|
2 | 2 |
|
3 | 3 | The following changes in version 1.23 affect C/C++ analysis in all applications. |
4 | 4 |
|
5 | | -## General improvements |
6 | | - |
7 | 5 | ## New queries |
8 | 6 |
|
9 | 7 | | **Query** | **Tags** | **Purpose** | |
10 | 8 | |-----------------------------|-----------|--------------------------------------------------------------------| |
11 | | -| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | reliability, japanese-era | This query is a combination of two old queries that were identical in purpose but separate as an implementation detail. This new query replaces Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) and Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`). | |
12 | | -| Signed overflow check (`cpp/signed-overflow-check`) | correctness, security | Finds overflow checks that rely on signed integer addition to overflow, which has undefined behavior. Example: `a + b < a`. | |
13 | | -| Pointer overflow check (`cpp/pointer-overflow-check`) | correctness, security | Finds overflow checks that rely on pointer addition to overflow, which has undefined behavior. Example: `ptr + a < ptr`. | |
| 9 | +| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | reliability, japanese-era | This query is a combination of two old queries that were identical in purpose but separate as an implementation detail. This new query replaces Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) and Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`). Results are not shown on LGTM by default. | |
| 10 | +| Pointer overflow check (`cpp/pointer-overflow-check`) | correctness, security | Finds overflow checks that rely on pointer addition to overflow, which has undefined behavior. Example: `ptr + a < ptr`. Results are shown on LGTM by default. | |
| 11 | +| Signed overflow check (`cpp/signed-overflow-check`) | correctness, security | Finds overflow checks that rely on signed integer addition to overflow, which has undefined behavior. Example: `a + b < a`. Results are shown on LGTM by default. | |
| 12 | + |
14 | 13 |
|
15 | 14 | ## Changes to existing queries |
16 | 15 |
|
17 | 16 | | **Query** | **Expected impact** | **Change** | |
18 | 17 | |----------------------------|------------------------|------------------------------------------------------------------| |
19 | | -| Query name (`query id`) | Expected impact | Message. | |
| 18 | +| Comparison of narrow type with wide type in loop condition (`cpp/comparison-with-wider-type`) | Higher precision | The precision of this query has been increased to "high" as the alerts from this query have proved to be valuable on real-world projects. With this precision, results are now displayed by default in LGTM. | |
20 | 19 | | Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. | |
21 | 20 | | Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. | |
22 | 21 | | Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | More correct results | This query now checks for the beginning date of the Reiwa era (1st May 2019). | |
| 22 | +| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggrered by mismatching declarations of a formatting function. | |
23 | 23 | | Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results | Results involving `>=` or `<=` are no longer reported. | |
24 | | -| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. | |
25 | | -| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. | |
26 | | -| Unclear comparison precedence (`cpp/comparison-precedence`) | Fewer false positive results | False positives involving template classes and functions have been fixed. | |
27 | | -| Comparison of narrow type with wide type in loop condition (`cpp/comparison-with-wider-type`) | Higher precision | The precision of this query has been increased to "high" as the alerts from this query have proved to be valuable on real-world projects. With this precision, results are now displayed by default in LGTM. | |
28 | | -| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. | |
29 | | -| Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | More correct results and fewer false positive results | This query now understands explicitly specified argument numbers in format strings, such as the `1$` in `%1$s`. | |
| 24 | +| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. | |
| 25 | +| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. | |
| 26 | +| Unclear comparison precedence (`cpp/comparison-precedence`) | Fewer false positive results | False positive results involving template classes and functions have been fixed. | |
| 27 | +| Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | More correct results and fewer false positive results | This query now understands explicitly-specified argument numbers in format strings, such as the `1$` in `%1$s`. | |
30 | 28 |
|
31 | 29 | ## Changes to libraries |
32 | 30 |
|
33 | | -* The data-flow library has been extended with a new feature to aid debugging. |
