Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 11c0525

Browse files
aschackmullaschackmull
committed
Dataflow: Duplicate accesspath type info in partial flow.
1 parent fd36304 commit 11c0525

1 file changed

Lines changed: 57 additions & 46 deletions

File tree

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll

Lines changed: 57 additions & 46 deletions
Original file line numberDiff line numberDiff line change
@@ -4004,17 +4004,18 @@ module Impl<FullStateConfigSig Config> {
40044004
private newtype TPartialPathNode =
40054005
TPartialPathNodeFwd(
40064006
NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
4007-
TSummaryCtx3 sc3, PartialAccessPath ap
4007+
TSummaryCtx3 sc3, DataFlowType t, PartialAccessPath ap
40084008
) {
40094009
sourceNode(node, state) and
40104010
cc instanceof CallContextAny and
40114011
sc1 = TSummaryCtx1None() and
40124012
sc2 = TSummaryCtx2None() and
40134013
sc3 = TSummaryCtx3None() and
4014+
t = node.getDataFlowType() and
40144015
ap = TPartialNil(node.getDataFlowType()) and
40154016
exists(explorationLimit())
40164017
or
4017-
partialPathNodeMk0(node, state, cc, sc1, sc2, sc3, ap) and
4018+
partialPathNodeMk0(node, state, cc, sc1, sc2, sc3, t, ap) and
40184019
distSrc(node.getEnclosingCallable()) <= explorationLimit()
40194020
} or
40204021
TPartialPathNodeRev(
@@ -4042,9 +4043,9 @@ module Impl<FullStateConfigSig Config> {
40424043
pragma[nomagic]
40434044
private predicate partialPathNodeMk0(
40444045
NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
4045-
TSummaryCtx3 sc3, PartialAccessPath ap
4046+
TSummaryCtx3 sc3, DataFlowType t, PartialAccessPath ap
40464047
) {
4047-
partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap) and
4048+
partialPathStep(_, node, state, cc, sc1, sc2, sc3, t, ap) and
40484049
not fullBarrier(node) and
40494050
not stateBarrier(node, state) and
40504051
not clearsContentEx(node, ap.getHead().getContent()) and
@@ -4053,7 +4054,7 @@ module Impl<FullStateConfigSig Config> {
40534054
expectsContentEx(node, ap.getHead().getContent())
40544055
) and
40554056
if node.asNode() instanceof CastingNode
4056-
then compatibleTypes(node.getDataFlowType(), ap.getType())
4057+
then compatibleTypes(node.getDataFlowType(), t)
40574058
else any()
40584059
}
40594060

@@ -4113,11 +4114,7 @@ module Impl<FullStateConfigSig Config> {
41134114
private string ppType() {
41144115
this instanceof PartialPathNodeRev and result = ""
41154116
or
4116-
this.(PartialPathNodeFwd).getAp() instanceof PartialAccessPathNil and result = ""
4117-
or
4118-
exists(DataFlowType t |
4119-
t = this.(PartialPathNodeFwd).getAp().(PartialAccessPathCons).getType()
4120-
|
4117+
exists(DataFlowType t | t = this.(PartialPathNodeFwd).getType() |
41214118
// The `concat` becomes "" if `ppReprType` has no result.
41224119
result = concat(" : " + ppReprType(t))
41234120
)
@@ -4158,9 +4155,10 @@ module Impl<FullStateConfigSig Config> {
41584155
TSummaryCtx1 sc1;
41594156
TSummaryCtx2 sc2;
41604157
TSummaryCtx3 sc3;
4158+
DataFlowType t;
41614159
PartialAccessPath ap;
41624160

4163-
PartialPathNodeFwd() { this = TPartialPathNodeFwd(node, state, cc, sc1, sc2, sc3, ap) }
4161+
PartialPathNodeFwd() { this = TPartialPathNodeFwd(node, state, cc, sc1, sc2, sc3, t, ap) }
41644162

