Java: Disregard heap parameter in any-argument and any-parameter specs.

Author: aschackmull

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -1222,14 +1222,18 @@ module Private {
           node.asNode().(PostUpdateNode).getPreUpdateNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ArgumentPosition apos, ParameterPosition ppos |
           node.asNode().(ParamNode).isParameterOf(mid.asCallable(), ppos) and
           parameterMatch(ppos, apos)
         |
-          c = "Parameter" or parseParam(c, apos)
+          c = "Parameter" and not heapParameter(ppos)
+          or
+          parseParam(c, apos)
         )
         or
         c = "ReturnValue" and
@@ -1259,7 +1263,9 @@ module Private {
           node.asNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ReturnNodeExt ret |

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -300,6 +300,12 @@ predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) {
   )
 }
 
+/**
+ * Holds if `pos` is the position of the `heap` parameter, and thus should not
+ * be included by models that specify "any argument" or "any parameter".
+ */
+predicate heapParameter(ParameterPosition pos) { none() }
+
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */
 bindingset[s]
 ArgumentPosition parseParamBody(string s) {

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll

@@ -1222,14 +1222,18 @@ module Private {
           node.asNode().(PostUpdateNode).getPreUpdateNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ArgumentPosition apos, ParameterPosition ppos |
           node.asNode().(ParamNode).isParameterOf(mid.asCallable(), ppos) and
           parameterMatch(ppos, apos)
         |
-          c = "Parameter" or parseParam(c, apos)
+          c = "Parameter" and not heapParameter(ppos)
+          or
+          parseParam(c, apos)
         )
         or
         c = "ReturnValue" and
@@ -1259,7 +1263,9 @@ module Private {
           node.asNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ReturnNodeExt ret |

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -251,6 +251,12 @@ predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) {
   )
 }
 
+/**
+ * Holds if `pos` is the position of the `heap` parameter, and thus should not
+ * be included by models that specify "any argument" or "any parameter".
+ */
+predicate heapParameter(ParameterPosition pos) { none() }
+
 /**
  * Holds if specification component `c` parses as return value `n` or a range
  * containing `n`.

java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll

@@ -1222,14 +1222,18 @@ module Private {
           node.asNode().(PostUpdateNode).getPreUpdateNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ArgumentPosition apos, ParameterPosition ppos |
           node.asNode().(ParamNode).isParameterOf(mid.asCallable(), ppos) and
           parameterMatch(ppos, apos)
         |
-          c = "Parameter" or parseParam(c, apos)
+          c = "Parameter" and not heapParameter(ppos)
+          or
+          parseParam(c, apos)
         )
         or
         c = "ReturnValue" and
@@ -1259,7 +1263,9 @@ module Private {
           node.asNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ReturnNodeExt ret |

java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -319,6 +319,12 @@ predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) {
   )
 }
 
+/**
+ * Holds if `pos` is the position of the `heap` parameter, and thus should not
+ * be included by models that specify "any argument" or "any parameter".
+ */
+predicate heapParameter(ParameterPosition pos) { pos = -2 }
+
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */
 bindingset[s]
 ArgumentPosition parseParamBody(string s) {

python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll

@@ -1222,14 +1222,18 @@ module Private {
           node.asNode().(PostUpdateNode).getPreUpdateNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ArgumentPosition apos, ParameterPosition ppos |
           node.asNode().(ParamNode).isParameterOf(mid.asCallable(), ppos) and
           parameterMatch(ppos, apos)
         |
-          c = "Parameter" or parseParam(c, apos)
+          c = "Parameter" and not heapParameter(ppos)
+          or
+          parseParam(c, apos)
         )
         or
         c = "ReturnValue" and
@@ -1259,7 +1263,9 @@ module Private {
           node.asNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ReturnNodeExt ret |

python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImplSpecific.qll

@@ -241,6 +241,12 @@ private module UnusedSourceSinkInterpretation {
 
   /** Provides additional source specification logic. */
   predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode node) { none() }
+
+  /**
+   * Holds if `pos` is the position of the `heap` parameter, and thus should not
+   * be included by models that specify "any argument" or "any parameter".
+   */
+  predicate heapParameter(ParameterPosition pos) { none() }
 }
 
 import UnusedSourceSinkInterpretation

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll

@@ -1222,14 +1222,18 @@ module Private {
           node.asNode().(PostUpdateNode).getPreUpdateNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ArgumentPosition apos, ParameterPosition ppos |
           node.asNode().(ParamNode).isParameterOf(mid.asCallable(), ppos) and
           parameterMatch(ppos, apos)
         |
-          c = "Parameter" or parseParam(c, apos)
+          c = "Parameter" and not heapParameter(ppos)
+          or
+          parseParam(c, apos)
         )
         or
         c = "ReturnValue" and
@@ -1259,7 +1263,9 @@ module Private {
           node.asNode().(ArgNode).argumentOf(mid.asCall(), apos) and
           parameterMatch(ppos, apos)
         |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" and not heapParameter(ppos)
+          or
+          parseArg(c, ppos)
         )
         or
         exists(ReturnNodeExt ret |

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -289,6 +289,12 @@ private module UnusedSourceSinkInterpretation {
 
   /** Provides additional source specification logic. */
   predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode node) { none() }
+
+  /**
+   * Holds if `pos` is the position of the `heap` parameter, and thus should not
+   * be included by models that specify "any argument" or "any parameter".
+   */
+  predicate heapParameter(ParameterPosition pos) { none() }
 }
 
 import UnusedSourceSinkInterpretation