Dataflow: wip test: adjust ffbl to account for call context.

aschackmull · aschackmull · commit 912c8fa25000 · 2024-02-21T12:07:02.000+01:00
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -720,7 +720,9 @@ module MakeImpl<InputSig Lang> {
        * the enclosing callable in order to reach a sink.
        */
       pragma[nomagic]
-      private predicate revFlow(NodeEx node, boolean toReturn) {
+      // private
+      additional
+      predicate revFlow(NodeEx node, boolean toReturn) {
         revFlow0(node, toReturn) and
         fwdFlow(node)
       }
@@ -1076,6 +1078,43 @@ module MakeImpl<InputSig Lang> {
       result = getAdditionalFlowIntoCallNodeTerm(arg.projectToNode(), p.projectToNode())
     }
 
+    pragma[nomagic]
+    private predicate returnCallEdge1(DataFlowCallable c, DataFlowCall call, NodeEx out) {
+      exists(RetNodeEx ret |
+        flowOutOfCallNodeCand1(call, ret, _, out) and c = ret.getEnclosingCallable()
+      )
+    }
+
+    private int simpleDispatchFanoutOnReturn(DataFlowCall call, NodeEx out) {
+      result =
+        strictcount(DataFlowCallable c | returnCallEdge1(c, call, out))
+    }
+
+    private int ctxDispatchFanoutOnReturn(NodeEx out, DataFlowCall ctx) {
+      exists(DataFlowCall call, DataFlowCallable c |
+        simpleDispatchFanoutOnReturn(call, out) > 1 and
+        not Stage1::revFlow(out, false) and
+        call.getEnclosingCallable() = c and
+        returnCallEdge1(c, ctx, _) and
+        mayBenefitFromCallContextExt(call, _) and
+        result = count(DataFlowCallable tgt |
+            tgt = viableImplInCallContextExt(call, ctx) and
+            returnCallEdge1(tgt, call, out)
+          )
+      )
+    }
+
+    private int ctxDispatchFanoutOnReturn(NodeEx out) {
+      result = max(DataFlowCall ctx | | ctxDispatchFanoutOnReturn(out, ctx))
+    }
+
+    private int dispatchFanoutOnReturn(NodeEx out) {
+      result = ctxDispatchFanoutOnReturn(out)
+      or
+      not exists(ctxDispatchFanoutOnReturn(out)) and
+      result = simpleDispatchFanoutOnReturn(_, out)
+    }
+
     /**
      * Gets the amount of forward branching on the origin of a cross-call path
      * edge in the graph of paths between sources and sinks that ignores call
@@ -1092,6 +1131,17 @@ module MakeImpl<InputSig Lang> {
         //   ) + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
     }
 
+    // pragma[nomagic]
+    // private int branch_out(NodeEx n1) {
+    //   result =
+    //     // strictcount(DataFlowCallable c | exists(NodeEx n |
+    //     //     flowOutOfCallNodeCand1(_, n1, _, n) or flowIntoCallNodeCand1(_, n1, n) | c = n.getEnclosingCallable())
+    //     //   ) + sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
+    //     strictcount(NodeEx n |
+    //         flowOutOfCallNodeCand1(_, n1, _, n) //or flowIntoCallNodeCand1(_, n1, n)
+    //       ) //+ sum(ParamNodeEx p1 | | getLanguageSpecificFlowIntoCallNodeCand1(n1, p1))
+    // }
+
     /**
      * Gets the amount of backward branching on the target of a cross-call path
      * edge in the graph of paths between sources and sinks that ignores call
@@ -1108,6 +1158,28 @@ module MakeImpl<InputSig Lang> {
         //   ) + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
     }
 
+    // pragma[nomagic]
+    // private int join_out(NodeEx n2) {
+    //   result =
+    //     // strictcount(DataFlowCallable c | exists(NodeEx n |
+    //     //     flowOutOfCallNodeCand1(_, n, _, n2) or flowIntoCallNodeCand1(_, n, n2) | c = n.getEnclosingCallable())
+    //     //   ) + sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
+    //     strictcount(NodeEx n |
+    //         flowOutOfCallNodeCand1(_, n, _, n2) //or flowIntoCallNodeCand1(_, n, n2)
+    //       ) //+ sum(ArgNodeEx arg2 | | getLanguageSpecificFlowIntoCallNodeCand1(arg2, n2))
+    // }
+
+    // pragma[nomagic]
+    // private int join_out_v2(NodeEx n2) {
+    //   result =
+    //     strictcount(DataFlowCallable c | exists(NodeEx n |
+    //         flowOutOfCallNodeCand1(_, n, _, n2) and c = n.getEnclosingCallable())
+    //       )
+    //     // strictcount(NodeEx n |
+    //     //     flowOutOfCallNodeCand1(_, n, _, n2)
+    //     //   )
+    // }
+
     /**
      * Holds if data can flow out of `call` from `ret` to `out`, either
      * through a `ReturnNode` or through an argument that has been mutated, and
@@ -1121,15 +1193,93 @@ module MakeImpl<InputSig Lang> {
     ) {
       flowOutOfCallNodeCand1(call, ret, kind, out) and
       exists(int j | //b, int j |
-        // b = branch(ret) and
-        j = join(out) and
-        // if b.minimum(j) <= Config::fieldFlowBranchLimit()
+        j = dispatchFanoutOnReturn(out) and
+        j > 0 and
         if j <= Config::fieldFlowBranchLimit()
+
+      // exists(int b, int j |
+      //   b = branch(ret) and
+      //   j = join(out) and
+      //   if b.minimum(j) <= Config::fieldFlowBranchLimit()
+
+      // exists(int j | //b, int j |
+      //   // b = branch(ret) and
+      //   j = join_out_v2(out) and
+      //   // if b.minimum(j) <= Config::fieldFlowBranchLimit()
+      //   if j <= Config::fieldFlowBranchLimit()
+
         then allowsFieldFlow = true
         else allowsFieldFlow = false
       )
     }
 