41654163
NodeEx getNodeEx() { result = node }
41664164

@@ -4174,11 +4172,13 @@ module Impl<FullStateConfigSig Config> {
41744172

41754173
TSummaryCtx3 getSummaryCtx3() { result = sc3 }
41764174

4175+
DataFlowType getType() { result = t }
4176+
41774177
PartialAccessPath getAp() { result = ap }
41784178

41794179
override PartialPathNodeFwd getASuccessor() {
41804180
partialPathStep(this, result.getNodeEx(), result.getState(), result.getCallContext(),
4181-
result.getSummaryCtx1(), result.getSummaryCtx2(), result.getSummaryCtx3(), result.getAp())
4181+
result.getSummaryCtx1(), result.getSummaryCtx2(), result.getSummaryCtx3(), result.getType(), result.getAp())
41824182
}
41834183

41844184
predicate isSource() {
@@ -4229,7 +4229,7 @@ module Impl<FullStateConfigSig Config> {
42294229

42304230
private predicate partialPathStep(
42314231
PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1,
4232-
TSummaryCtx2 sc2, TSummaryCtx3 sc3, PartialAccessPath ap
4232+
TSummaryCtx2 sc2, TSummaryCtx3 sc3, DataFlowType t, PartialAccessPath ap
42334233
) {
42344234
not isUnreachableInCallCached(node.asNode(), cc.(CallContextSpecificCall).getCall()) and
42354235
(
@@ -4239,6 +4239,7 @@ module Impl<FullStateConfigSig Config> {
42394239
sc1 = mid.getSummaryCtx1() and
42404240
sc2 = mid.getSummaryCtx2() and
42414241
sc3 = mid.getSummaryCtx3() and
4242+
t = mid.getType() and
42424243
ap = mid.getAp()
42434244
or
42444245
additionalLocalFlowStep(mid.getNodeEx(), node) and
@@ -4248,6 +4249,7 @@ module Impl<FullStateConfigSig Config> {
42484249
sc2 = mid.getSummaryCtx2() and
42494250
sc3 = mid.getSummaryCtx3() and
42504251
mid.getAp() instanceof PartialAccessPathNil and
4252+
t = node.getDataFlowType() and
42514253
ap = TPartialNil(node.getDataFlowType())
42524254
or
42534255
additionalLocalStateStep(mid.getNodeEx(), mid.getState(), node, state) and
@@ -4256,6 +4258,7 @@ module Impl<FullStateConfigSig Config> {
42564258
sc2 = mid.getSummaryCtx2() and
42574259
sc3 = mid.getSummaryCtx3() and
42584260
mid.getAp() instanceof PartialAccessPathNil and
4261+
t = node.getDataFlowType() and
42594262
ap = TPartialNil(node.getDataFlowType())
42604263
)
42614264
or
@@ -4265,6 +4268,7 @@ module Impl<FullStateConfigSig Config> {
42654268
sc1 = TSummaryCtx1None() and
42664269
sc2 = TSummaryCtx2None() and
42674270
sc3 = TSummaryCtx3None() and
4271+
t = mid.getType() and
42684272
ap = mid.getAp()
42694273
or
42704274
additionalJumpStep(mid.getNodeEx(), node) and
@@ -4274,6 +4278,7 @@ module Impl<FullStateConfigSig Config> {
42744278
sc2 = TSummaryCtx2None() and
42754279
sc3 = TSummaryCtx3None() and
42764280
mid.getAp() instanceof PartialAccessPathNil and
4281+
t = node.getDataFlowType() and
42774282
ap = TPartialNil(node.getDataFlowType())
42784283
or
42794284
additionalJumpStateStep(mid.getNodeEx(), mid.getState(), node, state) and
@@ -4282,32 +4287,33 @@ module Impl<FullStateConfigSig Config> {
42824287
sc2 = TSummaryCtx2None() and
42834288
sc3 = TSummaryCtx3None() and
42844289
mid.getAp() instanceof PartialAccessPathNil and
4290+
t = node.getDataFlowType() and
42854291
ap = TPartialNil(node.getDataFlowType())
42864292
or
4287-
partialPathStoreStep(mid, _, _, node, ap) and
4293+
partialPathStoreStep(mid, _, _, _, node, t, ap) and
42884294
state = mid.getState() and
42894295
cc = mid.getCallContext() and
42904296
sc1 = mid.getSummaryCtx1() and
42914297
sc2 = mid.getSummaryCtx2() and
42924298
sc3 = mid.getSummaryCtx3()
42934299
or
4294-
exists(PartialAccessPath ap0, TypedContent tc |
4295-
partialPathReadStep(mid, ap0, tc, node, cc) and
4300+
exists(DataFlowType t0, PartialAccessPath ap0, Content c |
4301+
partialPathReadStep(mid, t0, ap0, c, node, cc) and
42964302
state = mid.getState() and
42974303
sc1 = mid.getSummaryCtx1() and
42984304
sc2 = mid.getSummaryCtx2() and
42994305
sc3 = mid.getSummaryCtx3() and
4300-
apConsFwd(ap, tc, ap0)
4306+
apConsFwd(t, ap, c, t0, ap0)
43014307
)
43024308
or
4303-
partialPathIntoCallable(mid, node, state, _, cc, sc1, sc2, sc3, _, ap)
4309+
partialPathIntoCallable(mid, node, state, _, cc, sc1, sc2, sc3, _, t, ap)
43044310
or
4305-
partialPathOutOfCallable(mid, node, state, cc, ap) and
4311+
partialPathOutOfCallable(mid, node, state, cc, t, ap) and
43064312
sc1 = TSummaryCtx1None() and
43074313
sc2 = TSummaryCtx2None() and
43084314
sc3 = TSummaryCtx3None()
43094315
or
4310-
partialPathThroughCallable(mid, node, state, cc, ap) and
4316+
partialPathThroughCallable(mid, node, state, cc, t, ap) and
43114317
sc1 = mid.getSummaryCtx1() and
43124318
sc2 = mid.getSummaryCtx2() and
43134319
sc3 = mid.getSummaryCtx3()
@@ -4318,55 +4324,58 @@ module Impl<FullStateConfigSig Config> {
43184324

