Merge branch 'main' into promote-sql-pqxx

cpp/ql/examples/qlpack.lock.yml

@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0

cpp/ql/examples/qlpack.yml

@@ -1,3 +1,4 @@
-name: codeql-cpp-examples
-version: 0.0.0
-libraryPathDependencies: codeql-cpp
+name: codeql/cpp-examples
+version: 0.0.2
+dependencies:
+  codeql/cpp-all: "*"

cpp/ql/lib/qlpack.lock.yml

@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0

cpp/ql/lib/qlpack.yml

@@ -0,0 +1,7 @@
+name: codeql/cpp-all
+version: 0.0.2
+dbscheme: semmlecode.cpp.dbscheme
+extractor: cpp
+library: true
+dependencies:
+  codeql/cpp-upgrades: 0.0.2

cpp/ql/lib/semmle/code/cpp/Element.qll

@@ -58,6 +58,11 @@ class ElementBase extends @element {
   /** DEPRECATED: use `getAPrimaryQlClass` instead. */
   deprecated string getCanonicalQLClass() { result = this.getAPrimaryQlClass() }
 
+  /**
+   * Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
+   */
+  final string getPrimaryQlClasses() { result = concat(getAPrimaryQlClass(), ",") }
+
   /**
    * Gets the name of a primary CodeQL class to which this element belongs.
    *

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -272,20 +272,16 @@ class File extends Container, @file {
    * are compiled by a Microsoft compiler are detected by this predicate.
    */
   predicate compiledAsMicrosoft() {
-    exists(Compilation c |
-      c.getAFileCompiled() = this and
+    exists(File f, Compilation c |
+      c.getAFileCompiled() = f and
       (
         c.getAnArgument() = "--microsoft" or
         c.getAnArgument()
             .toLowerCase()
             .replaceAll("\\", "/")
             .matches(["%/cl.exe", "%/clang-cl.exe"])
-      )
-    )
-    or
-    exists(File parent |
-      parent.compiledAsMicrosoft() and
-      parent.getAnIncludedFile() = this
+      ) and
+      f.getAnIncludedFile*() = this
     )
   }
 
@@ -358,6 +354,11 @@ class File extends Container, @file {
   string getShortName() { files(underlyingElement(this), _, result, _, _) }
 }
 
+/**
+ * Holds if any file was compiled by a Microsoft compiler.
+ */
+predicate anyFileCompiledAsMicrosoft() { any(File f).compiledAsMicrosoft() }
+
 /**
  * A C/C++ header file, as determined (mainly) by file extension.
  *

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -82,9 +82,23 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   /** Holds if this function is inline. */
   predicate isInline() { this.hasSpecifier("inline") }
 
-  /** Holds if this function is virtual. */
+  /**
+   * Holds if this function is virtual.
+   *
+   * Unlike `isDeclaredVirtual()`, `isVirtual()` holds even if the function
+   * is not explicitly declared with the `virtual` specifier.
+   */
   predicate isVirtual() { this.hasSpecifier("virtual") }
 
+  /** Holds if this function is declared with the `virtual` specifier. */
+  predicate isDeclaredVirtual() { this.hasSpecifier("declared_virtual") }
+
+  /** Holds if this function is declared with the `override` specifier. */
+  predicate isOverride() { this.hasSpecifier("override") }
+
+  /** Holds if this function is declared with the `final` specifier. */
+  predicate isFinal() { this.hasSpecifier("final") }
+
   /**
    * Holds if this function is deleted.
    * This may be because it was explicitly deleted with an `= delete`
@@ -137,6 +151,20 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   predicate isNaked() { getAnAttribute().hasName("naked") }
 
