Merge pull request #12515 from aschackmull/java/neutral-dispatch

Java: Remove low-confidence dispatch to known neutrals.
2026-04-30 03:05:15 +02:00 · 2023-03-14 15:35:05 +01:00
parent c132891669 a9d2b936af
commit 30163e4f60
5 changed files with 16 additions and 1 deletions
--- a/java/ql/lib/change-notes/2023-03-14-neutral-dispatch.md
+++ b/java/ql/lib/change-notes/2023-03-14-neutral-dispatch.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Removed low-confidence call edges to known neutral call targets from the call graph used in data flow analysis. This includes, for example, custom `List.contains` implementations when the best inferrable type at the call site is simply `List`.
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSummary.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSummary.qll
@@ -171,6 +171,8 @@ class SummarizedCallableBase extends TSummarizedCallableBase {

 class SummarizedCallable = Impl::Public::SummarizedCallable;

+class NeutralCallable = Impl::Public::NeutralCallable;
+
 /**
 * An adapter class to add the flow summaries specified on `SyntheticCallable`
 * to `SummarizedCallable`.
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
@@ -11,6 +11,8 @@ private module DispatchImpl {
  private predicate hasHighConfidenceTarget(Call c) {
    exists(SummarizedCallable sc | sc.getACall() = c and not sc.isAutoGenerated())
    or
+    exists(NeutralCallable nc | nc.getACall() = c and nc.isManual())
+    or
    exists(Callable srcTgt |
      srcTgt = VirtualDispatch::viableCallable(c) and
      not VirtualDispatch::lowConfidenceDispatchTarget(c, srcTgt)
--- a/java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll
@@ -236,6 +236,12 @@ private VirtualMethodAccess objectToString(ObjNode n) {
  result.getQualifier() = n.asExpr() and sink(n)
 }

+/**
+ * Holds if `ma` is an `Object.toString()` call taking possibly improved type
+ * bounds into account.
+ */
+predicate objectToStringCall(VirtualMethodAccess ma) { ma = objectToString(_) }
+
 /**
 * Holds if the qualifier of the `Object.toString()` call `ma` might have type `t`.
 */
--- a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
@@ -93,7 +93,8 @@ private module Dispatch {
      exists(RefType t | qualUnionType(ma, t, false) |
        lowConfidenceDispatchType(t.getSourceDeclaration())
      )
-    )
+    ) and
+    not ObjFlow::objectToStringCall(ma)
  }

  private predicate lowConfidenceDispatchType(SrcRefType t) {