Merge remote-tracking branch 'upstream/master' into ast-field-flow-defbyref

2026-04-30 19:26:02 +02:00 · 2019-09-05 09:33:45 +02:00
parent 067c55adb9 1bb57daf6f
commit 114c2fe0d4
69 changed files with 1702 additions and 462 deletions
--- a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
@@ -61,3 +61,34 @@ void assignBeforeCopy() {
  S copy2 = s2;
  sink(copy2.m1); // flow
 }
+
+struct Wrapper {
+  S s;
+};
+
+void copyIntermediate() {
+  Wrapper w = { { 0, 0 } };
+  S s = w.s;
+  s.m1 = user_input();
+  sink(w.s.m1); // no flow
+}
+
+void pointerIntermediate() {
+  Wrapper w = { { 0, 0 } };
+  S *s = &w.s;
+  s->m1 = user_input();
+  sink(w.s.m1); // flow [FALSE NEGATIVE]
+}
+
+void referenceIntermediate() {
+  Wrapper w = { { 0, 0 } };
+  S &s = w.s;
+  s.m1 = user_input();
+  sink(w.s.m1); // flow [FALSE NEGATIVE]
+}
+
+void nestedAssign() {
+  Wrapper w = { { 0, 0 } };
+  w.s.m1 = user_input();
+  sink(w.s.m1); // flow
+}
--- a/cpp/ql/test/library-tests/dataflow/fields/flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/flow.expected
@@ -109,6 +109,12 @@ edges
 | aliasing.cpp:60:3:60:22 | ... = ... [void] | aliasing.cpp:60:3:60:4 | s2 [post update] [m1, ... (1)] |
 | aliasing.cpp:60:11:60:20 | call to user_input [void] | aliasing.cpp:60:3:60:22 | ... = ... [void] |
 | aliasing.cpp:62:8:62:12 | copy2 [m1, ... (1)] | aliasing.cpp:62:14:62:15 | m1 |
+| aliasing.cpp:92:3:92:3 | w [post update] [s, ... (2)] | aliasing.cpp:93:8:93:8 | w [s, ... (2)] |
+| aliasing.cpp:92:3:92:23 | ... = ... [void] | aliasing.cpp:92:5:92:5 | s [post update] [m1, ... (1)] |
+| aliasing.cpp:92:5:92:5 | s [post update] [m1, ... (1)] | aliasing.cpp:92:3:92:3 | w [post update] [s, ... (2)] |
+| aliasing.cpp:92:12:92:21 | call to user_input [void] | aliasing.cpp:92:3:92:23 | ... = ... [void] |
+| aliasing.cpp:93:8:93:8 | w [s, ... (2)] | aliasing.cpp:93:10:93:10 | s [m1, ... (1)] |
+| aliasing.cpp:93:10:93:10 | s [m1, ... (1)] | aliasing.cpp:93:12:93:13 | m1 |
 | complex.cpp:34:15:34:15 | b [f, ... (2)] | complex.cpp:44:8:44:8 | b [f, ... (2)] |
 | complex.cpp:34:15:34:15 | b [f, ... (2)] | complex.cpp:45:8:45:8 | b [f, ... (2)] |
 | complex.cpp:44:8:44:8 | b [f, ... (2)] | complex.cpp:44:10:44:10 | f [a_, ... (1)] |
@@ -195,6 +201,7 @@ edges
 | aliasing.cpp:29:11:29:12 | m1 | aliasing.cpp:9:11:9:20 | call to user_input [void] | aliasing.cpp:29:11:29:12 | m1 | m1 flows from $@ | aliasing.cpp:9:11:9:20 | call to user_input [void] | call to user_input [void] |
 | aliasing.cpp:30:11:30:12 | m1 | aliasing.cpp:13:10:13:19 | call to user_input [void] | aliasing.cpp:30:11:30:12 | m1 | m1 flows from $@ | aliasing.cpp:13:10:13:19 | call to user_input [void] | call to user_input [void] |
 | aliasing.cpp:62:14:62:15 | m1 | aliasing.cpp:60:11:60:20 | call to user_input [void] | aliasing.cpp:62:14:62:15 | m1 | m1 flows from $@ | aliasing.cpp:60:11:60:20 | call to user_input [void] | call to user_input [void] |
+| aliasing.cpp:93:12:93:13 | m1 | aliasing.cpp:92:12:92:21 | call to user_input [void] | aliasing.cpp:93:12:93:13 | m1 | m1 flows from $@ | aliasing.cpp:92:12:92:21 | call to user_input [void] | call to user_input [void] |
 | complex.cpp:44:12:44:12 | call to a | complex.cpp:55:13:55:22 | call to user_input [void] | complex.cpp:44:12:44:12 | call to a | call to a flows from $@ | complex.cpp:55:13:55:22 | call to user_input [void] | call to user_input [void] |
 | complex.cpp:44:12:44:12 | call to a | complex.cpp:56:13:56:22 | call to user_input [void] | complex.cpp:44:12:44:12 | call to a | call to a flows from $@ | complex.cpp:56:13:56:22 | call to user_input [void] | call to user_input [void] |
 | complex.cpp:44:12:44:12 | call to a | complex.cpp:57:13:57:22 | call to user_input [void] | complex.cpp:44:12:44:12 | call to a | call to a flows from $@ | complex.cpp:57:13:57:22 | call to user_input [void] | call to user_input [void] |
