hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 19:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into promote-xxe

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2022-04-20 13:42:02 +02:00
parent 517444b5ff 3d109a4051
commit bb6969a175
307 changed files with 6388 additions and 16068 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.bazelrc Normal file
View File

@@ -0,0 +1,3 @@
build --copt="-std=c++17"
try-import %workspace%/local.bazelrc

1
.bazelversion Normal file
View File

@@ -0,0 +1 @@
5.0.0

14
.github/actions/fetch-codeql/action.yml vendored
View File

@@ -3,12 +3,22 @@ description: Fetches the latest version of CodeQL
runs:
using: composite
steps:
- name: Select platform - Linux
if: runner.os == 'Linux'
shell: bash
run: echo "GA_CODEQL_CLI_PLATFORM=linux64" >> $GITHUB_ENV
- name: Select platform - MacOS
if: runner.os == 'MacOS'
shell: bash
run: echo "GA_CODEQL_CLI_PLATFORM=osx64" >> $GITHUB_ENV
- name: Fetch CodeQL
shell: bash
run: |
LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
unzip -q -d "${RUNNER_TEMP}" codeql-linux64.zip
gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-$GA_CODEQL_CLI_PLATFORM.zip "$LATEST"
unzip -q -d "${RUNNER_TEMP}" codeql-$GA_CODEQL_CLI_PLATFORM.zip
echo "${RUNNER_TEMP}/codeql" >> "${GITHUB_PATH}"
env:
GITHUB_TOKEN: ${{ github.token }}

51
.github/workflows/swift-qltest.yml vendored Normal file
View File

@@ -0,0 +1,51 @@
name: "Swift: Run QL Tests"
on:
pull_request:
paths:
- "swift/**"
- .github/workflows/swift-qltest.yml
branches:
- main
defaults:
run:
working-directory: swift
jobs:
qlformat:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: ./.github/actions/fetch-codeql
- name: Check QL formatting
run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
qltest:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os : [ubuntu-20.04, macos-latest]
steps:
- uses: actions/checkout@v2
- uses: ./.github/actions/fetch-codeql
- name: Install bazelisk - Linux
if: runner.os == 'Linux'
run: |
sudo apt-get update
sudo apt-get install -y wget
wget https://github.com/bazelbuild/bazelisk/releases/download/v1.11.0/bazelisk-linux-amd64
mv bazelisk-linux-amd64 /usr/local/bin/bazel
chmod +x /usr/local/bin/bazel
- name: Install bazelisk - macOS
if: runner.os == 'MacOS'
run: |
brew install bazelisk
- name: Build Swift extractor
run: |
bazel run //swift:create-extractor-pack
- name: Run QL tests
run: |
codeql test run --threads=0 --ram 5000 --search-path "${{ github.workspace }}/swift/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition ql/test
env:
GITHUB_TOKEN: ${{ github.token }}

5
.gitignore vendored
View File

@@ -31,5 +31,8 @@ csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
# Compiled class file
*.class
# links create by bazel
# links created by bazel
/bazel-*
# CLion project files
/.clwb

0
BUILD.bazel Normal file
View File

8
CODEOWNERS
View File

@@ -5,14 +5,6 @@
/python/ @github/codeql-python
/ruby/ @github/codeql-ruby
# Make @xcorail (GitHub Security Lab) a code owner for experimental queries so he gets pinged when we promote a query out of experimental
/cpp/**/experimental/**/* @github/codeql-c-analysis @xcorail
/csharp/**/experimental/**/* @github/codeql-csharp @xcorail
/java/**/experimental/**/* @github/codeql-java @xcorail
/javascript/**/experimental/**/* @github/codeql-javascript @xcorail
/python/**/experimental/**/* @github/codeql-python @xcorail
/ruby/**/experimental/**/* @github/codeql-ruby @xcorail
# ML-powered queries
/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers

10
WORKSPACE.bazel
View File

@@ -1,2 +1,12 @@
# Please notice that any bazel targets and definitions in this repository are currently experimental
# and for internal use only.
workspace(name = "codeql")
load("//misc/bazel:workspace.bzl", "codeql_workspace")
codeql_workspace()
load("//misc/bazel:workspace_deps.bzl", "codeql_workspace_deps")
codeql_workspace_deps()

3
config/identical-files.json
View File

@@ -383,7 +383,8 @@
"csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
"java/ql/test/TestUtilities/InlineExpectationsTest.qll",
"python/ql/test/TestUtilities/InlineExpectationsTest.qll",
"ruby/ql/test/TestUtilities/InlineExpectationsTest.qll"
"ruby/ql/test/TestUtilities/InlineExpectationsTest.qll",
"ql/ql/test/TestUtilities/InlineExpectationsTest.qll"
],
"C++ ExternalAPIs": [
"cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",

23
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,26 @@
## 0.0.13
## 0.0.12
### Breaking Changes
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
### Deprecated APIs
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### New Features
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
### Minor Analysis Improvements
* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
## 0.0.11
### Minor Analysis Improvements

4
cpp/ql/lib/change-notes/2022-02-07-deleted-deprecations.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

5
cpp/ql/lib/change-notes/2022-02-07-deprecated-acronyms.md
View File

@@ -1,5 +0,0 @@
---
category: deprecated
---
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.

4
cpp/ql/lib/change-notes/2022-03-10-template-implicit-copy.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.

4
cpp/ql/lib/change-notes/2022-03-14-c11-noreturn.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.

4
cpp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.

4
cpp/ql/lib/change-notes/2022-03-14-taint-interface-cleanup.md
View File

@@ -1,4 +0,0 @@
---
category: breaking
---
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.

20
cpp/ql/lib/change-notes/released/0.0.12.md Normal file
View File

@@ -0,0 +1,20 @@
## 0.0.12
### Breaking Changes
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
### Deprecated APIs
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### New Features
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
### Minor Analysis Improvements
* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

1
cpp/ql/lib/change-notes/released/0.0.13.md Normal file
View File

@@ -0,0 +1 @@
## 0.0.13

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.11
lastReleaseVersion: 0.0.13

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.0.12-dev
version: 0.1.0-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

7
cpp/ql/lib/semmle/code/cpp/AutogeneratedFile.qll
View File

@@ -84,6 +84,7 @@ private int fileHeaderLimit(File f) {
fc = fileFirstComment(f) and
result =
min(int line |
// code ending the initial comments
exists(DeclarationEntry de, Location l |
l = de.getLocation() and
l.getFile() = f and
@@ -105,7 +106,13 @@ private int fileHeaderLimit(File f) {
line > fc
)
or
// end of the file
line = f.getMetrics().getNumberOfLines()
or
// rarely, we've seen extremely long sequences of initial comments
// (and/or limitations in the above constraints) cause an overflow of
// the maximum string length. So don't look past 1000 lines regardless.
line = 1000
)
)
}

6
cpp/ql/lib/semmle/code/cpp/controlflow/StackVariableReachability.qll
View File

@@ -80,7 +80,11 @@ abstract class StackVariableReachability extends string {
j > i and
sink = bb.getNode(j) and
this.isSink(sink, v) and
not exists(int k | this.isBarrier(bb.getNode(k), v) | k in [i + 1 .. j - 1])
not exists(int k, ControlFlowNode node |
node = bb.getNode(k) and this.isBarrier(pragma[only_bind_into](node), v)
|
k in [i + 1 .. j - 1]
)
)
or
not exists(int k | this.isBarrier(bb.getNode(k), v) | k > i) and

22
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

2
cpp/ql/lib/semmle/code/cpp/security/Overflow.qll
View File

@@ -25,6 +25,7 @@ predicate guardedAbs(Operation e, Expr use) {
* Holds if the value of `use` is guarded to be less than something, and `e`
* is in code controlled by that guard (where the guard condition held).
*/
pragma[nomagic]
predicate guardedLesser(Operation e, Expr use) {
exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), true))
or
@@ -35,6 +36,7 @@ predicate guardedLesser(Operation e, Expr use) {
* Holds if the value of `use` is guarded to be greater than something, and `e`
* is in code controlled by that guard (where the guard condition held).
*/
pragma[nomagic]
predicate guardedGreater(Operation e, Expr use) {
exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), false))
or

9
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,12 @@
## 0.0.13
## 0.0.12
### Minor Analysis Improvements
* The `cpp/overflow-destination`, `cpp/unclear-array-index-validation`, and `cpp/uncontrolled-allocation-size` queries have been modernized and converted to `path-problem` queries and provide more true positive results.
* The `cpp/system-data-exposure` query has been increased from `medium` to `high` precision, following a number of improvements to the query logic.
## 0.0.11
### Breaking Changes

4
cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
View File

@@ -116,8 +116,8 @@ class ExecTaintConfiguration extends TaintTracking::Configuration {
state instanceof ConcatState
}
override predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) {
isSink(node, state) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
override predicate isSanitizerOut(DataFlow::Node node) {
isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
}
}

4
cpp/ql/src/change-notes/2022-03-07-system-data-exposure.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `cpp/system-data-exposure` query has been increased from `medium` to `high` precision, following a number of improvements to the query logic.

8
cpp/ql/src/change-notes/2022-03-10-port-three-queries-to-taint-tracking.md → cpp/ql/src/change-notes/released/0.0.12.md
View File

@@ -1,4 +1,6 @@
---
category: minorAnalysis
---
## 0.0.12
### Minor Analysis Improvements
* The `cpp/overflow-destination`, `cpp/unclear-array-index-validation`, and `cpp/uncontrolled-allocation-size` queries have been modernized and converted to `path-problem` queries and provide more true positive results.
* The `cpp/system-data-exposure` query has been increased from `medium` to `high` precision, following a number of improvements to the query logic.

1
cpp/ql/src/change-notes/released/0.0.13.md Normal file
View File

@@ -0,0 +1 @@
## 0.0.13

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.11
lastReleaseVersion: 0.0.13

13
cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
View File

@@ -21,7 +21,7 @@ class WriteAccessCheckMacro extends Macro {
VariableAccess va;
WriteAccessCheckMacro() {
this.getName() = ["user_write_access_begin", "user_access_begin"] and
this.getName() = ["user_write_access_begin", "user_access_begin", "access_ok"] and
va.getEnclosingElement() = this.getAnInvocation().getAnExpandedElement()
}
@@ -37,7 +37,8 @@ class UnSafePutUserMacro extends Macro {
}
Expr getUserModePtr() {
result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier()
result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier() or
result = writeUserPtr.getOperand()
}
}
@@ -46,11 +47,13 @@ class ExploitableUserModePtrParam extends Parameter {
not exists(WriteAccessCheckMacro writeAccessCheck |
DataFlow::localFlow(DataFlow::parameterNode(this),
DataFlow::exprNode(writeAccessCheck.getArgument()))
) and
exists(UnSafePutUserMacro unsafePutUser |
DataFlow::localFlow(DataFlow::parameterNode(this),
DataFlow::exprNode(unsafePutUser.getUserModePtr()))
)
}
}
from ExploitableUserModePtrParam p, UnSafePutUserMacro unsafePutUser
where
DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(unsafePutUser.getUserModePtr()))
from ExploitableUserModePtrParam p
select p, "unsafe_put_user write user-mode pointer $@ without check.", p, p.toString()

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.0.12-dev
version: 0.1.0-dev
groups:
- cpp
- queries

