apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-06 19:35:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/src/summary/tests.rs

4574 lines
154 KiB
Rust
Raw Blame History

use super::*;
use smallvec::smallvec;
/// Test helper: build a [`SmallVec`] of one cap-only [`SinkSite`] for a
/// parameter, matching the pre-`SinkSite` shape `(idx, Cap)`. Source
/// coordinates stay default (`line=0, col=0`) since tests do not
/// exercise the primary-location attribution path at this layer.
fn cap_sites(cap: Cap) -> SmallVec<[SinkSite; 1]> {
smallvec![SinkSite::cap_only(cap)]
}
fn make(name: &str, src: u32, san: u32, sink: u32) -> FuncSummary {
FuncSummary {
name: name.into(),
file_path: "test.rs".into(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: src,
sanitizer_caps: san,
sink_caps: sink,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
}
}
#[test]
fn merge_unions_conservatively() {
let a = make("foo", 0x01, 0x00, 0x00);
let b = FuncSummary {
sink_caps: 0x04,
propagating_params: vec![0],
tainted_sink_params: vec![0],
callees: vec!["bar".into()],
..make("foo", 0x00, 0x02, 0x00)
};
let merged = merge_summaries(vec![a, b], None);
let key = FuncKey {
lang: Lang::Rust,
namespace: "test.rs".into(),
name: "foo".into(),
arity: Some(0),
..Default::default()
};
let foo = merged.get(&key).unwrap();
assert_eq!(foo.source_caps, 0x01);
assert_eq!(foo.sanitizer_caps, 0x02);
assert_eq!(foo.sink_caps, 0x04);
assert!(foo.propagates_any());
assert_eq!(foo.propagating_params, vec![0]);
assert_eq!(foo.tainted_sink_params, vec![0]);
assert_eq!(foo.callees.len(), 1);
assert_eq!(foo.callees[0].name, "bar");
}
#[test]
fn same_lang_different_namespace_no_merge() {
let a = FuncSummary {
name: "helper".into(),
file_path: "file_a.rs".into(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: Cap::all().bits(),
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
};
let b = FuncSummary {
name: "helper".into(),
file_path: "file_b.rs".into(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: 0,
sanitizer_caps: 0,
sink_caps: Cap::SHELL_ESCAPE.bits(),
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
};
let global = merge_summaries(vec![a, b], None);
// They should be stored under different FuncKeys
let key_a = FuncKey {
lang: Lang::Rust,
namespace: "file_a.rs".into(),
name: "helper".into(),
arity: Some(0),
..Default::default()
};
let key_b = FuncKey {
lang: Lang::Rust,
namespace: "file_b.rs".into(),
name: "helper".into(),
arity: Some(0),
..Default::default()
};
assert!(global.get(&key_a).is_some());
assert!(global.get(&key_b).is_some());
// source_caps NOT merged
assert_eq!(global.get(&key_a).unwrap().source_caps, Cap::all().bits());
assert_eq!(global.get(&key_b).unwrap().source_caps, 0);
}
#[test]
fn same_lang_same_namespace_merges() {
let a = FuncSummary {
name: "helper".into(),
file_path: "lib.rs".into(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: 0x01,
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
};
let b = FuncSummary {
name: "helper".into(),
file_path: "lib.rs".into(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: 0,
sanitizer_caps: 0x02,
sink_caps: 0,
propagating_params: vec![0],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
};
let global = merge_summaries(vec![a, b], None);
let key = FuncKey {
lang: Lang::Rust,
namespace: "lib.rs".into(),
name: "helper".into(),
arity: Some(0),
..Default::default()
};
let merged = global.get(&key).unwrap();
assert_eq!(merged.source_caps, 0x01);
assert_eq!(merged.sanitizer_caps, 0x02);
assert!(merged.propagates_any());
assert_eq!(merged.propagating_params, vec![0]);
}
#[test]
fn cross_lang_name_collision_stays_separate() {
let py = FuncSummary {
name: "process_data".into(),
file_path: "handler.py".into(),
lang: "python".into(),
param_count: 0,
param_names: vec![],
source_caps: Cap::all().bits(),
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
};
let c = FuncSummary {
name: "process_data".into(),
file_path: "handler.c".into(),
lang: "c".into(),
param_count: 1,
param_names: vec!["s".into()],
source_caps: 0,
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![0],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
};
let global = merge_summaries(vec![py, c], None);
let py_key = FuncKey {
lang: Lang::Python,
namespace: "handler.py".into(),
name: "process_data".into(),
arity: Some(0),
..Default::default()
};
let c_key = FuncKey {
lang: Lang::C,
namespace: "handler.c".into(),
name: "process_data".into(),
arity: Some(1),
..Default::default()
};
assert!(global.get(&py_key).is_some());
assert!(global.get(&c_key).is_some());
// Python's source_caps NOT merged into C
assert_eq!(global.get(&c_key).unwrap().source_caps, 0);
assert_eq!(global.get(&py_key).unwrap().source_caps, Cap::all().bits());
}
#[test]
fn lookup_same_lang_returns_all_matches() {
let a = FuncSummary {
name: "helper".into(),
file_path: "a.rs".into(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: 1,
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
};
let b = FuncSummary {
name: "helper".into(),
file_path: "b.rs".into(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: 2,
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
};
let global = merge_summaries(vec![a, b], None);
let matches = global.lookup_same_lang(Lang::Rust, "helper");
assert_eq!(matches.len(), 2);
// No cross-language matches
let py_matches = global.lookup_same_lang(Lang::Python, "helper");
assert!(py_matches.is_empty());
}
#[test]
fn cap_bits_round_trip_serde() {
let summary = FuncSummary {
name: "dangerous".into(),
file_path: "test.rs".into(),
lang: "rust".into(),
param_count: 1,
param_names: vec!["input".into()],
source_caps: (Cap::SQL_QUERY | Cap::CODE_EXEC).bits(),
sanitizer_caps: Cap::CRYPTO.bits(),
sink_caps: (Cap::SSRF | Cap::DESERIALIZE).bits(),
propagating_params: vec![0],
propagates_taint: false,
tainted_sink_params: vec![0],
callees: vec!["query".into()],
..Default::default()
};
let json = serde_json::to_string(&summary).unwrap();
let back: FuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(back.source_caps, (Cap::SQL_QUERY | Cap::CODE_EXEC).bits());
assert_eq!(back.sanitizer_caps, Cap::CRYPTO.bits());
assert_eq!(back.sink_caps, (Cap::SSRF | Cap::DESERIALIZE).bits());
assert!(back.propagates_any());
assert_eq!(back.propagating_params, vec![0]);
// propagates_taint should NOT appear in serialized output
assert!(!json.contains("propagates_taint"));
}
/// Every new cap class persists across the serde JSON round-trip used
/// for SQLite blob storage and the `/debug` endpoint. Catches a
/// width-mismatch (cap bits truncated to u16) as a hard fail rather than
/// silent zeroing of the upper bits.
#[test]
fn new_cap_classes_round_trip_serde() {
let new_caps = Cap::LDAP_INJECTION
| Cap::XPATH_INJECTION
| Cap::HEADER_INJECTION
| Cap::OPEN_REDIRECT
| Cap::SSTI
| Cap::XXE
| Cap::PROTOTYPE_POLLUTION;
// Sanity: bit-width must accommodate every new cap.
assert_ne!(
new_caps.bits(),
0,
"every new cap must carry a non-zero bit"
);
assert_eq!(
new_caps.bits().count_ones(),
7,
"exactly seven bits must be set across the new caps"
);
// Bit collisions with existing caps would mask a finding.
let existing = Cap::ENV_VAR
| Cap::HTML_ESCAPE
| Cap::SHELL_ESCAPE
| Cap::URL_ENCODE
| Cap::JSON_PARSE
| Cap::FILE_IO
| Cap::FMT_STRING
| Cap::SQL_QUERY
| Cap::DESERIALIZE
| Cap::SSRF
| Cap::CODE_EXEC
| Cap::CRYPTO
| Cap::UNAUTHORIZED_ID
| Cap::DATA_EXFIL;
assert!(
(existing & new_caps).is_empty(),
"new caps must not collide"
);
let summary = FuncSummary {
name: "all_new_classes".into(),
file_path: "fixture.rs".into(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: 0,
sanitizer_caps: 0,
sink_caps: new_caps.bits(),
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
..Default::default()
};
// serde JSON round-trip (the on-disk SQLite format).
let json = serde_json::to_string(&summary).unwrap();
let back: FuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(back.sink_caps, new_caps.bits());
assert!(back.sink_caps().contains(Cap::LDAP_INJECTION));
assert!(back.sink_caps().contains(Cap::PROTOTYPE_POLLUTION));
// Cap registry must surface a rule id for each new cap.
for cap in [
Cap::LDAP_INJECTION,
Cap::XPATH_INJECTION,
Cap::HEADER_INJECTION,
Cap::OPEN_REDIRECT,
Cap::SSTI,
Cap::XXE,
Cap::PROTOTYPE_POLLUTION,
] {
let meta = crate::labels::cap_rule_meta(cap)
.unwrap_or_else(|| panic!("missing CAP_RULE_REGISTRY entry for {cap:?}"));
assert!(meta.rule_id.starts_with("taint-"));
assert!(!meta.title.is_empty());
assert!(!meta.description.is_empty());
}
}
#[test]
fn backward_compat_u8_json_deserializes() {
// Old u8-range values still deserialize correctly into u32 fields
let json = r#"{
"name": "old_func",
"file_path": "legacy.py",
"lang": "python",
"param_count": 0,
"param_names": [],
"source_caps": 127,
"sanitizer_caps": 2,
"sink_caps": 4,
"propagates_taint": false,
"tainted_sink_params": [],
"callees": []
}"#;
let summary: FuncSummary = serde_json::from_str(json).unwrap();
assert_eq!(summary.source_caps, 127);
assert_eq!(summary.sanitizer_caps, 2);
assert_eq!(summary.sink_caps, 4);
}
#[test]
fn merge_propagating_params_union() {
let a = FuncSummary {
propagating_params: vec![0],
..make("foo", 0, 0, 0)
};
let b = FuncSummary {
propagating_params: vec![1],
..make("foo", 0, 0, 0)
};
let merged = merge_summaries(vec![a, b], None);
let key = FuncKey {
lang: Lang::Rust,
namespace: "test.rs".into(),
name: "foo".into(),
arity: Some(0),
..Default::default()
};
let foo = merged.get(&key).unwrap();
assert_eq!(foo.propagating_params, vec![0, 1]);
assert!(foo.propagates_any());
}
#[test]
fn backward_compat_legacy_propagates_taint_json() {
// Old JSON with propagates_taint: true but no propagating_params
let json = r#"{
"name": "old_func",
"file_path": "legacy.py",
"lang": "python",
"param_count": 1,
"param_names": ["x"],
"source_caps": 0,
"sanitizer_caps": 0,
"sink_caps": 0,
"propagates_taint": true,
"tainted_sink_params": [],
"callees": []
}"#;
let summary: FuncSummary = serde_json::from_str(json).unwrap();
assert!(summary.propagates_taint);
assert!(summary.propagating_params.is_empty());
assert!(summary.propagates_any());
}
#[test]
fn propagating_params_round_trip_serde() {
let summary = FuncSummary {
propagating_params: vec![0, 2],
..make("foo", 0, 0, 0)
};
let json = serde_json::to_string(&summary).unwrap();
let back: FuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(back.propagating_params, vec![0, 2]);
assert!(back.propagates_any());
// propagates_taint must NOT appear in serialized output
assert!(!json.contains("propagates_taint"));
}
#[test]
fn snapshot_caps_detects_change() {
let a = FuncSummary {
source_caps: 0x01,
propagating_params: vec![0],
..make("foo", 0, 0, 0)
};
let b = make("bar", 0, 0, 0x04);
let mut gs = merge_summaries(vec![a, b], None);
let snap1 = gs.snapshot_caps();
// Mutate one summary by inserting a changed version.
let key = FuncKey {
lang: Lang::Rust,
namespace: "test.rs".into(),
name: "bar".into(),
arity: Some(0),
..Default::default()
};
let updated = FuncSummary {
sink_caps: 0x08,
..make("bar", 0, 0, 0)
};
gs.insert(key, updated);
let snap2 = gs.snapshot_caps();
assert_ne!(snap1, snap2, "snapshot should detect changed caps");
// Without further changes, snapshot should be stable.
let snap3 = gs.snapshot_caps();
assert_eq!(snap2, snap3, "snapshot should be stable without changes");
}
// ── SSA summary tests ───────────────────────────────────────────────────
use super::ssa_summary::{SsaFuncSummary, TaintTransform};
#[test]
fn ssa_summary_serde_round_trip_identity() {
let summary = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
param_to_sink: vec![],
source_caps: Cap::empty(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
}
#[test]
fn ssa_summary_serde_round_trip_strip_bits() {
let summary = SsaFuncSummary {
param_to_return: vec![(
0,
TaintTransform::StripBits(Cap::HTML_ESCAPE | Cap::URL_ENCODE),
)],
param_to_sink: vec![(1, cap_sites(Cap::SQL_QUERY))],
source_caps: Cap::empty(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
}
#[test]
fn ssa_summary_serde_round_trip_add_bits() {
let summary = SsaFuncSummary {
param_to_return: vec![(2, TaintTransform::AddBits(Cap::CODE_EXEC))],
param_to_sink: vec![],
source_caps: Cap::ENV_VAR | Cap::FILE_IO,
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
}
#[test]
fn ssa_summary_serde_round_trip_all_variants() {
let summary = SsaFuncSummary {
param_to_return: vec![
(0, TaintTransform::Identity),
(1, TaintTransform::StripBits(Cap::SHELL_ESCAPE)),
(2, TaintTransform::AddBits(Cap::SSRF)),
],
param_to_sink: vec![
(0, cap_sites(Cap::SQL_QUERY)),
(1, cap_sites(Cap::CODE_EXEC | Cap::CRYPTO)),
],
source_caps: Cap::all(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
}
#[test]
fn global_summaries_insert_ssa_exact_key_replacement() {
let mut gs = GlobalSummaries::new();
let key = FuncKey {
lang: Lang::Python,
namespace: "app.py".into(),
name: "process".into(),
arity: Some(1),
..Default::default()
};
let v1 = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
param_to_sink: vec![],
source_caps: Cap::empty(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
gs.insert_ssa(key.clone(), v1.clone());
assert_eq!(gs.get_ssa(&key), Some(&v1));
// Replace with a different summary, exact replacement, not union
let v2 = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::StripBits(Cap::HTML_ESCAPE))],
param_to_sink: vec![(0, cap_sites(Cap::SQL_QUERY))],
source_caps: Cap::ENV_VAR,
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
gs.insert_ssa(key.clone(), v2.clone());
assert_eq!(gs.get_ssa(&key), Some(&v2));
}
#[test]
fn global_summaries_merge_with_ssa_entries() {
let mut gs1 = GlobalSummaries::new();
let mut gs2 = GlobalSummaries::new();
let key_a = FuncKey {
lang: Lang::Python,
namespace: "a.py".into(),
name: "foo".into(),
arity: Some(1),
..Default::default()
};
let key_b = FuncKey {
lang: Lang::Python,
namespace: "b.py".into(),
name: "bar".into(),
arity: Some(2),
..Default::default()
};
let sum_a = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
param_to_sink: vec![],
source_caps: Cap::empty(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
let sum_b = SsaFuncSummary {
param_to_return: vec![],
param_to_sink: vec![(0, cap_sites(Cap::CODE_EXEC))],
source_caps: Cap::ENV_VAR,
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
gs1.insert_ssa(key_a.clone(), sum_a.clone());
gs2.insert_ssa(key_b.clone(), sum_b.clone());
gs1.merge(gs2);
assert_eq!(gs1.get_ssa(&key_a), Some(&sum_a));
assert_eq!(gs1.get_ssa(&key_b), Some(&sum_b));
}
#[test]
fn global_summaries_is_empty_considers_ssa() {
let mut gs = GlobalSummaries::new();
assert!(gs.is_empty());
let key = FuncKey {
lang: Lang::Rust,
namespace: "lib.rs".into(),
name: "f".into(),
arity: Some(1),
..Default::default()
};
gs.insert_ssa(
key,
SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
param_to_sink: vec![],
source_caps: Cap::empty(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
},
);
assert!(!gs.is_empty());
}
#[test]
fn ssa_summary_serde_round_trip_param_to_sink_param() {
let summary = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
param_to_sink: vec![(0, cap_sites(Cap::SQL_QUERY))],
source_caps: Cap::empty(),
param_to_sink_param: vec![(0, 0, Cap::SQL_QUERY), (1, 0, Cap::CODE_EXEC)],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
assert_eq!(back.param_to_sink_param.len(), 2);
assert_eq!(back.param_to_sink_param[0], (0, 0, Cap::SQL_QUERY));
assert_eq!(back.param_to_sink_param[1], (1, 0, Cap::CODE_EXEC));
}
#[test]
fn ssa_summary_backward_compat_missing_param_to_sink_param() {
// Old JSON without param_to_sink_param should deserialize with empty vec
let json = r#"{
"param_to_return": [[0, "Identity"]],
"param_to_sink": [],
"source_caps": 0
}"#;
let summary: SsaFuncSummary = serde_json::from_str(json).unwrap();
assert!(summary.param_to_sink_param.is_empty());
}
#[test]
fn ssa_summary_serde_round_trip_container_fields() {
let summary = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
param_to_sink: vec![],
source_caps: Cap::empty(),
param_to_sink_param: vec![],
param_container_to_return: vec![0],
param_to_container_store: vec![(1, 0)],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
assert_eq!(back.param_container_to_return, vec![0]);
assert_eq!(back.param_to_container_store, vec![(1, 0)]);
}
#[test]
fn ssa_summary_backward_compat_missing_container_fields() {
// Old JSON without container fields should deserialize with empty vecs
let json = r#"{
"param_to_return": [[0, "Identity"]],
"param_to_sink": [],
"source_caps": 0
}"#;
let summary: SsaFuncSummary = serde_json::from_str(json).unwrap();
assert!(summary.param_container_to_return.is_empty());
assert!(summary.param_to_container_store.is_empty());
}
#[test]
fn ssa_summary_serde_round_trip_return_abstract() {
use crate::abstract_interp::{AbstractValue, BitFact, IntervalFact, PathFact, StringFact};
let summary = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
param_to_sink: vec![],
source_caps: Cap::empty(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: Some(AbstractValue {
interval: IntervalFact {
lo: Some(-2_147_483_648),
hi: Some(2_147_483_647),
},
string: StringFact::top(),
bits: BitFact::top(),
path: PathFact::top(),
}),
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
assert!(back.return_abstract.is_some());
let abs = back.return_abstract.unwrap();
assert_eq!(abs.interval.lo, Some(-2_147_483_648));
assert_eq!(abs.interval.hi, Some(2_147_483_647));
assert!(abs.string.is_top());
}
#[test]
fn ssa_summary_backward_compat_missing_return_abstract() {
// Old JSON without return_abstract should deserialize with None
let json = r#"{
"param_to_return": [],
"param_to_sink": [],
"source_caps": 0
}"#;
let summary: SsaFuncSummary = serde_json::from_str(json).unwrap();
assert_eq!(summary.return_abstract, None);
}
// ── CalleeSsaBody serde + GlobalSummaries body resolution ───────────────
/// Helper: build a minimal CalleeSsaBody with a given number of blocks.
