Skip to content

Java: Support for With[out]Element for MaD. #13546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Aug 15, 2023
Merged

Java: Support for With[out]Element for MaD. #13546

merged 9 commits into from
Aug 15, 2023

Conversation

michaelnebel
Copy link
Contributor

@michaelnebel michaelnebel commented Jun 23, 2023
edited
Loading

In this PR we introduce WithoutElement and WithElement for Java MaD.

Assume that c is a callable and assume that A and B are access paths and assume we have a summary that defines that data can flow from A to B via c:

c : A -> B

In case A and B targets collections this summary also implies that there is flow from the elements in the source collection to the elements in the target collection.
That is

c : A -> B       =>       c : A.Element -> B.Element

However, in some cases we want to avoid exactly this.
One example could be List.clear().
Using WithoutElement it is now possible to define

clear : A.WithoutElement -> B

If the list itself is tainted then the taint is propagated via clear, but not the element taint.
That is,

clear : A.WithoutElement -> B      \equiv      clear : A -> B and not clear : A.Element -> B.Element

The dual WithElement is identical to an already existing construct

c : A.WithElement -> B      \equiv      c : A.Element -> B.Element

For completeness also note that

c : A -> B.      \equiv.      c : A.WithoutElement -> B and c : A.WithElement -> B

@github-actions github-actions bot added the Java label Jun 23, 2023
@github-actions
Copy link
Contributor

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,682,184,76,,9,,,17
+    Java Standard Library,``java.*``,3,683,184,76,,9,,,17
-    Totals,,283,12766,2040,286,16,122,33,1,390
+    Totals,,283,12767,2040,286,16,122,33,1,390
  • Changes to framework-coverage-java.csv:
- java.util,44,,484,,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,440
+ java.util,44,,485,,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,441

@michaelnebel michaelnebel force-pushed the java/withoutelement branch from e7cf024 to 500480b Compare July 4, 2023 08:53
@github-actions
Copy link
Contributor

github-actions bot commented Jul 4, 2023

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,683,197,76,,9,,,17
+    Java Standard Library,``java.*``,3,684,197,76,,9,,,17
-    Totals,,283,13593,2059,286,16,122,33,1,390
+    Totals,,283,13594,2059,286,16,122,33,1,390
  • Changes to framework-coverage-java.csv:
- java.util,44,,484,,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,440
+ java.util,44,,485,,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,441

@michaelnebel michaelnebel force-pushed the java/withoutelement branch from 500480b to 37d7680 Compare July 4, 2023 09:44
@github-actions
Copy link
Contributor

github-actions bot commented Jul 4, 2023

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,683,197,76,,9,,,17
+    Java Standard Library,``java.*``,3,684,197,76,,9,,,17
-    Totals,,283,13593,2059,286,16,122,33,1,390
+    Totals,,283,13594,2059,286,16,122,33,1,390
  • Changes to framework-coverage-java.csv:
- java.util,44,,484,,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,440
+ java.util,44,,485,,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,441

@github-actions
Copy link
Contributor

github-actions bot commented Jul 4, 2023

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,683,197,76,,9,,,17
+    Java Standard Library,``java.*``,3,684,197,76,,9,,,17
-    Totals,,283,13593,2059,286,16,122,33,1,390
+    Totals,,283,13594,2059,286,16,122,33,1,390
  • Changes to framework-coverage-java.csv:
- java.util,44,,484,,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,440
+ java.util,44,,485,,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,441

@michaelnebel michaelnebel added the no-change-note-required This PR does not need a change note label Jul 4, 2023
@michaelnebel michaelnebel marked this pull request as ready for review July 5, 2023 07:24
@michaelnebel michaelnebel requested a review from a team as a code owner July 5, 2023 07:24
@github-actions
Copy link
Contributor

github-actions bot commented Aug 1, 2023

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,689,205,80,,9,,,18
+    Java Standard Library,``java.*``,3,690,205,80,,9,,,18
-    Totals,,283,18451,2142,290,16,122,33,1,391
+    Totals,,283,18452,2142,290,16,122,33,1,391
  • Changes to framework-coverage-java.csv:
- java.util,45,,485,,,1,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,45,440
+ java.util,45,,486,,,1,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,45,441

jcogs33
jcogs33 reviewed Aug 2, 2023
View reviewed changes
Copy link
Contributor

@jcogs33 jcogs33 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a few minor questions, but otherwise looks reasonable to me:

  • Should there potentially be a change note for this since data extensions for Java is in beta?
  • For my own understanding: What is the benefit of including the .WithElement option if .Element -> .Element is identical?

