Skip to content

Shared: Generate more value-preserving flow summaries #19443

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 17 commits into from
May 14, 2025
Merged

Shared: Generate more value-preserving flow summaries #19443

Changes from 1 commit
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
607a1e4
Shared: Generate value-preserving summaries when possible.
MathiasVP Apr 28, 2025
cd47379
C#: Fixup queries and accept test changes.
MathiasVP Apr 29, 2025
07641e4
Java: Fixup queries and accept test changes.
MathiasVP Apr 29, 2025
7751973
Rust: Fixup queries.
MathiasVP Apr 29, 2025
d8eafbb
C++: Fixup queries and accept test changes.
MathiasVP Apr 29, 2025
d5bc95d
Merge branch 'main' into generate-more-value-preserving-summaries-2
MathiasVP May 2, 2025
54f0eed
Shared: Rename 'asLiftedTaintModel' to 'asLiftedModel'.
MathiasVP May 2, 2025
4d2f2b8
Shared/Java/C#/Rust/C++: Rename 'captureHeuristicFlow' to 'captureFlow'.
MathiasVP May 2, 2025
37bc2bf
Shared: Deduplicate flow summaries.
MathiasVP May 2, 2025
bce5f25
C++/C#/Java/Rust: Fixup tests.
MathiasVP May 2, 2025
6437168
Shared: Fix QLDoc to make QL4QL happy.
MathiasVP May 8, 2025
6c9f248
Shared: Avoid generating taint based heuristic summaries when a conte…
michaelnebel May 13, 2025
a94cffa
Shared: Adjust the printing of heuristic value summaries (and fix a m…
michaelnebel May 13, 2025
09dc3c8
C#: Update model generator implementation and test expected output.
michaelnebel May 13, 2025
ee83ca9
Java: Update model generator implementation and test expected output.
michaelnebel May 13, 2025
6712cce
Rust: Update model generator implementation.
michaelnebel May 13, 2025
fcecc5a
Cpp: Update model generator implementation.
michaelnebel May 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Shared: Adjust the printing of heuristic value summaries (and fix a m… 
…inor issue with output printing in captureSink).
  • Loading branch information
@michaelnebel @MathiasVP
michaelnebel authored and MathiasVP committed May 13, 2025
commit a94cffa27ef8e9b3e80cfe7f1003516da2f5a260
63 changes: 33 additions & 30 deletions shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll
View file
Original file line number Diff line number Diff line change
@@ -73,14 +73,14 @@ signature module ModelGeneratorCommonInputSig<LocationSig Location, InputSig<Loc
* `pos` of callable `c`.
*/
bindingset[c]
string paramReturnNodeAsOutput(Callable c, Lang::ParameterPosition p);
string paramReturnNodeAsApproximateOutput(Callable c, Lang::ParameterPosition p);

/**
* Gets the MaD string representation of return through parameter at position
* `pos` of callable `c` when used in content flow.
*/
bindingset[c]
string paramReturnNodeAsContentOutput(Callable c, Lang::ParameterPosition pos);
string paramReturnNodeAsExactOutput(Callable c, Lang::ParameterPosition pos);

/**
* Gets the enclosing callable of `ret`.
@@ -95,13 +95,13 @@ signature module ModelGeneratorCommonInputSig<LocationSig Location, InputSig<Loc
/**
* Gets the MaD string representation of the parameter `p`.
*/
string parameterAccess(Parameter p);
string parameterApproximateAccess(Parameter p);

/**
* Gets the MaD string representation of the parameter `p`
* when used in content flow.
*/
string parameterContentAccess(Parameter p);
string parameterExactAccess(Parameter p);

/**
* Gets the MaD string representation of the qualifier.
@@ -226,8 +226,12 @@ module MakeModelGeneratorFactory<
containerContent(c)
}

private string getOutput(ReturnNodeExt node) {
result = PrintReturnNodeExt<paramReturnNodeAsOutput/2>::getOutput(node)
private string getApproximateOutput(ReturnNodeExt node) {
result = PrintReturnNodeExt<paramReturnNodeAsApproximateOutput/2>::getOutput(node)
}

private string getExactOutput(ReturnNodeExt node) {
result = PrintReturnNodeExt<paramReturnNodeAsExactOutput/2>::getOutput(node)
}

