Skip to content

Shared: Improvements to content-sensitive model generation #20915

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Shared: Improvements to content-sensitive model generation #20915

wants to merge 1 commit into from
+29 −17

Conversation

@hvitved
Copy link
Contributor

@hvitved hvitved commented Nov 26, 2025
edited
Loading

github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 26, 2025
View reviewed changes
@hvitved hvitved mentioned this pull request Nov 26, 2025
Merged
@hvitved hvitved force-pushed the content-flow-ap-limit branch from 6fb68ee to 8b5dbe2 Compare December 1, 2025 19:57
@github-actions github-actions bot added the Rust Pull requests that update Rust code label Dec 1, 2025
@hvitved hvitved changed the title Shared: Do not apply accessPathLimit in content flow Shared: Improvements to content-sensitive model generation Dec 1, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 1, 2025
View reviewed changes
shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll
FlowFeature getAFeature() { result = ContentConfig::getAFeature() }

predicate accessPathLimit = ContentConfig::accessPathLimit/0;
predicate accessPathLimit = ContentConfig::accessPathLimitInternal/0;

Check warning

Code scanning / CodeQL

Dead code Warning

This code is never used, and it's not publicly exported.
@hvitved hvitved force-pushed the content-flow-ap-limit branch from 8b5dbe2 to 666855d Compare December 1, 2025 20:23
@hvitved hvitved added the no-change-note-required This PR does not need a change note label Dec 2, 2025
@hvitved hvitved marked this pull request as ready for review December 2, 2025 14:42
@hvitved hvitved requested review from a team as code owners December 2, 2025 14:42
Copilot finished reviewing on behalf of hvitved December 2, 2025 14:45
Copilot AI reviewed Dec 2, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves content-sensitive model generation by distinguishing between the access path limit used internally and the limit used for generating models, enabling better filtering of invalid access paths.

  • Introduced separate accessPathLimit() and accessPathLimitInternal() to allow different limits for internal data flow analysis versus model generation
  • Enhanced validateAccessPath() to exclude models with unsupported content types by validating all content in access paths
  • Refactored validation to occur earlier in the pipeline by moving validateAccessPath checks into the apiFlow predicate before counting models per parameter

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll Enhanced validateAccessPath documentation and logic; refactored validation to occur in apiFlow predicate before model counting
shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll Added accessPathLimitInternal() method and length() method for access paths to support internal vs external limit distinction
rust/ql/test/utils-tests/modelgenerator/option.rs Updated test expectations to reflect newly generated summaries that were previously missing due to access path limits

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

michaelnebel
michaelnebel reviewed Dec 3, 2025
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should also run DCA (at least for C# model generation) to check the impact on performance and number of models generated?

shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll
default int accessPathLimit() { result = Lang::accessPathLimit() }

/** Gets the access path limit used in the internal invocation of the standard data flow library. */
default int accessPathLimitInternal() { result = Lang::accessPathLimit() }
Copy link
Contributor

@michaelnebel michaelnebel Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this needed?

Copy link
Contributor Author

@hvitved hvitved Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not currently used, but I thought I'd add it in case e.g. C# model generation blows up, in which case we can revert it back to 2.

@hvitved hvitved added the C# label Dec 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelnebel michaelnebel michaelnebel left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

C# DataFlow Library no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hvitved @michaelnebel