Dataflow: Refactor FlowSummaryImpl to synthesize nodes independently from DataFlow::Node.

Author: aschackmull

java/ql/lib/semmle/code/java/dataflow/FlowSummary.qll

@@ -149,8 +149,9 @@ class SummarizedCallableBase extends TSummarizedCallableBase {
     or
     result = this.asSyntheticCallable().getParameterType(pos)
     or
-    exists(SyntheticCallable sc | sc = this.asSyntheticCallable() |
-      Impl::Private::summaryParameterNodeRange(this, pos) and
+    exists(SyntheticCallable sc, Impl::Private::SummaryNode p | sc = this.asSyntheticCallable() |
+      Impl::Private::summaryParameterNode(p, pos) and
+      this = p.getSummarizedCallable() and
       not exists(sc.getParameterType(pos)) and
       result instanceof TypeObject
     )

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowNodes.qll

@@ -54,12 +54,7 @@ private module Cached {
         fa.getField() instanceof InstanceField and ia.isImplicitFieldQualifier(fa)
       )
     } or
-    TSummaryInternalNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
-      FlowSummaryImpl::Private::summaryNodeRange(c, state)
-    } or
-    TSummaryParameterNode(SummarizedCallable c, int pos) {
-      FlowSummaryImpl::Private::summaryParameterNodeRange(c, pos)
-    } or
+    TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or
     TFieldValueNode(Field f)
 
   cached
@@ -378,8 +373,7 @@ module Private {
     result.asCallable() = n.(ImplicitInstanceAccess).getInstanceAccess().getEnclosingCallable() or
     result.asCallable() = n.(MallocNode).getClassInstanceExpr().getEnclosingCallable() or
     result = nodeGetEnclosingCallable(n.(ImplicitPostUpdateNode).getPreUpdateNode()) or
-    n = TSummaryInternalNode(result.asSummarizedCallable(), _) or
-    n = TSummaryParameterNode(result.asSummarizedCallable(), _) or
+    result.asSummarizedCallable() = n.(FlowSummaryNode).getSummarizedCallable() or
     result.asFieldScope() = n.(FieldValueNode).getField()
   }
 
@@ -407,7 +401,7 @@ module Private {
       or
       this = getInstanceArgument(_)
       or
-      this.(SummaryNode).isArgumentOf(_, _)
+      this.(FlowSummaryNode).isArgumentOf(_, _)
     }
 
     /**
@@ -424,7 +418,7 @@ module Private {
       or
       pos = -1 and this = getInstanceArgument(call.asCall())
       or
-      this.(SummaryNode).isArgumentOf(call, pos)
+      this.(FlowSummaryNode).isArgumentOf(call, pos)
     }
 
     /** Gets the call in which this node is an argument. */
@@ -435,7 +429,7 @@ module Private {
   class ReturnNode extends Node {
     ReturnNode() {
       exists(ReturnStmt ret | this.asExpr() = ret.getResult()) or
-      this.(SummaryNode).isReturn()
+      this.(FlowSummaryNode).isReturn()
     }
 
     /** Gets the kind of this returned value. */
@@ -447,61 +441,61 @@ module Private {
     OutNode() {
       this.asExpr() instanceof MethodAccess
       or
-      this.(SummaryNode).isOut(_)
+      this.(FlowSummaryNode).isOut(_)
     }
 
     /** Gets the underlying call. */
     DataFlowCall getCall() {
       result.asCall() = this.asExpr()
       or
-      this.(SummaryNode).isOut(result)
+      this.(FlowSummaryNode).isOut(result)
     }
   }
 
   /**
    * A data-flow node used to model flow summaries.
    */
-  class SummaryNode extends Node, TSummaryInternalNode {
-    private SummarizedCallable c;
-    private FlowSummaryImpl::Private::SummaryNodeState state;
+  class FlowSummaryNode extends Node, TFlowSummaryNode {
+    FlowSummaryImpl::Private::SummaryNode getSummaryNode() { this = TFlowSummaryNode(result) }
 