194
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

@@ -13365,6 +13365,200 @@ ir.cpp:
# 1717| <params>:
# 1717| getEntryPoint(): [BlockStmt] { ... }
# 1717| getStmt(0): [ReturnStmt] return ...
# 1721| [CopyAssignmentOperator] CopyConstructorWithImplicitArgumentClass& CopyConstructorWithImplicitArgumentClass::operator=(CopyConstructorWithImplicitArgumentClass const&)
# 1721| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1724| [Constructor] void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass()
# 1724| <params>:
# 1724| <initializations>:
# 1724| getEntryPoint(): [BlockStmt] { ... }
# 1724| getStmt(0): [ReturnStmt] return ...
# 1725| [CopyConstructor] void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass(CopyConstructorWithImplicitArgumentClass const&)
# 1725| <params>:
# 1725| getParameter(0): [Parameter] c
# 1725| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1725| <initializations>:
# 1725| getEntryPoint(): [BlockStmt] { ... }
# 1726| getStmt(0): [ExprStmt] ExprStmt
# 1726| getExpr(): [AssignExpr] ... = ...
# 1726| Type = [IntType] int
# 1726| ValueCategory = lvalue
# 1726| getLValue(): [PointerFieldAccess] x
# 1726| Type = [IntType] int
# 1726| ValueCategory = lvalue
# 1726| getQualifier(): [ThisExpr] this
# 1726| Type = [PointerType] CopyConstructorWithImplicitArgumentClass *
# 1726| ValueCategory = prvalue(load)
# 1726| getRValue(): [ReferenceFieldAccess] x
# 1726| Type = [IntType] int
# 1726| ValueCategory = prvalue(load)
# 1726| getQualifier(): [VariableAccess] c
# 1726| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1726| ValueCategory = prvalue(load)
# 1726| getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
# 1726| Type = [SpecifiedType] const CopyConstructorWithImplicitArgumentClass
# 1726| ValueCategory = lvalue
# 1727| getStmt(1): [ReturnStmt] return ...
# 1730| [CopyAssignmentOperator] CopyConstructorWithBitwiseCopyClass& CopyConstructorWithBitwiseCopyClass::operator=(CopyConstructorWithBitwiseCopyClass const&)
# 1730| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorWithBitwiseCopyClass &
# 1730| [MoveAssignmentOperator] CopyConstructorWithBitwiseCopyClass& CopyConstructorWithBitwiseCopyClass::operator=(CopyConstructorWithBitwiseCopyClass&&)
# 1730| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorWithBitwiseCopyClass &&
# 1730| [CopyConstructor] void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass(CopyConstructorWithBitwiseCopyClass const&)
# 1730| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorWithBitwiseCopyClass &
# 1730| [MoveConstructor] void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass(CopyConstructorWithBitwiseCopyClass&&)
# 1730| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorWithBitwiseCopyClass &&
# 1733| [Constructor] void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass()
# 1733| <params>:
# 1733| <initializations>:
# 1733| getEntryPoint(): [BlockStmt] { ... }
# 1733| getStmt(0): [ReturnStmt] return ...
# 1736| [CopyAssignmentOperator] CopyConstructorTestNonVirtualClass& CopyConstructorTestNonVirtualClass::operator=(CopyConstructorTestNonVirtualClass const&)
# 1736| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1736| [MoveAssignmentOperator] CopyConstructorTestNonVirtualClass& CopyConstructorTestNonVirtualClass::operator=(CopyConstructorTestNonVirtualClass&&)
# 1736| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorTestNonVirtualClass &&
# 1736| [CopyConstructor] void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass(CopyConstructorTestNonVirtualClass const&)
# 1736| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1736| <initializations>:
# 1736| getInitializer(0): [ConstructorDirectInit] call to CopyConstructorWithImplicitArgumentClass
# 1736| Type = [VoidType] void
# 1736| ValueCategory = prvalue
# 1736| getArgument(0): [VariableAccess] (unnamed parameter 0)
# 1736| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1736| ValueCategory = prvalue(load)
# 1736| getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
# 1736| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1736| ValueCategory = prvalue
# 1736| getExpr(): [CStyleCast] (const CopyConstructorWithImplicitArgumentClass)...
# 1736| Conversion = [BaseClassConversion] base class conversion
# 1736| Type = [SpecifiedType] const CopyConstructorWithImplicitArgumentClass
# 1736| ValueCategory = lvalue
# 1736| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1736| Type = [SpecifiedType] const CopyConstructorTestNonVirtualClass
# 1736| ValueCategory = lvalue
# 1736| getInitializer(1): (no string representation)
# 1736| Type = [VirtualBaseClass] CopyConstructorWithBitwiseCopyClass
# 1736| ValueCategory = prvalue
# 1736| getEntryPoint(): [BlockStmt] { ... }
# 1736| getStmt(0): [ReturnStmt] return ...
# 1736| [MoveConstructor] void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass(CopyConstructorTestNonVirtualClass&&)
# 1736| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorTestNonVirtualClass &&
# 1740| [Constructor] void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass()
# 1740| <params>:
# 1740| <initializations>:
# 1740| getInitializer(0): [ConstructorDirectInit] call to CopyConstructorWithImplicitArgumentClass
# 1740| Type = [VoidType] void
# 1740| ValueCategory = prvalue
# 1740| getInitializer(1): [ConstructorDirectInit] call to CopyConstructorWithBitwiseCopyClass
# 1740| Type = [VoidType] void
# 1740| ValueCategory = prvalue
# 1740| getEntryPoint(): [BlockStmt] { ... }
# 1740| getStmt(0): [ReturnStmt] return ...
# 1743| [CopyAssignmentOperator] CopyConstructorTestVirtualClass& CopyConstructorTestVirtualClass::operator=(CopyConstructorTestVirtualClass const&)
# 1743| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1743| [MoveAssignmentOperator] CopyConstructorTestVirtualClass& CopyConstructorTestVirtualClass::operator=(CopyConstructorTestVirtualClass&&)
# 1743| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorTestVirtualClass &&
# 1743| [CopyConstructor] void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass(CopyConstructorTestVirtualClass const&)
# 1743| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1743| <initializations>:
# 1743| getInitializer(0): [ConstructorVirtualInit] call to CopyConstructorWithImplicitArgumentClass
# 1743| Type = [VoidType] void
# 1743| ValueCategory = prvalue
# 1743| getArgument(0): [VariableAccess] (unnamed parameter 0)
# 1743| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1743| ValueCategory = prvalue(load)
# 1743| getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
# 1743| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1743| ValueCategory = prvalue
# 1743| getExpr(): [CStyleCast] (const CopyConstructorWithImplicitArgumentClass)...
# 1743| Conversion = [BaseClassConversion] base class conversion
# 1743| Type = [SpecifiedType] const CopyConstructorWithImplicitArgumentClass
# 1743| ValueCategory = lvalue
# 1743| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1743| Type = [SpecifiedType] const CopyConstructorTestVirtualClass
# 1743| ValueCategory = lvalue
# 1743| getInitializer(1): (no string representation)
# 1743| Type = [VirtualBaseClass] CopyConstructorWithBitwiseCopyClass
# 1743| ValueCategory = prvalue
# 1743| getEntryPoint(): [BlockStmt] { ... }
# 1743| getStmt(0): [ReturnStmt] return ...
# 1743| [MoveConstructor] void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass(CopyConstructorTestVirtualClass&&)
# 1743| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorTestVirtualClass &&
# 1747| [Constructor] void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass()
# 1747| <params>:
# 1747| <initializations>:
# 1747| getInitializer(0): [ConstructorVirtualInit] call to CopyConstructorWithImplicitArgumentClass
# 1747| Type = [VoidType] void
# 1747| ValueCategory = prvalue
# 1747| getInitializer(1): [ConstructorVirtualInit] call to CopyConstructorWithBitwiseCopyClass
# 1747| Type = [VoidType] void
# 1747| ValueCategory = prvalue
# 1747| getEntryPoint(): [BlockStmt] { ... }
# 1747| getStmt(0): [ReturnStmt] return ...
# 1750| [TopLevelFunction] int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&)
# 1750| <params>:
# 1751| getParameter(0): [Parameter] x
# 1751| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1752| getParameter(1): [Parameter] y
# 1752| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1752| getEntryPoint(): [BlockStmt] { ... }
# 1753| getStmt(0): [DeclStmt] declaration
# 1753| getDeclarationEntry(0): [VariableDeclarationEntry] definition of cx
# 1753| Type = [Class] CopyConstructorTestNonVirtualClass
# 1753| getVariable().getInitializer(): [Initializer] initializer for cx
# 1753| getExpr(): [ConstructorCall] call to CopyConstructorTestNonVirtualClass
# 1753| Type = [VoidType] void
# 1753| ValueCategory = prvalue
# 1753| getArgument(0): [VariableAccess] x
# 1753| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1753| ValueCategory = prvalue(load)
# 1753| getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
# 1753| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1753| ValueCategory = prvalue
# 1753| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1753| Type = [SpecifiedType] const CopyConstructorTestNonVirtualClass
# 1753| ValueCategory = lvalue
# 1754| getStmt(1): [DeclStmt] declaration
# 1754| getDeclarationEntry(0): [VariableDeclarationEntry] definition of cy
# 1754| Type = [Class] CopyConstructorTestVirtualClass
# 1754| getVariable().getInitializer(): [Initializer] initializer for cy
# 1754| getExpr(): [ConstructorCall] call to CopyConstructorTestVirtualClass
# 1754| Type = [VoidType] void
# 1754| ValueCategory = prvalue
# 1754| getArgument(0): [VariableAccess] y
# 1754| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1754| ValueCategory = prvalue(load)
# 1754| getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
# 1754| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1754| ValueCategory = prvalue
# 1754| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1754| Type = [SpecifiedType] const CopyConstructorTestVirtualClass
# 1754| ValueCategory = lvalue
# 1755| getStmt(2): [ReturnStmt] return ...
perf-regression.cpp:
# 4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
# 4| <params>:

36
cpp/ql/test/library-tests/ir/ir/ir.cpp
View File

@@ -1718,4 +1718,40 @@ void captured_lambda2(TrivialLambdaClass p1, TrivialLambdaClass &p2, TrivialLamb
};
}
class CopyConstructorWithImplicitArgumentClass {
int x;
public:
CopyConstructorWithImplicitArgumentClass() {}
CopyConstructorWithImplicitArgumentClass(const CopyConstructorWithImplicitArgumentClass &c) {
x = c.x;
}
};
class CopyConstructorWithBitwiseCopyClass {
int y;
public:
CopyConstructorWithBitwiseCopyClass() {}
};
class CopyConstructorTestNonVirtualClass :
public CopyConstructorWithImplicitArgumentClass,
public CopyConstructorWithBitwiseCopyClass {
public:
CopyConstructorTestNonVirtualClass() {}
};
class CopyConstructorTestVirtualClass :
public virtual CopyConstructorWithImplicitArgumentClass,
public virtual CopyConstructorWithBitwiseCopyClass {
public:
CopyConstructorTestVirtualClass() {}
};
int implicit_copy_constructor_test(
const CopyConstructorTestNonVirtualClass &x,
const CopyConstructorTestVirtualClass &y) {
CopyConstructorTestNonVirtualClass cx = x;
CopyConstructorTestVirtualClass cy = y;
}
// semmle-extractor-options: -std=c++17 --clang

