Merge pull request github#12236 from MathiasVP/language-specific-field-flow-branch-limit-term

MathiasVP · web-flow · commit ff53e53e8c12 · 2023-03-06T16:59:09.000Z
Dataflow: Add a language specific term to `join` and `branch`
diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -959,6 +959,17 @@ module Impl<FullStateConfigSig Config> {
     not inBarrier(p)
   }
 
+  /**
+   * Gets an additional term that is added to `branch` and `join` when deciding whether
+   * the amount of forward or backward branching is within the limit specified by the
+   * configuration.
+   */
+  pragma[nomagic]
+  private int getLanguageSpecificFlowIntoCallNodeCand1(ArgNodeEx arg, ParamNodeEx p) {
+    flowIntoCallNodeCand1(_, arg, p) and
+    result = getAdditionalFlowIntoCallNodeTerm(arg.projectToNode(), p.projectToNode())
+  }
+
   /**
    * Gets the amount of forward branching on the origin of a cross-call path
    * edge in the graph of paths between sources and sinks that ignores call
@@ -968,6 +979,7 @@ module Impl<FullStateConfigSig Config> {
   private int branch(NodeEx n1) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n1, _, n) or flowIntoCallNodeCand1(_, n1, n))
+        + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
   }
 
   /**
@@ -979,6 +991,7 @@ module Impl<FullStateConfigSig Config> {
   private int join(NodeEx n2) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n, _, n2) or flowIntoCallNodeCand1(_, n, n2))
+        + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
   }
 
   /**
diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -565,3 +565,12 @@ private class MyConsistencyConfiguration extends Consistency::ConsistencyConfigu
     any()
   }
 }
+
+/**
+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
+ * an additional forward or backwards branching factor that is not taken into account
+ * when calculating the (virtual) dispatch cost.
+ *
+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
+ */
+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -959,6 +959,17 @@ module Impl<FullStateConfigSig Config> {
     not inBarrier(p)
   }
 
+  /**
+   * Gets an additional term that is added to `branch` and `join` when deciding whether
+   * the amount of forward or backward branching is within the limit specified by the
+   * configuration.
+   */
+  pragma[nomagic]
+  private int getLanguageSpecificFlowIntoCallNodeCand1(ArgNodeEx arg, ParamNodeEx p) {
+    flowIntoCallNodeCand1(_, arg, p) and
+    result = getAdditionalFlowIntoCallNodeTerm(arg.projectToNode(), p.projectToNode())
+  }
+
   /**
    * Gets the amount of forward branching on the origin of a cross-call path
    * edge in the graph of paths between sources and sinks that ignores call
@@ -968,6 +979,7 @@ module Impl<FullStateConfigSig Config> {
   private int branch(NodeEx n1) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n1, _, n) or flowIntoCallNodeCand1(_, n1, n))
+        + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
   }
 
   /**
@@ -979,6 +991,7 @@ module Impl<FullStateConfigSig Config> {
   private int join(NodeEx n2) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n, _, n2) or flowIntoCallNodeCand1(_, n, n2))
+        + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
   }
 
   /**
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -318,3 +318,12 @@ private class MyConsistencyConfiguration extends Consistency::ConsistencyConfigu
     // consistency alerts enough that most of them are interesting.
   }
 }
+
+/**
+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
+ * an additional forward or backwards branching factor that is not taken into account
+ * when calculating the (virtual) dispatch cost.
+ *
+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
+ */
+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -959,6 +959,17 @@ module Impl<FullStateConfigSig Config> {
     not inBarrier(p)
   }
 
+  /**
+   * Gets an additional term that is added to `branch` and `join` when deciding whether
+   * the amount of forward or backward branching is within the limit specified by the
+   * configuration.
+   */
+  pragma[nomagic]
+  private int getLanguageSpecificFlowIntoCallNodeCand1(ArgNodeEx arg, ParamNodeEx p) {
+    flowIntoCallNodeCand1(_, arg, p) and
+    result = getAdditionalFlowIntoCallNodeTerm(arg.projectToNode(), p.projectToNode())
+  }
+
   /**
    * Gets the amount of forward branching on the origin of a cross-call path
    * edge in the graph of paths between sources and sinks that ignores call
@@ -968,6 +979,7 @@ module Impl<FullStateConfigSig Config> {
   private int branch(NodeEx n1) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n1, _, n) or flowIntoCallNodeCand1(_, n1, n))
+        + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
   }
 
   /**
@@ -979,6 +991,7 @@ module Impl<FullStateConfigSig Config> {
   private int join(NodeEx n2) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n, _, n2) or flowIntoCallNodeCand1(_, n, n2))
+        + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
   }
 
   /**
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -414,3 +414,12 @@ private class MyConsistencyConfiguration extends Consistency::ConsistencyConfigu
     any()
   }
 }
+
+/**
+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
+ * an additional forward or backwards branching factor that is not taken into account
+ * when calculating the (virtual) dispatch cost.
+ *
+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
+ */
+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -959,6 +959,17 @@ module Impl<FullStateConfigSig Config> {
     not inBarrier(p)
   }
 
