Fix models for min and max and improve tests

owen-mc · owen-mc · commit ab5e1f8a69a7 · 2024-05-14T14:40:56.000+01:00
Although the documentation makes them look variadic (and generic), they
are actually special-cased in the compiler. Like all built-in functions
they don't have a signature type, but the type of `min(a, b, c)` is
`func(int, int, int) int` and not `func(int, ...int) int`.

Go doesn't allow open-ended ranges for argument indices in
models-as-data specifications (though Ruby and Python do), so I've used
`1..1000`.
diff --git a/go/ql/lib/ext/builtin.model.yml b/go/ql/lib/ext/builtin.model.yml
@@ -6,7 +6,5 @@ extensions:
       - ["", "", False, "append", "", "", "Argument[0].ArrayElement", "ReturnValue.ArrayElement", "value", "manual"]
       - ["", "", False, "append", "", "", "Argument[1].ArrayElement", "ReturnValue.ArrayElement", "value", "manual"]
       - ["", "", False, "copy", "", "", "Argument[1].ArrayElement", "Argument[0].ArrayElement", "value", "manual"]
-      - ["", "", False, "max", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
-      - ["", "", False, "max", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
-      - ["", "", False, "min", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
-      - ["", "", False, "min", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "max", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "min", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected
@@ -34,3 +34,9 @@ invalidModelRow
 | test.go:170:17:170:20 | arg1 | qltest |
 | test.go:170:23:170:26 | arg2 | qltest |
 | test.go:170:29:170:32 | arg3 | qltest |
+| test.go:173:10:173:26 | call to max | qltest |
+| test.go:174:10:174:26 | call to max | qltest |
+| test.go:175:10:175:26 | call to max | qltest |
+| test.go:176:10:176:26 | call to min | qltest |
+| test.go:177:10:177:26 | call to min | qltest |
+| test.go:178:10:178:26 | call to min | qltest |
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/steps.expected b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/steps.expected
@@ -14,3 +14,21 @@ invalidModelRow
 | test.go:74:13:74:25 | type assertion | test.go:74:12:74:40 | call to StepQualRes |
 | test.go:78:3:78:15 | type assertion | test.go:77:6:77:11 | definition of taint6 |
 | test.go:81:34:81:36 | src | test.go:81:12:81:37 | call to StepArgResNoQual |
+| test.go:173:14:173:19 | srcInt | test.go:173:10:173:26 | call to max |
+| test.go:173:22:173:22 | 0 | test.go:173:10:173:26 | call to max |
+| test.go:173:25:173:25 | 1 | test.go:173:10:173:26 | call to max |
+| test.go:174:14:174:14 | 0 | test.go:174:10:174:26 | call to max |
+| test.go:174:17:174:22 | srcInt | test.go:174:10:174:26 | call to max |
+| test.go:174:25:174:25 | 1 | test.go:174:10:174:26 | call to max |
+| test.go:175:14:175:14 | 0 | test.go:175:10:175:26 | call to max |
+| test.go:175:17:175:17 | 1 | test.go:175:10:175:26 | call to max |
+| test.go:175:20:175:25 | srcInt | test.go:175:10:175:26 | call to max |
+| test.go:176:14:176:19 | srcInt | test.go:176:10:176:26 | call to min |
+| test.go:176:22:176:22 | 0 | test.go:176:10:176:26 | call to min |
+| test.go:176:25:176:25 | 1 | test.go:176:10:176:26 | call to min |
+| test.go:177:14:177:14 | 0 | test.go:177:10:177:26 | call to min |
+| test.go:177:17:177:22 | srcInt | test.go:177:10:177:26 | call to min |
+| test.go:177:25:177:25 | 1 | test.go:177:10:177:26 | call to min |
+| test.go:178:14:178:14 | 0 | test.go:178:10:178:26 | call to min |
+| test.go:178:17:178:17 | 1 | test.go:178:10:178:26 | call to min |
+| test.go:178:20:178:25 | srcInt | test.go:178:10:178:26 | call to min |
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go
@@ -168,4 +168,12 @@ func simpleflow() {
 	arg3 := src
 	arg4 := src
 	b.SinkManyArgs(arg1, arg2, arg3, arg4) // $ hasValueFlow="arg1" hasValueFlow="arg2" hasValueFlow="arg3"
+
+	var srcInt int = src.(int)
+	b.Sink1(max(srcInt, 0, 1)) // $ hasValueFlow="call to max"
+	b.Sink1(max(0, srcInt, 1)) // $ hasValueFlow="call to max"
+	b.Sink1(max(0, 1, srcInt)) // $ hasValueFlow="call to max"
+	b.Sink1(min(srcInt, 0, 1)) // $ hasValueFlow="call to min"
+	b.Sink1(min(0, srcInt, 1)) // $ hasValueFlow="call to min"
+	b.Sink1(min(0, 1, srcInt)) // $ hasValueFlow="call to min"
 }
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalFlowStep.expected
@@ -127,10 +127,12 @@
 | main.go:64:7:64:18 | call to min | main.go:64:2:64:2 | definition of a |
 | main.go:64:11:64:11 | x | main.go:64:7:64:18 | call to min |
 | main.go:64:14:64:14 | y | main.go:64:7:64:18 | call to min |
+| main.go:64:17:64:17 | z | main.go:64:7:64:18 | call to min |
 | main.go:65:2:65:2 | definition of b | main.go:66:12:66:12 | b |
 | main.go:65:7:65:18 | call to max | main.go:65:2:65:2 | definition of b |
 | main.go:65:11:65:11 | x | main.go:65:7:65:18 | call to max |
 | main.go:65:14:65:14 | y | main.go:65:7:65:18 | call to max |
+| main.go:65:17:65:17 | z | main.go:65:7:65:18 | call to max |
 | strings.go:8:12:8:12 | argument corresponding to s | strings.go:8:12:8:12 | definition of s |
 | strings.go:8:12:8:12 | definition of s | strings.go:9:24:9:24 | s |
 | strings.go:8:12:8:12 | definition of s | strings.go:10:27:10:27 | s |