206
cpp/ql/test/library-tests/ir/ir/operand_locations.expected
View File

@@ -670,6 +670,10 @@
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_2 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
@@ -686,6 +690,10 @@
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_5 |
| file://:0:0:0:0 | Address | &:r0_5 |
| file://:0:0:0:0 | Address | &:r0_5 |
@@ -746,6 +754,8 @@
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m745_6 |
| file://:0:0:0:0 | Load | m754_6 |
| file://:0:0:0:0 | Load | m763_6 |
@@ -767,6 +777,8 @@
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m1078_23 |
| file://:0:0:0:0 | SideEffect | m1078_23 |
| file://:0:0:0:0 | SideEffect | m1084_23 |
@@ -8009,6 +8021,200 @@
| ir.cpp:1717:30:1717:30 | Load | m1717_6 |
| ir.cpp:1717:30:1717:30 | SideEffect | m1717_3 |
| ir.cpp:1717:30:1717:30 | SideEffect | m1717_8 |
| ir.cpp:1724:5:1724:44 | Address | &:r1724_5 |
| ir.cpp:1724:5:1724:44 | Address | &:r1724_5 |
| ir.cpp:1724:5:1724:44 | Address | &:r1724_7 |
| ir.cpp:1724:5:1724:44 | Address | &:r1724_7 |
| ir.cpp:1724:5:1724:44 | ChiPartial | partial:m1724_3 |
| ir.cpp:1724:5:1724:44 | ChiTotal | total:m1724_2 |
| ir.cpp:1724:5:1724:44 | Load | m1724_6 |
| ir.cpp:1724:5:1724:44 | SideEffect | m1724_3 |
| ir.cpp:1724:5:1724:44 | SideEffect | m1724_8 |
| ir.cpp:1725:5:1725:44 | Address | &:r1725_5 |
| ir.cpp:1725:5:1725:44 | Address | &:r1725_5 |
| ir.cpp:1725:5:1725:44 | Address | &:r1725_7 |
| ir.cpp:1725:5:1725:44 | Address | &:r1725_7 |
| ir.cpp:1725:5:1725:44 | ChiPartial | partial:m1725_3 |
| ir.cpp:1725:5:1725:44 | ChiTotal | total:m1725_2 |
| ir.cpp:1725:5:1725:44 | Load | m1725_6 |
| ir.cpp:1725:5:1725:44 | SideEffect | m1725_3 |
| ir.cpp:1725:5:1725:44 | SideEffect | m1726_10 |
| ir.cpp:1725:94:1725:94 | Address | &:r1725_9 |
| ir.cpp:1725:94:1725:94 | Address | &:r1725_9 |
| ir.cpp:1725:94:1725:94 | Address | &:r1725_11 |
| ir.cpp:1725:94:1725:94 | Address | &:r1725_11 |
| ir.cpp:1725:94:1725:94 | Load | m1725_10 |
| ir.cpp:1725:94:1725:94 | SideEffect | m1725_12 |
| ir.cpp:1726:9:1726:9 | Address | &:r1726_6 |
| ir.cpp:1726:9:1726:9 | Address | &:r1726_8 |
| ir.cpp:1726:9:1726:9 | Load | m1725_6 |
| ir.cpp:1726:9:1726:9 | Unary | r1726_7 |
| ir.cpp:1726:9:1726:15 | ChiPartial | partial:m1726_9 |
| ir.cpp:1726:9:1726:15 | ChiTotal | total:m1725_8 |
| ir.cpp:1726:13:1726:13 | Address | &:r1726_1 |
| ir.cpp:1726:13:1726:13 | Load | m1725_10 |
| ir.cpp:1726:13:1726:13 | Unary | r1726_2 |
| ir.cpp:1726:13:1726:13 | Unary | r1726_3 |
| ir.cpp:1726:15:1726:15 | Address | &:r1726_4 |
| ir.cpp:1726:15:1726:15 | Load | ~m1725_12 |
| ir.cpp:1726:15:1726:15 | StoreValue | r1726_5 |
| ir.cpp:1733:5:1733:39 | Address | &:r1733_5 |
| ir.cpp:1733:5:1733:39 | Address | &:r1733_5 |
| ir.cpp:1733:5:1733:39 | Address | &:r1733_7 |
| ir.cpp:1733:5:1733:39 | Address | &:r1733_7 |
| ir.cpp:1733:5:1733:39 | ChiPartial | partial:m1733_3 |
| ir.cpp:1733:5:1733:39 | ChiTotal | total:m1733_2 |
| ir.cpp:1733:5:1733:39 | Load | m1733_6 |
| ir.cpp:1733:5:1733:39 | SideEffect | m1733_3 |
| ir.cpp:1733:5:1733:39 | SideEffect | m1733_8 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_5 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_5 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_7 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_7 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_9 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_11 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_15 |
| ir.cpp:1736:7:1736:7 | Arg(0) | 0:r1736_15 |
| ir.cpp:1736:7:1736:7 | Arg(this) | this:r1736_9 |
| ir.cpp:1736:7:1736:7 | CallTarget | func:r1736_10 |
| ir.cpp:1736:7:1736:7 | ChiPartial | partial:m1736_3 |
| ir.cpp:1736:7:1736:7 | ChiPartial | partial:m1736_17 |
| ir.cpp:1736:7:1736:7 | ChiPartial | partial:m1736_20 |
| ir.cpp:1736:7:1736:7 | ChiTotal | total:m1736_2 |
| ir.cpp:1736:7:1736:7 | ChiTotal | total:m1736_4 |
| ir.cpp:1736:7:1736:7 | ChiTotal | total:m1736_8 |
| ir.cpp:1736:7:1736:7 | Load | m0_2 |
| ir.cpp:1736:7:1736:7 | Load | m1736_6 |
| ir.cpp:1736:7:1736:7 | SideEffect | m1736_21 |
| ir.cpp:1736:7:1736:7 | SideEffect | ~m0_4 |
| ir.cpp:1736:7:1736:7 | SideEffect | ~m1736_4 |
| ir.cpp:1736:7:1736:7 | SideEffect | ~m1736_18 |
| ir.cpp:1736:7:1736:7 | Unary | m1736_6 |
| ir.cpp:1736:7:1736:7 | Unary | r1736_12 |
| ir.cpp:1736:7:1736:7 | Unary | r1736_13 |
| ir.cpp:1736:7:1736:7 | Unary | r1736_14 |
| ir.cpp:1740:5:1740:38 | Address | &:r1740_5 |
| ir.cpp:1740:5:1740:38 | Address | &:r1740_5 |
| ir.cpp:1740:5:1740:38 | Address | &:r1740_7 |
| ir.cpp:1740:5:1740:38 | Address | &:r1740_7 |
| ir.cpp:1740:5:1740:38 | ChiPartial | partial:m1740_3 |
| ir.cpp:1740:5:1740:38 | ChiTotal | total:m1740_2 |
| ir.cpp:1740:5:1740:38 | Load | m1740_6 |
| ir.cpp:1740:5:1740:38 | SideEffect | m1740_22 |
| ir.cpp:1740:5:1740:38 | SideEffect | ~m1740_20 |
| ir.cpp:1740:5:1740:38 | Unary | m1740_6 |
| ir.cpp:1740:5:1740:38 | Unary | m1740_6 |
| ir.cpp:1740:42:1740:42 | Address | &:r1740_9 |
| ir.cpp:1740:42:1740:42 | Address | &:r1740_16 |
| ir.cpp:1740:42:1740:42 | Arg(this) | this:r1740_9 |
| ir.cpp:1740:42:1740:42 | Arg(this) | this:r1740_16 |
| ir.cpp:1740:42:1740:42 | CallTarget | func:r1740_10 |
| ir.cpp:1740:42:1740:42 | CallTarget | func:r1740_17 |
| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_12 |
| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_14 |
| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_19 |
| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_21 |
| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_4 |
| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_8 |
| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_13 |
| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_15 |
| ir.cpp:1740:42:1740:42 | SideEffect | ~m1740_4 |
| ir.cpp:1740:42:1740:42 | SideEffect | ~m1740_13 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_5 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_5 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_7 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_7 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_9 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_11 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_15 |
| ir.cpp:1743:7:1743:7 | Arg(0) | 0:r1743_15 |
| ir.cpp:1743:7:1743:7 | Arg(this) | this:r1743_9 |
| ir.cpp:1743:7:1743:7 | CallTarget | func:r1743_10 |
| ir.cpp:1743:7:1743:7 | ChiPartial | partial:m1743_3 |
| ir.cpp:1743:7:1743:7 | ChiPartial | partial:m1743_17 |
| ir.cpp:1743:7:1743:7 | ChiPartial | partial:m1743_20 |
| ir.cpp:1743:7:1743:7 | ChiTotal | total:m1743_2 |
| ir.cpp:1743:7:1743:7 | ChiTotal | total:m1743_4 |
| ir.cpp:1743:7:1743:7 | ChiTotal | total:m1743_18 |
| ir.cpp:1743:7:1743:7 | Load | m0_2 |
| ir.cpp:1743:7:1743:7 | Load | m1743_6 |
| ir.cpp:1743:7:1743:7 | SideEffect | m1743_8 |
| ir.cpp:1743:7:1743:7 | SideEffect | ~m0_4 |
| ir.cpp:1743:7:1743:7 | SideEffect | ~m1743_4 |
| ir.cpp:1743:7:1743:7 | SideEffect | ~m1743_21 |
| ir.cpp:1743:7:1743:7 | Unary | m1743_6 |
| ir.cpp:1743:7:1743:7 | Unary | r1743_12 |
| ir.cpp:1743:7:1743:7 | Unary | r1743_13 |
| ir.cpp:1743:7:1743:7 | Unary | r1743_14 |
| ir.cpp:1747:5:1747:35 | Address | &:r1747_5 |
| ir.cpp:1747:5:1747:35 | Address | &:r1747_5 |
| ir.cpp:1747:5:1747:35 | Address | &:r1747_7 |
| ir.cpp:1747:5:1747:35 | Address | &:r1747_7 |
| ir.cpp:1747:5:1747:35 | ChiPartial | partial:m1747_3 |
| ir.cpp:1747:5:1747:35 | ChiTotal | total:m1747_2 |
| ir.cpp:1747:5:1747:35 | Load | m1747_6 |
| ir.cpp:1747:5:1747:35 | SideEffect | m1747_8 |
| ir.cpp:1747:5:1747:35 | SideEffect | ~m1747_22 |
| ir.cpp:1747:5:1747:35 | Unary | m1747_6 |
| ir.cpp:1747:5:1747:35 | Unary | m1747_6 |
| ir.cpp:1747:39:1747:39 | Address | &:r1747_9 |
| ir.cpp:1747:39:1747:39 | Address | &:r1747_16 |
| ir.cpp:1747:39:1747:39 | Arg(this) | this:r1747_9 |
| ir.cpp:1747:39:1747:39 | Arg(this) | this:r1747_16 |
| ir.cpp:1747:39:1747:39 | CallTarget | func:r1747_10 |
| ir.cpp:1747:39:1747:39 | CallTarget | func:r1747_17 |
| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_12 |
| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_14 |
| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_19 |
| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_21 |
| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_4 |
| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_13 |
| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_15 |
| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_20 |
| ir.cpp:1747:39:1747:39 | SideEffect | ~m1747_4 |
| ir.cpp:1747:39:1747:39 | SideEffect | ~m1747_15 |
| ir.cpp:1750:5:1750:34 | ChiPartial | partial:m1750_3 |
| ir.cpp:1750:5:1750:34 | ChiTotal | total:m1750_2 |
| ir.cpp:1751:51:1751:51 | Address | &:r1751_1 |
| ir.cpp:1751:51:1751:51 | Address | &:r1751_1 |
| ir.cpp:1751:51:1751:51 | Address | &:r1751_3 |
| ir.cpp:1751:51:1751:51 | Load | m1751_2 |
| ir.cpp:1752:48:1752:48 | Address | &:r1752_1 |
| ir.cpp:1752:48:1752:48 | Address | &:r1752_1 |
| ir.cpp:1752:48:1752:48 | Address | &:r1752_3 |
| ir.cpp:1752:48:1752:48 | Load | m1752_2 |
| ir.cpp:1753:40:1753:41 | Address | &:r1753_1 |
| ir.cpp:1753:40:1753:41 | Address | &:r1753_1 |
| ir.cpp:1753:40:1753:41 | Arg(this) | this:r1753_1 |
| ir.cpp:1753:44:1753:45 | CallTarget | func:r1753_3 |
| ir.cpp:1753:44:1753:45 | ChiPartial | partial:m1753_9 |
| ir.cpp:1753:44:1753:45 | ChiPartial | partial:m1753_12 |
| ir.cpp:1753:44:1753:45 | ChiTotal | total:m1750_4 |
| ir.cpp:1753:44:1753:45 | ChiTotal | total:m1753_2 |
| ir.cpp:1753:44:1753:45 | SideEffect | ~m1750_4 |
| ir.cpp:1753:45:1753:45 | Address | &:r1753_4 |
| ir.cpp:1753:45:1753:45 | Address | &:r1753_7 |
| ir.cpp:1753:45:1753:45 | Arg(0) | 0:r1753_7 |
| ir.cpp:1753:45:1753:45 | Load | m1751_2 |
| ir.cpp:1753:45:1753:45 | SideEffect | ~m1751_4 |
| ir.cpp:1753:45:1753:45 | Unary | r1753_5 |
| ir.cpp:1753:45:1753:45 | Unary | r1753_6 |
| ir.cpp:1754:37:1754:38 | Address | &:r1754_1 |
| ir.cpp:1754:37:1754:38 | Address | &:r1754_1 |
| ir.cpp:1754:37:1754:38 | Arg(this) | this:r1754_1 |
| ir.cpp:1754:41:1754:42 | CallTarget | func:r1754_3 |
| ir.cpp:1754:41:1754:42 | ChiPartial | partial:m1754_9 |
| ir.cpp:1754:41:1754:42 | ChiPartial | partial:m1754_12 |
| ir.cpp:1754:41:1754:42 | ChiTotal | total:m1753_10 |
| ir.cpp:1754:41:1754:42 | ChiTotal | total:m1754_2 |
| ir.cpp:1754:41:1754:42 | SideEffect | ~m1753_10 |
| ir.cpp:1754:42:1754:42 | Address | &:r1754_4 |
| ir.cpp:1754:42:1754:42 | Address | &:r1754_7 |
| ir.cpp:1754:42:1754:42 | Arg(0) | 0:r1754_7 |
| ir.cpp:1754:42:1754:42 | Load | m1752_2 |
| ir.cpp:1754:42:1754:42 | SideEffect | ~m1752_4 |
| ir.cpp:1754:42:1754:42 | Unary | r1754_5 |
| ir.cpp:1754:42:1754:42 | Unary | r1754_6 |
| perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
| perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
| perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |

