Merge pull request #19443 from MathiasVP/generate-more-value-preserving-summaries-2

Shared: Generate more value-preserving flow summaries
2026-04-25 00:35:20 +02:00 · 2025-05-14 09:12:28 +01:00
parent 98ec3753fd fcecc5a3af
commit e903d76fa0
35 changed files with 331 additions and 209 deletions
--- a/csharp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+++ b/csharp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
@@ -10,5 +10,5 @@ import internal.CaptureModels
 import SummaryModels

 from DataFlowSummaryTargetApi api, string flow
-where flow = ContentSensitive::captureFlow(api, _)
+where flow = ContentSensitive::captureFlow(api, _, _, _, _)
 select flow order by flow
--- a/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql
+++ b/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql
@@ -15,7 +15,7 @@ import PartialFlow::PartialPathGraph

 int explorationLimit() { result = 3 }

-module PartialFlow = Heuristic::PropagateFlow::FlowExplorationFwd<explorationLimit/0>;
+module PartialFlow = Heuristic::PropagateTaintFlow::FlowExplorationFwd<explorationLimit/0>;

 from
  PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink,
--- a/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
+++ b/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
@@ -11,16 +11,15 @@
 import csharp
 import utils.modelgenerator.internal.CaptureModels
 import SummaryModels
-import Heuristic
-import PropagateFlow::PathGraph
+import Heuristic::PropagateTaintFlow::PathGraph

 from
-  PropagateFlow::PathNode source, PropagateFlow::PathNode sink, DataFlowSummaryTargetApi api,
-  DataFlow::Node p, DataFlow::Node returnNodeExt
+  Heuristic::PropagateTaintFlow::PathNode source, Heuristic::PropagateTaintFlow::PathNode sink,
+  DataFlowSummaryTargetApi api, DataFlow::Node p, DataFlow::Node returnNodeExt
 where
-  PropagateFlow::flowPath(source, sink) and
+  Heuristic::PropagateTaintFlow::flowPath(source, sink) and
  p = source.getNode() and
  returnNodeExt = sink.getNode() and
-  exists(captureThroughFlow0(api, p, returnNodeExt))
+  Heuristic::captureThroughFlow0(api, p, returnNodeExt)
 select sink.getNode(), source, sink, "There is flow from $@ to the $@.", source.getNode(),
  "parameter", sink.getNode(), "return value"
--- a/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -124,13 +124,13 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Locatio

  string qualifierString() { result = "Argument[this]" }

-  string parameterAccess(CS::Parameter p) {
+  string parameterApproximateAccess(CS::Parameter p) {
    if Collections::isCollectionType(p.getType())
    then result = "Argument[" + p.getPosition() + "].Element"
    else result = "Argument[" + p.getPosition() + "]"
  }

-  string parameterContentAccess(CS::Parameter p) { result = "Argument[" + p.getPosition() + "]" }
+  string parameterExactAccess(CS::Parameter p) { result = "Argument[" + p.getPosition() + "]" }

  private signature string parameterAccessSig(Parameter p);

@@ -145,13 +145,13 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Locatio
  }

  bindingset[c]
-  string paramReturnNodeAsOutput(CS::Callable c, ParameterPosition pos) {
-    result = ParamReturnNodeAsOutput<parameterAccess/1>::paramReturnNodeAsOutput(c, pos)
+  string paramReturnNodeAsApproximateOutput(CS::Callable c, ParameterPosition pos) {
+    result = ParamReturnNodeAsOutput<parameterApproximateAccess/1>::paramReturnNodeAsOutput(c, pos)
  }

  bindingset[c]
-  string paramReturnNodeAsContentOutput(Callable c, ParameterPosition pos) {
-    result = ParamReturnNodeAsOutput<parameterContentAccess/1>::paramReturnNodeAsOutput(c, pos)
+  string paramReturnNodeAsExactOutput(Callable c, ParameterPosition pos) {
+    result = ParamReturnNodeAsOutput<parameterExactAccess/1>::paramReturnNodeAsOutput(c, pos)
  }

  ParameterPosition getReturnKindParamPosition(ReturnKind kind) {
--- a/csharp/ql/src/utils/modelgenerator/internal/CaptureTypeBasedSummaryModels.qll
+++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureTypeBasedSummaryModels.qll
@@ -39,7 +39,7 @@ private predicate localTypeParameter(Callable callable, TypeParameter tp) {
 */
 private predicate parameter(Callable callable, string input, TypeParameter tp) {
  exists(Parameter p |
-    input = ModelGeneratorInput::parameterAccess(p) and
+    input = ModelGeneratorInput::parameterApproximateAccess(p) and
    p = callable.getAParameter() and
    (
      // Parameter of type tp