hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:Semmle/ql into rdmarsh/cpp/ir-constructor-side-effects

Browse Source
This commit is contained in:
Robert Marsh
2019-11-08 12:47:27 -08:00
parent 2582b69e17 2b89139d5f
commit 1dc0cb89d0
27 changed files with 593 additions and 391 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
change-notes/1.23/analysis-javascript.md
View File

@@ -2,6 +2,8 @@
## General improvements
* Automatic classification of generated and minified files has been improved, in particular files generated by Doxygen are now recognized.
* Support for `globalThis` has been added.
* Support for the following frameworks and libraries has been improved:
@@ -14,8 +16,6 @@
* TypeScript 3.6 and 3.7 features are now supported.
* Automatic classification of generated files has been improved, in particular files generated by Doxygen are now recognized.
## New queries
| **Query** | **Tags** | **Purpose** |

3
cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
View File

@@ -121,7 +121,8 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali
private predicate hasUninitializedInstruction() {
not exists(getInitialization()) or
getInitialization() instanceof TranslatedListInitialization or
getInitialization() instanceof TranslatedConstructorInitialization
getInitialization() instanceof TranslatedConstructorInitialization or
getInitialization().(TranslatedStringLiteralInitialization).zeroInitRange(_, _)
}
}

2
cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
View File

@@ -340,7 +340,7 @@ class TranslatedStringLiteralInitialization extends TranslatedDirectInitializati
* Holds if the `elementCount` array elements starting at `startIndex` must be
* zero initialized.
*/
private predicate zeroInitRange(int startIndex, int elementCount) {
predicate zeroInitRange(int startIndex, int elementCount) {
exists(int targetCount |
startIndex = expr.getUnspecifiedType().(ArrayType).getArraySize() and
targetCount = getContext().getTargetType().getUnspecifiedType().(ArrayType).getArraySize() and

117
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

@@ -2700,64 +2700,65 @@ ir.cpp:
# 571| mu0_1(unknown) = AliasedDefinition :
# 571| mu0_2(unknown) = UnmodeledDefinition :
# 572| r0_3(glval<char[32]>) = VariableAddress[a_pad] :
# 572| r0_4(glval<char[1]>) = StringConstant[""] :
# 572| r0_5(char[1]) = Load : &:r0_4, ~mu0_2
# 572| mu0_6(char[1]) = Store : &:r0_3, r0_5
# 572| r0_7(unknown[31]) = Constant[0] :
# 572| r0_8(int) = Constant[1] :
# 572| r0_9(glval<char>) = PointerAdd[1] : r0_3, r0_8
# 572| mu0_10(unknown[31]) = Store : &:r0_9, r0_7
# 573| r0_11(glval<char[4]>) = VariableAddress[a_nopad] :
# 573| r0_12(glval<char[4]>) = StringConstant["foo"] :
# 573| r0_13(char[4]) = Load : &:r0_12, ~mu0_2
# 573| mu0_14(char[4]) = Store : &:r0_11, r0_13
# 574| r0_15(glval<char[5]>) = VariableAddress[a_infer] :
# 574| r0_16(glval<char[5]>) = StringConstant["blah"] :
# 574| r0_17(char[5]) = Load : &:r0_16, ~mu0_2
# 574| mu0_18(char[5]) = Store : &:r0_15, r0_17
# 575| r0_19(glval<char[2]>) = VariableAddress[b] :
# 575| mu0_20(char[2]) = Uninitialized[b] : &:r0_19
# 576| r0_21(glval<char[2]>) = VariableAddress[c] :
# 576| mu0_22(char[2]) = Uninitialized[c] : &:r0_21
# 576| r0_23(int) = Constant[0] :
# 576| r0_24(glval<char>) = PointerAdd[1] : r0_21, r0_23
# 576| r0_25(unknown[2]) = Constant[0] :
# 576| mu0_26(unknown[2]) = Store : &:r0_24, r0_25
# 577| r0_27(glval<char[2]>) = VariableAddress[d] :
# 577| mu0_28(char[2]) = Uninitialized[d] : &:r0_27
# 577| r0_29(int) = Constant[0] :
# 577| r0_30(glval<char>) = PointerAdd[1] : r0_27, r0_29
# 577| r0_31(char) = Constant[0] :
# 577| mu0_32(char) = Store : &:r0_30, r0_31
# 577| r0_33(int) = Constant[1] :
# 577| r0_34(glval<char>) = PointerAdd[1] : r0_27, r0_33
# 577| r0_35(char) = Constant[0] :
# 577| mu0_36(char) = Store : &:r0_34, r0_35
# 578| r0_37(glval<char[2]>) = VariableAddress[e] :
# 578| mu0_38(char[2]) = Uninitialized[e] : &:r0_37
# 578| r0_39(int) = Constant[0] :
# 578| r0_40(glval<char>) = PointerAdd[1] : r0_37, r0_39
# 578| r0_41(char) = Constant[0] :
# 578| mu0_42(char) = Store : &:r0_40, r0_41
# 578| r0_43(int) = Constant[1] :
# 578| r0_44(glval<char>) = PointerAdd[1] : r0_37, r0_43
# 578| r0_45(char) = Constant[1] :
# 578| mu0_46(char) = Store : &:r0_44, r0_45
# 579| r0_47(glval<char[3]>) = VariableAddress[f] :
# 579| mu0_48(char[3]) = Uninitialized[f] : &:r0_47
# 579| r0_49(int) = Constant[0] :
# 579| r0_50(glval<char>) = PointerAdd[1] : r0_47, r0_49
# 579| r0_51(char) = Constant[0] :
# 579| mu0_52(char) = Store : &:r0_50, r0_51
# 579| r0_53(int) = Constant[1] :
# 579| r0_54(glval<char>) = PointerAdd[1] : r0_47, r0_53
# 579| r0_55(unknown[2]) = Constant[0] :
# 579| mu0_56(unknown[2]) = Store : &:r0_54, r0_55
# 580| v0_57(void) = NoOp :
# 571| v0_58(void) = ReturnVoid :
# 571| v0_59(void) = UnmodeledUse : mu*
# 571| v0_60(void) = AliasedUse : ~mu0_2
# 571| v0_61(void) = ExitFunction :
# 572| mu0_4(char[32]) = Uninitialized[a_pad] : &:r0_3
# 572| r0_5(glval<char[1]>) = StringConstant[""] :
# 572| r0_6(char[1]) = Load : &:r0_5, ~mu0_2
# 572| mu0_7(char[1]) = Store : &:r0_3, r0_6
# 572| r0_8(unknown[31]) = Constant[0] :
# 572| r0_9(int) = Constant[1] :
# 572| r0_10(glval<char>) = PointerAdd[1] : r0_3, r0_9
# 572| mu0_11(unknown[31]) = Store : &:r0_10, r0_8
# 573| r0_12(glval<char[4]>) = VariableAddress[a_nopad] :
# 573| r0_13(glval<char[4]>) = StringConstant["foo"] :
# 573| r0_14(char[4]) = Load : &:r0_13, ~mu0_2
# 573| mu0_15(char[4]) = Store : &:r0_12, r0_14
# 574| r0_16(glval<char[5]>) = VariableAddress[a_infer] :
# 574| r0_17(glval<char[5]>) = StringConstant["blah"] :
# 574| r0_18(char[5]) = Load : &:r0_17, ~mu0_2
# 574| mu0_19(char[5]) = Store : &:r0_16, r0_18
# 575| r0_20(glval<char[2]>) = VariableAddress[b] :
# 575| mu0_21(char[2]) = Uninitialized[b] : &:r0_20
# 576| r0_22(glval<char[2]>) = VariableAddress[c] :
# 576| mu0_23(char[2]) = Uninitialized[c] : &:r0_22
# 576| r0_24(int) = Constant[0] :
# 576| r0_25(glval<char>) = PointerAdd[1] : r0_22, r0_24
# 576| r0_26(unknown[2]) = Constant[0] :
# 576| mu0_27(unknown[2]) = Store : &:r0_25, r0_26
# 577| r0_28(glval<char[2]>) = VariableAddress[d] :
# 577| mu0_29(char[2]) = Uninitialized[d] : &:r0_28
# 577| r0_30(int) = Constant[0] :
# 577| r0_31(glval<char>) = PointerAdd[1] : r0_28, r0_30
# 577| r0_32(char) = Constant[0] :
# 577| mu0_33(char) = Store : &:r0_31, r0_32
# 577| r0_34(int) = Constant[1] :
# 577| r0_35(glval<char>) = PointerAdd[1] : r0_28, r0_34
# 577| r0_36(char) = Constant[0] :
# 577| mu0_37(char) = Store : &:r0_35, r0_36
# 578| r0_38(glval<char[2]>) = VariableAddress[e] :
# 578| mu0_39(char[2]) = Uninitialized[e] : &:r0_38
# 578| r0_40(int) = Constant[0] :
# 578| r0_41(glval<char>) = PointerAdd[1] : r0_38, r0_40
# 578| r0_42(char) = Constant[0] :
# 578| mu0_43(char) = Store : &:r0_41, r0_42
# 578| r0_44(int) = Constant[1] :
# 578| r0_45(glval<char>) = PointerAdd[1] : r0_38, r0_44
# 578| r0_46(char) = Constant[1] :
# 578| mu0_47(char) = Store : &:r0_45, r0_46
# 579| r0_48(glval<char[3]>) = VariableAddress[f] :
# 579| mu0_49(char[3]) = Uninitialized[f] : &:r0_48
# 579| r0_50(int) = Constant[0] :
# 579| r0_51(glval<char>) = PointerAdd[1] : r0_48, r0_50
# 579| r0_52(char) = Constant[0] :
# 579| mu0_53(char) = Store : &:r0_51, r0_52
# 579| r0_54(int) = Constant[1] :
# 579| r0_55(glval<char>) = PointerAdd[1] : r0_48, r0_54
# 579| r0_56(unknown[2]) = Constant[0] :
# 579| mu0_57(unknown[2]) = Store : &:r0_55, r0_56
# 580| v0_58(void) = NoOp :
# 571| v0_59(void) = ReturnVoid :
# 571| v0_60(void) = UnmodeledUse : mu*
# 571| v0_61(void) = AliasedUse : ~mu0_2
# 571| v0_62(void) = ExitFunction :
# 584| void VarArgs()
# 584| Block 0