2
cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
View File

@@ -18,6 +18,8 @@ lostReachability
backEdgeCountMismatch
useNotDominatedByDefinition
| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
| ir.cpp:1751:51:1751:51 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1750:5:1750:34 | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) |
| ir.cpp:1752:48:1752:48 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1750:5:1750:34 | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) |
switchInstructionWithoutDefaultEdge
notMarkedAsConflated
wronglyMarkedAsConflated

216
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

@@ -9202,6 +9202,222 @@ ir.cpp:
# 1717| v1717_11(void) = AliasedUse : ~m?
# 1717| v1717_12(void) = ExitFunction :
# 1724| void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass()
# 1724| Block 0
# 1724| v1724_1(void) = EnterFunction :
# 1724| mu1724_2(unknown) = AliasedDefinition :
# 1724| mu1724_3(unknown) = InitializeNonLocal :
# 1724| r1724_4(glval<unknown>) = VariableAddress[#this] :
# 1724| mu1724_5(glval<CopyConstructorWithImplicitArgumentClass>) = InitializeParameter[#this] : &:r1724_4
# 1724| r1724_6(glval<CopyConstructorWithImplicitArgumentClass>) = Load[#this] : &:r1724_4, ~m?
# 1724| mu1724_7(CopyConstructorWithImplicitArgumentClass) = InitializeIndirection[#this] : &:r1724_6
# 1724| v1724_8(void) = NoOp :
# 1724| v1724_9(void) = ReturnIndirection[#this] : &:r1724_6, ~m?
# 1724| v1724_10(void) = ReturnVoid :
# 1724| v1724_11(void) = AliasedUse : ~m?
# 1724| v1724_12(void) = ExitFunction :
# 1725| void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass(CopyConstructorWithImplicitArgumentClass const&)
# 1725| Block 0
# 1725| v1725_1(void) = EnterFunction :
# 1725| mu1725_2(unknown) = AliasedDefinition :
# 1725| mu1725_3(unknown) = InitializeNonLocal :
# 1725| r1725_4(glval<unknown>) = VariableAddress[#this] :
# 1725| mu1725_5(glval<CopyConstructorWithImplicitArgumentClass>) = InitializeParameter[#this] : &:r1725_4
# 1725| r1725_6(glval<CopyConstructorWithImplicitArgumentClass>) = Load[#this] : &:r1725_4, ~m?
# 1725| mu1725_7(CopyConstructorWithImplicitArgumentClass) = InitializeIndirection[#this] : &:r1725_6
# 1725| r1725_8(glval<CopyConstructorWithImplicitArgumentClass &>) = VariableAddress[c] :
# 1725| mu1725_9(CopyConstructorWithImplicitArgumentClass &) = InitializeParameter[c] : &:r1725_8
# 1725| r1725_10(CopyConstructorWithImplicitArgumentClass &) = Load[c] : &:r1725_8, ~m?
# 1725| mu1725_11(unknown) = InitializeIndirection[c] : &:r1725_10
# 1726| r1726_1(glval<CopyConstructorWithImplicitArgumentClass &>) = VariableAddress[c] :
# 1726| r1726_2(CopyConstructorWithImplicitArgumentClass &) = Load[c] : &:r1726_1, ~m?
# 1726| r1726_3(glval<CopyConstructorWithImplicitArgumentClass>) = CopyValue : r1726_2
# 1726| r1726_4(glval<int>) = FieldAddress[x] : r1726_3
# 1726| r1726_5(int) = Load[?] : &:r1726_4, ~m?
# 1726| r1726_6(glval<unknown>) = VariableAddress[#this] :
# 1726| r1726_7(CopyConstructorWithImplicitArgumentClass *) = Load[#this] : &:r1726_6, ~m?
# 1726| r1726_8(glval<int>) = FieldAddress[x] : r1726_7
# 1726| mu1726_9(int) = Store[?] : &:r1726_8, r1726_5
# 1727| v1727_1(void) = NoOp :
# 1725| v1725_12(void) = ReturnIndirection[#this] : &:r1725_6, ~m?
# 1725| v1725_13(void) = ReturnIndirection[c] : &:r1725_10, ~m?
# 1725| v1725_14(void) = ReturnVoid :
# 1725| v1725_15(void) = AliasedUse : ~m?
# 1725| v1725_16(void) = ExitFunction :
# 1733| void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass()
# 1733| Block 0
# 1733| v1733_1(void) = EnterFunction :
# 1733| mu1733_2(unknown) = AliasedDefinition :
# 1733| mu1733_3(unknown) = InitializeNonLocal :
# 1733| r1733_4(glval<unknown>) = VariableAddress[#this] :
# 1733| mu1733_5(glval<CopyConstructorWithBitwiseCopyClass>) = InitializeParameter[#this] : &:r1733_4
# 1733| r1733_6(glval<CopyConstructorWithBitwiseCopyClass>) = Load[#this] : &:r1733_4, ~m?
# 1733| mu1733_7(CopyConstructorWithBitwiseCopyClass) = InitializeIndirection[#this] : &:r1733_6
# 1733| v1733_8(void) = NoOp :
# 1733| v1733_9(void) = ReturnIndirection[#this] : &:r1733_6, ~m?
# 1733| v1733_10(void) = ReturnVoid :
# 1733| v1733_11(void) = AliasedUse : ~m?
# 1733| v1733_12(void) = ExitFunction :
# 1736| void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass(CopyConstructorTestNonVirtualClass const&)
# 1736| Block 0
# 1736| v1736_1(void) = EnterFunction :
# 1736| mu1736_2(unknown) = AliasedDefinition :
# 1736| mu1736_3(unknown) = InitializeNonLocal :
# 1736| r1736_4(glval<unknown>) = VariableAddress[#this] :
# 1736| mu1736_5(glval<CopyConstructorTestNonVirtualClass>) = InitializeParameter[#this] : &:r1736_4
# 1736| r1736_6(glval<CopyConstructorTestNonVirtualClass>) = Load[#this] : &:r1736_4, ~m?
# 1736| mu1736_7(CopyConstructorTestNonVirtualClass) = InitializeIndirection[#this] : &:r1736_6
#-----| r0_1(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[(unnamed parameter 0)] :
#-----| mu0_2(CopyConstructorTestNonVirtualClass &) = InitializeParameter[(unnamed parameter 0)] : &:r0_1
#-----| r0_3(CopyConstructorTestNonVirtualClass &) = Load[(unnamed parameter 0)] : &:r0_1, ~m?
#-----| mu0_4(unknown) = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
# 1736| r1736_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1736_5
# 1736| r1736_9(glval<unknown>) = FunctionAddress[CopyConstructorWithImplicitArgumentClass] :
# 1736| r1736_10(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[(unnamed parameter 0)] :
# 1736| r1736_11(CopyConstructorTestNonVirtualClass &) = Load[(unnamed parameter 0)] : &:r1736_10, ~m?
# 1736| r1736_12(glval<CopyConstructorTestNonVirtualClass>) = CopyValue : r1736_11
# 1736| r1736_13(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithImplicitArgumentClass] : r1736_12
# 1736| r1736_14(CopyConstructorWithImplicitArgumentClass &) = CopyValue : r1736_13
# 1736| v1736_15(void) = Call[CopyConstructorWithImplicitArgumentClass] : func:r1736_9, this:r1736_8, 0:r1736_14
# 1736| mu1736_16(unknown) = ^CallSideEffect : ~m?
# 1736| v1736_17(void) = ^BufferReadSideEffect[0] : &:r1736_14, ~m?
# 1736| mu1736_18(CopyConstructorWithImplicitArgumentClass) = ^IndirectMayWriteSideEffect[-1] : &:r1736_8
# 1736| v1736_19(void) = NoOp :
# 1736| v1736_20(void) = ReturnIndirection[#this] : &:r1736_6, ~m?
#-----| v0_5(void) = ReturnIndirection[(unnamed parameter 0)] : &:r0_3, ~m?
# 1736| v1736_21(void) = ReturnVoid :
# 1736| v1736_22(void) = AliasedUse : ~m?
# 1736| v1736_23(void) = ExitFunction :
# 1740| void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass()
# 1740| Block 0
# 1740| v1740_1(void) = EnterFunction :
# 1740| mu1740_2(unknown) = AliasedDefinition :
# 1740| mu1740_3(unknown) = InitializeNonLocal :
# 1740| r1740_4(glval<unknown>) = VariableAddress[#this] :
# 1740| mu1740_5(glval<CopyConstructorTestNonVirtualClass>) = InitializeParameter[#this] : &:r1740_4
# 1740| r1740_6(glval<CopyConstructorTestNonVirtualClass>) = Load[#this] : &:r1740_4, ~m?
# 1740| mu1740_7(CopyConstructorTestNonVirtualClass) = InitializeIndirection[#this] : &:r1740_6
# 1740| r1740_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1740_5
# 1740| r1740_9(glval<unknown>) = FunctionAddress[CopyConstructorWithImplicitArgumentClass] :
# 1740| v1740_10(void) = Call[CopyConstructorWithImplicitArgumentClass] : func:r1740_9, this:r1740_8
# 1740| mu1740_11(unknown) = ^CallSideEffect : ~m?
# 1740| mu1740_12(CopyConstructorWithImplicitArgumentClass) = ^IndirectMayWriteSideEffect[-1] : &:r1740_8
# 1740| r1740_13(glval<CopyConstructorWithBitwiseCopyClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithBitwiseCopyClass] : mu1740_5
# 1740| r1740_14(glval<unknown>) = FunctionAddress[CopyConstructorWithBitwiseCopyClass] :
# 1740| v1740_15(void) = Call[CopyConstructorWithBitwiseCopyClass] : func:r1740_14, this:r1740_13
# 1740| mu1740_16(unknown) = ^CallSideEffect : ~m?
# 1740| mu1740_17(CopyConstructorWithBitwiseCopyClass) = ^IndirectMayWriteSideEffect[-1] : &:r1740_13
# 1740| v1740_18(void) = NoOp :
# 1740| v1740_19(void) = ReturnIndirection[#this] : &:r1740_6, ~m?
# 1740| v1740_20(void) = ReturnVoid :
# 1740| v1740_21(void) = AliasedUse : ~m?
# 1740| v1740_22(void) = ExitFunction :
# 1743| void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass(CopyConstructorTestVirtualClass const&)
# 1743| Block 0
# 1743| v1743_1(void) = EnterFunction :
# 1743| mu1743_2(unknown) = AliasedDefinition :
# 1743| mu1743_3(unknown) = InitializeNonLocal :
# 1743| r1743_4(glval<unknown>) = VariableAddress[#this] :
# 1743| mu1743_5(glval<CopyConstructorTestVirtualClass>) = InitializeParameter[#this] : &:r1743_4
# 1743| r1743_6(glval<CopyConstructorTestVirtualClass>) = Load[#this] : &:r1743_4, ~m?
# 1743| mu1743_7(CopyConstructorTestVirtualClass) = InitializeIndirection[#this] : &:r1743_6
#-----| r0_1(glval<CopyConstructorTestVirtualClass &>) = VariableAddress[(unnamed parameter 0)] :
#-----| mu0_2(CopyConstructorTestVirtualClass &) = InitializeParameter[(unnamed parameter 0)] : &:r0_1
#-----| r0_3(CopyConstructorTestVirtualClass &) = Load[(unnamed parameter 0)] : &:r0_1, ~m?
#-----| mu0_4(unknown) = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
# 1743| r1743_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1743_5
# 1743| r1743_9(glval<unknown>) = FunctionAddress[CopyConstructorWithImplicitArgumentClass] :
# 1743| r1743_10(glval<CopyConstructorTestVirtualClass &>) = VariableAddress[(unnamed parameter 0)] :
# 1743| r1743_11(CopyConstructorTestVirtualClass &) = Load[(unnamed parameter 0)] : &:r1743_10, ~m?
# 1743| r1743_12(glval<CopyConstructorTestVirtualClass>) = CopyValue : r1743_11
# 1743| r1743_13(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithImplicitArgumentClass] : r1743_12
# 1743| r1743_14(CopyConstructorWithImplicitArgumentClass &) = CopyValue : r1743_13
# 1743| v1743_15(void) = Call[CopyConstructorWithImplicitArgumentClass] : func:r1743_9, this:r1743_8, 0:r1743_14
# 1743| mu1743_16(unknown) = ^CallSideEffect : ~m?
# 1743| v1743_17(void) = ^BufferReadSideEffect[0] : &:r1743_14, ~m?
# 1743| mu1743_18(CopyConstructorWithImplicitArgumentClass) = ^IndirectMayWriteSideEffect[-1] : &:r1743_8
# 1743| v1743_19(void) = NoOp :
# 1743| v1743_20(void) = ReturnIndirection[#this] : &:r1743_6, ~m?
#-----| v0_5(void) = ReturnIndirection[(unnamed parameter 0)] : &:r0_3, ~m?
# 1743| v1743_21(void) = ReturnVoid :
# 1743| v1743_22(void) = AliasedUse : ~m?
# 1743| v1743_23(void) = ExitFunction :
# 1747| void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass()
# 1747| Block 0
# 1747| v1747_1(void) = EnterFunction :
# 1747| mu1747_2(unknown) = AliasedDefinition :
# 1747| mu1747_3(unknown) = InitializeNonLocal :
# 1747| r1747_4(glval<unknown>) = VariableAddress[#this] :
# 1747| mu1747_5(glval<CopyConstructorTestVirtualClass>) = InitializeParameter[#this] : &:r1747_4
# 1747| r1747_6(glval<CopyConstructorTestVirtualClass>) = Load[#this] : &:r1747_4, ~m?
# 1747| mu1747_7(CopyConstructorTestVirtualClass) = InitializeIndirection[#this] : &:r1747_6
# 1747| r1747_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1747_5
# 1747| r1747_9(glval<unknown>) = FunctionAddress[CopyConstructorWithImplicitArgumentClass] :
# 1747| v1747_10(void) = Call[CopyConstructorWithImplicitArgumentClass] : func:r1747_9, this:r1747_8
# 1747| mu1747_11(unknown) = ^CallSideEffect : ~m?
# 1747| mu1747_12(CopyConstructorWithImplicitArgumentClass) = ^IndirectMayWriteSideEffect[-1] : &:r1747_8
# 1747| r1747_13(glval<CopyConstructorWithBitwiseCopyClass>) = ConvertToNonVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithBitwiseCopyClass] : mu1747_5
# 1747| r1747_14(glval<unknown>) = FunctionAddress[CopyConstructorWithBitwiseCopyClass] :
# 1747| v1747_15(void) = Call[CopyConstructorWithBitwiseCopyClass] : func:r1747_14, this:r1747_13
# 1747| mu1747_16(unknown) = ^CallSideEffect : ~m?
# 1747| mu1747_17(CopyConstructorWithBitwiseCopyClass) = ^IndirectMayWriteSideEffect[-1] : &:r1747_13
# 1747| v1747_18(void) = NoOp :
# 1747| v1747_19(void) = ReturnIndirection[#this] : &:r1747_6, ~m?
# 1747| v1747_20(void) = ReturnVoid :
# 1747| v1747_21(void) = AliasedUse : ~m?
# 1747| v1747_22(void) = ExitFunction :
# 1750| int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&)
# 1750| Block 0
# 1750| v1750_1(void) = EnterFunction :
# 1750| mu1750_2(unknown) = AliasedDefinition :
# 1750| mu1750_3(unknown) = InitializeNonLocal :
# 1751| r1751_1(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[x] :
# 1751| mu1751_2(CopyConstructorTestNonVirtualClass &) = InitializeParameter[x] : &:r1751_1
# 1751| r1751_3(CopyConstructorTestNonVirtualClass &) = Load[x] : &:r1751_1, ~m?
# 1751| mu1751_4(unknown) = InitializeIndirection[x] : &:r1751_3
# 1752| r1752_1(glval<CopyConstructorTestVirtualClass &>) = VariableAddress[y] :
# 1752| mu1752_2(CopyConstructorTestVirtualClass &) = InitializeParameter[y] : &:r1752_1
# 1752| r1752_3(CopyConstructorTestVirtualClass &) = Load[y] : &:r1752_1, ~m?
# 1752| mu1752_4(unknown) = InitializeIndirection[y] : &:r1752_3
# 1753| r1753_1(glval<CopyConstructorTestNonVirtualClass>) = VariableAddress[cx] :
# 1753| mu1753_2(CopyConstructorTestNonVirtualClass) = Uninitialized[cx] : &:r1753_1
# 1753| r1753_3(glval<unknown>) = FunctionAddress[CopyConstructorTestNonVirtualClass] :
# 1753| r1753_4(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[x] :
# 1753| r1753_5(CopyConstructorTestNonVirtualClass &) = Load[x] : &:r1753_4, ~m?
# 1753| r1753_6(glval<CopyConstructorTestNonVirtualClass>) = CopyValue : r1753_5
# 1753| r1753_7(CopyConstructorTestNonVirtualClass &) = CopyValue : r1753_6
# 1753| v1753_8(void) = Call[CopyConstructorTestNonVirtualClass] : func:r1753_3, this:r1753_1, 0:r1753_7
# 1753| mu1753_9(unknown) = ^CallSideEffect : ~m?
# 1753| v1753_10(void) = ^BufferReadSideEffect[0] : &:r1753_7, ~m?
# 1753| mu1753_11(CopyConstructorTestNonVirtualClass) = ^IndirectMayWriteSideEffect[-1] : &:r1753_1
# 1754| r1754_1(glval<CopyConstructorTestVirtualClass>) = VariableAddress[cy] :
# 1754| mu1754_2(CopyConstructorTestVirtualClass) = Uninitialized[cy] : &:r1754_1
# 1754| r1754_3(glval<unknown>) = FunctionAddress[CopyConstructorTestVirtualClass] :
# 1754| r1754_4(glval<CopyConstructorTestVirtualClass &>) = VariableAddress[y] :
# 1754| r1754_5(CopyConstructorTestVirtualClass &) = Load[y] : &:r1754_4, ~m?
# 1754| r1754_6(glval<CopyConstructorTestVirtualClass>) = CopyValue : r1754_5
# 1754| r1754_7(CopyConstructorTestVirtualClass &) = CopyValue : r1754_6
# 1754| v1754_8(void) = Call[CopyConstructorTestVirtualClass] : func:r1754_3, this:r1754_1, 0:r1754_7
# 1754| mu1754_9(unknown) = ^CallSideEffect : ~m?
# 1754| v1754_10(void) = ^BufferReadSideEffect[0] : &:r1754_7, ~m?
# 1754| mu1754_11(CopyConstructorTestVirtualClass) = ^IndirectMayWriteSideEffect[-1] : &:r1754_1
# 1755| v1755_1(void) = Unreached :
# 1751| Block 1
# 1751| v1751_5(void) = ReturnIndirection[x] : &:r1751_3, ~m?
# 1752| v1752_5(void) = ReturnIndirection[y] : &:r1752_3, ~m?
# 1750| r1750_4(glval<int>) = VariableAddress[#return] :
# 1750| v1750_5(void) = ReturnValue : &:r1750_4, ~m?
# 1750| v1750_6(void) = AliasedUse : ~m?
# 1750| v1750_7(void) = ExitFunction :
perf-regression.cpp:
# 6| void Big::Big()
# 6| Block 0

