From 105887ff8405be62d7ec39e53b71da9ae893ae31 Mon Sep 17 00:00:00 2001 From: Chuan-kai Lin Date: Wed, 2 Oct 2024 10:55:04 -0700 Subject: [PATCH] Dataflow: apply diff-informed filtering consistently --- .../codeql/dataflow/internal/DataFlowImpl.qll | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 1bebea93c486..f1b32d6a269d 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -167,7 +167,7 @@ module MakeImpl Lang> { private module SourceSinkFiltering { private import codeql.util.AlertFiltering - private module AlertFiltering = AlertFilteringImpl; + module AlertFiltering = AlertFilteringImpl; pragma[nomagic] private predicate isFilteredSource(Node source) { @@ -3511,6 +3511,19 @@ module MakeImpl Lang> { * included in the module `PathGraph`. */ predicate flowPath(PathNode source, PathNode sink) { + ( + // When there are both sources and sinks in the diff range, + // diff-informed dataflow falls back to computing all paths without + // any filtering. To prevent significant alert flip-flopping due to + // minor code changes triggering the fallback, we consistently apply + // source-or-sink filtering here to ensure that we return the same + // paths regardless of whether the fallback is triggered. + if Config::observeDiffInformedIncrementalMode() + then + AlertFiltering::filterByLocation(source.getLocation()) or + AlertFiltering::filterByLocation(sink.getLocation()) + else any() + ) and exists(PathNodeImpl flowsource, PathNodeImpl flowsink | source = flowsource and sink = flowsink |