Data flow: Add FeatureEscapesSourceCallContext(OrEqualSourceSinkCallContext) flow feature #21404
Merged: hvitved merged 4 commits into github:main on Mar 5, 2026
Pull request overview (Copilot review)
This PR extends the shared global data flow implementation with two new flow features to constrain results based on whether flow escapes the source call context, and updates the Rust AccessAfterLifetime query to use these features for simpler and faster filtering.
Changes:
- Add `FeatureEscapesSourceCallContext` and `FeatureEscapesSourceCallContextOrEqualSourceSinkCallContext` as new flow configuration features in shared dataflow internals.
- Update shared dataflow internals to track and enforce the new "escapes source call context" constraint during flow computation.
- Simplify Rust `AccessAfterLifetime.ql` by relying on the new flow feature and adjust Rust tests/expected output accordingly.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll | Adds Stage 1 predicate plumbing for the new escape-context feature. |
| shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll | Defines the new flow feature types and public feature classes. |
| shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll | Implements summary-context handling to enforce the new feature during dataflow. |
| shared/dataflow/change-notes/2026-03-04-flow-feature-escapes-source-call-context.md | Adds changelog entry documenting the new flow features. |
| rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql | Switches the query to use the new flow feature and removes ad-hoc filtering logic. |
| rust/ql/test/query-tests/security/CWE-825/lifetime.rs | Updates inline expectations to reflect the new/changed result. |
| rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected | Updates expected output to match new analysis results. |
aschackmull (Contributor) reviewed on Mar 4, 2026 and left a comment:
A few nits, otherwise LGTM.
aschackmull approved these changes on Mar 5, 2026.
This PR adds two new flow features `FeatureEscapesSourceCallContext` and `FeatureEscapesSourceCallContextOrEqualSourceSinkCallContext`. The former implies that the sink must be reached from the source by escaping the source call context, that is, flow must either return from the callable containing the source or use a jump-step before reaching the sink. The latter is the disjunction of the former and the existing `FeatureEqualSourceSinkCallContext` flow feature. This allows us to greatly simplify the Rust query `AccessAfterLifetime.ql`, in addition to improving the performance and precision of said query, since filtering of results now happens as part of the data flow computation instead of as an ad-hoc after-the-fact filter. DCA for all languages except Rust is uneventful, and for Rust it shows that we achieve a significant speedup.
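As an added illustration (not code from this PR or from the CodeQL repository) of how a query would opt into the new feature: a minimal Rust global data flow configuration whose results are restricted, inside the flow computation rather than by an after-the-fact filter, to paths that leave the source's call context. The Rust import path, the `asExpr().getExpr()` node API and the AST navigation used to recognise calls named `source` and `sink` are assumptions; the `getAFeature()` hook and `DataFlow::Global` are the standard shared-library interface.

```ql
/**
 * Added example: report only flow from a call to `source(..)` to an argument
 * of a call to `sink(..)` that escapes the call context of the source, i.e.
 * the value either returns out of the callable containing the source or
 * travels along a jump step before reaching the sink.
 */
import rust
import codeql.rust.dataflow.DataFlow // assumed import path

/** Holds if `call` is a call to a plain function named `name` (assumed AST API). */
private predicate callNamed(CallExpr call, string name) {
  call.getFunction().(PathExpr).getPath().getSegment().getIdentifier().getText() = name
}

module EscapingConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { callNamed(source.asExpr().getExpr(), "source") }

  predicate isSink(DataFlow::Node sink) {
    exists(CallExpr call | callNamed(call, "sink") | sink.asExpr().getExpr() = call.getArgList().getAnArg())
  }

  // The new feature from this PR. Swapping in
  // FeatureEscapesSourceCallContextOrEqualSourceSinkCallContext would additionally
  // keep paths where source and sink share the same call context (the disjunction
  // with FeatureEqualSourceSinkCallContext described above).
  FlowFeature getAFeature() { result instanceof FeatureEscapesSourceCallContext }
}

module EscapingFlow = DataFlow::Global<EscapingConfig>;

from DataFlow::Node source, DataFlow::Node sink
where EscapingFlow::flow(source, sink)
select sink, "Value from $@ reaches this sink after escaping the source's call context.", source, "source"
```

With this configuration, a `sink(s)` call in the same function as `let s = source();` is not reported unless the value first returned from that function or crossed a jump step; a value returned from a helper and passed to `sink` in the caller is.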