Data flow: Depth 1 call contexts in store/load matching

Author: hvitved

shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll

@@ -2559,23 +2559,25 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
 
         pragma[nomagic]
         private predicate revFlowThroughArg(
-          DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
-          Ap ap
+          DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, FlowState state, ReturnCtx returnCtx,
+          ApOption returnAp, Ap ap
         ) {
-          exists(ParamNodeEx p, Ap innerReturnAp |
+          exists(Ap innerReturnAp |
             revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp) and
             flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp)
           )
         }
 
         pragma[nomagic]
-        predicate callMayFlowThroughRev(DataFlowCall call) {
+        additional predicate callMayFlowThroughRev(DataFlowCall call, ParamNodeEx p) {
           exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
             revFlow(arg, state, returnCtx, returnAp, ap) and
-            revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap)
+            revFlowThroughArg(call, arg, p, state, returnCtx, returnAp, ap)
           )
         }
 
+        predicate callMayFlowThroughRev(DataFlowCall call) { callMayFlowThroughRev(call, _) }
+
         predicate callEdgeArgParam(
           DataFlowCall call, DataFlowCallable c, ArgNodeEx arg, ParamNodeEx p,
           boolean allowsFieldFlow, Ap ap
@@ -3416,24 +3418,51 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
       private module StoreReadMatchingInput implements StoreReadMatchingInputSig {
         class NodeEx = NodeExAlias;
 
-        predicate nodeRange(NodeEx node, boolean fromArg) {
-          exists(PrevStage::Ap ap |
-            PrevStage::revFlowAp(node, ap) and
+        pragma[nomagic]
+        private DataFlowCallOption getAFlowThroughCallCtx(
+          NodeEx node, PrevStage::Ap ap, boolean fromArg
+        ) {
+          exists(PrevStage::Cc cc, ParamNodeOption summaryCtx, PrevStage::ApOption argAp |
+            PrevStage::fwdFlow(node, _, cc, summaryCtx, _, argAp, _, ap, _)
+          |
+            PrevStage::instanceofCcCall(cc) and
+            fromArg = true and
             (
-              ap = true
-              or
-              PrevStage::storeStepCand(node, ap, _, _, _, _)
+              summaryCtx instanceof TParamNodeNone and
+              result = TDataFlowCallNone()
               or
-              PrevStage::readStepCand(_, _, node)
+              exists(ParamNodeEx p, PrevStage::Ap argApSome |
+                summaryCtx = TParamNodeSome(p.asNode()) and
+                argAp = PrevStage::apSome(argApSome)
+              |
+                if
+                  PrevStage::parameterMayFlowThrough(p, argApSome) and
+                  PrevStage::callMayFlowThroughRev(_, p)
+                then
+                  exists(DataFlowCall call |
+                    PrevStage::callMayFlowThroughRev(call, p) and
+                    result = TDataFlowCallSome(call)
+                  )
+                else result = TDataFlowCallNone()
+              )
             )
+            or
+            PrevStage::instanceofCcNoCall(cc) and
+            fromArg = false and
+            result = TDataFlowCallNone()
+          )
+        }
+
+        predicate nodeRange(NodeEx node, boolean fromArg, DataFlowCallOption summaryCtx) {
+          exists(PrevStage::Ap ap |
+            PrevStage::revFlowAp(node, ap) and
+            summaryCtx = getAFlowThroughCallCtx(node, ap, fromArg)
           |
-            exists(PrevStage::Cc cc | PrevStage::fwdFlow(node, _, cc, _, _, _, _, ap, _) |
-              PrevStage::instanceofCcCall(cc) and
-              fromArg = true
-              or
-              PrevStage::instanceofCcNoCall(cc) and
-              fromArg = false
-            )
+            ap = true
+            or
+            PrevStage::storeStepCand(node, ap, _, _, _, _)
+            or
+            PrevStage::readStepCand(_, _, node)
           )
         }
 
@@ -3459,12 +3488,19 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
           )
         }
 
-        predicate callEdgeArgParam(NodeEx arg, NodeEx param) {
-          PrevStage::callEdgeArgParam(_, _, arg, param, true, true)
+        predicate callEdgeArgParam(NodeEx arg, NodeEx param, DataFlowCallOption summaryCtx) {
+          exists(DataFlowCall call |
+            PrevStage::callEdgeArgParam(call, _, arg, param, true, true) and
+            summaryCtx = getAFlowThroughCallCtx(param, true, true)
+          |
+            summaryCtx = TDataFlowCallNone()
+            or
+            summaryCtx = TDataFlowCallSome(call)
+          )
         }
 
-        predicate callEdgeReturn(NodeEx ret, NodeEx out, boolean mayFlowThrough) {
-          PrevStage::callEdgeReturn(_, _, ret, _, out, true, true) and
+        predicate callEdgeReturn(DataFlowCall call, NodeEx ret, NodeEx out, boolean mayFlowThrough) {
+          PrevStage::callEdgeReturn(call, _, ret, _, out, true, true) and
           if flowThroughOutOfCall(ret, out) then mayFlowThrough = true else mayFlowThrough = false
         }