@@ -366,7 +366,7 @@ private module Stage1 {
366366 exists ( Node mid , Node node , TypedContent tc |
367367 not fullBarrier ( node , config ) and
368368 useFieldFlow ( config ) and
369- fwdFlow ( mid , config ) and
369+ fwdFlow ( mid , _ , config ) and
370370 store ( mid , tc , node , _) and
371371 c = tc .getContent ( )
372372 )
@@ -389,8 +389,8 @@ private module Stage1 {
389389 }
390390
391391 pragma [ nomagic]
392- private predicate fwdFlowOutFromArg ( DataFlowCall call , Node node , Configuration config ) {
393- fwdFlowOut ( call , node , true , config )
392+ private predicate fwdFlowOutFromArg ( DataFlowCall call , Node out , Configuration config ) {
393+ fwdFlowOut ( call , out , true , config )
394394 }
395395
396396 /**
@@ -584,21 +584,20 @@ private module Stage1 {
584584 revFlow ( node , toReturn , config ) and exists ( returnAp ) and exists ( ap )
585585 }
586586
587- private predicate throughFlowNodeCand1 ( Node node , Configuration config ) {
587+ private predicate throughFlowNodeCand ( Node node , Configuration config ) {
588588 revFlow ( node , true , config ) and
589589 fwdFlow ( node , true , config ) and
590- not fullBarrier ( node , config ) and
591590 not inBarrier ( node , config ) and
592591 not outBarrier ( node , config )
593592 }
594593
595594 /** Holds if flow may return from `callable`. */
596595 pragma [ nomagic]
597- private predicate returnFlowCallableNodeCand1 (
596+ private predicate returnFlowCallableNodeCand (
598597 DataFlowCallable callable , ReturnKindExt kind , Configuration config
599598 ) {
600599 exists ( ReturnNodeExt ret |
601- throughFlowNodeCand1 ( ret , config ) and
600+ throughFlowNodeCand ( ret , config ) and
602601 callable = ret .getEnclosingCallable ( ) and
603602 kind = ret .getKind ( )
604603 )
@@ -610,8 +609,8 @@ private module Stage1 {
610609 */
611610 predicate parameterMayFlowThrough ( ParameterNode p , DataFlowCallable c , Ap ap , Configuration config ) {
612611 exists ( ReturnKindExt kind |
613- throughFlowNodeCand1 ( p , config ) and
614- returnFlowCallableNodeCand1 ( c , kind , config ) and
612+ throughFlowNodeCand ( p , config ) and
613+ returnFlowCallableNodeCand ( c , kind , config ) and
615614 p .getEnclosingCallable ( ) = c and
616615 exists ( ap ) and
617616 // we don't expect a parameter to return stored in itself
@@ -803,7 +802,7 @@ private module Stage2 {
803802 CcNoCall ( ) { this = false }
804803 }
805804
806- Cc ccAny ( ) { result = false }
805+ Cc ccNone ( ) { result = false }
807806
808807 private class LocalCc = Unit ;
809808
@@ -859,7 +858,7 @@ private module Stage2 {
859858 predicate fwdFlow ( Node node , Cc cc , ApOption argAp , Ap ap , Configuration config ) {
860859 flowCand ( node , _, config ) and
861860 config .isSource ( node ) and
862- cc = ccAny ( ) and
861+ cc = ccNone ( ) and
863862 argAp = apNone ( ) and
864863 ap = getApNil ( node )
865864 or
@@ -878,15 +877,15 @@ private module Stage2 {
878877 fwdFlow ( mid , _, _, ap , config ) and
879878 flowCand ( node , _, unbind ( config ) ) and
880879 jumpStep ( mid , node , config ) and
881- cc = ccAny ( ) and
880+ cc = ccNone ( ) and
882881 argAp = apNone ( )
883882 )
884883 or
885884 exists ( Node mid , ApNil nil |
886885 fwdFlow ( mid , _, _, nil , config ) and
887886 flowCand ( node , _, unbind ( config ) ) and
888887 additionalJumpStep ( mid , node , config ) and
889- cc = ccAny ( ) and
888+ cc = ccNone ( ) and
890889 argAp = apNone ( ) and
891890 ap = getApNil ( node )
892891 )
@@ -970,13 +969,19 @@ private module Stage2 {
970969 )
971970 }
972971
972+ /**
973+ * Holds if flow may exit from `call` at `out` with access path `ap`. The
974+ * inner call context is `innercc`, but `ccOut` is just the call context
975+ * based on the return step. In the case of through-flow `ccOut` is discarded
976+ * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
977+ */
973978 pragma [ nomagic]
974979 private predicate fwdFlowOut (
975- DataFlowCall call , Node node , Cc innercc , Cc ccOut , ApOption argAp , Ap ap , Configuration config
980+ DataFlowCall call , Node out , Cc innercc , Cc ccOut , ApOption argAp , Ap ap , Configuration config
976981 ) {
977982 exists ( ReturnNodeExt ret , boolean allowsFieldFlow , DataFlowCallable inner |
978983 fwdFlow ( ret , innercc , argAp , ap , config ) and
979- flowOutOfCall ( call , ret , node , allowsFieldFlow , config ) and
984+ flowOutOfCall ( call , ret , out , allowsFieldFlow , config ) and
980985 inner = ret .getEnclosingCallable ( ) and
981986 checkCallContextReturn ( innercc , inner , call ) and
982987 ccOut = getCallContextReturn ( inner , call )
@@ -987,9 +992,9 @@ private module Stage2 {
987992
988993 pragma [ nomagic]
989994 private predicate fwdFlowOutFromArg (
990- DataFlowCall call , Node node , Ap argAp , Ap ap , Configuration config
995+ DataFlowCall call , Node out , Ap argAp , Ap ap , Configuration config
991996 ) {
992- fwdFlowOut ( call , node , any ( CcCall ccc ) , _, apSome ( argAp ) , ap , config )
997+ fwdFlowOut ( call , out , any ( CcCall ccc ) , _, apSome ( argAp ) , ap , config )
993998 }
994999
9951000 /**
@@ -1416,7 +1421,7 @@ private module Stage3 {
14161421 CcNoCall ( ) { this = false }
14171422 }
14181423
1419- Cc ccAny ( ) { result = false }
1424+ Cc ccNone ( ) { result = false }
14201425
14211426 private class LocalCc = Unit ;
14221427
@@ -1481,7 +1486,7 @@ private module Stage3 {
14811486 private predicate fwdFlow0 ( Node node , Cc cc , ApOption argAp , Ap ap , Configuration config ) {
14821487 flowCand ( node , _, config ) and
14831488 config .isSource ( node ) and
1484- cc = ccAny ( ) and
1489+ cc = ccNone ( ) and
14851490 argAp = apNone ( ) and
14861491 ap = getApNil ( node )
14871492 or
@@ -1500,15 +1505,15 @@ private module Stage3 {
15001505 fwdFlow ( mid , _, _, ap , config ) and
15011506 flowCand ( node , _, unbind ( config ) ) and
15021507 jumpStep ( mid , node , config ) and
1503- cc = ccAny ( ) and
1508+ cc = ccNone ( ) and
15041509 argAp = apNone ( )
15051510 )
15061511 or
15071512 exists ( Node mid , ApNil nil |
15081513 fwdFlow ( mid , _, _, nil , config ) and
15091514 flowCand ( node , _, unbind ( config ) ) and
15101515 additionalJumpStep ( mid , node , config ) and
1511- cc = ccAny ( ) and
1516+ cc = ccNone ( ) and
15121517 argAp = apNone ( ) and
15131518 ap = getApNil ( node )
15141519 )
@@ -1592,13 +1597,19 @@ private module Stage3 {
15921597 )
15931598 }
15941599
1600+ /**
1601+ * Holds if flow may exit from `call` at `out` with access path `ap`. The
1602+ * inner call context is `innercc`, but `ccOut` is just the call context
1603+ * based on the return step. In the case of through-flow `ccOut` is discarded
1604+ * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
1605+ */
15951606 pragma [ nomagic]
15961607 private predicate fwdFlowOut (
1597- DataFlowCall call , Node node , Cc innercc , Cc ccOut , ApOption argAp , Ap ap , Configuration config
1608+ DataFlowCall call , Node out , Cc innercc , Cc ccOut , ApOption argAp , Ap ap , Configuration config
15981609 ) {
15991610 exists ( ReturnNodeExt ret , boolean allowsFieldFlow , DataFlowCallable inner |
16001611 fwdFlow ( ret , innercc , argAp , ap , config ) and
1601- flowOutOfCall ( call , ret , node , allowsFieldFlow , config ) and
1612+ flowOutOfCall ( call , ret , out , allowsFieldFlow , config ) and
16021613 inner = ret .getEnclosingCallable ( ) and
16031614 checkCallContextReturn ( innercc , inner , call ) and
16041615 ccOut = getCallContextReturn ( inner , call )
@@ -1609,9 +1620,9 @@ private module Stage3 {
16091620
16101621 pragma [ nomagic]
16111622 private predicate fwdFlowOutFromArg (
1612- DataFlowCall call , Node node , Ap argAp , Ap ap , Configuration config
1623+ DataFlowCall call , Node out , Ap argAp , Ap ap , Configuration config
16131624 ) {
1614- fwdFlowOut ( call , node , any ( CcCall ccc ) , _, apSome ( argAp ) , ap , config )
1625+ fwdFlowOut ( call , out , any ( CcCall ccc ) , _, apSome ( argAp ) , ap , config )
16151626 }
16161627
16171628 /**
@@ -2096,7 +2107,7 @@ private module Stage4 {
20962107
20972108 class CcNoCall = CallContextNoCall ;
20982109
2099- Cc ccAny ( ) { result instanceof CallContextAny }
2110+ Cc ccNone ( ) { result instanceof CallContextAny }
21002111
21012112 private class LocalCc = LocalCallContext ;
21022113
@@ -2108,7 +2119,7 @@ private module Stage4 {
21082119
21092120 bindingset [ call, c]
21102121 private CcNoCall getCallContextReturn ( DataFlowCallable c , DataFlowCall call ) {
2111- if reducedViableImplInReturn ( c , call ) then result = TReturn ( c , call ) else result = ccAny ( )
2122+ if reducedViableImplInReturn ( c , call ) then result = TReturn ( c , call ) else result = ccNone ( )
21122123 }
21132124
21142125 bindingset [ innercc, inner, call]
@@ -2153,6 +2164,7 @@ private module Stage4 {
21532164 bindingset [ node, ap]
21542165 private predicate filter ( Node node , Ap ap ) { any ( ) }
21552166
2167+ // Type checking is not necessary here as it has already been done in stage 3.
21562168 bindingset [ ap, contentType]
21572169 private predicate typecheckStore ( Ap ap , DataFlowType contentType ) { any ( ) }
21582170
@@ -2180,7 +2192,7 @@ private module Stage4 {
21802192 private predicate fwdFlow0 ( Node node , Cc cc , ApOption argAp , Ap ap , Configuration config ) {
21812193 flowCand ( node , _, config ) and
21822194 config .isSource ( node ) and
2183- cc = ccAny ( ) and
2195+ cc = ccNone ( ) and
21842196 argAp = apNone ( ) and
21852197 ap = getApNil ( node )
21862198 or
@@ -2199,15 +2211,15 @@ private module Stage4 {
21992211 fwdFlow ( mid , _, _, ap , config ) and
22002212 flowCand ( node , _, unbind ( config ) ) and
22012213 jumpStep ( mid , node , config ) and
2202- cc = ccAny ( ) and
2214+ cc = ccNone ( ) and
22032215 argAp = apNone ( )
22042216 )
22052217 or
22062218 exists ( Node mid , ApNil nil |
22072219 fwdFlow ( mid , _, _, nil , config ) and
22082220 flowCand ( node , _, unbind ( config ) ) and
22092221 additionalJumpStep ( mid , node , config ) and
2210- cc = ccAny ( ) and
2222+ cc = ccNone ( ) and
22112223 argAp = apNone ( ) and
22122224 ap = getApNil ( node )
22132225 )
@@ -2291,13 +2303,19 @@ private module Stage4 {
22912303 )
22922304 }
22932305
2306+ /**
2307+ * Holds if flow may exit from `call` at `out` with access path `ap`. The
2308+ * inner call context is `innercc`, but `ccOut` is just the call context
2309+ * based on the return step. In the case of through-flow `ccOut` is discarded
2310+ * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
2311+ */
22942312 pragma [ nomagic]
22952313 private predicate fwdFlowOut (
2296- DataFlowCall call , Node node , Cc innercc , Cc ccOut , ApOption argAp , Ap ap , Configuration config
2314+ DataFlowCall call , Node out , Cc innercc , Cc ccOut , ApOption argAp , Ap ap , Configuration config
22972315 ) {
22982316 exists ( ReturnNodeExt ret , boolean allowsFieldFlow , DataFlowCallable inner |
22992317 fwdFlow ( ret , innercc , argAp , ap , config ) and
2300- flowOutOfCall ( call , ret , node , allowsFieldFlow , config ) and
2318+ flowOutOfCall ( call , ret , out , allowsFieldFlow , config ) and
23012319 inner = ret .getEnclosingCallable ( ) and
23022320 checkCallContextReturn ( innercc , inner , call ) and
23032321 ccOut = getCallContextReturn ( inner , call )
@@ -2308,9 +2326,9 @@ private module Stage4 {
23082326
23092327 pragma [ nomagic]
23102328 private predicate fwdFlowOutFromArg (
2311- DataFlowCall call , Node node , Ap argAp , Ap ap , Configuration config
2329+ DataFlowCall call , Node out , Ap argAp , Ap ap , Configuration config
23122330 ) {
2313- fwdFlowOut ( call , node , any ( CcCall ccc ) , _, apSome ( argAp ) , ap , config )
2331+ fwdFlowOut ( call , out , any ( CcCall ccc ) , _, apSome ( argAp ) , ap , config )
23142332 }
23152333
23162334 /**
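Review bot: Dropping `not fullBarrier(node, config)` from `throughFlowNodeCand` in the Stage1 hunk (old lines 587–593) is a semantic change hidden among renames, and nothing in the commit records why it is safe. The store disjunct of Stage1 `fwdFlow` shown in the first hunk does require `not fullBarrier(node, config)`, so the conjunct is presumably redundant given `fwdFlow(node, true, config)`, but the other disjuncts of `fwdFlow` and all of `revFlow` lie outside these hunks, so the assumption should be stated next to the remaining barrier checks: `// fullBarrier nodes are already excluded by fwdFlow; only in/out barriers need checking here.` The `ccAny` → `ccNone` rename also leaves Stage4 reading `Cc ccNone() { result instanceof CallContextAny }`, where the name and the type now disagree; a one-line QLDoc on each `ccNone`, such as `/** The call context carrying no information (the `CallContextAny` case in Stage4). */`, would keep that from being read as a mistake.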