-    SummaryNode() { this = TSummaryInternalNode(c, state) }
+    SummarizedCallable getSummarizedCallable() {
+      result = this.getSummaryNode().getSummarizedCallable()
+    }
 
-    override Location getLocation() { result = c.getLocation() }
+    override Location getLocation() { result = this.getSummarizedCallable().getLocation() }
 
-    override string toString() { result = "[summary] " + state + " in " + c }
+    override string toString() { result = this.getSummaryNode().toString() }
 
     /** Holds if this summary node is the `i`th argument of `call`. */
     predicate isArgumentOf(DataFlowCall call, int i) {
-      FlowSummaryImpl::Private::summaryArgumentNode(call, this, i)
+      FlowSummaryImpl::Private::summaryArgumentNode(call, this.getSummaryNode(), i)
     }
 
     /** Holds if this summary node is a return node. */
-    predicate isReturn() { FlowSummaryImpl::Private::summaryReturnNode(this, _) }
+    predicate isReturn() { FlowSummaryImpl::Private::summaryReturnNode(this.getSummaryNode(), _) }
 
     /** Holds if this summary node is an out node for `call`. */
-    predicate isOut(DataFlowCall call) { FlowSummaryImpl::Private::summaryOutNode(call, this, _) }
-  }
-
-  SummaryNode getSummaryNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
-    result = TSummaryInternalNode(c, state)
+    predicate isOut(DataFlowCall call) {
+      FlowSummaryImpl::Private::summaryOutNode(call, this.getSummaryNode(), _)
+    }
   }
 
-  class SummaryParameterNode extends ParameterNode, TSummaryParameterNode {
-    private SummarizedCallable sc;
-    private int pos_;
-
-    SummaryParameterNode() { this = TSummaryParameterNode(sc, pos_) }
-
-    override Location getLocation() { result = sc.getLocation() }
+  class SummaryParameterNode extends ParameterNode, FlowSummaryNode {
+    SummaryParameterNode() {
+      FlowSummaryImpl::Private::summaryParameterNode(this.getSummaryNode(), _)
+    }
 
-    override string toString() { result = "[summary param] " + pos_ + " in " + sc }
+    private int getPosition() {
+      FlowSummaryImpl::Private::summaryParameterNode(this.getSummaryNode(), result)
+    }
 
     override predicate isParameterOf(DataFlowCallable c, int pos) {
-      c.asSummarizedCallable() = sc and pos = pos_
+      c.asSummarizedCallable() = this.getSummarizedCallable() and pos = this.getPosition()
     }
 
-    Type getTypeImpl() { result = sc.getParameterType(pos_) }
+    Type getTypeImpl() {
+      result = this.getSummarizedCallable().getParameterType(this.getPosition())
+    }
   }
 }
 
@@ -523,10 +517,12 @@ private class MallocNode extends Node, TMallocNode {
   ClassInstanceExpr getClassInstanceExpr() { result = cie }
 }
 
-private class SummaryPostUpdateNode extends SummaryNode, PostUpdateNode {
-  private Node pre;
+private class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNode {
+  private FlowSummaryNode pre;
 
-  SummaryPostUpdateNode() { FlowSummaryImpl::Private::summaryPostUpdateNode(this, pre) }
+  SummaryPostUpdateNode() {
+    FlowSummaryImpl::Private::summaryPostUpdateNode(this.getSummaryNode(), pre.getSummaryNode())
+  }
 
   override Node getPreUpdateNode() { result = pre }
 }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll

@@ -85,7 +85,8 @@ predicate jumpStep(Node node1, Node node2) {
   any(AdditionalValueStep a).step(node1, node2) and
   node1.getEnclosingCallable() != node2.getEnclosingCallable()
   or
-  FlowSummaryImpl::Private::Steps::summaryJumpStep(node1, node2)
+  FlowSummaryImpl::Private::Steps::summaryJumpStep(node1.(FlowSummaryNode).getSummaryNode(),
+    node2.(FlowSummaryNode).getSummaryNode())
 }
 
