Merge branch 'master' into overflowcalc

2026-05-03 20:58:03 +02:00 · 2019-12-16 13:48:38 +00:00
parent 2faae4dcb1 8b1892d900
commit 0da826f0c3
573 changed files with 31122 additions and 21221 deletions
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -16,7 +16,7 @@ private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 import semmle.code.cpp.security.TaintTracking

 predicate hasUpperBound(VariableAccess offsetExpr) {
-  exists(BasicBlock controlled, LocalScopeVariable offsetVar, SsaDefinition def |
+  exists(BasicBlock controlled, StackVariable offsetVar, SsaDefinition def |
    controlled.contains(offsetExpr) and
    linearBoundControls(controlled, def, offsetVar) and
    offsetExpr = def.getAUse(offsetVar)
@@ -24,7 +24,7 @@ predicate hasUpperBound(VariableAccess offsetExpr) {
 }

 pragma[noinline]
-predicate linearBoundControls(BasicBlock controlled, SsaDefinition def, LocalScopeVariable offsetVar) {
+predicate linearBoundControls(BasicBlock controlled, SsaDefinition def, StackVariable offsetVar) {
  exists(GuardCondition guard, boolean branch |
    guard.controls(controlled, branch) and
    cmpWithLinearBound(guard, def.getAUse(offsetVar), Lesser(), branch)
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -44,7 +44,7 @@ Element friendlyLoc(Expr e) {
  not e instanceof Access and not e instanceof Call and result = e
 }

-from Loop l, RelationalOperation rel, Expr small, Expr large
+from Loop l, RelationalOperation rel, VariableAccess small, Expr large
 where
  small = rel.getLesserOperand() and
  large = rel.getGreaterOperand() and
@@ -60,7 +60,7 @@ where
  not getComparisonSize(large.(SubExpr).getLeftOperand().getExplicitlyConverted()) <= getComparisonSize(small) and
  not getComparisonSize(large.(RShiftExpr).getLeftOperand().getExplicitlyConverted()) <= getComparisonSize(small) and
  // ignore loop-invariant smaller variables
-  loopVariant(small.getAChild*(), l)
+  loopVariant(small, l)
 select rel,
  "Comparison between $@ of type " + small.getType().getName() + " and $@ of wider type " +
    large.getType().getName() + ".", friendlyLoc(small), small.toString(), friendlyLoc(large),
--- a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+++ b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -82,7 +82,7 @@ FunctionCall stat(Expr path, Expr buf) {
 predicate referenceTo(Expr source, Expr use) {
  source = use
  or
-  exists(SsaDefinition def, LocalScopeVariable v |
+  exists(SsaDefinition def, StackVariable v |
    def.getAnUltimateDefiningValue(v) = source and def.getAUse(v) = use
  )
 }
@@ -109,9 +109,7 @@ where
    )
  ) and
  // checkUse and opUse refer to the same SSA variable
-  exists(SsaDefinition def, LocalScopeVariable v |
-    def.getAUse(v) = checkUse and def.getAUse(v) = opUse
-  ) and
+  exists(SsaDefinition def, StackVariable v | def.getAUse(v) = checkUse and def.getAUse(v) = opUse) and
  // opUse looks like an operation on a filename
  fc = filenameOperation(opUse) and
  // the return value of check is used (possibly with one step of
--- a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
@@ -1,7 +1,7 @@
 /**
 * @name Conditionally uninitialized variable
- * @description When an initialization function is used to initialize a local variable, but the
- *              returned status code is not checked, the variable may be left in an uninitialized
+ * @description An initialization function is used to initialize a local variable, but the
+ *              returned status code is not checked. The variable may be left in an uninitialized
 *              state, and reading the variable may result in undefined behavior.
 * @kind problem
 * @problem.severity warning
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingCommon.qll
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingCommon.qll
@@ -100,9 +100,9 @@ Type baseType(Type t) {
 */
 predicate exprSourceType(Expr use, Type sourceType, Location sourceLoc) {
  // Reaching definitions.
-  if exists(SsaDefinition def, LocalScopeVariable v | use = def.getAUse(v))
+  if exists(SsaDefinition def, StackVariable v | use = def.getAUse(v))
  then
-    exists(SsaDefinition def, LocalScopeVariable v | use = def.getAUse(v) |
+    exists(SsaDefinition def, StackVariable v | use = def.getAUse(v) |
      defSourceType(def, v, sourceType, sourceLoc)
    )
  else
@@ -137,7 +137,7 @@ predicate exprSourceType(Expr use, Type sourceType, Location sourceLoc) {
 * Holds if there is a pointer expression with type `sourceType` at
 * location `sourceLoc` which might define the value of `v` at `def`.
 */
-predicate defSourceType(SsaDefinition def, LocalScopeVariable v, Type sourceType, Location sourceLoc) {
+predicate defSourceType(SsaDefinition def, StackVariable v, Type sourceType, Location sourceLoc) {
  exprSourceType(def.getDefiningValue(v), sourceType, sourceLoc)
  or
  defSourceType(def.getAPhiInput(v), v, sourceType, sourceLoc)