1
cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
View File

@@ -123,3 +123,4 @@ postWithInFlow
| misc.c:220:4:220:5 | sp [inner post update] | PostUpdateNode should not be the target of local flow. |
| static_init_templates.cpp:3:2:3:4 | ref [post update] | PostUpdateNode should not be the target of local flow. |
| static_init_templates.cpp:21:2:21:4 | val [post update] | PostUpdateNode should not be the target of local flow. |
| try_catch.cpp:7:8:7:8 | call to exception | PostUpdateNode should not be the target of local flow. |

1
csharp/downgrades/qlpack.yml
View File

@@ -1,5 +1,4 @@
name: codeql/csharp-downgrades
groups: csharp
version: 0.0.6-dev
downgrades: .
library: true

4
csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.0.7
## 1.0.6
## 1.0.5
## 1.0.4

1
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.0.6.md Normal file
View File

@@ -0,0 +1 @@
## 1.0.6

1
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.0.7.md Normal file
View File

@@ -0,0 +1 @@
## 1.0.7

2
csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.5
lastReleaseVersion: 1.0.7

4
csharp/ql/campaigns/Solorigate/lib/qlpack.yml
View File

@@ -1,8 +1,8 @@
name: codeql/csharp-solorigate-all
version: 1.0.6-dev
version: 1.1.0-dev
groups:
- csharp
- solorigate
library: true
dependencies:
codeql/csharp-all: ~0.0.3
codeql/csharp-all: "*"

4
csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.0.7
## 1.0.6
## 1.0.5
## 1.0.4

1
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.0.6.md Normal file
View File

@@ -0,0 +1 @@
## 1.0.6

1
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.0.7.md Normal file
View File

@@ -0,0 +1 @@
## 1.0.7

2
csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.5
lastReleaseVersion: 1.0.7

6
csharp/ql/campaigns/Solorigate/src/qlpack.yml
View File

@@ -1,9 +1,9 @@
name: codeql/csharp-solorigate-queries
version: 1.0.6-dev
version: 1.1.0-dev
groups:
- csharp
- solorigate
defaultSuiteFile: codeql-suites/solorigate.qls
dependencies:
codeql/csharp-all: ~0.0.3
codeql/csharp-solorigate-all: ^1.0
codeql/csharp-all: "*"
codeql/csharp-solorigate-all: "*"

21
csharp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,24 @@
## 0.0.13
## 0.0.12
### Breaking Changes
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
### Deprecated APIs
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### New Features
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
### Minor Analysis Improvements
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
## 0.0.11
### Breaking Changes

4
csharp/ql/lib/change-notes/2022-02-07-deleted-deprecations.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

5
csharp/ql/lib/change-notes/2022-02-07-deprecated-acronyms.md
View File

@@ -1,5 +0,0 @@
---
category: deprecated
---
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.

4
csharp/ql/lib/change-notes/2022-03-14-flow-state-barriers.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.