#[allow(dead_code)] // used by tests below
fn make_callee_body(
num_blocks: usize,
param_count: usize,
) -> crate::taint::ssa_transfer::CalleeSsaBody {
use crate::ssa::ir::*;
use smallvec::smallvec;
let mut blocks = Vec::new();
for i in 0..num_blocks {
blocks.push(SsaBlock {
id: BlockId(i as u32),
phis: vec![],
body: vec![SsaInst {
value: SsaValue(i as u32),
op: SsaOp::Const(Some("0".into())),
cfg_node: petgraph::graph::NodeIndex::new(0),
var_name: None,
span: (0, 0),
}],
terminator: if i + 1 < num_blocks {
Terminator::Goto(BlockId((i + 1) as u32))
} else {
Terminator::Return(Some(SsaValue(0)))
},
preds: smallvec![],
succs: smallvec![],
});
}
let value_defs: Vec<ValueDef> = (0..num_blocks)
.map(|i| ValueDef {
var_name: None,
cfg_node: petgraph::graph::NodeIndex::new(0),
block: BlockId(i as u32),
})
.collect();
crate::taint::ssa_transfer::CalleeSsaBody {
ssa: SsaBody {
blocks,
entry: BlockId(0),
value_defs,
cfg_node_map: std::collections::HashMap::new(),
exception_edges: vec![],
field_interner: crate::ssa::ir::FieldInterner::default(),
field_writes: std::collections::HashMap::new(),
synthetic_externals: std::collections::HashSet::new(),
slot_scoped_assigns: std::collections::HashSet::new(),
},
opt: crate::ssa::OptimizeResult {
const_values: std::collections::HashMap::new(),
type_facts: crate::ssa::type_facts::TypeFactResult {
facts: std::collections::HashMap::new(),
},
xml_parser_config: crate::ssa::xml_config::XmlParserConfigResult::default(),
xpath_config: crate::ssa::xpath_config::XPathConfigResult::default(),
alias_result: crate::ssa::alias::BaseAliasResult::empty(),
points_to: crate::ssa::heap::PointsToResult::empty(),
module_aliases: std::collections::HashMap::new(),
branches_pruned: 0,
copies_eliminated: 0,
dead_defs_removed: 0,
},
param_count,
node_meta: std::collections::HashMap::new(),
body_graph: None,
cross_package_imports: std::sync::Arc::new(std::collections::HashMap::new()),
}
}
#[test]
fn callee_body_serde_round_trip_empty() {
let body = make_callee_body(1, 0);
let json = serde_json::to_string(&body).unwrap();
let back: crate::taint::ssa_transfer::CalleeSsaBody = serde_json::from_str(&json).unwrap();
assert_eq!(back.param_count, 0);
assert_eq!(back.ssa.blocks.len(), 1);
assert!(back.node_meta.is_empty());
}
#[test]
fn callee_body_serde_round_trip_multi_block() {
let body = make_callee_body(5, 2);
let json = serde_json::to_string(&body).unwrap();
let back: crate::taint::ssa_transfer::CalleeSsaBody = serde_json::from_str(&json).unwrap();
assert_eq!(back.param_count, 2);
assert_eq!(back.ssa.blocks.len(), 5);
// Verify block structure survived round-trip
assert_eq!(back.ssa.entry, crate::ssa::ir::BlockId(0));
assert_eq!(back.ssa.value_defs.len(), 5);
}
#[test]
fn callee_body_serde_round_trip_with_node_meta() {
use crate::cfg::{NodeInfo, TaintMeta};
use crate::labels::{Cap, DataLabel};
use crate::taint::ssa_transfer::CrossFileNodeMeta;
let mut body = make_callee_body(2, 1);
body.node_meta.insert(
0,
CrossFileNodeMeta {
info: NodeInfo {
bin_op: Some(crate::cfg::BinOp::Add),
taint: TaintMeta {
labels: smallvec::smallvec![DataLabel::Sink(Cap::HTML_ESCAPE)],
..Default::default()
},
..Default::default()
},
},
);
body.node_meta.insert(
1,
CrossFileNodeMeta {
info: NodeInfo::default(),
},
);
let json = serde_json::to_string(&body).unwrap();
let back: crate::taint::ssa_transfer::CalleeSsaBody = serde_json::from_str(&json).unwrap();
assert_eq!(back.node_meta.len(), 2);
let meta0 = &back.node_meta[&0];
assert_eq!(meta0.info.bin_op, Some(crate::cfg::BinOp::Add));
assert_eq!(meta0.info.taint.labels.len(), 1);
assert!(matches!(meta0.info.taint.labels[0], DataLabel::Sink(cap) if cap == Cap::HTML_ESCAPE));
assert!(back.node_meta[&1].info.taint.labels.is_empty());
}
#[test]
fn callee_body_serde_node_meta_skipped_when_empty() {
// Verify #[serde(skip_serializing_if)] works: empty node_meta not in JSON
let body = make_callee_body(1, 0);
let json = serde_json::to_string(&body).unwrap();
assert!(
!json.contains("node_meta"),
"empty node_meta should be omitted from JSON"
);
// But it should deserialize fine from JSON without node_meta field
let back: crate::taint::ssa_transfer::CalleeSsaBody = serde_json::from_str(&json).unwrap();
assert!(back.node_meta.is_empty());
}
#[test]
fn callee_body_serde_with_all_ssa_op_variants() {
use crate::ssa::ir::*;
use smallvec::smallvec;
let mut body = make_callee_body(1, 0);
// Replace the single block's body with all SsaOp variants
let node = petgraph::graph::NodeIndex::new(0);
body.ssa.blocks[0].body = vec![
SsaInst {
value: SsaValue(0),
op: SsaOp::Const(Some("hello".into())),
cfg_node: node,
var_name: None,
span: (0, 5),
},
SsaInst {
value: SsaValue(1),
op: SsaOp::Const(None),
cfg_node: node,
var_name: None,
span: (0, 0),
},
SsaInst {
value: SsaValue(2),
op: SsaOp::Source,
cfg_node: node,
var_name: Some("src".into()),
span: (6, 10),
},
SsaInst {
value: SsaValue(3),
op: SsaOp::Param { index: 0 },
cfg_node: node,
var_name: Some("p0".into()),
span: (0, 0),
},
SsaInst {
value: SsaValue(4),
op: SsaOp::CatchParam,
cfg_node: node,
var_name: None,
span: (0, 0),
},
SsaInst {
value: SsaValue(5),
op: SsaOp::Nop,
cfg_node: node,
var_name: None,
span: (0, 0),
},
SsaInst {
value: SsaValue(6),
op: SsaOp::Assign(smallvec![SsaValue(0), SsaValue(1)]),
cfg_node: node,
var_name: None,
span: (0, 0),
},
SsaInst {
value: SsaValue(7),
op: SsaOp::Call {
callee: "foo".into(),
callee_text: None,
args: vec![smallvec![SsaValue(0)], smallvec![SsaValue(1)]],
receiver: Some(SsaValue(2)),
},
cfg_node: node,
var_name: None,
span: (11, 20),
},
];
body.ssa.blocks[0].phis = vec![SsaInst {
value: SsaValue(8),
op: SsaOp::Phi(smallvec![
(BlockId(0), SsaValue(0)),
(BlockId(1), SsaValue(1))
]),
cfg_node: node,
var_name: None,
span: (0, 0),
}];
let json = serde_json::to_string(&body).unwrap();
let back: crate::taint::ssa_transfer::CalleeSsaBody = serde_json::from_str(&json).unwrap();
assert_eq!(back.ssa.blocks[0].body.len(), 8);
assert_eq!(back.ssa.blocks[0].phis.len(), 1);
// Spot check: Call op preserved
match &back.ssa.blocks[0].body[7].op {
SsaOp::Call {
callee,
args,
receiver,
..
} => {
assert_eq!(callee, "foo");
assert_eq!(args.len(), 2);
assert_eq!(*receiver, Some(SsaValue(2)));
}
other => panic!("expected Call, got {:?}", other),
}
// Spot check: Phi op preserved
match &back.ssa.blocks[0].phis[0].op {
SsaOp::Phi(ops) => {
assert_eq!(ops.len(), 2);
assert_eq!(ops[0], (BlockId(0), SsaValue(0)));
}
other => panic!("expected Phi, got {:?}", other),
}
}
#[test]
fn callee_body_serde_with_branch_terminator() {
use crate::constraint::lower::ConditionExpr;
use crate::ssa::ir::*;
let mut body = make_callee_body(3, 0);
// Set a Branch terminator with a condition
body.ssa.blocks[0].terminator = Terminator::Branch {
cond: petgraph::graph::NodeIndex::new(0),
true_blk: BlockId(1),
false_blk: BlockId(2),
condition: Some(Box::new(ConditionExpr::BoolTest { var: SsaValue(0) })),
};
let json = serde_json::to_string(&body).unwrap();
let back: crate::taint::ssa_transfer::CalleeSsaBody = serde_json::from_str(&json).unwrap();
match &back.ssa.blocks[0].terminator {
Terminator::Branch {
true_blk,
false_blk,
condition,
..
} => {
assert_eq!(*true_blk, BlockId(1));
assert_eq!(*false_blk, BlockId(2));
assert!(condition.is_some());
match condition.as_deref() {
Some(ConditionExpr::BoolTest { var }) => {
assert_eq!(*var, SsaValue(0));
}
other => panic!("expected BoolTest, got {:?}", other),
}
}
other => panic!("expected Branch, got {:?}", other),
}
}
// ── GlobalSummaries body resolution ──────────────────────────────────────
#[test]
fn global_summaries_insert_body_exact_key_replacement() {
let mut gs = GlobalSummaries::new();
let key = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "helper.py".into(),
name: "transform".into(),
arity: Some(2),
..Default::default()
};
let body1 = make_callee_body(3, 2);
let body2 = make_callee_body(5, 2);
gs.insert_body(key.clone(), body1);
assert_eq!(gs.get_body(&key).unwrap().ssa.blocks.len(), 3);
// Second insert replaces (exact-key, no union)
gs.insert_body(key.clone(), body2);
assert_eq!(gs.get_body(&key).unwrap().ssa.blocks.len(), 5);
}
#[test]
fn global_summaries_get_body_not_found() {
let gs = GlobalSummaries::new();
let key = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "missing.py".into(),
name: "nope".into(),
arity: Some(0),
..Default::default()
};
assert!(gs.get_body(&key).is_none());
}
#[test]
fn global_summaries_merge_includes_bodies() {
let mut gs1 = GlobalSummaries::new();
let mut gs2 = GlobalSummaries::new();
let key1 = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "a.py".into(),
name: "func_a".into(),
arity: Some(1),
..Default::default()
};
let key2 = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "b.py".into(),
name: "func_b".into(),
arity: Some(2),
..Default::default()
};
// Need to also insert regular summaries so the by_lang_name index is populated
gs1.insert(key1.clone(), make("func_a", 0, 0, 0));
gs1.insert_body(key1.clone(), make_callee_body(2, 1));
gs2.insert(key2.clone(), make("func_b", 0, 0, 0));
gs2.insert_body(key2.clone(), make_callee_body(4, 2));
gs1.merge(gs2);
assert!(gs1.get_body(&key1).is_some());
assert!(gs1.get_body(&key2).is_some());
assert_eq!(gs1.get_body(&key1).unwrap().ssa.blocks.len(), 2);
assert_eq!(gs1.get_body(&key2).unwrap().ssa.blocks.len(), 4);
}
#[test]
fn global_summaries_resolve_callee_body_exact_match() {
let mut gs = GlobalSummaries::new();
let key = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "util.py".into(),
name: "helper".into(),
arity: Some(1),
..Default::default()
};
gs.insert(key.clone(), make("helper", 0, 0, 0));
gs.insert_body(key.clone(), make_callee_body(3, 1));
// Resolve with matching lang/name/arity
let resolved = gs.resolve_callee_body(crate::symbol::Lang::Python, "helper", Some(1), "app.py");
assert!(resolved.is_some());
assert_eq!(resolved.unwrap().ssa.blocks.len(), 3);
}
#[test]
fn global_summaries_resolve_callee_body_not_found() {
let gs = GlobalSummaries::new();
let resolved =
gs.resolve_callee_body(crate::symbol::Lang::Python, "missing", Some(1), "app.py");
assert!(resolved.is_none());
}
#[test]
fn global_summaries_resolve_callee_body_ambiguous_returns_none() {
let mut gs = GlobalSummaries::new();
// Two functions with same name but different namespaces
let key1 = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "a.py".into(),
name: "helper".into(),
arity: Some(1),
..Default::default()
};
let key2 = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "b.py".into(),
name: "helper".into(),
arity: Some(1),
..Default::default()
};
gs.insert(key1.clone(), make("helper", 0, 0, 0));
gs.insert_body(key1.clone(), make_callee_body(2, 1));
gs.insert(key2.clone(), make("helper", 0, 0, 0));
gs.insert_body(key2.clone(), make_callee_body(4, 1));
// Resolution from a third namespace → ambiguous → None
let resolved = gs.resolve_callee_body(crate::symbol::Lang::Python, "helper", Some(1), "c.py");
assert!(
resolved.is_none(),
"ambiguous resolution should return None"
);
}
#[test]
fn global_summaries_resolve_callee_body_namespace_disambiguates() {
let mut gs = GlobalSummaries::new();
let key1 = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "a.py".into(),
name: "helper".into(),
arity: Some(1),
..Default::default()
};
let key2 = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "b.py".into(),
name: "helper".into(),
arity: Some(1),
..Default::default()
};
gs.insert(key1.clone(), make("helper", 0, 0, 0));
gs.insert_body(key1.clone(), make_callee_body(2, 1));
gs.insert(key2.clone(), make("helper", 0, 0, 0));
gs.insert_body(key2.clone(), make_callee_body(4, 1));
// Resolution from a.py → namespace match → key1 (2 blocks)
let resolved = gs.resolve_callee_body(crate::symbol::Lang::Python, "helper", Some(1), "a.py");
assert!(resolved.is_some());
assert_eq!(resolved.unwrap().ssa.blocks.len(), 2);
}
#[test]
fn global_summaries_resolve_body_requires_body_present() {
let mut gs = GlobalSummaries::new();
// Insert summary but no body
let key = FuncKey {
lang: crate::symbol::Lang::Python,
namespace: "util.py".into(),
name: "helper".into(),
arity: Some(1),
..Default::default()
};
gs.insert(key.clone(), make("helper", 0, 0, 0));
gs.insert_ssa(
key.clone(),
SsaFuncSummary {
param_to_return: vec![],
param_to_sink: vec![],
source_caps: crate::labels::Cap::empty(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
},
);
// Don't insert body
// Resolution finds the key but no body
let resolved = gs.resolve_callee_body(crate::symbol::Lang::Python, "helper", Some(1), "app.py");
assert!(
resolved.is_none(),
"should return None when key resolves but no body stored"
);
}
// ── Identity-model regression tests ─────────────────────────────────────
// Each test below encodes one ambiguity the old `(file, name, arity)` key
// couldn't express. They guard the new `(lang, namespace, container, name,
// arity, disambig, kind)` model and the container-aware resolver.
