
Commit 80ef3b3

Browse files
committed
Merge branch 'main' into mathiasvp/replace-ast-with-ir-use-usedataflow
2 parents 18d3801 + 222c9a6 commit 80ef3b3

547 files changed

Lines changed: 8052 additions & 2418 deletions


.github/labeler.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,3 +43,11 @@ documentation:
4343
"QL-for-QL":
4444
- ql/**/*
4545
- .github/workflows/ql-for-ql*
46+
47+
# Since these are all shared files that need to be synced, just pick _one_ copy of each.
48+
"DataFlow Library":
49+
- "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll"
50+
- "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll"
51+
- "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
52+
- "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll"
53+
- "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll"
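Review bot: Picking only the Java copy of each synced file means a PR that edits the corresponding copy under another language directory will not receive the "DataFlow Library" label until the Java copy is touched, even though the comment describes these as shared files that need to be synced. If that is the intended workflow (edit Java first, then run the sync), say so in the comment; otherwise match on the file name rather than the Java-specific path so that any copy triggers the label.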

change-notes/1.20/analysis-javascript.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,7 @@
5252
| Unneeded defensive code | More true positive and fewer false positive results | This query now recognizes additional defensive code patterns. |
5353
| Unsafe dynamic method access | Fewer false positive results | This query no longer flags concatenated strings as unsafe method names. |
5454
| Unused parameter | Fewer false positive results | This query no longer flags parameters with leading underscore. |
55-
| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implictly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
55+
| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implicitly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
5656
| Unvalidated dynamic method call | More true positive results | This query now flags concatenated strings as unvalidated method names in more cases. |
5757
| Useless assignment to property. | Fewer false positive results | This query now treats assignments with complex right-hand sides correctly. |
5858
| Useless conditional | Fewer results | Additional defensive coding patterns are now ignored. |

change-notes/1.23/analysis-cpp.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
1919
| Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
2020
| Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
2121
| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | More correct results | This query now checks for the beginning date of the Reiwa era (1st May 2019). |
22-
| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggrered by mismatching declarations of a formatting function. |
22+
| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
2323
| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results | Results involving `>=` or `<=` are no longer reported. |
2424
| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
2525
| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |

change-notes/1.24/analysis-javascript.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -91,7 +91,7 @@
9191

9292
## Changes to libraries
9393

94-
* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
94+
* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimic this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
9595
* An extensible model of the `EventEmitter` pattern has been implemented.
9696
* Taint-tracking configurations now interact differently with the `data` flow label, which may affect queries
9797
that combine taint-tracking and flow labels.
Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Fixed bugs in the `FormatLiteral` class that were causing `getMaxConvertedLength` and related predicates to return no results when the format literal was `%e`, `%f` or `%g` and an explicit precision was specified.
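Review bot: The note says the predicates "return no results" but not what that meant in practice: anything built on `getMaxConvertedLength` for a `%e`, `%f` or `%g` conversion with an explicit precision silently got no answer, so the effect on queries was missed results rather than spurious ones. One sentence stating that (and naming the affected queries) would help readers decide whether to re-run the analysis on code that uses such format strings.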

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/ModulusAnalysis.qll

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,12 @@
44
* variable), and `v` is an integer in the range `[0 .. m-1]`.
55
*/
66

7+
/*
8+
* The main recursion has base cases in both `ssaModulus` (for guarded reads) and `semExprModulus`
9+
* (for constant values). The most interesting recursive case is `phiModulusRankStep`, which
10+
* handles phi inputs.
11+
*/
12+
713
private import ModulusAnalysisSpecific::Private
814
private import experimental.semmle.code.cpp.semantic.Semantic
915
private import ConstantAnalysis
@@ -162,20 +168,37 @@ private predicate phiModulusInit(SemSsaPhiNode phi, SemBound b, int val, int mod
162168
*/
163169
pragma[nomagic]
164170
private predicate phiModulusRankStep(SemSsaPhiNode phi, SemBound b, int val, int mod, int rix) {
171+
/*
172+
* base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
173+
* class for the phi node.
174+
*/
175+
165176
rix = 0 and
166177
phiModulusInit(phi, b, val, mod)
167178
or
168179
exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int v1, int m1 |
169180
mod != 1 and
170181
val = remainder(v1, mod)
171182
|
183+
/*
184+
* Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
185+
* congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
186+
* the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
187+
*/
188+
172189
exists(int v2, int m2 |
173190
rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
174191
phiModulusRankStep(phi, b, v1, m1, rix - 1) and
175192
ssaModulus(inp, edge, b, v2, m2) and
176193
mod = m1.gcd(m2).gcd(v1 - v2)
177194
)
178195
or
196+
/*
197+
* Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
198+
* congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
199+
* common denominator of `m1` and `m2`.
200+
*/
201+
179202
exists(int m2 |
180203
rankedPhiInput(phi, inp, edge, rix) and
181204
phiModulusRankStep(phi, b, v1, m1, rix - 1) and
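Review bot: "greatest common denominator" in both new recursive-case comments should be "greatest common divisor"; the code computes `m1.gcd(m2).gcd(v1 - v2)`, and a denominator is a different notion. Also capitalise "base case." to match "Recursive case." in the sibling comments. The rest of the text matches the code: `val = remainder(v1, mod)` is exactly the "congruence class of `v1` modulo" the combined modulus, and the `mod != 1` guard in the surrounding `exists` is what drops the uninformative case where the divisor collapses to 1, which the comment could mention.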

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

Lines changed: 18 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -1125,12 +1125,12 @@ class FormatLiteral extends Literal {
11251125
exists(int dot, int afterdot |
11261126
(if this.getPrecision(n) = 0 then dot = 0 else dot = 1) and
11271127
(
1128-
(
1129-
if this.hasExplicitPrecision(n)
1130-
then afterdot = this.getPrecision(n)
1131-
else not this.hasImplicitPrecision(n)
1132-
) and
1133-
afterdot = 6
1128+
if this.hasExplicitPrecision(n)
1129+
then afterdot = this.getPrecision(n)
1130+
else (
1131+
not this.hasImplicitPrecision(n) and
1132+
afterdot = 6
1133+
)
11341134
) and
11351135
len = 1 + 309 + dot + afterdot
11361136
) and
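Review bot: The root cause deserves a comment at the `else` branch: in the old form `(if ... then afterdot = this.getPrecision(n) else not this.hasImplicitPrecision(n)) and afterdot = 6`, the trailing `afterdot = 6` was conjoined to both branches, so an explicit precision other than 6 made the formula unsatisfiable and the whole `len` computation had no result, which is the `getMaxConvertedLength` bug described in the change note. The same seven-line block is now repeated verbatim in the two hunks below for the other floating-point conversions; factor it into one helper (for instance a `getAfterDot(n)` predicate, name hypothetical) so the next fix lands once. Leaving the implicit-precision case (`%.*f`) without a result is correct, since that precision comes from an argument and cannot be bounded statically.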
@@ -1140,12 +1140,12 @@ class FormatLiteral extends Literal {
11401140
exists(int dot, int afterdot |
11411141
(if this.getPrecision(n) = 0 then dot = 0 else dot = 1) and
11421142
(
1143-
(
1144-
if this.hasExplicitPrecision(n)
1145-
then afterdot = this.getPrecision(n)
1146-
else not this.hasImplicitPrecision(n)
1147-
) and
1148-
afterdot = 6
1143+
if this.hasExplicitPrecision(n)
1144+
then afterdot = this.getPrecision(n)
1145+
else (
1146+
not this.hasImplicitPrecision(n) and
1147+
afterdot = 6
1148+
)
11491149
) and
11501150
len = 1 + 1 + dot + afterdot + 1 + 1 + 3
11511151
) and
@@ -1155,12 +1155,12 @@ class FormatLiteral extends Literal {
11551155
exists(int dot, int afterdot |
11561156
(if this.getPrecision(n) = 0 then dot = 0 else dot = 1) and
11571157
(
1158-
(
1159-
if this.hasExplicitPrecision(n)
1160-
then afterdot = this.getPrecision(n)
1161-
else not this.hasImplicitPrecision(n)
1162-
) and
1163-
afterdot = 6
1158+
if this.hasExplicitPrecision(n)
1159+
then afterdot = this.getPrecision(n)
1160+
else (
1161+
not this.hasImplicitPrecision(n) and
1162+
afterdot = 6
1163+
)
11641164
) and
11651165
// note: this could be displayed in the style %e or %f;
11661166
// however %f is only used when 'P > X >= -4'

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql

Lines changed: 31 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -16,15 +16,36 @@
1616
import cpp
1717
import semmle.code.cpp.commons.Exclusions
1818

19-
/** Gets the sub-expression of 'e' with the earliest-starting Location */
19+
/**
20+
* Gets a child of `e`, including conversions but excluding call arguments.
21+
*/
22+
pragma[inline]
23+
Expr getAChildWithConversions(Expr e) {
24+
result.getParentWithConversions() = e and
25+
not result = any(Call c).getAnArgument()
26+
}
27+
28+
/**
29+
* Gets the left-most column position of any transitive child of `e` (including
30+
* conversions but excluding call arguments).
31+
*/
32+
int getCandidateColumn(Expr e) {
33+
result = e.getLocation().getStartColumn() or
34+
result = getCandidateColumn(getAChildWithConversions(e))
35+
}
36+
37+
/**
38+
* Gets the transitive child of `e` (including conversions but excluding call
39+
* arguments) at the left-most column position, preferring less deeply nested
40+
* expressions if there is a choice.
41+
*/
2042
Expr normalizeExpr(Expr e) {
21-
result =
22-
min(Expr child |
23-
child.getParentWithConversions*() = e.getFullyConverted() and
24-
not child.getParentWithConversions*() = any(Call c).getAnArgument()
25-
|
26-
child order by child.getLocation().getStartColumn(), count(child.getParentWithConversions*())
27-
)
43+
e.getLocation().getStartColumn() = min(getCandidateColumn(e)) and
44+
result = e
45+
or
46+
not e.getLocation().getStartColumn() = min(getCandidateColumn(e)) and
47+
result = normalizeExpr(getAChildWithConversions(e)) and
48+
result.getLocation().getStartColumn() = min(getCandidateColumn(e))
2849
}
2950

3051
predicate isParenthesized(CommaExpr ce) {
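Review bot: The QLDoc on `normalizeExpr` says "the transitive child of `e`", but the first disjunct returns `e` itself when it already sits at the minimum column, so this is a reflexive-transitive child; say so, since the caller compares the resulting locations directly. The two disjuncts are mutually exclusive on `e.getLocation().getStartColumn() = min(getCandidateColumn(e))` and would read more clearly as a single `if ... then result = e else (...)`. As in the old `min(... order by child.getLocation().getStartColumn(), ...)`, the minimum is taken over start columns without regard to line, so a multi-line operand can normalise to a sub-expression on a later line; that is unchanged behaviour, but it belongs in the doc of `getCandidateColumn`.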
@@ -43,8 +64,8 @@ from CommaExpr ce, Expr left, Expr right, Location leftLoc, Location rightLoc
4364
where
4465
ce.fromSource() and
4566
not isFromMacroDefinition(ce) and
46-
left = normalizeExpr(ce.getLeftOperand()) and
47-
right = normalizeExpr(ce.getRightOperand()) and
67+
left = normalizeExpr(ce.getLeftOperand().getFullyConverted()) and
68+
right = normalizeExpr(ce.getRightOperand().getFullyConverted()) and
4869
leftLoc = left.getLocation() and
4970
rightLoc = right.getLocation() and
5071
not isParenthesized(ce) and
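Review bot: The contract of `normalizeExpr` has changed: the old body applied `getFullyConverted()` itself, the new one expects the caller to pass the fully converted expression, which is why both call sites here gain `.getFullyConverted()`. Record that requirement in the predicate's QLDoc, which currently says nothing about conversions of `e` itself; a caller passing an unconverted operand would get a result set that may differ from the old one.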

cpp/ql/test/TestUtilities/InlineExpectationsTest.qll

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -137,6 +137,7 @@ abstract class InlineExpectationsTest extends string {
137137
final predicate hasFailureMessage(FailureLocatable element, string message) {
138138
exists(ActualResult actualResult |
139139
actualResult.getTest() = this and
140+
actualResult.getTag() = this.getARelevantTag() and
140141
element = actualResult and
141142
(
142143
exists(FalseNegativeExpectation falseNegative |
@@ -150,9 +151,18 @@ abstract class InlineExpectationsTest extends string {
150151
)
151152
)
152153
or
154+
exists(ActualResult actualResult |
155+
actualResult.getTest() = this and
156+
not actualResult.getTag() = this.getARelevantTag() and
157+
element = actualResult and
158+
message =
159+
"Tag mismatch: Actual result with tag '" + actualResult.getTag() +
160+
"' that is not part of getARelevantTag()"
161+
)
162+
or
153163
exists(ValidExpectation expectation |
154164
not exists(ActualResult actualResult | expectation.matchesActualResult(actualResult)) and
155-
expectation.getTag() = getARelevantTag() and
165+
expectation.getTag() = this.getARelevantTag() and
156166
element = expectation and
157167
(
158168
expectation instanceof GoodExpectation and
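Review bot: The new "Tag mismatch" message is attached to `element = actualResult` but does not say which test produced it; several `InlineExpectationsTest` instances can share one test file, so include `this` in the text (the class extends `string`, so it concatenates directly). With the `actualResult.getTag() = this.getARelevantTag()` filter added in the previous hunk, a result whose tag is outside `getARelevantTag()` is now reported only through this branch rather than as an unexpected result, so the message should also tell the author the fix: add the tag to `getARelevantTag()` or stop emitting it. Changing `getARelevantTag()` to `this.getARelevantTag()` in the expectation branch is a good consistency fix.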
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
2+
typedef void *va_list;
3+
4+
int myPrintf(const char *format, ...) __attribute__((format(printf, 1, 2)));
5+
int mySprintf(char *buffer, const char *format, ...) __attribute__((format(__printf__, 2, 3)));
6+
int myVprintf(const char *format, va_list arg) __attribute__((format(printf, 1, 0)));
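Review bot: Good to see both the `printf` and `__printf__` spellings of the archetype and the `(printf, 1, 0)` form for the `va_list` variant, where 0 means no variadic arguments are checked. Two gaps: the local `typedef void *va_list;` stands in for the real `<stdarg.h>` type, which is fine for a stub but should carry a comment so nobody includes the header later and gets a redefinition error; and there is no negative case, a function with a printf-like name and no attribute, to show that recognition keys on the attribute rather than the name. The `gnu_printf` archetype is also a common spelling worth one more declaration.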
