hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 08:43:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into tausbn/python-refine-location-of-flask-request-sources

Browse Source
This commit is contained in:
Taus
2025-09-02 14:59:55 +02:00
committed by GitHub
parent 0f4f909ded 31852985e5
commit 1b6e3c4ef4
1091 changed files with 72277 additions and 23968 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/build-ripunzip.yml vendored
View File

@@ -20,7 +20,7 @@ jobs:
os: [ubuntu-22.04, macos-13, windows-2022]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
repository: google/ripunzip
ref: ${{ inputs.ripunzip-version }}
@@ -28,7 +28,7 @@ jobs:
# see https://github.com/sfackler/rust-openssl/issues/183
- if: runner.os == 'Linux'
name: checkout openssl
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
repository: openssl/openssl
path: openssl

2
.github/workflows/buildifier.yml vendored
View File

@@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Check bazel formatting
uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
with:

2
.github/workflows/check-implicit-this.yml vendored
View File

@@ -16,7 +16,7 @@ jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Check that implicit this warnings is enabled for all packs
shell: bash
run: |

2
.github/workflows/check-overlay-annotations.yml vendored
View File

@@ -17,7 +17,7 @@ jobs:
sync:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Check overlay annotations
run: python config/add-overlay-annotations.py --check java

2
.github/workflows/check-qldoc.yml vendored
View File

@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 2

2
.github/workflows/check-query-ids.yml vendored
View File

@@ -19,6 +19,6 @@ jobs:
name: Check query IDs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Check for duplicate query IDs
run: python3 misc/scripts/check-query-ids.py

2
.github/workflows/codeql-analysis.yml vendored
View File

@@ -37,7 +37,7 @@ jobs:
dotnet-version: 9.0.100
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v5
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL

2
.github/workflows/compile-queries.yml vendored
View File

@@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-latest-xl
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Setup CodeQL
uses: ./.github/actions/fetch-codeql
with:

2
.github/workflows/cpp-swift-analysis.yml vendored
View File

@@ -28,7 +28,7 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v5
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL

4
.github/workflows/csharp-qltest.yml vendored
View File

@@ -39,7 +39,7 @@ jobs:
os: [ubuntu-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Setup dotnet
uses: actions/setup-dotnet@v4
with:
@@ -55,7 +55,7 @@ jobs:
stubgentest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: ./csharp/actions/create-extractor-pack
- name: Run stub generator tests
run: |

4
.github/workflows/csv-coverage-metrics.yml vendored
View File

@@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Setup CodeQL
uses: ./.github/actions/fetch-codeql
- name: Create empty database
@@ -51,7 +51,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Setup CodeQL
uses: ./.github/actions/fetch-codeql
- name: Create empty database

4
.github/workflows/csv-coverage-pr-artifacts.yml vendored
View File

@@ -35,11 +35,11 @@ jobs:
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
run: echo "$GITHUB_CONTEXT"
- name: Clone self (github/codeql) - MERGE
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
path: merge
- name: Clone self (github/codeql) - BASE
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
fetch-depth: 2
path: base

2
.github/workflows/csv-coverage-pr-comment.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
run: echo "$GITHUB_CONTEXT"
- name: Clone self (github/codeql)
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Set up Python 3.8
uses: actions/setup-python@v4
with:

4
.github/workflows/csv-coverage-timeseries.yml vendored
View File

@@ -12,11 +12,11 @@ jobs:
steps:
- name: Clone self (github/codeql)
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
path: script
- name: Clone self (github/codeql) for analysis
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
path: codeqlModels
fetch-depth: 0

2
.github/workflows/csv-coverage-update.yml vendored
View File

@@ -21,7 +21,7 @@ jobs:
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
run: echo "$GITHUB_CONTEXT"
- name: Clone self (github/codeql)
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
path: ql
fetch-depth: 0

4
.github/workflows/csv-coverage.yml vendored
View File

@@ -16,11 +16,11 @@ jobs:
steps:
- name: Clone self (github/codeql)
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
path: script
- name: Clone self (github/codeql) for analysis
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
path: codeqlModels
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}

2
.github/workflows/fast-forward.yml vendored
View File

@@ -26,7 +26,7 @@ jobs:
exit 1
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Git config
shell: bash

2
.github/workflows/go-tests.yml vendored
View File

@@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-latest-xl
steps:
- name: Check out code
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Run tests
uses: ./go/actions/test
with:

2
.github/workflows/kotlin-build.yml vendored
View File

@@ -20,7 +20,7 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- run: |
bazel query //java/kotlin-extractor/...
# only build the default version as a quick check that we can build from `codeql`

4
.github/workflows/mad_modelDiff.yml vendored
View File

@@ -28,12 +28,12 @@ jobs:
slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
steps:
- name: Clone github/codeql from PR
uses: actions/checkout@v4
uses: actions/checkout@v5
if: github.event.pull_request
with:
path: codeql-pr
- name: Clone github/codeql from main
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
path: codeql-main
ref: main

4
.github/workflows/mad_regenerate-models.yml vendored
View File

@@ -30,11 +30,11 @@ jobs:
ref: "placeholder"
steps:
- name: Clone self (github/codeql)
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Setup CodeQL binaries
uses: ./.github/actions/fetch-codeql
- name: Clone repositories
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
path: repos/${{ matrix.ref }}
ref: ${{ matrix.ref }}

2
.github/workflows/python-tooling.yml vendored
View File

@@ -21,7 +21,7 @@ jobs:
check-python-tooling:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: actions/setup-python@v5
with:
python-version: '3.12'

2
.github/workflows/qhelp-pr-preview.yml vendored
View File

@@ -43,7 +43,7 @@ jobs:
if-no-files-found: error
retention-days: 1
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 2
persist-credentials: false

2
.github/workflows/ql-for-ql-build.yml vendored
View File

@@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest-xl
steps:
### Build the queries ###
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Find codeql

6
.github/workflows/ql-for-ql-dataset_measure.yml vendored
View File

@@ -25,7 +25,7 @@ jobs:
- github/codeql
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Find codeql
id: find-codeql
@@ -46,7 +46,7 @@ jobs:
env:
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
- name: Checkout ${{ matrix.repo }}
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
repository: ${{ matrix.repo }}
path: ${{ github.workspace }}/repo
@@ -75,7 +75,7 @@ jobs:
runs-on: ubuntu-latest
needs: measure
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: actions/download-artifact@v4
with:
name: measurements

4
.github/workflows/ql-for-ql-tests.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
qltest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@main
@@ -64,7 +64,7 @@ jobs:
needs: [qltest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Install GNU tar
if: runner.os == 'macOS'
run: |

2
.github/workflows/query-list.yml vendored
View File

@@ -23,7 +23,7 @@ jobs:
steps:
- name: Clone self (github/codeql)
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
path: codeql
- name: Set up Python 3.8

8
.github/workflows/ruby-build.yml vendored
View File

@@ -47,7 +47,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Install GNU tar
if: runner.os == 'macOS'
run: |
@@ -113,7 +113,7 @@ jobs:
if: github.repository_owner == 'github'
runs-on: ubuntu-latest-xl
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Fetch CodeQL
uses: ./.github/actions/fetch-codeql
- name: Cache compilation cache
@@ -146,7 +146,7 @@ jobs:
runs-on: ubuntu-latest
needs: [build, compile-queries]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: actions/download-artifact@v4
with:
name: ruby.dbscheme
@@ -209,7 +209,7 @@ jobs:
runs-on: ${{ matrix.os }}
needs: [package]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Fetch CodeQL
uses: ./.github/actions/fetch-codeql

6
.github/workflows/ruby-dataset-measure.yml vendored
View File

@@ -30,14 +30,14 @@ jobs:
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: ./.github/actions/fetch-codeql
- uses: ./ruby/actions/create-extractor-pack
- name: Checkout ${{ matrix.repo }}
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
repository: ${{ matrix.repo }}
path: ${{ github.workspace }}/repo
@@ -62,7 +62,7 @@ jobs:
runs-on: ubuntu-latest
needs: measure
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: actions/download-artifact@v4
with:
path: stats

2
.github/workflows/ruby-qltest-rtjo.yml vendored
View File

@@ -25,7 +25,7 @@ jobs:
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: ./.github/actions/fetch-codeql
- uses: ./ruby/actions/create-extractor-pack
- name: Cache compilation cache

4
.github/workflows/ruby-qltest.yml vendored
View File

@@ -36,7 +36,7 @@ jobs:
qlupgrade:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: ./.github/actions/fetch-codeql
- name: Check DB upgrade scripts
run: |
@@ -58,7 +58,7 @@ jobs:
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: ./.github/actions/fetch-codeql
- uses: ./ruby/actions/create-extractor-pack
- name: Cache compilation cache

2
.github/workflows/rust-analysis.yml vendored
View File

@@ -35,7 +35,7 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Query latest nightly CodeQL bundle
shell: bash

6
.github/workflows/rust.yml vendored
View File

@@ -30,7 +30,7 @@ jobs:
working-directory: rust/ast-generator
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Inject sources
shell: bash
run: |
@@ -53,7 +53,7 @@ jobs:
working-directory: rust/extractor
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Format
shell: bash
run: |
@@ -69,7 +69,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Install CodeQL
uses: ./.github/actions/fetch-codeql
- name: Code generation

8
.github/workflows/swift.yml vendored
View File

@@ -36,7 +36,7 @@ jobs:
fail-fast: false
runs-on: ${{ matrix.runner }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Setup (Linux)
if: runner.os == 'Linux'
run: |
@@ -53,7 +53,7 @@ jobs:
clang-format:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
name: Check that python code is properly formatted
with:
@@ -61,7 +61,7 @@ jobs:
codegen:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- uses: ./.github/actions/fetch-codeql
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
name: Check that QL generated code was checked in
@@ -77,6 +77,6 @@ jobs:
check-no-override:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Check that no override is present in load.bzl
run: bazel test ... --test_tag_filters=override --test_output=errors

2
.github/workflows/sync-files.yml vendored
View File

@@ -17,7 +17,7 @@ jobs:
sync:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Check synchronized files
run: python config/sync-files.py
- name: Check dbscheme fragments

6
.github/workflows/tree-sitter-extractor-test.yml vendored
View File

@@ -30,7 +30,7 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Check formatting
run: cargo fmt -- --check
- name: Run tests
@@ -38,12 +38,12 @@ jobs:
fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Check formatting
run: cargo fmt --check
clippy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Run clippy
run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments

2
.github/workflows/validate-change-notes.yml vendored
View File

@@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Setup CodeQL
uses: ./.github/actions/fetch-codeql

2
.github/workflows/zipmerge-test.yml vendored
View File

@@ -18,6 +18,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- run: |
bazel test //misc/bazel/internal/zipmerge:test --test_output=all

