github
diff --git a/‎change-notes/1.22/analysis-cpp.md‎
Lines changed: 2 additions & 0 deletions b/‎change-notes/1.22/analysis-cpp.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎change-notes/1.22/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.22/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎change-notes/1.22/analysis-java.md‎
Lines changed: 1 addition & 1 deletion b/‎change-notes/1.22/analysis-java.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎config/identical-files.json‎
Lines changed: 11 additions & 0 deletions b/‎config/identical-files.json‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Element.qll‎
Lines changed: 2 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/Element.qll‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/DataFlow2.qll‎
Lines changed: 0 additions & 23 deletions b/‎cpp/ql/src/semmle/code/cpp/dataflow/DataFlow2.qll‎
Lines changed: 0 additions & 23 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/DataFlow3.qll‎
Lines changed: 0 additions & 23 deletions b/‎cpp/ql/src/semmle/code/cpp/dataflow/DataFlow3.qll‎
Lines changed: 0 additions & 23 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/DataFlow4.qll‎
Lines changed: 0 additions & 23 deletions b/‎cpp/ql/src/semmle/code/cpp/dataflow/DataFlow4.qll‎
Lines changed: 0 additions & 23 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking.qll‎
Lines changed: 5 additions & 250 deletions b/‎cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking.qll‎
Lines changed: 5 additions & 250 deletions
@@ -25,6 +25,8 @@
 - The predicate `Variable.getAnAssignedValue()` now reports assignments to fields resulting from aggregate initialization (` = {...}`).
 - The predicate `TypeMention.toString()` has been simplified to always return the string "`type mention`".  This may improve performance when using `Element.toString()` or its descendants.
 - The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow.
+- The second copy of the interprocedural `TaintTracking` library has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name.
 - Fixed the `LocalScopeVariableReachability.qll` library's handling of loops with an entry condition is both always true upon first entry, and where there is more than one control flow path through the loop condition.  This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries which depend on it.
 - The `semmle.code.cpp.models` library now models data flow through `std::swap`.
 - There is a new `Variable.isThreadLocal()` predicate. It can be used to tell whether a variable is `thread_local`.
+- Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries.
@@ -41,5 +41,6 @@
   - The new predicate `ConstructedGeneric.getAnnotatedTypeArgument()` gets the annotated type of a type argument
   - The new predicate `TypeParameterConstraints.getAnAnnotatedTypeConstraint()` gets a type constraint with type annotations
 * The new class `SuppressNullableWarningExpr` models suppress-nullable-warning expressions such as `x!`
+* The data-flow library (and taint-tracking library) now supports flow through fields. All existing configurations will have field-flow enabled by default, but it can be disabled by adding `override int fieldFlowBranchLimit() { result = 0 }` to the configuration class. Field assignments, `this.Foo = x`, object initializers, `new C() { Foo = x }`, and field initializers `int Foo = 0` are supported.
 
 ## Changes to autobuilder
@@ -16,4 +16,4 @@
   removes false positives that arose from paths through impossible `toString()`
   calls.
 * The library `VCS.qll` and all queries that imported it have been removed.
-
+* The second copy of the interprocedural `TaintTracking` library has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.java.dataflow.TaintTracking2` to access the new name.
@@ -25,6 +25,17 @@
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll"
   ],
+  "TaintTracking::Configuration Java/C++/C#": [
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
+  ],
   "IR Instruction": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
 
@@ -206,7 +206,8 @@ class Element extends ElementBase {
     namequalifiers(underlyingElement(this), unresolveElement(result), _, _) or
     initialisers(underlyingElement(this), unresolveElement(result), _, _) or
     exprconv(unresolveElement(result), underlyingElement(this)) or
-    param_decl_bind(underlyingElement(this),_,unresolveElement(result))
+    param_decl_bind(underlyingElement(this),_,unresolveElement(result)) or
+    using_container(unresolveElement(result),underlyingElement(this))
   }
 
