Data flow: Earlier call-context based dispatch filtering

Author: hvitved

shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll

@@ -1145,11 +1145,21 @@ module MakeImpl<InputSig Lang> {
 
         class LocalCc;
 
-        bindingset[call, c, outercc]
-        CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc);
+        DataFlowCallable viableImplCallContextReduced(DataFlowCall call, CcCall ctx);
 
-        bindingset[call, c, innercc]
-        CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc);
+        bindingset[call, ctx]
+        predicate viableImplNotCallContextReduced(DataFlowCall call, Cc ctx);
+
+        bindingset[call, c]
+        CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c);
+
+        DataFlowCallable viableImplCallContextReducedReverse(DataFlowCall call, CcNoCall ctx);
+
+        bindingset[ctx]
+        predicate viableImplNotCallContextReducedReverse(CcNoCall ctx);
+
+        bindingset[call, c]
+        CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call);
 
         bindingset[node, cc]
         LocalCc getLocalCc(NodeEx node, Cc cc);
@@ -1191,21 +1201,24 @@ module MakeImpl<InputSig Lang> {
 
         pragma[nomagic]
         private predicate flowIntoCallApa(
-          DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, ApApprox apa
+          DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, DataFlowCallable c,
+          boolean allowsFieldFlow, ApApprox apa
         ) {
           flowIntoCall(call, arg, p, allowsFieldFlow) and
           PrevStage::revFlowAp(p, pragma[only_bind_into](apa)) and
-          PrevStage::revFlowAp(arg, pragma[only_bind_into](apa))
+          PrevStage::revFlowAp(arg, pragma[only_bind_into](apa)) and
+          c = p.getEnclosingCallable()
         }
 
         pragma[nomagic]
         private predicate flowOutOfCallApa(
-          DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
-          ApApprox apa
+          DataFlowCall call, RetNodeEx ret, DataFlowCallable c, ReturnKindExt kind, NodeEx out,
+          boolean allowsFieldFlow, ApApprox apa
         ) {
           flowOutOfCall(call, ret, kind, out, allowsFieldFlow) and
           PrevStage::revFlowAp(out, pragma[only_bind_into](apa)) and
-          PrevStage::revFlowAp(ret, pragma[only_bind_into](apa))
+          PrevStage::revFlowAp(ret, pragma[only_bind_into](apa)) and
+          c = ret.getEnclosingCallable()
         }
 
         pragma[nomagic]
@@ -1214,7 +1227,7 @@ module MakeImpl<InputSig Lang> {
           ApApprox argApa, ApApprox apa
         ) {
           exists(ReturnKindExt kind |
-            flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa) and
+            flowOutOfCallApa(call, ret, _, kind, out, allowsFieldFlow, apa) and
             PrevStage::callMayFlowThroughRev(call) and
             PrevStage::returnMayFlowThrough(ret, argApa, apa, kind) and
             matchesCall(ccc, call)
@@ -1332,16 +1345,7 @@ module MakeImpl<InputSig Lang> {
           )
           or
           // flow out of a callable
-          exists(
-            DataFlowCall call, RetNodeEx ret, boolean allowsFieldFlow, CcNoCall innercc,
-            DataFlowCallable inner
-          |
-            fwdFlow(ret, state, innercc, summaryCtx, argT, argAp, t, ap, apa) and
-            flowOutOfCallApa(call, ret, _, node, allowsFieldFlow, apa) and
-            inner = ret.getEnclosingCallable() and
-            cc = getCallContextReturn(inner, call, innercc) and
-            if allowsFieldFlow = false then ap instanceof ApNil else any()
-          )
+          fwdFlowOut(node, state, cc, summaryCtx, argT, argAp, t, ap, apa)
           or
           // flow through a callable
           exists(
@@ -1408,15 +1412,98 @@ module MakeImpl<InputSig Lang> {
           )
         }
 