770
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

52
MODULE.bazel
View File

@@ -98,49 +98,49 @@ use_repo(
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
use_repo(
tree_sitter_extractors_deps,
"vendor_ts__anyhow-1.0.98",
"vendor_ts__anyhow-1.0.99",
"vendor_ts__argfile-0.2.1",
"vendor_ts__chalk-ir-0.103.0",
"vendor_ts__chalk-ir-0.104.0",
"vendor_ts__chrono-0.4.41",
"vendor_ts__clap-4.5.40",
"vendor_ts__clap-4.5.44",
"vendor_ts__dunce-1.0.5",
"vendor_ts__either-1.15.0",
"vendor_ts__encoding-0.2.33",
"vendor_ts__figment-0.10.19",
"vendor_ts__flate2-1.1.0",
"vendor_ts__glob-0.3.2",
"vendor_ts__glob-0.3.3",
"vendor_ts__globset-0.4.15",
"vendor_ts__itertools-0.14.0",
"vendor_ts__lazy_static-1.5.0",
"vendor_ts__mustache-0.9.0",
"vendor_ts__num-traits-0.2.19",
"vendor_ts__num_cpus-1.17.0",
"vendor_ts__proc-macro2-1.0.95",
"vendor_ts__proc-macro2-1.0.97",
"vendor_ts__quote-1.0.40",
"vendor_ts__ra_ap_base_db-0.0.288",
"vendor_ts__ra_ap_cfg-0.0.288",
"vendor_ts__ra_ap_hir-0.0.288",
"vendor_ts__ra_ap_hir_def-0.0.288",
"vendor_ts__ra_ap_hir_expand-0.0.288",
"vendor_ts__ra_ap_hir_ty-0.0.288",
"vendor_ts__ra_ap_ide_db-0.0.288",
"vendor_ts__ra_ap_intern-0.0.288",
"vendor_ts__ra_ap_load-cargo-0.0.288",
"vendor_ts__ra_ap_parser-0.0.288",
"vendor_ts__ra_ap_paths-0.0.288",
"vendor_ts__ra_ap_project_model-0.0.288",
"vendor_ts__ra_ap_span-0.0.288",
"vendor_ts__ra_ap_stdx-0.0.288",
"vendor_ts__ra_ap_syntax-0.0.288",
"vendor_ts__ra_ap_vfs-0.0.288",
"vendor_ts__rand-0.9.1",
"vendor_ts__ra_ap_base_db-0.0.300",
"vendor_ts__ra_ap_cfg-0.0.300",
"vendor_ts__ra_ap_hir-0.0.300",
"vendor_ts__ra_ap_hir_def-0.0.300",
"vendor_ts__ra_ap_hir_expand-0.0.300",
"vendor_ts__ra_ap_hir_ty-0.0.300",
"vendor_ts__ra_ap_ide_db-0.0.300",
"vendor_ts__ra_ap_intern-0.0.300",
"vendor_ts__ra_ap_load-cargo-0.0.300",
"vendor_ts__ra_ap_parser-0.0.300",
"vendor_ts__ra_ap_paths-0.0.300",
"vendor_ts__ra_ap_project_model-0.0.300",
"vendor_ts__ra_ap_span-0.0.300",
"vendor_ts__ra_ap_stdx-0.0.300",
"vendor_ts__ra_ap_syntax-0.0.300",
"vendor_ts__ra_ap_vfs-0.0.300",
"vendor_ts__rand-0.9.2",
"vendor_ts__rayon-1.10.0",
"vendor_ts__regex-1.11.1",
"vendor_ts__serde-1.0.219",
"vendor_ts__serde_json-1.0.140",
"vendor_ts__serde_with-3.13.0",
"vendor_ts__syn-2.0.103",
"vendor_ts__toml-0.8.23",
"vendor_ts__serde_json-1.0.142",
"vendor_ts__serde_with-3.14.0",
"vendor_ts__syn-2.0.104",
"vendor_ts__toml-0.9.5",
"vendor_ts__tracing-0.1.41",
"vendor_ts__tracing-flame-0.2.0",
"vendor_ts__tracing-subscriber-0.3.19",

2
actions/extractor/codeql-extractor.yml
View File

@@ -6,6 +6,8 @@ column_kind: "utf16"
unicode_newlines: true
build_modes:
- none
default_queries:
- codeql/actions-queries
file_coverage_languages: []
github_api_languages: []
scc_languages: []

4
actions/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.4.16
No user-facing changes.
## 0.4.15
No user-facing changes.

3
actions/ql/lib/change-notes/released/0.4.16.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.16
No user-facing changes.

2
actions/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.15
lastReleaseVersion: 0.4.16

38
actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
View File

@@ -3,6 +3,8 @@ private import codeql.controlflow.Cfg as CfgShared
private import codeql.Locations
module Completion {
import codeql.controlflow.SuccessorType
private newtype TCompletion =
TSimpleCompletion() or
TBooleanCompletion(boolean b) { b in [false, true] } or
@@ -25,7 +27,7 @@ module Completion {
override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }
override NormalSuccessor getAMatchingSuccessorType() { any() }
override DirectSuccessor getAMatchingSuccessorType() { any() }
}
class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
@@ -49,34 +51,6 @@ module Completion {
override ReturnSuccessor getAMatchingSuccessorType() { any() }
}
cached
private newtype TSuccessorType =
TNormalSuccessor() or
TBooleanSuccessor(boolean b) { b in [false, true] } or
TReturnSuccessor()
class SuccessorType extends TSuccessorType {
string toString() { none() }
}
class NormalSuccessor extends SuccessorType, TNormalSuccessor {
override string toString() { result = "successor" }
}
class BooleanSuccessor extends SuccessorType, TBooleanSuccessor {
boolean value;
BooleanSuccessor() { this = TBooleanSuccessor(value) }
override string toString() { result = value.toString() }
boolean getValue() { result = value }
}
class ReturnSuccessor extends SuccessorType, TReturnSuccessor {
override string toString() { result = "return" }
}
}
module CfgScope {
@@ -127,14 +101,8 @@ private module Implementation implements CfgShared::InputSig<Location> {
last(scope.(CompositeAction), e, c)
}
predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor }
SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
predicate isAbnormalExitType(SuccessorType t) { none() }
int idOfAstNode(AstNode node) { none() }
int idOfCfgScope(CfgScope scope) { none() }

2
actions/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.16-dev
version: 0.4.17-dev
library: true
warnOnImplicitThis: true
dependencies:

4
actions/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.6.8
No user-facing changes.
## 0.6.7
No user-facing changes.

3
actions/ql/src/change-notes/released/0.6.8.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.6.8
No user-facing changes.

2
actions/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.7
lastReleaseVersion: 0.6.8

2
actions/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.6.8-dev
version: 0.6.9-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]

2436
cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2423
cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

4
cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/upgrade.properties Normal file
View File

@@ -0,0 +1,4 @@
description: Link PCH creations and uses
compatibility: full
pch_uses.rel: delete
pch_creations.rel: delete

11
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,14 @@
## 5.5.0
### New Features
* Added a new class `PchFile` representing precompiled header (PCH) files used during project compilation.
### Minor Analysis Improvements
* Added flow summaries for the `Microsoft::WRL::ComPtr` member functions.
* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.
## 5.4.1
### Minor Analysis Improvements

4
cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.

10
cpp/ql/lib/change-notes/released/5.5.0.md Normal file
View File

@@ -0,0 +1,10 @@
## 5.5.0
### New Features
* Added a new class `PchFile` representing precompiled header (PCH) files used during project compilation.
### Minor Analysis Improvements
* Added flow summaries for the `Microsoft::WRL::ComPtr` member functions.
* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.4.1
lastReleaseVersion: 5.5.0

1
cpp/ql/lib/cpp.qll
View File

@@ -15,6 +15,7 @@
import Customizations
import semmle.code.cpp.File
import semmle.code.cpp.PchFile
import semmle.code.cpp.Linkage
import semmle.code.cpp.Location
import semmle.code.cpp.Compilation

31
cpp/ql/lib/ext/ComPtr.model.yml Normal file
View File

@@ -0,0 +1,31 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["Microsoft::WRL", "ComPtr", True, "ComPtr<T>", "(T *)", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "ComPtr", "(const ComPtr &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "ComPtr", "(ComPtr &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "As", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "AsIID", "", "", "Argument[-1]", "Argument[*1]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "AsWeak", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "Attach", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr<T>", True, "CopyTo", "(T **)", "", "Argument[-1].Element[@]", "Argument[**@0]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "CopyTo<T>", "(T **)", "", "Argument[-1].Element[@]", "Argument[**@0]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "CopyTo", "(REFIID,void **)", "", "Argument[-1].Element[@]", "Argument[**@1]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "Detach", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "Get", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "GetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "ReleaseAndGetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "Swap", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "Swap", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "operator&", "", "", "Argument[-1]", "ReturnValue.Element", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "operator->", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr<T>", True, "operator=", "(T *)", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr<T>", True, "operator=", "(T *)", "", "Argument[*@0]", "ReturnValue[*].Element[@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "operator=<U>", "(U *)", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "operator=<U>", "(U *)", "", "Argument[*@0]", "ReturnValue[*].Element[@]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "operator=", "(const ComPtr &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "operator=", "(const ComPtr &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "operator=", "(ComPtr &&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
- ["Microsoft::WRL", "ComPtr", True, "operator=", "(ComPtr &&)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]

12
cpp/ql/lib/ext/ComPtrRef.model.yml Normal file
View File

@@ -0,0 +1,12 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["Microsoft::WRL::Details", "ComPtrRef", True, "ComPtrRef", "", "", "Argument[*0]", "Argument[-1].Element[@]", "value", "manual"]
- ["Microsoft::WRL::Details", "ComPtrRef", True, "GetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
# TODO: We cannot yet model https://learn.microsoft.com/en-us/cpp/cppcx/wrl/comptrref-class?view=msvc-170#operator-interfacetype-star-star
- ["Microsoft::WRL::Details", "ComPtrRef", True, "operator*", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
# TODO: We cannot yet model https://learn.microsoft.com/en-us/cpp/cppcx/wrl/comptrref-class?view=msvc-170#operator-t-star
- ["Microsoft::WRL::Details", "ComPtrRef", True, "operator void**", "", "", "Argument[-1].Element[@]", "ReturnValue[**@]", "value", "manual"]
- ["Microsoft::WRL::Details", "ComPtrRef", True, "ReleaseAndGetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**@]", "value", "manual"]

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 5.4.2-dev
version: 5.5.1-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

26
cpp/ql/lib/semmle/code/cpp/PchFile.qll Normal file
View File

@@ -0,0 +1,26 @@
/**
* Provides the `PchFile` class representing precompiled header (PCH) files created and
* used during the build process.
*/
import semmle.code.cpp.File
/**
* A precompiled header (PCH) file created during the build process.
*/
class PchFile extends @pch {
/**
* Gets a textual representation of this element.
*/
string toString() { result = "PCH for " + this.getHeaderFile() }
/**
* Gets the header file from which the PCH file was created.
*/
File getHeaderFile() { pch_creations(this, _, result) }
/**
* Gets a source file that includes the PCH.
*/
File getAUse() { pch_uses(this, _, result) }
}

22
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
View File

@@ -1880,9 +1880,7 @@ module IteratorFlow {
}
}
private module SsaInput implements SsaImpl::InputSig<Location> {
import Ssa::InputSigCommon
private module SsaInput implements SsaImpl::InputSig<Location, IRCfg::BasicBlock> {
class SourceVariable = IteratorFlow::SourceVariable;
/** A call to function that dereferences an iterator. */
@@ -1960,7 +1958,7 @@ module IteratorFlow {
* Holds if `(bb, i)` contains a write to an iterator that may have been obtained
* by calling `begin` (or related functions) on the variable `v`.
*/
predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
predicate variableWrite(IRCfg::BasicBlock bb, int i, SourceVariable v, boolean certain) {
certain = false and
exists(GetsIteratorCall beginCall, Instruction writeToDeref, IRBlock bbQual, int iQual |
isIteratorStoreInstruction(beginCall, writeToDeref) and
@@ -1971,12 +1969,12 @@ module IteratorFlow {
}
/** Holds if `(bb, i)` reads the container variable `v`. */
predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
predicate variableRead(IRCfg::BasicBlock bb, int i, SourceVariable v, boolean certain) {
Ssa::variableRead(bb, i, v, certain)
}
}
private module IteratorSsa = SsaImpl::Make<Location, SsaInput>;
private module IteratorSsa = SsaImpl::Make<Location, IRCfg, SsaInput>;
private module DataFlowIntegrationInput implements IteratorSsa::DataFlowIntegrationInputSig {
private import codeql.util.Void
@@ -1989,7 +1987,7 @@ module IteratorFlow {
)
}
predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { bb.getInstruction(i) = this }
predicate hasCfgNode(IRCfg::BasicBlock bb, int i) { bb.getInstruction(i) = this }
}
predicate ssaDefHasSource(IteratorSsa::WriteDefinition def) { none() }
@@ -1999,20 +1997,16 @@ module IteratorFlow {
class GuardValue = Void;
class Guard extends Void {
predicate hasValueBranchEdge(
SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue val
) {
predicate hasValueBranchEdge(IRCfg::BasicBlock bb1, IRCfg::BasicBlock bb2, GuardValue val) {
none()
}
predicate valueControlsBranchEdge(
SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue val
) {
predicate valueControlsBranchEdge(IRCfg::BasicBlock bb1, IRCfg::BasicBlock bb2, GuardValue val) {
none()
}
}
predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, GuardValue val) {
predicate guardDirectlyControlsBlock(Guard guard, IRCfg::BasicBlock bb, GuardValue val) {
none()
}