   /** Gets the closest `Element` enclosing this one. */
 
@@ -12,27 +12,4 @@ import cpp
 
 module DataFlow2 {
   import semmle.code.cpp.dataflow.internal.DataFlowImpl2
-
-  /**
-   * This class exists to prevent mutual recursion between the user-overridden
-   * member predicates of `Configuration` and the rest of the data-flow library.
-   * Good performance cannot be guaranteed in the presence of such recursion, so
-   * it should be replaced by using more than one copy of the data flow library.
-   * Four copies are available: `DataFlow` through `DataFlow4`.
-   */
-  private abstract
-  class ConfigurationRecursionPrevention extends Configuration {
-    bindingset[this]
-    ConfigurationRecursionPrevention() { any() }
-
-    override predicate hasFlow(Node source, Node sink) {
-      strictcount(Node n | this.isSource(n)) < 0
-      or
-      strictcount(Node n | this.isSink(n)) < 0
-      or
-      strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-      or
-      super.hasFlow(source, sink)
-    }
-  }
 }
@@ -12,27 +12,4 @@ import cpp
 
 module DataFlow3 {
   import semmle.code.cpp.dataflow.internal.DataFlowImpl3
-
-  /**
-   * This class exists to prevent mutual recursion between the user-overridden
-   * member predicates of `Configuration` and the rest of the data-flow library.
-   * Good performance cannot be guaranteed in the presence of such recursion, so
-   * it should be replaced by using more than one copy of the data flow library.
-   * Four copies are available: `DataFlow` through `DataFlow4`.
-   */
-  private abstract
-  class ConfigurationRecursionPrevention extends Configuration {
-    bindingset[this]
-    ConfigurationRecursionPrevention() { any() }
-
-    override predicate hasFlow(Node source, Node sink) {
-      strictcount(Node n | this.isSource(n)) < 0
-      or
-      strictcount(Node n | this.isSink(n)) < 0
-      or
-      strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-      or
-      super.hasFlow(source, sink)
-    }
-  }
 }
@@ -12,27 +12,4 @@ import cpp
 
 module DataFlow4 {
   import semmle.code.cpp.dataflow.internal.DataFlowImpl4
-
-  /**
-   * This class exists to prevent mutual recursion between the user-overridden
-   * member predicates of `Configuration` and the rest of the data-flow library.
-   * Good performance cannot be guaranteed in the presence of such recursion, so
-   * it should be replaced by using more than one copy of the data flow library.
-   * Four copies are available: `DataFlow` through `DataFlow4`.
-   */
-  private abstract
-  class ConfigurationRecursionPrevention extends Configuration {
-    bindingset[this]
-    ConfigurationRecursionPrevention() { any() }
-
-    override predicate hasFlow(Node source, Node sink) {
-      strictcount(Node n | this.isSource(n)) < 0
-      or
-      strictcount(Node n | this.isSink(n)) < 0
-      or
-      strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-      or
-      super.hasFlow(source, sink)
-    }
-  }
 }
@@ -9,259 +9,14 @@
  */
 import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.dataflow.DataFlow2
-import semmle.code.cpp.models.interfaces.DataFlow
-import semmle.code.cpp.models.interfaces.Taint
 
 module TaintTracking {
+  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
+  private import semmle.code.cpp.dataflow.TaintTracking2
 