--- a/cpp/ql/test/library-tests/dataflow/partialdefinitions/partialdefinitions.cpp
+++ b/cpp/ql/test/library-tests/dataflow/partialdefinitions/partialdefinitions.cpp
@@ -0,0 +1,16 @@
+
+struct MyStruct
+{
+	int x;
+	struct MySubStruct {
+		int z;
+	} y;
+};
+
+void test()
+{
+	MyStruct s;
+
+	s.x = 1;
+	s.y.z = 1;
+}
--- a/cpp/ql/test/library-tests/dataflow/partialdefinitions/partialdefinitions.expected
+++ b/cpp/ql/test/library-tests/dataflow/partialdefinitions/partialdefinitions.expected
@@ -0,0 +1,3 @@
+| partialdefinitions.cpp:14:2:14:2 | partial def of s | partialdefinitions.cpp:14:2:14:2 | s | partialdefinitions.cpp:14:2:14:8 | ... = ... |
+| partialdefinitions.cpp:15:2:15:2 | partial def of s | partialdefinitions.cpp:15:2:15:2 | s | partialdefinitions.cpp:15:2:15:10 | ... = ... |
+| partialdefinitions.cpp:15:4:15:4 | partial def of y | partialdefinitions.cpp:15:4:15:4 | y | partialdefinitions.cpp:15:2:15:10 | ... = ... |
--- a/cpp/ql/test/library-tests/dataflow/partialdefinitions/partialdefinitions.ql
+++ b/cpp/ql/test/library-tests/dataflow/partialdefinitions/partialdefinitions.ql
@@ -0,0 +1,4 @@
+import semmle.code.cpp.dataflow.internal.FlowVar
+
+from PartialDefinition def
+select def, def.getDefinedExpr(), def.getSubBasicBlockStart()
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -189,11 +189,11 @@
 | taint.cpp:228:11:228:11 | Unknown literal | taint.cpp:228:11:228:11 | constructor init of field t | TAINT |
 | taint.cpp:228:11:228:11 | Unknown literal | taint.cpp:228:11:228:11 | constructor init of field u | TAINT |
 | taint.cpp:228:11:228:11 | `this` parameter in (constructor) | taint.cpp:228:11:228:11 | constructor init of field t [pre-this] |  |
-| taint.cpp:228:11:228:11 | `this` parameter in (constructor) | taint.cpp:243:11:243:11 | constructor init of field t [pre-this] |  |
+| taint.cpp:228:11:228:11 | constructor init of field t [post-this] | taint.cpp:228:11:228:11 | constructor init of field u [pre-this] |  |
+| taint.cpp:228:11:228:11 | constructor init of field t [pre-this] | taint.cpp:228:11:228:11 | constructor init of field u [pre-this] |  |
 | taint.cpp:228:11:232:2 | [...](...){...} | taint.cpp:233:7:233:7 | a |  |
 | taint.cpp:228:11:232:2 | {...} | taint.cpp:228:11:232:2 | [...](...){...} |  |
 | taint.cpp:228:17:228:17 | `this` parameter in operator() | taint.cpp:229:3:229:6 | this |  |
-| taint.cpp:228:17:228:17 | `this` parameter in operator() | taint.cpp:244:3:244:6 | this |  |
 | taint.cpp:229:3:229:6 | this | taint.cpp:230:3:230:6 | this |  |
 | taint.cpp:230:3:230:6 | this | taint.cpp:231:3:231:11 | this |  |
 | taint.cpp:235:11:235:11 | Unknown literal | taint.cpp:235:11:235:11 | constructor init of field t | TAINT |
@@ -212,11 +212,11 @@
 | taint.cpp:238:7:238:12 | call to source | taint.cpp:238:3:238:14 | ... = ... |  |
 | taint.cpp:243:11:243:11 | Unknown literal | taint.cpp:243:11:243:11 | constructor init of field t | TAINT |
 | taint.cpp:243:11:243:11 | Unknown literal | taint.cpp:243:11:243:11 | constructor init of field u | TAINT |
-| taint.cpp:243:11:243:11 | `this` parameter in (constructor) | taint.cpp:228:11:228:11 | constructor init of field t [pre-this] |  |
 | taint.cpp:243:11:243:11 | `this` parameter in (constructor) | taint.cpp:243:11:243:11 | constructor init of field t [pre-this] |  |
+| taint.cpp:243:11:243:11 | constructor init of field t [post-this] | taint.cpp:243:11:243:11 | constructor init of field u [pre-this] |  |
+| taint.cpp:243:11:243:11 | constructor init of field t [pre-this] | taint.cpp:243:11:243:11 | constructor init of field u [pre-this] |  |
 | taint.cpp:243:11:246:2 | [...](...){...} | taint.cpp:247:2:247:2 | c |  |
 | taint.cpp:243:11:246:2 | {...} | taint.cpp:243:11:246:2 | [...](...){...} |  |
