Merge pull request github#8317 from hvitved/typetracker/jump-step

Ruby/Python: Clear call contexts after jump steps in type tracking

Author: hvitved

python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll

@@ -34,7 +34,8 @@ private module Cached {
     CallStep() or
     ReturnStep() or
     StoreStep(ContentName content) or
-    LoadStep(ContentName content)
+    LoadStep(ContentName content) or
+    JumpStep()
 
   /** Gets the summary resulting from appending `step` to type-tracking summary `tt`. */
   cached
@@ -49,6 +50,9 @@ private module Cached {
       step = LoadStep(content) and result = MkTypeTracker(hasCall, "")
       or
       exists(string p | step = StoreStep(p) and content = "" and result = MkTypeTracker(hasCall, p))
+      or
+      step = JumpStep() and
+      result = MkTypeTracker(false, content)
     )
   }
 
@@ -67,6 +71,9 @@ private module Cached {
       )
       or
       step = StoreStep(content) and result = MkTypeBackTracker(hasReturn, "")
+      or
+      step = JumpStep() and
+      result = MkTypeBackTracker(false, content)
     )
   }
 
@@ -110,12 +117,17 @@ class StepSummary extends TStepSummary {
     exists(string content | this = StoreStep(content) | result = "store " + content)
     or
     exists(string content | this = LoadStep(content) | result = "load " + content)
+    or
+    this instanceof JumpStep and result = "jump"
   }
 }
 
 pragma[noinline]
 private predicate smallstepNoCall(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) {
   jumpStep(nodeFrom, nodeTo) and
+  summary = JumpStep()
+  or
+  levelStep(nodeFrom, nodeTo) and
   summary = LevelStep()
   or
   exists(string content |

python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll

@@ -14,6 +14,9 @@ predicate simpleLocalFlowStep = DataFlowPrivate::simpleLocalFlowStep/2;
 
 predicate jumpStep = DataFlowPrivate::jumpStep/2;
 
+/** Holds if there is a level step from `pred` to `succ`. */
+predicate levelStep(Node pred, Node succ) { none() }
+
 /**
  * Gets the name of a possible piece of content. For Python, this is currently only attribute names,
  * using the name of the attribute for the corresponding content.

ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll

@@ -34,7 +34,8 @@ private module Cached {
     CallStep() or
     ReturnStep() or
     StoreStep(ContentName content) or
-    LoadStep(ContentName content)
+    LoadStep(ContentName content) or
+    JumpStep()
 
   /** Gets the summary resulting from appending `step` to type-tracking summary `tt`. */
   cached
@@ -49,6 +50,9 @@ private module Cached {
       step = LoadStep(content) and result = MkTypeTracker(hasCall, "")
       or
       exists(string p | step = StoreStep(p) and content = "" and result = MkTypeTracker(hasCall, p))
+      or
+      step = JumpStep() and
+      result = MkTypeTracker(false, content)
     )
   }
 
@@ -67,6 +71,9 @@ private module Cached {
       )
       or
       step = StoreStep(content) and result = MkTypeBackTracker(hasReturn, "")
+      or
+      step = JumpStep() and
+      result = MkTypeBackTracker(false, content)
     )
   }
 
@@ -110,12 +117,17 @@ class StepSummary extends TStepSummary {
     exists(string content | this = StoreStep(content) | result = "store " + content)
     or
     exists(string content | this = LoadStep(content) | result = "load " + content)
+    or
+    this instanceof JumpStep and result = "jump"
   }
 }
 
 pragma[noinline]
 private predicate smallstepNoCall(Node nodeFrom, TypeTrackingNode nodeTo, StepSummary summary) {
   jumpStep(nodeFrom, nodeTo) and
+  summary = JumpStep()
+  or
+  levelStep(nodeFrom, nodeTo) and
   summary = LevelStep()
   or
   exists(string content |

ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll

@@ -15,6 +15,9 @@ predicate simpleLocalFlowStep = DataFlowPrivate::localFlowStepTypeTracker/2;
 
 predicate jumpStep = DataFlowPrivate::jumpStep/2;
 
+/** Holds if there is a level step from `pred` to `succ`. */
+predicate levelStep(Node pred, Node succ) { none() }
+
 /**
  * Gets the name of a possible piece of content. This will usually include things like
  *