hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 08:43:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20915 from hvitved/content-flow-ap-limit

Browse Source 
Shared: Improvements to content-sensitive model generation
This commit is contained in:
Tom Hvitved
2025-12-03 15:54:57 +01:00
committed by GitHub
parent 7fd4755e93 3ba256a72a
commit ca9d327280
5 changed files with 47 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
View File

@@ -260,6 +260,8 @@ module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
)
}
int contentAccessPathLimitInternal() { result = 2 }
bindingset[d]
private string getFullyQualifiedName(Declaration d) {
exists(string qualifier, string name |

2
java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
View File

@@ -218,6 +218,8 @@ module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
)
}
int contentAccessPathLimitInternal() { result = 2 }
predicate isField(DataFlow::ContentSet c) {
c instanceof DataFlowUtil::FieldContent or
c instanceof DataFlowUtil::SyntheticFieldContent

8
rust/ql/test/utils-tests/modelgenerator/option.rs
View File

@@ -299,8 +299,7 @@ impl<T> MyOption<T> {
}
// summary=<test::option::MyOption>::insert;Argument[0];Argument[self].Reference.Field[test::option::MyOption::MySome(0)];value;dfc-generated
// This summary is currently missing because of access path limit
// summary-MISSING=<test::option::MyOption>::insert;Argument[0];ReturnValue.Reference;value;dfc-generated
// summary=<test::option::MyOption>::insert;Argument[0];ReturnValue.Reference;value;dfc-generated
// The content of `self` is overwritten so it does not flow to the return value.
// SPURIOUS-summary=<test::option::MyOption>::insert;Argument[self].Reference.Field[test::option::MyOption::MySome(0)];ReturnValue.Reference;value;dfc-generated
pub fn insert(&mut self, value: T) -> &mut T {
@@ -311,8 +310,7 @@ impl<T> MyOption<T> {
}
// summary=<test::option::MyOption>::get_or_insert;Argument[0];Argument[self].Reference.Field[test::option::MyOption::MySome(0)];value;dfc-generated
// This summary is currently missing because of access path limit
// summary-MISSING=<test::option::MyOption>::get_or_insert;Argument[0];ReturnValue.Reference;value;dfc-generated
// summary=<test::option::MyOption>::get_or_insert;Argument[0];ReturnValue.Reference;value;dfc-generated
// summary=<test::option::MyOption>::get_or_insert;Argument[self].Reference.Field[test::option::MyOption::MySome(0)];ReturnValue.Reference;value;dfc-generated
pub fn get_or_insert(&mut self, value: T) -> &mut T {
self.get_or_insert_with(|| value)
@@ -328,7 +326,7 @@ impl<T> MyOption<T> {
// summary=<test::option::MyOption>::get_or_insert_with;Argument[self].Reference.Field[test::option::MyOption::MySome(0)];ReturnValue.Reference;value;dfc-generated
// summary=<test::option::MyOption>::get_or_insert_with;Argument[0].ReturnValue;Argument[self].Reference.Field[test::option::MyOption::MySome(0)];value;dfc-generated
// SPURIOUS-summary=<test::option::MyOption>::get_or_insert_with;Argument[0];Argument[self].Reference.Field[test::option::MyOption::MySome(0)];value;dfc-generated
// summary=<test::option::MyOption>::get_or_insert_with;Argument[0].ReturnValue;ReturnValue.Reference;value;dfc-generated
pub fn get_or_insert_with<F>(&mut self, f: F) -> &mut T
where
F: FnOnce() -> T,