+  /**
+   * Gets an additional term that is added to `branch` and `join` when deciding whether
+   * the amount of forward or backward branching is within the limit specified by the
+   * configuration.
+   */
+  pragma[nomagic]
+  private int getLanguageSpecificFlowIntoCallNodeCand1(ArgNodeEx arg, ParamNodeEx p) {
+    flowIntoCallNodeCand1(_, arg, p) and
+    result = getAdditionalFlowIntoCallNodeTerm(arg.projectToNode(), p.projectToNode())
+  }
+
   /**
    * Gets the amount of forward branching on the origin of a cross-call path
    * edge in the graph of paths between sources and sinks that ignores call
@@ -968,6 +979,7 @@ module Impl<FullStateConfigSig Config> {
   private int branch(NodeEx n1) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n1, _, n) or flowIntoCallNodeCand1(_, n1, n))
+        + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
   }
 
   /**
@@ -979,6 +991,7 @@ module Impl<FullStateConfigSig Config> {
   private int join(NodeEx n2) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n, _, n2) or flowIntoCallNodeCand1(_, n, n2))
+        + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
   }
 
   /**
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -2374,3 +2374,12 @@ module Csv {
     )
   }
 }
+
+/**
+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
+ * an additional forward or backwards branching factor that is not taken into account
+ * when calculating the (virtual) dispatch cost.
+ *
+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
+ */
+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll
@@ -959,6 +959,17 @@ module Impl<FullStateConfigSig Config> {
     not inBarrier(p)
   }
 
+  /**
+   * Gets an additional term that is added to `branch` and `join` when deciding whether
+   * the amount of forward or backward branching is within the limit specified by the
+   * configuration.
+   */
+  pragma[nomagic]
+  private int getLanguageSpecificFlowIntoCallNodeCand1(ArgNodeEx arg, ParamNodeEx p) {
+    flowIntoCallNodeCand1(_, arg, p) and
+    result = getAdditionalFlowIntoCallNodeTerm(arg.projectToNode(), p.projectToNode())
+  }
+
   /**
    * Gets the amount of forward branching on the origin of a cross-call path
    * edge in the graph of paths between sources and sinks that ignores call
@@ -968,6 +979,7 @@ module Impl<FullStateConfigSig Config> {
   private int branch(NodeEx n1) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n1, _, n) or flowIntoCallNodeCand1(_, n1, n))
+        + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
   }
 
   /**
@@ -979,6 +991,7 @@ module Impl<FullStateConfigSig Config> {
   private int join(NodeEx n2) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n, _, n2) or flowIntoCallNodeCand1(_, n, n2))
+        + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
@@ -390,3 +390,12 @@ class ContentApprox = Unit;
 /** Gets an approximated value for content `c`. */
 pragma[inline]
 ContentApprox getContentApprox(Content c) { any() }
+
+/**
+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
+ * an additional forward or backwards branching factor that is not taken into account
+ * when calculating the (virtual) dispatch cost.
+ *
+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
+ */
+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -959,6 +959,17 @@ module Impl<FullStateConfigSig Config> {
     not inBarrier(p)
   }
 
+  /**
+   * Gets an additional term that is added to `branch` and `join` when deciding whether
+   * the amount of forward or backward branching is within the limit specified by the
+   * configuration.
+   */
+  pragma[nomagic]
+  private int getLanguageSpecificFlowIntoCallNodeCand1(ArgNodeEx arg, ParamNodeEx p) {
+    flowIntoCallNodeCand1(_, arg, p) and
+    result = getAdditionalFlowIntoCallNodeTerm(arg.projectToNode(), p.projectToNode())
+  }
+
   /**
    * Gets the amount of forward branching on the origin of a cross-call path
    * edge in the graph of paths between sources and sinks that ignores call
@@ -968,6 +979,7 @@ module Impl<FullStateConfigSig Config> {
   private int branch(NodeEx n1) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n1, _, n) or flowIntoCallNodeCand1(_, n1, n))
+        + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
   }
 
   /**
@@ -979,6 +991,7 @@ module Impl<FullStateConfigSig Config> {
   private int join(NodeEx n2) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n, _, n2) or flowIntoCallNodeCand1(_, n, n2))
+        + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
   }
 
   /**
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -478,3 +478,12 @@ predicate containerContent(Content c) {
   c instanceof MapKeyContent or
   c instanceof MapValueContent
 }
+
+/**
+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
+ * an additional forward or backwards branching factor that is not taken into account
+ * when calculating the (virtual) dispatch cost.
+ *
+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
+ */
+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -959,6 +959,17 @@ module Impl<FullStateConfigSig Config> {
     not inBarrier(p)
   }
 
+  /**
+   * Gets an additional term that is added to `branch` and `join` when deciding whether
+   * the amount of forward or backward branching is within the limit specified by the
+   * configuration.
+   */
+  pragma[nomagic]
+  private int getLanguageSpecificFlowIntoCallNodeCand1(ArgNodeEx arg, ParamNodeEx p) {
+    flowIntoCallNodeCand1(_, arg, p) and
+    result = getAdditionalFlowIntoCallNodeTerm(arg.projectToNode(), p.projectToNode())
+  }
+
   /**
    * Gets the amount of forward branching on the origin of a cross-call path
    * edge in the graph of paths between sources and sinks that ignores call
@@ -968,6 +979,7 @@ module Impl<FullStateConfigSig Config> {
   private int branch(NodeEx n1) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n1, _, n) or flowIntoCallNodeCand1(_, n1, n))
+        + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
   }
 
