Java/C#: Move a couple of flow summary tweaks to the shared implementation.

Author: aschackmull

csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -446,7 +446,19 @@ module Private {
         summary(c, inputContents, outputContents, preservesValue) and
         pred = summaryNodeInputState(c, inputContents) and
         succ = summaryNodeOutputState(c, outputContents)
+      |
+        preservesValue = true
+        or
+        preservesValue = false and not summary(c, inputContents, outputContents, true)
       )
+      or
+      // If flow through a method updates a parameter from some input A, and that
+      // parameter also is returned through B, then we'd like a combined flow from A
+      // to B as well. As an example, this simplifies modeling of fluent methods:
+      // for `StringBuilder.append(x)` with a specified value flow from qualifier to
+      // return value and taint flow from argument 0 to the qualifier, then this
+      // allows us to infer taint flow from argument 0 to the return value.
+      summaryPostUpdateNode(pred, succ) and preservesValue = true
     }
 
     /**

java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -150,14 +150,6 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   )
   or
   FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
-  or
-  // If flow through a method updates a parameter from some input A, and that
-  // parameter also is returned through B, then we'd like a combined flow from A
-  // to B as well. As an example, this simplifies modeling of fluent methods:
-  // for `StringBuilder.append(x)` with a specified value flow from qualifier to
-  // return value and taint flow from argument 0 to the qualifier, then this
-  // allows us to infer taint flow from argument 0 to the return value.
-  node1.(SummaryNode).(PostUpdateNode).getPreUpdateNode().(ParameterNode) = node2
 }
 
 /**

java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll

@@ -446,7 +446,19 @@ module Private {
         summary(c, inputContents, outputContents, preservesValue) and
         pred = summaryNodeInputState(c, inputContents) and
         succ = summaryNodeOutputState(c, outputContents)
+      |
+        preservesValue = true
+        or
+        preservesValue = false and not summary(c, inputContents, outputContents, true)
       )
+      or
+      // If flow through a method updates a parameter from some input A, and that
+      // parameter also is returned through B, then we'd like a combined flow from A
+      // to B as well. As an example, this simplifies modeling of fluent methods:
+      // for `StringBuilder.append(x)` with a specified value flow from qualifier to
+      // return value and taint flow from argument 0 to the qualifier, then this
+      // allows us to infer taint flow from argument 0 to the return value.
+      summaryPostUpdateNode(pred, succ) and preservesValue = true
     }
 
     /**

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -57,8 +57,7 @@ predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
     sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
   )
   or
-  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false) and
-  not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, true)
+  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
 }
 
 /**