226
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
View File

@@ -878,81 +878,155 @@ ssa.cpp:
# 207| v0_28(void) = AliasedUse : ~m0_1
# 207| v0_29(void) = ExitFunction :
# 215| void Constructible::Constructible(int)
# 215| Block 0
# 215| v0_0(void) = EnterFunction :
# 215| m0_1(unknown) = AliasedDefinition :
# 215| mu0_2(unknown) = UnmodeledDefinition :
# 215| r0_3(glval<Constructible>) = InitializeThis :
# 215| r0_4(glval<int>) = VariableAddress[x] :
# 215| m0_5(int) = InitializeParameter[x] : &:r0_4
# 215| v0_6(void) = NoOp :
# 215| v0_7(void) = ReturnVoid :
# 215| v0_8(void) = UnmodeledUse : mu*
# 215| v0_9(void) = AliasedUse : ~m0_1
# 215| v0_10(void) = ExitFunction :
# 213| void InitArray()
# 213| Block 0
# 213| v0_0(void) = EnterFunction :
# 213| m0_1(unknown) = AliasedDefinition :
# 213| mu0_2(unknown) = UnmodeledDefinition :
# 214| r0_3(glval<char[32]>) = VariableAddress[a_pad] :
# 214| m0_4(char[32]) = Uninitialized[a_pad] : &:r0_3
# 214| r0_5(glval<char[1]>) = StringConstant[""] :
# 214| r0_6(char[1]) = Load : &:r0_5, ~m0_1
# 214| m0_7(char[1]) = Store : &:r0_3, r0_6
# 214| m0_8(char[32]) = Chi : total:m0_4, partial:m0_7
# 214| r0_9(unknown[31]) = Constant[0] :
# 214| r0_10(int) = Constant[1] :
# 214| r0_11(glval<char>) = PointerAdd[1] : r0_3, r0_10
# 214| m0_12(unknown[31]) = Store : &:r0_11, r0_9
# 214| m0_13(char[32]) = Chi : total:m0_8, partial:m0_12
# 215| r0_14(glval<char[4]>) = VariableAddress[a_nopad] :
# 215| r0_15(glval<char[4]>) = StringConstant["foo"] :
# 215| r0_16(char[4]) = Load : &:r0_15, ~m0_1
# 215| m0_17(char[4]) = Store : &:r0_14, r0_16
# 216| r0_18(glval<char[5]>) = VariableAddress[a_infer] :
# 216| r0_19(glval<char[5]>) = StringConstant["blah"] :
# 216| r0_20(char[5]) = Load : &:r0_19, ~m0_1
# 216| m0_21(char[5]) = Store : &:r0_18, r0_20
# 217| r0_22(glval<char[2]>) = VariableAddress[b] :
# 217| m0_23(char[2]) = Uninitialized[b] : &:r0_22
# 218| r0_24(glval<char[2]>) = VariableAddress[c] :
# 218| m0_25(char[2]) = Uninitialized[c] : &:r0_24
# 218| r0_26(int) = Constant[0] :
# 218| r0_27(glval<char>) = PointerAdd[1] : r0_24, r0_26
# 218| r0_28(unknown[2]) = Constant[0] :
# 218| m0_29(unknown[2]) = Store : &:r0_27, r0_28
# 219| r0_30(glval<char[2]>) = VariableAddress[d] :
# 219| m0_31(char[2]) = Uninitialized[d] : &:r0_30
# 219| r0_32(int) = Constant[0] :
# 219| r0_33(glval<char>) = PointerAdd[1] : r0_30, r0_32
# 219| r0_34(char) = Constant[0] :
# 219| m0_35(char) = Store : &:r0_33, r0_34
# 219| m0_36(char[2]) = Chi : total:m0_31, partial:m0_35
# 219| r0_37(int) = Constant[1] :
# 219| r0_38(glval<char>) = PointerAdd[1] : r0_30, r0_37
# 219| r0_39(char) = Constant[0] :
# 219| m0_40(char) = Store : &:r0_38, r0_39
# 219| m0_41(char[2]) = Chi : total:m0_36, partial:m0_40
# 220| r0_42(glval<char[2]>) = VariableAddress[e] :
# 220| m0_43(char[2]) = Uninitialized[e] : &:r0_42
# 220| r0_44(int) = Constant[0] :
# 220| r0_45(glval<char>) = PointerAdd[1] : r0_42, r0_44
# 220| r0_46(char) = Constant[0] :
# 220| m0_47(char) = Store : &:r0_45, r0_46
# 220| m0_48(char[2]) = Chi : total:m0_43, partial:m0_47
# 220| r0_49(int) = Constant[1] :
# 220| r0_50(glval<char>) = PointerAdd[1] : r0_42, r0_49
# 220| r0_51(char) = Constant[1] :
# 220| m0_52(char) = Store : &:r0_50, r0_51
# 220| m0_53(char[2]) = Chi : total:m0_48, partial:m0_52
# 221| r0_54(glval<char[3]>) = VariableAddress[f] :
# 221| m0_55(char[3]) = Uninitialized[f] : &:r0_54
# 221| r0_56(int) = Constant[0] :
# 221| r0_57(glval<char>) = PointerAdd[1] : r0_54, r0_56
# 221| r0_58(char) = Constant[0] :
# 221| m0_59(char) = Store : &:r0_57, r0_58
# 221| m0_60(char[3]) = Chi : total:m0_55, partial:m0_59
# 221| r0_61(int) = Constant[1] :
# 221| r0_62(glval<char>) = PointerAdd[1] : r0_54, r0_61
# 221| r0_63(unknown[2]) = Constant[0] :
# 221| m0_64(unknown[2]) = Store : &:r0_62, r0_63
# 221| m0_65(char[3]) = Chi : total:m0_60, partial:m0_64
# 222| v0_66(void) = NoOp :
# 213| v0_67(void) = ReturnVoid :
# 213| v0_68(void) = UnmodeledUse : mu*
# 213| v0_69(void) = AliasedUse : ~m0_1
# 213| v0_70(void) = ExitFunction :
# 216| void Constructible::g()
# 216| Block 0
# 216| v0_0(void) = EnterFunction :
# 216| m0_1(unknown) = AliasedDefinition :
# 216| mu0_2(unknown) = UnmodeledDefinition :
# 216| r0_3(glval<Constructible>) = InitializeThis :
# 216| v0_4(void) = NoOp :
# 216| v0_5(void) = ReturnVoid :
# 216| v0_6(void) = UnmodeledUse : mu*
# 216| v0_7(void) = AliasedUse : ~m0_1
# 216| v0_8(void) = ExitFunction :
# 226| void Constructible::Constructible(int)
# 226| Block 0
# 226| v0_0(void) = EnterFunction :
# 226| m0_1(unknown) = AliasedDefinition :
# 226| mu0_2(unknown) = UnmodeledDefinition :
# 226| r0_3(glval<Constructible>) = InitializeThis :
# 226| r0_4(glval<int>) = VariableAddress[x] :
# 226| m0_5(int) = InitializeParameter[x] : &:r0_4
# 226| v0_6(void) = NoOp :
# 226| v0_7(void) = ReturnVoid :
# 226| v0_8(void) = UnmodeledUse : mu*
# 226| v0_9(void) = AliasedUse : ~m0_1
# 226| v0_10(void) = ExitFunction :
# 219| void ExplicitConstructorCalls()
# 219| Block 0
# 219| v0_0(void) = EnterFunction :
# 219| m0_1(unknown) = AliasedDefinition :
# 219| mu0_2(unknown) = UnmodeledDefinition :
# 220| r0_3(glval<Constructible>) = VariableAddress[c] :
# 220| m0_4(Constructible) = Uninitialized[c] : &:r0_3
# 220| r0_5(glval<unknown>) = FunctionAddress[Constructible] :
# 220| r0_6(int) = Constant[1] :
# 220| v0_7(void) = Call : func:r0_5, this:r0_3, 0:r0_6
# 220| m0_8(unknown) = ^CallSideEffect : ~m0_1
# 220| m0_9(unknown) = Chi : total:m0_1, partial:m0_8
# 220| m0_10(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_3
# 220| m0_11(Constructible) = Chi : total:m0_4, partial:m0_10
# 221| r0_12(glval<Constructible>) = VariableAddress[c] :
# 221| r0_13(glval<unknown>) = FunctionAddress[g] :
# 221| v0_14(void) = Call : func:r0_13, this:r0_12
# 221| m0_15(unknown) = ^CallSideEffect : ~m0_9
# 221| m0_16(unknown) = Chi : total:m0_9, partial:m0_15
# 221| v0_17(void) = ^BufferReadSideEffect[-1] : &:r0_12, ~m0_11
# 221| m0_18(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_12
# 221| m0_19(Constructible) = Chi : total:m0_11, partial:m0_18
# 222| r0_20(glval<Constructible>) = VariableAddress[c] :
# 222| r0_21(glval<unknown>) = FunctionAddress[g] :
# 222| v0_22(void) = Call : func:r0_21, this:r0_20
# 222| m0_23(unknown) = ^CallSideEffect : ~m0_16
# 222| m0_24(unknown) = Chi : total:m0_16, partial:m0_23
# 222| v0_25(void) = ^BufferReadSideEffect[-1] : &:r0_20, ~m0_19
# 222| m0_26(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_20
# 222| m0_27(Constructible) = Chi : total:m0_19, partial:m0_26
# 223| r0_28(glval<Constructible>) = VariableAddress[c2] :
# 223| m0_29(Constructible) = Uninitialized[c2] : &:r0_28
# 223| r0_30(glval<unknown>) = FunctionAddress[Constructible] :
# 223| r0_31(int) = Constant[2] :
# 223| v0_32(void) = Call : func:r0_30, this:r0_28, 0:r0_31
# 223| m0_33(unknown) = ^CallSideEffect : ~m0_24
# 223| m0_34(unknown) = Chi : total:m0_24, partial:m0_33
# 223| m0_35(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_28
# 223| m0_36(Constructible) = Chi : total:m0_29, partial:m0_35
# 224| r0_37(glval<Constructible>) = VariableAddress[c2] :
# 224| r0_38(glval<unknown>) = FunctionAddress[g] :
# 224| v0_39(void) = Call : func:r0_38, this:r0_37
# 224| m0_40(unknown) = ^CallSideEffect : ~m0_34
# 224| m0_41(unknown) = Chi : total:m0_34, partial:m0_40
# 224| v0_42(void) = ^BufferReadSideEffect[-1] : &:r0_37, ~m0_36
# 224| m0_43(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_37
# 224| m0_44(Constructible) = Chi : total:m0_36, partial:m0_43
# 225| v0_45(void) = NoOp :
# 219| v0_46(void) = ReturnVoid :
# 219| v0_47(void) = UnmodeledUse : mu*
# 219| v0_48(void) = AliasedUse : ~m0_41
# 219| v0_49(void) = ExitFunction :
# 227| void Constructible::g()
# 227| Block 0
# 227| v0_0(void) = EnterFunction :
# 227| m0_1(unknown) = AliasedDefinition :
# 227| mu0_2(unknown) = UnmodeledDefinition :
# 227| r0_3(glval<Constructible>) = InitializeThis :
# 227| v0_4(void) = NoOp :
# 227| v0_5(void) = ReturnVoid :
# 227| v0_6(void) = UnmodeledUse : mu*
# 227| v0_7(void) = AliasedUse : ~m0_1
# 227| v0_8(void) = ExitFunction :
# 230| void ExplicitConstructorCalls()
# 230| Block 0
# 230| v0_0(void) = EnterFunction :
# 230| m0_1(unknown) = AliasedDefinition :
# 230| mu0_2(unknown) = UnmodeledDefinition :
# 231| r0_3(glval<Constructible>) = VariableAddress[c] :
# 231| m0_4(Constructible) = Uninitialized[c] : &:r0_3
# 231| r0_5(glval<unknown>) = FunctionAddress[Constructible] :
# 231| r0_6(int) = Constant[1] :
# 231| v0_7(void) = Call : func:r0_5, this:r0_3, 0:r0_6
# 231| m0_8(unknown) = ^CallSideEffect : ~m0_1
# 231| m0_9(unknown) = Chi : total:m0_1, partial:m0_8
# 231| m0_10(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_3
# 231| m0_11(Constructible) = Chi : total:m0_4, partial:m0_10
# 232| r0_12(glval<Constructible>) = VariableAddress[c] :
# 232| r0_13(glval<unknown>) = FunctionAddress[g] :
# 232| v0_14(void) = Call : func:r0_13, this:r0_12
# 232| m0_15(unknown) = ^CallSideEffect : ~m0_9
# 232| m0_16(unknown) = Chi : total:m0_9, partial:m0_15
# 232| v0_17(void) = ^BufferReadSideEffect[-1] : &:r0_12, ~m0_11
# 232| m0_18(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_12
# 232| m0_19(Constructible) = Chi : total:m0_11, partial:m0_18
# 233| r0_20(glval<Constructible>) = VariableAddress[c] :
# 233| r0_21(glval<unknown>) = FunctionAddress[g] :
# 233| v0_22(void) = Call : func:r0_21, this:r0_20
# 233| m0_23(unknown) = ^CallSideEffect : ~m0_16
# 233| m0_24(unknown) = Chi : total:m0_16, partial:m0_23
# 233| v0_25(void) = ^BufferReadSideEffect[-1] : &:r0_20, ~m0_19
# 233| m0_26(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_20
# 233| m0_27(Constructible) = Chi : total:m0_19, partial:m0_26
# 234| r0_28(glval<Constructible>) = VariableAddress[c2] :
# 234| m0_29(Constructible) = Uninitialized[c2] : &:r0_28
# 234| r0_30(glval<unknown>) = FunctionAddress[Constructible] :
# 234| r0_31(int) = Constant[2] :
# 234| v0_32(void) = Call : func:r0_30, this:r0_28, 0:r0_31
# 234| m0_33(unknown) = ^CallSideEffect : ~m0_24
# 234| m0_34(unknown) = Chi : total:m0_24, partial:m0_33
# 234| m0_35(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_28
# 234| m0_36(Constructible) = Chi : total:m0_29, partial:m0_35
# 235| r0_37(glval<Constructible>) = VariableAddress[c2] :
# 235| r0_38(glval<unknown>) = FunctionAddress[g] :
# 235| v0_39(void) = Call : func:r0_38, this:r0_37
# 235| m0_40(unknown) = ^CallSideEffect : ~m0_34
# 235| m0_41(unknown) = Chi : total:m0_34, partial:m0_40
# 235| v0_42(void) = ^BufferReadSideEffect[-1] : &:r0_37, ~m0_36
# 235| m0_43(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_37
# 235| m0_44(Constructible) = Chi : total:m0_36, partial:m0_43
# 236| v0_45(void) = NoOp :
# 230| v0_46(void) = ReturnVoid :
# 230| v0_47(void) = UnmodeledUse : mu*
# 230| v0_48(void) = AliasedUse : ~m0_41
# 230| v0_49(void) = ExitFunction :