-| taint.cpp:243:15:243:15 | `this` parameter in operator() | taint.cpp:229:3:229:6 | this |  |
 | taint.cpp:243:15:243:15 | `this` parameter in operator() | taint.cpp:244:3:244:6 | this |  |
 | taint.cpp:244:3:244:6 | this | taint.cpp:245:3:245:6 | this |  |
 | taint.cpp:249:11:252:2 | [...](...){...} | taint.cpp:253:2:253:2 | d |  |
--- a/Era/ConstructorOrMethodWithExactDate.cpp
+++ b/Era/ConstructorOrMethodWithExactDate.cpp
@@ -37,4 +37,7 @@ int Main()

    // GOOD: method call with the same parameters in a different order (we only track year, month, day)
    EraInfo * pDateTimeUtil4 = EraInfo::EraInfoFromDate(1, 2, 8, 1, 1989, L"\u5e73\u6210");
+
+    // BAD: constructor creating a EraInfo with exact Reiwa era start date
+    EraInfo * pDateTimeUtil5 = new EraInfo(2019, 5, 1);
 }
--- a/Era/JapaneseEraDate.expected
+++ b/Era/JapaneseEraDate.expected
@@ -0,0 +1,7 @@
+| ConstructorOrMethodWithExactDate.cpp:27:31:27:53 | call to EraInfo | Call that appears to have hard-coded Japanese era start date as parameter. |
+| ConstructorOrMethodWithExactDate.cpp:30:32:30:77 | call to EraInfo | Call that appears to have hard-coded Japanese era start date as parameter. |
+| ConstructorOrMethodWithExactDate.cpp:36:32:36:55 | call to EraInfoFromDate | Call that appears to have hard-coded Japanese era start date as parameter. |
+| ConstructorOrMethodWithExactDate.cpp:42:32:42:54 | call to EraInfo | Call that appears to have hard-coded Japanese era start date as parameter. |
+| StructWithExactDate.cpp:31:13:31:19 | tm_year | A time struct that is initialized with exact Japanese calendar era start date. |
+| StructWithExactDate.cpp:46:8:46:12 | wYear | A time struct that is initialized with exact Japanese calendar era start date. |
+| StructWithExactDate.cpp:60:9:60:13 | wYear | A time struct that is initialized with exact Japanese calendar era start date. |
--- a/cpp/ql/test/query-tests/Best
+++ b/cpp/ql/test/query-tests/Best
@@ -0,0 +1 @@
+Best Practices/Magic Constants/JapaneseEraDate.ql
--- a/cpp/ql/test/query-tests/Likely
+++ b/cpp/ql/test/query-tests/Likely
@@ -52,6 +52,13 @@ int main()
    st1.wMonth = 1;
    st1.wYear = 1990;

+
+    // BAD: Creation of SYSTEMTIME stuct corresponding to the beginning of Reiwa era
+    SYSTEMTIME st2;
+    st2.wDay = 1;
+    st2.wMonth = 5;
+    st2.wYear = 2019;
+
    return 0;
 }

--- a/Era/ConstructorOrMethodWithExactEraDate.expected
+++ b/Era/ConstructorOrMethodWithExactEraDate.expected
@@ -1,3 +0,0 @@
-| ConstructorOrMethodWithExactDate.cpp:27:31:27:53 | call to EraInfo | Call that appears to have hard-coded Japanese era start date as parameter. |
-| ConstructorOrMethodWithExactDate.cpp:30:32:30:77 | call to EraInfo | Call that appears to have hard-coded Japanese era start date as parameter. |
-| ConstructorOrMethodWithExactDate.cpp:36:32:36:55 | call to EraInfoFromDate | Call that appears to have hard-coded Japanese era start date as parameter. |
--- a/Era/ConstructorOrMethodWithExactEraDate.qlref
+++ b/Era/ConstructorOrMethodWithExactEraDate.qlref
@@ -1 +0,0 @@
-Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql
--- a/Era/StructWithExactEraDate.expected
+++ b/Era/StructWithExactEraDate.expected
@@ -1,2 +0,0 @@
-| StructWithExactDate.cpp:31:13:31:19 | tm_year | A time struct that is initialized with exact Japanese calendar era start date. |
-| StructWithExactDate.cpp:46:8:46:12 | wYear | A time struct that is initialized with exact Japanese calendar era start date. |
--- a/Era/StructWithExactEraDate.qlref
+++ b/Era/StructWithExactEraDate.qlref
@@ -1 +0,0 @@
-Likely Bugs/JapaneseEra/StructWithExactEraDate.ql
				`@@ -0,0 +1 @@`
				`Best Practices/Magic Constants/JapaneseEraDate.ql`
				`@@ -1 +0,0 @@`
				`Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql`
				`@@ -1 +0,0 @@`
				`Likely Bugs/JapaneseEra/StructWithExactEraDate.ql`