   /**
-   * A configuration of interprocedural taint tracking analysis. This defines
-   * sources, sinks, and any other configurable aspect of the analysis. Each
-   * use of the taint tracking library must define its own unique extension of
-   * this abstract class.
-   *
-   * A taint-tracking configuration is a special data flow configuration
-   * (`DataFlow::Configuration`) that allows for flow through nodes that do not
-   * necessarily preserve values but are still relevant from a taint-tracking
-   * perspective. (For example, string concatenation, where one of the operands
-   * is tainted.)
-   *
-   * To create a configuration, extend this class with a subclass whose
-   * characteristic predicate is a unique singleton string. For example, write
-   *
-   * ```
-   * class MyAnalysisConfiguration extends TaintTracking::Configuration {
-   *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
-   *   // Override `isSource` and `isSink`.
-   *   // Optionally override `isSanitizer`.
-   *   // Optionally override `isSanitizerEdge`.
-   *   // Optionally override `isAdditionalTaintStep`.
-   * }
-   * ```
-   *
-   * Then, to query whether there is flow between some `source` and `sink`,
-   * write
-   *
-   * ```
-   * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
-   * ```
-   *
-   * Multiple configurations can coexist, but it is unsupported to depend on a
-   * `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
-   * overridden predicates that define sources, sinks, or additional steps.
-   * Instead, the dependency should go to a `TaintTracking::Configuration2` or
-   * a `DataFlow{2,3,4}::Configuration`.
+   * DEPRECATED: Use TaintTracking2::Configuration instead.
    */
-  abstract class Configuration extends DataFlow::Configuration {
-    bindingset[this]
-    Configuration() { any() }
-
-    /** Holds if `source` is a taint source. */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /** Holds if `sink` is a taint sink. */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /**
-     * Holds if taint should not flow into `node`.
-     */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    /** Holds if data flow from `node1` to `node2` is prohibited. */
-    predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      none()
-    }
-
-    /**
-     * Holds if the additional taint propagation step
-     * from `source` to `target` must be taken into account in the analysis.
-     * This step will only be followed if `target` is not in the `isSanitizer`
-     * predicate.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node source,
-                                    DataFlow::Node target)
-    { none() }
-
-    final override
-    predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
-
-    /** DEPRECATED: use `isSanitizerEdge` instead. */
-    override deprecated
-    predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      this.isSanitizerEdge(node1, node2)
-    }
-
-    final override
-    predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node target) {
-      this.isAdditionalTaintStep(source, target)
-      or
-      localTaintStep(source, target)
-    }
-  }
-
-  /**
-   * A taint-tracking configuration that is backed by the `DataFlow2` library
-   * instead of `DataFlow`. Use this class when taint-tracking configurations
-   * or data-flow configurations must depend on each other.
-   *
-   * See `TaintTracking::Configuration` for the full documentation.
-   */
-  abstract class Configuration2 extends DataFlow2::Configuration {
-    bindingset[this]
-    Configuration2() { any() }
-
-    /** Holds if `source` is a taint source. */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSource(DataFlow::Node source);
-
-    /** Holds if `sink` is a taint sink. */
-    // overridden to provide taint-tracking specific qldoc
-    abstract override predicate isSink(DataFlow::Node sink);
-
-    /**
-     * Holds if taint should not flow into `node`.
-     */
-    predicate isSanitizer(DataFlow::Node node) { none() }
-
-    /** Holds if data flow from `node1` to `node2` is prohibited. */
-    predicate isSanitizerEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      none()
-    }
-
-    /**
-     * Holds if the additional taint propagation step
-     * from `source` to `target` must be taken into account in the analysis.
-     * This step will only be followed if `target` is not in the `isSanitizer`
-     * predicate.
-     */
-    predicate isAdditionalTaintStep(DataFlow::Node source,
-                                    DataFlow::Node target)
-    { none() }
-
-    final override
-    predicate isBarrier(DataFlow::Node node) { isSanitizer(node) }
-
-    /** DEPRECATED: use `isSanitizerEdge` instead. */
-    override deprecated
-    predicate isBarrierEdge(DataFlow::Node node1, DataFlow::Node node2) {