43194325
pragma[inline]
43204326
private predicate partialPathStoreStep(
4321-
PartialPathNodeFwd mid, PartialAccessPath ap1, TypedContent tc, NodeEx node,
4322-
PartialAccessPath ap2
4327+
PartialPathNodeFwd mid, DataFlowType t1, PartialAccessPath ap1, Content c, NodeEx node,
4328+
DataFlowType t2, PartialAccessPath ap2
43234329
) {
4324-
exists(NodeEx midNode, DataFlowType contentType |
4330+
exists(NodeEx midNode, DataFlowType contentType, TypedContent tc |
43254331
midNode = mid.getNodeEx() and
4332+
t1 = mid.getType() and
43264333
ap1 = mid.getAp() and
4327-
storeEx(midNode, tc, _, node, contentType, _) and
4334+
storeEx(midNode, tc, c, node, contentType, t2) and
43284335
ap2.getHead() = tc and
43294336
ap2.len() = unbindInt(ap1.len() + 1) and
4330-
compatibleTypes(ap1.getType(), contentType)
4337+
compatibleTypes(t1, contentType)
43314338
)
43324339
}
43334340

43344341
pragma[nomagic]
4335-
private predicate apConsFwd(PartialAccessPath ap1, TypedContent tc, PartialAccessPath ap2) {
4336-
partialPathStoreStep(_, ap1, tc, _, ap2)
4342+
private predicate apConsFwd(DataFlowType t1, PartialAccessPath ap1, Content c, DataFlowType t2, PartialAccessPath ap2) {
4343+
partialPathStoreStep(_, t1, ap1, c, _, t2, ap2)
43374344
}
43384345