11
cpp/ql/test/library-tests/ir/ssa/ssa.cpp
View File

@@ -210,6 +210,17 @@ int ModeledCallTarget(int x) {
return y;
}
void InitArray() {
char a_pad[32] = "";
char a_nopad[4] = "foo";
char a_infer[] = "blah";
char b[2];
char c[2] = {};
char d[2] = { 0 };
char e[2] = { 0, 1 };
char f[3] = { 0 };
}
class Constructible {
public:
Constructible(int x) {};

198
cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
View File

@@ -842,71 +842,137 @@ ssa.cpp:
# 207| v0_25(void) = AliasedUse : ~mu0_2
# 207| v0_26(void) = ExitFunction :
# 215| void Constructible::Constructible(int)
# 215| Block 0
# 215| v0_0(void) = EnterFunction :
# 215| mu0_1(unknown) = AliasedDefinition :
# 215| mu0_2(unknown) = UnmodeledDefinition :
# 215| r0_3(glval<Constructible>) = InitializeThis :
# 215| r0_4(glval<int>) = VariableAddress[x] :
# 215| m0_5(int) = InitializeParameter[x] : &:r0_4
# 215| v0_6(void) = NoOp :
# 215| v0_7(void) = ReturnVoid :
# 215| v0_8(void) = UnmodeledUse : mu*
# 215| v0_9(void) = AliasedUse : ~mu0_2
# 215| v0_10(void) = ExitFunction :
# 213| void InitArray()
# 213| Block 0
# 213| v0_0(void) = EnterFunction :
# 213| mu0_1(unknown) = AliasedDefinition :
# 213| mu0_2(unknown) = UnmodeledDefinition :
# 214| r0_3(glval<char[32]>) = VariableAddress[a_pad] :
# 214| mu0_4(char[32]) = Uninitialized[a_pad] : &:r0_3
# 214| r0_5(glval<char[1]>) = StringConstant[""] :
# 214| r0_6(char[1]) = Load : &:r0_5, ~mu0_2
# 214| mu0_7(char[1]) = Store : &:r0_3, r0_6
# 214| r0_8(unknown[31]) = Constant[0] :
# 214| r0_9(int) = Constant[1] :
# 214| r0_10(glval<char>) = PointerAdd[1] : r0_3, r0_9
# 214| mu0_11(unknown[31]) = Store : &:r0_10, r0_8
# 215| r0_12(glval<char[4]>) = VariableAddress[a_nopad] :
# 215| r0_13(glval<char[4]>) = StringConstant["foo"] :
# 215| r0_14(char[4]) = Load : &:r0_13, ~mu0_2
# 215| m0_15(char[4]) = Store : &:r0_12, r0_14
# 216| r0_16(glval<char[5]>) = VariableAddress[a_infer] :
# 216| r0_17(glval<char[5]>) = StringConstant["blah"] :
# 216| r0_18(char[5]) = Load : &:r0_17, ~mu0_2
# 216| m0_19(char[5]) = Store : &:r0_16, r0_18
# 217| r0_20(glval<char[2]>) = VariableAddress[b] :
# 217| m0_21(char[2]) = Uninitialized[b] : &:r0_20
# 218| r0_22(glval<char[2]>) = VariableAddress[c] :
# 218| mu0_23(char[2]) = Uninitialized[c] : &:r0_22
# 218| r0_24(int) = Constant[0] :
# 218| r0_25(glval<char>) = PointerAdd[1] : r0_22, r0_24
# 218| r0_26(unknown[2]) = Constant[0] :
# 218| mu0_27(unknown[2]) = Store : &:r0_25, r0_26
# 219| r0_28(glval<char[2]>) = VariableAddress[d] :
# 219| mu0_29(char[2]) = Uninitialized[d] : &:r0_28
# 219| r0_30(int) = Constant[0] :
# 219| r0_31(glval<char>) = PointerAdd[1] : r0_28, r0_30
# 219| r0_32(char) = Constant[0] :
# 219| mu0_33(char) = Store : &:r0_31, r0_32
# 219| r0_34(int) = Constant[1] :
# 219| r0_35(glval<char>) = PointerAdd[1] : r0_28, r0_34
# 219| r0_36(char) = Constant[0] :
# 219| mu0_37(char) = Store : &:r0_35, r0_36
# 220| r0_38(glval<char[2]>) = VariableAddress[e] :
# 220| mu0_39(char[2]) = Uninitialized[e] : &:r0_38
# 220| r0_40(int) = Constant[0] :
# 220| r0_41(glval<char>) = PointerAdd[1] : r0_38, r0_40
# 220| r0_42(char) = Constant[0] :
# 220| mu0_43(char) = Store : &:r0_41, r0_42
# 220| r0_44(int) = Constant[1] :
# 220| r0_45(glval<char>) = PointerAdd[1] : r0_38, r0_44
# 220| r0_46(char) = Constant[1] :
# 220| mu0_47(char) = Store : &:r0_45, r0_46
# 221| r0_48(glval<char[3]>) = VariableAddress[f] :
# 221| mu0_49(char[3]) = Uninitialized[f] : &:r0_48
# 221| r0_50(int) = Constant[0] :
# 221| r0_51(glval<char>) = PointerAdd[1] : r0_48, r0_50
# 221| r0_52(char) = Constant[0] :
# 221| mu0_53(char) = Store : &:r0_51, r0_52
# 221| r0_54(int) = Constant[1] :
# 221| r0_55(glval<char>) = PointerAdd[1] : r0_48, r0_54
# 221| r0_56(unknown[2]) = Constant[0] :
# 221| mu0_57(unknown[2]) = Store : &:r0_55, r0_56
# 222| v0_58(void) = NoOp :
# 213| v0_59(void) = ReturnVoid :
# 213| v0_60(void) = UnmodeledUse : mu*
# 213| v0_61(void) = AliasedUse : ~mu0_2
# 213| v0_62(void) = ExitFunction :
# 216| void Constructible::g()
# 216| Block 0
# 216| v0_0(void) = EnterFunction :
# 216| mu0_1(unknown) = AliasedDefinition :
# 216| mu0_2(unknown) = UnmodeledDefinition :
# 216| r0_3(glval<Constructible>) = InitializeThis :
# 216| v0_4(void) = NoOp :
# 216| v0_5(void) = ReturnVoid :
# 216| v0_6(void) = UnmodeledUse : mu*
# 216| v0_7(void) = AliasedUse : ~mu0_2
# 216| v0_8(void) = ExitFunction :
# 226| void Constructible::Constructible(int)
# 226| Block 0
# 226| v0_0(void) = EnterFunction :
# 226| mu0_1(unknown) = AliasedDefinition :
# 226| mu0_2(unknown) = UnmodeledDefinition :
# 226| r0_3(glval<Constructible>) = InitializeThis :
# 226| r0_4(glval<int>) = VariableAddress[x] :
# 226| m0_5(int) = InitializeParameter[x] : &:r0_4
# 226| v0_6(void) = NoOp :
# 226| v0_7(void) = ReturnVoid :
# 226| v0_8(void) = UnmodeledUse : mu*
# 226| v0_9(void) = AliasedUse : ~mu0_2
# 226| v0_10(void) = ExitFunction :
# 219| void ExplicitConstructorCalls()
# 219| Block 0
# 219| v0_0(void) = EnterFunction :
# 219| mu0_1(unknown) = AliasedDefinition :
# 219| mu0_2(unknown) = UnmodeledDefinition :
# 220| r0_3(glval<Constructible>) = VariableAddress[c] :
# 220| mu0_4(Constructible) = Uninitialized[c] : &:r0_3
# 220| r0_5(glval<unknown>) = FunctionAddress[Constructible] :
# 220| r0_6(int) = Constant[1] :
# 220| v0_7(void) = Call : func:r0_5, this:r0_3, 0:r0_6
# 220| mu0_8(unknown) = ^CallSideEffect : ~mu0_2
# 220| mu0_9(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_3
# 221| r0_10(glval<Constructible>) = VariableAddress[c] :
# 221| r0_11(glval<unknown>) = FunctionAddress[g] :
# 221| v0_12(void) = Call : func:r0_11, this:r0_10
# 221| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
# 221| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_10, ~mu0_2
# 221| mu0_15(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_10
# 222| r0_16(glval<Constructible>) = VariableAddress[c] :
# 222| r0_17(glval<unknown>) = FunctionAddress[g] :
# 222| v0_18(void) = Call : func:r0_17, this:r0_16
# 222| mu0_19(unknown) = ^CallSideEffect : ~mu0_2
# 222| v0_20(void) = ^BufferReadSideEffect[-1] : &:r0_16, ~mu0_2
# 222| mu0_21(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_16
# 223| r0_22(glval<Constructible>) = VariableAddress[c2] :
# 223| mu0_23(Constructible) = Uninitialized[c2] : &:r0_22
# 223| r0_24(glval<unknown>) = FunctionAddress[Constructible] :
# 223| r0_25(int) = Constant[2] :
# 223| v0_26(void) = Call : func:r0_24, this:r0_22, 0:r0_25
# 223| mu0_27(unknown) = ^CallSideEffect : ~mu0_2
# 223| mu0_28(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_22
# 224| r0_29(glval<Constructible>) = VariableAddress[c2] :
# 224| r0_30(glval<unknown>) = FunctionAddress[g] :
# 224| v0_31(void) = Call : func:r0_30, this:r0_29
# 224| mu0_32(unknown) = ^CallSideEffect : ~mu0_2
# 224| v0_33(void) = ^BufferReadSideEffect[-1] : &:r0_29, ~mu0_2
# 224| mu0_34(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_29
# 225| v0_35(void) = NoOp :
# 219| v0_36(void) = ReturnVoid :
# 219| v0_37(void) = UnmodeledUse : mu*
# 219| v0_38(void) = AliasedUse : ~mu0_2
# 219| v0_39(void) = ExitFunction :
# 227| void Constructible::g()
# 227| Block 0
# 227| v0_0(void) = EnterFunction :
# 227| mu0_1(unknown) = AliasedDefinition :
# 227| mu0_2(unknown) = UnmodeledDefinition :
# 227| r0_3(glval<Constructible>) = InitializeThis :
# 227| v0_4(void) = NoOp :
# 227| v0_5(void) = ReturnVoid :
# 227| v0_6(void) = UnmodeledUse : mu*
# 227| v0_7(void) = AliasedUse : ~mu0_2
# 227| v0_8(void) = ExitFunction :
# 230| void ExplicitConstructorCalls()
# 230| Block 0
# 230| v0_0(void) = EnterFunction :
# 230| mu0_1(unknown) = AliasedDefinition :
# 230| mu0_2(unknown) = UnmodeledDefinition :
# 231| r0_3(glval<Constructible>) = VariableAddress[c] :
# 231| mu0_4(Constructible) = Uninitialized[c] : &:r0_3
# 231| r0_5(glval<unknown>) = FunctionAddress[Constructible] :
# 231| r0_6(int) = Constant[1] :
# 231| v0_7(void) = Call : func:r0_5, this:r0_3, 0:r0_6
# 231| mu0_8(unknown) = ^CallSideEffect : ~mu0_2
# 231| mu0_9(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_3
# 232| r0_10(glval<Constructible>) = VariableAddress[c] :
# 232| r0_11(glval<unknown>) = FunctionAddress[g] :
# 232| v0_12(void) = Call : func:r0_11, this:r0_10
# 232| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
# 232| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_10, ~mu0_2
# 232| mu0_15(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_10
# 233| r0_16(glval<Constructible>) = VariableAddress[c] :
# 233| r0_17(glval<unknown>) = FunctionAddress[g] :
# 233| v0_18(void) = Call : func:r0_17, this:r0_16
# 233| mu0_19(unknown) = ^CallSideEffect : ~mu0_2
# 233| v0_20(void) = ^BufferReadSideEffect[-1] : &:r0_16, ~mu0_2
# 233| mu0_21(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_16
# 234| r0_22(glval<Constructible>) = VariableAddress[c2] :
# 234| mu0_23(Constructible) = Uninitialized[c2] : &:r0_22
# 234| r0_24(glval<unknown>) = FunctionAddress[Constructible] :
# 234| r0_25(int) = Constant[2] :
# 234| v0_26(void) = Call : func:r0_24, this:r0_22, 0:r0_25
# 234| mu0_27(unknown) = ^CallSideEffect : ~mu0_2
# 234| mu0_28(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_22
# 235| r0_29(glval<Constructible>) = VariableAddress[c2] :
# 235| r0_30(glval<unknown>) = FunctionAddress[g] :
# 235| v0_31(void) = Call : func:r0_30, this:r0_29
# 235| mu0_32(unknown) = ^CallSideEffect : ~mu0_2
# 235| v0_33(void) = ^BufferReadSideEffect[-1] : &:r0_29, ~mu0_2
# 235| mu0_34(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_29
# 236| v0_35(void) = NoOp :
# 230| v0_36(void) = ReturnVoid :
# 230| v0_37(void) = UnmodeledUse : mu*
# 230| v0_38(void) = AliasedUse : ~mu0_2
# 230| v0_39(void) = ExitFunction :