fn fs_with(
namespace: &str,
container: &str,
name: &str,
arity: usize,
kind: FuncKind,
disambig: Option<u32>,
sink_bits: u32,
) -> (FuncKey, FuncSummary) {
let key = FuncKey {
lang: Lang::Java,
namespace: namespace.into(),
container: container.into(),
name: name.into(),
arity: Some(arity),
disambig,
kind,
};
let summary = FuncSummary {
name: name.into(),
file_path: namespace.into(),
lang: "java".into(),
param_count: arity,
sink_caps: sink_bits,
container: container.into(),
disambig,
kind,
..Default::default()
};
(key, summary)
}
#[test]
fn same_name_methods_on_different_classes_stay_distinct() {
let mut gs = GlobalSummaries::new();
let (k1, s1) = fs_with(
"src/svc.java",
"OrderService",
"process",
1,
FuncKind::Method,
Some(100),
0x01,
);
let (k2, s2) = fs_with(
"src/svc.java",
"UserService",
"process",
1,
FuncKind::Method,
Some(500),
0x02,
);
gs.insert(k1.clone(), s1);
gs.insert(k2.clone(), s2);
assert_eq!(gs.get(&k1).unwrap().sink_caps, 0x01);
assert_eq!(gs.get(&k2).unwrap().sink_caps, 0x02);
let order = gs.resolve_callee_key_with_container(
"process",
Lang::Java,
"src/other.java",
Some("OrderService"),
Some(1),
);
assert_eq!(order, CalleeResolution::Resolved(k1));
let user = gs.resolve_callee_key_with_container(
"process",
Lang::Java,
"src/other.java",
Some("UserService"),
Some(1),
);
assert_eq!(user, CalleeResolution::Resolved(k2));
}
#[test]
fn free_function_and_method_with_same_name_resolve_separately() {
let mut gs = GlobalSummaries::new();
let (kf, sf) = fs_with(
"src/app.java",
"",
"process",
1,
FuncKind::Function,
Some(10),
0x10,
);
let (km, sm) = fs_with(
"src/app.java",
"Worker",
"process",
1,
FuncKind::Method,
Some(200),
0x20,
);
gs.insert(kf.clone(), sf);
gs.insert(km.clone(), sm);
let free =
gs.resolve_callee_key_with_container("process", Lang::Java, "src/app.java", None, Some(1));
let method = gs.resolve_callee_key_with_container(
"process",
Lang::Java,
"src/app.java",
Some("Worker"),
Some(1),
);
assert_eq!(method, CalleeResolution::Resolved(km));
// Without any qualifier, receiver, or receiver_type, a bare
// `process()` call is syntactically a free-function invocation, a
// method cannot be invoked that way from outside its class. The
// resolver's bare-call preference (step 5.5) picks the sole
// empty-container candidate deterministically.
assert_eq!(free, CalleeResolution::Resolved(kf));
}
#[test]
fn disambig_separates_same_name_closures_in_same_container() {
let mut gs = GlobalSummaries::new();
let (k1, s1) = fs_with(
"src/f.js",
"outer",
"<anon>",
0,
FuncKind::Closure,
Some(123),
0x01,
);
let (k2, s2) = fs_with(
"src/f.js",
"outer",
"<anon>",
0,
FuncKind::Closure,
Some(456),
0x02,
);
gs.insert(k1.clone(), s1);
gs.insert(k2.clone(), s2);
assert_ne!(k1, k2);
assert_eq!(gs.get(&k1).unwrap().sink_caps, 0x01);
assert_eq!(gs.get(&k2).unwrap().sink_caps, 0x02);
}
#[test]
fn interop_lookup_tolerates_missing_disambig() {
// Interop edges written by external configuration don't know byte offsets.
// `get_for_interop` should still find a single matching key when disambig
// is None and the rest of the identity uniquely identifies a summary.
let mut gs = GlobalSummaries::new();
let (k, s) = fs_with(
"lib.go",
"",
"fetch_env",
0,
FuncKind::Function,
Some(7777),
0x04,
);
// Go summaries are actually keyed with Lang::Go; use a distinct key here.
let go_key = FuncKey {
lang: Lang::Go,
namespace: "lib.go".into(),
container: String::new(),
name: "fetch_env".into(),
arity: Some(0),
disambig: Some(7777),
kind: FuncKind::Function,
};
let go_sum = FuncSummary {
name: "fetch_env".into(),
file_path: "lib.go".into(),
lang: "go".into(),
..s
};
gs.insert(go_key, go_sum);
let _ = k; // unused: only needed for symmetry with fs_with signature
let interop_query = FuncKey {
lang: Lang::Go,
namespace: "lib.go".into(),
container: String::new(),
name: "fetch_env".into(),
arity: Some(0),
disambig: None,
kind: FuncKind::Function,
};
let hit = gs
.get_for_interop(&interop_query)
.expect("interop lookup should tolerate missing disambig");
assert_eq!(hit.sink_caps, 0x04);
}
#[test]
fn interop_lookup_returns_none_when_disambig_none_matches_many() {
// If multiple summaries share (lang, ns, container, name, arity, kind)
// and only disambig distinguishes them, the relaxed interop lookup must
// return None rather than picking arbitrarily.
let mut gs = GlobalSummaries::new();
let mk = |disambig: u32, bits: u32| {
let k = FuncKey {
lang: Lang::Go,
namespace: "lib.go".into(),
container: String::new(),
name: "dup".into(),
arity: Some(0),
disambig: Some(disambig),
kind: FuncKind::Function,
};
let s = FuncSummary {
name: "dup".into(),
file_path: "lib.go".into(),
lang: "go".into(),
sink_caps: bits,
disambig: Some(disambig),
..Default::default()
};
(k, s)
};
let (k1, s1) = mk(1, 0x01);
let (k2, s2) = mk(2, 0x02);
gs.insert(k1, s1);
gs.insert(k2, s2);
let ambiguous_query = FuncKey {
lang: Lang::Go,
namespace: "lib.go".into(),
container: String::new(),
name: "dup".into(),
arity: Some(0),
disambig: None,
kind: FuncKind::Function,
};
assert!(
gs.get_for_interop(&ambiguous_query).is_none(),
"disambig=None must not pick arbitrarily when multiple keys match"
);
}
// ── CalleeSite metadata ─────────────────────────────────────────────────
#[test]
fn callee_site_bare_constructor() {
let site = CalleeSite::bare("helper");
assert_eq!(site.name, "helper");
assert_eq!(site.arity, None);
assert_eq!(site.receiver, None);
assert_eq!(site.qualifier, None);
assert_eq!(site.ordinal, 0);
}
#[test]
fn callee_site_str_into_coercion() {
// Tests that `"name".into()` still works for building callee lists in
// test code, despite the field now being `Vec<CalleeSite>`.
let v: Vec<CalleeSite> = vec!["foo".into(), "bar".into()];
assert_eq!(v.len(), 2);
assert_eq!(v[0].name, "foo");
assert_eq!(v[1].name, "bar");
}
#[test]
fn callee_site_structured_roundtrip() {
let summary = FuncSummary {
name: "parent".into(),
file_path: "x.rs".into(),
lang: "rust".into(),
param_count: 0,
callees: vec![
CalleeSite {
name: "obj.method".into(),
arity: Some(2),
receiver: Some("obj".into()),
qualifier: None,
ordinal: 1,
},
CalleeSite {
name: "env::var".into(),
arity: Some(1),
receiver: None,
qualifier: Some("env".into()),
ordinal: 2,
},
],
..Default::default()
};
let json = serde_json::to_string(&summary).unwrap();
let back: FuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(back.callees.len(), 2);
assert_eq!(back.callees[0].name, "obj.method");
assert_eq!(back.callees[0].arity, Some(2));
assert_eq!(back.callees[0].receiver.as_deref(), Some("obj"));
assert_eq!(back.callees[0].ordinal, 1);
assert_eq!(back.callees[1].qualifier.as_deref(), Some("env"));
}
#[test]
fn legacy_callees_string_array_deserializes() {
// Old on-disk rows stored callees as a plain Vec<String>.
// The custom deserializer must lift those into CalleeSite { name, .. }
// without other metadata so persisted indexes keep working.
let json = r#"{
"name": "legacy",
"file_path": "legacy.rs",
"lang": "rust",
"param_count": 0,
"param_names": [],
"source_caps": 0,
"sanitizer_caps": 0,
"sink_caps": 0,
"propagating_params": [],
"tainted_sink_params": [],
"callees": ["foo", "bar::baz"]
}"#;
let s: FuncSummary = serde_json::from_str(json).unwrap();
assert_eq!(s.callees.len(), 2);
assert_eq!(s.callees[0].name, "foo");
assert_eq!(s.callees[0].arity, None);
assert_eq!(s.callees[1].name, "bar::baz");
assert_eq!(s.callees[1].receiver, None);
}
#[test]
fn mixed_callee_form_deserializes() {
// Interop / partial-migration rows may mix legacy strings with
// structured entries in the same array, deserializer accepts both.
let json = r#"{
"name": "mixed",
"file_path": "m.rs",
"lang": "rust",
"param_count": 0,
"param_names": [],
"source_caps": 0,
"sanitizer_caps": 0,
"sink_caps": 0,
"propagating_params": [],
"tainted_sink_params": [],
"callees": [
"legacy_fn",
{"name": "new_fn", "arity": 3, "receiver": "obj"}
]
}"#;
let s: FuncSummary = serde_json::from_str(json).unwrap();
assert_eq!(s.callees.len(), 2);
assert_eq!(s.callees[0].name, "legacy_fn");
assert_eq!(s.callees[0].arity, None);
assert_eq!(s.callees[1].name, "new_fn");
assert_eq!(s.callees[1].arity, Some(3));
assert_eq!(s.callees[1].receiver.as_deref(), Some("obj"));
}
// ── Rust module-path resolution (qualified Rust paths) ──────────────────
/// Helper: build a Rust summary populated with module-path + use-map fields.
fn rust_summary_with_mod(
name: &str,
file_path: &str,
param_count: usize,
module_path: Option<&str>,
use_map: &[(&str, &str)],
wildcards: &[&str],
callees: Vec<CalleeSite>,
) -> FuncSummary {
let aliases: BTreeMap<String, String> = use_map
.iter()
.map(|(k, v)| ((*k).to_string(), (*v).to_string()))
.collect();
FuncSummary {
name: name.into(),
file_path: file_path.into(),
lang: "rust".into(),
param_count,
param_names: vec![],
source_caps: 0,
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees,
module_path: module_path.map(str::to_string),
rust_use_map: if aliases.is_empty() {
None
} else {
Some(aliases)
},
rust_wildcards: if wildcards.is_empty() {
None
} else {
Some(wildcards.iter().map(|s| (*s).to_string()).collect())
},
..Default::default()
}
}
#[test]
fn rust_use_map_disambiguates_same_name_across_modules() {
// Two `validate` functions in different modules.
let token = rust_summary_with_mod(
"validate",
"/proj/src/auth/token.rs",
1,
Some("auth::token"),
&[],
&[],
vec![],
);
let session = rust_summary_with_mod(
"validate",
"/proj/src/auth/session.rs",
1,
Some("auth::session"),
&[],
&[],
vec![],
);
// Caller imports crate::auth::token::validate and calls `validate(x)`.
let caller = rust_summary_with_mod(
"handler",
"/proj/src/main.rs",
0,
Some(""),
&[("validate", "crate::auth::token::validate")],
&[],
vec![CalleeSite {
name: "validate".into(),
arity: Some(1),
..Default::default()
}],
);
let gs = merge_summaries(vec![token, session, caller], Some("/proj"));
// Pull the token key back out and verify exact-one resolution.
let caller_key = FuncKey {
lang: Lang::Rust,
namespace: "src/main.rs".into(),
name: "handler".into(),
arity: Some(0),
..Default::default()
};
let caller_sum = gs.get(&caller_key).expect("caller summary");
let use_map = crate::rust_resolve::RustUseMap {
aliases: caller_sum.rust_use_map.clone().unwrap_or_default(),
wildcards: caller_sum.rust_wildcards.clone().unwrap_or_default(),
};
let resolution = gs.resolve_callee_key_rust(
"validate",
None,
Some(1),
&caller_key.namespace,
Some(&use_map),
);
match resolution {
CalleeResolution::Resolved(k) => {
assert_eq!(k.namespace, "src/auth/token.rs");
assert_eq!(k.name, "validate");
}
other => panic!(
"expected token::validate to resolve uniquely, got {:?}",
other
),
}
}
#[test]
fn rust_use_map_qualified_call_via_module_alias() {
// `use crate::auth::token; token::validate(x);`
let token = rust_summary_with_mod(
"validate",
"/proj/src/auth/token.rs",
1,
Some("auth::token"),
&[],
&[],
vec![],
);
let caller = rust_summary_with_mod(
"handler",
"/proj/src/main.rs",
0,
Some(""),
&[("token", "crate::auth::token")],
&[],
vec![CalleeSite {
name: "token::validate".into(),
arity: Some(1),
qualifier: Some("crate::auth::token".into()),
..Default::default()
}],
);
let gs = merge_summaries(vec![token, caller], Some("/proj"));
let um = crate::rust_resolve::RustUseMap {
aliases: [("token".to_string(), "crate::auth::token".to_string())]
.into_iter()
.collect(),
wildcards: Vec::new(),
};
// The site's structured qualifier is the full `crate::auth::token`; the
// resolver's alias map matches the first segment.
let resolution =
gs.resolve_callee_key_rust("validate", Some("token"), Some(1), "src/main.rs", Some(&um));
match resolution {
CalleeResolution::Resolved(k) => {
assert_eq!(k.namespace, "src/auth/token.rs");
}
other => panic!("expected unique resolution, got {:?}", other),
}
}
#[test]
fn rust_wildcard_import_resolves_uniquely() {
let token = rust_summary_with_mod(
"validate",
"/proj/src/auth/token.rs",
1,
Some("auth::token"),
&[],
&[],
vec![],
);
let caller = rust_summary_with_mod(
"handler",
"/proj/src/main.rs",
0,
Some(""),
&[],
&["crate::auth::token"],
vec![CalleeSite {
name: "validate".into(),
arity: Some(1),
..Default::default()
}],
);
let gs = merge_summaries(vec![token, caller], Some("/proj"));
let um = crate::rust_resolve::RustUseMap {
aliases: BTreeMap::new(),
wildcards: vec!["crate::auth::token".to_string()],
};
let resolution =
gs.resolve_callee_key_rust("validate", None, Some(1), "src/main.rs", Some(&um));
match resolution {
CalleeResolution::Resolved(k) => {
assert_eq!(k.namespace, "src/auth/token.rs");
}
other => panic!("wildcard should resolve uniquely, got {:?}", other),
}
}
#[test]
fn rust_use_map_fallback_when_absent() {
// No use_map entry, falls through to generic same-language resolution,
// which for an unqualified caller in the same namespace still works.