/**
@@ -320,6 +324,16 @@ module MakeModelGeneratorFactory<
DataFlowSummaryTargetApi() { not isUninterestingForDataFlowModels(this) }
}

/**
* Gets the MaD string representation of the parameter `p`
* when used in exact flow.
*/
private string parameterNodeAsExactInput(DataFlow::ParameterNode p) {
result = parameterExactAccess(asParameter(p))
or
result = qualifierString() and p instanceof InstanceParameterNode
}

/**
* Provides classes and predicates related to capturing summary models
* based on heuristic data flow.
@@ -336,8 +350,8 @@ module MakeModelGeneratorFactory<
/**
* Gets the MaD string representation of the parameter node `p`.
*/
string parameterNodeAsInput(DataFlow::ParameterNode p) {
result = parameterAccess(asParameter(p))
private string parameterNodeAsApproximateInput(DataFlow::ParameterNode p) {
result = parameterApproximateAccess(asParameter(p))
or
result = qualifierString() and p instanceof InstanceParameterNode
}
@@ -545,16 +559,19 @@ module MakeModelGeneratorFactory<
ReturnNodeExt returnNodeExt, string output, boolean preservesValue
) {
(
PropagateDataFlow::flow(p, returnNodeExt) and preservesValue = true
PropagateDataFlow::flow(p, returnNodeExt) and
input = parameterNodeAsExactInput(p) and
output = getExactOutput(returnNodeExt) and
preservesValue = true
or
not PropagateDataFlow::flow(p, returnNodeExt) and
PropagateTaintFlow::flow(p, returnNodeExt) and
input = parameterNodeAsApproximateInput(p) and
output = getApproximateOutput(returnNodeExt) and
preservesValue = false
) and
getEnclosingCallable(p) = api and
getEnclosingCallable(returnNodeExt) = api and
input = parameterNodeAsInput(p) and
output = getOutput(returnNodeExt) and
input != output
}

@@ -651,20 +668,6 @@ module MakeModelGeneratorFactory<
private module ContentModelPrinting =
Printing::ModelPrintingSummary<ContentModelPrintingInput>;

private string getContentOutput(ReturnNodeExt node) {
result = PrintReturnNodeExt<paramReturnNodeAsContentOutput/2>::getOutput(node)
}

/**
* Gets the MaD string representation of the parameter `p`
* when used in content flow.
*/
private string parameterNodeAsContentInput(DataFlow::ParameterNode p) {
result = parameterContentAccess(asParameter(p))
or
result = qualifierString() and p instanceof InstanceParameterNode
}

private string getContent(PropagateContentFlow::AccessPath ap, int i) {
result = "." + printContent(ap.getAtIndex(i))
}
@@ -740,8 +743,8 @@ module MakeModelGeneratorFactory<
PropagateContentFlow::AccessPath stores
|
apiFlow(this, parameter, reads, returnNodeExt, stores, _) and
input = parameterNodeAsContentInput(parameter) + printReadAccessPath(reads) and
output = getContentOutput(returnNodeExt) + printStoreAccessPath(stores)
input = parameterNodeAsExactInput(parameter) + printReadAccessPath(reads) and
output = getExactOutput(returnNodeExt) + printStoreAccessPath(stores)
)
) <= 3
}
@@ -948,8 +951,8 @@ module MakeModelGeneratorFactory<
PropagateContentFlow::AccessPath reads, PropagateContentFlow::AccessPath stores
|
apiRelevantContentFlow(api, p, reads, returnNodeExt, stores, preservesValue) and
input = parameterNodeAsContentInput(p) + printReadAccessPath(reads) and
output = getContentOutput(returnNodeExt) + printStoreAccessPath(stores) and
input = parameterNodeAsExactInput(p) + printReadAccessPath(reads) and
output = getExactOutput(returnNodeExt) + printStoreAccessPath(stores) and
input != output and
validateAccessPath(reads) and
validateAccessPath(stores) and
@@ -1174,7 +1177,7 @@ module MakeModelGeneratorFactory<
sourceNode(source, kind) and
api = getEnclosingCallable(sink) and
not irrelevantSourceSinkApi(getEnclosingCallable(source), api) and
result = ModelPrintingSourceOrSink::asSourceModel(api, getOutput(sink), kind)
result = ModelPrintingSourceOrSink::asSourceModel(api, getExactOutput(sink), kind)
)
}
}