19
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
View File

@@ -891,15 +891,14 @@ private predicate baseSourceVariableIsGlobal(
)
}
private module SsaInput implements Ssa::InputSig<Location> {
import InputSigCommon
private module SsaInput implements Ssa::InputSig<Location, IRCfg::BasicBlock> {
import SourceVariables
/**
* Holds if the `i`'th write in block `bb` writes to the variable `v`.
* `certain` is `true` if the write is guaranteed to overwrite the entire variable.
*/
predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
predicate variableWrite(IRCfg::BasicBlock bb, int i, SourceVariable v, boolean certain) {
DataFlowImplCommon::forceCachingInSameStage() and
(
exists(DefImpl def | def.hasIndexInBlock(v, bb, i) |
@@ -917,7 +916,7 @@ private module SsaInput implements Ssa::InputSig<Location> {
* Holds if the `i`'th read in block `bb` reads to the variable `v`.
* `certain` is `true` if the read is guaranteed. For C++, this is always the case.
*/
predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
predicate variableRead(IRCfg::BasicBlock bb, int i, SourceVariable v, boolean certain) {
exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
if use.isCertain() then certain = true else certain = false
)
@@ -965,7 +964,7 @@ class GlobalDef extends Definition {
GlobalLikeVariable getVariable() { result = impl.getVariable() }
}
private module SsaImpl = Ssa::Make<Location, SsaInput>;
private module SsaImpl = Ssa::Make<Location, IRCfg, SsaInput>;
private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationInputSig {
private import codeql.util.Boolean
@@ -978,7 +977,7 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
)
}
predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { bb.getInstruction(i) = this }
predicate hasCfgNode(IRCfg::BasicBlock bb, int i) { bb.getInstruction(i) = this }
}
Expr getARead(SsaImpl::Definition def) {
@@ -1006,9 +1005,7 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
class Guard instanceof IRGuards::IRGuardCondition {
string toString() { result = super.toString() }
predicate hasValueBranchEdge(
SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue branch
) {
predicate hasValueBranchEdge(IRCfg::BasicBlock bb1, IRCfg::BasicBlock bb2, GuardValue branch) {
exists(EdgeKind kind |
super.getBlock() = bb1 and
kind = getConditionalEdge(branch) and
@@ -1017,13 +1014,13 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
}
predicate valueControlsBranchEdge(
SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue branch
IRCfg::BasicBlock bb1, IRCfg::BasicBlock bb2, GuardValue branch
) {
this.hasValueBranchEdge(bb1, bb2, branch)
}
}
predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, GuardValue branch) {
predicate guardDirectlyControlsBlock(Guard guard, IRCfg::BasicBlock bb, GuardValue branch) {
guard.(IRGuards::IRGuardCondition).controls(bb, branch)
}

18
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
View File

@@ -768,21 +768,3 @@ private module Cached {
}
import Cached
/**
* Inputs to the shared SSA library's parameterized module that is shared
* between the SSA pruning stage, and the final SSA stage.
*/
module InputSigCommon {
class BasicBlock extends IRBlock {
ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
int length() { result = this.getInstructionCount() }
}
class ControlFlowNode = Instruction;
BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
}

16
cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll
View File

@@ -2,6 +2,7 @@
* Provides classes that specify the conditions under which control flows along a given edge.
*/
private import codeql.controlflow.SuccessorType
private import internal.EdgeKindInternal
private newtype TEdgeKind =
@@ -28,6 +29,21 @@ abstract private class EdgeKindImpl extends TEdgeKind {
final class EdgeKind = EdgeKindImpl;
private SuccessorType getAMatchingSpecificSuccessorType(EdgeKind k) {
result.(BooleanSuccessor).getValue() = true and k instanceof TrueEdge
or
result.(BooleanSuccessor).getValue() = false and k instanceof FalseEdge
or
result instanceof ExceptionSuccessor and k instanceof ExceptionEdge
}
SuccessorType getAMatchingSuccessorType(EdgeKind k) {
result = getAMatchingSpecificSuccessorType(k)
or
not exists(getAMatchingSpecificSuccessorType(k)) and
result instanceof DirectSuccessor
}
/**
* A "goto" edge, representing the unconditional successor of an `Instruction`
* or `IRBlock`.

49
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll
View File

@@ -7,6 +7,7 @@ import Instruction
private import internal.IRBlockImports as Imports
import Imports::EdgeKind
private import Cached
private import codeql.controlflow.BasicBlock as BB
/**
* Holds if `block` is a block in `func` and `sortOverride`, `sortKey1`, and `sortKey2` are the
@@ -263,6 +264,54 @@ private predicate isEntryBlock(TIRBlock block) {
block = MkIRBlock(any(EnterFunctionInstruction enter))
}
module IRCfg implements BB::CfgSig<Language::Location> {
private import codeql.controlflow.SuccessorType
class ControlFlowNode = Instruction;
final private class FinalIRBlock = IRBlock;
class BasicBlock extends FinalIRBlock {
ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
ControlFlowNode getLastNode() { result = super.getLastInstruction() }
int length() { result = this.getInstructionCount() }
BasicBlock getASuccessor() { result = super.getASuccessor() }
BasicBlock getASuccessor(SuccessorType t) {
exists(EdgeKind k |
result = super.getSuccessor(k) and
t = getAMatchingSuccessorType(k)
)
}
predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
predicate dominates(BasicBlock bb) { super.dominates(bb) }
BasicBlock getImmediateDominator() { result.immediatelyDominates(this) }
predicate inDominanceFrontier(BasicBlock df) { super.dominanceFrontier() = df }
predicate strictlyPostDominates(BasicBlock bb) { super.strictlyPostDominates(bb) }
predicate postDominates(BasicBlock bb) { super.postDominates(bb) }
}
class EntryBasicBlock extends BasicBlock {
EntryBasicBlock() { isEntryBlock(this) }
}
pragma[nomagic]
predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) {
bb1.getASuccessor() = bb2 and
bb1 = bb2.getImmediateDominator() and
forall(BasicBlock pred | pred = bb2.getAPredecessor() and pred != bb1 | bb2.dominates(pred))
}
}
cached
private module Cached {
cached

49
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll
View File

@@ -7,6 +7,7 @@ import Instruction
private import internal.IRBlockImports as Imports
import Imports::EdgeKind
private import Cached
private import codeql.controlflow.BasicBlock as BB
/**
* Holds if `block` is a block in `func` and `sortOverride`, `sortKey1`, and `sortKey2` are the
@@ -263,6 +264,54 @@ private predicate isEntryBlock(TIRBlock block) {
block = MkIRBlock(any(EnterFunctionInstruction enter))
}
module IRCfg implements BB::CfgSig<Language::Location> {
private import codeql.controlflow.SuccessorType
class ControlFlowNode = Instruction;
final private class FinalIRBlock = IRBlock;
class BasicBlock extends FinalIRBlock {
ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
ControlFlowNode getLastNode() { result = super.getLastInstruction() }
int length() { result = this.getInstructionCount() }
BasicBlock getASuccessor() { result = super.getASuccessor() }
BasicBlock getASuccessor(SuccessorType t) {
exists(EdgeKind k |
result = super.getSuccessor(k) and
t = getAMatchingSuccessorType(k)
)
}
predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
predicate dominates(BasicBlock bb) { super.dominates(bb) }
BasicBlock getImmediateDominator() { result.immediatelyDominates(this) }
predicate inDominanceFrontier(BasicBlock df) { super.dominanceFrontier() = df }
predicate strictlyPostDominates(BasicBlock bb) { super.strictlyPostDominates(bb) }
predicate postDominates(BasicBlock bb) { super.postDominates(bb) }
}
class EntryBasicBlock extends BasicBlock {
EntryBasicBlock() { isEntryBlock(this) }
}
pragma[nomagic]
predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) {
bb1.getASuccessor() = bb2 and
bb1 = bb2.getImmediateDominator() and
forall(BasicBlock pred | pred = bb2.getAPredecessor() and pred != bb1 | bb2.dominates(pred))
}
}
cached
private module Cached {
cached

2
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
View File

@@ -3884,7 +3884,7 @@ class TranslatedNewExpr extends TranslatedNewOrNewArrayExpr {
final override Type getTargetType() { result = expr.getAllocatedType().getUnspecifiedType() }
final override TranslatedInitialization getInitialization() {
result = getTranslatedInitialization(expr.getInitializer())
result = getTranslatedInitialization(expr.getInitializer().getFullyConverted())
}
}

49
cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll
View File

@@ -7,6 +7,7 @@ import Instruction
private import internal.IRBlockImports as Imports
import Imports::EdgeKind
private import Cached
private import codeql.controlflow.BasicBlock as BB
/**
* Holds if `block` is a block in `func` and `sortOverride`, `sortKey1`, and `sortKey2` are the
@@ -263,6 +264,54 @@ private predicate isEntryBlock(TIRBlock block) {
block = MkIRBlock(any(EnterFunctionInstruction enter))
}
module IRCfg implements BB::CfgSig<Language::Location> {
private import codeql.controlflow.SuccessorType
class ControlFlowNode = Instruction;
final private class FinalIRBlock = IRBlock;
class BasicBlock extends FinalIRBlock {
ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
ControlFlowNode getLastNode() { result = super.getLastInstruction() }
int length() { result = this.getInstructionCount() }
BasicBlock getASuccessor() { result = super.getASuccessor() }
BasicBlock getASuccessor(SuccessorType t) {
exists(EdgeKind k |
result = super.getSuccessor(k) and
t = getAMatchingSuccessorType(k)
)
}
predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
predicate dominates(BasicBlock bb) { super.dominates(bb) }
BasicBlock getImmediateDominator() { result.immediatelyDominates(this) }
predicate inDominanceFrontier(BasicBlock df) { super.dominanceFrontier() = df }
predicate strictlyPostDominates(BasicBlock bb) { super.strictlyPostDominates(bb) }
predicate postDominates(BasicBlock bb) { super.postDominates(bb) }
}
class EntryBasicBlock extends BasicBlock {
EntryBasicBlock() { isEntryBlock(this) }
}
pragma[nomagic]
predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) {
bb1.getASuccessor() = bb2 and
bb1 = bb2.getImmediateDominator() and
forall(BasicBlock pred | pred = bb2.getAPredecessor() and pred != bb1 | bb2.dominates(pred))
}
}
cached
private module Cached {
cached

13
cpp/ql/lib/semmlecode.cpp.dbscheme
View File

@@ -222,6 +222,19 @@ extractor_version(
string frontend_version: string ref
)
pch_uses(
int pch: @pch ref,
int compilation: @compilation ref,
int id: @file ref
)
#keyset[pch, compilation]
pch_creations(
int pch: @pch,
int compilation: @compilation ref,
int from: @file ref
)
/** An element for which line-count information is available. */
@sourceline = @file | @function | @variable | @enumconstant | @xmllocatable;

4868
cpp/ql/lib/semmlecode.cpp.dbscheme.stats
View File

File diff suppressed because it is too large Load Diff

2423
cpp/ql/lib/upgrades/5340d6d5f428557632b1a50113e406430f29ef7d/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2436
cpp/ql/lib/upgrades/5340d6d5f428557632b1a50113e406430f29ef7d/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/lib/upgrades/5340d6d5f428557632b1a50113e406430f29ef7d/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Link PCH creations and uses
compatibility: backwards