   /**
@@ -979,6 +991,7 @@ module Impl<FullStateConfigSig Config> {
   private int join(NodeEx n2) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n, _, n2) or flowIntoCallNodeCand1(_, n, n2))
+        + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
   }
 
   /**
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -1008,3 +1008,12 @@ class ContentApprox = Unit;
 /** Gets an approximated value for content `c`. */
 pragma[inline]
 ContentApprox getContentApprox(Content c) { any() }
+
+/**
+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
+ * an additional forward or backwards branching factor that is not taken into account
+ * when calculating the (virtual) dispatch cost.
+ *
+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
+ */
+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll
@@ -959,6 +959,17 @@ module Impl<FullStateConfigSig Config> {
     not inBarrier(p)
   }
 
+  /**
+   * Gets an additional term that is added to `branch` and `join` when deciding whether
+   * the amount of forward or backward branching is within the limit specified by the
+   * configuration.
+   */
+  pragma[nomagic]
+  private int getLanguageSpecificFlowIntoCallNodeCand1(ArgNodeEx arg, ParamNodeEx p) {
+    flowIntoCallNodeCand1(_, arg, p) and
+    result = getAdditionalFlowIntoCallNodeTerm(arg.projectToNode(), p.projectToNode())
+  }
+
   /**
    * Gets the amount of forward branching on the origin of a cross-call path
    * edge in the graph of paths between sources and sinks that ignores call
@@ -968,6 +979,7 @@ module Impl<FullStateConfigSig Config> {
   private int branch(NodeEx n1) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n1, _, n) or flowIntoCallNodeCand1(_, n1, n))
+        + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
   }
 
   /**
@@ -979,6 +991,7 @@ module Impl<FullStateConfigSig Config> {
   private int join(NodeEx n2) {
     result =
       strictcount(NodeEx n | flowOutOfCallNodeCand1(_, n, _, n2) or flowIntoCallNodeCand1(_, n, n2))
+        + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
   }
 
   /**
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -1498,3 +1498,12 @@ class AdditionalJumpStep extends Unit {
    */
   abstract predicate step(Node pred, Node succ);
 }
+
+/**
+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
+ * an additional forward or backwards branching factor that is not taken into account
+ * when calculating the (virtual) dispatch cost.
+ *
+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
+ */
+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

Original file line number	Diff line number	Diff line change
`@@ -565,3 +565,12 @@ private class MyConsistencyConfiguration extends Consistency::ConsistencyConfigu`
`565`	`565`	`any()`
`566`	`566`	`}`
`567`	`567`	`}`
	`568`	`+`
	`569`	`+/**`
	`570`	+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
	`571`	`+ * an additional forward or backwards branching factor that is not taken into account`
	`572`	`+ * when calculating the (virtual) dispatch cost.`
	`573`	`+ *`
	`574`	+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
	`575`	`+ */`
	`576`	`+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }`
Original file line number	Diff line number	Diff line change
`@@ -318,3 +318,12 @@ private class MyConsistencyConfiguration extends Consistency::ConsistencyConfigu`
`318`	`318`	`// consistency alerts enough that most of them are interesting.`
`319`	`319`	`}`
`320`	`320`	`}`
	`321`	`+`
	`322`	`+/**`
	`323`	+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
	`324`	`+ * an additional forward or backwards branching factor that is not taken into account`
	`325`	`+ * when calculating the (virtual) dispatch cost.`
	`326`	`+ *`
	`327`	+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
	`328`	`+ */`
	`329`	`+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }`
Original file line number	Diff line number	Diff line change
`@@ -414,3 +414,12 @@ private class MyConsistencyConfiguration extends Consistency::ConsistencyConfigu`
`414`	`414`	`any()`
`415`	`415`	`}`
`416`	`416`	`}`
	`417`	`+`
	`418`	`+/**`
	`419`	+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
	`420`	`+ * an additional forward or backwards branching factor that is not taken into account`
	`421`	`+ * when calculating the (virtual) dispatch cost.`
	`422`	`+ *`
	`423`	+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
	`424`	`+ */`
	`425`	`+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }`
Original file line number	Diff line number	Diff line change
`@@ -2374,3 +2374,12 @@ module Csv {`
`2374`	`2374`	`)`
`2375`	`2375`	`}`
`2376`	`2376`	`}`
	`2377`	`+`
	`2378`	`+/**`
	`2379`	+ * Gets an additional term that is added to the `join` and `branch` computations to reflect
	`2380`	`+ * an additional forward or backwards branching factor that is not taken into account`
	`2381`	`+ * when calculating the (virtual) dispatch cost.`
	`2382`	`+ *`
	`2383`	+ * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
	`2384`	`+ */`
	`2385`	`+int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }`