Merge pull request #19114 from michaelnebel/csharp/modelgenparammodifiers

C#: Correct printing of returns via out/ref parameters in model generation.

Author: michaelnebel

csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -233,6 +233,10 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CsharpDat
     result = ParamReturnNodeAsOutput<parameterContentAccess/1>::paramReturnNodeAsOutput(c, pos)
   }
 
+  ParameterPosition getReturnKindParamPosition(ReturnKind kind) {
+    kind.(OutRefReturnKind).getPosition() = result.getPosition()
+  }
+
   Callable returnNodeEnclosingCallable(DataFlow::Node ret) {
     result = DataFlowImplCommon::getNodeEnclosingCallable(ret).asCallable(_)
   }

csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs

@@ -1034,3 +1034,40 @@ public override object GetValue()
         }
     }
 }
+
+public class ParameterModifiers
+{
+    // contentbased-summary=Models;ParameterModifiers;false;Copy;(System.Object,System.Object);;Argument[0];Argument[1];value;dfc-generated
+    // summary=Models;ParameterModifiers;false;Copy;(System.Object,System.Object);;Argument[0];Argument[1];taint;df-generated
+    public void Copy(object key, out object value)
+    {
+        value = key;
+    }
+
+    // contentbased-summary=Models;ParameterModifiers;false;CopyToRef;(System.Object,System.Object);;Argument[0];Argument[1];value;dfc-generated
+    // summary=Models;ParameterModifiers;false;CopyToRef;(System.Object,System.Object);;Argument[0];Argument[1];taint;df-generated
+    public void CopyToRef(object key, ref object value)
+    {
+        value = key;
+    }
+
+    // No summaries as we disregard flow from a parameter to itself.
+    // neutral=Models;ParameterModifiers;RefParamFlowToSelf;(System.Object,System.Boolean);summary;df-generated
+    public void RefParamFlowToSelf(ref object value, bool b)
+    {
+        value = b ? value : null;
+    }
+
+    // neutral=Models;ParameterModifiers;RefParamUse;(System.Object);summary;df-generated
+    public void RefParamUse(ref object value)
+    {
+        var b = value is null;
+    }
+
+    // contentbased-summary=Models;ParameterModifiers;false;InReturn;(System.Object);;Argument[0];ReturnValue;value;dfc-generated
+    // summary=Models;ParameterModifiers;false;InReturn;(System.Object);;Argument[0];ReturnValue;taint;df-generated
+    public object InReturn(in object v)
+    {
+        return v;
+    }
+}

shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll

@@ -221,6 +221,11 @@ signature module ModelGeneratorInputSig<LocationSig Location, InputSig<Location>
    */
   string printContent(Lang::ContentSet c);
 
+  /**
+   * Gets the parameter position of the return kind, if any.
+   */
+  default Lang::ParameterPosition getReturnKindParamPosition(Lang::ReturnKind node) { none() }
+
   /**
    * Holds if it is irrelevant to generate models for `api` based on data flow analysis.
    *
@@ -301,6 +306,14 @@ module MakeModelGenerator<
      * Gets the kind of the return node.
      */
     DataFlow::ReturnKindExt getKind() { result = kind }
+
+    /**
+     * Gets the parameter position of the return node, if any.
+     */
+    DataFlow::ParameterPosition getPosition() {
+      result = this.getKind().(DataFlow::ParamUpdateReturnKind).getPosition() or
+      result = getReturnKindParamPosition(this.getKind().(DataFlow::ValueReturnKind).getKind())
+    }
   }
 
   bindingset[c]
@@ -309,10 +322,11 @@ module MakeModelGenerator<
   private module PrintReturnNodeExt<printCallableParamSig/2 printCallableParam> {
     string getOutput(ReturnNodeExt node) {
       node.getKind() instanceof DataFlow::ValueReturnKind and
+      not exists(node.getPosition()) and
       result = "ReturnValue"
       or
       exists(DataFlow::ParameterPosition pos |
-        pos = node.getKind().(DataFlow::ParamUpdateReturnKind).getPosition() and
+        pos = node.getPosition() and
         result = printCallableParam(returnNodeEnclosingCallable(node), pos)
       )
     }