github
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/FlowSummary.qll‎
Lines changed: 12 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/FlowSummary.qll‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll‎
Lines changed: 3 additions & 0 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll‎
Lines changed: 39 additions & 25 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll‎
Lines changed: 39 additions & 25 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummarySpecific.qll‎
Lines changed: 24 additions & 2 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummarySpecific.qll‎
Lines changed: 24 additions & 2 deletions
@@ -8,6 +8,7 @@ private import internal.FlowSummarySpecific::Private
 private import internal.DataFlowPublic as DataFlowPublic
 // import all instances below
 private import semmle.code.csharp.dataflow.LibraryTypeDataFlow
+private import semmle.code.csharp.frameworks.EntityFramework
 
 class SummarizableCallable = Impl::Public::SummarizableCallable;
 
@@ -135,6 +136,17 @@ module SummaryOutput {
     result = TDelegateSummaryOutput(i, j) and
     hasDelegateArgumentPosition2(c, i, j)
   }
+
+  /**
+   * Gets an output specification that specifies the `output` of `target` as the
+   * output. That is, data will flow into one callable and out of another callable
+   * (`target`).
+   *
+   * `output` is limited to (this) parameters and ordinary returns.
+   */
+  SummaryOutput jump(SummarizableCallable target, SummaryOutput output) {
+    result = TJumpSummaryOutput(target, toReturnKind(output))
+  }
 }
 
 class SummarizedCallable = Impl::Public::SummarizedCallable;
 
@@ -21,6 +21,9 @@ DotNet::Callable getCallableForDataFlow(DotNet::Callable c) {
     result = sourceDecl and
     result instanceof SummarizedCallable
     or
+    result = sourceDecl and
+    FlowSummaryImpl::Private::summary(_, _, _, SummaryOutput::jump(result, _), _, _)
+    or
     result.hasBody() and
     if sourceDecl.getFile().fromSource()
     then
 
@@ -469,12 +469,9 @@ private predicate overridesOrImplementsSourceDecl(Property p1, Property p2) {
 private predicate fieldOrPropertyRead(Expr e1, Content c, FieldOrPropertyRead e2) {
   e1 = e2.getQualifier() and
   exists(FieldOrProperty ret | c = ret.getContent() |
-    ret.isFieldLike() and
     ret = e2.getTarget()
     or
-    exists(ContentList cl, Property target |
-      FlowSummaryImpl::Private::summary(_, _, _, _, cl, _) and
-      cl.contains(ret.getContent()) and
+    exists(Property target |
       target.getGetter() = e2.(PropertyCall).getARuntimeTarget() and
       overridesOrImplementsSourceDecl(target, ret)
     )
@@ -640,6 +637,10 @@ private module Cached {
         output = SummaryOutput::delegate(delegateIndex, parameterIndex)
       )
     } or
+    TSummaryJumpNode(SummarizedCallable c, SummarizableCallable target, ReturnKind rk) {
+      FlowSummaryImpl::Private::summary(c, _, _,
+        FlowSummarySpecific::Private::TJumpSummaryOutput(target, rk), _, _)
+    } or
     TParamsArgumentNode(ControlFlow::Node callCfn) {
       callCfn = any(Call c | isParamsArg(c, _, _)).getAControlFlowNode()
     }
@@ -685,8 +686,19 @@ private module Cached {
    * taken into account.
    */
   cached
-  predicate jumpStepImpl(ExprNode pred, ExprNode succ) {
+  predicate jumpStepImpl(Node pred, Node succ) {
     pred.(NonLocalJumpNode).getAJumpSuccessor(true) = succ
+    or
+    exists(FieldOrProperty fl, FieldOrPropertyRead flr |
+      fl.isStatic() and
+      fl.isFieldLike() and
+      fl.getAnAssignedValue() = pred.asExpr() and
+      fl.getAnAccess() = flr and
+      flr = succ.asExpr() and
+      flr.hasNonlocalValue()
+    )
+    or
+    succ = pred.(SummaryJumpNode).getAJumpTarget()
   }
 
   cached
@@ -1613,6 +1625,28 @@ private class SummaryInternalNode extends SummaryNodeImpl, TSummaryInternalNode
   override string toStringImpl() { result = "[summary] " + state + " in " + c }
 }
 
