Merge remote-tracking branch 'origin/main' into smowton/admin/merge-rc317-into-main

cpp/ql/src/JPL_C/LOC-3/Rule 17/BasicIntTypes.ql

@@ -12,7 +12,11 @@
 import cpp
 
 predicate allowedTypedefs(TypedefType t) {
-  t.getName() = ["I64", "U64", "I32", "U32", "I16", "U16", "I8", "U8", "F64", "F32"]
+  t.getName() =
+    [
+      "I64", "U64", "I32", "U32", "I16", "U16", "I8", "U8", "F64", "F32", "int64_t", "uint64_t",
+      "int32_t", "uint32_t", "int16_t", "uint16_t", "int8_t", "uint8_t"
+    ]
 }
 
 /**
@@ -46,6 +50,8 @@ from Declaration d, Type usedType
 where
   usedType = getAUsedType*(getAnImmediateUsedType(d)) and
   problematic(usedType) and
+  // Allow uses of boolean types where defined by the language.
+  not usedType instanceof BoolType and
   // Ignore violations for which we do not have a valid location.
   not d.getLocation() instanceof UnknownLocation
 select d,

cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql

@@ -208,8 +208,7 @@ class LoopWithAlloca extends Stmt {
       this.conditionRequiresInequality(va, _, _) and
       DataFlow::localFlow(result, DataFlow::exprNode(va)) and
       // Phi nodes will be preceded by nodes that represent actual definitions
-      not result instanceof DataFlow::SsaPhiNode and
-      not result instanceof DataFlow::SsaPhiInputNode and
+      not result instanceof DataFlow::SsaSynthNode and
       // A source is outside the loop if it's not inside the loop
       not exists(Expr e | e = getExpr(result) | this = getAnEnclosingLoopOfExpr(e))
     )

cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Include file resolution status
+ * @description Counts unresolved and resolved #includes.
+ *              This query is for internal use only and may change without notice.
+ * @kind table
+ * @id cpp/include-resolution-status
+ */
+
+import cpp
+
+/**
+ * A cannot open file error.
+ *
+ * Typically this is due to a missing include.
+ */
+class CannotOpenFileError extends CompilerError {
+  CannotOpenFileError() { this.hasTag(["cannot_open_file", "cannot_open_file_reason"]) }
+}
+
+select count(CannotOpenFileError e) as failed_includes, count(Include i) as successful_includes

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -37,7 +37,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
     or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+    node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
 }
 

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -37,7 +37,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
     or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+    node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
 }
 

cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql

@@ -212,9 +212,7 @@ module StringSizeConfig implements ProductFlow::StateConfigSig {
     )
   }
 
-  predicate isBarrierOut2(DataFlow::Node node) {
-    node = any(DataFlow::SsaPhiNode phi).getAnInput(true)
-  }
+  predicate isBarrierOut2(DataFlow::Node node) { DataFlow::flowsToBackEdge(node) }
 
   predicate isAdditionalFlowStep2(
     DataFlow::Node node1, FlowState2 state1, DataFlow::Node node2, FlowState2 state2

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql

@@ -42,7 +42,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and isArithmeticNonCharType(node.asExpr().getUnspecifiedType())
     or
-    isArithmeticNonCharType(node.asInstruction().(StoreInstruction).getResultType())
+    isArithmeticNonCharType(node.asCertainDefinition().getUnspecifiedType())
   }
 }
 

cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql

@@ -37,7 +37,7 @@ private module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
     or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+    node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
     or
     mayAddNullTerminator(_, node.asIndirectExpr())
   }

cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -75,9 +75,11 @@ module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(StoreInstruction store | store = node.asInstruction() |
+    exists(StoreInstruction store, Expr e |
+      store = node.asInstruction() and e = node.asCertainDefinition()
+    |
       // Block flow to "likely small expressions"
-      bounded(store.getSourceValue().getUnconvertedResultExpression())
+      bounded(e)
       or
       // Block flow to "small types"
       store.getResultType().getUnspecifiedType().(IntegralType).getSize() <= 1

cpp/ql/src/change-notes/2025-03-11-basic-int-types.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query "Use of basic integral type" (`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (`int8_t`, `uint8_t`, etc.), and the `_Bool` and `bool` types.

cpp/ql/src/change-notes/2025-03-14-mad-atl-fix.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed a bug in the models for Microsoft's Active Template Library (ATL).