let helper = rust_summary_with_mod("helper", "/proj/src/lib.rs", 0, Some(""), &[], &[], vec![]);
let caller = rust_summary_with_mod(
"caller",
"/proj/src/lib.rs",
0,
Some(""),
&[],
&[],
vec![CalleeSite {
name: "helper".into(),
arity: Some(0),
..Default::default()
}],
);
let gs = merge_summaries(vec![helper, caller], Some("/proj"));
let resolution = gs.resolve_callee_key_rust("helper", None, Some(0), "src/lib.rs", None);
assert!(matches!(resolution, CalleeResolution::Resolved(_)));
}
#[test]
fn rust_use_map_ambiguous_stays_ambiguous_without_hint() {
// Two modules define `validate`; no use-map on the caller, resolution
// should remain Ambiguous rather than silently picking one.
let token = rust_summary_with_mod(
"validate",
"/proj/src/auth/token.rs",
1,
Some("auth::token"),
&[],
&[],
vec![],
);
let session = rust_summary_with_mod(
"validate",
"/proj/src/auth/session.rs",
1,
Some("auth::session"),
&[],
&[],
vec![],
);
let caller = rust_summary_with_mod(
"handler",
"/proj/src/main.rs",
0,
Some(""),
&[],
&[],
vec![CalleeSite {
name: "validate".into(),
arity: Some(1),
..Default::default()
}],
);
let gs = merge_summaries(vec![token, session, caller], Some("/proj"));
let resolution = gs.resolve_callee_key_rust("validate", None, Some(1), "src/main.rs", None);
assert!(matches!(resolution, CalleeResolution::Ambiguous(_)));
}
// ── Serde round-trip / backward compatibility ────────────────────────────
#[test]
fn pre_rust_fields_json_deserializes_with_defaults() {
// A summary JSON written before the Rust `module_path`/`rust_use_map`/
// `rust_wildcards` fields existed must still deserialise cleanly with
// all three defaulting to `None`.
let legacy_json = r#"{
"name": "old",
"file_path": "src/lib.rs",
"lang": "rust",
"param_count": 1,
"param_names": ["x"],
"source_caps": 0,
"sanitizer_caps": 0,
"sink_caps": 0,
"propagating_params": [0],
"tainted_sink_params": [],
"callees": []
}"#;
let s: FuncSummary = serde_json::from_str(legacy_json).unwrap();
assert_eq!(s.name, "old");
assert!(s.module_path.is_none());
assert!(s.rust_use_map.is_none());
assert!(s.rust_wildcards.is_none());
}
#[test]
fn rust_fields_roundtrip_through_json() {
let mut aliases = BTreeMap::new();
aliases.insert(
"validate".to_string(),
"crate::auth::token::validate".to_string(),
);
let s = FuncSummary {
name: "handler".into(),
file_path: "src/main.rs".into(),
lang: "rust".into(),
param_count: 0,
param_names: vec![],
source_caps: 0,
sanitizer_caps: 0,
sink_caps: 0,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: vec![],
callees: vec![],
module_path: Some(String::new()),
rust_use_map: Some(aliases.clone()),
rust_wildcards: Some(vec!["crate::auth::session".to_string()]),
..Default::default()
};
let json = serde_json::to_string(&s).unwrap();
let back: FuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(back.module_path.as_deref(), Some(""));
assert_eq!(back.rust_use_map.unwrap(), aliases);
assert_eq!(
back.rust_wildcards.unwrap(),
vec!["crate::auth::session".to_string()]
);
}
// ── Qualified-first callee resolution (adversarial) ─────────────────────
//
// Each test here stages a same-leaf-name collision that the old leaf-only
// resolver would either silently pick wrong or flag as ambiguous. Under
// the new `CalleeQuery` path, qualified identity (receiver type /
// namespace qualifier / caller container) must win before any bare-leaf
// fallback kicks in.
fn method_summary(
namespace: &str,
container: &str,
name: &str,
arity: usize,
sink_bits: u32,
) -> (FuncKey, FuncSummary) {
fs_with(
namespace,
container,
name,
arity,
FuncKind::Method,
Some((namespace.len() + container.len() + name.len()) as u32),
sink_bits,
)
}
fn free_summary(
namespace: &str,
name: &str,
arity: usize,
sink_bits: u32,
) -> (FuncKey, FuncSummary) {
fs_with(
namespace,
"",
name,
arity,
FuncKind::Function,
Some((namespace.len() + name.len()) as u32),
sink_bits,
)
}
#[test]
fn query_prefers_receiver_type_over_leaf_collision() {
// Two classes in different files both expose `send/1`. A free
// function also named `send/1` sits in yet another file to make the
// leaf-name index ambiguous. The caller lives outside all three.
let mut gs = GlobalSummaries::new();
let (k_http, s_http) = method_summary("src/http.java", "HttpClient", "send", 1, 0x01);
let (k_queue, s_queue) = method_summary("src/queue.java", "MessageQueue", "send", 1, 0x02);
let (k_free, s_free) = free_summary("src/util.java", "send", 1, 0x04);
gs.insert(k_http.clone(), s_http);
gs.insert(k_queue.clone(), s_queue);
gs.insert(k_free.clone(), s_free);
// With `receiver_type = HttpClient`, resolution MUST land on the
// HttpClient method even though `MessageQueue::send/1` and the free
// function `send/1` would both match the leaf name.
let resolved = gs.resolve_callee(&CalleeQuery {
name: "send",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("HttpClient"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(resolved, CalleeResolution::Resolved(k_http.clone()));
// Old behaviour-parity regression: `resolve_callee_key_with_container`
// (now a thin wrapper) used to treat `MessageQueue` as an authoritative
// qualifier that *only* picked on exact match. The new resolver must
// still do that, swap to `MessageQueue` and we get its method back.
let resolved_queue = gs.resolve_callee(&CalleeQuery {
name: "send",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("MessageQueue"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(resolved_queue, CalleeResolution::Resolved(k_queue));
// And the leaf-name index *does* know about the free function: no
// hint → ambiguous (not a silent mis-resolve).
let bare = gs.resolve_callee_key("send", Lang::Java, "src/app.java", Some(1));
match bare {
CalleeResolution::Ambiguous(cands) => {
assert_eq!(cands.len(), 3);
assert!(cands.contains(&k_http));
assert!(cands.contains(&k_free));
}
other => panic!("bare leaf lookup with 3 candidates must be Ambiguous, got {other:?}"),
}
}
#[test]
fn query_authoritative_receiver_miss_does_not_fall_through_to_leaf() {
// When `receiver_type = HttpClient` is supplied but no
// `HttpClient::send` exists, the resolver MUST NOT silently pick a
// same-leaf collision in another container, that would be the
// classic "resolved by leaf name" bug the refactor aims to prevent.
let mut gs = GlobalSummaries::new();
let (k_queue, s_queue) = method_summary("src/queue.java", "MessageQueue", "send", 1, 0x02);
let (k_free, s_free) = free_summary("src/util.java", "send", 1, 0x04);
gs.insert(k_queue.clone(), s_queue);
gs.insert(k_free.clone(), s_free);
let resolved = gs.resolve_callee(&CalleeQuery {
name: "send",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("HttpClient"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
match resolved {
CalleeResolution::Ambiguous(cands) => {
// Candidates list reports the leaf-name matches so callers
// can diagnose, but we refused to pick one of them.
assert!(cands.contains(&k_queue));
assert!(cands.contains(&k_free));
}
other => panic!(
"authoritative receiver_type miss must return Ambiguous (never silently resolve to a \
different container), got {other:?}"
),
}
}
#[test]
fn query_namespace_qualifier_resolves_env_var_style_call() {
// Rust / C++-style namespace qualifiers should land on the module
// that exposes the leaf, even when same-leaf functions live in
// unrelated modules.
let mut gs = GlobalSummaries::new();
let (k_env, s_env) = fs_with(
"src/env.rs",
"env",
"var",
1,
FuncKind::Function,
Some(1),
0x01,
);
// Force the insertion to use Rust lang by shadowing fs_with's Java default.
let k_env = FuncKey {
lang: Lang::Rust,
..k_env
};
let s_env = FuncSummary {
lang: "rust".into(),
..s_env
};
let (k_other, s_other) = fs_with(
"src/other.rs",
"config",
"var",
1,
FuncKind::Function,
Some(2),
0x02,
);
let k_other = FuncKey {
lang: Lang::Rust,
..k_other
};
let s_other = FuncSummary {
lang: "rust".into(),
..s_other
};
gs.insert(k_env.clone(), s_env);
gs.insert(k_other.clone(), s_other);
// `env::var` → namespace_qualifier = "env" → env::var wins.
let resolved = gs.resolve_callee(&CalleeQuery {
name: "var",
caller_lang: Lang::Rust,
caller_namespace: "src/consumer.rs",
caller_container: None,
receiver_type: None,
namespace_qualifier: Some("env"),
receiver_var: None,
arity: Some(1),
});
assert_eq!(resolved, CalleeResolution::Resolved(k_env.clone()));
// `config::var` → namespace_qualifier = "config" → config::var wins.
let resolved_cfg = gs.resolve_callee(&CalleeQuery {
name: "var",
caller_lang: Lang::Rust,
caller_namespace: "src/consumer.rs",
caller_container: None,
receiver_type: None,
namespace_qualifier: Some("config"),
receiver_var: None,
arity: Some(1),
});
assert_eq!(resolved_cfg, CalleeResolution::Resolved(k_other));
// Bare `var(...)` call (no qualifier) across namespaces → Ambiguous.
let bare = gs.resolve_callee_key("var", Lang::Rust, "src/consumer.rs", Some(1));
assert!(matches!(bare, CalleeResolution::Ambiguous(_)));
}
#[test]
fn query_caller_container_resolves_self_call() {
// Bare `helper()` from inside `OrderService::place` must resolve to
// the `OrderService::helper` method rather than a same-name helper
// exposed by an unrelated class in a different file.
let mut gs = GlobalSummaries::new();
let (k_order, s_order) = method_summary("src/order.java", "OrderService", "helper", 0, 0xA);
let (k_user, s_user) = method_summary("src/user.java", "UserService", "helper", 0, 0xB);
gs.insert(k_order.clone(), s_order);
gs.insert(k_user.clone(), s_user);
let resolved = gs.resolve_callee(&CalleeQuery {
name: "helper",
caller_lang: Lang::Java,
caller_namespace: "src/order.java",
caller_container: Some("OrderService"),
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert_eq!(resolved, CalleeResolution::Resolved(k_order.clone()));
// Swap the caller to `UserService` and we should land on its helper.
let resolved_user = gs.resolve_callee(&CalleeQuery {
name: "helper",
caller_lang: Lang::Java,
caller_namespace: "src/user.java",
caller_container: Some("UserService"),
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert_eq!(resolved_user, CalleeResolution::Resolved(k_user));
// With no caller-container hint (free call from module-level code),
// the resolver must not pick either class's helper blindly.
let no_hint = gs.resolve_callee(&CalleeQuery {
name: "helper",
caller_lang: Lang::Java,
caller_namespace: "src/main.java",
caller_container: None,
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert!(matches!(no_hint, CalleeResolution::Ambiguous(_)));
}
#[test]
fn query_leaf_same_namespace_still_resolves_intra_file_calls() {
// Two definitions share a leaf name but live in different files.
// A same-namespace call (intra-file) must resolve to the local one
// without requiring any structured hint, this is the common case
// for bare top-level function calls.
let mut gs = GlobalSummaries::new();
let (k_a, s_a) = free_summary("src/a.js", "helper", 1, 0x01);
let (k_b, s_b) = free_summary("src/b.js", "helper", 1, 0x02);
gs.insert(k_a.clone(), s_a);
gs.insert(k_b.clone(), s_b);
// Caller in a.js → resolves to a.js::helper.
let resolved = gs.resolve_callee(&CalleeQuery {
name: "helper",
caller_lang: Lang::Java,
caller_namespace: "src/a.js",
caller_container: None,
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(resolved, CalleeResolution::Resolved(k_a));
// Caller in a third file → ambiguous (we refuse to guess).
let cross = gs.resolve_callee(&CalleeQuery {
name: "helper",
caller_lang: Lang::Java,
caller_namespace: "src/c.js",
caller_container: None,
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
match cross {
CalleeResolution::Ambiguous(cands) => {
assert_eq!(cands.len(), 2);
assert!(cands.contains(&k_b));
}
other => panic!("cross-file bare leaf should be Ambiguous, got {other:?}"),
}
}
#[test]
fn query_arity_filter_is_hard() {
// Same container and leaf, different arities, resolution must
// honour the arity filter before any qualifier-based tie-break.
let mut gs = GlobalSummaries::new();
let (k_1arg, s_1arg) = method_summary("src/svc.py", "Svc", "render", 1, 0x01);
let (k_2arg, s_2arg) = method_summary("src/svc.py", "Svc", "render", 2, 0x02);
gs.insert(k_1arg.clone(), s_1arg);
gs.insert(k_2arg.clone(), s_2arg);
let one = gs.resolve_callee(&CalleeQuery {
name: "render",
caller_lang: Lang::Java,
caller_namespace: "src/caller.py",
caller_container: None,
receiver_type: Some("Svc"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(one, CalleeResolution::Resolved(k_1arg));
let two = gs.resolve_callee(&CalleeQuery {
name: "render",
caller_lang: Lang::Java,
caller_namespace: "src/caller.py",
caller_container: None,
receiver_type: Some("Svc"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(2),
});
assert_eq!(two, CalleeResolution::Resolved(k_2arg));
// With a non-existent arity, arity filter prunes everything and we
// get NotFound, not a "closest match" guess.
let mismatched = gs.resolve_callee(&CalleeQuery {
name: "render",
caller_lang: Lang::Java,
caller_namespace: "src/caller.py",
caller_container: None,
receiver_type: Some("Svc"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(5),
});
match mismatched {
CalleeResolution::NotFound | CalleeResolution::Ambiguous(_) => {}
CalleeResolution::Resolved(k) => {
panic!("arity mismatch must not resolve; got {k:?}")
}
}
}
#[test]
fn query_receiver_var_is_soft_tiebreak_not_primary() {
// Adversarial case: a variable named "obj" exists and a class
// happens to also be called "obj". The old resolver used the
// variable name as container_hint #1, which could mis-pick when
// the qualified index had a coincidental hit. The new resolver
// treats `receiver_var` as a *soft* tie-break, it only fires
// after same-namespace unique-leaf resolution fails.
let mut gs = GlobalSummaries::new();
let (k_same_ns, s_same_ns) = free_summary("src/app.js", "method", 1, 0xAA);
let (k_other_class, s_other_class) = method_summary("src/other.js", "obj", "method", 1, 0xBB);
gs.insert(k_same_ns.clone(), s_same_ns);
gs.insert(k_other_class.clone(), s_other_class);
// Caller lives in app.js → intra-file unique-leaf wins, regardless
// of the variable-named `obj` coincidence in other.js.
let intra = gs.resolve_callee(&CalleeQuery {
name: "method",
caller_lang: Lang::Java,
caller_namespace: "src/app.js",
caller_container: None,
receiver_type: None,
namespace_qualifier: None,
receiver_var: Some("obj"),
arity: Some(1),
});
assert_eq!(intra, CalleeResolution::Resolved(k_same_ns));
// Caller in a third file where no same-namespace match exists →
// receiver_var tie-break fires and picks `obj::method`.
let cross = gs.resolve_callee(&CalleeQuery {
name: "method",
caller_lang: Lang::Java,
caller_namespace: "src/elsewhere.js",
caller_container: None,
receiver_type: None,
namespace_qualifier: None,
receiver_var: Some("obj"),
arity: Some(1),
});
assert_eq!(cross, CalleeResolution::Resolved(k_other_class));
}
#[test]
fn query_qualifier_miss_refuses_to_guess_leaf() {
// `namespace_qualifier = "Missing"` does not exist as a container.