+/** A data-flow node used to model flow summaries with jumps. */
+private class SummaryJumpNode extends SummaryNodeImpl, TSummaryJumpNode {
+  private SummarizedCallable c;
+  private SummarizableCallable target;
+  private ReturnKind rk;
+
+  SummaryJumpNode() { this = TSummaryJumpNode(c, target, rk) }
+
+  /** Gets a jump target of this node. */
+  OutNode getAJumpTarget() { target = viableCallable(result.getCall(rk)) }
+
+  override Callable getEnclosingCallableImpl() { result = c }
+
+  override DotNet::Type getTypeImpl() { result = target.getReturnType() }
+
+  override ControlFlow::Node getControlFlowNodeImpl() { none() }
+
+  override Location getLocationImpl() { result = c.getLocation() }
+
+  override string toStringImpl() { result = "[summary] jump to " + target }
+}
+
 /** A field or a property. */
 class FieldOrProperty extends Assignable, Modifiable {
   FieldOrProperty() {
@@ -1669,26 +1703,6 @@ private class FieldOrPropertyRead extends FieldOrPropertyAccess, AssignableRead
   }
 }
 
-/** A write to a static field/property. */
-private class StaticFieldLikeJumpNode extends NonLocalJumpNode, ExprNode {
-  FieldOrProperty fl;
-  FieldOrPropertyRead flr;
-  ExprNode succ;
-
-  StaticFieldLikeJumpNode() {
-    fl.isStatic() and
-    fl.isFieldLike() and
-    fl.getAnAssignedValue() = this.getExpr() and
-    fl.getAnAccess() = flr and
-    flr = succ.getExpr() and
-    flr.hasNonlocalValue()
-  }
-
-  override ExprNode getAJumpSuccessor(boolean preservesValue) {
-    result = succ and preservesValue = true
-  }
-}
-
 predicate jumpStep = jumpStepImpl/2;
 
 private class StoreStepConfiguration extends ControlFlowReachabilityConfiguration {
 
@@ -4,13 +4,13 @@
 
 private import csharp
 private import semmle.code.csharp.frameworks.system.linq.Expressions
+private import DataFlowDispatch
 
 module Private {
   private import Public
   private import DataFlowPrivate as DataFlowPrivate
   private import DataFlowPublic as DataFlowPublic
   private import FlowSummaryImpl as Impl
-  private import DataFlowDispatch
   private import semmle.code.csharp.Unification
 
   class Content = DataFlowPublic::Content;
@@ -56,7 +56,19 @@ module Private {
     TParameterSummaryOutput(int i) {
       i in [-1, any(SummarizableCallable c).getAParameter().getPosition()]
     } or
-    TDelegateSummaryOutput(int i, int j) { hasDelegateArgumentPosition2(_, i, j) }
+    TDelegateSummaryOutput(int i, int j) { hasDelegateArgumentPosition2(_, i, j) } or
+    TJumpSummaryOutput(SummarizableCallable target, ReturnKind rk) {
+      rk instanceof NormalReturnKind and
+      (
+        target instanceof Constructor or
+        not target.getReturnType() instanceof VoidType
+      )
+      or
+      rk instanceof QualifierReturnKind and
+      not target.(Modifiable).isStatic()
+      or
+      exists(target.getParameter(rk.(OutRefReturnKind).getPosition()))
+    }
 
   /** Gets the return kind that matches `sink`, if any. */
   ReturnKind toReturnKind(SummaryOutput output) {
@@ -92,6 +104,11 @@ module Private {
       output = TDelegateSummaryOutput(i, j) and
       result = DataFlowPrivate::TSummaryDelegateArgumentNode(c, i, j)
     )
+    or
+    exists(SummarizableCallable target, ReturnKind rk |
+      output = TJumpSummaryOutput(target, rk) and
+      result = DataFlowPrivate::TSummaryJumpNode(c, target, rk)
+    )
   }
 
   /** Gets the internal summary node for the given values. */
@@ -151,6 +168,11 @@ module Public {
         this = TDelegateSummaryOutput(delegateIndex, parameterIndex) and
         result = "parameter " + parameterIndex + " of delegate parameter " + delegateIndex
       )
+      or
+      exists(SummarizableCallable target, ReturnKind rk |
+        this = TJumpSummaryOutput(target, rk) and
+        result = "jump to " + target + " (" + rk + ")"
+      )
     }
   }
 }