6
docs/language/global-sphinx-files/_templates/layout.html
View File

@@ -62,8 +62,8 @@
<div class="linkcontainer">
<div class="linkbar">
<a href="https://help.semmle.com/QL/learn-ql/" target="_blank">Learn CodeQL</a>
<a href="https://help.semmle.com/QL/learn-ql/ql-training.html" target="_blank">QL for variant analysis</a>
<a href="https://help.semmle.com/QL/ql-tools.html" target="_blank">QL tools</a>
<a href="https://help.semmle.com/QL/learn-ql/ql-training.html" target="_blank">Variant analysis</a>
<a href="https://help.semmle.com/QL/ql-tools.html" target="_blank">Tools</a>
<a href="https://help.semmle.com/QL/ql-explore-queries.html" target="_blank">Queries</a>
<a href="https://help.semmle.com/QL/ql-reference-topics.html" target="_blank">Reference</a>
<a href="https://blog.semmle.com" target="_blank">Blog</a>
@@ -79,7 +79,7 @@
<div class="wrapper">
<div class="navBox" >
<p>Start writing QL in the <a href="https://lgtm.com/query">Query console</a> on <a href="https://lgtm.com">LGTM.com</a>.</p>
<p>Start writing queries in the <a href="https://lgtm.com/query">Query console</a> on <a href="https://lgtm.com">LGTM.com</a>.</p>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>

31
javascript/extractor/src/com/semmle/js/extractor/FileExtractor.java
View File

@@ -1,5 +1,16 @@
package com.semmle.js.extractor;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;
import com.semmle.js.extractor.ExtractionMetrics.ExtractionPhase;
import com.semmle.js.extractor.trapcache.CachingTrapWriter;
import com.semmle.js.extractor.trapcache.ITrapCache;
@@ -10,15 +21,6 @@ import com.semmle.util.files.FileUtil;
import com.semmle.util.io.WholeIO;
import com.semmle.util.trap.TrapWriter;
import com.semmle.util.trap.TrapWriter.Label;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.Charset;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;
/**
* The file extractor extracts a single file and handles source archive population and TRAP caching;
@@ -154,6 +156,9 @@ public class FileExtractor {
byte[] bytes = new byte[fileHeaderSize];
int length = fis.read(bytes);
if (length == -1)
return false;
// Avoid invalid or unprintable UTF-8 files.
if (config.getDefaultEncoding().equals("UTF-8") && hasUnprintableUtf8(bytes, length)) {
return true;
@@ -167,6 +172,9 @@ public class FileExtractor {
return true;
}
// Avoid Touchstone files
if (isTouchstone(bytes, length)) return true;
return false;
} catch (IOException e) {
Exceptions.ignore(e, "Let extractor handle this one.");
@@ -198,6 +206,11 @@ public class FileExtractor {
return false;
}
private boolean isTouchstone(byte[] bytes, int length) {
String s = new String(bytes, 0, length, StandardCharsets.US_ASCII);
return s.startsWith("! TOUCHSTONE file ") || s.startsWith("[Version] 2.0");
}
/**
* Returns true if the byte sequence contains invalid UTF-8 or unprintable ASCII characters.
*/

2
javascript/extractor/tests/ts/input/touchstone-file.ts Normal file
View File

@@ -0,0 +1,2 @@
! TOUCHSTONE file generated by me
[Version] 2.0

1
javascript/extractor/tests/ts/input/touchstone-file2.ts Normal file
View File

@@ -0,0 +1 @@
[Version] 2.0

1
javascript/ql/src/javascript.qll
View File

@@ -28,6 +28,7 @@ import semmle.javascript.Functions
import semmle.javascript.GlobalAccessPaths
import semmle.javascript.HTML
import semmle.javascript.HtmlSanitizers
import semmle.javascript.InclusionTests
import semmle.javascript.JSDoc
import semmle.javascript.JSON
import semmle.javascript.JsonParsers

2
javascript/ql/src/semmle/javascript/AST.qll
View File

@@ -150,7 +150,7 @@ class TopLevel extends @toplevel, StmtContainer {
/** Holds if this toplevel is minified. */
predicate isMinified() {
// file name contains 'min' (not as part of a longer word)
getFile().getBaseName().regexpMatch(".*[^-.]*[-.]min([-.].*)?\\.\\w+")
getFile().getBaseName().regexpMatch(".*[^-._]*[-._]min([-._].*)?\\.\\w+")
or
exists(int numstmt | numstmt = strictcount(Stmt s | s.getTopLevel() = this) |
// there are more than two statements per line on average

173
javascript/ql/src/semmle/javascript/InclusionTests.qll Normal file
View File

@@ -0,0 +1,173 @@
/**
* Contains classes for recognizing array and string inclusion tests.
*/
private import javascript
/**
* A expression that checks if an element is contained in an array
* or is a substring of another string.
*
* Examples:
* ```
* A.includes(B)
* A.indexOf(B) !== -1
* A.indexOf(B) >= 0
* ~A.indexOf(B)
* ```
*/
class InclusionTest extends DataFlow::Node {
InclusionTest::Range range;
InclusionTest() { this = range }
/** Gets the `A` in `A.includes(B)`. */
DataFlow::Node getContainerNode() { result = range.getContainerNode() }
/** Gets the `B` in `A.includes(B)`. */
DataFlow::Node getContainedNode() { result = range.getContainedNode() }
/**
* Gets the polarity of the check.
*
* If the polarity is `false` the check returns `true` if the container does not contain
* the given element.
*/
boolean getPolarity() { result = range.getPolarity() }
}
module InclusionTest {
/**
* A expression that is equivalent to `A.includes(B)` or `!A.includes(B)`.
*
* Note that this also includes calls to the array method named `includes`.
*/
abstract class Range extends DataFlow::Node {
/** Gets the `A` in `A.includes(B)`. */
abstract DataFlow::Node getContainerNode();
/** Gets the `B` in `A.includes(B)`. */
abstract DataFlow::Node getContainedNode();
/**
* Gets the polarity of the check.
*
* If the polarity is `false` the check returns `true` if the container does not contain
* the given element.
*/
boolean getPolarity() { result = true }
}
/**
* A call to a method named `includes`, assumed to refer to `String.prototype.includes`
* or `Array.prototype.includes`.
*/
private class Includes_Native extends Range, DataFlow::MethodCallNode {
Includes_Native() {
getMethodName() = "includes" and
getNumArgument() = 1
}
override DataFlow::Node getContainerNode() { result = getReceiver() }
override DataFlow::Node getContainedNode() { result = getArgument(0) }
}
/**
* A call to `_.includes` or similar, assumed to operate on strings.
*/
private class Includes_Library extends Range, DataFlow::CallNode {
Includes_Library() {
exists(string name |
this = LodashUnderscore::member(name).getACall() and
(name = "includes" or name = "include" or name = "contains")
or
this = Closure::moduleImport("goog.string." + name).getACall() and
(name = "contains" or name = "caseInsensitiveContains")
)
}
override DataFlow::Node getContainerNode() { result = getArgument(0) }
override DataFlow::Node getContainedNode() { result = getArgument(1) }
}
/**
* A check of form `A.indexOf(B) !== -1` or similar.
*/
private class Includes_IndexOfEquals extends Range, DataFlow::ValueNode {
MethodCallExpr indexOf;
override EqualityTest astNode;
Includes_IndexOfEquals() {
exists(Expr index | astNode.hasOperands(indexOf, index) |
// one operand is of the form `whitelist.indexOf(x)`
indexOf.getMethodName() = "indexOf" and
// and the other one is -1
index.getIntValue() = -1
)
}
override DataFlow::Node getContainerNode() { result = indexOf.getReceiver().flow() }
override DataFlow::Node getContainedNode() { result = indexOf.getArgument(0).flow() }
override boolean getPolarity() { result = astNode.getPolarity().booleanNot() }
}
/**
* A check of form `A.indexOf(B) >= 0` or similar.
*/
private class Includes_IndexOfRelational extends Range, DataFlow::ValueNode {
MethodCallExpr indexOf;
override RelationalComparison astNode;
boolean polarity;
Includes_IndexOfRelational() {
exists(Expr lesser, Expr greater |
astNode.getLesserOperand() = lesser and
astNode.getGreaterOperand() = greater and
indexOf.getMethodName() = "indexOf" and
indexOf.getNumArgument() = 1
|
polarity = true and
greater = indexOf and
(
lesser.getIntValue() = 0 and astNode.isInclusive()
or
lesser.getIntValue() = -1 and not astNode.isInclusive()
)
or
polarity = false and
lesser = indexOf and
(
greater.getIntValue() = -1 and astNode.isInclusive()
or
greater.getIntValue() = 0 and not astNode.isInclusive()
)
)
}
override DataFlow::Node getContainerNode() { result = indexOf.getReceiver().flow() }
override DataFlow::Node getContainedNode() { result = indexOf.getArgument(0).flow() }
override boolean getPolarity() { result = polarity }
}
/**
* An expression of form `~A.indexOf(B)` which, when coerced to a boolean, is equivalent to `A.includes(B)`.
*/
private class Includes_IndexOfBitwise extends Range, DataFlow::ValueNode {
MethodCallExpr indexOf;
override BitNotExpr astNode;
Includes_IndexOfBitwise() {
astNode.getOperand() = indexOf and
indexOf.getMethodName() = "indexOf"
}
override DataFlow::Node getContainerNode() { result = indexOf.getReceiver().flow() }
override DataFlow::Node getContainedNode() { result = indexOf.getArgument(0).flow() }
}
}