+        pragma[nomagic]
+        private predicate fwdFlowIn0(
+          DataFlowCall call, ArgNodeEx arg, FlowState state, Cc outercc, ParamNodeOption summaryCtx,
+          TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa
+        ) {
+          fwdFlow(arg, state, outercc, summaryCtx, argT, argAp, t, ap, apa) and
+          flowIntoCallApa(call, arg, _, _, _, _)
+        }
+
+        pragma[nomagic]
+        private predicate fwdFlowInCallContextReduced(
+          DataFlowCall call, ArgNodeEx arg, FlowState state, CcCall outercc,
+          ParamNodeOption summaryCtx, TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa,
+          DataFlowCallable inner
+        ) {
+          fwdFlowIn0(call, arg, state, outercc, summaryCtx, argT, argAp, t, ap, apa) and
+          inner = viableImplCallContextReduced(call, outercc)
+        }
+
+        pragma[nomagic]
+        private predicate fwdFlowInNotCallContextReduced(
+          DataFlowCall call, ArgNodeEx arg, FlowState state, Cc outercc, ParamNodeOption summaryCtx,
+          TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa
+        ) {
+          fwdFlowIn0(call, arg, state, outercc, summaryCtx, argT, argAp, t, ap, apa) and
+          viableImplNotCallContextReduced(call, outercc)
+        }
+
         pragma[nomagic]
         private predicate fwdFlowIn(
           DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
           ParamNodeOption summaryCtx, TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa
         ) {
-          exists(ArgNodeEx arg, boolean allowsFieldFlow |
-            fwdFlow(arg, state, outercc, summaryCtx, argT, argAp, t, ap, apa) and
-            flowIntoCallApa(call, arg, p, allowsFieldFlow, apa) and
-            innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+          exists(ArgNodeEx arg, boolean allowsFieldFlow, DataFlowCallable inner |
+            fwdFlowInCallContextReduced(call, arg, state, outercc, summaryCtx, argT, argAp, t, ap,
+              apa, inner)
+            or
+            fwdFlowInNotCallContextReduced(call, arg, state, outercc, summaryCtx, argT, argAp, t,
+              ap, apa)
+          |
+            flowIntoCallApa(call, arg, p, inner, allowsFieldFlow, apa) and
+            innercc = getCallContextCall(call, inner) and
+            if allowsFieldFlow = false then ap instanceof ApNil else any()
+          )
+        }
+
+        pragma[nomagic]
+        private predicate fwdFlowOut0(
+          RetNodeEx ret, FlowState state, CcNoCall innercc, ParamNodeOption summaryCtx,
+          TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa, DataFlowCallable inner
+        ) {
+          fwdFlow(ret, state, innercc, summaryCtx, argT, argAp, t, ap, apa) and
+          inner = ret.getEnclosingCallable()
+        }
+
+        pragma[nomagic]
+        private predicate fwdFlowOutCallContextReduced(
+          DataFlowCall call, RetNodeEx ret, FlowState state, CcNoCall innercc,
+          ParamNodeOption summaryCtx, TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa,
+          DataFlowCallable inner
+        ) {
+          fwdFlowOut0(ret, state, innercc, summaryCtx, argT, argAp, t, ap, apa, inner) and
+          inner = viableImplCallContextReducedReverse(call, innercc)
+        }
+
+        pragma[nomagic]
+        private predicate fwdFlowOutNotCallContextReduced(
+          RetNodeEx ret, FlowState state, CcNoCall innercc, ParamNodeOption summaryCtx,
+          TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa, DataFlowCallable inner
+        ) {
+          fwdFlowOut0(ret, state, innercc, summaryCtx, argT, argAp, t, ap, apa, inner) and
+          viableImplNotCallContextReducedReverse(innercc)
+        }
+
+        // inline to reduce number of iterations
+        pragma[inline]
+        private predicate fwdFlowOut(
+          NodeEx out, FlowState state, CcNoCall outercc, ParamNodeOption summaryCtx, TypOption argT,
+          ApOption argAp, Typ t, Ap ap, ApApprox apa
+        ) {
+          exists(
+            DataFlowCall call, RetNodeEx ret, boolean allowsFieldFlow, CcNoCall innercc,
+            DataFlowCallable inner
+          |
+            fwdFlowOutCallContextReduced(call, ret, state, innercc, summaryCtx, argT, argAp, t, ap,
+              apa, inner)
+            or
+            fwdFlowOutNotCallContextReduced(ret, state, innercc, summaryCtx, argT, argAp, t, ap,
+              apa, inner)
+          |
+            flowOutOfCallApa(call, ret, inner, _, out, allowsFieldFlow, apa) and
+            outercc = getCallContextReturn(inner, call) and
             if allowsFieldFlow = false then ap instanceof ApNil else any()
           )
         }
@@ -1518,7 +1605,7 @@ module MakeImpl<InputSig Lang> {
           DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap
         ) {
           exists(ApApprox argApa, Typ argT |
-            flowIntoCallApa(call, pragma[only_bind_into](arg), pragma[only_bind_into](p),
+            flowIntoCallApa(call, pragma[only_bind_into](arg), pragma[only_bind_into](p), _,
               allowsFieldFlow, argApa) and
             fwdFlow(arg, _, _, _, _, _, pragma[only_bind_into](argT), pragma[only_bind_into](argAp),
               argApa) and
@@ -1529,24 +1616,23 @@ module MakeImpl<InputSig Lang> {
         }
 
         pragma[nomagic]
-        private predicate flowIntoCallAp(
-          DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap ap
-        ) {
-          exists(ApApprox apa |
-            flowIntoCallApa(call, arg, p, allowsFieldFlow, apa) and
-            fwdFlow(arg, _, _, _, _, _, _, ap, apa)
+        private predicate flowIntoCallAp(DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, Ap ap) {
+          exists(ApApprox apa, boolean allowsFieldFlow |
+            flowIntoCallApa(call, arg, p, _, allowsFieldFlow, apa) and
+            fwdFlow(arg, _, _, _, _, _, _, ap, apa) and
+            if allowsFieldFlow = false then ap instanceof ApNil else any()
           )
         }
 
         pragma[nomagic]
         private predicate flowOutOfCallAp(
-          DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
-          Ap ap
+          DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, Ap ap
         ) {
-          exists(ApApprox apa |
-            flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa) and
+          exists(ApApprox apa, boolean allowsFieldFlow |
+            flowOutOfCallApa(call, ret, _, _, out, allowsFieldFlow, apa) and
             fwdFlow(ret, _, _, _, _, _, _, ap, apa) and
-            pos = ret.getReturnPosition()
+            pos = ret.getReturnPosition() and
+            if allowsFieldFlow = false then ap instanceof ApNil else any()
           )
         }
 