-      this.isSanitizerEdge(node1, node2)
-    }
-
-    final override
-    predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node target) {
-      this.isAdditionalTaintStep(source, target)
-      or
-      localTaintStep(source, target)
-    }
-  }
-
-  /**
-   * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
-   * (intra-procedural) step.
-   */
-  predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // Taint can flow into using ordinary data flow.
-    DataFlow::localFlowStep(nodeFrom, nodeTo)
-    or
-    // Taint can flow through expressions that alter the value but preserve
-    // more than one bit of it _or_ expressions that follow data through
-    // pointer indirections.
-    exists(Expr exprFrom, Expr exprTo |
-      exprFrom = nodeFrom.asExpr() and
-      exprTo = nodeTo.asExpr()
-    |
-      exprFrom = exprTo.getAChild() and
-      not noParentExprFlow(exprFrom, exprTo) and
-      not noFlowFromChildExpr(exprTo)
-      or
-      // Taint can flow from the `x` variable in `x++` to all subsequent
-      // accesses to the unmodified `x` variable.
-      //
-      // `DataFlow` without taint specifies flow from `++x` and `x += 1` into the
-      // variable `x` and thus into subsequent accesses because those expressions
-      // compute the same value as `x`. This is not the case for `x++`, which
-      // computes a different value, so we have to add that ourselves for taint
-      // tracking. The flow from expression `x` into `x++` etc. is handled in the
-      // case above.
-      exprTo = DataFlow::getAnAccessToAssignedVariable(
-        exprFrom.(PostfixCrementOperation)
-      )
-    )
-    or
-    // Taint can flow through modeled functions
-    exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
-  }
-
-  /**
-   * Holds if taint may propagate from `source` to `sink` in zero or more local
-   * (intra-procedural) steps.
-   */
-  predicate localTaint(DataFlow::Node source, DataFlow::Node sink) {
-    localTaintStep*(source, sink)
-  }
-
-  /**
-   * Holds if we do not propagate taint from `fromExpr` to `toExpr`
-   * even though `toExpr` is the AST parent of `fromExpr`.
-   */
-  private predicate noParentExprFlow(Expr fromExpr, Expr toExpr) {
-    fromExpr = toExpr.(ConditionalExpr).getCondition()
-    or
-    fromExpr = toExpr.(CommaExpr).getLeftOperand()
-    or
-    fromExpr = toExpr.(AssignExpr).getLValue() // LHS of `=`
-  }
-
-  /**
-   * Holds if we do not propagate taint from a child of `e` to `e` itself.
-   */
-  private predicate noFlowFromChildExpr(Expr e) {
-    e instanceof ComparisonOperation
-    or
-    e instanceof LogicalAndExpr
-    or
-    e instanceof LogicalOrExpr
-    or
-    e instanceof Call
-    or
-    e instanceof SizeofOperator
-    or
-    e instanceof AlignofOperator
-  }
-
-  private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
-    exists(DataFlowFunction f, Call call, FunctionOutput outModel, int argOutIndex |
-      call.getTarget() = f and
-      argOut = call.getArgument(argOutIndex) and
-      outModel.isOutParameterPointer(argOutIndex) and
-      exists(int argInIndex, FunctionInput inModel |
-        f.hasDataFlow(inModel, outModel)
-      |
-        // Taint flows from a pointer to a dereference, which DataFlow does not handle
-        // memcpy(&dest_var, tainted_ptr, len)
-        inModel.isInParameterPointer(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-      )
-    )
-    or
-    exists(TaintFunction f, Call call, FunctionOutput outModel, int argOutIndex |
-      call.getTarget() = f and
-      argOut = call.getArgument(argOutIndex) and
-      outModel.isOutParameterPointer(argOutIndex) and
-      exists(int argInIndex, FunctionInput inModel |
-        f.hasTaintFlow(inModel, outModel)
-      |
-        inModel.isInParameterPointer(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-        or
-        inModel.isInParameterPointer(argInIndex) and
-        call.passesByReference(argInIndex, exprIn)
-        or
-        inModel.isInParameter(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-      )
-    )
-  }
+  deprecated
+  class Configuration2 = TaintTracking2::Configuration;
 }
Original file line number	Diff line number	Diff line change
`@@ -206,7 +206,8 @@ class Element extends ElementBase {`
`206`	`206`	`namequalifiers(underlyingElement(this), unresolveElement(result), _, _) or`
`207`	`207`	`initialisers(underlyingElement(this), unresolveElement(result), _, _) or`
`208`	`208`	`exprconv(unresolveElement(result), underlyingElement(this)) or`
`209`		`- param_decl_bind(underlyingElement(this),_,unresolveElement(result))`
	`209`	`+ param_decl_bind(underlyingElement(this),_,unresolveElement(result)) or`
	`210`	`+ using_container(unresolveElement(result),underlyingElement(this))`
`210`	`211`	`}`
`211`	`212`
`212`	`213`	/** Gets the closest `Element` enclosing this one. */