Shared: Support flow summaries from ReturnValues

[MathiasVP]

The std::string class in C++ is mutable so you can do:

std::string s("hello");
s[0] = 'H';

This is just a regular assignment where the left-hand side is a reference to the internal buffer. Historically, to support this in C++ taint-tracking we've specified "reverse flows":

codeql/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll

Lines 384 to 386 in b8c78fd

	// reverse flow from returned reference to the qualifier
	input.isReturnValueDeref() and
	output.isQualifierObject()

So when an assignment flows from the right-hand side to the left-hand side (i.e., to the returned reference (actually to the indirections of the reference, but nevermind)) the "reverse flow" model transfers flow to the qualifier.

We'd obviously like to get rid of all these old models and replace them with flow summaries. However, flow summaries do not allow for these reverse flow summaries. This PR fixes that so that we can model this using a summary such as ReturnValue[*] -> Argument[this].

Most of the work is in bb2ec12. We add a new summary node (which is expected to be lifted to a proper ArgumentNode by each language) along with a new parameter/argument position to transfer the value into the summarized callable. 662f522 shows how the new predicates are instantiated for C/C++.

Commit-by-commit review recommended.

This PR doesn't actually add any real models to C/C++. However, I have a local branch where I've checked on DCA that the performance of these changes are fine.

[Copilot]

Pull request overview

Extends the shared flow-summary infrastructure to support “reverse-flow” style summaries where writes through an indirect ReturnValue[*] can be modeled as flowing back into parameters/receiver state (e.g., C++ std::string::operator[]-style patterns). This enables replacing legacy reverse-flow models with flow summaries like ReturnValue[*] -> Argument[this].

Changes:

• Adds shared support for flow summaries originating from return kinds via FlowSummaryCallBase, plus plumbing to map return-kinds to synthetic parameter positions.
• Updates multiple language-specific flow-summary integrations to the new summaryLocalStep(Node pred, SummaryNode succ, ...) API and adds StepsInputSig.getSummaryNode.
• Adds/updates C++ external-model tests and models to exercise reverse-flow via ReturnValue[*].

Show a summary per file

File	Description
swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll	Implements StepsInputSig.getSummaryNode adapter for Swift flow summaries.
swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll	Core shared implementation: adds call base + return-kind-as-input support and new summary local-step plumbing.
rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll	Updates flow-summary local step hookup to pass Node directly.
rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll	Adds FlowSummaryCallBase and implements getSummaryNode for Rust integration.
rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll	Updates flow-summary local step hookup to pass Node directly.
ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll	Adds FlowSummaryCallBase and implements getSummaryNode for Ruby integration.
ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll	Adds FlowSummaryCallBase and implements getSummaryNode for Python integration.
python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/DataFlowArg.qll	Adds FlowSummaryCallBase type alias for JS integration.
javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll	Implements StepsInputSig.getSummaryNode for JS flow-summary steps.
javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll	Updates flow-summary local step hookup to pass Node directly.
java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll	Adds FlowSummaryCallBase and implements getSummaryNode for Java integration.
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll	Updates flow-summary local step hookup to pass Node directly.
go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll	Updates flow-summary local step hookup to pass Node directly.
go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll	Adds FlowSummaryCallBase and implements getSummaryNode for Go integration.
go/ql/lib/semmle/go/dataflow/internal/DataFlowUtil.qll	Updates flow-summary local step hookup to pass Node directly.
csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll	Adds FlowSummaryCallBase and implements getSummaryNode for C# integration.
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll	Updates flow-summary local step hookup to pass Node directly.
cpp/ql/test/library-tests/dataflow/external-models/test.cpp	Adds test cases exercising reverse-flow via assignments through reference returns.
cpp/ql/test/library-tests/dataflow/external-models/sources.expected	Updates golden source results for added reverse-flow test cases.
cpp/ql/test/library-tests/dataflow/external-models/sinks.expected	Updates golden sink results for added reverse-flow test cases.
cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml	Adds external flow-summary models using ReturnValue[*] for reverse-flow scenarios.
cpp/ql/test/library-tests/dataflow/external-models/flow.expected	Updates golden flow edges/nodes to reflect new summary-node behavior.
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll	Updates flow-summary local step hookup to pass Node directly.
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll	Updates flow-summary local step hookup to pass Node directly.
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll	Adds a synthetic argument node/position for flow summaries representing indirect-return writes.
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll	Routes enclosing-callable resolution through shared flow-summary infrastructure.
cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll	Implements C/C++ instantiation of new shared hooks (call base, return-kind parameter position, out-node mapping).

Review details

• Files reviewed: 36/36 changed files
• Comments generated: 1
• Review effort level: Low