// We have two leaf candidates. The resolver must NOT fall back
// and pick one of them silently. (It may return the leaf set
// as Ambiguous for diagnostics.)
let mut gs = GlobalSummaries::new();
let (k_a, s_a) = free_summary("src/a.go", "run", 1, 0x1);
let (k_b, s_b) = free_summary("src/b.go", "run", 1, 0x2);
gs.insert(k_a.clone(), s_a);
gs.insert(k_b.clone(), s_b);
let resolved = gs.resolve_callee(&CalleeQuery {
name: "run",
caller_lang: Lang::Java,
caller_namespace: "src/caller.go",
caller_container: None,
receiver_type: None,
namespace_qualifier: Some("Missing"),
receiver_var: None,
arity: Some(1),
});
match resolved {
CalleeResolution::Ambiguous(cands) => {
assert_eq!(cands.len(), 2);
assert!(cands.contains(&k_a));
assert!(cands.contains(&k_b));
}
CalleeResolution::Resolved(k) => {
panic!("unresolved qualifier must not silently pick a leaf-only match; got {k:?}")
}
CalleeResolution::NotFound => panic!("candidates exist — should be Ambiguous not NotFound"),
}
}
#[test]
fn legacy_wrapper_preserves_test_contract() {
// The old `resolve_callee_key_with_container` entry point is kept as
// a thin wrapper. The pre-refactor tests
// (`same_name_methods_on_different_classes_stay_distinct` and
// `free_function_and_method_with_same_name_resolve_separately`)
// already cover the happy paths; this test pins the *contract* of
// the wrapper itself so we do not drift: a container hint is
// treated as a non-authoritative namespace qualifier and falls
// through to leaf lookup when it misses.
let mut gs = GlobalSummaries::new();
let (k_a, s_a) = free_summary("src/a.java", "only", 1, 0x1);
gs.insert(k_a.clone(), s_a);
// container_hint doesn't match any container, but the leaf name has
// exactly one candidate, the wrapper should still resolve.
let resolved = gs.resolve_callee_key_with_container(
"only",
Lang::Java,
"src/caller.java",
Some("NonExistent"),
Some(1),
);
assert_eq!(resolved, CalleeResolution::Resolved(k_a));
}
// ── Adversarial: same-name identity collisions in the SAME file ─────────
//
// These tests target the most error-prone identity cases: two or more
// definitions that share `(lang, namespace, name, arity)` but differ in
// `container`. The resolver must either resolve to the exact container
// target or refuse to guess, silently falling back to a same-leaf
// collision in a different container is a correctness bug, and mis-
// ordering the resolution steps can cause either false positives (wrong
// summary picked) or false negatives (missed flow because Ambiguous
// took a confident hint off the table).
#[test]
fn same_file_two_classes_same_method_typed_receiver_picks_exact() {
// Two classes in the SAME file, both defining `run/1` with
// incompatible security behaviour: `Safe::run` is a sanitizer-ish
// passthrough (no sink bits) while `Unsafe::run` is a shell sink.
// When the caller has a typed receiver (via type inference), the
// resolver must pick the exact class, the wrong pick would either
// miss the Unsafe sink or wrongly flag the Safe path.
let mut gs = GlobalSummaries::new();
let (k_safe, s_safe) = method_summary("src/app.java", "Safe", "run", 1, 0x00);
let (k_unsafe, s_unsafe) =
method_summary("src/app.java", "Unsafe", "run", 1, Cap::SHELL_ESCAPE.bits());
gs.insert(k_safe.clone(), s_safe);
gs.insert(k_unsafe.clone(), s_unsafe);
let unsafe_call = gs.resolve_callee(&CalleeQuery {
name: "run",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("Unsafe"),
namespace_qualifier: None,
receiver_var: Some("u"),
arity: Some(1),
});
assert_eq!(
unsafe_call,
CalleeResolution::Resolved(k_unsafe.clone()),
"typed receiver `Unsafe` MUST land on Unsafe::run, not Safe::run"
);
let safe_call = gs.resolve_callee(&CalleeQuery {
name: "run",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("Safe"),
namespace_qualifier: None,
receiver_var: Some("s"),
arity: Some(1),
});
assert_eq!(
safe_call,
CalleeResolution::Resolved(k_safe.clone()),
"typed receiver `Safe` MUST land on Safe::run, not Unsafe::run"
);
// Sink-cap sanity: if the resolver ever silently swapped them the
// cap mismatch would show up here.
assert_eq!(gs.get(&k_safe).unwrap().sink_caps, 0x00);
assert_eq!(
gs.get(&k_unsafe).unwrap().sink_caps,
Cap::SHELL_ESCAPE.bits()
);
}
#[test]
fn same_file_two_classes_same_method_untyped_receiver_is_ambiguous_not_wrong() {
// Same setup as above, but the caller only has a variable-name
// receiver (no type facts). `receiver_var` is a SOFT hint, and in
// the common case `s`/`u` don't match any container. The resolver
// MUST refuse to pick one arbitrarily; returning `Safe::run` when
// the call was `u.run(...)` would be a silent false negative of the
// worst kind (wrong summary pickup).
let mut gs = GlobalSummaries::new();
let (k_safe, s_safe) = method_summary("src/app.java", "Safe", "run", 1, 0x00);
let (k_unsafe, s_unsafe) =
method_summary("src/app.java", "Unsafe", "run", 1, Cap::SHELL_ESCAPE.bits());
gs.insert(k_safe.clone(), s_safe);
gs.insert(k_unsafe.clone(), s_unsafe);
let resolved = gs.resolve_callee(&CalleeQuery {
name: "run",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: None,
namespace_qualifier: None,
receiver_var: Some("u"),
arity: Some(1),
});
match resolved {
CalleeResolution::Ambiguous(cands) => {
assert!(cands.contains(&k_safe));
assert!(cands.contains(&k_unsafe));
}
CalleeResolution::Resolved(k) => panic!(
"same-file same-name two-class collision with only a soft `receiver_var` MUST NOT \
pick a specific summary — got {k:?}"
),
CalleeResolution::NotFound => {
panic!("candidates exist in the same file — must be Ambiguous, not NotFound")
}
}
}
#[test]
fn same_file_free_function_and_method_bare_call_prefers_free_function() {
// Classic "I wrote a top-level helper AND a method with the same
// name in the same file" trap. A bare `process()` call, no
// receiver, no qualifier, caller outside any container, is
// syntactically a FREE function call; the method cannot be invoked
// this way. The resolver MUST resolve to the free function, not
// return Ambiguous.
//
// NOTE: this test was FAILING under the pre-fix resolver, which
// returned Ambiguous because step 4's same-namespace narrowing
// still saw two candidates and step 6 had no qualified hint to
// tie-break on.
let mut gs = GlobalSummaries::new();
let (k_free, s_free) = free_summary("src/app.java", "process", 1, 0x0F);
let (k_method, s_method) = method_summary("src/app.java", "Worker", "process", 1, 0xF0);
gs.insert(k_free.clone(), s_free);
gs.insert(k_method.clone(), s_method);
// Caller is a top-level free function (caller_container = None).
let bare = gs.resolve_callee(&CalleeQuery {
name: "process",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(
bare,
CalleeResolution::Resolved(k_free.clone()),
"bare `process()` from a top-level caller must resolve to the FREE function \
in the same file, not get lost in Ambiguous"
);
// Cap sanity: if we accidentally resolved to `Worker::process` the
// sink caps would leak and downstream taint would flag the wrong
// flow. Pin the exact resolution, not just Resolved-vs-Ambiguous.
if let CalleeResolution::Resolved(k) = bare {
assert_eq!(gs.get(&k).unwrap().sink_caps, 0x0F);
}
}
#[test]
fn same_file_method_calling_sibling_free_function_resolves_to_free() {
// Variant of the previous test with the caller LIVING INSIDE a
// class whose own container does NOT define `process`. Bare
// `process()` inside `Runner::kick()` must still resolve to the
// file-local free function, not get lost in Ambiguous because the
// caller_container hint (`Runner`) misses both candidates.
let mut gs = GlobalSummaries::new();
let (k_free, s_free) = free_summary("src/app.java", "process", 1, 0x0F);
let (k_method, s_method) = method_summary("src/app.java", "Worker", "process", 1, 0xF0);
// Runner::kick exists only so caller_container("Runner") is a real
// container name in the global summaries. It is NOT a candidate.
let (k_kick, s_kick) = method_summary("src/app.java", "Runner", "kick", 0, 0x00);
gs.insert(k_free.clone(), s_free);
gs.insert(k_method.clone(), s_method);
gs.insert(k_kick, s_kick);
let resolved = gs.resolve_callee(&CalleeQuery {
name: "process",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: Some("Runner"),
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
match resolved {
CalleeResolution::Resolved(k) => {
assert_eq!(
k, k_free,
"bare `process()` inside Runner::kick must land on the free function; \
picking Worker::process would be wrong-summary pickup"
);
}
// Ambiguous is also wrong: syntactically this CANNOT be
// Worker::process (no receiver, no this in the caller's
// container), so the resolver has enough information to pick
// the free function.
other => panic!(
"bare `process()` from Runner::kick should resolve to the free function; got {other:?}"
),
}
}
#[test]
fn same_file_method_calling_own_container_sibling_prefers_self_class() {
// Inverse of the previous: caller is INSIDE `Worker::other()` and
// calls bare `process()`. Both a free `process` AND `Worker::process`
// exist in the file. The caller's own container resolution (step 3)
// must prefer `Worker::process`, otherwise intra-class self calls
// would get misresolved to a free function with possibly different
// security behaviour.
let mut gs = GlobalSummaries::new();
let (k_free, s_free) = free_summary("src/app.java", "process", 1, 0x0F);
let (k_method, s_method) = method_summary("src/app.java", "Worker", "process", 1, 0xF0);
gs.insert(k_free.clone(), s_free);
gs.insert(k_method.clone(), s_method);
let resolved = gs.resolve_callee(&CalleeQuery {
name: "process",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: Some("Worker"),
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(
resolved,
CalleeResolution::Resolved(k_method),
"self-call from Worker::other() must resolve to Worker::process, not the free function"
);
}
#[test]
fn same_file_nested_container_same_method_disambiguates_by_container() {
// Two nested definitions: `Outer::foo/1` and `Outer::Inner::foo/1`
// both live in the same file. The fully qualified container names
// must be distinct keys and the resolver must pick each one exactly
// when the container hint is given. A bug that stripped nested
// container suffixes or used only the outermost name would collapse
// them and mis-resolve.
let mut gs = GlobalSummaries::new();
let (k_outer, s_outer) = method_summary("src/nested.java", "Outer", "foo", 1, 0x01);
let (k_inner, s_inner) = method_summary("src/nested.java", "Outer::Inner", "foo", 1, 0x02);
gs.insert(k_outer.clone(), s_outer);
gs.insert(k_inner.clone(), s_inner);
// Exact qualified hint "Outer::Inner" must land on the inner one.
let inner = gs.resolve_callee(&CalleeQuery {
name: "foo",
caller_lang: Lang::Java,
caller_namespace: "src/nested.java",
caller_container: None,
receiver_type: Some("Outer::Inner"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(
inner,
CalleeResolution::Resolved(k_inner.clone()),
"`Outer::Inner` receiver_type must pick the NESTED foo — picking `Outer::foo` would be \
wrong-summary pickup driven by prefix collapse"
);
// Exact qualified hint "Outer" must land on the outer one, not the
// nested one (nested container starts with "Outer::" but is not
// equal to "Outer").
let outer = gs.resolve_callee(&CalleeQuery {
name: "foo",
caller_lang: Lang::Java,
caller_namespace: "src/nested.java",
caller_container: None,
receiver_type: Some("Outer"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(
outer,
CalleeResolution::Resolved(k_outer),
"`Outer` receiver_type must pick only Outer::foo — not Outer::Inner::foo via prefix match"
);
// Exact cap pinning, guards against merge_summaries accidentally
// unioning caps across the two nested keys.
assert_eq!(gs.get(&k_inner).unwrap().sink_caps, 0x02);
}
#[test]
fn same_file_same_name_different_security_behaviour_no_cap_leak() {
// Three `validate/1` entries in the same file: a sanitizer
// passthrough (free function), an HTML-escape sanitizer in one
// class, and a shell-exec sink in another class. These must end
// up as three distinct keys with their caps preserved exactly ,
// no merge of sink caps into the sanitizer entry, no cross-leak
// via `by_lang_name` fallback.
let mut gs = GlobalSummaries::new();
let (k_free, mut s_free) = free_summary("src/val.py", "validate", 1, 0x00);
s_free.sanitizer_caps = Cap::all().bits();
let (k_html, mut s_html) = method_summary("src/val.py", "HtmlGuard", "validate", 1, 0x00);
s_html.sanitizer_caps = Cap::HTML_ESCAPE.bits();
let (k_shell, s_shell) = method_summary(
"src/val.py",
"ShellRunner",
"validate",
1,
Cap::SHELL_ESCAPE.bits(),
);
gs.insert(k_free.clone(), s_free);
gs.insert(k_html.clone(), s_html);
gs.insert(k_shell.clone(), s_shell);
// Each key retrieved independently must yield exactly its own caps.
assert_eq!(gs.get(&k_free).unwrap().sink_caps, 0x00);
assert_eq!(gs.get(&k_free).unwrap().sanitizer_caps, Cap::all().bits());
assert_eq!(gs.get(&k_html).unwrap().sink_caps, 0x00);
assert_eq!(
gs.get(&k_html).unwrap().sanitizer_caps,
Cap::HTML_ESCAPE.bits()
);
assert_eq!(
gs.get(&k_shell).unwrap().sink_caps,
Cap::SHELL_ESCAPE.bits()
);
assert_eq!(gs.get(&k_shell).unwrap().sanitizer_caps, 0x00);
// Each `receiver_type` hint must land on its OWN container.
for (hint, expected) in [("HtmlGuard", &k_html), ("ShellRunner", &k_shell)] {
let r = gs.resolve_callee(&CalleeQuery {
name: "validate",
caller_lang: Lang::Java,
caller_namespace: "src/val.py",
caller_container: None,
receiver_type: Some(hint),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(
r,
CalleeResolution::Resolved(expected.clone()),
"receiver_type `{hint}` must pick its own container's validate"
);
}
}
// ── Tightened-merge regression tests ────────────────────────────────────
// These guard the identity-collision split added to `insert`, `insert_ssa`,
// and `insert_body`. Each scenario encodes an "underspecified identity"
// (typically `disambig: None` from legacy/interop/DB-loaded summaries) where
// the old code silently collapsed structurally distinct functions.
/// Build a minimal `FuncSummary` with `disambig: None`, mirrors the shape
/// produced by legacy JSON rows / interop configs that don't know byte
/// offsets. `file_path` is left blank so namespace normalisation doesn't
/// separate the two otherwise-identical keys.
fn legacy_summary(
file_path: &str,
name: &str,
param_count: usize,
param_names: Vec<String>,
kind: FuncKind,
container: &str,
sink: u32,
) -> FuncSummary {
FuncSummary {
name: name.into(),
file_path: file_path.into(),
lang: "java".into(),
param_count,
param_names,
sink_caps: sink,
container: container.into(),
disambig: None,
kind,
..Default::default()
}
}
#[test]
fn insert_mismatched_module_path_does_not_silently_merge() {
// Two Rust summaries with the same leaf key but different
// `module_path` (e.g. produced by loading a stale DB alongside a
// freshly-scanned file, or by two different scan_root anchors).