+    // pragma[nomagic]
+    // private predicate flowOutOfCallNodeCand1_v2(
+    //   DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow
+    // ) {
+    //   flowOutOfCallNodeCand1(call, ret, kind, out) and
+    //   // exists(int b, int j |
+    //   //   b = branch_out(ret) and
+    //   //   j = join_out(out) and
+    //   //   if b.minimum(j) <= Config::fieldFlowBranchLimit()
+    //   exists(int j | //b, int j |
+    //     // b = branch(ret) and
+    //     j = join_out_v2(out) and
+    //     // if b.minimum(j) <= Config::fieldFlowBranchLimit()
+    //     if j <= Config::fieldFlowBranchLimit()
+    //     then allowsFieldFlow = true
+    //     else allowsFieldFlow = false
+    //   )
+    // }
+
+    // pragma[nomagic]
+    // predicate hasSummary(NodeEx out) {
+    //   exists(RetNodeEx ret |
+    //     flowOutOfCallNodeCand1(_, ret, _, out) and
+    //     ret.toString().matches("[summary]%")
+    //   )
+    // }
+
+    // predicate cmp(int d, string allow) {
+    //   d = strictcount(DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out |
+    //     exists(boolean aff1, boolean aff2 |
+    //       flowOutOfCallNodeCand1(call, ret, kind, out, aff1) and
+    //       flowOutOfCallNodeCand1_v2(call, ret, kind, out, aff2) and
+    //       aff1 != aff2
+    //       and if aff2 = true then allow = "add" else allow = "remove"
+    //     )
+    //   )
+    // }
+
+    // predicate cmplist(DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, string allow, int b1, int j1, int j2) {
+    //     exists(boolean aff1, boolean aff2 |
+    //       flowOutOfCallNodeCand1(call, ret, kind, out, aff1) and
+    //       flowOutOfCallNodeCand1_v2(call, ret, kind, out, aff2) and
+    //       aff1 != aff2
+    //       and if aff2 = true then allow = "add" else allow = "remove"
+    //     )
+    //     and b1 = branch(ret) and j1 = join(out) and j2 = join_out_v2(out)
+    //     and not hasSummary(out)
+    // }
+
+    // predicate cmplist_2(DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, string allow, int b1, int j1, int j2, int j3) {
+    //     exists(boolean aff1, boolean aff2 |
+    //       flowOutOfCallNodeCand1(call, ret, kind, out, aff1) and
+    //       flowOutOfCallNodeCand1_v2(call, ret, kind, out, aff2)
+    //       |
+    //       // aff1 = false and aff2 = true and allow = "add"
+    //       // or
+    //       aff1 = true and aff2 = false and allow = "keep"
+    //       or
+    //       aff1 = false and aff2 = false and allow = "add cc"
+    //     )
+    //     and b1 = branch(ret) and j1 = join(out) and j2 = join_out_v2(out)
+    //     and j3 = dispatchFanoutOnReturn(out)
+    //     // and not hasSummary(out)
+    //     // and reducedViableImplInReturn(ret.getEnclosingCallable(), call)
+    //     and j3 <= 2
+    // }
+
     /**
      * Holds if data can flow into `call` and that this step is part of a
      * path from a source to a sink. The `allowsFieldFlow` flag indicates whether
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll
@@ -794,8 +794,10 @@ module MakeImplCommon<InputSig Lang> {
        * Holds if the set of viable implementations that can be called by `call`
        * might be improved by knowing the call context.
        */
-      pragma[nomagic]
-      private predicate mayBenefitFromCallContextExt(DataFlowCall call, DataFlowCallable callable) {
+      // pragma[nomagic]
+      // private
+      cached
+      predicate mayBenefitFromCallContextExt(DataFlowCall call, DataFlowCallable callable) {
         (
           mayBenefitFromCallContext(call)
           or