43394346
pragma[nomagic]
43404347
private predicate partialPathReadStep(
4341-
PartialPathNodeFwd mid, PartialAccessPath ap, TypedContent tc, NodeEx node, CallContext cc
4348+
PartialPathNodeFwd mid, DataFlowType t, PartialAccessPath ap, Content c, NodeEx node, CallContext cc
43424349
) {
43434350
exists(NodeEx midNode |
43444351
midNode = mid.getNodeEx() and
4352+
t = mid.getType() and
43454353
ap = mid.getAp() and
4346-
read(midNode, tc.getContent(), node) and
4347-
ap.getHead() = tc and
4354+
read(midNode, c, node) and
4355+
ap.getHead().getContent() = c and
43484356
cc = mid.getCallContext()
43494357
)
43504358
}
43514359

43524360
private predicate partialPathOutOfCallable0(
43534361
PartialPathNodeFwd mid, ReturnPosition pos, FlowState state, CallContext innercc,
4354-
PartialAccessPath ap
4362+
DataFlowType t, PartialAccessPath ap
43554363
) {
43564364
pos = mid.getNodeEx().(RetNodeEx).getReturnPosition() and
43574365
state = mid.getState() and
43584366
innercc = mid.getCallContext() and
43594367
innercc instanceof CallContextNoCall and
4368+
t = mid.getType() and
43604369
ap = mid.getAp()
43614370
}
43624371

43634372
pragma[nomagic]
43644373
private predicate partialPathOutOfCallable1(
43654374
PartialPathNodeFwd mid, DataFlowCall call, ReturnKindExt kind, FlowState state,
4366-
CallContext cc, PartialAccessPath ap
4375+
CallContext cc, DataFlowType t, PartialAccessPath ap
43674376
) {
43684377
exists(ReturnPosition pos, DataFlowCallable c, CallContext innercc |
4369-
partialPathOutOfCallable0(mid, pos, state, innercc, ap) and
4378+
partialPathOutOfCallable0(mid, pos, state, innercc, t, ap) and
43704379
c = pos.getCallable() and
43714380
kind = pos.getKind() and
43724381
resolveReturn(innercc, c, call)
@@ -4376,10 +4385,10 @@ module Impl<FullStateConfigSig Config> {
43764385
}
43774386

43784387
private predicate partialPathOutOfCallable(
4379-
PartialPathNodeFwd mid, NodeEx out, FlowState state, CallContext cc, PartialAccessPath ap
4388+
PartialPathNodeFwd mid, NodeEx out, FlowState state, CallContext cc, DataFlowType t, PartialAccessPath ap
43804389
) {
43814390
exists(ReturnKindExt kind, DataFlowCall call |
4382-
partialPathOutOfCallable1(mid, call, kind, state, cc, ap)
4391+
partialPathOutOfCallable1(mid, call, kind, state, cc, t, ap)
43834392
|
43844393
out.asNode() = kind.getAnOutNode(call)
43854394
)
@@ -4388,13 +4397,14 @@ module Impl<FullStateConfigSig Config> {
43884397
pragma[noinline]
43894398
private predicate partialPathIntoArg(
43904399
PartialPathNodeFwd mid, ParameterPosition ppos, FlowState state, CallContext cc,
4391-
DataFlowCall call, PartialAccessPath ap
4400+
DataFlowCall call, DataFlowType t, PartialAccessPath ap
43924401
) {
43934402
exists(ArgNode arg, ArgumentPosition apos |
43944403
arg = mid.getNodeEx().asNode() and
43954404
state = mid.getState() and
43964405
cc = mid.getCallContext() and
43974406
arg.argumentOf(call, apos) and
4407+
t = mid.getType() and
43984408
ap = mid.getAp() and
43994409
parameterMatch(ppos, apos)
44004410
)
@@ -4403,19 +4413,19 @@ module Impl<FullStateConfigSig Config> {
44034413
pragma[nomagic]
44044414
private predicate partialPathIntoCallable0(
44054415
PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, FlowState state,
4406-
CallContext outercc, DataFlowCall call, PartialAccessPath ap
4416+
CallContext outercc, DataFlowCall call, DataFlowType t, PartialAccessPath ap
44074417
) {
4408-
partialPathIntoArg(mid, pos, state, outercc, call, ap) and
4418+
partialPathIntoArg(mid, pos, state, outercc, call, t, ap) and
44094419
callable = resolveCall(call, outercc)
44104420
}
44114421