java/ql/lib/ext/java.util.model.yml Outdated
Comment on lines 425 to 430
# When `WithoutElement` is implemented, these should be changed to summary models of the form `Argument[this].WithoutElement -> Argument[this]`.
- ["java.util", "Collection", "removeIf", "(Predicate)", "summary", "manual"]
- ["java.util", "Iterator", "remove", "()", "summary", "manual"]
- ["java.util", "List", "clear", "()", "summary", "manual"]
- ["java.util", "List", "remove", "(Object)", "summary", "manual"]
- ["java.util", "Map", "clear", "()", "summary", "manual"]
- ["java.util", "Set", "clear", "()", "summary", "manual"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor request that you can ignore if you want 🙂: Would it make sense to update the rest of these models to use WithoutElement on this PR?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the current implementation we can't use WithoutElement and WithElement for anything else than collection content (not array content or dictionary content).
Would it maybe make more sense to include these as well for Java?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WithoutElement should still apply as-is to Set.clear(), right?

Copy link
Contributor Author

@michaelnebel michaelnebel Aug 7, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, right - I will introduce that summary and make a test.

A question about remove[If] neutrals. Since we are not tracking individual elements for collections in Java, we will not be able to re-write these using WithElement and WithoutElement. Should we move these neutrals to their proper location in the data extension files or should we have a summary instead (is it a better assumption that there is element flow via eg. List.remove as it only might remove a single element)?

@michaelnebel
Copy link
Contributor Author

I added a few minor questions, but otherwise looks reasonable to me:

  • Should there potentially be a change note for this since data extensions for Java is in beta?
  • For my own understanding: What is the benefit of including the .WithElement option if .Element -> .Element is identical?

I don't think that it is strictly needed with a change note as it is a non breaking change and since we are in private beta, but let us add one anyway (it can't hurt to advertise it a bit more).

The only "minor" benefit is that it might perform a bit better than .Element -> .Element and to make it consistent with the other languages.

@github-actions
Copy link
Contributor

github-actions bot commented Aug 4, 2023

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,689,205,80,,9,,,18
+    Java Standard Library,``java.*``,3,690,205,80,,9,,,18
-    Totals,,283,18451,2142,290,16,122,33,1,391
+    Totals,,283,18452,2142,290,16,122,33,1,391
  • Changes to framework-coverage-java.csv:
- java.util,45,,485,,,1,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,45,440
+ java.util,45,,486,,,1,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,45,441

@aschackmull
Copy link
Contributor

The dual WithElement is identical to an already existing construct

c : A.WithElement -> B      \equiv      c : A.Element -> B.Element

That's not entirely correct. The WithElement version also states that the object identity is preserved while an Element to Element summary just states that a (possibly) new object with the same elements is returned. This makes a difference if the type that we're tracking for the input is stronger than the types at the input/output of the summary.

@github-actions
Copy link
Contributor

github-actions bot commented Aug 7, 2023

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,689,205,80,,9,,,18
+    Java Standard Library,``java.*``,3,691,205,80,,9,,,18
-    Totals,,283,18451,2142,290,16,122,33,1,391
+    Totals,,283,18453,2142,290,16,122,33,1,391
  • Changes to framework-coverage-java.csv:
- java.util,45,,485,,,1,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,45,440
+ java.util,45,,487,,,1,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,45,442

@michaelnebel
Copy link
Contributor Author

The dual WithElement is identical to an already existing construct

c : A.WithElement -> B      \equiv      c : A.Element -> B.Element

That's not entirely correct. The WithElement version also states that the object identity is preserved while an Element to Element summary just states that a (possibly) new object with the same elements is returned. This makes a difference if the type that we're tracking for the input is stronger than the types at the input/output of the summary.

Hah, so what you are saying is that we infact should not use WithElement for (shallow)copy/clone like methods as they do not preserve object identity for the collection container object? 😸 (this defeats my example above).

@github-actions
Copy link
Contributor

github-actions bot commented Aug 8, 2023

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,689,201,76,,9,,,18
+    Java Standard Library,``java.*``,3,691,201,76,,9,,,18
-    Totals,,283,18451,2138,286,16,122,33,1,391
+    Totals,,283,18453,2138,286,16,122,33,1,391
  • Changes to framework-coverage-java.csv:
- java.util,45,,485,,,1,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,45,440
+ java.util,45,,487,,,1,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,45,442

@michaelnebel michaelnebel merged commit a95aad5 into github:main Aug 15, 2023
@michaelnebel michaelnebel deleted the java/withoutelement branch August 15, 2023 08:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hvitved hvitved hvitved left review comments

@jcogs33 jcogs33 jcogs33 left review comments

@aschackmull aschackmull aschackmull approved these changes

+1 more reviewer

@atorralba atorralba atorralba left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
documentation Java no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@michaelnebel @aschackmull @hvitved @atorralba @jcogs33