From 789e2e48cff835087d0adbd265abb155217ef907 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Wed, 18 Aug 2021 09:17:49 +0200
Subject: [PATCH 1/5] C#: Remove temporary dispatch restriction

---
 csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll b/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll
index 37ed99c37bb..f06fbca375d 100644
--- a/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll
@@ -508,7 +508,7 @@ private module Internal {
 override RuntimeCallable getADynamicTarget() {
 result = getAViableInherited()
 or
- result = getAViableOverrider() and strictcount(getAViableOverrider()) < 1000
+ result = getAViableOverrider()
 or
 // Simple case: target method cannot be overridden
 result = getAStaticTarget() and

From 7fc536db1521165ee9adcd69695e3ed78a43bcdb Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Tue, 17 Aug 2021 13:09:45 +0200
Subject: [PATCH 2/5] Data flow: Add precise call contexts to stage 2

---
 .../csharp/dataflow/internal/DataFlowImpl.qll | 29 ++++++++++---------
 .../dataflow/internal/DataFlowImplCommon.qll | 22 +++++++++++---
 2 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 5c2dbb30084..f2c742a52ae 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
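Review bot: Dropping `strictcount(getAViableOverrider()) < 1000` leaves `getADynamicTarget()` with no bound on the number of viable overriders, and nothing at the site records why the cap became unnecessary; the title only calls it temporary, so the next person who sees dispatch blow up on a wide class hierarchy will be tempted to put it back. A short comment on the surviving line would settle that, e.g. `// No overrider cap: precise call contexts in the data-flow stages make it unnecessary` — if that is indeed the reason (patch 2/5 of this series adds precise call contexts to stage 2), otherwise state the actual one. The body of `getADynamicTarget()` continues past the hunk; its last visible line ends with `and`.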
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } @@ -2117,7 +2118,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
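Review bot: `getCallContextReturn` declares its result as `CcNoCall` (`CallContextNoCall`), but its `else` branch yields `ccNone()`, which is typed `Cc` and is a `CallContextAny`; that only produces a result if `CallContextAny` is a subclass of `CallContextNoCall`, which nothing in the hunk shows. Declaring it as `CcNoCall ccNone() { result instanceof CallContextAny }` puts that requirement in the signature instead of leaving it implicit at the call site. The `if` in `getCallContextCall` also depends on `recordDataFlowCallSiteDispatch`, which this commit introduces in `DataFlowImplCommon.qll`, so the two hunks cannot be split across commits. Any Stage2 sites that still pass `true`/`false` for `Cc` are outside this hunk and should be checked against the new alias; the `flowCandSummaryCtx` hunk on this line already does that for the Stage3 call.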
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll index 728f7b56c42..f588a25a176 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll @@ -786,13 +786,18 @@ private module Cached { } /** - * Holds if the call context `call` either improves virtual dispatch in - * `callable` or if it allows us to prune unreachable nodes in `callable`. + * Holds if the call context `call` improves virtual dispatch in `callable`. */ cached - predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) { + predicate recordDataFlowCallSiteDispatch(DataFlowCall call, DataFlowCallable callable) { reducedViableImplInCallContext(_, callable, call) - or + } + + /** + * Holds if the call context `call` allows us to prune unreachable nodes in `callable`. + */ + cached + predicate recordDataFlowCallSiteUnreachable(DataFlowCall call, DataFlowCallable callable) { exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call)) } @@ -846,6 +851,15 @@ private module Cached { TAccessPathFrontSome(AccessPathFront apf) } +/** + * Holds if the call context `call` either improves virtual dispatch in + * `callable` or if it allows us to prune unreachable nodes in `callable`. + */ +predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) { + recordDataFlowCallSiteDispatch(call, callable) or + recordDataFlowCallSiteUnreachable(call, callable) +} + /** * A `Node` at which a cast can occur such that the type should be checked. */ From 136c8b5192f43ea226c08a4771e4f3598f3ceb14 Mon Sep 17 00:00:00 2001 
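Review bot: The re-introduced `recordDataFlowCallSite` in the second hunk now sits outside `private module Cached` and carries no `cached` annotation, while both predicates it disjoins are `cached`. If that is deliberate (a cheap disjunction of two cached relations), a comment would keep someone from moving it back or re-adding the annotation, e.g. `// Not cached on purpose: cheap disjunction of two cached predicates.`; if it is not deliberate, it belongs back inside `Cached`. The split into `recordDataFlowCallSiteDispatch` and `recordDataFlowCallSiteUnreachable` in the first hunk is documented and reads fine.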
From: Tom Hvitved
Date: Wed, 25 Aug 2021 11:02:45 +0200
Subject: [PATCH 3/5] Data flow: Improve `callMayFlowThroughFwd` join order

Before:

```
[2021-08-25 09:56:29] (1395s) Tuple counts for DataFlowImpl2::Stage3::callMayFlowThroughFwd#ff/2@111fb3:
15495496 ~5% {5} r1 = SCAN DataFlowImpl2::Stage3::fwdFlowOutFromArg#fffff#reorder_0_2_4_1_3 OUTPUT In.3, In.4, In.2 'config', In.0 'call', In.1
1450611958 ~6335% {5} r2 = JOIN r1 WITH DataFlowImpl2::Stage3::fwdFlow#fffff_03412#join_rhs ON FIRST 3 OUTPUT Lhs.3 'call', Lhs.4, Lhs.2 'config', Rhs.3, Rhs.4
7043648 ~20415% {2} r3 = JOIN r2 WITH DataFlowImpl2::Stage3::fwdFlowIsEntered#fffff#reorder_0_3_4_1_2 ON FIRST 5 OUTPUT Lhs.0 'call', Lhs.2 'config'
return r3
```

After:

```
[2021-08-25 10:57:02] (2652s) Tuple counts for DataFlowImpl2::Stage3::callMayFlowThroughFwd#ff/2@d3e27b:
15495496 ~0% {6} r1 = SCAN DataFlowImpl2::Stage3::fwdFlowOutFromArg#fffff#reorder_0_2_4_1_3 OUTPUT In.0 'call', In.1, In.2 'config', In.3, In.4, In.2 'config'
9236888 ~22% {7} r2 = JOIN r1 WITH DataFlowImpl2::Stage3::fwdFlowIsEntered#fffff#reorder_0_3_4_1_2 ON FIRST 3 OUTPUT Lhs.3, Rhs.3, Rhs.4, Lhs.4, Lhs.5, Lhs.0 'call', Lhs.2 'config'
7043648 ~20415% {2} r3 = JOIN r2 WITH DataFlowImpl2::Stage3::fwdFlow#fffff ON FIRST 5 OUTPUT Lhs.5 'call', Lhs.6 'config'
return r3
```
---
 .../csharp/dataflow/internal/DataFlowImpl.qll | 21 ++++++++-----------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index f2c742a52ae..bd6ca5e996b 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1170,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1858,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } 
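Review bot: The rewrite of `callMayFlowThroughFwd` encodes a join order purely through `pragma[only_bind_out]` on every `fwdFlow` argument, and the file itself says nothing about why; the rationale lives only in the commit message, so a later cleanup that "simplifies" the pragmas will silently reintroduce the 1.4-billion-tuple intermediate shown in the Before log. Add a comment above the `exists`, e.g. `// Join order matters: scan fwdFlowOutFromArg, join fwdFlowIsEntered on call, and only then join fwdFlow (see tuple counts in the commit message).` — the After log shows exactly that order (r1 = SCAN fwdFlowOutFromArg, r2 = JOIN fwdFlowIsEntered, r3 = JOIN fwdFlow). The same rewrite is made identically in the Stage3 hunk on this line and the Stage4 hunk that follows; since the three bodies are textually identical the comment belongs in all three, unless the predicate can be hoisted into shared code, which the per-stage `Ap`/`Cc` types may preclude.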
@@ -2616,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } From c3ecae503ba85620442e0635e14b83a758e3f63e Mon Sep 17 00:00:00 2001 
From: Tom Hvitved Date: Wed, 1 Sep 2021 19:57:44 +0200 Subject: [PATCH 4/5] Data flow: Sync files --- .../cpp/dataflow/internal/DataFlowImpl.qll | 50 +++++++++---------- .../cpp/dataflow/internal/DataFlowImpl2.qll | 50 +++++++++---------- .../cpp/dataflow/internal/DataFlowImpl3.qll | 50 +++++++++---------- .../cpp/dataflow/internal/DataFlowImpl4.qll | 50 +++++++++---------- .../dataflow/internal/DataFlowImplCommon.qll | 22 ++++++-- .../dataflow/internal/DataFlowImplLocal.qll | 50 +++++++++---------- .../cpp/ir/dataflow/internal/DataFlowImpl.qll | 50 +++++++++---------- .../ir/dataflow/internal/DataFlowImpl2.qll | 50 +++++++++---------- .../ir/dataflow/internal/DataFlowImpl3.qll | 50 +++++++++---------- .../ir/dataflow/internal/DataFlowImpl4.qll | 50 +++++++++---------- .../dataflow/internal/DataFlowImplCommon.qll | 22 ++++++-- .../dataflow/internal/DataFlowImpl2.qll | 50 +++++++++---------- .../dataflow/internal/DataFlowImpl3.qll | 50 +++++++++---------- .../dataflow/internal/DataFlowImpl4.qll | 50 +++++++++---------- .../dataflow/internal/DataFlowImpl5.qll | 50 +++++++++---------- .../java/dataflow/internal/DataFlowImpl.qll | 50 +++++++++---------- .../java/dataflow/internal/DataFlowImpl2.qll | 50 +++++++++---------- .../java/dataflow/internal/DataFlowImpl3.qll | 50 +++++++++---------- .../java/dataflow/internal/DataFlowImpl4.qll | 50 +++++++++---------- .../java/dataflow/internal/DataFlowImpl5.qll | 50 +++++++++---------- .../java/dataflow/internal/DataFlowImpl6.qll | 50 +++++++++---------- .../dataflow/internal/DataFlowImplCommon.qll | 22 ++++++-- .../DataFlowImplForSerializability.qll | 50 +++++++++---------- .../dataflow/new/internal/DataFlowImpl.qll | 50 +++++++++---------- .../dataflow/new/internal/DataFlowImpl2.qll | 50 +++++++++---------- .../dataflow/new/internal/DataFlowImpl3.qll | 50 +++++++++---------- .../dataflow/new/internal/DataFlowImpl4.qll | 50 +++++++++---------- .../new/internal/DataFlowImplCommon.qll | 22 ++++++-- 28 files changed, 648 
insertions(+), 640 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll @@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll index 728f7b56c42..f588a25a176 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll @@ -786,13 +786,18 @@ private module Cached { } /** - * Holds if the call context `call` either improves virtual dispatch in - * `callable` or if it allows us to prune unreachable nodes in `callable`. + * Holds if the call context `call` improves virtual dispatch in `callable`. */ cached - predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) { + predicate recordDataFlowCallSiteDispatch(DataFlowCall call, DataFlowCallable callable) { reducedViableImplInCallContext(_, callable, call) - or + } + + /** + * Holds if the call context `call` allows us to prune unreachable nodes in `callable`. + */ + cached + predicate recordDataFlowCallSiteUnreachable(DataFlowCall call, DataFlowCallable callable) { exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call)) } 
@@ -846,6 +851,15 @@ private module Cached { TAccessPathFrontSome(AccessPathFront apf) } +/** + * Holds if the call context `call` either improves virtual dispatch in + * `callable` or if it allows us to prune unreachable nodes in `callable`. + */ +predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) { + recordDataFlowCallSiteDispatch(call, callable) or + recordDataFlowCallSiteUnreachable(call, callable) +} + /** * A `Node` at which a cast can occur such that the type should be checked. */ diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll index 728f7b56c42..f588a25a176 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll @@ -786,13 +786,18 @@ private module Cached { } /** - * Holds if the call context `call` either improves virtual dispatch in - * `callable` or if it allows us to prune unreachable nodes in `callable`. + * Holds if the call context `call` improves virtual dispatch in `callable`. */ cached - predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) { + predicate recordDataFlowCallSiteDispatch(DataFlowCall call, DataFlowCallable callable) { reducedViableImplInCallContext(_, callable, call) - or + } + + /** + * Holds if the call context `call` allows us to prune unreachable nodes in `callable`. + */ + cached + predicate recordDataFlowCallSiteUnreachable(DataFlowCall call, DataFlowCallable callable) { exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call)) } 
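Review bot: The split of `recordDataFlowCallSite` into the two `cached` predicates `recordDataFlowCallSiteDispatch` and `recordDataFlowCallSiteUnreachable` does not say which consumers are meant to use which half, and since Stage 2 in this series now calls only the dispatch half, that dependency is invisible from `DataFlowImplCommon.qll`. Extending the QLDoc of `recordDataFlowCallSiteDispatch` with `* Stage 2 of the data-flow library uses only this predicate; the other stages use `recordDataFlowCallSite`.` (wording to be confirmed against the stage code) would document the contract at its definition. The reassembled `recordDataFlowCallSite` in the next hunk is no longer `cached` and sits outside the `Cached` module; that is presumably fine because it is just a disjunction of two cached relations, but its QLDoc could note that so nobody re-adds `cached` to it. The `Cached` module begins outside this hunk; the same pair of hunks is presumably present in the csharp `DataFlowImplCommon.qll` named in the series' diffstat, which is not in this chunk.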
@@ -846,6 +851,15 @@ private module Cached { TAccessPathFrontSome(AccessPathFront apf) } +/** + * Holds if the call context `call` either improves virtual dispatch in + * `callable` or if it allows us to prune unreachable nodes in `callable`. + */ +predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) { + recordDataFlowCallSiteDispatch(call, callable) or + recordDataFlowCallSiteUnreachable(call, callable) +} + /** * A `Node` at which a cast can occur such that the type should be checked. */ diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
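Review bot: `getCallContextCall` in Stage 2 consults only `recordDataFlowCallSiteDispatch`, not the unreachable-node half that the old combined `recordDataFlowCallSite` also covered, and nothing in the hunk says this is deliberate; a reader comparing it with later stages will wonder whether unreachability pruning was lost. A comment above the `if` such as `// Stage 2 records a specific call site only when it refines virtual dispatch; unreachable-node pruning is not applied at this stage` would pin the intent (I am inferring the intent from the predicate split in DataFlowImplCommon in this same patch; please confirm). Separately, `getCallContextReturn` falls back to `ccNone()`, whose declared type is `Cc`, so the `else` branch only yields a `CcNoCall` if `CallContextAny` values are also `CallContextNoCall` values, a relationship not visible here; a doc line on `ccNone()` stating it, e.g. `/** The unconstrained call context; a `CallContextNoCall`, so it is also a valid return context. */`, would make the fallback self-explanatory. This hunk is repeated verbatim in the other DataFlowImpl copies in this patch.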
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll 
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -1857,11 +1857,10 @@ private module Stage3 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } @@ -2117,7 +2116,7 @@ private module Stage3 { private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) { exists(AccessPathFront apf | Stage3::revFlow(node, true, _, apf, config) and - Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config) + Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config) ) } 
@@ -2615,11 +2614,10 @@ private module Stage4 { pragma[nomagic] private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) { exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap | - fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap, - pragma[only_bind_into](config)) and + fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp), + pragma[only_bind_out](ap), pragma[only_bind_out](config)) and fwdFlowOutFromArg(call, out, argAp0, ap, config) and - fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0, - pragma[only_bind_into](config)) + fwdFlowIsEntered(call, cc, argAp, argAp0, config) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll index 728f7b56c42..f588a25a176 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @@ -786,13 +786,18 @@ private module Cached { } /** - * Holds if the call context `call` either improves virtual dispatch in - * `callable` or if it allows us to prune unreachable nodes in `callable`. + * Holds if the call context `call` improves virtual dispatch in `callable`. */ cached - predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) { + predicate recordDataFlowCallSiteDispatch(DataFlowCall call, DataFlowCallable callable) { reducedViableImplInCallContext(_, callable, call) - or + } + + /** + * Holds if the call context `call` allows us to prune unreachable nodes in `callable`. + */ + cached + predicate recordDataFlowCallSiteUnreachable(DataFlowCall call, DataFlowCallable callable) { exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call)) } 
@@ -846,6 +851,15 @@ private module Cached { TAccessPathFrontSome(AccessPathFront apf) } +/** + * Holds if the call context `call` either improves virtual dispatch in + * `callable` or if it allows us to prune unreachable nodes in `callable`. + */ +predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) { + recordDataFlowCallSiteDispatch(call, callable) or + recordDataFlowCallSiteUnreachable(call, callable) +} + /** * A `Node` at which a cast can occur such that the type should be checked. */ diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll index 5c2dbb30084..bd6ca5e996b 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll 
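Review bot: The new top-level `recordDataFlowCallSite` keeps the old name and the old doc comment but is now a plain disjunction of two `cached` predicates from `Cached`, and nothing tells a reader which of the three to use; since Stage 2 in this same patch switches to `recordDataFlowCallSiteDispatch` alone, the doc should say so explicitly. I would add a line to the comment: ` * Equivalent to recordDataFlowCallSiteDispatch(call, callable) or recordDataFlowCallSiteUnreachable(call, callable); use one of those directly when only one effect is wanted (the Stage 2 call-context computation uses only the former).` The predicate is added at column 0 after the closing brace of `private module Cached`, whose start lies outside this hunk, so I cannot tell from here whether any existing caller relied on the old predicate being `cached`; if one did, a `pragma[inline]` or moving it back inside `Cached` may be worth considering.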
@@ -923,28 +923,29 @@ private module Stage2 { ApOption apSome(Ap ap) { result = TBooleanSome(ap) } - class Cc = boolean; + class Cc = CallContext; - class CcCall extends Cc { - CcCall() { this = true } + class CcCall = CallContextCall; - /** Holds if this call context may be `call`. */ - predicate matchesCall(DataFlowCall call) { any() } - } + class CcNoCall = CallContextNoCall; - class CcNoCall extends Cc { - CcNoCall() { this = false } - } - - Cc ccNone() { result = false } + Cc ccNone() { result instanceof CallContextAny } private class LocalCc = Unit; bindingset[call, c, outercc] - private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() } + private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { + checkCallContextCall(outercc, call, c) and + if recordDataFlowCallSiteDispatch(call, c) + then result = TSpecificCall(call) + else result = TSomeCall() + } bindingset[call, c, innercc] - private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() } + private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { + checkCallContextReturn(innercc, c, call) and + if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone() + } bindingset[node, cc, config] private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() } 
@@ -1169,11 +1170,10 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -1857,11 +1857,10 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -2117,7 +2116,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
 exists(AccessPathFront apf |
 Stage3::revFlow(node, true, _, apf, config) and
- Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
+ Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
 )
 }
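Review bot: The `only_bind_into` → `only_bind_out` flip on every `fwdFlow` argument in `callMayFlowThroughFwd`, repeated in the Stage3 hunk on this line and the Stage4 hunk on L70 (and again on L72, L73, L75, L76, L78, L79, L81, L82), is reversed by patch 5/5 of this same series (L85 onward), which restores `only_bind_into` and extends it to `fwdFlowIsEntered`. The intermediate arrangement never ships, no comment records what it was trying to achieve, and it doubles the review surface for the same predicate. Squashing these hunks into the final form of patch 5/5, or at least recording the join-order reasoning in a comment there, would leave a cleaner history.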
@@ -2615,11 +2614,10 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index 5c2dbb30084..bd6ca5e996b 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -923,28 +923,29 @@ private module Stage2 {
 ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
- class Cc = boolean;
+ class Cc = CallContext;
- class CcCall extends Cc {
- CcCall() { this = true }
+ class CcCall = CallContextCall;
- /** Holds if this call context may be `call`. */
- predicate matchesCall(DataFlowCall call) { any() }
- }
+ class CcNoCall = CallContextNoCall;
- class CcNoCall extends Cc {
- CcNoCall() { this = false }
- }
-
- Cc ccNone() { result = false }
+ Cc ccNone() { result instanceof CallContextAny }
 private class LocalCc = Unit;
 bindingset[call, c, outercc]
- private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
+ private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
+ checkCallContextCall(outercc, call, c) and
+ if recordDataFlowCallSiteDispatch(call, c)
+ then result = TSpecificCall(call)
+ else result = TSomeCall()
+ }
 bindingset[call, c, innercc]
- private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
+ private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
+ checkCallContextReturn(innercc, c, call) and
+ if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
+ }
 bindingset[node, cc, config]
 private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1169,11 +1170,10 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -1857,11 +1857,10 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -2117,7 +2116,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
 exists(AccessPathFront apf |
 Stage3::revFlow(node, true, _, apf, config) and
- Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
+ Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
 )
 }
@@ -2615,11 +2614,10 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index 5c2dbb30084..bd6ca5e996b 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -923,28 +923,29 @@ private module Stage2 {
 ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
- class Cc = boolean;
+ class Cc = CallContext;
- class CcCall extends Cc {
- CcCall() { this = true }
+ class CcCall = CallContextCall;
- /** Holds if this call context may be `call`. */
- predicate matchesCall(DataFlowCall call) { any() }
- }
+ class CcNoCall = CallContextNoCall;
- class CcNoCall extends Cc {
- CcNoCall() { this = false }
- }
-
- Cc ccNone() { result = false }
+ Cc ccNone() { result instanceof CallContextAny }
 private class LocalCc = Unit;
 bindingset[call, c, outercc]
- private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
+ private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
+ checkCallContextCall(outercc, call, c) and
+ if recordDataFlowCallSiteDispatch(call, c)
+ then result = TSpecificCall(call)
+ else result = TSomeCall()
+ }
 bindingset[call, c, innercc]
- private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
+ private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
+ checkCallContextReturn(innercc, c, call) and
+ if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
+ }
 bindingset[node, cc, config]
 private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1169,11 +1170,10 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -1857,11 +1857,10 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -2117,7 +2116,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
 exists(AccessPathFront apf |
 Stage3::revFlow(node, true, _, apf, config) and
- Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
+ Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
 )
 }
@@ -2615,11 +2614,10 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index 5c2dbb30084..bd6ca5e996b 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -923,28 +923,29 @@ private module Stage2 {
 ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
- class Cc = boolean;
+ class Cc = CallContext;
- class CcCall extends Cc {
- CcCall() { this = true }
+ class CcCall = CallContextCall;
- /** Holds if this call context may be `call`. */
- predicate matchesCall(DataFlowCall call) { any() }
- }
+ class CcNoCall = CallContextNoCall;
- class CcNoCall extends Cc {
- CcNoCall() { this = false }
- }
-
- Cc ccNone() { result = false }
+ Cc ccNone() { result instanceof CallContextAny }
 private class LocalCc = Unit;
 bindingset[call, c, outercc]
- private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
+ private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
+ checkCallContextCall(outercc, call, c) and
+ if recordDataFlowCallSiteDispatch(call, c)
+ then result = TSpecificCall(call)
+ else result = TSomeCall()
+ }
 bindingset[call, c, innercc]
- private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
+ private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
+ checkCallContextReturn(innercc, c, call) and
+ if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
+ }
 bindingset[node, cc, config]
 private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1169,11 +1170,10 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -1857,11 +1857,10 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -2117,7 +2116,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
 exists(AccessPathFront apf |
 Stage3::revFlow(node, true, _, apf, config) and
- Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
+ Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
 )
 }
@@ -2615,11 +2614,10 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index 5c2dbb30084..bd6ca5e996b 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -923,28 +923,29 @@ private module Stage2 {
 ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
- class Cc = boolean;
+ class Cc = CallContext;
- class CcCall extends Cc {
- CcCall() { this = true }
+ class CcCall = CallContextCall;
- /** Holds if this call context may be `call`. */
- predicate matchesCall(DataFlowCall call) { any() }
- }
+ class CcNoCall = CallContextNoCall;
- class CcNoCall extends Cc {
- CcNoCall() { this = false }
- }
-
- Cc ccNone() { result = false }
+ Cc ccNone() { result instanceof CallContextAny }
 private class LocalCc = Unit;
 bindingset[call, c, outercc]
- private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
+ private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
+ checkCallContextCall(outercc, call, c) and
+ if recordDataFlowCallSiteDispatch(call, c)
+ then result = TSpecificCall(call)
+ else result = TSomeCall()
+ }
 bindingset[call, c, innercc]
- private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
+ private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
+ checkCallContextReturn(innercc, c, call) and
+ if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
+ }
 bindingset[node, cc, config]
 private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1169,11 +1170,10 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -1857,11 +1857,10 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
@@ -2117,7 +2116,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
 exists(AccessPathFront apf |
 Stage3::revFlow(node, true, _, apf, config) and
- Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
+ Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
 )
 }
@@ -2615,11 +2614,10 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
- pragma[only_bind_into](config)) and
+ fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
+ pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
- pragma[only_bind_into](config))
+ fwdFlowIsEntered(call, cc, argAp, argAp0, config)
 )
 }
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
index 728f7b56c42..f588a25a176 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
@@ -786,13 +786,18 @@ private module Cached {
 }
 /**
- * Holds if the call context `call` either improves virtual dispatch in
- * `callable` or if it allows us to prune unreachable nodes in `callable`.
+ * Holds if the call context `call` improves virtual dispatch in `callable`.
 */
 cached
- predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
+ predicate recordDataFlowCallSiteDispatch(DataFlowCall call, DataFlowCallable callable) {
 reducedViableImplInCallContext(_, callable, call)
- or
+ }
+
+ /**
+ * Holds if the call context `call` allows us to prune unreachable nodes in `callable`.
+ */
+ cached
+ predicate recordDataFlowCallSiteUnreachable(DataFlowCall call, DataFlowCallable callable) {
 exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
 }
@@ -846,6 +851,15 @@ private module Cached {
 TAccessPathFrontSome(AccessPathFront apf)
 }
+/**
+ * Holds if the call context `call` either improves virtual dispatch in
+ * `callable` or if it allows us to prune unreachable nodes in `callable`.
+ */
+predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
+ recordDataFlowCallSiteDispatch(call, callable) or
+ recordDataFlowCallSiteUnreachable(call, callable)
+}
+
 /**
 * A `Node` at which a cast can occur such that the type should be checked.
 */
From 296d10fe2ab10cc193ef9f4a9513c9bc176744df Mon Sep 17 00:00:00 2001
From: Tom Hvitved Date: Wed, 1 Sep 2021 12:02:37 +0200 Subject: [PATCH 5/5] Data flow: Adjust `callMayFlowThroughFwd` pragmas --- .../cpp/dataflow/internal/DataFlowImpl.qll | 24 ++++++++++++------- .../cpp/dataflow/internal/DataFlowImpl2.qll | 24 ++++++++++++------- .../cpp/dataflow/internal/DataFlowImpl3.qll | 24 ++++++++++++------- .../cpp/dataflow/internal/DataFlowImpl4.qll | 24 ++++++++++++------- .../dataflow/internal/DataFlowImplLocal.qll | 24 ++++++++++++------- .../cpp/ir/dataflow/internal/DataFlowImpl.qll | 24 ++++++++++++------- .../ir/dataflow/internal/DataFlowImpl2.qll | 24 ++++++++++++------- .../ir/dataflow/internal/DataFlowImpl3.qll | 24 ++++++++++++------- .../ir/dataflow/internal/DataFlowImpl4.qll | 24 ++++++++++++------- .../csharp/dataflow/internal/DataFlowImpl.qll | 24 ++++++++++++------- .../dataflow/internal/DataFlowImpl2.qll | 24 ++++++++++++------- .../dataflow/internal/DataFlowImpl3.qll | 24 ++++++++++++------- .../dataflow/internal/DataFlowImpl4.qll | 24 ++++++++++++------- .../dataflow/internal/DataFlowImpl5.qll | 24 ++++++++++++------- .../java/dataflow/internal/DataFlowImpl.qll | 24 ++++++++++++------- .../java/dataflow/internal/DataFlowImpl2.qll | 24 ++++++++++++------- .../java/dataflow/internal/DataFlowImpl3.qll | 24 ++++++++++++------- .../java/dataflow/internal/DataFlowImpl4.qll | 24 ++++++++++++------- .../java/dataflow/internal/DataFlowImpl5.qll | 24 ++++++++++++------- .../java/dataflow/internal/DataFlowImpl6.qll | 24 ++++++++++++------- .../DataFlowImplForSerializability.qll | 24 ++++++++++++------- .../dataflow/new/internal/DataFlowImpl.qll | 24 ++++++++++++------- .../dataflow/new/internal/DataFlowImpl2.qll | 24 ++++++++++++------- .../dataflow/new/internal/DataFlowImpl3.qll | 24 ++++++++++++------- .../dataflow/new/internal/DataFlowImpl4.qll | 24 ++++++++++++------- 25 files changed, 375 insertions(+), 225 deletions(-) 
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index bd6ca5e996b..eca066439fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
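Review bot: The final `callMayFlowThroughFwd` form wraps `cc`, `argAp` and `config` in `pragma[only_bind_into]` on the `fwdFlow` call but leaves `out` and `ap` bare, and wraps every argument of `fwdFlowIsEntered`; the join order this is meant to force is not written down, here or in the identical Stage2/Stage3/Stage4 hunks across L85–L91. Presumably the intent is to join `fwdFlow` with `fwdFlowOutFromArg` on `out`/`ap` first and only then probe `fwdFlowIsEntered`, but the pragmas alone do not say so, and the series shows the arrangement was reached by trial (patch 2/5 used `only_bind_out` throughout). A comment above the `exists`, e.g. `// Join fwdFlow with fwdFlowOutFromArg on out/ap first; the only_bind_into pragmas stop cc/argAp/config and the fwdFlowIsEntered lookup from driving the join`, would spare the next reader from re-deriving it.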
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index bd6ca5e996b..eca066439fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index bd6ca5e996b..eca066439fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index bd6ca5e996b..eca066439fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index bd6ca5e996b..eca066439fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index bd6ca5e996b..eca066439fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index bd6ca5e996b..eca066439fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index bd6ca5e996b..eca066439fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index bd6ca5e996b..eca066439fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index bd6ca5e996b..eca066439fc 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index bd6ca5e996b..eca066439fc 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index bd6ca5e996b..eca066439fc 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index bd6ca5e996b..eca066439fc 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index bd6ca5e996b..eca066439fc 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index bd6ca5e996b..eca066439fc 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
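Review bot: The join order that the new `only_bind_into` pragmas in `callMayFlowThroughFwd` are meant to force is recorded nowhere in the predicate, so the next person tuning this hot path cannot tell which join the rearrangement protects or whether a later edit silently undoes it. A why-comment above the `fwdFlow(...)` conjunct would fix that, e.g. `// Join fwdFlow with fwdFlowOutFromArg on (out, ap, config) first; the only_bind_into pragmas stop the optimizer from joining fwdFlow and fwdFlowIsEntered directly on (cc, argAp, config)` — hedged, since the intended plan is only inferable from which variables were left unpragma'd (`out`, `ap`). These pragmas are evaluation hints only, so no change in reported flow is expected from this hunk, but an accidental re-pairing of the bindings would be invisible in test output and only show up as a performance regression. The same hunk is repeated verbatim in every `DataFlowImpl*` copy in this patch, so the comment belongs in whichever file the copies are generated from.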
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index bd6ca5e996b..eca066439fc 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -1857,10 +1859,12 @@ private module Stage3 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
@@ -2614,10 +2618,12 @@ private module Stage4 {
 pragma[nomagic]
 private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
 exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
- fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
- pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+ fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+ pragma[only_bind_into](config)) and
 fwdFlowOutFromArg(call, out, argAp0, ap, config) and
- fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+ fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+ pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+ pragma[only_bind_into](config))
 )
 }
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index bd6ca5e996b..eca066439fc 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -1857,10 +1859,12 @@ private module Stage3 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -2614,10 +2618,12 @@ private module Stage4 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index bd6ca5e996b..eca066439fc 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -1857,10 +1859,12 @@ private module Stage3 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -2614,10 +2618,12 @@ private module Stage4 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index bd6ca5e996b..eca066439fc 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -1857,10 +1859,12 @@ private module Stage3 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -2614,10 +2618,12 @@ private module Stage4 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
index bd6ca5e996b..eca066439fc 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -1857,10 +1859,12 @@ private module Stage3 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -2614,10 +2618,12 @@ private module Stage4 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll
index bd6ca5e996b..eca066439fc 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -1857,10 +1859,12 @@ private module Stage3 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -2614,10 +2618,12 @@ private module Stage4 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index bd6ca5e996b..eca066439fc 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -1857,10 +1859,12 @@ private module Stage3 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -2614,10 +2618,12 @@ private module Stage4 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index bd6ca5e996b..eca066439fc 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -1857,10 +1859,12 @@ private module Stage3 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -2614,10 +2618,12 @@ private module Stage4 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index bd6ca5e996b..eca066439fc 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -1857,10 +1859,12 @@ private module Stage3 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -2614,10 +2618,12 @@ private module Stage4 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index bd6ca5e996b..eca066439fc 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -1170,10 +1170,12 @@ private module Stage2 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -1857,10 +1859,12 @@ private module Stage3 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 
@@ -2614,10 +2618,12 @@ private module Stage4 {
     pragma[nomagic]
     private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
       exists(Ap argAp0, NodeEx out, Cc cc, ApOption argAp, Ap ap |
-        fwdFlow(pragma[only_bind_out](out), pragma[only_bind_out](cc), pragma[only_bind_out](argAp),
-          pragma[only_bind_out](ap), pragma[only_bind_out](config)) and
+        fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+          pragma[only_bind_into](config)) and
         fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+        fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
+          pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+          pragma[only_bind_into](config))
       )
     }
 