4
csharp/ql/lib/change-notes/2022-03-14-taint-interface-cleanup.md
View File

@@ -1,4 +0,0 @@
---
category: breaking
---
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.

18
csharp/ql/lib/change-notes/released/0.0.12.md Normal file
View File

@@ -0,0 +1,18 @@
## 0.0.12
### Breaking Changes
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
### Deprecated APIs
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### New Features
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
### Minor Analysis Improvements
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

1
csharp/ql/lib/change-notes/released/0.0.13.md Normal file
View File

@@ -0,0 +1 @@
## 0.0.13

2
csharp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.11
lastReleaseVersion: 0.0.13

2
csharp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.0.12-dev
version: 0.1.0-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

79
csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
View File

@@ -162,10 +162,17 @@ private predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
private predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
bindingset[input]
private predicate getKind(string input, string kind, boolean generated) {
input.splitAt(":", 0) = "generated" and kind = input.splitAt(":", 1) and generated = true
or
not input.matches("%:%") and kind = input and generated = false
}
/** Holds if a source model exists for the given parameters. */
predicate sourceModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind
string output, string kind, boolean generated
) {
exists(string row |
sourceModel(row) and
@@ -177,14 +184,14 @@ predicate sourceModel(
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = output and
row.splitAt(";", 7) = kind
exists(string k | row.splitAt(";", 7) = k and getKind(k, kind, generated))
)
}
/** Holds if a sink model exists for the given parameters. */
predicate sinkModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind
string input, string kind, boolean generated
) {
exists(string row |
sinkModel(row) and
@@ -196,14 +203,14 @@ predicate sinkModel(
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = kind
exists(string k | row.splitAt(";", 7) = k and getKind(k, kind, generated))
)
}
/** Holds if a summary model exists for the given parameters. */
predicate summaryModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind
string input, string output, string kind, boolean generated
) {
exists(string row |
summaryModel(row) and
@@ -216,14 +223,14 @@ predicate summaryModel(
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = output and
row.splitAt(";", 8) = kind
exists(string k | row.splitAt(";", 8) = k and getKind(k, kind, generated))
)
}
private predicate relevantNamespace(string namespace) {
sourceModel(namespace, _, _, _, _, _, _, _) or
sinkModel(namespace, _, _, _, _, _, _, _) or
summaryModel(namespace, _, _, _, _, _, _, _, _)
sourceModel(namespace, _, _, _, _, _, _, _, _) or
sinkModel(namespace, _, _, _, _, _, _, _, _) or
summaryModel(namespace, _, _, _, _, _, _, _, _, _)
}
private predicate namespaceLink(string shortns, string longns) {
@@ -251,25 +258,25 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
part = "source" and
n =
strictcount(string subns, string type, boolean subtypes, string name, string signature,
string ext, string output |
string ext, string output, boolean generated |
canonicalNamespaceLink(namespace, subns) and
sourceModel(subns, type, subtypes, name, signature, ext, output, kind)
sourceModel(subns, type, subtypes, name, signature, ext, output, kind, generated)
)
or
part = "sink" and
n =
strictcount(string subns, string type, boolean subtypes, string name, string signature,
string ext, string input |
string ext, string input, boolean generated |
canonicalNamespaceLink(namespace, subns) and
sinkModel(subns, type, subtypes, name, signature, ext, input, kind)
sinkModel(subns, type, subtypes, name, signature, ext, input, kind, generated)
)
or
part = "summary" and
n =
strictcount(string subns, string type, boolean subtypes, string name, string signature,
string ext, string input, string output |
string ext, string input, string output, boolean generated |
canonicalNamespaceLink(namespace, subns) and
summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind)
summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, generated)
)
)
}
@@ -279,11 +286,11 @@ module CsvValidation {
/** Holds if some row in a CSV-based flow model appears to contain typos. */
query predicate invalidModelRow(string msg) {
exists(string pred, string namespace, string type, string name, string signature, string ext |
sourceModel(namespace, type, _, name, signature, ext, _, _) and pred = "source"
sourceModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "source"
or
sinkModel(namespace, type, _, name, signature, ext, _, _) and pred = "sink"
sinkModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "sink"
or
summaryModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "summary"
summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
|
not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
msg = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
@@ -302,9 +309,9 @@ module CsvValidation {
)
or
exists(string pred, AccessPath input, string part |
sinkModel(_, _, _, _, _, _, input, _) and pred = "sink"
sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
or
summaryModel(_, _, _, _, _, _, input, _, _) and pred = "summary"
summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
|
(
invalidSpecComponent(input, part) and
@@ -319,9 +326,9 @@ module CsvValidation {
)
or
exists(string pred, string output, string part |
sourceModel(_, _, _, _, _, _, output, _) and pred = "source"
sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
or
summaryModel(_, _, _, _, _, _, _, output, _) and pred = "summary"
summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
|
invalidSpecComponent(output, part) and
not part = "" and
@@ -351,20 +358,23 @@ module CsvValidation {
)
)
or
exists(string row, string kind | summaryModel(row) |
kind = row.splitAt(";", 8) and
exists(string row, string k, string kind | summaryModel(row) |
k = row.splitAt(";", 8) and
getKind(k, kind, _) and
not kind = ["taint", "value"] and
msg = "Invalid kind \"" + kind + "\" in summary model."
)
or
exists(string row, string kind | sinkModel(row) |
kind = row.splitAt(";", 7) and
exists(string row, string k, string kind | sinkModel(row) |
k = row.splitAt(";", 7) and
getKind(k, kind, _) and
not kind = ["code", "sql", "xss", "remote", "html"] and
msg = "Invalid kind \"" + kind + "\" in sink model."
)
or
exists(string row, string kind | sourceModel(row) |
kind = row.splitAt(";", 7) and
exists(string row, string k, string kind | sourceModel(row) |
k = row.splitAt(";", 7) and
getKind(k, kind, _) and
not kind = "local" and
msg = "Invalid kind \"" + kind + "\" in source model."
)
@@ -374,9 +384,9 @@ module CsvValidation {
private predicate elementSpec(
string namespace, string type, boolean subtypes, string name, string signature, string ext
) {
sourceModel(namespace, type, subtypes, name, signature, ext, _, _) or
sinkModel(namespace, type, subtypes, name, signature, ext, _, _) or
summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _)
sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
}
private predicate elementSpec(
@@ -502,6 +512,13 @@ Element interpretElement(
)
}
/**
* Holds if `c` has a `generated` summary.
*/
predicate hasSummary(DataFlowCallable c, boolean generated) {
summaryElement(c, _, _, _, generated)
}
cached
private module Cached {
/**

22
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

22
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
View File

@@ -1158,8 +1158,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1246,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1951,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +2035,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2765,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2862,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5047,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config

23
csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
View File

@@ -806,10 +806,10 @@ module Private {
module External {
/** Holds if `spec` is a relevant external specification. */
private predicate relevantSpec(string spec) {
summaryElement(_, spec, _, _) or
summaryElement(_, _, spec, _) or
sourceElement(_, spec, _) or
sinkElement(_, spec, _)
summaryElement(_, spec, _, _, _) or
summaryElement(_, _, spec, _, _) or
sourceElement(_, spec, _, _) or
sinkElement(_, spec, _, _)
}
private class AccessPathRange extends AccessPath::Range {
@@ -875,13 +875,20 @@ module Private {
}
private class SummarizedCallableExternal extends SummarizedCallable {
SummarizedCallableExternal() { summaryElement(this, _, _, _) }
SummarizedCallableExternal() { summaryElement(this, _, _, _, _) }
private predicate relevantSummaryElement(AccessPath inSpec, AccessPath outSpec, string kind) {
summaryElement(this, inSpec, outSpec, kind, false)
or
summaryElement(this, inSpec, outSpec, kind, true) and
not summaryElement(this, _, _, _, false)
}
override predicate propagatesFlow(
SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
) {
exists(AccessPath inSpec, AccessPath outSpec, string kind |
summaryElement(this, inSpec, outSpec, kind) and
this.relevantSummaryElement(inSpec, outSpec, kind) and
interpretSpec(inSpec, input) and
interpretSpec(outSpec, output)
|
@@ -910,7 +917,7 @@ module Private {
private predicate sourceElementRef(InterpretNode ref, AccessPath output, string kind) {
exists(SourceOrSinkElement e |
sourceElement(e, output, kind) and
sourceElement(e, output, kind, _) and
if outputNeedsReference(output.getToken(0))
then e = ref.getCallTarget()
else e = ref.asElement()
@@ -919,7 +926,7 @@ module Private {
private predicate sinkElementRef(InterpretNode ref, AccessPath input, string kind) {
exists(SourceOrSinkElement e |
sinkElement(e, input, kind) and
sinkElement(e, input, kind, _) and
if inputNeedsReference(input.getToken(0))
then e = ref.getCallTarget()
else e = ref.asElement()

25
csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
View File

@@ -85,39 +85,44 @@ DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) {
/**
* Holds if an external flow summary exists for `c` with input specification
* `input`, output specification `output`, and kind `kind`.
* `input`, output specification `output`, kind `kind`, and a flag `generated`
* stating whether the summary is autogenerated.
*/
predicate summaryElement(DataFlowCallable c, string input, string output, string kind) {
predicate summaryElement(
DataFlowCallable c, string input, string output, string kind, boolean generated
) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind) and
summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, generated) and
c = interpretElement(namespace, type, subtypes, name, signature, ext)
)
}
/**
* Holds if an external source specification exists for `e` with output specification
* `output` and kind `kind`.
* `output`, kind `kind`, and a flag `generated` stating whether the source specification is
* autogenerated.
*/
predicate sourceElement(Element e, string output, string kind) {
predicate sourceElement(Element e, string output, string kind, boolean generated) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
sourceModel(namespace, type, subtypes, name, signature, ext, output, kind) and
sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, generated) and
e = interpretElement(namespace, type, subtypes, name, signature, ext)
)
}
/**
* Holds if an external sink specification exists for `n` with input specification
* `input` and kind `kind`.
* Holds if an external sink specification exists for `e` with input specification
* `input`, kind `kind` and a flag `generated` stating whether the sink specification is
* autogenerated.
*/
predicate sinkElement(Element e, string input, string kind) {
predicate sinkElement(Element e, string input, string kind, boolean generated) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
sinkModel(namespace, type, subtypes, name, signature, ext, input, kind) and
sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, generated) and
e = interpretElement(namespace, type, subtypes, name, signature, ext)
)
}

4
csharp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.0.13
## 0.0.12
## 0.0.11
### Minor Analysis Improvements

1
csharp/ql/src/change-notes/released/0.0.12.md Normal file
View File

@@ -0,0 +1 @@
## 0.0.12

1
csharp/ql/src/change-notes/released/0.0.13.md Normal file
View File

@@ -0,0 +1 @@
## 0.0.13

2
csharp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.11
lastReleaseVersion: 0.0.13

2
csharp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.0.12-dev
version: 0.1.0-dev
groups:
- csharp
- queries

13
csharp/ql/src/utils/model-generator/CaptureDiscardedSummaryModels.ql Normal file
View File

@@ -0,0 +1,13 @@
/**
* @name Capture discarded summary models.
* @description Finds summary models that are discarded as handwritten counterparts exist.
* @id csharp/utils/model-generator/discarded-summary-models
*/
private import semmle.code.csharp.dataflow.ExternalFlow
private import internal.CaptureModels
private import internal.CaptureFlow
from TargetApi api, string flow
where flow = captureFlow(api) and hasSummary(api, false)
select flow order by flow

1
csharp/ql/src/utils/model-generator/CaptureSinkModels.ql
View File

@@ -1,6 +1,7 @@
/**
* @name Capture sink models.
* @description Finds public methods that act as sinks as they flow into a a known sink.
* @kind diagnostic
* @id cs/utils/model-generator/sink-models
*/