// `module_path` is not part of `FuncKey` but identifies the defining
// crate module; two distinct modules with the same file path relative
// to different scan roots must stay separate.
let mut gs = GlobalSummaries::new();
let a = FuncSummary {
name: "validate".into(),
file_path: "src/lib.rs".into(),
lang: "rust".into(),
param_count: 1,
param_names: vec!["x".into()],
sink_caps: Cap::SHELL_ESCAPE.bits(),
disambig: None,
module_path: Some("auth::token".into()),
..Default::default()
};
let b = FuncSummary {
name: "validate".into(),
file_path: "src/lib.rs".into(),
lang: "rust".into(),
param_count: 1,
param_names: vec!["x".into()],
sink_caps: Cap::SQL_QUERY.bits(),
disambig: None,
module_path: Some("billing::invoice".into()),
..Default::default()
};
let k = a.func_key(None);
assert_eq!(
k,
b.func_key(None),
"pre-fix: both summaries would land on the same key"
);
gs.insert(k.clone(), a);
gs.insert(k.clone(), b);
let hits = gs.lookup_same_lang(Lang::Rust, "validate");
assert_eq!(
hits.len(),
2,
"different module_path summaries must stay distinct — got {hits:?}"
);
let auth = hits
.iter()
.find(|(_, s)| s.module_path.as_deref() == Some("auth::token"))
.expect("auth::token summary preserved");
let billing = hits
.iter()
.find(|(_, s)| s.module_path.as_deref() == Some("billing::invoice"))
.expect("billing::invoice summary preserved");
// Cross-contamination guard: the two crates must not have their
// caps unioned, that's the observable failure mode of a silent
// merge.
assert_eq!(auth.1.sink_caps, Cap::SHELL_ESCAPE.bits());
assert_eq!(billing.1.sink_caps, Cap::SQL_QUERY.bits());
assert_eq!(auth.1.sink_caps & Cap::SQL_QUERY.bits(), 0);
assert_eq!(billing.1.sink_caps & Cap::SHELL_ESCAPE.bits(), 0);
}
#[test]
fn insert_mismatched_kind_does_not_silently_merge() {
// A free function and a method with the same name, arity, namespace,
// and container ("" vs "") can't actually occur, but kind alone
// mismatching does happen in interop configs where a getter is
// described as a function. Make sure the two end up distinct.
let mut gs = GlobalSummaries::new();
let f = legacy_summary(
"src/a.java",
"size",
0,
vec![],
FuncKind::Function,
"Widget",
0,
);
let g = legacy_summary(
"src/a.java",
"size",
0,
vec![],
FuncKind::Getter,
"Widget",
Cap::SHELL_ESCAPE.bits(),
);
gs.insert(f.func_key(None), f);
gs.insert(g.func_key(None), g);
// Two distinct keys in the same-lang index.
let hits = gs.lookup_same_lang(Lang::Java, "size");
assert_eq!(hits.len(), 2);
// The getter's sink caps must not have been unioned into the
// function, that would be a security-relevant leak.
let func_hit = hits
.iter()
.find(|(k, _)| k.kind == FuncKind::Function)
.expect("function summary kept separate");
assert_eq!(
func_hit.1.sink_caps, 0,
"function's sink caps must not absorb the getter's SHELL_ESCAPE"
);
}
#[test]
fn insert_mismatched_param_names_does_not_silently_merge() {
// Two overloads in Java/C++ with the same arity but different
// parameter types/names, a classic case where arity-only identity
// collapses distinct functions. Neither summary ships a disambig
// because it was loaded from legacy JSON.
let mut gs = GlobalSummaries::new();
let a = legacy_summary(
"src/app.java",
"handle",
1,
vec!["msg".into()],
FuncKind::Function,
"",
0,
);
let b = legacy_summary(
"src/app.java",
"handle",
1,
vec!["event".into()],
FuncKind::Function,
"",
Cap::SHELL_ESCAPE.bits(),
);
gs.insert(a.func_key(None), a);
gs.insert(b.func_key(None), b);
let hits = gs.lookup_same_lang(Lang::Java, "handle");
assert_eq!(
hits.len(),
2,
"same name + arity + kind but different param_names → distinct functions"
);
// Exactly one carries the sink cap.
let sinky: Vec<_> = hits
.iter()
.filter(|(_, s)| s.sink_caps == Cap::SHELL_ESCAPE.bits())
.collect();
assert_eq!(sinky.len(), 1);
}
#[test]
fn insert_synthetic_disambig_bit_set_only_for_collisions() {
// A single legacy-style insert with `disambig: None` must NOT gain a
// synthetic disambig, we only rekey to resolve collisions, never
// speculatively. This prevents downstream lookups keyed with
// `disambig: None` from spuriously missing legitimately-single
// summaries.
let mut gs = GlobalSummaries::new();
let sole = legacy_summary(
"src/only.java",
"alone",
0,
vec![],
FuncKind::Function,
"",
Cap::SHELL_ESCAPE.bits(),
);
let key = sole.func_key(None);
gs.insert(key.clone(), sole);
assert_eq!(key.disambig, None);
assert!(gs.get(&key).is_some(), "unique legacy insert keeps its key");
}
#[test]
fn insert_compatible_refinement_still_unions() {
// Two summaries describing the same function (structurally identical
// head, differing only on behaviour fields) must still union, the
// tightened check doesn't regress the classic parallel-fold merge.
let mut gs = GlobalSummaries::new();
let a = FuncSummary {
name: "f".into(),
file_path: "src/x.rs".into(),
lang: "rust".into(),
param_count: 1,
param_names: vec!["x".into()],
source_caps: Cap::ENV_VAR.bits(),
container: "".into(),
disambig: None,
kind: FuncKind::Function,
..Default::default()
};
let b = FuncSummary {
name: "f".into(),
file_path: "src/x.rs".into(),
lang: "rust".into(),
param_count: 1,
param_names: vec!["x".into()],
sink_caps: Cap::SHELL_ESCAPE.bits(),
container: "".into(),
disambig: None,
kind: FuncKind::Function,
..Default::default()
};
let k = a.func_key(None);
gs.insert(k.clone(), a);
gs.insert(k.clone(), b);
let merged = gs.get(&k).expect("compatible summaries still merge");
assert_eq!(merged.source_caps, Cap::ENV_VAR.bits());
assert_eq!(merged.sink_caps, Cap::SHELL_ESCAPE.bits());
// Single entry, no accidental split for the compatible case.
let hits = gs.lookup_same_lang(Lang::Rust, "f");
assert_eq!(hits.len(), 1);
}
#[test]
fn insert_body_param_count_mismatch_rekeys() {
// Two CalleeSsaBody instances arrive at the same FuncKey (both
// `disambig: None`) but claim different `param_count`. Silently
// replacing would lose the first body and mis-route future cross-
// file symex resolutions to the second.
let mut gs = GlobalSummaries::new();
let key = FuncKey {
lang: Lang::Python,
namespace: "mod.py".into(),
name: "run".into(),
arity: Some(2),
..Default::default()
};
gs.insert_body(key.clone(), make_callee_body(2, 2));
// Incoming body with a different param_count, must not overwrite.
gs.insert_body(key.clone(), make_callee_body(5, 4));
// Invariant 1: the original body stays at the original key (not
// silently replaced by the param_count=4 body).
let head = gs.get_body(&key).expect("original 2-param body kept");
assert_eq!(head.param_count, 2);
// Invariant 2: the conflicting body is preserved under a synthetic
// disambig, not dropped. Reconstruct the expected synth disambig
// using the same formula as `reconcile_body_key`.
let mut found_conflicting = false;
let base = (4u32).wrapping_mul(0x9E37_79B9);
for probe in 0u32..1024 {
let synth = base.wrapping_add(probe);
let synth_key = FuncKey {
disambig: Some(0x8000_0000 | (synth & 0x7FFF_FFFF)),
..key.clone()
};
if let Some(body) = gs.get_body(&synth_key)
&& body.param_count == 4
{
found_conflicting = true;
break;
}
}
assert!(
found_conflicting,
"the 4-param body must be preserved under a synthetic disambig key"
);
}
#[test]
fn insert_ssa_arity_overflow_rekeys() {
// Key claims arity 1, but the incoming SSA summary references
// param index 3, structurally impossible for the same function.
// The fix must split so the key arity invariant is preserved.
let mut gs = GlobalSummaries::new();
let key = FuncKey {
lang: Lang::Python,
namespace: "mod.py".into(),
name: "f".into(),
arity: Some(1),
..Default::default()
};
let legit = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
..Default::default()
};
gs.insert_ssa(key.clone(), legit.clone());
assert_eq!(
gs.get_ssa(&key).unwrap().param_to_return,
vec![(0, TaintTransform::Identity)]
);
// Bad-arity incoming summary, must not overwrite the legitimate one.
let overflowing = SsaFuncSummary {
param_to_return: vec![(3, TaintTransform::Identity)],
param_to_sink: vec![(2, cap_sites(Cap::SQL_QUERY))],
..Default::default()
};
gs.insert_ssa(key.clone(), overflowing);
// Original summary still exactly intact at the original key.
let kept = gs.get_ssa(&key).expect("legit summary not overwritten");
assert_eq!(kept.param_to_return, vec![(0, TaintTransform::Identity)]);
assert!(kept.param_to_sink.is_empty());
}
/// Audit gap A.2.1.G1 reproducer: a summary whose only param-index
/// references come from synthetic SSA `Param` ops for external
/// captures (free identifiers, module imports, unresolved method
/// names) lands at the original key when no existing entry occupies
/// it.
///
/// This is the case `lower_to_ssa` produces for Java instance/static
/// methods that reference free identifiers (e.g. `f.close()` where
/// `close` is treated as an external capture, the synthetic Param 0
/// then leaks into `param_to_return`/`param_to_sink`). Without the
/// audit-gap fix, `reconcile_ssa_summary_key` would synthesise a
/// disambig and the analysis's `summaries.get_ssa(caller_key)` lookup
/// (consuming `typed_call_receivers` at the FuncSummary-aligned key)
/// would miss.
#[test]
fn insert_ssa_arity_overflow_keeps_original_key_when_no_collision() {
// Single-file fresh insert: no prior entry at `key` to protect, so
// the synthetic-Param overflow is treated as the function's own
// signal and lands at the original FuncKey.
let mut gs = GlobalSummaries::new();
let key = FuncKey {
lang: Lang::Java,
namespace: "Reader.java".into(),
container: "Reader".into(),
name: "read".into(),
arity: Some(0),
..Default::default()
};
let summary = SsaFuncSummary {
// Synthetic Param-0 for the external `close` identifier inside
// the static `read()` body, `param_count == 0` per the source-
// level signature.
param_to_return: vec![(0, TaintTransform::Identity)],
typed_call_receivers: vec![(1, "FileHandle".to_string())],
..Default::default()
};
gs.insert_ssa(key.clone(), summary.clone());
let kept = gs
.get_ssa(&key)
.expect("Reader::read SSA must be reachable at the FuncSummary-aligned key");
assert_eq!(kept.typed_call_receivers, summary.typed_call_receivers);
// The synthetic Param-0 reference is preserved verbatim, pass-2
// analysis still aligns it with the caller's implicit-uses
// argument group at the same index.
assert_eq!(kept.param_to_return, summary.param_to_return);
}
/// Companion to `insert_ssa_arity_overflow_keeps_original_key_when_no_collision`:
/// when both rounds of an iterative scan produce summaries whose
/// param-index references overflow the FuncKey arity (the same
/// synthetic-Param signal each round), the second-round insert must
/// land at the original key (last-writer-wins for the same function),
/// not split off into a synthetic disambig.
#[test]
fn insert_ssa_arity_overflow_iterative_rescan_stays_at_original_key() {
let mut gs = GlobalSummaries::new();
let key = FuncKey {
lang: Lang::Java,
namespace: "Reader.java".into(),
container: "Reader".into(),
name: "read".into(),
arity: Some(0),
..Default::default()
};
let round1 = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
typed_call_receivers: vec![(1, "FileHandle".to_string())],
..Default::default()
};
gs.insert_ssa(key.clone(), round1);
// Iteration 2 of the scan loop produces the same shape with
// refined typed_call_receivers (e.g. a new constructor type
// discovered cross-file).
let round2 = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
typed_call_receivers: vec![(1, "FileHandle".to_string()), (2, "Cache".to_string())],
..Default::default()
};
gs.insert_ssa(key.clone(), round2.clone());
let kept = gs
.get_ssa(&key)
.expect("iterative-rescan summary must stay at the original key");
assert_eq!(kept.typed_call_receivers, round2.typed_call_receivers);
assert_eq!(kept.param_to_return, round2.param_to_return);
}
// ── Primary sink-location attribution, SinkSite round-trips ────────────
#[test]
fn sink_site_serde_round_trip_solo() {
let site = SinkSite {
file_rel: "src/auth/token.rs".into(),
line: 42,
col: 9,
snippet: "Command::new(\"sh\").arg(cmd).status()".into(),
cap: Cap::CODE_EXEC | Cap::SHELL_ESCAPE,
from_chain: false,
};
let json = serde_json::to_string(&site).unwrap();
let back: SinkSite = serde_json::from_str(&json).unwrap();
assert_eq!(site, back);
}
#[test]
fn sink_site_serde_round_trip_cap_only_defaults() {
// Extraction paths without tree access produce cap-only sites. The
// `skip_serializing_if` default attributes let the JSON drop empty
// fields, and deserialisation must recover the same value.
let site = SinkSite::cap_only(Cap::SQL_QUERY);
let json = serde_json::to_string(&site).unwrap();
// Zero/empty fields are dropped by `skip_serializing_if`.
assert!(!json.contains("\"line\""));
assert!(!json.contains("\"col\""));
assert!(!json.contains("\"file_rel\""));
assert!(!json.contains("\"snippet\""));
let back: SinkSite = serde_json::from_str(&json).unwrap();
assert_eq!(site, back);
}
#[test]
fn ssa_summary_serde_round_trip_with_sink_sites() {
use smallvec::smallvec;
let site_a = SinkSite {
file_rel: "db.py".into(),
line: 10,
col: 4,
snippet: "cursor.execute(sql)".into(),
cap: Cap::SQL_QUERY,
from_chain: false,
};
let site_b = SinkSite {
file_rel: "exec.py".into(),
line: 33,
col: 12,
snippet: "subprocess.call(cmd, shell=True)".into(),
cap: Cap::CODE_EXEC | Cap::SHELL_ESCAPE,
from_chain: false,
};
let summary = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
param_to_sink: vec![
(0, smallvec![site_a.clone(), site_b.clone()]),
(1, smallvec![site_b.clone()]),
],
source_caps: Cap::empty(),
..Default::default()
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
// Cap-derivation helpers still produce the expected unions.
let caps = back.param_to_sink_caps();
assert_eq!(caps.len(), 2);
assert!(
caps.iter()
.any(|&(i, c)| i == 0 && c == (site_a.cap | site_b.cap))
);
assert!(caps.iter().any(|&(i, c)| i == 1 && c == site_b.cap));
assert_eq!(back.total_param_sink_caps(), site_a.cap | site_b.cap);
}
#[test]
fn ssa_summary_deserialize_legacy_param_to_sink_missing_defaults_empty() {
// Legacy summaries omitted the new field entirely. The
// `#[serde(default)]` attribute must carry the missing field through as
// an empty vec rather than erroring out.
let json = r#"{
"param_to_return": [],
"source_caps": 0
}"#;
let back: SsaFuncSummary = serde_json::from_str(json).unwrap();
assert!(back.param_to_sink.is_empty());
assert_eq!(back.total_param_sink_caps(), Cap::empty());
}
#[test]
fn func_summary_deserialize_legacy_param_to_sink_missing_defaults_empty() {
let json = r#"{
"name": "legacy",
"file_path": "app.py",
"lang": "python",
"param_count": 1,
"param_names": ["data"],
"source_caps": 0,
"sanitizer_caps": 0,
"sink_caps": 0,
"tainted_sink_params": []
}"#;
let back: FuncSummary = serde_json::from_str(json).unwrap();
assert!(back.param_to_sink.is_empty());
}
#[test]
fn merge_unions_sink_sites_with_dedup() {
use smallvec::smallvec;
let key = FuncKey {
lang: Lang::Python,
namespace: "svc.py".into(),
name: "run".into(),
arity: Some(1),
..Default::default()
};
let site_a = SinkSite {
file_rel: "svc.py".into(),
line: 10,
col: 1,
snippet: "execute(sql)".into(),
cap: Cap::SQL_QUERY,
from_chain: false,
};
let site_b = SinkSite {
file_rel: "svc.py".into(),
line: 20,
col: 4,
snippet: "os.system(cmd)".into(),
cap: Cap::CODE_EXEC,
from_chain: false,
};
let mut left = FuncSummary {
name: "run".into(),
file_path: "svc.py".into(),
lang: "python".into(),
param_count: 1,
param_names: vec!["x".into()],
param_to_sink: vec![(0, smallvec![site_a.clone()])],
..Default::default()
};
let right = FuncSummary {
name: "run".into(),
file_path: "svc.py".into(),
lang: "python".into(),
param_count: 1,
param_names: vec!["x".into()],
// Mix a duplicate of site_a (same file/line/col/cap) with a new site.
param_to_sink: vec![(0, smallvec![site_a.clone(), site_b.clone()])],
..Default::default()
};
let mut gs = GlobalSummaries::new();
gs.insert(key.clone(), left.clone());
gs.insert(key.clone(), right);
let merged = gs.get(&key).unwrap();
assert_eq!(merged.param_to_sink.len(), 1);
let (_, sites) = &merged.param_to_sink[0];
// Exactly two distinct sites survive; the duplicate was deduped.
assert_eq!(sites.len(), 2);
assert!(sites.iter().any(|s| s.dedup_key() == site_a.dedup_key()));
assert!(sites.iter().any(|s| s.dedup_key() == site_b.dedup_key()));
// Idempotent: re-inserting the original left introduces no new sites.
