Swift: Diff-informed queries: phase 3 (non-trivial locations)

[d10c]

This PR enables diff-informed mode on queries that select a location other than dataflow source or sink. This entails adding a non-trivial location override that returns the locations that are actually selected.

Prior work includes PRs like #19663, #19759, and #19817. This PR uses the same patch script as those PRs to find candidate queries to convert to diff-enabled. This is the final step in mass-enabling diff-informed queries on all the languages.

Commit-by-commit reviewing is recommended.

• I have split the commits that add/modify tests from the ones that enable/disable diff-informed queries.
• If the commit modifies a .qll file, in the commit message I've included links to the queries that depend on that .qll for easier reviewing.
• Feel free to delegate parts of the review to others who may be more specialized in certain languages.

[Copilot]

Pull Request Overview

This PR enables diff-informed mode on Swift security queries that select non-trivial locations (other than dataflow source or sink). The changes add location override predicates to handle cases where queries select locations that need special handling for diff-informed analysis.

• Adds observeDiffInformedIncrementalMode() predicate to four security query modules
• Implements getASelectedSinkLocation() predicate for queries that can support diff-informed mode
• Disables diff-informed mode for queries with location selection complexities

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
UnsafeWebViewFetchQuery.qll	Disables diff-informed mode due to secondary location use in select
InsecureTLSQuery.qll	Disables diff-informed mode due to Swift nodes with problematic locations
CleartextStoragePreferencesQuery.qll	Enables diff-informed mode with custom sink location handling
CleartextStorageDatabaseQuery.qll	Enables diff-informed mode with custom sink location handling

[Copilot]

The logic in getASelectedSinkLocation is duplicated across CleartextStoragePreferencesQuery.qll and CleartextStorageDatabaseQuery.qll. Consider extracting this common pattern into a shared utility predicate to improve maintainability.

[geoffw0]

Thanks for the links in the commit descriptions, they were a helpful shortcut.

[geoffw0]

Do you recall if there's any reason we don't give post-update nodes a Location (equal to that of the pre-update node)?

I may do a quick experiment with this (probably after your PR, to avoid complicating things).

[d10c]

I think it comes down to the use of UnknownLocation when an AstNode is synthesized.

[geoffw0]

OK, I'll have a very quick go at making a workaround, but as I say, lets not let it get in the way of this PR.

[geoffw0]

Yeah, it looks like there's no easy way to provide a location for such a node in Swift.

[geoffw0]

What's the issue here? The only unusual thing I can see in that query is selecting from three possible alert messages.

[d10c]

This issue is the second flow call (UnsafeWebViewFetchFlow::flowToExpr) in the third disjunct: we can't include it in the location override because of monotonic recursion, but if we exclude it then the --check-diff-informed test fails, as it usually does with these cases of secondary flows. So we can't make these queries diff-informed, but their incrementality story will be handled separately using overlay-informed dataflow.

[geoffw0]

Thanks for the explanation.