6
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 1.4.7
### Bug Fixes
* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.
## 1.4.6
### Minor Analysis Improvements

4
cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
View File

@@ -147,8 +147,8 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
predicate isBarrier(DataFlow::Node node) { isBarrierImpl(node) }
predicate isBarrierOut(DataFlow::Node node) {
isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
predicate isBarrierOut(DataFlow::Node node, FlowState state) {
isSink(node, state) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
}
predicate observeDiffInformedIncrementalMode() { any() }

9
swift/ql/src/change-notes/2025-08-20-add-customizations.md → cpp/ql/src/change-notes/released/1.4.7.md
View File

@@ -1,4 +1,5 @@
---
category: fix
---
* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.
## 1.4.7
### Bug Fixes
* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.6
lastReleaseVersion: 1.4.7

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.4.7-dev
version: 1.4.8-dev
groups:
- cpp
- queries

8
cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected
View File

@@ -6,12 +6,14 @@
| Dubious member name "operator LPWSTR" in summary model. |
| Dubious member name "operator PCXSTR" in summary model. |
| Dubious member name "operator PXSTR" in summary model. |
| Dubious member name "operator void**" in summary model. |
| Dubious member name "operator&" in summary model. |
| Dubious member name "operator*" in summary model. |
| Dubious member name "operator+" in summary model. |
| Dubious member name "operator+=" in summary model. |
| Dubious member name "operator->" in summary model. |
| Dubious member name "operator=" in summary model. |
| Dubious member name "operator=<U>" in summary model. |
| Dubious member name "operator[]" in summary model. |
| Dubious signature "(..(*)(..))" in summary model. |
| Dubious signature "(..(*)(..),..(*)(..),..(*)(..),..(*)(..))" in summary model. |
@@ -503,6 +505,7 @@
| Dubious signature "(CURLU *,CURLUPart,const char *,unsigned int)" in summary model. |
| Dubious signature "(CURLU *,const char *)" in summary model. |
| Dubious signature "(CURLU *,const char *,char **,OperationConfig *)" in summary model. |
| Dubious signature "(ComPtr &&)" in summary model. |
| Dubious signature "(CompoundDictionary *,const PreparedDictionary *)" in summary model. |
| Dubious signature "(Curl_cfilter *)" in summary model. |
| Dubious signature "(Curl_cfilter **,Curl_easy *)" in summary model. |
@@ -2130,6 +2133,7 @@
| Dubious signature "(RAND_POOL *,unsigned char *)" in summary model. |
| Dubious signature "(RAND_POOL *,unsigned int)" in summary model. |
| Dubious signature "(RECORD_LAYER *,SSL_CONNECTION *)" in summary model. |
| Dubious signature "(REFIID,void **)" in summary model. |
| Dubious signature "(RIO_NOTIFIER *)" in summary model. |
| Dubious signature "(RIPEMD160_CTX *,const unsigned char *)" in summary model. |
| Dubious signature "(RIPEMD160_CTX *,const void *,size_t)" in summary model. |
@@ -2431,6 +2435,8 @@
| Dubious signature "(Strent *)" in summary model. |
| Dubious signature "(Strtab *,const char *,size_t)" in summary model. |
| Dubious signature "(Strtab *,size_t *)" in summary model. |
| Dubious signature "(T *)" in summary model. |
| Dubious signature "(T **)" in summary model. |
| Dubious signature "(TLS_FEATURE *)" in summary model. |
| Dubious signature "(TLS_RL_RECORD *,const unsigned char *)" in summary model. |
| Dubious signature "(TS_ACCURACY *)" in summary model. |
@@ -2493,6 +2499,7 @@
| Dubious signature "(TS_VERIFY_CTX *,unsigned char *,long)" in summary model. |
| Dubious signature "(TXT_DB *,OPENSSL_STRING *)" in summary model. |
| Dubious signature "(TXT_DB *,int,..(*)(..),OPENSSL_LH_HASHFUNC,OPENSSL_LH_COMPFUNC)" in summary model. |
| Dubious signature "(U *)" in summary model. |
| Dubious signature "(UI *)" in summary model. |
| Dubious signature "(UI *,UI_STRING *,const char *)" in summary model. |
| Dubious signature "(UI *,UI_STRING *,const char *,int)" in summary model. |
@@ -3155,6 +3162,7 @@
| Dubious signature "(const CT_POLICY_EVAL_CTX *)" in summary model. |
| Dubious signature "(const CURLU *)" in summary model. |
| Dubious signature "(const CURLU *,CURLUPart,char **,unsigned int)" in summary model. |
| Dubious signature "(const ComPtr &)" in summary model. |
| Dubious signature "(const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *)" in summary model. |
| Dubious signature "(const Curl_easy *,const connectdata *,int)" in summary model. |
| Dubious signature "(const DH *)" in summary model. |

217
cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
View File

@@ -1241,4 +1241,221 @@ namespace ATL {
sink(static_cast<CStrBufT<char>::PCXSTR>(b)); // $ ir
sink(static_cast<CStrBufT<char>::PXSTR>(b)); // $ ir
}
}
namespace Microsoft {
namespace WRL {
template <typename T>
class ComPtr;
struct GUID;
typedef GUID IID;
typedef IID *REFIID;
class IUnknown;
class WeakRef;
namespace Details {
template <typename T>
class ComPtrRef {
public:
using InterfaceType = T;
ComPtrRef(T*);
InterfaceType* const * GetAddressOf() const;
InterfaceType** ReleaseAndGetAddressOf();
operator InterfaceType**();
operator T*();
operator void**() const;
InterfaceType* operator *();
};
}
template <typename T>
class ComPtr
{
public:
using InterfaceType = T;
ComPtr();
ComPtr(const ComPtr &);
ComPtr(ComPtr &&);
template <typename U>
ComPtr(U *);
~ComPtr();
template <typename U>
HRESULT As(ComPtr<U> *p) const;
HRESULT AsWeak(WeakRef *);
void Attach(InterfaceType *);
HRESULT CopyTo(InterfaceType **);
HRESULT CopyTo(REFIID, void **) const;
template <typename U>
HRESULT CopyTo(U **) const;
T *Detach();
T *Get() const;
T *const *GetAddressOf() const;
T **GetAddressOf();
T **ReleaseAndGetAddressOf();
unsigned long Reset();
void Swap(ComPtr &&r);
void Swap(ComPtr &r);
Details::ComPtrRef<ComPtr<T>> operator&();
const Details::ComPtrRef<const ComPtr<T>> operator&() const;
InterfaceType* operator->() const; // return type simplified from Microsoft::WRL::Details::RemoveIUnknown<InterfaceType>*
ComPtr& operator=(T *);
template <typename U>
ComPtr& operator=(U *);
ComPtr& operator=(const ComPtr &);
template<class U>
ComPtr& operator=(const ComPtr<U>&);
ComPtr& operator=(ComPtr &&);
template<class U>
ComPtr& operator=(ComPtr<U>&&);
};
}
}
namespace std {
template<class T> T&& move(T& t) noexcept; // simplified signature
}
void test_constructor()
{
Microsoft::WRL::ComPtr<int> p0;
sink(*p0.Get()); // clean
int x = source<int>();
Microsoft::WRL::ComPtr<int> p1(new int(x));
sink(*p1.Get()); // $ ir MISSING: ast
sink(*p1.Detach()); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<int> p2(p1);
sink(*p2.Get()); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<int> p3(std::move(p1));
sink(*p3.Get()); // $ ir MISSING: ast
}
void test_As()
{
int x = source<int>();
Microsoft::WRL::ComPtr<int> p1(new int(x));
Microsoft::WRL::ComPtr<int>* p2;
p1.As(p2);
sink(*p2->Get()); // $ ir MISSING: ast
}
void test_CopyTo()
{
int x = source<int>();
Microsoft::WRL::ComPtr<int> p1(new int(x));
int *raw = nullptr;
p1.CopyTo(&raw);
sink(*raw); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<int> p2;
p1.CopyTo(nullptr, (void**)&raw);
sink(*raw); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<int> p3(new int(x));
int* raw2 = nullptr;
p3.CopyTo<int>(&raw2);
sink(*raw2); // $ ir MISSING: ast
}
void test_Swap()
{
int x = source<int>();
Microsoft::WRL::ComPtr<int> p1(new int(x));
Microsoft::WRL::ComPtr<int> p2;
p1.Swap(p2);
sink(*p2.Get()); // $ ir MISSING: ast
sink(*p1.Get()); // $ SPURIOUS: ir
}
void test_GetAddressOf()
{
int x = source<int>();
Microsoft::WRL::ComPtr<int> p1(new int(x));
sink(**p1.GetAddressOf()); // $ ir MISSING: ast
const Microsoft::WRL::ComPtr<int> p2(new int(x));
sink(**p2.GetAddressOf()); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<int> p3(new int(x));
int **pp = p3.ReleaseAndGetAddressOf();
sink(**pp); // $ ir MISSING: ast
}
struct S {
int x;
};
void test_address_of_deref_operators() {
int x = source<int>();
Microsoft::WRL::ComPtr<int> p1(new int(x));
Microsoft::WRL::Details::ComPtrRef<Microsoft::WRL::ComPtr<int>> pp = &p1;
Microsoft::WRL::ComPtr<int>* qq = *pp;
sink(*qq->Get()); // $ ir MISSING: ast
const Microsoft::WRL::ComPtr<int> p2(new int(x));
Microsoft::WRL::Details::ComPtrRef<const Microsoft::WRL::ComPtr<int>> pp2 = &p2;
const Microsoft::WRL::ComPtr<int>* qq2 = *pp2;
sink(*qq2->Get()); // $ ir MISSING: ast
S s;
s.x = source<int>();
Microsoft::WRL::ComPtr<S> p3(&s);
sink(p3->x); // $ ir MISSING: ast
}
void test_assignments() {
Microsoft::WRL::ComPtr<int> p1;
p1 = new int(source<int>());
sink(*p1.Get()); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<int> p2;
p2 = new long(source<long>());
sink(*p2.Get()); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<int> p3;
p3 = p1;
sink(*p3.Get()); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<long> p4;
p4 = p1;
sink(*p4.Get()); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<int> p5;
p5 = std::move(p1);
sink(*p5.Get()); // $ ir MISSING: ast
Microsoft::WRL::ComPtr<long> p6;
p6 = std::move(p1);
sink(*p6.Get()); // $ ir MISSING: ast
}