44124422
private predicate partialPathIntoCallable(
44134423
PartialPathNodeFwd mid, ParamNodeEx p, FlowState state, CallContext outercc,
44144424
CallContextCall innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3,
4415-
DataFlowCall call, PartialAccessPath ap
4425+
DataFlowCall call, DataFlowType t, PartialAccessPath ap
44164426
) {
44174427
exists(ParameterPosition pos, DataFlowCallable callable |
4418-
partialPathIntoCallable0(mid, callable, pos, state, outercc, call, ap) and
4428+
partialPathIntoCallable0(mid, callable, pos, state, outercc, call, t, ap) and
44194429
p.isParameterOf(callable, pos) and
44204430
sc1 = TSummaryCtx1Param(p) and
44214431
sc2 = TSummaryCtx2Some(state) and
@@ -4430,7 +4440,7 @@ module Impl<FullStateConfigSig Config> {
44304440
pragma[nomagic]
44314441
private predicate paramFlowsThroughInPartialPath(
44324442
ReturnKindExt kind, FlowState state, CallContextCall cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
4433-
TSummaryCtx3 sc3, PartialAccessPath ap
4443+
TSummaryCtx3 sc3, DataFlowType t, PartialAccessPath ap
44344444
) {
44354445
exists(PartialPathNodeFwd mid, RetNodeEx ret |
44364446
mid.getNodeEx() = ret and
@@ -4440,26 +4450,27 @@ module Impl<FullStateConfigSig Config> {
44404450
sc1 = mid.getSummaryCtx1() and
44414451
sc2 = mid.getSummaryCtx2() and
44424452
sc3 = mid.getSummaryCtx3() and
4453+
t = mid.getType() and
44434454
ap = mid.getAp()
44444455
)
44454456
}
44464457

44474458
pragma[noinline]
44484459
private predicate partialPathThroughCallable0(
44494460
DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, FlowState state,
4450-
CallContext cc, PartialAccessPath ap
4461+
CallContext cc, DataFlowType t, PartialAccessPath ap
44514462
) {
44524463
exists(CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3 |
4453-
partialPathIntoCallable(mid, _, _, cc, innercc, sc1, sc2, sc3, call, _) and
4454-
paramFlowsThroughInPartialPath(kind, state, innercc, sc1, sc2, sc3, ap)
4464+
partialPathIntoCallable(mid, _, _, cc, innercc, sc1, sc2, sc3, call, _, _) and
4465+
paramFlowsThroughInPartialPath(kind, state, innercc, sc1, sc2, sc3, t, ap)
44554466
)
44564467
}
44574468

44584469
private predicate partialPathThroughCallable(
4459-
PartialPathNodeFwd mid, NodeEx out, FlowState state, CallContext cc, PartialAccessPath ap
4470+
PartialPathNodeFwd mid, NodeEx out, FlowState state, CallContext cc, DataFlowType t, PartialAccessPath ap
44604471
) {
44614472
exists(DataFlowCall call, ReturnKindExt kind |
4462-
partialPathThroughCallable0(call, mid, kind, state, cc, ap) and
4473+
partialPathThroughCallable0(call, mid, kind, state, cc, t, ap) and
44634474
out.asNode() = kind.getAnOutNode(call)
44644475
)
44654476
}

0 commit comments

Comments
 (0)