+  /**
+   * Holds if this function has a trailing return type.
+   *
+   * Note that this is true whether or not deduction took place. For example,
+   * this holds for both `e` and `f`, but not `g` or `h`:
+   * ```
+   * auto e() -> int { return 0; }
+   * auto f() -> auto { return 0; }
+   * auto g() { return 0; }
+   * int h() { return 0; }
+   * ```
+   */
+  predicate hasTrailingReturnType() { this.hasSpecifier("has_trailing_return_type") }
+
   /** Gets the return type of this function. */
   Type getType() { function_return_type(underlyingElement(this), unresolveElement(result)) }
 

cpp/ql/lib/semmle/code/cpp/Initializer.qll

@@ -18,6 +18,12 @@ import semmle.code.cpp.controlflow.ControlFlowGraph
  *   ...
  * }
  * ```
+ * But _not_ `4` in the following code:
+ * ```
+ * int myUninitializedVariable;
+ * myUninitializedVariable = 4;
+ * ```
+ * Instead, this is an `Assignment`.
  */
 class Initializer extends ControlFlowNode, @initialiser {
   override Location getLocation() { initialisers(underlyingElement(this), _, _, result) }

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -46,7 +46,7 @@ private string escapeString(string s) {
  * string representation comes first in lexicographical order.
  */
 private Location getRepresentativeLocation(Locatable ast) {
-  result = rank[1](Location loc | loc = ast.getLocation() | loc order by loc.toString())
+  result = min(Location loc | loc = ast.getLocation() | loc order by loc.toString())
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -1621,6 +1621,19 @@ class RoutineType extends Type, @routinetype {
    */
   Type getReturnType() { routinetypes(underlyingElement(this), unresolveElement(result)) }
 
+  /**
+   * Holds if this function type has "C" language linkage.
+   *
+   * This includes any function declared in a C source file, or explicitly marked as having "C" linkage:
+   * ```
+   * extern "C" void f();
+   * extern "C" {
+   * void g();
+   * }
+   * ```
+   */
+  predicate hasCLinkage() { this.hasSpecifier("c_linkage") }
+
   override string explain() {
     result =
       "function returning {" + this.getReturnType().explain() + "} with arguments (" +

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -136,6 +136,12 @@ class Variable extends Declaration, @variable {
   /**
    * Gets an assignment expression that assigns to this variable.
    * For example: `x=...` or `x+=...`.
+   *
+   * This does _not_ include the initialization of the variable. Use
+   * `Variable.getInitializer()` to get the variable's initializer,
+   * or use `Variable.getAnAssignedValue()` to get an expression that
+   * is the right-hand side of an assignment or an initialization of
+   * the varible.
    */
   Assignment getAnAssignment() { result.getLValue() = this.getAnAccess() }
 

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -306,7 +306,7 @@ class FormatLiteral extends Literal {
    * Holds if this `FormatLiteral` is in a context that supports
    * Microsoft rules and extensions.
    */
-  predicate isMicrosoft() { any(File f).compiledAsMicrosoft() }
+  predicate isMicrosoft() { anyFileCompiledAsMicrosoft() }
 
   /**
    * Gets the format string, with '%%' and '%@' replaced by '_' (to avoid processing
@@ -869,6 +869,33 @@ class FormatLiteral extends Literal {
     )
   }
 
+  /**
+   * Gets an alternate argument type that would be required by the nth
+   * conversion specifier on a Microsoft or non-Microsoft platform, opposite
+   * to that of the snapshot. This may be useful for answering 'what might
+   * happen' questions.
+   */
+  Type getConversionTypeAlternate(int n) {
+    exists(string len, string conv |
+      this.parseConvSpec(n, _, _, _, _, _, len, conv) and
+      (len != "l" and len != "w" and len != "h") and
+      getUse().getTarget().(FormattingFunction).getFormatCharType().getSize() > 1 and // wide function
+      (
+        conv = "c" and
+        result = getNonDefaultCharType()
+        or
+        conv = "C" and
+        result = getDefaultCharType()
+        or
+        conv = "s" and
+        result.(PointerType).getBaseType() = getNonDefaultCharType()
+        or
+        conv = "S" and
+        result.(PointerType).getBaseType() = getDefaultCharType()
+      )
+    )
+  }
+
   /**
    * Holds if the nth conversion specifier of this format string (if `mode = 2`), it's
    * minimum field width (if `mode = 0`) or it's precision (if `mode = 1`) requires a