34 | | - Instead of specifying `isSink(Node n) { any() }` on a configuration to |
35 | | - explore the possible flow from a source, it is recommended to use the new |
36 | | - `Configuration::hasPartialFlow` predicate, as this gives a more complete |
37 | | - picture of the partial flow paths from a given source. The feature is |
38 | | - disabled by default and can be enabled for individual configurations by |
39 | | - overriding `int explorationLimit()`. |
40 | | -* The data-flow library now supports flow out of C++ reference parameters. |
41 | | -* The data-flow library now allows flow through the address-of operator (`&`). |
42 | | -* The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a |
43 | | - definition of `x` when `x` is a variable of pointer type. It no longer |
44 | | - considers deep paths such as `f(&x.myField)` to be definitions of `x`. These |
45 | | - changes are in line with the user expectations we've observed. |
46 | | -* The data-flow library now makes it easier to specify barriers/sanitizers |
47 | | - arising from guards by overriding the predicate |
48 | | - `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking |
49 | | - configurations respectively. |
50 | | -* There is now a `DataFlow::localExprFlow` predicate and a |
51 | | - `TaintTracking::localExprTaint` predicate to make it easy to use the most |
52 | | - common case of local data flow and taint: from one `Expr` to another. |
| 31 | +* The data-flow library in `semmle.code.cpp.dataflow.DataFlow` and |
| 32 | + `semmle.code.cpp.dataflow.TaintTracking` have had extensive changes: |
| 33 | + * Data flow through fields is now more complete and reliable. |
| 34 | + * The data-flow library has been extended with a new feature to aid debugging. |
| 35 | + Previously, to explore the possible flow from all sources you could specify `isSink(Node n) { any() }` on a configuration. |
| 36 | + Now you can use the new `Configuration::hasPartialFlow` predicate, |
| 37 | + which gives a more complete picture of the partial flow paths from a given source, including flow that doesn't reach any sink. |
| 38 | + The feature is disabled by default and can be enabled for individual configurations by overriding `int explorationLimit()`. |
| 39 | + * There is now flow out of C++ reference parameters. |
| 40 | + * There is now flow through the address-of operator (`&`). |
| 41 | + * The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a |
| 42 | + definition of `x` when `x` is a variable of pointer type. It no longer |
| 43 | + considers deep paths such as `f(&x.myField)` to be definitions of `x`. These |
| 44 | + changes are in line with the user expectations we've observed. |
| 45 | + * It's now easier to specify barriers/sanitizers |
| 46 | + arising from guards by overriding the predicate |
| 47 | + `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking |
| 48 | + configurations respectively. |
| 49 | + * There is now a `DataFlow::localExprFlow` predicate and a |
| 50 | + `TaintTracking::localExprTaint` predicate to make it easy to use the most |
| 51 | + common case of local data flow and taint: from one `Expr` to another. |
53 | 52 | * The member predicates of the `FunctionInput` and `FunctionOutput` classes have been renamed for |
54 | | - clarity (e.g. `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates |
| 53 | + clarity (for example, `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates |
55 | 54 | have been deprecated, and will be removed in a future release. Code that uses the old member |
56 | 55 | predicates should be updated to use the corresponding new member predicate. |
57 | | -* The predicates `Declaration.hasStdName()` and `Declaration.hasGlobalOrStdName` |
58 | | - have been added, simplifying handling of C++ standard library functions. |
| 56 | +* The predicate `Declaration.hasGlobalOrStdName` has been added, making it |
| 57 | + easier to recognize C library functions called from C++. |
59 | 58 | * The control-flow graph is now computed in QL, not in the extractor. This can |
60 | | - lead to regressions (or improvements) in how queries are optimized because |
| 59 | + lead to changes in how queries are optimized because |
61 | 60 | optimization in QL relies on static size estimates, and the control-flow edge |
62 | 61 | relations will now have different size estimates than before. |
63 | 62 | * Support has been added for non-type template arguments. This means that the |
64 | 63 | return type of `Declaration::getTemplateArgument()` and |
65 | | - `Declaration::getATemplateArgument` have changed to `Locatable`. See the |
66 | | - documentation for `Declaration::getTemplateArgument()` and |
67 | | - `Declaration::getTemplateArgumentKind()` for details. |
| 64 | + `Declaration::getATemplateArgument` have changed to `Locatable`. For details, see the |
| 65 | + CodeQL library documentation for `Declaration::getTemplateArgument()` and |
| 66 | + `Declaration::getTemplateArgumentKind()`. |
0 commit comments