1
csharp/ql/src/utils/model-generator/CaptureSourceModels.ql
View File

@@ -1,6 +1,7 @@
/**
* @name Capture source models.
* @description Finds APIs that act as sources as they expose already known sources.
* @kind diagnostic
* @id cs/utils/model-generator/source-models
*/

85
csharp/ql/src/utils/model-generator/CaptureSummaryModels.ql
View File

@@ -1,91 +1,14 @@
/**
* @name Capture summary models.
* @description Finds applicable summary models to be used by other queries.
* @kind diagnostic
* @id cs/utils/model-generator/summary-models
*/
private import semmle.code.csharp.dataflow.ExternalFlow
private import internal.CaptureModels
/**
* Capture fluent APIs that return `this`.
* Example of a fluent API:
* ```csharp
* public class BasicFlow {
* public BasicFlow ReturnThis(object input)
* {
* // some side effect
* return this;
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;ReturnThis;(System.Object);Argument[Qualifier];ReturnValue;value```
* Capture APIs that transfer taint from an input parameter to an output return
* value or parameter.
* Allows a sequence of read steps followed by a sequence of store steps.
*
* Examples:
*
* ```csharp
* public class BasicFlow {
* private string tainted;
*
* public String ReturnField()
* {
* return tainted;
* }
*
* public void AssignFieldToArray(object[] target)
* {
* target[0] = tainted;
* }
* }
* ```
* Captured Models:
* ```
* Summaries;BasicFlow;false;ReturnField;();Argument[Qualifier];ReturnValue;taint |
* Summaries;BasicFlow;false;AssignFieldToArray;(System.Object[]);Argument[Qualifier];Argument[0].Element;taint
* ```
*
* ```csharp
* public class BasicFlow {
* private string tainted;
*
* public void SetField(string s)
* {
* tainted = s;
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;SetField;(System.String);Argument[0];Argument[Qualifier];taint```
*
* ```csharp
* public class BasicFlow {
* public void ReturnSubstring(string s)
* {
* return s.Substring(0, 1);
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;ReturnSubstring;(System.String);Argument[0];ReturnValue;taint```
*
* ```csharp
* public class BasicFlow {
* public void AssignToArray(int data, int[] target)
* {
* target[0] = data;
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;AssignToArray;(System.Int32,System.Int32[]);Argument[0];Argument[1].Element;taint```
*/
private string captureFlow(TargetApi api) {
result = captureQualifierFlow(api) or
result = captureThroughFlow(api)
}
private import internal.CaptureFlow
from TargetApi api, string flow
where flow = captureFlow(api)
where flow = captureFlow(api) and not hasSummary(api, false)
select flow order by flow

81
csharp/ql/src/utils/model-generator/internal/CaptureFlow.qll Normal file
View File

@@ -0,0 +1,81 @@
private import CaptureModels
/**
* Capture fluent APIs that return `this`.
* Example of a fluent API:
* ```csharp
* public class BasicFlow {
* public BasicFlow ReturnThis(object input)
* {
* // some side effect
* return this;
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;ReturnThis;(System.Object);Argument[Qualifier];ReturnValue;value```
* Capture APIs that transfer taint from an input parameter to an output return
* value or parameter.
* Allows a sequence of read steps followed by a sequence of store steps.
*
* Examples:
*
* ```csharp
* public class BasicFlow {
* private string tainted;
*
* public String ReturnField()
* {
* return tainted;
* }
*
* public void AssignFieldToArray(object[] target)
* {
* target[0] = tainted;
* }
* }
* ```
* Captured Models:
* ```
* Summaries;BasicFlow;false;ReturnField;();Argument[Qualifier];ReturnValue;taint |
* Summaries;BasicFlow;false;AssignFieldToArray;(System.Object[]);Argument[Qualifier];Argument[0].Element;taint
* ```
*
* ```csharp
* public class BasicFlow {
* private string tainted;
*
* public void SetField(string s)
* {
* tainted = s;
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;SetField;(System.String);Argument[0];Argument[Qualifier];taint```
*
* ```csharp
* public class BasicFlow {
* public void ReturnSubstring(string s)
* {
* return s.Substring(0, 1);
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;ReturnSubstring;(System.String);Argument[0];ReturnValue;taint```
*
* ```csharp
* public class BasicFlow {
* public void AssignToArray(int data, int[] target)
* {
* target[0] = data;
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;AssignToArray;(System.Int32,System.Int32[]);Argument[0];Argument[1].Element;taint```
*/
string captureFlow(TargetApi api) {
result = captureQualifierFlow(api) or
result = captureThroughFlow(api)
}

6
csharp/ql/src/utils/model-generator/internal/CaptureModels.qll
View File

@@ -44,7 +44,7 @@ private string asSummaryModel(TargetApi api, string input, string output, string
result =
asPartialModel(api) + input + ";" //
+ output + ";" //
+ kind
+ "generated:" + kind
}
/**
@@ -68,7 +68,7 @@ private string asTaintModel(TargetApi api, string input, string output) {
*/
bindingset[input, kind]
private string asSinkModel(TargetApi api, string input, string kind) {
result = asPartialModel(api) + input + ";" + kind
result = asPartialModel(api) + input + ";" + "generated:" + kind
}
/**
@@ -76,7 +76,7 @@ private string asSinkModel(TargetApi api, string input, string kind) {
*/
bindingset[output, kind]
private string asSourceModel(TargetApi api, string output, string kind) {
result = asPartialModel(api) + output + ";" + kind
result = asPartialModel(api) + output + ";" + "generated:" + kind
}
/**

35
csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs
View File

@@ -169,4 +169,39 @@ namespace My.Qltest
set { throw null; }
}
}
public class G
{
void M1()
{
var o = new object();
Sink(GeneratedFlow(o));
}
void M2()
{
var o1 = new object();
Sink(GeneratedFlowArgs(o1, null));
var o2 = new object();
Sink(GeneratedFlowArgs(null, o2));
}
void M3()
{
var o1 = new object();
Sink(MixedFlowArgs(o1, null));
var o2 = new object();
Sink(MixedFlowArgs(null, o2));
}
object GeneratedFlow(object o) => throw null;
object GeneratedFlowArgs(object o1, object o2) => throw null;
object MixedFlowArgs(object o1, object o2) => throw null;
static void Sink(object o) { }
}
}

24
csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected
View File

@@ -56,6 +56,14 @@ edges
| ExternalFlow.cs:111:13:111:13 | [post] access to local variable f [field MyField] : Object | ExternalFlow.cs:112:18:112:18 | access to local variable f [field MyField] : Object |
| ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:111:13:111:13 | [post] access to local variable f [field MyField] : Object |
| ExternalFlow.cs:112:18:112:18 | access to local variable f [field MyField] : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp |
| ExternalFlow.cs:177:21:177:32 | object creation of type Object : Object | ExternalFlow.cs:178:32:178:32 | access to local variable o : Object |
| ExternalFlow.cs:178:32:178:32 | access to local variable o : Object | ExternalFlow.cs:178:18:178:33 | call to method GeneratedFlow |
| ExternalFlow.cs:183:22:183:33 | object creation of type Object : Object | ExternalFlow.cs:184:36:184:37 | access to local variable o1 : Object |
| ExternalFlow.cs:184:36:184:37 | access to local variable o1 : Object | ExternalFlow.cs:184:18:184:44 | call to method GeneratedFlowArgs |
| ExternalFlow.cs:186:22:186:33 | object creation of type Object : Object | ExternalFlow.cs:187:42:187:43 | access to local variable o2 : Object |
| ExternalFlow.cs:187:42:187:43 | access to local variable o2 : Object | ExternalFlow.cs:187:18:187:44 | call to method GeneratedFlowArgs |
| ExternalFlow.cs:195:22:195:33 | object creation of type Object : Object | ExternalFlow.cs:196:38:196:39 | access to local variable o2 : Object |
| ExternalFlow.cs:196:38:196:39 | access to local variable o2 : Object | ExternalFlow.cs:196:18:196:40 | call to method MixedFlowArgs |
nodes
| ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | semmle.label | call to method StepArgRes |
@@ -130,6 +138,18 @@ nodes
| ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:112:18:112:18 | access to local variable f [field MyField] : Object | semmle.label | access to local variable f [field MyField] : Object |
| ExternalFlow.cs:112:18:112:25 | access to property MyProp | semmle.label | access to property MyProp |
| ExternalFlow.cs:177:21:177:32 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:178:18:178:33 | call to method GeneratedFlow | semmle.label | call to method GeneratedFlow |
| ExternalFlow.cs:178:32:178:32 | access to local variable o : Object | semmle.label | access to local variable o : Object |
| ExternalFlow.cs:183:22:183:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:184:18:184:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
| ExternalFlow.cs:184:36:184:37 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
| ExternalFlow.cs:186:22:186:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:187:18:187:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
| ExternalFlow.cs:187:42:187:43 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
| ExternalFlow.cs:195:22:195:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:196:18:196:40 | call to method MixedFlowArgs | semmle.label | call to method MixedFlowArgs |
| ExternalFlow.cs:196:38:196:39 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
subpaths
invalidModelRow
#select
@@ -152,3 +172,7 @@ invalidModelRow
| ExternalFlow.cs:102:22:102:22 | access to parameter d | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:104:18:104:25 | access to field Field | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:112:18:112:25 | access to property MyProp | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp | $@ | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:178:18:178:33 | call to method GeneratedFlow | ExternalFlow.cs:177:21:177:32 | object creation of type Object : Object | ExternalFlow.cs:178:18:178:33 | call to method GeneratedFlow | $@ | ExternalFlow.cs:177:21:177:32 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:184:18:184:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:183:22:183:33 | object creation of type Object : Object | ExternalFlow.cs:184:18:184:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:183:22:183:33 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:187:18:187:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:186:22:186:33 | object creation of type Object : Object | ExternalFlow.cs:187:18:187:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:186:22:186:33 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:196:18:196:40 | call to method MixedFlowArgs | ExternalFlow.cs:195:22:195:33 | object creation of type Object : Object | ExternalFlow.cs:196:18:196:40 | call to method MixedFlowArgs | $@ | ExternalFlow.cs:195:22:195:33 | object creation of type Object : Object | object creation of type Object : Object |

7
csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ql
View File

@@ -30,7 +30,12 @@ class SummaryModelTest extends SummaryModelCsv {
"My.Qltest;D;false;Map<,>;(S[],System.Func<S,T>);;Argument[1].ReturnValue;ReturnValue.Element;value",
"My.Qltest;D;false;Parse;(System.String,System.Int32);;Argument[0];Argument[1];taint",
"My.Qltest;E;true;get_MyProp;();;Argument[Qualifier].Field[My.Qltest.E.MyField];ReturnValue;value",
"My.Qltest;E;true;set_MyProp;(System.Object);;Argument[0];Argument[Qualifier].Field[My.Qltest.E.MyField];value"
"My.Qltest;E;true;set_MyProp;(System.Object);;Argument[0];Argument[Qualifier].Field[My.Qltest.E.MyField];value",
"My.Qltest;G;false;GeneratedFlow;(System.Object);;Argument[0];ReturnValue;generated:value",
"My.Qltest;G;false;GeneratedFlowArgs;(System.Object,System.Object);;Argument[0];ReturnValue;generated:value",
"My.Qltest;G;false;GeneratedFlowArgs;(System.Object,System.Object);;Argument[1];ReturnValue;generated:value",
"My.Qltest;G;false;MixedFlowArgs;(System.Object,System.Object);;Argument[0];ReturnValue;generated:value",
"My.Qltest;G;false;MixedFlowArgs;(System.Object,System.Object);;Argument[1];ReturnValue;value",
]
}
}