left.param_to_sink = vec![(0, smallvec![site_a.clone()])];
gs.insert(key.clone(), left);
let merged = gs.get(&key).unwrap();
assert_eq!(merged.param_to_sink[0].1.len(), 2);
}
// ── Per-return-path decomposition ───────────────────────────────────────
use super::ssa_summary::{
MAX_RETURN_PATHS, ReturnPathTransform, merge_return_paths, union_param_return_paths,
};
fn rpt(transform: TaintTransform, hash: u64, kt: u8, kf: u8) -> ReturnPathTransform {
ReturnPathTransform {
transform,
path_predicate_hash: hash,
known_true: kt,
known_false: kf,
abstract_contribution: None,
}
}
#[test]
fn cf4_return_path_transform_serde_round_trip() {
let summary = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
param_to_sink: vec![],
source_caps: Cap::empty(),
param_to_sink_param: vec![],
param_container_to_return: vec![],
param_to_container_store: vec![],
return_type: None,
return_abstract: None,
source_to_callback: vec![],
receiver_to_return: None,
receiver_to_sink: Cap::empty(),
abstract_transfer: vec![],
param_return_paths: vec![(
0,
smallvec![
rpt(TaintTransform::Identity, 0x1234, 0b001, 0),
rpt(
TaintTransform::StripBits(Cap::HTML_ESCAPE),
0x5678,
0,
0b010
),
],
)],
points_to: Default::default(),
field_points_to: Default::default(),
return_path_facts: smallvec::SmallVec::new(),
typed_call_receivers: vec![],
validated_params_to_return: smallvec::SmallVec::new(),
param_to_gate_filters: vec![],
entry_kind: None,
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
// Missing-field backwards compat: older JSON without `param_return_paths`
// deserialises cleanly with an empty vector.
let legacy = r#"{"param_to_return":[],"source_caps":0}"#;
let legacy_back: SsaFuncSummary = serde_json::from_str(legacy).unwrap();
assert!(legacy_back.param_return_paths.is_empty());
}
#[test]
fn cf4_merge_return_paths_dedup_by_key() {
let mut existing: SmallVec<[ReturnPathTransform; 2]> = SmallVec::new();
let incoming = [
rpt(TaintTransform::Identity, 1, 0, 0),
rpt(TaintTransform::StripBits(Cap::HTML_ESCAPE), 2, 0, 0),
rpt(TaintTransform::Identity, 1, 0, 0), // dup of first
];
merge_return_paths(&mut existing, &incoming);
assert_eq!(existing.len(), 2, "duplicate path hash+transform collapsed");
assert!(
existing
.iter()
.any(|e| matches!(e.transform, TaintTransform::Identity) && e.path_predicate_hash == 1)
);
assert!(existing.iter().any(
|e| matches!(&e.transform, TaintTransform::StripBits(b) if *b == Cap::HTML_ESCAPE)
&& e.path_predicate_hash == 2
));
}
#[test]
fn cf4_merge_return_paths_caps_at_max() {
let mut existing: SmallVec<[ReturnPathTransform; 2]> = SmallVec::new();
let many: Vec<ReturnPathTransform> = (0..(MAX_RETURN_PATHS as u64 + 3))
.map(|i| rpt(TaintTransform::StripBits(Cap::HTML_ESCAPE), i + 10, 0, 0))
.collect();
merge_return_paths(&mut existing, &many);
assert_eq!(
existing.len(),
1,
"overflow collapses to a single Top-predicate entry"
);
// Joined entry has no predicate gate (hash=0) and conservatively takes
// the intersection of all strip bits, which here is HTML_ESCAPE.
let joined = &existing[0];
assert_eq!(joined.path_predicate_hash, 0);
assert!(matches!(
&joined.transform,
TaintTransform::StripBits(b) if *b == Cap::HTML_ESCAPE
));
}
#[test]
fn cf4_merge_return_paths_overflow_with_mixed_kinds() {
let mut existing: SmallVec<[ReturnPathTransform; 2]> = SmallVec::new();
let mut many: Vec<ReturnPathTransform> = (0..(MAX_RETURN_PATHS as u64 + 1))
.map(|i| rpt(TaintTransform::StripBits(Cap::HTML_ESCAPE), i + 10, 0, 0))
.collect();
// One identity path forces the join to degrade to Identity (nothing
// stripped on every path).
many.push(rpt(TaintTransform::Identity, 99, 0, 0));
merge_return_paths(&mut existing, &many);
assert_eq!(existing.len(), 1);
assert!(matches!(existing[0].transform, TaintTransform::Identity));
}
#[test]
fn cf4_merge_return_paths_joins_abstract_contribution_on_collision() {
use crate::abstract_interp::{AbstractValue, BitFact, IntervalFact, PathFact, StringFact};
let av_a = AbstractValue {
interval: IntervalFact::exact(0),
string: StringFact::top(),
bits: BitFact::top(),
path: PathFact::top(),
};
let av_b = AbstractValue {
interval: IntervalFact::exact(10),
string: StringFact::top(),
bits: BitFact::top(),
path: PathFact::top(),
};
let mut first = rpt(TaintTransform::Identity, 42, 0, 0);
first.abstract_contribution = Some(av_a.clone());
let mut second = rpt(TaintTransform::Identity, 42, 0, 0);
second.abstract_contribution = Some(av_b.clone());
let mut existing: SmallVec<[ReturnPathTransform; 2]> = SmallVec::new();
merge_return_paths(&mut existing, &[first]);
merge_return_paths(&mut existing, &[second]);
assert_eq!(existing.len(), 1, "same key, merged");
// The abstract_contribution is the join of the two inputs.
let joined = existing[0].abstract_contribution.as_ref().unwrap();
let expected = av_a.join(&av_b);
assert_eq!(joined, &expected);
}
#[test]
fn cf4_union_param_return_paths_by_index() {
let mut existing: Vec<(usize, SmallVec<[ReturnPathTransform; 2]>)> =
vec![(0, smallvec![rpt(TaintTransform::Identity, 1, 0, 0)])];
let incoming: Vec<(usize, SmallVec<[ReturnPathTransform; 2]>)> = vec![
(
0,
smallvec![rpt(TaintTransform::StripBits(Cap::HTML_ESCAPE), 2, 0, 0)],
),
(1, smallvec![rpt(TaintTransform::Identity, 3, 0, 0)]),
];
union_param_return_paths(&mut existing, &incoming);
assert_eq!(existing.len(), 2);
let (_, p0) = existing.iter().find(|(i, _)| *i == 0).unwrap();
assert_eq!(p0.len(), 2, "per-param merge preserves both predicates");
let (_, p1) = existing.iter().find(|(i, _)| *i == 1).unwrap();
assert_eq!(p1.len(), 1);
}
#[test]
fn cf4_ssa_summary_fits_arity_keeps_out_of_range_path_idx_at_original_key() {
// A path whose param index exceeds the key's arity is treated as a
// synthetic external-capture artefact (audit gap A.2.1.G1, see
// `project_typed_callgraph_audit_gap_ssa_disambig.md`). When no
// existing entry sits at the key, `insert_ssa` keeps the (untrimmed)
// summary at the original key so the SSA FuncKey stays aligned with
// the matching FuncSummary FuncKey, the analysis's
// `summaries.get_ssa(caller_key)` lookup (consuming
// `typed_call_receivers`) depends on this alignment.
let bad = SsaFuncSummary {
param_return_paths: vec![(5, smallvec![rpt(TaintTransform::Identity, 1, 0, 0)])],
..Default::default()
};
let key = FuncKey {
lang: Lang::Rust,
namespace: "test.rs".into(),
name: "helper".into(),
arity: Some(2), // too small for idx 5, synthetic-Param marker
..Default::default()
};
let mut gs = GlobalSummaries::new();
gs.insert_ssa(key.clone(), bad);
let kept = gs
.get_ssa(&key)
.expect("synthetic-Param summary inserted at original key");
assert_eq!(kept.param_return_paths.len(), 1);
assert_eq!(kept.param_return_paths[0].0, 5);
}
// ── Parameter-granularity points-to summary ─────────────────────────────
#[test]
fn cf6_ssa_summary_serde_round_trip_with_points_to() {
use crate::summary::points_to::{AliasKind, AliasPosition, PointsToSummary};
let mut pts = PointsToSummary::empty();
pts.insert(
AliasPosition::Param(0),
AliasPosition::Param(1),
AliasKind::MayAlias,
);
pts.insert(
AliasPosition::Param(0),
AliasPosition::Return,
AliasKind::MayAlias,
);
let summary = SsaFuncSummary {
param_to_return: vec![(0, TaintTransform::Identity)],
points_to: pts.clone(),
..Default::default()
};
let json = serde_json::to_string(&summary).unwrap();
let back: SsaFuncSummary = serde_json::from_str(&json).unwrap();
assert_eq!(summary, back);
assert_eq!(back.points_to, pts);
}
#[test]
fn cf6_ssa_summary_legacy_json_without_points_to_deserialises() {
// Older on-disk JSON predates points-to tracking. The serde(default) on
// `points_to` must let those rows load cleanly with an empty
// alias graph.
let legacy = r#"{
"param_to_return": [[0, "Identity"]],
"source_caps": 0,
"param_to_sink": []
}"#;
let back: SsaFuncSummary = serde_json::from_str(legacy).unwrap();
assert!(back.points_to.edges.is_empty());
assert!(!back.points_to.overflow);
}
#[test]
fn cf6_ssa_summary_fits_arity_keeps_out_of_range_points_to_idx_at_original_key() {
// Same arity-overflow handling as `cf4_ssa_summary_fits_arity_*`
// for the points-to channel: when the summary references a
// synthetic-Param index beyond `key.arity` and no existing entry
// occupies the key, `insert_ssa` preserves the FuncKey-aligned
// identity by inserting at the original key (audit gap A.2.1.G1).
use crate::summary::points_to::{AliasKind, AliasPosition, PointsToSummary};
let mut pts = PointsToSummary::empty();
pts.insert(
AliasPosition::Param(7),
AliasPosition::Return,
AliasKind::MayAlias,
);
let bad = SsaFuncSummary {
points_to: pts,
..Default::default()
};
let key = FuncKey {
lang: Lang::Rust,
namespace: "test.rs".into(),
name: "helper".into(),
arity: Some(2),
..Default::default()
};
let mut gs = GlobalSummaries::new();
gs.insert_ssa(key.clone(), bad);
let kept = gs
.get_ssa(&key)
.expect("synthetic-Param points_to summary inserted at original key");
assert_eq!(kept.points_to.max_param_index(), Some(7));
}
/// two `findById`
/// definitions on different containers must remain structurally
/// disjoint after [`merge_summaries`], no cap union may leak
/// across them. The FuncKey identity model already keys on
/// `(lang, namespace, container, name, arity, ...)` so this is
/// supposed to be true today; the test pins it down so a future
/// refactor can't silently widen the merge granularity.
///
/// Concretely: `Repository::findById` is parameterised (no
/// `SQL_QUERY` sink cap), `UnsafeCache::findById` runs a string-
/// concatenated query (carries `Cap::SQL_QUERY`). After merge,
/// each FuncKey must own only its own caps, Repository must NOT
/// inherit Cache's `SQL_QUERY` bit.
#[test]
fn cross_file_devirt_does_not_union_unrelated_findbyids() {
use crate::labels::Cap;
use crate::symbol::FuncKey;
fn method_summary(name: &str, container: &str, file: &str, sink_caps: u32) -> FuncSummary {
FuncSummary {
name: name.into(),
file_path: file.into(),
lang: "rust".into(),
param_count: 1,
param_names: vec!["id".into()],
source_caps: 0,
sanitizer_caps: 0,
sink_caps,
propagating_params: vec![],
propagates_taint: false,
tainted_sink_params: if sink_caps != 0 { vec![0] } else { vec![] },
callees: vec![],
container: container.into(),
..Default::default()
}
}
let safe_repo = method_summary("findById", "Repository", "src/repo.rs", 0);
let unsafe_cache = method_summary(
"findById",
"UnsafeCache",
"src/cache.rs",
Cap::SQL_QUERY.bits(),
);
let gs = merge_summaries(vec![safe_repo, unsafe_cache], None);
// Two distinct keys must coexist, no merge collision.
let repo_key = FuncKey {
lang: Lang::Rust,
namespace: "src/repo.rs".into(),
container: "Repository".into(),
name: "findById".into(),
arity: Some(1),
..Default::default()
};
let cache_key = FuncKey {
lang: Lang::Rust,
namespace: "src/cache.rs".into(),
container: "UnsafeCache".into(),
name: "findById".into(),
arity: Some(1),
..Default::default()
};
let repo_sum = gs.get(&repo_key).expect("Repository::findById missing");
let cache_sum = gs.get(&cache_key).expect("UnsafeCache::findById missing");
// Sink caps stay on their own owner, the whole point of
// devirtualisation. Repository must not have inherited the
// SQL_QUERY bit from UnsafeCache.
assert_eq!(
repo_sum.sink_caps, 0,
"Repository::findById inherited a sink cap from UnsafeCache::findById — \
the per-FuncKey identity model has been broken (sink_caps bits = {:#x})",
repo_sum.sink_caps,
);
assert_eq!(
cache_sum.sink_caps,
Cap::SQL_QUERY.bits(),
"UnsafeCache::findById lost its own sink cap during merge"
);
// Same invariant on tainted_sink_params, must not bleed across.
assert!(
repo_sum.tainted_sink_params.is_empty(),
"Repository::findById inherited tainted_sink_params from UnsafeCache: {:?}",
repo_sum.tainted_sink_params,
);
assert_eq!(cache_sum.tainted_sink_params, vec![0]);
}
/// Cross-file router-dep resolution: parent `__init__.py` declares
/// `Security(...)` deps on a router and lifts them onto a child via
/// `<parent>.include_router(<child_module>.<child_var>, ...)`. The
/// resolution must produce a `<child_var> → Vec<(CallSite, scoped)>`
/// map for the child file's `module_id`, and absent edges must yield
/// empty.
#[test]
fn resolve_cross_file_router_deps_lifts_parent_security_dep_onto_child_router() {
use crate::auth_analysis::model::CallSite;
use crate::auth_analysis::router_facts::{PerFileRouterFacts, RouterIncludeEdge};
let mut gs = GlobalSummaries::new();
// Parent (__init__.py) declares scoped Security on `authenticated_router`
// and emits two include_router edges (task_instances + dag_runs).
let parent_callsite = CallSite {
name: "require_auth".into(),
args: Vec::new(),
span: (0, 0),
args_value_refs: Vec::new(),
};
let mut parent_facts = PerFileRouterFacts::default();
parent_facts.local_router_deps.insert(
"authenticated_router".into(),
vec![(parent_callsite.clone(), true)],
);
parent_facts.include_router_edges.push(RouterIncludeEdge {
parent_var: "authenticated_router".into(),
child_module_id: "task_instances".into(),
child_var: "router".into(),
});
parent_facts.include_router_edges.push(RouterIncludeEdge {
parent_var: "authenticated_router".into(),
child_module_id: "dag_runs".into(),
child_var: "router".into(),
});
gs.insert_router_facts("routes::__init__".into(), parent_facts);
// Child (task_instances.py) declares a bare router → expects to
// inherit the parent's deps via the cross-file resolution.
gs.insert_router_facts("task_instances".into(), PerFileRouterFacts::default());
// Resolve for task_instances → should get one entry under `router`
// carrying the require_auth (scoped=true) dep.
let resolved = gs.resolve_cross_file_router_deps("task_instances");
let deps = resolved.get("router").expect("router child resolved");
assert_eq!(deps.len(), 1);
assert_eq!(deps[0].0.name, "require_auth");
assert!(deps[0].1, "scoped flag preserved");
// dag_runs has the same parent → same lift.
let resolved_dag = gs.resolve_cross_file_router_deps("dag_runs");
assert_eq!(resolved_dag.get("router").map(|v| v.len()), Some(1));
// Unrelated module → no lift.
let resolved_other = gs.resolve_cross_file_router_deps("nonexistent");
assert!(resolved_other.is_empty());
}
/// Edge: parent without local deps for the named var emits nothing —
/// the resolver requires both an edge AND a non-empty parent dep list.
