Merge pull request #16561 from aschackmull/java/typeflow-effectively-private

Java: Improve dispatch through TypeFlow of effectively private calls.
2026-04-27 09:45:15 +02:00 · 2024-05-31 15:11:18 +02:00
parent 01c1acd43f 70d3be0a3a
commit 06ce40c687
3 changed files with 20 additions and 4 deletions
--- a/java/ql/lib/change-notes/2024-05-23-typeflow-precision.md
+++ b/java/ql/lib/change-notes/2024-05-23-typeflow-precision.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The precision of virtual dispatch has been improved. This increases precision in general for all data flow queries. 
--- a/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll
@@ -63,12 +63,24 @@ private module Input implements TypeFlowInput<Location> {

  class Type = RefType;

+  private SrcCallable viableCallable_v1(Call c) {
+    result = viableImpl_v1(c)
+    or
+    c instanceof ConstructorCall and result = c.getCallee().getSourceDeclaration()
+  }
+
  /**
-   * Holds if `arg` is an argument for the parameter `p` in a private callable.
+   * Holds if `arg` is an argument for the parameter `p` in a sufficiently
+   * private callable that the closed-world assumption applies.
   */
  private predicate privateParamArg(Parameter p, Argument arg) {
-    p.getAnArgument() = arg and
-    p.getCallable().isPrivate()
+    exists(SrcCallable c, Call call |
+      c = p.getCallable() and
+      not c.isImplicitlyPublic() and
+      not p.isVarargs() and
+      c = viableCallable_v1(call) and
+      call.getArgument(pragma[only_bind_into](pragma[only_bind_out](p.getPosition()))) = arg
+    )
  }

  /**