@@ -1627,10 +1713,9 @@ module MakeImpl<InputSig Lang> {
           )
           or
           // flow into a callable
-          exists(ParamNodeEx p, boolean allowsFieldFlow |
+          exists(ParamNodeEx p |
             revFlow(p, state, TReturnCtxNone(), returnAp, ap) and
-            flowIntoCallAp(_, node, p, allowsFieldFlow, ap) and
-            (if allowsFieldFlow = false then ap instanceof ApNil else any()) and
+            flowIntoCallAp(_, node, p, ap) and
             returnCtx = TReturnCtxNone()
           )
           or
@@ -1680,10 +1765,9 @@ module MakeImpl<InputSig Lang> {
           DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state,
           ReturnCtx returnCtx, ApOption returnAp, Ap ap
         ) {
-          exists(NodeEx out, boolean allowsFieldFlow |
+          exists(NodeEx out |
             revFlow(out, state, returnCtx, returnAp, ap) and
-            flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap) and
-            if allowsFieldFlow = false then ap instanceof ApNil else any()
+            flowOutOfCallAp(call, ret, pos, out, ap)
           )
         }
 
@@ -1872,11 +1956,23 @@ module MakeImpl<InputSig Lang> {
       bindingset[node, cc]
       LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
 
-      bindingset[call, c, outercc]
-      CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
+      DataFlowCallable viableImplCallContextReduced(DataFlowCall call, CcCall ctx) { none() }
+
+      bindingset[call, ctx]
+      predicate viableImplNotCallContextReduced(DataFlowCall call, Cc ctx) { any() }
+
+      bindingset[call, c]
+      CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c) { any() }
+
+      DataFlowCallable viableImplCallContextReducedReverse(DataFlowCall call, CcNoCall ctx) {
+        none()
+      }
 
-      bindingset[call, c, innercc]
-      CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
+      bindingset[ctx]
+      predicate viableImplNotCallContextReducedReverse(CcNoCall ctx) { any() }
+
+      bindingset[call, c]
+      CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call) { any() }
     }
 
     private module Level1CallContext {
@@ -1899,9 +1995,17 @@ module MakeImpl<InputSig Lang> {
         bindingset[node, cc]
         LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
 
-        bindingset[call, c, outercc]
-        CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-          checkCallContextCall(outercc, call, c) and
+        DataFlowCallable viableImplCallContextReduced(DataFlowCall call, CcCall ctx) {
+          result = prunedViableImplInCallContext(call, ctx)
+        }
+
+        bindingset[call, ctx]
+        predicate viableImplNotCallContextReduced(DataFlowCall call, Cc ctx) {
+          noPrunedViableImplInCallContext(call, ctx)
+        }
+
+        bindingset[call, c]
+        CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c) {
           if recordDataFlowCallSiteDispatch(call, c)
           then result = TSpecificCall(call)
           else result = TSomeCall()
@@ -1918,18 +2022,34 @@ module MakeImpl<InputSig Lang> {
               node.getEnclosingCallable())
         }
 
-        bindingset[call, c, outercc]
-        CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-          checkCallContextCall(outercc, call, c) and
+        DataFlowCallable viableImplCallContextReduced(DataFlowCall call, CcCall ctx) {
+          result = prunedViableImplInCallContext(call, ctx)
+        }
+
+        bindingset[call, ctx]
+        predicate viableImplNotCallContextReduced(DataFlowCall call, Cc ctx) {
+          noPrunedViableImplInCallContext(call, ctx)
+        }
+
+        bindingset[call, c]
+        CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c) {
           if recordDataFlowCallSite(call, c)
           then result = TSpecificCall(call)
           else result = TSomeCall()
         }
       }
 
-      bindingset[call, c, innercc]
-      CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-        checkCallContextReturn(innercc, c, call) and
+      DataFlowCallable viableImplCallContextReducedReverse(DataFlowCall call, CcNoCall ctx) {
+        result = prunedViableImplInCallContextReverse(call, ctx)
+      }
+
+      bindingset[ctx]
+      predicate viableImplNotCallContextReducedReverse(CcNoCall ctx) {
+        ctx instanceof CallContextAny
+      }
+
+      bindingset[call, c]
+      CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call) {
         if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
       }
     }