157
javascript/ql/src/semmle/javascript/StringOps.qll
View File

@@ -185,162 +185,15 @@ module StringOps {
/**
* A expression that is equivalent to `A.includes(B)` or `!A.includes(B)`.
*
* Note that this also includes calls to the array method named `includes`.
* Note that this class is equivalent to `InclusionTest`, which also matches
* inclusion tests on array objects.
*/
class Includes extends DataFlow::Node {
Includes::Range range;
Includes() { this = range }
class Includes extends InclusionTest {
/** Gets the `A` in `A.includes(B)`. */
DataFlow::Node getBaseString() { result = range.getBaseString() }
DataFlow::Node getBaseString() { result = getContainerNode() }
/** Gets the `B` in `A.includes(B)`. */
DataFlow::Node getSubstring() { result = range.getSubstring() }
/**
* Gets the polarity of the check.
*
* If the polarity is `false` the check returns `true` if the string does not contain
* the given substring.
*/
boolean getPolarity() { result = range.getPolarity() }
}
module Includes {
/**
* A expression that is equivalent to `A.includes(B)` or `!A.includes(B)`.
*
* Note that this also includes calls to the array method named `includes`.
*/
abstract class Range extends DataFlow::Node {
/** Gets the `A` in `A.includes(B)`. */
abstract DataFlow::Node getBaseString();
/** Gets the `B` in `A.includes(B)`. */
abstract DataFlow::Node getSubstring();
/**
* Gets the polarity of the check.
*
* If the polarity is `false` the check returns `true` if the string does not contain
* the given substring.
*/
boolean getPolarity() { result = true }
}
/**
* A call to a method named `includes`, assumed to refer to `String.prototype.includes`.
*/
private class Includes_Native extends Range, DataFlow::MethodCallNode {
Includes_Native() {
getMethodName() = "includes" and
getNumArgument() = 1
}
override DataFlow::Node getBaseString() { result = getReceiver() }
override DataFlow::Node getSubstring() { result = getArgument(0) }
}
/**
* A call to `_.includes` or similar, assumed to operate on strings.
*/
private class Includes_Library extends Range, DataFlow::CallNode {
Includes_Library() {
exists(string name |
this = LodashUnderscore::member(name).getACall() and
(name = "includes" or name = "include" or name = "contains")
or
this = Closure::moduleImport("goog.string." + name).getACall() and
(name = "contains" or name = "caseInsensitiveContains")
)
}
override DataFlow::Node getBaseString() { result = getArgument(0) }
override DataFlow::Node getSubstring() { result = getArgument(1) }
}
/**
* A check of form `A.indexOf(B) !== -1` or similar.
*/
private class Includes_IndexOfEquals extends Range, DataFlow::ValueNode {
MethodCallExpr indexOf;
override EqualityTest astNode;
Includes_IndexOfEquals() {
exists(Expr index | astNode.hasOperands(indexOf, index) |
// one operand is of the form `whitelist.indexOf(x)`
indexOf.getMethodName() = "indexOf" and
// and the other one is -1
index.getIntValue() = -1
)
}
override DataFlow::Node getBaseString() { result = indexOf.getReceiver().flow() }
override DataFlow::Node getSubstring() { result = indexOf.getArgument(0).flow() }
override boolean getPolarity() { result = astNode.getPolarity().booleanNot() }
}
/**
* A check of form `A.indexOf(B) >= 0` or similar.
*/
private class Includes_IndexOfRelational extends Range, DataFlow::ValueNode {
MethodCallExpr indexOf;
override RelationalComparison astNode;
boolean polarity;
Includes_IndexOfRelational() {
exists(Expr lesser, Expr greater |
astNode.getLesserOperand() = lesser and
astNode.getGreaterOperand() = greater and
indexOf.getMethodName() = "indexOf" and
indexOf.getNumArgument() = 1
|
polarity = true and
greater = indexOf and
(
lesser.getIntValue() = 0 and astNode.isInclusive()
or
lesser.getIntValue() = -1 and not astNode.isInclusive()
)
or
polarity = false and
lesser = indexOf and
(
greater.getIntValue() = -1 and astNode.isInclusive()
or
greater.getIntValue() = 0 and not astNode.isInclusive()
)
)
}
override DataFlow::Node getBaseString() { result = indexOf.getReceiver().flow() }
override DataFlow::Node getSubstring() { result = indexOf.getArgument(0).flow() }
override boolean getPolarity() { result = polarity }
}
/**
* An expression of form `~A.indexOf(B)` which, when coerced to a boolean, is equivalent to `A.includes(B)`.
*/
private class Includes_IndexOfBitwise extends Range, DataFlow::ValueNode {
MethodCallExpr indexOf;
override BitNotExpr astNode;
Includes_IndexOfBitwise() {
astNode.getOperand() = indexOf and
indexOf.getMethodName() = "indexOf"
}
override DataFlow::Node getBaseString() { result = indexOf.getReceiver().flow() }
override DataFlow::Node getSubstring() { result = indexOf.getArgument(0).flow() }
}
DataFlow::Node getSubstring() { result = getContainedNode() }
}
/**

15
javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
View File

@@ -781,15 +781,18 @@ module TaintTracking {
override predicate appliesTo(Configuration cfg) { any() }
}
/** A check of the form `whitelist.includes(x)` or equivalent, which sanitizes `x` in its "then" branch. */
class StringInclusionSanitizer extends AdditionalSanitizerGuardNode {
StringOps::Includes includes;
/** DEPRECATED. This class has been renamed to `InclusionSanitizer`. */
deprecated class StringInclusionSanitizer = InclusionSanitizer;
StringInclusionSanitizer() { this = includes }
/** A check of the form `whitelist.includes(x)` or equivalent, which sanitizes `x` in its "then" branch. */
class InclusionSanitizer extends AdditionalSanitizerGuardNode {
InclusionTest inclusion;
InclusionSanitizer() { this = inclusion }
override predicate sanitizes(boolean outcome, Expr e) {
outcome = includes.getPolarity() and
e = includes.getSubstring().asExpr()
outcome = inclusion.getPolarity() and
e = inclusion.getContainedNode().asExpr()
}
override predicate appliesTo(Configuration cfg) { any() }

3
javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.expected
View File

@@ -39,8 +39,11 @@
| textmate.html:0:0:0:0 | textmate.html | generated |
| tmpl2.html:0:0:0:0 | tmpl2.html | template |
| tmpl.html:0:0:0:0 | tmpl.html | template |
| tst-min.js:0:0:0:0 | tst-min.js | generated |
| tst.browserify.js:0:0:0:0 | tst.browserify.js | generated |
| tst.dart.js:0:0:0:0 | tst.dart.js | generated |
| tst.min.js:0:0:0:0 | tst.min.js | generated |
| tst_min.js:0:0:0:0 | tst_min.js | generated |
| twitter-text.js:0:0:0:0 | twitter-text.js | library |
| twitter_text.js:0:0:0:0 | twitter_text.js | library |
| unannotated-externs-1.js:0:0:0:0 | unannotated-externs-1.js | externs |

