Java: expose support for more general BarrierGuards.

aschackmull · aschackmull · commit 9cd2247b91d4 · 2025-12-10T12:23:52.000+01:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -375,24 +375,48 @@ class ContentSet instanceof Content {
 }
 
 /**
- * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
+ * Holds if the guard `g` validates the expression `e` upon evaluating to `gv`.
  *
  * The expression `e` is expected to be a syntactic part of the guard `g`.
  * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
  * the argument `x`.
  */
-signature predicate guardChecksSig(Guard g, Expr e, boolean branch);
+signature predicate valueGuardChecksSig(Guard g, Expr e, GuardValue gv);
 
 /**
  * Provides a set of barrier nodes for a guard that validates an expression.
  *
  * This is expected to be used in `isBarrier`/`isSanitizer` definitions
  * in data flow and taint tracking.
  */
-module BarrierGuard<guardChecksSig/3 guardChecks> {
+module BarrierGuardValue<valueGuardChecksSig/3 guardChecks> {
   /** Gets a node that is safely guarded by the given guard check. */
   Node getABarrierNode() {
     SsaFlow::asNode(result) =
       SsaImpl::DataFlowIntegration::BarrierGuard<guardChecks/3>::getABarrierNode()
   }
 }
+
+/**
+ * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
+ *
+ * The expression `e` is expected to be a syntactic part of the guard `g`.
+ * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
+ * the argument `x`.
+ */
+signature predicate guardChecksSig(Guard g, Expr e, boolean branch);
+
+/**
+ * Provides a set of barrier nodes for a guard that validates an expression.
+ *
+ * This is expected to be used in `isBarrier`/`isSanitizer` definitions
+ * in data flow and taint tracking.
+ */
+module BarrierGuard<guardChecksSig/3 guardChecks> {
+  private predicate guardChecks0(Guard g, Expr e, GuardValue gv) {
+    guardChecks(g, e, gv.asBooleanValue())
+  }
+
+  /** Gets a node that is safely guarded by the given guard check. */
+  Node getABarrierNode() { result = BarrierGuardValue<guardChecks0/3>::getABarrierNode() }
+}
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll
@@ -564,14 +564,14 @@ private module Cached {
       DataFlowIntegrationImpl::localMustFlowStep(v, nodeFrom, nodeTo)
     }
 
-    signature predicate guardChecksSig(Guards::Guard g, Expr e, boolean branch);
+    signature predicate guardChecksSig(Guards::Guard g, Expr e, Guards::GuardValue gv);
 
     cached // nothing is actually cached
     module BarrierGuard<guardChecksSig/3 guardChecks> {
       private predicate guardChecksAdjTypes(
         Guards::Guards_v3::Guard g, Expr e, Guards::GuardValue gv
       ) {
-        guardChecks(g, e, gv.asBooleanValue())
+        guardChecks(g, e, gv)
       }
 
       private predicate guardChecksWithWrappers(

Original file line number	Diff line number	Diff line change
`@@ -564,14 +564,14 @@ private module Cached {`
`564`	`564`	`DataFlowIntegrationImpl::localMustFlowStep(v, nodeFrom, nodeTo)`
`565`	`565`	`}`
`566`	`566`
`567`		`- signature predicate guardChecksSig(Guards::Guard g, Expr e, boolean branch);`
	`567`	`+ signature predicate guardChecksSig(Guards::Guard g, Expr e, Guards::GuardValue gv);`
`568`	`568`
`569`	`569`	`cached // nothing is actually cached`
`570`	`570`	`module BarrierGuard<guardChecksSig/3 guardChecks> {`
`571`	`571`	`private predicate guardChecksAdjTypes(`
`572`	`572`	`Guards::Guards_v3::Guard g, Expr e, Guards::GuardValue gv`
`573`	`573`	`) {`
`574`		`- guardChecks(g, e, gv.asBooleanValue())`
	`574`	`+ guardChecks(g, e, gv)`
`575`	`575`	`}`
`576`	`576`
`577`	`577`	`private predicate guardChecksWithWrappers(`