15
shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll
View File

@@ -75,6 +75,9 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
/** Gets a limit on the number of reads out of sources and number of stores into sinks. */
default int accessPathLimit() { result = Lang::accessPathLimit() }
/** Gets the access path limit used in the internal invocation of the standard data flow library. */
default int accessPathLimitInternal() { result = Lang::accessPathLimit() }
/** Holds if `c` is relevant for reads out of sources or stores into sinks. */
default predicate isRelevantContent(ContentSet c) { any() }
}
@@ -110,7 +113,7 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
FlowFeature getAFeature() { result = ContentConfig::getAFeature() }
predicate accessPathLimit = ContentConfig::accessPathLimit/0;
predicate accessPathLimit = ContentConfig::accessPathLimitInternal/0;
// needed to record reads/stores inside summarized callables
predicate includeHiddenNodes() { any() }
@@ -274,6 +277,16 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
)
}
/**
* Gets the length of this access path.
*/
int length() {
this = TAccessPathNil() and
result = 0
or
result = this.getTail().length() + 1
}
/**
* Gets the content set at index `i` in this access path, if any.
*/

38
shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll
View File

@@ -277,6 +277,16 @@ module MakeModelGeneratorFactory<
*/
predicate isAdditionalContentFlowStep(Lang::Node nodeFrom, Lang::Node nodeTo);
/**
* Gets the access path limit for content flow analysis.
*/
default int contentAccessPathLimit() { result = 2 }
/**
* Gets the internal access path limit for content flow analysis.
*/
default int contentAccessPathLimitInternal() { result = Lang::accessPathLimit() }
/**
* Holds if the content set `c` is field like.
*/
@@ -650,7 +660,10 @@ module MakeModelGeneratorFactory<
exists(Type t | t = n.(NodeExtended).getType() and not isRelevantType(t))
}
int accessPathLimit() { result = 2 }
predicate accessPathLimit = SummaryModelGeneratorInput::contentAccessPathLimit/0;
predicate accessPathLimitInternal =
SummaryModelGeneratorInput::contentAccessPathLimitInternal/0;
predicate isRelevantContent(DataFlow::ContentSet s) { isRelevantContent0(s) }
@@ -703,14 +716,17 @@ module MakeModelGeneratorFactory<
}
/**
* Holds if the access path `ap` is not a parameter or returnvalue of a callback
* stored in a field.
* Holds if `ap` is valid for generating summary models.
*
* That is, we currently don't include summaries that rely on parameters or return values
* of callbacks stored in fields.
* We currently don't include summaries that rely on parameters or return values
* of callbacks stored in fields, as those are not supported by the data flow
* library.
*
* We also exclude access paths with contents not supported by `printContent`.
*/
private predicate validateAccessPath(PropagateContentFlow::AccessPath ap) {
not (mentionsField(ap) and mentionsCallback(ap))
not (mentionsField(ap) and mentionsCallback(ap)) and
forall(int i | i in [0 .. ap.length() - 1] | exists(getContent(ap, i)))
}
private predicate apiFlow(
@@ -720,7 +736,9 @@ module MakeModelGeneratorFactory<
) {
PropagateContentFlow::flow(p, reads, returnNodeExt, stores, preservesValue) and
getEnclosingCallable(returnNodeExt) = api and
getEnclosingCallable(p) = api
getEnclosingCallable(p) = api and
validateAccessPath(reads) and
validateAccessPath(stores)
}
/**
@@ -763,9 +781,7 @@ module MakeModelGeneratorFactory<
PropagateContentFlow::AccessPath reads, ReturnNodeExt returnNodeExt,
PropagateContentFlow::AccessPath stores, boolean preservesValue
) {
PropagateContentFlow::flow(p, reads, returnNodeExt, stores, preservesValue) and
getEnclosingCallable(returnNodeExt) = api and
getEnclosingCallable(p) = api and
apiFlow(api, p, reads, returnNodeExt, stores, preservesValue) and
p = api.getARelevantParameterNode()
}
@@ -956,8 +972,6 @@ module MakeModelGeneratorFactory<
input = parameterNodeAsExactInput(p) + printReadAccessPath(reads) and
output = getExactOutput(returnNodeExt) + printStoreAccessPath(stores) and
input != output and
validateAccessPath(reads) and
validateAccessPath(stores) and
(
if mentionsField(reads) or mentionsField(stores)
then lift = false and api.isRelevant()