Merge pull request #17687 from michaelnebel/modelgen/removeduplicatedf

C#/Java: Avoid `df` and `dfc` overlap in model generation.
2026-04-20 22:44:52 +02:00 · 2024-10-09 14:04:31 +02:00
parent ed39c465a6 5d4ceeebb5
commit 79871aa51e
2 changed files with 37 additions and 3 deletions
--- a/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
+++ b/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
@@ -639,7 +639,7 @@ public class Inheritance
        public override string Prop { get { return tainted; } }
    }

-    public abstract class BaseContent 
+    public abstract class BaseContent
    {
        public abstract object GetValue();

@@ -961,3 +961,30 @@ public class Fanout
        return other + b2.GetValue();
    }
 }
+
+public class AvoidDuplicateLifted
+{
+    public class A
+    {
+        public object Prop { get; set; }
+
+        // contentbased-summary=Models;AvoidDuplicateLifted+A;true;GetValue;();;Argument[this].Property[Models.AvoidDuplicateLifted+A.Prop];ReturnValue;value;dfc-generated
+        // summary=Models;AvoidDuplicateLifted+A;true;GetValue;();;Argument[this];ReturnValue;taint;df-generated
+        public virtual object GetValue()
+        {
+            return Prop;
+        }
+    }
+
+    public class B : A
+    {
+        private object field;
+
+        // No content based summary as field is a dead synthetic field.
+        // summary=Models;AvoidDuplicateLifted+A;true;GetValue;();;Argument[this];ReturnValue;taint;df-generated
+        public override object GetValue()
+        {
+            return field;
+        }
+    }
+}
--- a/shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll
+++ b/shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll
@@ -881,7 +881,13 @@ module MakeModelGenerator<
  string captureMixedFlow(DataFlowSummaryTargetApi api, boolean lift) {
    result = ContentSensitive::captureFlow(api, lift)
    or
-    not exists(ContentSensitive::captureFlow(api, _)) and
+    not exists(DataFlowSummaryTargetApi api0 |
+      (api0 = api or api.lift() = api0) and
+      exists(ContentSensitive::captureFlow(api0, false))
+      or
+      api0.lift() = api.lift() and
+      exists(ContentSensitive::captureFlow(api0, true))
+    ) and
    result = captureFlow(api) and
    lift = true
  }
@@ -895,7 +901,8 @@ module MakeModelGenerator<
    not exists(DataFlowSummaryTargetApi api0, boolean lift |
      exists(captureMixedFlow(api0, lift)) and
      (
-        lift = false and api0 = api
+        lift = false and
+        (api0 = api or api0 = api.lift())
        or
        lift = true and api0.lift() = api.lift()
      )