink needs to match then there's
           // never any reason to enter a callable except to find a summary. See also
