Merge branch 'main' into more-public-dataflow-apis

2026-04-28 10:15:14 +02:00 · 2026-03-23 13:43:01 +00:00
parent fef314e27f 0d0d34cc71
commit b5723bd75d
862 changed files with 4636 additions and 4263 deletions
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 8.0.1
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+
 ## 8.0.0

 ### Breaking Changes
--- a/cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md
+++ b/cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a new data flow node, `IndirectUninitializedNode`, that represents uninitialized local variables behind a number of indirections.
--- a/cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 8.0.1
+
+### Minor Analysis Improvements
+
 * Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.0.0
+lastReleaseVersion: 8.0.1
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 8.0.1-dev
+version: 8.0.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -524,6 +524,12 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
      not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
    )
  }
+
+  /**
+   * Holds if this function has an ambiguous return type, meaning that zero or multiple return
+   * types for this function are present in the database (this can occur in `build-mode: none`).
+   */
+  predicate hasAmbiguousReturnType() { count(this.getType()) != 1 }
 }

 pragma[noinline]
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
@@ -623,6 +623,25 @@ module Public {
     */
    LocalVariable asUninitialized() { result = this.(UninitializedNode).getLocalVariable() }

+    /**
+     * Gets the uninitialized local variable corresponding to this node behind
+     * `index` number of indirections, if any.
+     */
+    LocalVariable asIndirectUninitialized(int index) {
+      exists(IndirectUninitializedNode indirectUninitializedNode |
+        this = indirectUninitializedNode and
+        indirectUninitializedNode.getIndirectionIndex() = index
+      |
+        result = indirectUninitializedNode.getLocalVariable()
+      )
+    }
+
+    /**
+     * Gets the uninitialized local variable corresponding to this node behind
+     * a number indirections, if any.
+     */
+    LocalVariable asIndirectUninitialized() { result = this.asIndirectUninitialized(_) }
+
    /**
     * Gets the positional parameter corresponding to the node that represents
     * the value of the parameter after `index` number of loads, if any. For
@@ -767,16 +786,13 @@ module Public {
    final override Type getType() { result = this.getPreUpdateNode().getType() }
  }

-  /**
-   * The value of an uninitialized local variable, viewed as a node in a data
-   * flow graph.
-   */
-  class UninitializedNode extends Node {
+  abstract private class AbstractUninitializedNode extends Node {
    LocalVariable v;
+    int indirectionIndex;

-    UninitializedNode() {
+    AbstractUninitializedNode() {
      exists(SsaImpl::Definition def, SsaImpl::SourceVariable sv |
-        def.getIndirectionIndex() = 0 and
+        def.getIndirectionIndex() = indirectionIndex and
        def.getValue().asInstruction() instanceof UninitializedInstruction and
        SsaImpl::defToNode(this, def, sv) and
        v = sv.getBaseVariable().(SsaImpl::BaseIRVariable).getIRVariable().getAst()
@@ -787,6 +803,25 @@ module Public {
    LocalVariable getLocalVariable() { result = v }
  }

+  /**
+   * The value of an uninitialized local variable, viewed as a node in a data
+   * flow graph.
+   */
+  class UninitializedNode extends AbstractUninitializedNode {
+    UninitializedNode() { indirectionIndex = 0 }
+  }
+
+  /**
+   * The value of an uninitialized local variable behind one or more levels of
+   * indirection, viewed as a node in a data flow graph.
+   */
+  class IndirectUninitializedNode extends AbstractUninitializedNode {
+    IndirectUninitializedNode() { indirectionIndex > 0 }
+
+    /** Gets the indirection index of this node. */
+    int getIndirectionIndex() { result = indirectionIndex }
+  }
+
  /**
   * The value of a parameter at function entry, viewed as a node in a data
   * flow graph. This includes both explicit parameters such as `x` in `f(x)`