github · MathiasVP · Jun 23, 2026 · Jun 23, 2026 · Jun 23, 2026 · Jun 23, 2026
@@ -6,6 +6,7 @@ private import cpp as Cpp
 private import codeql.dataflow.internal.FlowSummaryImpl
 private import codeql.dataflow.internal.AccessPathSyntax as AccessPath
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific as DataFlowImplSpecific
 private import semmle.code.cpp.dataflow.ExternalFlow
@@ -20,8 +21,22 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
 
   class SinkBase = Void;
 
+  class FlowSummaryCallBase = CallInstruction;
+
   predicate callableFromSource(SummarizedCallableBase c) { exists(c.getBlock()) }
 
+  FlowSummaryCallBase getASourceCall(SummarizedCallableBase sc) {
+    result.getStaticCallTarget() = sc
+  }
+
+  DataFlowCallable getSummarizedCallableAsDataFlowCallable(SummarizedCallableBase c) {
+    result.asSummarizedCallable() = c
+  }
+
+  DataFlowCallable getSourceCallEnclosingCallable(FlowSummaryCallBase call) {
+    result.asSourceCallable() = call.getEnclosingFunction()
+  }
+
   ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) }
 
   ReturnKind getStandardReturnValueKind() { result = getReturnValueKind("") }
@@ -30,6 +45,10 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
     arg = repeatStars(result.(NormalReturnKind).getIndirectionIndex())
   }
 
+  ParameterPosition getFlowSummaryParameterPosition(ReturnKind rk) {
+    result = TFlowSummaryPosition(rk)
+  }
+
   string encodeParameterPosition(ParameterPosition pos) { result = pos.toString() }
 
   string encodeArgumentPosition(ArgumentPosition pos) { result = pos.toString() }
@@ -102,10 +121,22 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
 private import Make<Location, DataFlowImplSpecific::CppDataFlow, Input> as Impl
 
 private module StepsInput implements Impl::Private::StepsInputSig {
+  Impl::Private::SummaryNode getSummaryNode(Node n) {
+    result = n.(FlowSummaryNode).getSummaryNode()
+  }
+
   DataFlowCall getACall(Public::SummarizedCallable sc) {
     result.getStaticCallTarget().getUnderlyingCallable() = sc
   }
 
+  Node getSourceOutNode(Input::FlowSummaryCallBase call, ReturnKind rk) {
+    exists(IndirectReturnOutNode out | result = out |
+      out.getCallInstruction() = call and
+      pragma[only_bind_out](rk.(NormalReturnKind).getIndirectionIndex()) =
+        pragma[only_bind_out](out.getIndirectionIndex())
+    )
+  }
+
   DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
 
   Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }

@@ -1534,12 +1534,8 @@ class FlowSummaryNode extends Node, TFlowSummaryNode {
     result = this.getSummaryNode().getSummarizedCallable()
   }
 
-  /**
-   * Gets the enclosing callable. For a `FlowSummaryNode` this is always the
-   * summarized function this node is part of.
-   */
   override DataFlowCallable getEnclosingCallable() {
-    result.asSummarizedCallable() = this.getSummarizedCallable()
+    result = FlowSummaryImpl::Private::getEnclosingCallable(this.getSummaryNode())
   }
 
   override Location getLocationImpl() { result = this.getSummarizedCallable().getLocation() }

@@ -561,6 +561,21 @@ class SummaryArgumentNode extends ArgumentNode, FlowSummaryNode {
   }
 }
 
+/** An argument node that re-enters return output as input to a flow summary. */
+private class FlowSummaryArgumentNode extends ArgumentNode, FlowSummaryNode {
+  private CallInstruction callInstruction;
+  private ReturnKind rk;
+
+  FlowSummaryArgumentNode() {
+    this.getSummaryNode() = FlowSummaryImpl::Private::summaryArgumentNode(callInstruction, rk)
+  }
+
+  override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+    call.asCallInstruction() = callInstruction and
+    pos = TFlowSummaryPosition(rk)
+  }
+}
+
 /** A parameter position represented by an integer. */
 class ParameterPosition = Position;
 
@@ -616,6 +631,18 @@ class IndirectionPosition extends Position, TIndirectionPosition {
   final override int getIndirectionIndex() { result = indirectionIndex }
 }
 
+class FlowSummaryPosition extends Position, TFlowSummaryPosition {
+  ReturnKind rk;
+
+  FlowSummaryPosition() { this = TFlowSummaryPosition(rk) }
+
+  override string toString() { result = "write to: " + rk.toString() }
+
+  override int getArgumentIndex() { none() }
+
+  final override int getIndirectionIndex() { result = rk.getIndirectionIndex() }
+}
+
 newtype TPosition =
   TDirectPosition(int argumentIndex) {
     exists(any(CallInstruction c).getArgument(argumentIndex))
@@ -634,7 +661,8 @@ newtype TPosition =
       p = f.getParameter(argumentIndex) and
       indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(p.getUnspecifiedType()) - 1]
     )
-  }
+  } or
+  TFlowSummaryPosition(ReturnKind rk) { FlowSummaryImpl::Private::relevantFlowSummaryPosition(rk) }
 
 private newtype TReturnKind =
   TNormalReturnKind(int indirectionIndex) {

@@ -158,7 +158,7 @@ private module Cached {
     model = ""
     or
     // models-as-data summarized flow
-    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom,
       nodeTo.(FlowSummaryNode).getSummaryNode(), true, model)
   }
 

@@ -67,7 +67,7 @@ private module Cached {
     model = ""
     or
     // models-as-data summarized flow
-    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom,
       nodeTo.(FlowSummaryNode).getSummaryNode(), false, model)
     or
     // object->field conflation for content that is a `TaintInheritingContent`.