Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Data flow: Synthesize parameter return nodes #16394

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Data flow: Synthesize parameter return nodes #16394

wants to merge 3 commits into from

Conversation

hvitved
Copy link
Contributor

@hvitved hvitved commented May 2, 2024
edited

This PR adds synthetic return nodes for flow that returns from methods via a parameter. For example, in

class C
{
    public string Field;
}

public void TaintField(C c) // (1)
{
    c.Field = "taint"; // (2)
}

void M(C c)
{
    c.TaintField(); // (3)
    Sink(c.Field);
}

we would previously have a direct flow step from [post] c at (2) to [post] c at (3), whereas now we first have a step from [post] c at (2) to c [Return] at (1), and then from c [Return] at (1) to [post] c at (3).

The motivation for adding the extra node is two-fold: Firstly, it may help with generating fewer subpaths, and secondly it will be easier to follow flow path explanations (especially when the parameter write happens in a large method).

@hvitved hvitved force-pushed the dataflow/synth-param-ret-node branch 3 times, most recently from 7b3811a to c14d652 Compare May 6, 2024 12:24
@github-actions github-actions bot removed the Python label May 6, 2024
@hvitved hvitved force-pushed the dataflow/synth-param-ret-node branch from c14d652 to 4b024f8 Compare May 6, 2024 12:31
@hvitved hvitved added the depends on internal PR This PR should only be merged in sync with an internal Semmle PR label May 6, 2024
@hvitved hvitved marked this pull request as ready for review May 6, 2024 13:02
@hvitved hvitved requested review from a team as code owners May 6, 2024 13:02
@hvitved hvitved requested a review from aschackmull May 6, 2024 13:02
aschackmull
aschackmull reviewed May 15, 2024
View reviewed changes
csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll

/**
* Gets the MaD string representation of the the return node `node`.
* Gets the MaD string represention of return through parameter at position
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Gets the MaD string represention of return through parameter at position
* Gets the MaD string representation of return through parameter at position

aschackmull
aschackmull reviewed May 15, 2024
View reviewed changes
java/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll
/**
* Gets the MaD string represention of the the return node `node`.
* Gets the MaD string represention of return through parameter at position
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Gets the MaD string represention of return through parameter at position
* Gets the MaD string representation of return through parameter at position

aschackmull
aschackmull reviewed May 15, 2024
View reviewed changes
shared/dataflow/change-notes/2024-05-06-param-return-nodes.md
---
category: minorAnalysis
---
* The data flow library now adds intermediate nodes when data flows out of a function via a parameter, in order to make path explanations easier to follow. The intermediate nodes have the same location as the underlying parameter, but must be accessed via `PathNode.asParameterReturnNode` instead of `PathNode.asNode`. `@kind path-problem` queries may have their expected test-output changed as a consequence.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we usually comment on the latter aspect.

Suggested change
* The data flow library now adds intermediate nodes when data flows out of a function via a parameter, in order to make path explanations easier to follow. The intermediate nodes have the same location as the underlying parameter, but must be accessed via `PathNode.asParameterReturnNode` instead of `PathNode.asNode`. `@kind path-problem` queries may have their expected test-output changed as a consequence.
* The data flow library now adds intermediate nodes when data flows out of a function via a parameter, in order to make path explanations easier to follow. The intermediate nodes have the same location as the underlying parameter, but must be accessed via `PathNode.asParameterReturnNode` instead of `PathNode.asNode`.

aschackmull
aschackmull reviewed May 15, 2024
View reviewed changes
Copy link
Contributor

@aschackmull aschackmull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschackmull aschackmull aschackmull left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
C# C++ DataFlow Library depends on internal PR This PR should only be merged in sync with an internal Semmle PR documentation Go Java Ruby Swift
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@hvitved @aschackmull @RasmusWL