C#: Fix issues with summarized callables parameter types and other casting issues.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -12,14 +12,6 @@ private import semmle.code.csharp.dispatch.RuntimeCallable
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.collections.Generic
 
-private predicate summarizedCallable(DataFlowCallable c) {
-  exists(c.asSummarizedCallable())
-  or
-  FlowSummaryImpl::Private::summaryReturnNode(_, TJumpReturnKind(c, _))
-  or
-  c.asCallable() = interpretElement(_, _, _, _, _, _)
-}
-
 /**
  * Gets a source declaration of callable `c` that has a body or has
  * a flow summary.
@@ -29,9 +21,6 @@ private predicate summarizedCallable(DataFlowCallable c) {
  */
 DotNet::Callable getCallableForDataFlow(DotNet::Callable c) {
   exists(DotNet::Callable unboundDecl | unboundDecl = c.getUnboundDeclaration() |
-    summarizedCallable(TDotNetCallable(unboundDecl)) and
-    result = unboundDecl
-    or
     result.hasBody() and
     if unboundDecl.getFile().fromSource()
     then
@@ -329,9 +318,7 @@ class NonDelegateDataFlowCall extends DataFlowCall, TNonDelegateCall {
   override DataFlowCallable getARuntimeTarget() {
     result.asCallable() = getCallableForDataFlow(dc.getADynamicTarget())
     or
-    result.asCallable() = dc.getAStaticTarget().getUnboundDeclaration() and
-    summarizedCallable(result) and
-    not result.asCallable() instanceof RuntimeCallable
+    result.asSummarizedCallable() = dc.getAStaticTarget().getUnboundDeclaration()
   }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -19,7 +19,7 @@ private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.threading.Tasks
 
 /** Gets the callable in which this node occurs. */
-DataFlowCallable nodeGetEnclosingCallable(Node n) { result.asCallable() = n.getEnclosingCallable() }
+DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallableImpl() }
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
 predicate isParameterNode(ParameterNodeImpl p, DataFlowCallable c, ParameterPosition pos) {
@@ -980,7 +980,13 @@ private module ParameterNodes {
 
     override DataFlowCallable getEnclosingCallableImpl() { result = sc }
 
-    override Type getTypeImpl() { result instanceof ObjectType }
+    override Type getTypeImpl() {
+      exists(int i |
+        pos_.getPosition() = i and result = sc.asSummarizedCallable().getParameter(i).getType()
+      )
+      or
+      pos_.isThisParameter() and result = sc.asSummarizedCallable().getDeclaringType()
+    }
 
     override ControlFlow::Node getControlFlowNodeImpl() { none() }
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -38,27 +38,29 @@ DataFlowType getContentType(Content c) {
   )
 }
 
-private DataFlowType getReturnTypeBase(DataFlowCallable c, ReturnKind rk) {
+private DataFlowType getReturnTypeBase(DotNet::Callable c, ReturnKind rk) {
   exists(Type t | result = Gvn::getGlobalValueNumber(t) |
     rk instanceof NormalReturnKind and
     (
-      t = c.asCallable().(Constructor).getDeclaringType()
+      t = c.(Constructor).getDeclaringType()
       or
-      not c.asCallable() instanceof Constructor and
-      t = c.asCallable().getReturnType()
+      not c instanceof Constructor and
+      t = c.getReturnType()
     )
     or
-    t = c.asCallable().getParameter(rk.(OutRefReturnKind).getPosition()).getType()
+    t = c.getParameter(rk.(OutRefReturnKind).getPosition()).getType()
   )
 }
 
 /** Gets the return type of kind `rk` for callable `c`. */
 bindingset[c]
 DataFlowType getReturnType(SummarizedCallable c, ReturnKind rk) {
-  result = getReturnTypeBase(c, rk)
+  result = getReturnTypeBase(c.asSummarizedCallable(), rk)
   or
   rk =
-    any(JumpReturnKind jrk | result = getReturnTypeBase(jrk.getTarget(), jrk.getTargetReturnKind()))
+    any(JumpReturnKind jrk |
+      result = getReturnTypeBase(jrk.getTarget().asCallable(), jrk.getTargetReturnKind())
+    )
 }
 
 /**