TypeFlow: Simplify interface.

Author: aschackmull

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TypeFlow.qll

@@ -159,7 +159,7 @@ private module Input implements TypeFlowInput<Location> {
     )
   }
 
-  predicate joinStep(TypeFlowNode n1, TypeFlowNode n2) {
+  predicate step(TypeFlowNode n1, TypeFlowNode n2) {
     // instruction -> phi
     getAnUltimateLocalDefinition(n2.asInstruction()) = n1.asInstruction()
     or
@@ -179,6 +179,8 @@ private module Input implements TypeFlowInput<Location> {
       n1.asInstruction() = arg and
       n2.asInstruction() = p
     )
+    or
+    instructionStep(n1.asInstruction(), n2.asInstruction())
   }
 
   /**
@@ -199,10 +201,6 @@ private module Input implements TypeFlowInput<Location> {
     i2.(PointerArithmeticInstruction).getLeft() = i1
   }
 
-  predicate uniqStep(TypeFlowNode n1, TypeFlowNode n2) {
-    instructionStep(n1.asInstruction(), n2.asInstruction())
-  }
-
   predicate isNullValue(TypeFlowNode n) { n.isNullValue() }
 
   private newtype TType =
@@ -245,11 +243,7 @@ private module Input implements TypeFlowInput<Location> {
 
   pragma[nomagic]
   private predicate upcastCand(TypeFlowNode n, Type t1, Type t2) {
-    exists(TypeFlowNode next |
-      uniqStep(n, next)
-      or
-      joinStep(n, next)
-    |
+    exists(TypeFlowNode next | step(n, next) |
       n.getType() = t1 and
       next.getType() = t2 and
       t1 != t2

java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll

@@ -84,10 +84,11 @@ private module Input implements TypeFlowInput<Location> {
   }
 
   /**
-   * Holds if data can flow from `n1` to `n2` in one step, and `n1` is not
-   * necessarily functionally determined by `n2`.
+   * Holds if data can flow from `n1` to `n2` in one step.
+   *
+   * For a given `n2`, this predicate must include all possible `n1` that can flow to `n2`.
    */
-  predicate joinStep(TypeFlowNode n1, TypeFlowNode n2) {
+  predicate step(TypeFlowNode n1, TypeFlowNode n2) {
     n2.asExpr().(ChooseExpr).getAResultExpr() = n1.asExpr()
     or
     exists(Field f, Expr e |
@@ -112,13 +113,7 @@ private module Input implements TypeFlowInput<Location> {
       // skip trivial recursion
       not arg = n2.asSsa().getAUse()
     )
-  }
-
-  /**
-   * Holds if data can flow from `n1` to `n2` in one step, and `n1` is
-   * functionally determined by `n2`.
-   */
-  predicate uniqStep(TypeFlowNode n1, TypeFlowNode n2) {
+    or
     n2.asExpr() = n1.asField().getAnAccess()
     or
     n2.asExpr() = n1.asSsa().getAUse()
@@ -169,7 +164,7 @@ private module Input implements TypeFlowInput<Location> {
    */
   pragma[nomagic]
   private predicate upcastCand(TypeFlowNode n, RefType t1, RefType t1e, RefType t2, RefType t2e) {
-    exists(TypeFlowNode next | uniqStep(n, next) or joinStep(n, next) |
+    exists(TypeFlowNode next | step(n, next) |
       n.getType() = t1 and
       next.getType() = t2 and
       t1.getErasure() = t1e and

shared/typeflow/codeql/typeflow/TypeFlow.qll

@@ -28,16 +28,11 @@ signature module TypeFlowInput<LocationSig Location> {
   }
 
   /**
-   * Holds if data can flow from `n1` to `n2` in one step, and `n1` is not
-   * necessarily functionally determined by `n2`.
-   */
-  predicate joinStep(TypeFlowNode n1, TypeFlowNode n2);
-
-  /**
-   * Holds if data can flow from `n1` to `n2` in one step, and `n1` is
-   * functionally determined by `n2`.
+   * Holds if data can flow from `n1` to `n2` in one step.
+   *
+   * For a given `n2`, this predicate must include all possible `n1` that can flow to `n2`.
    */
-  predicate uniqStep(TypeFlowNode n1, TypeFlowNode n2);
+  predicate step(TypeFlowNode n1, TypeFlowNode n2);
 
   /** Holds if `n` represents a `null` value. */
   predicate isNullValue(TypeFlowNode n);

shared/typeflow/codeql/typeflow/internal/TypeFlowImpl.qll

@@ -5,8 +5,20 @@ private import codeql.util.Unit
 module TypeFlow<LocationSig Location, TypeFlowInput<Location> I> {
   private import I
 
+  /**
+   * Holds if data can flow from `n1` to `n2` in one step, and `n1` is
+   * functionally determined by `n2`.
+   */
+  private predicate uniqStep(TypeFlowNode n1, TypeFlowNode n2) { n1 = unique(TypeFlowNode n | step(n, n2)) }
+
+  /**
+   * Holds if data can flow from `n1` to `n2` in one step, and `n1` is not
+   * functionally determined by `n2`.
+   */
+  private predicate joinStep(TypeFlowNode n1, TypeFlowNode n2) { step(n1, n2) and not uniqStep(n1, n2) }
+
   /** Holds if `null` is the only value that flows to `n`. */
-  predicate isNull(TypeFlowNode n) {
+  private predicate isNull(TypeFlowNode n) {
     isNullValue(n)
     or
     exists(TypeFlowNode mid | isNull(mid) and uniqStep(mid, n))