
Commit e903d76

authored
Merge pull request #19443 from MathiasVP/generate-more-value-preserving-summaries-2
Shared: Generate more value-preserving flow summaries
2 parents 98ec375 + fcecc5a commit e903d76

35 files changed

+330
-208
lines changed

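--- a/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+++ b/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
@@ -10,5 +10,5 @@ import internal.CaptureModels
 import SummaryModels
 
 from DataFlowSummaryTargetApi api, string flow
-where flow = ContentSensitive::captureFlow(api, _)
+where flow = ContentSensitive::captureFlow(api, _, _, _, _)
 select flow order by flow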
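Review bot: The four `_` arguments in `ContentSensitive::captureFlow(api, _, _, _, _)` give no hint of which columns the query discards, and the same opaque call recurs in the C# query and in both content-based test configs of this commit. A short comment above the `where` clause would help, for example `// Only the model string is selected; the remaining captureFlow columns are intentionally ignored.` The predicate's signature is not on this page, so I cannot name the columns; the comment should list them once they are known.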

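--- a/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -189,15 +189,15 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
 )
 }
 
-string parameterAccess(Parameter p) { parameterContentAccessImpl(p, result) }
+string parameterApproximateAccess(Parameter p) { parameterContentAccessImpl(p, result) }
 
-string parameterContentAccess(Parameter p) { parameterContentAccessImpl(p, result) }
+string parameterExactAccess(Parameter p) { parameterContentAccessImpl(p, result) }
 
 bindingset[c]
-string paramReturnNodeAsOutput(Callable c, DataFlowPrivate::Position pos) {
+string paramReturnNodeAsExactOutput(Callable c, DataFlowPrivate::Position pos) {
 exists(Parameter p |
 p.isSourceParameterOf(c, pos) and
-result = parameterAccess(p)
+result = parameterExactAccess(p)
 )
 or
 pos.getArgumentIndex() = -1 and
@@ -206,8 +206,8 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
 }
 
 bindingset[c]
-string paramReturnNodeAsContentOutput(Callable c, DataFlowPrivate::ParameterPosition pos) {
-result = paramReturnNodeAsOutput(c, pos)
+string paramReturnNodeAsApproximateOutput(Callable c, DataFlowPrivate::ParameterPosition pos) {
+result = paramReturnNodeAsExactOutput(c, pos)
 }
 
 pragma[nomagic]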
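Review bot: The rename crosses over relative to the C# file in this commit: here the old `paramReturnNodeAsOutput` becomes `paramReturnNodeAsExactOutput` and the old `paramReturnNodeAsContentOutput` becomes `paramReturnNodeAsApproximateOutput`, whereas the C# `CaptureModels.qll` maps the two names the other way round. The generated strings stay the same because `parameterApproximateAccess` and `parameterExactAccess` both call `parameterContentAccessImpl(p, result)`, but the `Position` versus `ParameterPosition` parameter types now sit on the opposite names, so it is worth confirming they still match the shared signature. A QLDoc line on the pair, such as `/** For C++ the approximate and exact access paths coincide. */`, would stop a later reader from assuming they differ. The module body continues outside both hunks.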

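--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ql
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ql
@@ -4,7 +4,9 @@ import SummaryModels
 import InlineModelsAsDataTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {
-string getCapturedModel(MadRelevantFunction c) { result = ContentSensitive::captureFlow(c, _) }
+string getCapturedModel(MadRelevantFunction c) {
+result = ContentSensitive::captureFlow(c, _, _, _, _)
+}
 
 string getKind() { result = "contentbased-summary" }
 }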

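--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql
@@ -4,7 +4,7 @@ import SummaryModels
 import InlineModelsAsDataTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {
-string getCapturedModel(MadRelevantFunction c) { result = Heuristic::captureFlow(c) }
+string getCapturedModel(MadRelevantFunction c) { result = Heuristic::captureFlow(c, _) }
 
 string getKind() { result = "heuristic-summary" }
 }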

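--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp
@@ -10,32 +10,32 @@ namespace Models {
 //No model as destructors are excluded from model generation.
 ~BasicFlow() = default;
 
-//heuristic-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];taint;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];value;df-generated
 //contentbased-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];value;dfc-generated
 BasicFlow* returnThis(int* input) {
 return this;
 }
 
-//heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;taint;df-generated
-//heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];taint;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;value;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];value;df-generated
 //contentbased-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;value;dfc-generated
 //contentbased-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];value;dfc-generated
 int* returnParam0(int* input0, int* input1) {
 return input0;
 }
 
-//heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;taint;df-generated
-//heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];taint;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;value;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];value;df-generated
 //contentbased-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;value;dfc-generated
 //contentbased-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];value;dfc-generated
 int* returnParam1(int* input0, int* input1) {
 return input1;
 }
 
-//heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;taint;df-generated
-//heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];taint;df-generated
-//heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;taint;df-generated
-//heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*2];ReturnValue[*];taint;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;value;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];value;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;value;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*2];ReturnValue[*];value;df-generated
 //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;value;dfc-generated
 //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];value;dfc-generated
 //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;value;dfc-generated
@@ -46,9 +46,9 @@ namespace Models {
 
 //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];Argument[*1];taint;df-generated
 //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];ReturnValue[*];taint;df-generated
-//heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];taint;df-generated
-//heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[1];ReturnValue;taint;df-generated
-//heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];Argument[*1];taint;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];value;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[1];ReturnValue;value;df-generated
+//heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];Argument[*1];value;df-generated
 //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];Argument[*1];taint;dfc-generated
 //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];ReturnValue[*];taint;dfc-generated
 //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];value;dfc-generated
@@ -79,14 +79,14 @@ namespace Models {
 struct TemplatedFlow {
 T tainted;
 
-//heuristic-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];taint;df-generated
+//heuristic-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];value;df-generated
 //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];value;dfc-generated
 TemplatedFlow<T>* template_returnThis(T input) {
 return this;
 }
 
-//heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;taint;df-generated
-//heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];taint;df-generated
+//heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;value;df-generated
+//heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];value;df-generated
 //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;value;dfc-generated
 //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];value;dfc-generated
 T* template_returnParam0(T* input0, T* input1) {
@@ -105,8 +105,8 @@ namespace Models {
 return tainted;
 }
 
-//heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;taint;df-generated
-//heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];taint;df-generated
+//heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;value;df-generated
+//heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];value;df-generated
 //contentbased-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;value;dfc-generated
 //contentbased-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];value;dfc-generated
 template<typename U>
@@ -130,7 +130,7 @@ namespace Models {
 }
 
 //heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;df-generated
-//heuristic-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;taint;df-generated
+//heuristic-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;value;df-generated
 //heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];Argument[*0];taint;df-generated
 //contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];Argument[*0];taint;dfc-generated
 //contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;dfc-generated
@@ -145,13 +145,13 @@ static int static_toplevel_function(int* p) {
 }
 
 struct NonFinalStruct {
-//heuristic-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;taint;df-generated
+//heuristic-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;value;df-generated
 //contentbased-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;value;dfc-generated
 virtual int public_not_final_member_function(int x) {
 return x;
 }
 
-//heuristic-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;taint;df-generated
+//heuristic-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;value;df-generated
 //contentbased-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;value;dfc-generated
 virtual int public_final_member_function(int x) final {
 return x;
@@ -171,13 +171,13 @@ struct NonFinalStruct {
 };
 
 struct FinalStruct final {
-//heuristic-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;taint;df-generated
+//heuristic-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;value;df-generated
 //contentbased-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;value;dfc-generated
 virtual int public_not_final_member_function_2(int x) {
 return x;
 }
 
-//heuristic-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;taint;df-generated
+//heuristic-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;value;df-generated
 //contentbased-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;value;dfc-generated
 virtual int public_final_member_function_2(int x) final {
 return x;
@@ -211,7 +211,7 @@ struct HasInt {
 //contentbased-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];value;dfc-generated
 //heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*0];taint;df-generated
 //heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*1];taint;df-generated
-//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];taint;df-generated
+//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];value;df-generated
 int copy_struct(HasInt *out, const HasInt *in) {
 *out = *in;
 return 1;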
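Review bot: The `returnSubstring` expectations are the ones in this file that need a written justification for flipping to `value`: the heuristic rows `Argument[*0];ReturnValue[*]`, `Argument[1];ReturnValue` and `Argument[*0];Argument[*1]` now claim exact value preservation, while the neighbouring heuristic rows for the same function stay `taint`. The function body is outside the hunk, so I cannot tell whether the pointed-to data is copied unchanged or only in part. Because a `value` row is consumed by value-flow queries as well as taint queries, an over-claimed row shows up as false positives downstream rather than as a failure in this test. A comment above those three rows, e.g. `// value: <reason the copy preserves the pointee>`, would record the intent.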

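--- a/csharp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+++ b/csharp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
@@ -10,5 +10,5 @@ import internal.CaptureModels
 import SummaryModels
 
 from DataFlowSummaryTargetApi api, string flow
-where flow = ContentSensitive::captureFlow(api, _)
+where flow = ContentSensitive::captureFlow(api, _, _, _, _)
 select flow order by flow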

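--- a/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql
+++ b/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql
@@ -15,7 +15,7 @@ import PartialFlow::PartialPathGraph
 
 int explorationLimit() { result = 3 }
 
-module PartialFlow = Heuristic::PropagateFlow::FlowExplorationFwd<explorationLimit/0>;
+module PartialFlow = Heuristic::PropagateTaintFlow::FlowExplorationFwd<explorationLimit/0>;
 
 from
 PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink,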
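Review bot: `PartialFlow` is now bound to `Heuristic::PropagateTaintFlow` only, and `CaptureSummaryModelsPath.ql` in this commit makes the same choice for `PathGraph`, `PathNode` and `flowPath`. With the heuristic generator now emitting `value` rows as well (see the updated expectations in `summaries.cpp`), it looks as though a summary produced by the value-preserving configuration has no debug query that explains it; the shared library change is not on this page, so this is inferred. If taint flow is meant to subsume the value-preserving steps, a comment saying so would be enough: `// Taint flow includes the value-preserving steps, so this also explains generated value summaries.` The `from` clause continues outside the hunk.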

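--- a/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
+++ b/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
@@ -11,16 +11,15 @@
 import csharp
 import utils.modelgenerator.internal.CaptureModels
 import SummaryModels
-import Heuristic
-import PropagateFlow::PathGraph
+import Heuristic::PropagateTaintFlow::PathGraph
 
 from
-PropagateFlow::PathNode source, PropagateFlow::PathNode sink, DataFlowSummaryTargetApi api,
-DataFlow::Node p, DataFlow::Node returnNodeExt
+Heuristic::PropagateTaintFlow::PathNode source, Heuristic::PropagateTaintFlow::PathNode sink,
+DataFlowSummaryTargetApi api, DataFlow::Node p, DataFlow::Node returnNodeExt
 where
-PropagateFlow::flowPath(source, sink) and
+Heuristic::PropagateTaintFlow::flowPath(source, sink) and
 p = source.getNode() and
 returnNodeExt = sink.getNode() and
-exists(captureThroughFlow0(api, p, returnNodeExt))
+Heuristic::captureThroughFlow0(api, p, returnNodeExt)
 select sink.getNode(), source, sink, "There is flow from $@ to the $@.", source.getNode(),
 "parameter", sink.getNode(), "return value"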

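--- a/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -124,13 +124,13 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Locatio
 
 string qualifierString() { result = "Argument[this]" }
 
-string parameterAccess(CS::Parameter p) {
+string parameterApproximateAccess(CS::Parameter p) {
 if Collections::isCollectionType(p.getType())
 then result = "Argument[" + p.getPosition() + "].Element"
 else result = "Argument[" + p.getPosition() + "]"
 }
 
-string parameterContentAccess(CS::Parameter p) { result = "Argument[" + p.getPosition() + "]" }
+string parameterExactAccess(CS::Parameter p) { result = "Argument[" + p.getPosition() + "]" }
 
 private signature string parameterAccessSig(Parameter p);
 
@@ -145,13 +145,13 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Locatio
 }
 
 bindingset[c]
-string paramReturnNodeAsOutput(CS::Callable c, ParameterPosition pos) {
-result = ParamReturnNodeAsOutput<parameterAccess/1>::paramReturnNodeAsOutput(c, pos)
+string paramReturnNodeAsApproximateOutput(CS::Callable c, ParameterPosition pos) {
+result = ParamReturnNodeAsOutput<parameterApproximateAccess/1>::paramReturnNodeAsOutput(c, pos)
 }
 
 bindingset[c]
-string paramReturnNodeAsContentOutput(Callable c, ParameterPosition pos) {
-result = ParamReturnNodeAsOutput<parameterContentAccess/1>::paramReturnNodeAsOutput(c, pos)
+string paramReturnNodeAsExactOutput(Callable c, ParameterPosition pos) {
+result = ParamReturnNodeAsOutput<parameterExactAccess/1>::paramReturnNodeAsOutput(c, pos)
 }
 
 ParameterPosition getReturnKindParamPosition(ReturnKind kind) {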
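Review bot: `parameterApproximateAccess` and `parameterExactAccess` have no QLDoc, and their difference decides which access path ends up in a generated model: the first appends `.Element` for collection-typed parameters, the second always yields plain `Argument[n]`. I would document both, e.g. `/** Gets the access path for p, using .Element when p is a collection (approximate). */` and `/** Gets the access path for p itself, without content (exact). */`. The same applies to the two `paramReturnNodeAs…Output` wrappers in the second hunk, which differ only in the access predicate they pass to `ParamReturnNodeAsOutput`.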

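--- a/csharp/ql/src/utils/modelgenerator/internal/CaptureTypeBasedSummaryModels.qll
+++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureTypeBasedSummaryModels.qll
@@ -39,7 +39,7 @@ private predicate localTypeParameter(Callable callable, TypeParameter tp) {
 */
 private predicate parameter(Callable callable, string input, TypeParameter tp) {
 exists(Parameter p |
-input = ModelGeneratorInput::parameterAccess(p) and
+input = ModelGeneratorInput::parameterApproximateAccess(p) and
 p = callable.getAParameter() and
 (
 // Parameter of type tp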

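--- a/csharp/ql/test/utils/modelgenerator/dataflow/CaptureContentSummaryModels.ql
+++ b/csharp/ql/test/utils/modelgenerator/dataflow/CaptureContentSummaryModels.ql
@@ -4,7 +4,7 @@ import SummaryModels
 import utils.test.InlineMadTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {
-string getCapturedModel(Callable c) { result = ContentSensitive::captureFlow(c, _) }
+string getCapturedModel(Callable c) { result = ContentSensitive::captureFlow(c, _, _, _, _) }
 
 string getKind() { result = "contentbased-summary" }
 }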

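--- a/csharp/ql/test/utils/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql
+++ b/csharp/ql/test/utils/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql
@@ -4,7 +4,7 @@ import SummaryModels
 import utils.test.InlineMadTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {
-string getCapturedModel(Callable c) { result = Heuristic::captureFlow(c) }
+string getCapturedModel(Callable c) { result = Heuristic::captureFlow(c, _) }
 
 string getKind() { result = "heuristic-summary" }
 }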
