diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
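Review bot: `validAp` and the narrowed `consCand` in the Stage2 hunk are mutually recursive, and nothing in the hunk documents the invariant they encode, so a reader cannot easily check that the pruning removes only access paths that can never occur. `consCand` stays non-private, so it is presumably consumed outside the module; an over-strict `validAp` would then silently drop store candidates, and with them results of the security queries built on this library, and the visible hunks carry no test or expected-output update that would catch that. I would add a QLDoc comment above `validAp`, e.g. `/** Holds if ap is nil and has reverse flow, or is apCons(head, tail) for some consCand(head, tail, config). */`, and one above `revConsCand` naming it as the unpruned candidate set. The same applies to the identical Stage3 and Stage4 hunks and to the synced copies of this file further down; the Stage modules start and end outside the hunks.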
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }

-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }

+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
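Review bot: The two `Stage4::parameterMayFlowThrough` calls in the `nodeMayUseSummary` hunk read as a duplicate unless a comment says otherwise: `nodeMayUseSummary0` uses `(_, c, _, _)` only to restrict `c`, while the wrapper's `(_, c, apa, _)` is the conjunct that ties `apa` to a parameter of `c`. A later clean-up that drops the wrapper's call as redundant would widen the predicate and change which nodes are treated as able to use a summary. I would put a QLDoc line on the helper, e.g. `/** Join-order helper for nodeMayUseSummary; does not relate apa to a parameter of c. */`, and note next to `pragma[nomagic]` that the split is, presumably, for evaluation performance only. The same hunk recurs unchanged in the synced copies of this file.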
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }

-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }

+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }

-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }

+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }

-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }

+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }

-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }

+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }

-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }

+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }

-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }

+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }

-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }

+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }

- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }

+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }
 
-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }
 
+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }
 
-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }
 
+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }
 
-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }
 
+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }
 
-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }
 
+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }
 
-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }
 
+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }
 
-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }
 
+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }
 
-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }
 
+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index 89a35b00fa6..caa3841bc33 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -1673,10 +1673,24 @@ private module Stage2 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -2495,10 +2509,24 @@ private module Stage3 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3322,10 +3350,24 @@ private module Stage4 {
 storeStepFwd(_, ap, tc, _, _, config)
 }
 
- predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) {
 storeStepCand(_, ap, tc, _, _, config)
 }
 
+ private predicate validAp(Ap ap, Configuration config) {
+ revFlow(_, _, _, _, ap, config) and ap instanceof ApNil
+ or
+ exists(TypedContent head, Ap tail |
+ consCand(head, tail, config) and
+ ap = apCons(head, tail)
+ )
+ }
+
+ predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+ revConsCand(tc, ap, config) and
+ validAp(ap, config)
+ }
+
 pragma[noinline]
 private predicate parameterFlow(
 ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
@@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) {
 exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
 }
 
-private predicate nodeMayUseSummary(
- NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+pragma[nomagic]
+private predicate nodeMayUseSummary0(
+ NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config
 ) {
- exists(DataFlowCallable c, AccessPathApprox apa0 |
- Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ exists(AccessPathApprox apa0 |
+ Stage4::parameterMayFlowThrough(_, c, _, _) and
 Stage4::revFlow(n, state, true, _, apa0, config) and
 Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
 n.getEnclosingCallable() = c
 )
 }
 
+private predicate nodeMayUseSummary(
+ NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
+) {
+ exists(DataFlowCallable c |
+ Stage4::parameterMayFlowThrough(_, c, apa, _) and
+ nodeMayUseSummary0(n, c, state, apa, config)
+ )
+}
+
 private newtype TSummaryCtx =
 TSummaryCtxNone() or
 TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll index 89a35b00fa6..caa3841bc33 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll index 89a35b00fa6..caa3841bc33 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll index 89a35b00fa6..caa3841bc33 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll index 89a35b00fa6..caa3841bc33 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll index 89a35b00fa6..caa3841bc33 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll index 89a35b00fa6..caa3841bc33 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll index 89a35b00fa6..caa3841bc33 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll index 89a35b00fa6..caa3841bc33 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll index 89a35b00fa6..caa3841bc33 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll index 89a35b00fa6..caa3841bc33 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) { 
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll index 89a35b00fa6..caa3841bc33 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll @@ -1673,10 +1673,24 @@ private module Stage2 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -2495,10 +2509,24 @@ private module Stage3 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config 
@@ -3322,10 +3350,24 @@ private module Stage4 { storeStepFwd(_, ap, tc, _, _, config) } - predicate consCand(TypedContent tc, Ap ap, Configuration config) { + private predicate revConsCand(TypedContent tc, Ap ap, Configuration config) { storeStepCand(_, ap, tc, _, _, config) } + private predicate validAp(Ap ap, Configuration config) { + revFlow(_, _, _, _, ap, config) and ap instanceof ApNil + or + exists(TypedContent head, Ap tail | + consCand(head, tail, config) and + ap = apCons(head, tail) + ) + } + + predicate consCand(TypedContent tc, Ap ap, Configuration config) { + revConsCand(tc, ap, config) and + validAp(ap, config) + } + pragma[noinline] private predicate parameterFlow( ParamNodeEx p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config @@ -3394,17 +3436,27 @@ private Configuration unbindConf(Configuration conf) { exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c)) } -private predicate nodeMayUseSummary( - NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +pragma[nomagic] +private predicate nodeMayUseSummary0( + NodeEx n, DataFlowCallable c, FlowState state, AccessPathApprox apa, Configuration config ) { - exists(DataFlowCallable c, AccessPathApprox apa0 | - Stage4::parameterMayFlowThrough(_, c, apa, _) and + exists(AccessPathApprox apa0 | + Stage4::parameterMayFlowThrough(_, c, _, _) and Stage4::revFlow(n, state, true, _, apa0, config) and Stage4::fwdFlow(n, state, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and n.getEnclosingCallable() = c ) } +private predicate nodeMayUseSummary( + NodeEx n, FlowState state, AccessPathApprox apa, Configuration config +) { + exists(DataFlowCallable c | + Stage4::parameterMayFlowThrough(_, c, apa, _) and + nodeMayUseSummary0(n, c, state, apa, config) + ) +} + private newtype TSummaryCtx = TSummaryCtxNone() or TSummaryCtxSome(ParamNodeEx p, FlowState state, AccessPath ap) {