 /**
@@ -114,7 +115,8 @@ predicate storeStep(Node node1, Content f, Node node2) {
   or
   f instanceof ArrayContent and arrayStoreStep(node1, node2)
   or
-  FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, f, node2)
+  FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(), f,
+    node2.(FlowSummaryNode).getSummaryNode())
 }
 
 /**
@@ -145,7 +147,8 @@ predicate readStep(Node node1, Content f, Node node2) {
   or
   f instanceof CollectionContent and collectionReadStep(node1, node2)
   or
-  FlowSummaryImpl::Private::Steps::summaryReadStep(node1, f, node2)
+  FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), f,
+    node2.(FlowSummaryNode).getSummaryNode())
 }
 
 /**
@@ -160,15 +163,15 @@ predicate clearsContent(Node n, Content c) {
     c.(FieldContent).getField() = fa.getField()
   )
   or
-  FlowSummaryImpl::Private::Steps::summaryClearsContent(n, c)
+  FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(FlowSummaryNode).getSummaryNode(), c)
 }
 
 /**
  * Holds if the value that is being tracked is expected to be stored inside content `c`
  * at node `n`.
  */
 predicate expectsContent(Node n, ContentSet c) {
-  FlowSummaryImpl::Private::Steps::summaryExpectsContent(n, c)
+  FlowSummaryImpl::Private::Steps::summaryExpectsContent(n.(FlowSummaryNode).getSummaryNode(), c)
 }
 
 /**
@@ -200,7 +203,7 @@ pragma[noinline]
 DataFlowType getNodeType(Node n) {
   result = getErasedRepr(n.getTypeBound())
   or
-  result = FlowSummaryImpl::Private::summaryNodeType(n)
+  result = FlowSummaryImpl::Private::summaryNodeType(n.(FlowSummaryNode).getSummaryNode())
 }
 
 /** Gets a string representation of a type returned by `getErasedRepr`. */
@@ -268,7 +271,7 @@ class DataFlowExpr = Expr;
 
 private newtype TDataFlowCall =
   TCall(Call c) or
-  TSummaryCall(SummarizedCallable c, Node receiver) {
+  TSummaryCall(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver) {
     FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
   }
 
@@ -318,12 +321,12 @@ class SrcCall extends DataFlowCall, TCall {
 /** A synthesized call inside a `SummarizedCallable`. */
 class SummaryCall extends DataFlowCall, TSummaryCall {
   private SummarizedCallable c;
-  private Node receiver;
+  private FlowSummaryImpl::Private::SummaryNode receiver;
 
   SummaryCall() { this = TSummaryCall(c, receiver) }
 
   /** Gets the data flow node that this call targets. */
-  Node getReceiver() { result = receiver }
+  FlowSummaryImpl::Private::SummaryNode getReceiver() { result = receiver }
 
   override DataFlowCallable getEnclosingCallable() { result.asSummarizedCallable() = c }
 
@@ -383,10 +386,7 @@ predicate forceHighPrecision(Content c) {
 }
 
 /** Holds if `n` should be hidden from path explanations. */
-predicate nodeIsHidden(Node n) {
-  n instanceof SummaryNode or
-  n instanceof SummaryParameterNode
-}
+predicate nodeIsHidden(Node n) { n instanceof FlowSummaryNode }
 
 class LambdaCallKind = Method; // the "apply" method in the functional interface
 
@@ -404,7 +404,7 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
 
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
-  receiver = call.(SummaryCall).getReceiver() and
+  receiver.(FlowSummaryNode).getSummaryNode() = call.(SummaryCall).getReceiver() and
   getNodeDataFlowType(receiver)
       .getSourceDeclaration()
       .(FunctionalInterface)

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -183,7 +183,8 @@ private predicate simpleLocalFlowStep0(Node node1, Node node2) {
     node1.(ArgumentNode).argumentOf(any(DataFlowCall c | c.asCall() = ma), argNo)
   )
   or
-  FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
+  FlowSummaryImpl::Private::Steps::summaryLocalStep(node1.(FlowSummaryNode).getSummaryNode(),
+    node2.(FlowSummaryNode).getSummaryNode(), true)
 }
 
 /**