0
javascript/ql/test/query-tests/filters/ClassifyFiles/tst-min.js vendored Normal file
View File

0
javascript/ql/test/query-tests/filters/ClassifyFiles/tst.min.js vendored Normal file
View File

0
javascript/ql/test/query-tests/filters/ClassifyFiles/tst_min.js Normal file
View File

8
python/ql/test/2/library-tests/classes/attr/list_attr.expected
View File

@@ -1,9 +1,12 @@
| builtin-class list | __add__ | Builtin-method __add__ |
| builtin-class list | __class__ | Property __class__ |
| builtin-class list | __contains__ | Builtin-method __contains__ |
| builtin-class list | __delattr__ | Builtin-method __delattr__ |
| builtin-class list | __delitem__ | Builtin-method __delitem__ |
| builtin-class list | __delslice__ | Builtin-method __delslice__ |
| builtin-class list | __doc__ | str b'list() -> new empty list\nlist(iterable) -> new list initialized from iterable's items' |
| builtin-class list | __eq__ | Builtin-method __eq__ |
| builtin-class list | __format__ | Builtin-method __format__ |
| builtin-class list | __ge__ | Builtin-method __ge__ |
| builtin-class list | __getattribute__ | Builtin-method __getattribute__ |
| builtin-class list | __getitem__ | Builtin-method __getitem__ |
@@ -20,12 +23,17 @@
| builtin-class list | __mul__ | Builtin-method __mul__ |
| builtin-class list | __ne__ | Builtin-method __ne__ |
| builtin-class list | __new__ | builtin_function_or_method __new__ |
| builtin-class list | __reduce__ | Builtin-method __reduce__ |
| builtin-class list | __reduce_ex__ | Builtin-method __reduce_ex__ |
| builtin-class list | __repr__ | Builtin-method __repr__ |
| builtin-class list | __reversed__ | Builtin-method __reversed__ |
| builtin-class list | __rmul__ | Builtin-method __rmul__ |
| builtin-class list | __setattr__ | Builtin-method __setattr__ |
| builtin-class list | __setitem__ | Builtin-method __setitem__ |
| builtin-class list | __setslice__ | Builtin-method __setslice__ |
| builtin-class list | __sizeof__ | Builtin-method __sizeof__ |
| builtin-class list | __str__ | Builtin-method __str__ |
| builtin-class list | __subclasshook__ | classmethod_descriptor __subclasshook__ |
| builtin-class list | append | Builtin-method append |
| builtin-class list | count | Builtin-method count |
| builtin-class list | extend | Builtin-method extend |

1
python/ql/test/2/library-tests/classes/mro/C3.expected
View File

@@ -3,7 +3,6 @@
| class C | [C, BaseException, object] |
| class D | [D, X, object] |
| class Meta | [Meta, type, object] |
| class N | [N, object, O] |
| class NewStyle | [NewStyle, object] |
| class NewStyleDerived | [NewStyleDerived, NewStyle, object] |
| class O | [O] |

2
python/ql/test/2/library-tests/classes/mro/mro.expected
View File

@@ -8,8 +8,6 @@
| class D | class X | builtin-class object |
| class Meta | builtin-class type | builtin-class object |
| class Meta | class Meta | builtin-class type |
| class N | builtin-class object | class O |
| class N | class N | builtin-class object |
| class NewStyle | class NewStyle | builtin-class object |
| class NewStyleDerived | class NewStyle | builtin-class object |
| class NewStyleDerived | class NewStyleDerived | class NewStyle |

11
python/ql/test/2/library-tests/six/test.expected
View File

@@ -1,5 +1,6 @@
| Module six | BytesIO | class StringIO |
| Module six | Iterator | class Iterator |
| Module six | MAXSIZE | int() |
| Module six | PY2 | bool True |
| Module six | PY3 | bool False |
| Module six | StringIO | class StringIO |
@@ -45,14 +46,6 @@
| Module six | iterlists | Function iterlists |
| Module six | itervalues | Function itervalues |
| Module six | moves | Module six.moves |
| Module six | moves.__init__ | Module six.moves.__init__ |
| Module six | moves.urllib | Module six.moves.urllib |
| Module six | moves.urllib.__init__ | Module six.moves.urllib.__init__ |
| Module six | moves.urllib_error | Module six.moves.urllib_error |
| Module six | moves.urllib_parse | Module six.moves.urllib_parse |
| Module six | moves.urllib_request | Module six.moves.urllib_request |
| Module six | moves.urllib_response | Module six.moves.urllib_response |
| Module six | moves.urllib_robotparser | Module six.moves.urllib_robotparser |
| Module six | next | Builtin-function next |
| Module six | operator | Module operator |
| Module six | print_ | Function print_ |
@@ -67,6 +60,7 @@
| Module six | with_metaclass | Function with_metaclass |
| Module six.__init__ | BytesIO | class StringIO |
| Module six.__init__ | Iterator | class Iterator |
| Module six.__init__ | MAXSIZE | int() |
| Module six.__init__ | PY2 | bool True |
| Module six.__init__ | PY3 | bool False |
| Module six.__init__ | StringIO | class StringIO |
@@ -174,7 +168,6 @@
| Module six.moves | tkinter_tksimpledialog | Module tkSimpleDialog |
| Module six.moves | tkinter_ttk | Module ttk |
| Module six.moves | urllib | Module six.moves.urllib |
| Module six.moves | urllib.__init__ | Module six.moves.urllib.__init__ |
| Module six.moves | urllib_error | Module six.moves.urllib_error |
| Module six.moves | urllib_parse | Module six.moves.urllib_parse |
| Module six.moves | urllib_request | Module six.moves.urllib_request |

2
python/ql/test/2/library-tests/types/classes/mro_test.expected
View File

@@ -1,3 +1,5 @@
| class A | [A, ??, object] |
| class J | [J, ??, object] |
| class MyDict | [MyDict, dict, object] |
| class MyList | [MyList, list, object] |
| class O1 | [O1] |

4
python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrHash.expected
View File

@@ -1,2 +1,2 @@
| equals_hash.py:8:5:8:28 | Function __eq__ | Class $@ implements __eq__ but does not define __hash__. | equals_hash.py:3:1:3:17 | class Eq | Eq |
| equals_hash.py:24:5:24:23 | Function __hash__ | Class $@ implements __hash__ but does not define __eq__ or __cmp__. | equals_hash.py:19:1:19:19 | class Hash | Hash |
| equals_hash.py:8:5:8:28 | Function Eq.__eq__ | Class $@ implements __eq__ but does not define __hash__. | equals_hash.py:3:1:3:17 | class Eq | Eq |
| equals_hash.py:24:5:24:23 | Function Hash.__hash__ | Class $@ implements __hash__ but does not define __eq__ or __cmp__. | equals_hash.py:19:1:19:19 | class Hash | Hash |

4
python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrNotEquals.expected
View File

@@ -1,2 +1,2 @@
| equals_hash.py:8:5:8:28 | Function __eq__ | Class $@ implements __eq__ but does not implement __ne__. | equals_hash.py:3:1:3:17 | class Eq | Eq |
| equals_hash.py:16:5:16:28 | Function __ne__ | Class $@ implements __ne__ but does not implement __eq__. | equals_hash.py:11:1:11:17 | class Ne | Ne |
| equals_hash.py:8:5:8:28 | Function Eq.__eq__ | Class $@ implements __eq__ but does not implement __ne__. | equals_hash.py:3:1:3:17 | class Eq | Eq |
| equals_hash.py:16:5:16:28 | Function Ne.__ne__ | Class $@ implements __ne__ but does not implement __eq__. | equals_hash.py:11:1:11:17 | class Ne | Ne |