Merge pull request #21592 from hvitved/dataflow/source-call-context-type-flow

Data flow: Add hook for preventing lambda dispatch in source call contexts
2026-04-23 07:45:17 +02:00 · 2026-04-09 13:44:42 +02:00
parent fb0ee5b987 d704b753c8
commit 33cc887be0
6 changed files with 86 additions and 3 deletions
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplSpecific.qll
@@ -29,4 +29,8 @@ module CsharpDataFlow implements InputSig<Location> {
  predicate neverSkipInPathGraph(Node n) {
    exists(n.(AssignableDefinitionNode).getDefinition().getTargetAccess())
  }
+
+  DataFlowType getSourceContextParameterNodeType(Node p) {
+    exists(p) and result.isSourceContextParameterType()
+  }
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -1179,7 +1179,8 @@ private module Cached {
  cached
  newtype TDataFlowType =
    TGvnDataFlowType(Gvn::GvnType t) or
-    TDelegateDataFlowType(Callable lambda) { lambdaCreationExpr(_, lambda) }
+    TDelegateDataFlowType(Callable lambda) { lambdaCreationExpr(_, lambda) } or
+    TSourceContextParameterType()
 }

 import Cached
@@ -2394,6 +2395,8 @@ class DataFlowType extends TDataFlowType {

  Callable asDelegate() { this = TDelegateDataFlowType(result) }

+  predicate isSourceContextParameterType() { this = TSourceContextParameterType() }
+
  /**
   * Gets an expression that creates a delegate of this type.
   *
@@ -2412,6 +2415,9 @@ class DataFlowType extends TDataFlowType {
    result = this.asGvnType().toString()
    or
    result = this.asDelegate().toString()
+    or
+    this.isSourceContextParameterType() and
+    result = "<source context parameter type>"
  }
 }

@@ -2469,6 +2475,11 @@ private predicate compatibleTypesDelegateLeft(DataFlowType dt1, DataFlowType dt2
  )
 }

+pragma[nomagic]
+private predicate compatibleTypesSourceContextParameterTypeLeft(DataFlowType dt1, DataFlowType dt2) {
+  dt1.isSourceContextParameterType() and not exists(dt2.asDelegate())
+}
+
 /**
 * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
 * a node of type `t1` to a node of type `t2`.
@@ -2499,6 +2510,10 @@ predicate compatibleTypes(DataFlowType dt1, DataFlowType dt2) {
  compatibleTypesDelegateLeft(dt2, dt1)
  or
  dt1.asDelegate() = dt2.asDelegate()
+  or
+  compatibleTypesSourceContextParameterTypeLeft(dt1, dt2)
+  or
+  compatibleTypesSourceContextParameterTypeLeft(dt2, dt1)
 }

 pragma[nomagic]
@@ -2511,6 +2526,8 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) {
  uselessTypebound(t2)
  or
  compatibleTypesDelegateLeft(t1, t2)
+  or
+  compatibleTypesSourceContextParameterTypeLeft(t1, t2)
 }

 /**
--- a/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
+++ b/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
@@ -536,6 +536,12 @@ public class HigherOrderParameters
    {
        a(o);
    }
+
+    private void CallApply()
+    {
+        // Test that this call to `Apply` does not interfere with the flow summaries generated for `Apply`
+        Apply(x => x, null);
+    }
 }

 public static class HigherOrderExtensionMethods