217
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -1278,6 +1278,223 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| atl.cpp:1240:22:1240:30 | call to CStrBufT | atl.cpp:1241:46:1241:46 | b | |
| atl.cpp:1240:22:1240:30 | call to CStrBufT | atl.cpp:1242:45:1242:45 | b | |
| atl.cpp:1241:46:1241:46 | ref arg b | atl.cpp:1242:45:1242:45 | b | |
| atl.cpp:1348:31:1348:32 | call to ComPtr | atl.cpp:1349:9:1349:10 | p0 | |
| atl.cpp:1348:31:1348:32 | call to ComPtr | atl.cpp:1361:1:1361:1 | p0 | |
| atl.cpp:1349:9:1349:10 | ref arg p0 | atl.cpp:1361:1:1361:1 | p0 | |
| atl.cpp:1349:12:1349:14 | call to Get | atl.cpp:1349:8:1349:16 | * ... | TAINT |
| atl.cpp:1351:11:1351:21 | call to source | atl.cpp:1352:42:1352:42 | x | |
| atl.cpp:1352:34:1352:43 | new | atl.cpp:1352:34:1352:44 | call to ComPtr | TAINT |
| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1353:9:1353:10 | p1 | |
| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1354:9:1354:10 | p1 | |
| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1356:34:1356:35 | p1 | |
| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1359:44:1359:45 | p1 | |
| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1361:1:1361:1 | p1 | |
| atl.cpp:1352:42:1352:42 | x | atl.cpp:1352:34:1352:43 | new | |
| atl.cpp:1353:9:1353:10 | ref arg p1 | atl.cpp:1354:9:1354:10 | p1 | |
| atl.cpp:1353:9:1353:10 | ref arg p1 | atl.cpp:1356:34:1356:35 | p1 | |
| atl.cpp:1353:9:1353:10 | ref arg p1 | atl.cpp:1359:44:1359:45 | p1 | |
| atl.cpp:1353:9:1353:10 | ref arg p1 | atl.cpp:1361:1:1361:1 | p1 | |
| atl.cpp:1353:12:1353:14 | call to Get | atl.cpp:1353:8:1353:16 | * ... | TAINT |
| atl.cpp:1354:9:1354:10 | ref arg p1 | atl.cpp:1356:34:1356:35 | p1 | |
| atl.cpp:1354:9:1354:10 | ref arg p1 | atl.cpp:1359:44:1359:45 | p1 | |
| atl.cpp:1354:9:1354:10 | ref arg p1 | atl.cpp:1361:1:1361:1 | p1 | |
| atl.cpp:1354:12:1354:17 | call to Detach | atl.cpp:1354:8:1354:19 | * ... | TAINT |
| atl.cpp:1356:34:1356:35 | p1 | atl.cpp:1356:34:1356:36 | call to ComPtr | |
| atl.cpp:1356:34:1356:36 | call to ComPtr | atl.cpp:1357:9:1357:10 | p2 | |
| atl.cpp:1356:34:1356:36 | call to ComPtr | atl.cpp:1361:1:1361:1 | p2 | |
| atl.cpp:1357:9:1357:10 | ref arg p2 | atl.cpp:1361:1:1361:1 | p2 | |
| atl.cpp:1357:12:1357:14 | call to Get | atl.cpp:1357:8:1357:16 | * ... | TAINT |
| atl.cpp:1359:34:1359:42 | call to move | atl.cpp:1359:34:1359:47 | call to ComPtr | TAINT |
| atl.cpp:1359:34:1359:42 | ref arg call to move | atl.cpp:1359:44:1359:45 | p1 [inner post update] | |
| atl.cpp:1359:34:1359:42 | ref arg call to move | atl.cpp:1361:1:1361:1 | p1 | |
| atl.cpp:1359:34:1359:47 | call to ComPtr | atl.cpp:1360:9:1360:10 | p3 | |
| atl.cpp:1359:34:1359:47 | call to ComPtr | atl.cpp:1361:1:1361:1 | p3 | |
| atl.cpp:1359:44:1359:45 | p1 | atl.cpp:1359:34:1359:42 | call to move | TAINT |
| atl.cpp:1359:44:1359:45 | p1 | atl.cpp:1359:34:1359:47 | call to ComPtr | |
| atl.cpp:1360:9:1360:10 | ref arg p3 | atl.cpp:1361:1:1361:1 | p3 | |
| atl.cpp:1360:12:1360:14 | call to Get | atl.cpp:1360:8:1360:16 | * ... | TAINT |
| atl.cpp:1365:11:1365:21 | call to source | atl.cpp:1366:42:1366:42 | x | |
| atl.cpp:1366:34:1366:43 | new | atl.cpp:1366:34:1366:44 | call to ComPtr | TAINT |
| atl.cpp:1366:34:1366:44 | call to ComPtr | atl.cpp:1368:3:1368:4 | p1 | |
| atl.cpp:1366:34:1366:44 | call to ComPtr | atl.cpp:1370:1:1370:1 | p1 | |
| atl.cpp:1366:42:1366:42 | x | atl.cpp:1366:34:1366:43 | new | |
| atl.cpp:1367:32:1367:33 | p2 | atl.cpp:1368:9:1368:10 | p2 | |
| atl.cpp:1367:32:1367:33 | p2 | atl.cpp:1369:9:1369:10 | p2 | |
| atl.cpp:1368:9:1368:10 | ref arg p2 | atl.cpp:1369:9:1369:10 | p2 | |
| atl.cpp:1369:13:1369:15 | call to Get | atl.cpp:1369:8:1369:17 | * ... | TAINT |
| atl.cpp:1374:11:1374:21 | call to source | atl.cpp:1375:42:1375:42 | x | |
| atl.cpp:1374:11:1374:21 | call to source | atl.cpp:1384:42:1384:42 | x | |
| atl.cpp:1375:34:1375:43 | new | atl.cpp:1375:34:1375:44 | call to ComPtr | TAINT |
| atl.cpp:1375:34:1375:44 | call to ComPtr | atl.cpp:1377:3:1377:4 | p1 | |
| atl.cpp:1375:34:1375:44 | call to ComPtr | atl.cpp:1381:3:1381:4 | p1 | |
| atl.cpp:1375:34:1375:44 | call to ComPtr | atl.cpp:1389:1:1389:1 | p1 | |
| atl.cpp:1375:42:1375:42 | x | atl.cpp:1375:34:1375:43 | new | |
| atl.cpp:1376:14:1376:20 | 0 | atl.cpp:1377:14:1377:16 | raw | |
| atl.cpp:1376:14:1376:20 | 0 | atl.cpp:1378:9:1378:11 | raw | |
| atl.cpp:1376:14:1376:20 | 0 | atl.cpp:1381:31:1381:33 | raw | |
| atl.cpp:1376:14:1376:20 | 0 | atl.cpp:1382:9:1382:11 | raw | |
| atl.cpp:1377:3:1377:4 | ref arg p1 | atl.cpp:1381:3:1381:4 | p1 | |
| atl.cpp:1377:3:1377:4 | ref arg p1 | atl.cpp:1389:1:1389:1 | p1 | |
| atl.cpp:1377:13:1377:16 | ref arg & ... | atl.cpp:1377:14:1377:16 | raw [inner post update] | |
| atl.cpp:1377:13:1377:16 | ref arg & ... | atl.cpp:1378:9:1378:11 | raw | |
| atl.cpp:1377:13:1377:16 | ref arg & ... | atl.cpp:1381:31:1381:33 | raw | |
| atl.cpp:1377:13:1377:16 | ref arg & ... | atl.cpp:1382:9:1382:11 | raw | |
| atl.cpp:1377:14:1377:16 | raw | atl.cpp:1377:13:1377:16 | & ... | |
| atl.cpp:1378:9:1378:11 | raw | atl.cpp:1378:8:1378:11 | * ... | TAINT |
| atl.cpp:1380:31:1380:32 | call to ComPtr | atl.cpp:1389:1:1389:1 | p2 | |
| atl.cpp:1381:30:1381:33 | ref arg & ... | atl.cpp:1381:31:1381:33 | raw [inner post update] | |
| atl.cpp:1381:30:1381:33 | ref arg & ... | atl.cpp:1382:9:1382:11 | raw | |
| atl.cpp:1381:31:1381:33 | raw | atl.cpp:1381:30:1381:33 | & ... | |
| atl.cpp:1382:9:1382:11 | raw | atl.cpp:1382:8:1382:11 | * ... | TAINT |
| atl.cpp:1384:34:1384:43 | new | atl.cpp:1384:34:1384:44 | call to ComPtr | TAINT |
| atl.cpp:1384:34:1384:44 | call to ComPtr | atl.cpp:1387:3:1387:4 | p3 | |
| atl.cpp:1384:34:1384:44 | call to ComPtr | atl.cpp:1389:1:1389:1 | p3 | |
| atl.cpp:1384:42:1384:42 | x | atl.cpp:1384:34:1384:43 | new | |
| atl.cpp:1386:15:1386:21 | 0 | atl.cpp:1387:19:1387:22 | raw2 | |
| atl.cpp:1386:15:1386:21 | 0 | atl.cpp:1388:9:1388:12 | raw2 | |
| atl.cpp:1387:18:1387:22 | ref arg & ... | atl.cpp:1387:19:1387:22 | raw2 [inner post update] | |
| atl.cpp:1387:18:1387:22 | ref arg & ... | atl.cpp:1388:9:1388:12 | raw2 | |
| atl.cpp:1387:19:1387:22 | raw2 | atl.cpp:1387:18:1387:22 | & ... | |
| atl.cpp:1388:9:1388:12 | raw2 | atl.cpp:1388:8:1388:12 | * ... | TAINT |
| atl.cpp:1393:11:1393:21 | call to source | atl.cpp:1394:42:1394:42 | x | |
| atl.cpp:1394:34:1394:43 | new | atl.cpp:1394:34:1394:44 | call to ComPtr | TAINT |
| atl.cpp:1394:34:1394:44 | call to ComPtr | atl.cpp:1396:3:1396:4 | p1 | |
| atl.cpp:1394:34:1394:44 | call to ComPtr | atl.cpp:1398:9:1398:10 | p1 | |
| atl.cpp:1394:34:1394:44 | call to ComPtr | atl.cpp:1399:1:1399:1 | p1 | |
| atl.cpp:1394:42:1394:42 | x | atl.cpp:1394:34:1394:43 | new | |
| atl.cpp:1395:31:1395:32 | call to ComPtr | atl.cpp:1396:11:1396:12 | p2 | |
| atl.cpp:1395:31:1395:32 | call to ComPtr | atl.cpp:1397:9:1397:10 | p2 | |
| atl.cpp:1395:31:1395:32 | call to ComPtr | atl.cpp:1399:1:1399:1 | p2 | |
| atl.cpp:1396:3:1396:4 | ref arg p1 | atl.cpp:1398:9:1398:10 | p1 | |
| atl.cpp:1396:3:1396:4 | ref arg p1 | atl.cpp:1399:1:1399:1 | p1 | |
| atl.cpp:1396:11:1396:12 | ref arg p2 | atl.cpp:1397:9:1397:10 | p2 | |
| atl.cpp:1396:11:1396:12 | ref arg p2 | atl.cpp:1399:1:1399:1 | p2 | |
| atl.cpp:1397:9:1397:10 | ref arg p2 | atl.cpp:1399:1:1399:1 | p2 | |
| atl.cpp:1397:12:1397:14 | call to Get | atl.cpp:1397:8:1397:16 | * ... | TAINT |
| atl.cpp:1398:9:1398:10 | ref arg p1 | atl.cpp:1399:1:1399:1 | p1 | |
| atl.cpp:1398:12:1398:14 | call to Get | atl.cpp:1398:8:1398:16 | * ... | TAINT |
| atl.cpp:1403:11:1403:21 | call to source | atl.cpp:1404:42:1404:42 | x | |
| atl.cpp:1403:11:1403:21 | call to source | atl.cpp:1407:48:1407:48 | x | |
| atl.cpp:1403:11:1403:21 | call to source | atl.cpp:1410:42:1410:42 | x | |
| atl.cpp:1404:34:1404:43 | new | atl.cpp:1404:34:1404:44 | call to ComPtr | TAINT |
| atl.cpp:1404:34:1404:44 | call to ComPtr | atl.cpp:1405:10:1405:11 | p1 | |
| atl.cpp:1404:34:1404:44 | call to ComPtr | atl.cpp:1413:1:1413:1 | p1 | |
| atl.cpp:1404:42:1404:42 | x | atl.cpp:1404:34:1404:43 | new | |
| atl.cpp:1405:9:1405:26 | * ... | atl.cpp:1405:8:1405:26 | * ... | TAINT |
| atl.cpp:1405:10:1405:11 | ref arg p1 | atl.cpp:1413:1:1413:1 | p1 | |
| atl.cpp:1405:13:1405:24 | call to GetAddressOf | atl.cpp:1405:9:1405:26 | * ... | TAINT |
| atl.cpp:1407:40:1407:49 | new | atl.cpp:1407:40:1407:50 | call to ComPtr | TAINT |
| atl.cpp:1407:40:1407:50 | call to ComPtr | atl.cpp:1408:10:1408:11 | p2 | |
| atl.cpp:1407:40:1407:50 | call to ComPtr | atl.cpp:1413:1:1413:1 | p2 | |