#[test]
fn resolve_cross_file_router_deps_skips_edges_with_no_parent_deps() {
use crate::auth_analysis::router_facts::{PerFileRouterFacts, RouterIncludeEdge};
let mut gs = GlobalSummaries::new();
let mut parent = PerFileRouterFacts::default();
parent.include_router_edges.push(RouterIncludeEdge {
parent_var: "ghost_router".into(),
child_module_id: "child".into(),
child_var: "router".into(),
});
gs.insert_router_facts("parent".into(), parent);
let resolved = gs.resolve_cross_file_router_deps("child");
assert!(resolved.is_empty());
}
/// Multiple parents declaring different deps for the same child
/// accumulate without duplication. Same dep declared twice (one
/// from each parent) must dedup by (callee.name, scoped).
#[test]
fn resolve_cross_file_router_deps_dedups_duplicate_parent_deps() {
use crate::auth_analysis::model::CallSite;
use crate::auth_analysis::router_facts::{PerFileRouterFacts, RouterIncludeEdge};
let cs = CallSite {
name: "require_auth".into(),
args: Vec::new(),
span: (0, 0),
args_value_refs: Vec::new(),
};
let mut gs = GlobalSummaries::new();
// Parent A: include_router(child.router) with `require_auth` dep.
let mut p_a = PerFileRouterFacts::default();
p_a.local_router_deps
.insert("router_a".into(), vec![(cs.clone(), true)]);
p_a.include_router_edges.push(RouterIncludeEdge {
parent_var: "router_a".into(),
child_module_id: "child".into(),
child_var: "router".into(),
});
gs.insert_router_facts("parent_a".into(), p_a);
// Parent B: SAME dep, different parent file.
let mut p_b = PerFileRouterFacts::default();
p_b.local_router_deps
.insert("router_b".into(), vec![(cs, true)]);
p_b.include_router_edges.push(RouterIncludeEdge {
parent_var: "router_b".into(),
child_module_id: "child".into(),
child_var: "router".into(),
});
gs.insert_router_facts("parent_b".into(), p_b);
let resolved = gs.resolve_cross_file_router_deps("child");
let deps = resolved.get("router").expect("router resolved");
assert_eq!(deps.len(), 1, "duplicate (callee, scoped) deduplicated");
}
// ── the analysis ────────────────────
//
// `GlobalSummaries::resolve_callee_widened` is the runtime counterpart of
// the call-graph builder's `TypeHierarchyIndex::resolve_with_hierarchy`.
// These tests pin the contract that *every* concrete implementer is
// reachable when the receiver type is statically a super-class / trait /
// interface, with the explicit fall-throughs that preserve today's
// behaviour when no fan-out applies.
mod hierarchy_widened_tests {
use super::*;
/// Build a minimal `(FuncKey, FuncSummary)` for a method on the
/// given container with optional `hierarchy_edges` carried through.
fn java_method(
namespace: &str,
container: &str,
name: &str,
arity: usize,
sink_bits: u32,
hierarchy_edges: Vec<(String, String)>,
) -> (FuncKey, FuncSummary) {
let (key, mut summary) = fs_with(
namespace,
container,
name,
arity,
FuncKind::Method,
Some((namespace.len() + container.len() + name.len()) as u32),
sink_bits,
);
summary.hierarchy_edges = hierarchy_edges;
(key, summary)
}
/// A1, no hierarchy installed. Widening collapses to today's
/// single-result behaviour: one key in / one key out.
#[test]
fn widened_without_hierarchy_returns_single_resolved() {
let mut gs = GlobalSummaries::new();
let (k, s) = java_method("src/http.java", "HttpClient", "send", 1, 0x01, vec![]);
gs.insert(k.clone(), s);
// Hierarchy is intentionally NOT installed.
let widened = gs.resolve_callee_widened(&CalleeQuery {
name: "send",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("HttpClient"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(widened, vec![k]);
}
/// A2, hierarchy installed but the receiver type has no recorded
/// sub-types. Falls through to today's single-result behaviour.
#[test]
fn widened_no_subtypes_returns_single() {
let mut gs = GlobalSummaries::new();
let (k, s) = java_method("src/http.java", "HttpClient", "send", 1, 0x01, vec![]);
gs.insert(k.clone(), s);
gs.install_hierarchy();
let widened = gs.resolve_callee_widened(&CalleeQuery {
name: "send",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("HttpClient"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(widened, vec![k]);
}
/// A3, hierarchy with one sub-type implementer. Widening returns
/// both the direct receiver match and the sub-type's match.
#[test]
fn widened_one_subtype_returns_two_keys() {
let mut gs = GlobalSummaries::new();
// Carrier: ILogger -> ConsoleLogger edge.
let (k_iface, s_iface) = java_method(
"src/logger.java",
"ILogger",
"log",
1,
0x00,
vec![("ConsoleLogger".to_string(), "ILogger".to_string())],
);
let (k_impl, s_impl) =
java_method("src/logger.java", "ConsoleLogger", "log", 1, 0x01, vec![]);
gs.insert(k_iface.clone(), s_iface);
gs.insert(k_impl.clone(), s_impl);
gs.install_hierarchy();
let widened = gs.resolve_callee_widened(&CalleeQuery {
name: "log",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("ILogger"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(
widened.len(),
2,
"expected ILogger + ConsoleLogger fan-out, got {widened:?}"
);
assert!(widened.contains(&k_iface));
assert!(widened.contains(&k_impl));
}
/// A4, hierarchy with multiple sub-types: every implementer's
/// matching method is in the result, deduplicated.
#[test]
fn widened_multiple_subtypes_returns_all() {
let mut gs = GlobalSummaries::new();
// Three impls + one interface. The interface itself has no
// body so we omit a method on it (that is the more common
// shape, a pure interface plus concrete classes).
let edges = vec![
("FileLogger".to_string(), "ILogger".to_string()),
("NetLogger".to_string(), "ILogger".to_string()),
("StdLogger".to_string(), "ILogger".to_string()),
];
let (k_file, s_file) = java_method(
"src/file_logger.java",
"FileLogger",
"log",
1,
0x01,
edges.clone(),
);
let (k_net, s_net) =
java_method("src/net_logger.java", "NetLogger", "log", 1, 0x02, vec![]);
let (k_std, s_std) =
java_method("src/std_logger.java", "StdLogger", "log", 1, 0x04, vec![]);
gs.insert(k_file.clone(), s_file);
gs.insert(k_net.clone(), s_net);
gs.insert(k_std.clone(), s_std);
gs.install_hierarchy();
let widened = gs.resolve_callee_widened(&CalleeQuery {
name: "log",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("ILogger"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(widened.len(), 3, "expected three impls, got {widened:?}");
assert!(widened.contains(&k_file));
assert!(widened.contains(&k_net));
assert!(widened.contains(&k_std));
}
/// A5, the arity filter must apply across the whole fan-out, not
/// just the direct-receiver leg. An implementer with a different
/// arity must not leak into the result.
#[test]
fn widened_arity_filter_applies_across_fanout() {
let mut gs = GlobalSummaries::new();
let edges = vec![
("OneArg".to_string(), "IBase".to_string()),
("TwoArg".to_string(), "IBase".to_string()),
];
let (k_one, s_one) = java_method("src/one.java", "OneArg", "do_it", 1, 0x01, edges.clone());
let (k_two, s_two) = java_method("src/two.java", "TwoArg", "do_it", 2, 0x02, vec![]);
gs.insert(k_one.clone(), s_one);
gs.insert(k_two.clone(), s_two);
gs.install_hierarchy();
let widened = gs.resolve_callee_widened(&CalleeQuery {
name: "do_it",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("IBase"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(1),
});
assert_eq!(widened, vec![k_one], "arity-2 impl must be filtered out");
}
/// A6, fan-out is bounded at `MAX_HIERARCHY_FANOUT`. Build a
/// hierarchy with more impls than the cap allows and assert the
/// result is exactly capped (and that early impls are preserved
///, the cap drops the *tail*, not the head).
#[test]
fn widened_caps_at_max_hierarchy_fanout() {
let cap = GlobalSummaries::MAX_HIERARCHY_FANOUT;
let mut gs = GlobalSummaries::new();
// Build cap+3 impls so we can assert the tail truncates and a
// deterministic prefix remains.
let extra = 3;
let total = cap + extra;
let edges: Vec<(String, String)> = (0..total)
.map(|i| (format!("Impl{i:02}"), "IBase".to_string()))
.collect();
// Carrier, first impl carries every edge so the index is
// populated in one shot.
let (k0, s0) = java_method("src/impl00.java", "Impl00", "run", 0, 0x01, edges);
gs.insert(k0.clone(), s0);
for i in 1..total {
let (k, s) = java_method(
&format!("src/impl{i:02}.java"),
&format!("Impl{i:02}"),
"run",
0,
0x01,
vec![],
);
gs.insert(k, s);
}
gs.install_hierarchy();
let widened = gs.resolve_callee_widened(&CalleeQuery {
name: "run",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("IBase"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert_eq!(
widened.len(),
cap,
"fan-out must cap at MAX_HIERARCHY_FANOUT={cap}, got {}",
widened.len()
);
}
/// A7, when hierarchy widening produces no candidates AND the
/// receiver_type lookup is authoritative (Step 1), the secondary
/// fall-through goes through `resolve_callee` which returns
/// Ambiguous/NotFound rather than silently picking an unrelated
/// leaf, exactly the "subset of today's targets, never a
/// superset" rule. Test asserts the empty result is preserved.
#[test]
fn widened_empty_does_not_silently_pick_unrelated_leaf() {
let mut gs = GlobalSummaries::new();
// Edge: IUnused has a sub Used, but neither declares
// `something`. An unrelated free function `something` exists
// in the same namespace, under today's authoritative
// receiver_type rules, that function MUST NOT be picked when
// the call is annotated with receiver_type "IUnused".
let edges = vec![("Used".to_string(), "IUnused".to_string())];
let (k_carrier, s_carrier) =
java_method("src/util.java", "Used", "carrier", 0, 0x00, edges);
let (k_free, s_free) = free_summary("src/app.java", "something", 0, 0x01);
gs.insert(k_carrier, s_carrier);
gs.insert(k_free, s_free);
gs.install_hierarchy();
let widened = gs.resolve_callee_widened(&CalleeQuery {
name: "something",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("IUnused"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert!(
widened.is_empty(),
"receiver_type IUnused with no matching method must NOT silently \
pick an unrelated free function — got {widened:?}"
);
}
/// A7b, when hierarchy widening produces nothing AND today's
/// `resolve_callee` *does* resolve (no receiver_type, just bare
/// leaf or qualifier hint), the fallback returns the single key.
/// This pins the secondary-fallback contract on the path where it
/// actually matters (no authoritative receiver_type).
#[test]
fn widened_falls_through_when_resolve_callee_resolves() {
let mut gs = GlobalSummaries::new();
let (k_free, s_free) = free_summary("src/app.java", "helper", 0, 0x01);
gs.insert(k_free.clone(), s_free);
gs.install_hierarchy();
// No receiver_type → first branch of `resolve_callee_widened`
// is the single-result fallback path.
let widened = gs.resolve_callee_widened(&CalleeQuery {
name: "helper",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert_eq!(widened, vec![k_free]);
}
/// A8, receiver_type is None → no widening; behaves identically
/// to `resolve_callee` (single-result wrap).
#[test]
fn widened_no_receiver_type_collapses_to_resolve_callee() {
let mut gs = GlobalSummaries::new();
let (k_free, s_free) = free_summary("src/app.java", "helper", 0, 0x01);
gs.insert(k_free.clone(), s_free);
gs.install_hierarchy();
let widened = gs.resolve_callee_widened(&CalleeQuery {
name: "helper",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: None,
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert_eq!(widened, vec![k_free]);
}
/// A9, `merge()` must invalidate the cached hierarchy index so a
/// post-merge call to `resolve_callee_widened` doesn't look up a
/// stale view. Since `install_hierarchy` is required after merges,
/// the test asserts: post-merge, before reinstall, fan-out must
/// fall through to single-result behaviour.
#[test]
fn merge_invalidates_hierarchy_cache() {
let mut gs_a = GlobalSummaries::new();
let edges = vec![("Sub".to_string(), "Super".to_string())];
let (k_super, s_super) = java_method("src/super.java", "Super", "m", 0, 0x00, edges);
let (k_sub, s_sub) = java_method("src/sub.java", "Sub", "m", 0, 0x01, vec![]);
gs_a.insert(k_super.clone(), s_super);
gs_a.insert(k_sub.clone(), s_sub);
gs_a.install_hierarchy();
// Before merge: fan-out works.
let pre_merge = gs_a.resolve_callee_widened(&CalleeQuery {
name: "m",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("Super"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert_eq!(pre_merge.len(), 2);
// Merge in an empty `gs_b`, should invalidate the cached
// hierarchy.
gs_a.merge(GlobalSummaries::new());
assert!(
gs_a.hierarchy().is_none(),
"merge() must clear the cached hierarchy"
);
// After merge, before reinstall: the resolver must fall back
// to single-result behaviour (no fan-out).
let post_merge_no_install = gs_a.resolve_callee_widened(&CalleeQuery {
name: "m",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("Super"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert_eq!(post_merge_no_install.len(), 1);
assert_eq!(post_merge_no_install[0], k_super);
// After reinstall: fan-out is restored.
gs_a.install_hierarchy();
let post_merge_reinstalled = gs_a.resolve_callee_widened(&CalleeQuery {
name: "m",
caller_lang: Lang::Java,
caller_namespace: "src/app.java",
caller_container: None,
receiver_type: Some("Super"),
namespace_qualifier: None,
receiver_var: None,
arity: Some(0),
});
assert_eq!(post_merge_reinstalled.len(), 2);
assert!(post_merge_reinstalled.contains(&k_super));
assert!(post_merge_reinstalled.contains(&k_sub));
}
}
#[test]
fn cross_package_imports_round_trip_via_global_summaries() {
use crate::symbol::{FuncKey, FuncKind, Lang};
let mut gs = GlobalSummaries::new();
let mut map: std::collections::HashMap<String, FuncKey> = std::collections::HashMap::new();
map.insert(
"escape".to_string(),
FuncKey {
lang: Lang::TypeScript,
namespace: "packages/util/src/escape.ts".to_string(),
container: String::new(),
name: "escape".to_string(),
arity: None,
disambig: None,
kind: FuncKind::Function,
},
);
let arc = std::sync::Arc::new(map);
gs.insert_cross_package_imports("apps/api/handler.ts".to_string(), arc.clone());
assert_eq!(gs.cross_package_imports_len(), 1);
let looked_up = gs
.get_cross_package_imports("apps/api/handler.ts")
.expect("namespace lookup must hit");
assert_eq!(looked_up.len(), 1);
assert!(looked_up.contains_key("escape"));
assert!(gs.get_cross_package_imports("missing").is_none());
// Inserting an empty map is a no-op so the index does not get
// polluted with bookkeeping rows when a file's resolver produces
// no resolved bindings.
gs.insert_cross_package_imports(
"apps/api/no_imports.ts".to_string(),
std::sync::Arc::new(std::collections::HashMap::new()),
);
assert_eq!(gs.cross_package_imports_len(), 1);
}
#[test]
fn cross_package_imports_merged_across_thread_local_summaries() {
use crate::symbol::{FuncKey, FuncKind, Lang};
let mut gs_a = GlobalSummaries::new();
let mut map_a: std::collections::HashMap<String, FuncKey> = std::collections::HashMap::new();
map_a.insert(
"escape".to_string(),
FuncKey {
lang: Lang::TypeScript,
namespace: "packages/util/src/escape.ts".to_string(),
container: String::new(),
name: "escape".to_string(),
arity: None,
disambig: None,
kind: FuncKind::Function,
},
);
gs_a.insert_cross_package_imports(
"apps/api/handler_a.ts".to_string(),
std::sync::Arc::new(map_a),
);
let mut gs_b = GlobalSummaries::new();
let mut map_b: std::collections::HashMap<String, FuncKey> = std::collections::HashMap::new();
map_b.insert(
"format".to_string(),
FuncKey {
lang: Lang::TypeScript,
namespace: "packages/util/src/format.ts".to_string(),
container: String::new(),
name: "format".to_string(),
arity: None,
disambig: None,
kind: FuncKind::Function,
},
);
gs_b.insert_cross_package_imports(
"apps/api/handler_b.ts".to_string(),
std::sync::Arc::new(map_b),
);
gs_a.merge(gs_b);
assert_eq!(gs_a.cross_package_imports_len(), 2);
assert!(
gs_a.get_cross_package_imports("apps/api/handler_a.ts")
.is_some()
);
assert!(
gs_a.get_cross_package_imports("apps/api/handler_b.ts")
.is_some()
);
}
Reference in a new issue View git blame Copy permalink