| atl.cpp:1407:48:1407:48 | x | atl.cpp:1407:40:1407:49 | new | |
| atl.cpp:1408:9:1408:26 | * ... | atl.cpp:1408:8:1408:26 | * ... | TAINT |
| atl.cpp:1408:10:1408:11 | ref arg p2 | atl.cpp:1413:1:1413:1 | p2 | |
| atl.cpp:1408:13:1408:24 | call to GetAddressOf | atl.cpp:1408:9:1408:26 | * ... | TAINT |
| atl.cpp:1410:34:1410:43 | new | atl.cpp:1410:34:1410:44 | call to ComPtr | TAINT |
| atl.cpp:1410:34:1410:44 | call to ComPtr | atl.cpp:1411:14:1411:15 | p3 | |
| atl.cpp:1410:34:1410:44 | call to ComPtr | atl.cpp:1413:1:1413:1 | p3 | |
| atl.cpp:1410:42:1410:42 | x | atl.cpp:1410:34:1410:43 | new | |
| atl.cpp:1411:14:1411:15 | ref arg p3 | atl.cpp:1413:1:1413:1 | p3 | |
| atl.cpp:1411:17:1411:38 | call to ReleaseAndGetAddressOf | atl.cpp:1412:10:1412:11 | pp | |
| atl.cpp:1412:9:1412:11 | * ... | atl.cpp:1412:8:1412:11 | * ... | TAINT |
| atl.cpp:1412:10:1412:11 | pp | atl.cpp:1412:9:1412:11 | * ... | TAINT |
| atl.cpp:1420:11:1420:21 | call to source | atl.cpp:1421:42:1421:42 | x | |
| atl.cpp:1420:11:1420:21 | call to source | atl.cpp:1426:48:1426:48 | x | |
| atl.cpp:1421:34:1421:43 | new | atl.cpp:1421:34:1421:44 | call to ComPtr | TAINT |
| atl.cpp:1421:34:1421:44 | call to ComPtr | atl.cpp:1422:73:1422:74 | p1 | |
| atl.cpp:1421:34:1421:44 | call to ComPtr | atl.cpp:1435:1:1435:1 | p1 | |
| atl.cpp:1421:42:1421:42 | x | atl.cpp:1421:34:1421:43 | new | |
| atl.cpp:1422:72:1422:72 | call to operator& | atl.cpp:1423:38:1423:39 | pp | |
| atl.cpp:1422:73:1422:74 | ref arg p1 | atl.cpp:1435:1:1435:1 | p1 | |
| atl.cpp:1423:37:1423:37 | call to operator* | atl.cpp:1424:9:1424:10 | qq | |
| atl.cpp:1424:13:1424:15 | call to Get | atl.cpp:1424:8:1424:17 | * ... | TAINT |
| atl.cpp:1426:40:1426:49 | new | atl.cpp:1426:40:1426:50 | call to ComPtr | TAINT |
| atl.cpp:1426:40:1426:50 | call to ComPtr | atl.cpp:1427:80:1427:81 | p2 | |
| atl.cpp:1426:40:1426:50 | call to ComPtr | atl.cpp:1435:1:1435:1 | p2 | |
| atl.cpp:1426:48:1426:48 | x | atl.cpp:1426:40:1426:49 | new | |
| atl.cpp:1427:79:1427:79 | call to operator& | atl.cpp:1428:45:1428:47 | pp2 | |
| atl.cpp:1428:44:1428:44 | call to operator* | atl.cpp:1429:9:1429:11 | qq2 | |
| atl.cpp:1429:14:1429:16 | call to Get | atl.cpp:1429:8:1429:18 | * ... | TAINT |
| atl.cpp:1431:5:1431:5 | s | atl.cpp:1432:3:1432:3 | s | |
| atl.cpp:1431:5:1431:5 | s | atl.cpp:1433:33:1433:33 | s | |
| atl.cpp:1432:3:1432:3 | s [post update] | atl.cpp:1433:33:1433:33 | s | |
| atl.cpp:1432:3:1432:21 | ... = ... | atl.cpp:1432:5:1432:5 | x [post update] | |
| atl.cpp:1432:9:1432:19 | call to source | atl.cpp:1432:3:1432:21 | ... = ... | |
| atl.cpp:1433:32:1433:33 | & ... | atl.cpp:1433:32:1433:34 | call to ComPtr | TAINT |
| atl.cpp:1433:32:1433:33 | ref arg & ... | atl.cpp:1433:33:1433:33 | s [inner post update] | |
| atl.cpp:1433:32:1433:34 | call to ComPtr | atl.cpp:1434:8:1434:9 | p3 | |
| atl.cpp:1433:32:1433:34 | call to ComPtr | atl.cpp:1435:1:1435:1 | p3 | |
| atl.cpp:1433:33:1433:33 | s | atl.cpp:1433:32:1433:33 | & ... | |
| atl.cpp:1434:8:1434:9 | ref arg p3 | atl.cpp:1435:1:1435:1 | p3 | |
| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1439:3:1439:4 | p1 | |
| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1440:9:1440:10 | p1 | |
| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1447:8:1447:9 | p1 | |
| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1451:8:1451:9 | p1 | |
| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1455:18:1455:19 | p1 | |
| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1459:18:1459:19 | p1 | |
| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1461:1:1461:1 | p1 | |
| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1440:9:1440:10 | p1 | |
| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1447:8:1447:9 | p1 | |
| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1451:8:1451:9 | p1 | |
| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1455:18:1455:19 | p1 | |
| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1459:18:1459:19 | p1 | |
| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1461:1:1461:1 | p1 | |
| atl.cpp:1439:16:1439:26 | call to source | atl.cpp:1439:8:1439:29 | new | |
| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1447:8:1447:9 | p1 | |
| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1451:8:1451:9 | p1 | |
| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1455:18:1455:19 | p1 | |
| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1459:18:1459:19 | p1 | |
| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1461:1:1461:1 | p1 | |
| atl.cpp:1440:12:1440:14 | call to Get | atl.cpp:1440:8:1440:16 | * ... | TAINT |
| atl.cpp:1442:31:1442:32 | call to ComPtr | atl.cpp:1443:3:1443:4 | p2 | |
| atl.cpp:1442:31:1442:32 | call to ComPtr | atl.cpp:1444:9:1444:10 | p2 | |
| atl.cpp:1442:31:1442:32 | call to ComPtr | atl.cpp:1461:1:1461:1 | p2 | |
| atl.cpp:1443:3:1443:4 | ref arg p2 | atl.cpp:1444:9:1444:10 | p2 | |
| atl.cpp:1443:3:1443:4 | ref arg p2 | atl.cpp:1461:1:1461:1 | p2 | |
| atl.cpp:1443:17:1443:28 | call to source | atl.cpp:1443:8:1443:31 | new | |
| atl.cpp:1444:9:1444:10 | ref arg p2 | atl.cpp:1461:1:1461:1 | p2 | |
| atl.cpp:1444:12:1444:14 | call to Get | atl.cpp:1444:8:1444:16 | * ... | TAINT |
| atl.cpp:1446:31:1446:32 | call to ComPtr | atl.cpp:1447:3:1447:4 | p3 | |
| atl.cpp:1446:31:1446:32 | call to ComPtr | atl.cpp:1448:9:1448:10 | p3 | |
| atl.cpp:1446:31:1446:32 | call to ComPtr | atl.cpp:1461:1:1461:1 | p3 | |
| atl.cpp:1447:3:1447:4 | ref arg p3 | atl.cpp:1448:9:1448:10 | p3 | |
| atl.cpp:1447:3:1447:4 | ref arg p3 | atl.cpp:1461:1:1461:1 | p3 | |
| atl.cpp:1447:8:1447:9 | p1 | atl.cpp:1447:3:1447:4 | ref arg p3 | TAINT |
| atl.cpp:1447:8:1447:9 | p1 | atl.cpp:1447:6:1447:6 | call to operator= | TAINT |
| atl.cpp:1448:9:1448:10 | ref arg p3 | atl.cpp:1461:1:1461:1 | p3 | |
| atl.cpp:1448:12:1448:14 | call to Get | atl.cpp:1448:8:1448:16 | * ... | TAINT |
| atl.cpp:1450:32:1450:33 | call to ComPtr | atl.cpp:1451:3:1451:4 | p4 | |
| atl.cpp:1450:32:1450:33 | call to ComPtr | atl.cpp:1452:9:1452:10 | p4 | |
| atl.cpp:1450:32:1450:33 | call to ComPtr | atl.cpp:1461:1:1461:1 | p4 | |
| atl.cpp:1451:3:1451:4 | ref arg p4 | atl.cpp:1452:9:1452:10 | p4 | |
| atl.cpp:1451:3:1451:4 | ref arg p4 | atl.cpp:1461:1:1461:1 | p4 | |
| atl.cpp:1452:9:1452:10 | ref arg p4 | atl.cpp:1461:1:1461:1 | p4 | |
| atl.cpp:1452:12:1452:14 | call to Get | atl.cpp:1452:8:1452:16 | * ... | TAINT |
| atl.cpp:1454:31:1454:32 | call to ComPtr | atl.cpp:1455:3:1455:4 | p5 | |
| atl.cpp:1454:31:1454:32 | call to ComPtr | atl.cpp:1456:9:1456:10 | p5 | |
| atl.cpp:1454:31:1454:32 | call to ComPtr | atl.cpp:1461:1:1461:1 | p5 | |
| atl.cpp:1455:3:1455:4 | ref arg p5 | atl.cpp:1456:9:1456:10 | p5 | |
| atl.cpp:1455:3:1455:4 | ref arg p5 | atl.cpp:1461:1:1461:1 | p5 | |
| atl.cpp:1455:8:1455:16 | call to move | atl.cpp:1455:3:1455:4 | ref arg p5 | TAINT |
| atl.cpp:1455:8:1455:16 | call to move | atl.cpp:1455:6:1455:6 | call to operator= | TAINT |
| atl.cpp:1455:8:1455:16 | ref arg call to move | atl.cpp:1455:18:1455:19 | p1 [inner post update] | |
| atl.cpp:1455:8:1455:16 | ref arg call to move | atl.cpp:1459:18:1459:19 | p1 | |
| atl.cpp:1455:8:1455:16 | ref arg call to move | atl.cpp:1461:1:1461:1 | p1 | |
| atl.cpp:1455:18:1455:19 | p1 | atl.cpp:1455:3:1455:4 | ref arg p5 | TAINT |
| atl.cpp:1455:18:1455:19 | p1 | atl.cpp:1455:6:1455:6 | call to operator= | TAINT |
| atl.cpp:1455:18:1455:19 | p1 | atl.cpp:1455:8:1455:16 | call to move | TAINT |
| atl.cpp:1456:9:1456:10 | ref arg p5 | atl.cpp:1461:1:1461:1 | p5 | |
| atl.cpp:1456:12:1456:14 | call to Get | atl.cpp:1456:8:1456:16 | * ... | TAINT |
| atl.cpp:1458:32:1458:33 | call to ComPtr | atl.cpp:1459:3:1459:4 | p6 | |
| atl.cpp:1458:32:1458:33 | call to ComPtr | atl.cpp:1460:9:1460:10 | p6 | |
| atl.cpp:1458:32:1458:33 | call to ComPtr | atl.cpp:1461:1:1461:1 | p6 | |
| atl.cpp:1459:3:1459:4 | ref arg p6 | atl.cpp:1460:9:1460:10 | p6 | |
| atl.cpp:1459:3:1459:4 | ref arg p6 | atl.cpp:1461:1:1461:1 | p6 | |
| atl.cpp:1459:8:1459:16 | ref arg call to move | atl.cpp:1459:18:1459:19 | p1 [inner post update] | |
| atl.cpp:1459:8:1459:16 | ref arg call to move | atl.cpp:1461:1:1461:1 | p1 | |
| atl.cpp:1459:18:1459:19 | p1 | atl.cpp:1459:8:1459:16 | call to move | TAINT |
| atl.cpp:1460:9:1460:10 | ref arg p6 | atl.cpp:1461:1:1461:1 | p6 | |
| atl.cpp:1460:12:1460:14 | call to Get | atl.cpp:1460:8:1460:16 | * ... | TAINT |
| bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | |
| bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | |
| bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | |

59
cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
View File

@@ -5567,6 +5567,31 @@ signatureMatches
| atl.cpp:1231:5:1231:12 | CStrBufT | (const char *,const char *,unsigned long) | | __ngettext | 2 |
| atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) | | UTF8_putc | 1 |
| atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) | | UTF8_putc | 2 |
| atl.cpp:1286:5:1286:10 | ComPtr | (const ComPtr &) | ComPtr | ComPtr | 0 |
| atl.cpp:1286:5:1286:10 | ComPtr | (const ComPtr &) | ComPtr | operator= | 0 |
| atl.cpp:1287:5:1287:10 | ComPtr | (ComPtr &&) | ComPtr | ComPtr | 0 |
| atl.cpp:1287:5:1287:10 | ComPtr | (ComPtr &&) | ComPtr | operator= | 0 |
| atl.cpp:1290:5:1290:10 | ComPtr | (T *) | ComPtr | ComPtr<T> | 0 |
| atl.cpp:1290:5:1290:10 | ComPtr | (T *) | ComPtr | ComPtr<T> | 0 |
| atl.cpp:1290:5:1290:10 | ComPtr | (U *) | ComPtr | operator=<U> | 0 |
| atl.cpp:1290:5:1290:10 | ComPtr | (U *) | ComPtr | operator=<U> | 0 |
| atl.cpp:1301:13:1301:18 | CopyTo | (T **) | ComPtr<T> | CopyTo | 0 |
| atl.cpp:1303:13:1303:18 | CopyTo | (Curl_easy *,void **) | | Curl_resolver_init | 1 |
| atl.cpp:1303:13:1303:18 | CopyTo | (REFIID,void **) | ComPtr | CopyTo | 0 |
| atl.cpp:1303:13:1303:18 | CopyTo | (REFIID,void **) | ComPtr | CopyTo | 1 |
| atl.cpp:1303:13:1303:18 | CopyTo | (size_t,void **) | | __libc_alloc_buffer_allocate | 1 |
| atl.cpp:1306:13:1306:18 | CopyTo | (T **) | ComPtr | CopyTo<T> | 0 |
| atl.cpp:1328:13:1328:21 | operator= | (T *) | ComPtr<T> | operator= | 0 |
| atl.cpp:1330:13:1330:21 | operator= | (T *) | ComPtr | ComPtr<T> | 0 |
| atl.cpp:1330:13:1330:21 | operator= | (U *) | ComPtr | operator=<U> | 0 |
| atl.cpp:1331:13:1331:21 | operator= | (const ComPtr &) | ComPtr | ComPtr | 0 |
| atl.cpp:1331:13:1331:21 | operator= | (const ComPtr &) | ComPtr | operator= | 0 |
| atl.cpp:1333:13:1333:21 | operator= | (const ComPtr &) | ComPtr | ComPtr | 0 |
| atl.cpp:1333:13:1333:21 | operator= | (const ComPtr &) | ComPtr | operator= | 0 |
| atl.cpp:1334:13:1334:21 | operator= | (ComPtr &&) | ComPtr | ComPtr | 0 |
| atl.cpp:1334:13:1334:21 | operator= | (ComPtr &&) | ComPtr | operator= | 0 |
| atl.cpp:1336:13:1336:21 | operator= | (ComPtr &&) | ComPtr | ComPtr | 0 |
| atl.cpp:1336:13:1336:21 | operator= | (ComPtr &&) | ComPtr | operator= | 0 |
| bsd.cpp:12:5:12:10 | accept | (CURLM *,curl_socket_t,int *) | | curl_multi_socket | 2 |
| bsd.cpp:12:5:12:10 | accept | (Curl_easy *,ssize_t *,int *) | | Curl_GetFTPResponse | 2 |
| bsd.cpp:12:5:12:10 | accept | (EVP_CIPHER_CTX *,unsigned char *,int *) | | EVP_CipherFinal | 2 |
@@ -9386,6 +9411,8 @@ signatureMatches
| stl.h:333:42:333:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert<InputIt> | 2 |
| stl.h:333:42:333:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert<InputIt> | 2 |
| stl.h:335:37:335:43 | emplace | (format_string,Args &&) | | format<Args> | 1 |
| stl.h:351:12:351:21 | shared_ptr | (T *) | ComPtr<T> | operator= | 0 |
| stl.h:369:12:369:21 | unique_ptr | (T *) | ComPtr<T> | operator= | 0 |
| stl.h:396:3:396:3 | pair | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 1 |
| stl.h:396:3:396:3 | pair | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 1 |
| stl.h:396:3:396:3 | pair | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 1 |
@@ -21750,6 +21777,8 @@ getSignatureParameterName
| (CURLU *,const char *,char **,OperationConfig *) | | ipfs_url_rewrite | 1 | const char * |
| (CURLU *,const char *,char **,OperationConfig *) | | ipfs_url_rewrite | 2 | char ** |
| (CURLU *,const char *,char **,OperationConfig *) | | ipfs_url_rewrite | 3 | OperationConfig * |
| (ComPtr &&) | ComPtr | ComPtr | 0 | ComPtr && |
| (ComPtr &&) | ComPtr | operator= | 0 | ComPtr && |
| (CompoundDictionary *,const PreparedDictionary *) | | AttachPreparedDictionary | 0 | CompoundDictionary * |
| (CompoundDictionary *,const PreparedDictionary *) | | AttachPreparedDictionary | 1 | const PreparedDictionary * |
| (Curl_cfilter *) | | Curl_conn_cf_is_ssl | 0 | Curl_cfilter * |
@@ -28580,6 +28609,8 @@ getSignatureParameterName
| (RAND_POOL *,unsigned int) | | ossl_rand_pool_bytes_needed | 1 | unsigned int |
| (RECORD_LAYER *,SSL_CONNECTION *) | | RECORD_LAYER_init | 0 | RECORD_LAYER * |
| (RECORD_LAYER *,SSL_CONNECTION *) | | RECORD_LAYER_init | 1 | SSL_CONNECTION * |
| (REFIID,void **) | ComPtr | CopyTo | 0 | REFIID |
| (REFIID,void **) | ComPtr | CopyTo | 1 | void ** |
| (RIO_NOTIFIER *) | | ossl_rio_notifier_cleanup | 0 | RIO_NOTIFIER * |
| (RIPEMD160_CTX *,const unsigned char *) | | RIPEMD160_Transform | 0 | RIPEMD160_CTX * |
| (RIPEMD160_CTX *,const unsigned char *) | | RIPEMD160_Transform | 1 | const unsigned char * |
@@ -30163,6 +30194,10 @@ getSignatureParameterName
| (Strtab *,const char *,size_t) | | strtabadd | 2 | size_t |
| (Strtab *,size_t *) | | strtabfinalize | 0 | Strtab * |
| (Strtab *,size_t *) | | strtabfinalize | 1 | size_t * |
| (T *) | ComPtr | ComPtr<T> | 0 | func:0 * |
| (T *) | ComPtr<T> | operator= | 0 | class:0 * |
| (T **) | ComPtr | CopyTo<T> | 0 | func:0 ** |
| (T **) | ComPtr<T> | CopyTo | 0 | class:0 ** |
| (TLS_FEATURE *) | | TLS_FEATURE_free | 0 | TLS_FEATURE * |
| (TLS_RL_RECORD *,const unsigned char *) | | ossl_tls_rl_record_set_seq_num | 0 | TLS_RL_RECORD * |
| (TLS_RL_RECORD *,const unsigned char *) | | ossl_tls_rl_record_set_seq_num | 1 | const unsigned char * |
@@ -30355,6 +30390,7 @@ getSignatureParameterName
| (TXT_DB *,int,..(*)(..),OPENSSL_LH_HASHFUNC,OPENSSL_LH_COMPFUNC) | | TXT_DB_create_index | 2 | ..(*)(..) |
| (TXT_DB *,int,..(*)(..),OPENSSL_LH_HASHFUNC,OPENSSL_LH_COMPFUNC) | | TXT_DB_create_index | 3 | OPENSSL_LH_HASHFUNC |
| (TXT_DB *,int,..(*)(..),OPENSSL_LH_HASHFUNC,OPENSSL_LH_COMPFUNC) | | TXT_DB_create_index | 4 | OPENSSL_LH_COMPFUNC |
| (U *) | ComPtr | operator=<U> | 0 | func:0 * |
| (UI *) | | UI_get0_user_data | 0 | UI * |
| (UI *) | | UI_get_method | 0 | UI * |
| (UI *,UI_STRING *,const char *) | | UI_set_result | 0 | UI * |
@@ -33305,6 +33341,8 @@ getSignatureParameterName
| (const CURLU *,CURLUPart,char **,unsigned int) | | curl_url_get | 1 | CURLUPart |
| (const CURLU *,CURLUPart,char **,unsigned int) | | curl_url_get | 2 | char ** |
| (const CURLU *,CURLUPart,char **,unsigned int) | | curl_url_get | 3 | unsigned int |
| (const ComPtr &) | ComPtr | ComPtr | 0 | const ComPtr & |
| (const ComPtr &) | ComPtr | operator= | 0 | const ComPtr & |
| (const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *) | | BrotliBuildHistogramsWithContext | 0 | const Command * |
| (const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *) | | BrotliBuildHistogramsWithContext | 1 | const size_t |
| (const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *) | | BrotliBuildHistogramsWithContext | 2 | const BlockSplit * |
@@ -46404,6 +46442,27 @@ getParameterTypeName
| atl.cpp:1231:5:1231:12 | CStrBufT | 1 | int |
| atl.cpp:1231:5:1231:12 | CStrBufT | 2 | DWORD |
| atl.cpp:1231:5:1231:12 | CStrBufT | 2 | unsigned long |
| atl.cpp:1286:5:1286:10 | ComPtr | 0 | const ComPtr & |
| atl.cpp:1287:5:1287:10 | ComPtr | 0 | ComPtr && |
| atl.cpp:1290:5:1290:10 | ComPtr | 0 | func:0 * |
| atl.cpp:1290:5:1290:10 | ComPtr | 0 | func:0 * |
| atl.cpp:1295:13:1295:14 | As | 0 | ComPtr * |
| atl.cpp:1301:13:1301:18 | CopyTo | 0 | Interfaceclass:0ype ** |
| atl.cpp:1301:13:1301:18 | CopyTo | 0 | class:0 ** |
| atl.cpp:1303:13:1303:18 | CopyTo | 0 | GUID * |
| atl.cpp:1303:13:1303:18 | CopyTo | 0 | REFIID |
| atl.cpp:1303:13:1303:18 | CopyTo | 1 | void ** |
| atl.cpp:1306:13:1306:18 | CopyTo | 0 | func:0 ** |
| atl.cpp:1321:10:1321:13 | Swap | 0 | ComPtr & |
| atl.cpp:1328:13:1328:21 | operator= | 0 | class:0 * |
| atl.cpp:1330:13:1330:21 | operator= | 0 | func:0 * |
| atl.cpp:1331:13:1331:21 | operator= | 0 | const ComPtr & |
| atl.cpp:1333:13:1333:21 | operator= | 0 | const ComPtr & |
| atl.cpp:1334:13:1334:21 | operator= | 0 | ComPtr && |
| atl.cpp:1336:13:1336:21 | operator= | 0 | ComPtr && |
| atl.cpp:1343:25:1343:28 | move | 0 | func:0 & |
| atl.cpp:1415:8:1415:8 | operator= | 0 | S && |
| atl.cpp:1415:8:1415:8 | operator= | 0 | const S & |
| bsd.cpp:6:8:6:8 | operator= | 0 | const sockaddr & |
| bsd.cpp:6:8:6:8 | operator= | 0 | sockaddr && |
| bsd.cpp:12:5:12:10 | accept | 0 | int |

31
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

@@ -24550,6 +24550,37 @@ ir.cpp:
# 2771| Type = [LValueReferenceType] ThreeWay &
# 2771| ValueCategory = prvalue
# 2772| getStmt(2): [ReturnStmt] return ...
# 2774| [TopLevelFunction] void test_allocation_with_initializer()
# 2774| <params>:
# 2774| getEntryPoint(): [BlockStmt] { ... }
# 2775| getStmt(0): [DeclStmt] declaration
# 2775| getDeclarationEntry(0): [VariableDeclarationEntry] definition of p1
# 2775| Type = [IntPointerType] int *
# 2775| getVariable().getInitializer(): [Initializer] initializer for p1
# 2775| getExpr(): [NewExpr] new
# 2775| Type = [IntPointerType] int *
# 2775| ValueCategory = prvalue
# 2775| getInitializer(): [Literal] 42
# 2775| Type = [IntType] int
# 2775| Value = [Literal] 42
# 2775| ValueCategory = prvalue
# 2776| getStmt(1): [DeclStmt] declaration
# 2776| getDeclarationEntry(0): [VariableDeclarationEntry] definition of p2
# 2776| Type = [PointerType] long *
# 2776| getVariable().getInitializer(): [Initializer] initializer for p2
# 2776| getExpr(): [NewExpr] new
# 2776| Type = [PointerType] long *
# 2776| ValueCategory = prvalue
# 2776| getInitializer(): [Literal] 42
# 2776| Type = [IntType] int
# 2776| Value = [Literal] 42
# 2776| ValueCategory = prvalue
# 2776| getInitializer().getFullyConverted(): [CStyleCast] (long)...
# 2776| Conversion = [IntegralConversion] integral conversion
# 2776| Type = [LongType] long
# 2776| Value = [CStyleCast] 42
# 2776| ValueCategory = prvalue
# 2777| getStmt(2): [ReturnStmt] return ...
ir23.cpp:
# 1| [TopLevelFunction] bool consteval_1()
# 1| <params>:

35
cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
View File

@@ -20395,6 +20395,41 @@ ir.cpp:
# 2769| v2769_14(void) = AliasedUse : ~m2771_8
# 2769| v2769_15(void) = ExitFunction :
# 2774| void test_allocation_with_initializer()
# 2774| Block 0
# 2774| v2774_1(void) = EnterFunction :
# 2774| m2774_2(unknown) = AliasedDefinition :
# 2774| m2774_3(unknown) = InitializeNonLocal :
# 2774| m2774_4(unknown) = Chi : total:m2774_2, partial:m2774_3
# 2775| r2775_1(glval<int *>) = VariableAddress[p1] :
# 2775| r2775_2(glval<unknown>) = FunctionAddress[operator new] :
# 2775| r2775_3(unsigned long) = Constant[4] :
# 2775| r2775_4(void *) = Call[operator new] : func:r2775_2, 0:r2775_3
# 2775| m2775_5(unknown) = ^CallSideEffect : ~m2774_4
# 2775| m2775_6(unknown) = Chi : total:m2774_4, partial:m2775_5
# 2775| m2775_7(unknown) = ^InitializeDynamicAllocation : &:r2775_4
# 2775| r2775_8(int *) = Convert : r2775_4
# 2775| r2775_9(int) = Constant[42] :
# 2775| m2775_10(int) = Store[?] : &:r2775_8, r2775_9
# 2775| m2775_11(unknown) = Chi : total:m2775_7, partial:m2775_10
# 2775| m2775_12(int *) = Store[p1] : &:r2775_1, r2775_8
# 2776| r2776_1(glval<long *>) = VariableAddress[p2] :
# 2776| r2776_2(glval<unknown>) = FunctionAddress[operator new] :
# 2776| r2776_3(unsigned long) = Constant[8] :
# 2776| r2776_4(void *) = Call[operator new] : func:r2776_2, 0:r2776_3
# 2776| m2776_5(unknown) = ^CallSideEffect : ~m2775_6
# 2776| m2776_6(unknown) = Chi : total:m2775_6, partial:m2776_5
# 2776| m2776_7(unknown) = ^InitializeDynamicAllocation : &:r2776_4
# 2776| r2776_8(long *) = Convert : r2776_4
# 2776| r2776_9(long) = Constant[42] :
# 2776| m2776_10(long) = Store[?] : &:r2776_8, r2776_9
# 2776| m2776_11(unknown) = Chi : total:m2776_7, partial:m2776_10
# 2776| m2776_12(long *) = Store[p2] : &:r2776_1, r2776_8
# 2777| v2777_1(void) = NoOp :
# 2774| v2774_5(void) = ReturnVoid :
# 2774| v2774_6(void) = AliasedUse : ~m2776_6
# 2774| v2774_7(void) = ExitFunction :
ir23.cpp:
# 1| bool consteval_1()
# 1| Block 0

5
cpp/ql/test/library-tests/ir/ir/ir.cpp
View File

@@ -2771,4 +2771,9 @@ void test_three_way(int a, int b, ThreeWay c, ThreeWay d) {
auto y = c <=> d;
}
void test_allocation_with_initializer() {
int* p1 = new int(42);
long* p2 = new long(42);
}
// semmle-extractor-options: -std=c++20 --clang

30
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

@@ -18547,6 +18547,36 @@ ir.cpp:
# 2769| v2769_13(void) = AliasedUse : ~m?
# 2769| v2769_14(void) = ExitFunction :
# 2774| void test_allocation_with_initializer()
# 2774| Block 0
# 2774| v2774_1(void) = EnterFunction :
# 2774| mu2774_2(unknown) = AliasedDefinition :
# 2774| mu2774_3(unknown) = InitializeNonLocal :
# 2775| r2775_1(glval<int *>) = VariableAddress[p1] :
# 2775| r2775_2(glval<unknown>) = FunctionAddress[operator new] :
# 2775| r2775_3(unsigned long) = Constant[4] :
# 2775| r2775_4(void *) = Call[operator new] : func:r2775_2, 0:r2775_3
# 2775| mu2775_5(unknown) = ^CallSideEffect : ~m?
# 2775| mu2775_6(unknown) = ^InitializeDynamicAllocation : &:r2775_4
# 2775| r2775_7(int *) = Convert : r2775_4
# 2775| r2775_8(int) = Constant[42] :
# 2775| mu2775_9(int) = Store[?] : &:r2775_7, r2775_8
# 2775| mu2775_10(int *) = Store[p1] : &:r2775_1, r2775_7
# 2776| r2776_1(glval<long *>) = VariableAddress[p2] :
# 2776| r2776_2(glval<unknown>) = FunctionAddress[operator new] :
# 2776| r2776_3(unsigned long) = Constant[8] :
# 2776| r2776_4(void *) = Call[operator new] : func:r2776_2, 0:r2776_3
# 2776| mu2776_5(unknown) = ^CallSideEffect : ~m?
# 2776| mu2776_6(unknown) = ^InitializeDynamicAllocation : &:r2776_4
# 2776| r2776_7(long *) = Convert : r2776_4
# 2776| r2776_8(long) = Constant[42] :
# 2776| mu2776_9(long) = Store[?] : &:r2776_7, r2776_8
# 2776| mu2776_10(long *) = Store[p2] : &:r2776_1, r2776_7
# 2777| v2777_1(void) = NoOp :
# 2774| v2774_4(void) = ReturnVoid :
# 2774| v2774_5(void) = AliasedUse : ~m?
# 2774| v2774_6(void) = ExitFunction :
ir23.cpp:
# 1| bool consteval_1()
# 1| Block 0

4
cpp/ql/test/library-tests/macros/arguments/macro_arguments.expected
View File

@@ -23,7 +23,7 @@
| test.c:27:17:33:1 | test.c:27:17:33:1 | CONCAT | 1 | "Semmle" | "Semmle" |
| test.c:42:1:42:13 | test.c:42:1:42:13 | APPLY | 0 | top | top |
| test.c:42:1:42:13 | test.c:42:1:42:13 | APPLY | 1 | 3 | 3 |
| test.c:42:1:42:13 | test.c:42:7:41:24 | APPLY -> top | 0 | 3 | 3 |
| test.c:42:1:42:13 | test.c:42:7:42:7 | APPLY -> top | 0 | 3 | 3 |
| test.c:42:1:42:13 | top_and_nested.h:2:16:2:24 | APPLY -> top -> nested | 0 | 3 | |
| test.c:42:1:42:13 | top_and_nested.h:3:16:3:30 | APPLY -> top -> nested | 0 | 2 + (3) | |
| test.c:47:1:47:23 | test.c:45:15:45:22 | DECLARE_STRING -> ID | 0 | string1 | string1 |
@@ -49,7 +49,7 @@
| test.c:82:1:82:4 | test.c:82:1:82:4 | ID | 0 | | |
| test.c:84:5:84:20 | test.c:84:5:84:20 | APPLY | 0 | ID | ID |
| test.c:84:5:84:20 | test.c:84:5:84:20 | APPLY | 1 | ID(1) | 1 |
| test.c:84:5:84:20 | test.c:84:11:41:24 | APPLY -> ID | 0 | 1 | 1 |
| test.c:84:5:84:20 | test.c:84:11:84:11 | APPLY -> ID | 0 | 1 | 1 |
| test.c:84:5:84:20 | test.c:84:15:84:19 | APPLY -> ID | 0 | 1 | 1 |
| test.c:85:21:85:40 | test.c:85:21:85:40 | CMD_LINE_MACRO | 0 | 5 | 5 |
| test.c:85:21:85:40 | test.c:85:21:85:40 | CMD_LINE_MACRO | 1 | 6 | 6 |

8
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/ms_vacopy.c Normal file
View File

@@ -0,0 +1,8 @@
#include <stdarg.h>
int va_copy_test(va_list va) {
va_list va2;
va_copy(va2, va);
return 0;
}
// semmle-extractor-options: --microsoft

2
csharp/codeql-extractor.yml
View File

@@ -10,6 +10,8 @@ build_modes:
- autobuild
- manual
- none
default_queries:
- codeql/csharp-queries
github_api_languages:
- C#
scc_languages:

4
csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.7.47
No user-facing changes.
## 1.7.46
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.47.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.47
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.46
lastReleaseVersion: 1.7.47

2
csharp/ql/campaigns/Solorigate/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.47-dev
version: 1.7.48-dev
groups:
- csharp
- solorigate

4
csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.7.47
No user-facing changes.
## 1.7.46
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.47.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.47
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.46
lastReleaseVersion: 1.7.47

2
csharp/ql/campaigns/Solorigate/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.47-dev
version: 1.7.48-dev
groups:
- csharp
- solorigate

8
csharp/ql/consistency-queries/CfgConsistency.ql
View File

@@ -29,7 +29,7 @@ predicate bbSuccInconsistency(ControlFlowElement pred, ControlFlowElement succ)
succBB.getFirstNode() = succ.getAControlFlowNode()
) and
not exists(PreBasicBlock predBB, PreBasicBlock succBB |
predBB.getLastElement() = pred and
predBB.getLastNode() = pred and
succBB = predBB.getASuccessor() and
succBB.getFirstElement() = succ
)
@@ -41,12 +41,12 @@ predicate bbIntraSuccInconsistency(ControlFlowElement pred, ControlFlowElement s
succ.getAControlFlowNode() = bb.getNode(i + 1)
) and
not exists(PreBasicBlock bb |
bb.getLastElement() = pred and
bb.getLastNode() = pred and
bb.getASuccessor().getFirstElement() = succ
) and
not exists(PreBasicBlock bb, int i |
bb.getElement(i) = pred and
bb.getElement(i + 1) = succ
bb.getNode(i) = pred and
bb.getNode(i + 1) = succ
)
}

Some files were not shown because too many files have changed in this diff Show More