8
csharp/ql/test/utils/model-generator/CaptureSinkModels.expected
View File

@@ -1,4 +1,4 @@
| Sinks;NewSinks;false;WrapFieldResponseWriteFile;();;Argument[Qualifier];html |
| Sinks;NewSinks;false;WrapPropResponseWriteFile;();;Argument[Qualifier];html |
| Sinks;NewSinks;false;WrapResponseWrite;(System.Object);;Argument[0];html |
| Sinks;NewSinks;false;WrapResponseWriteFile;(System.String);;Argument[0];html |
| Sinks;NewSinks;false;WrapFieldResponseWriteFile;();;Argument[Qualifier];generated:html |
| Sinks;NewSinks;false;WrapPropResponseWriteFile;();;Argument[Qualifier];generated:html |
| Sinks;NewSinks;false;WrapResponseWrite;(System.Object);;Argument[0];generated:html |
| Sinks;NewSinks;false;WrapResponseWriteFile;(System.String);;Argument[0];generated:html |

6
csharp/ql/test/utils/model-generator/CaptureSourceModels.expected
View File

@@ -1,3 +1,3 @@
| Sources;NewSources;false;WrapConsoleReadKey;();;ReturnValue;local |
| Sources;NewSources;false;WrapConsoleReadLine;();;ReturnValue;local |
| Sources;NewSources;false;WrapConsoleReadLineAndProcees;(System.String);;ReturnValue;local |
| Sources;NewSources;false;WrapConsoleReadKey;();;ReturnValue;generated:local |
| Sources;NewSources;false;WrapConsoleReadLine;();;ReturnValue;generated:local |
| Sources;NewSources;false;WrapConsoleReadLineAndProcees;(System.String);;ReturnValue;generated:local |

66
csharp/ql/test/utils/model-generator/CaptureSummaryModels.expected
View File

@@ -1,33 +1,33 @@
| NoSummaries;PublicClassFlow;false;PublicReturn;(System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;BaseClassFlow;true;ReturnParam;(System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnField;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnParam0;(System.String,System.Object);;Argument[0];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnParam1;(System.String,System.Object);;Argument[1];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnParamMultiple;(System.Object,System.Object);;Argument[0];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnParamMultiple;(System.Object,System.Object);;Argument[1];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnSubstring;(System.String);;Argument[0];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnThis;(System.Object);;Argument[Qualifier];ReturnValue;value |
| Summaries;BasicFlow;false;SetField;(System.String);;Argument[0];Argument[Qualifier];taint |
| Summaries;CollectionFlow;false;AddFieldToList;(System.Collections.Generic.List<System.String>);;Argument[Qualifier];Argument[0].Element;taint |
| Summaries;CollectionFlow;false;AddToList;(System.Collections.Generic.List<System.Object>,System.Object);;Argument[1];Argument[0].Element;taint |
| Summaries;CollectionFlow;false;AssignFieldToArray;(System.Object[]);;Argument[Qualifier];Argument[0].Element;taint |
| Summaries;CollectionFlow;false;AssignToArray;(System.Int32,System.Int32[]);;Argument[0];Argument[1].Element;taint |
| Summaries;CollectionFlow;false;ReturnArrayElement;(System.Int32[]);;Argument[0].Element;ReturnValue;taint |
| Summaries;CollectionFlow;false;ReturnFieldInAList;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;CollectionFlow;false;ReturnListElement;(System.Collections.Generic.List<System.Object>);;Argument[0].Element;ReturnValue;taint |
| Summaries;DerivedClass1Flow;false;ReturnParam1;(System.Int32,System.Int32);;Argument[1];ReturnValue;taint |
| Summaries;DerivedClass2Flow;false;ReturnParam0;(System.Int32,System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;DerivedClass2Flow;false;ReturnParam;(System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;EqualsGetHashCodeNoFlow;false;Equals;(System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;GenericFlow<>;false;AddFieldToGenericList;(System.Collections.Generic.List<T>);;Argument[Qualifier];Argument[0].Element;taint |
| Summaries;GenericFlow<>;false;AddToGenericList<>;(System.Collections.Generic.List<S>,S);;Argument[1];Argument[0].Element;taint |
| Summaries;GenericFlow<>;false;ReturnFieldInGenericList;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;GenericFlow<>;false;ReturnGenericElement<>;(System.Collections.Generic.List<S>);;Argument[0].Element;ReturnValue;taint |
| Summaries;GenericFlow<>;false;ReturnGenericField;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;GenericFlow<>;false;ReturnGenericParam<>;(S);;Argument[0];ReturnValue;taint |
| Summaries;GenericFlow<>;false;SetGenericField;(T);;Argument[0];Argument[Qualifier];taint |
| Summaries;IEnumerableFlow;false;ReturnFieldInIEnumerable;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;IEnumerableFlow;false;ReturnIEnumerable;(System.Collections.Generic.IEnumerable<System.String>);;Argument[0].Element;ReturnValue;taint |
| Summaries;IEnumerableFlow;false;ReturnIEnumerableElement;(System.Collections.Generic.IEnumerable<System.Object>);;Argument[0].Element;ReturnValue;taint |
| Summaries;OperatorFlow;false;OperatorFlow;(System.Object);;Argument[0];Argument[Qualifier];taint |
| Summaries;OperatorFlow;false;op_Addition;(Summaries.OperatorFlow,Summaries.OperatorFlow);;Argument[0];ReturnValue;taint |
| NoSummaries;PublicClassFlow;false;PublicReturn;(System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;BaseClassFlow;true;ReturnParam;(System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnField;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnParam0;(System.String,System.Object);;Argument[0];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnParam1;(System.String,System.Object);;Argument[1];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnParamMultiple;(System.Object,System.Object);;Argument[0];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnParamMultiple;(System.Object,System.Object);;Argument[1];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnSubstring;(System.String);;Argument[0];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnThis;(System.Object);;Argument[Qualifier];ReturnValue;generated:value |
| Summaries;BasicFlow;false;SetField;(System.String);;Argument[0];Argument[Qualifier];generated:taint |
| Summaries;CollectionFlow;false;AddFieldToList;(System.Collections.Generic.List<System.String>);;Argument[Qualifier];Argument[0].Element;generated:taint |
| Summaries;CollectionFlow;false;AddToList;(System.Collections.Generic.List<System.Object>,System.Object);;Argument[1];Argument[0].Element;generated:taint |
| Summaries;CollectionFlow;false;AssignFieldToArray;(System.Object[]);;Argument[Qualifier];Argument[0].Element;generated:taint |
| Summaries;CollectionFlow;false;AssignToArray;(System.Int32,System.Int32[]);;Argument[0];Argument[1].Element;generated:taint |
| Summaries;CollectionFlow;false;ReturnArrayElement;(System.Int32[]);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;CollectionFlow;false;ReturnFieldInAList;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;CollectionFlow;false;ReturnListElement;(System.Collections.Generic.List<System.Object>);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;DerivedClass1Flow;false;ReturnParam1;(System.Int32,System.Int32);;Argument[1];ReturnValue;generated:taint |
| Summaries;DerivedClass2Flow;false;ReturnParam0;(System.Int32,System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;DerivedClass2Flow;false;ReturnParam;(System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;EqualsGetHashCodeNoFlow;false;Equals;(System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;AddFieldToGenericList;(System.Collections.Generic.List<T>);;Argument[Qualifier];Argument[0].Element;generated:taint |
| Summaries;GenericFlow<>;false;AddToGenericList<>;(System.Collections.Generic.List<S>,S);;Argument[1];Argument[0].Element;generated:taint |
| Summaries;GenericFlow<>;false;ReturnFieldInGenericList;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;ReturnGenericElement<>;(System.Collections.Generic.List<S>);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;ReturnGenericField;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;ReturnGenericParam<>;(S);;Argument[0];ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;SetGenericField;(T);;Argument[0];Argument[Qualifier];generated:taint |
| Summaries;IEnumerableFlow;false;ReturnFieldInIEnumerable;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;IEnumerableFlow;false;ReturnIEnumerable;(System.Collections.Generic.IEnumerable<System.String>);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;IEnumerableFlow;false;ReturnIEnumerableElement;(System.Collections.Generic.IEnumerable<System.Object>);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;OperatorFlow;false;OperatorFlow;(System.Object);;Argument[0];Argument[Qualifier];generated:taint |
| Summaries;OperatorFlow;false;op_Addition;(Summaries.OperatorFlow,Summaries.OperatorFlow);;Argument[0];ReturnValue;generated:taint |

5
defs.bzl Normal file
View File

@@ -0,0 +1,5 @@
codeql_platform = select({
"@platforms//os:linux": "linux64",
"@platforms//os:macos": "osx64",
"@platforms//os:windows": "win64",
})

47
docs/codeql/ql-language-reference/formulas.rst
View File

@@ -100,12 +100,12 @@ As a consequence, ``A != B`` has a very different meaning to the :ref:`negation
- ``1 = [1 .. 2]`` holds, because ``1 = 1``.
- ``not 1 = [1 .. 2]`` doesn't hold, because there is a common value (``1``).
#. Compare ``1`` and ``none()`` (the "empty set"):
- ``1 != none()`` doesn't hold, because there are no values in ``none()``, so no values
#. Compare ``1`` and ``int empty() { none() }`` (a predicate defining the empty set of integers):
- ``1 != empty()`` doesn't hold, because there are no values in ``empty()``, so no values
that are not equal to ``1``.
- ``1 = none()`` also doesn't hold, because there are no values in ``none()``, so no values
- ``1 = empty()`` also doesn't hold, because there are no values in ``empty()``, so no values
that are equal to ``1``.
- ``not 1 = none()`` holds, because there are no common values.
- ``not 1 = empty()`` holds, because there are no common values.
.. index:: instanceof
.. _type-checks:
@@ -295,9 +295,48 @@ necessary, since they highlight the default precedence. You usually only add par
override the default precedence, but you can also add them to make your code easier to read
(even if they aren't required).
QL also has two nullary connectives indicating the always true formula,
``any()``, and the always false formula, ``none()``.
The logical connectives in QL work similarly to Boolean connectives in other programming
languages. Here is a brief overview:
.. index:: any, true
.. _true:
``any()``
=========
The built-in predicate ``any()`` is a formula that always holds.
**Example**
The following predicate defines the set of all expressions.
.. code-block:: ql
Expr allExpressions() {
any()
}
.. index:: none, false
.. _false:
``none()``
==========
The built-in predicate ``none()`` is a formula that never holds.
**Example**
The following predicate defines the empty set of integers.
.. code-block:: ql
int emptySet() {
none()
}
.. index:: not, negation
.. _negation:

24
docs/codeql/ql-language-reference/types.rst
View File

@@ -387,26 +387,26 @@ from ``OneTwoThree`` and ``int``.
Non-extending subtypes
======================
Besides extending base types, classes can also declare `instanceof` relationships with other types.
Declaring a class as `instanceof Foo` is roughly equivalent to saying `this instanceof Foo` in the characteristic predicate.
The main differences are that you can call methods on Bar via `super` and you can get better optimisation.
Besides extending base types, classes can also declare ``instanceof`` relationships with other types.
Declaring a class as ``instanceof Foo`` is roughly equivalent to saying ``this instanceof Foo`` in the characteristic predicate.
The main differences are that you can call methods on ``Bar`` via ``super`` and you can get better optimisation.
.. code-block:: ql
class Foo extends int {
Foo() { this in [1 .. 10] }
string foo_method() { result = "foo" }
string fooMethod() { result = "foo" }
}
class Bar instanceof Foo {
string toString() { result = super.foo_method() }
string toString() { result = super.fooMethod() }
}
In this example, the characteristic predicate from `Foo` also applies to `Bar`.
However, `foo_method` is not exposed in `Bar`, so the query `select any(Bar b).foo_method()`
In this example, the characteristic predicate from ``Foo`` also applies to ``Bar``.
However, ``fooMethod`` is not exposed in ``Bar``, so the query ``select any(Bar b).fooMethod()``
results in a compile time error. Note from the example that it is still possible to access
methods from instanceof supertypes from within the specialising class with the `super` keyword.
methods from instanceof supertypes from within the specialising class with the ``super`` keyword.
Crucially, the instanceof **supertypes** are not **base types**.
This means that these supertypes do not participate in overriding, and any fields of such
@@ -430,10 +430,10 @@ The following example demonstrates this.
override string foo() { result = "bar" }
}
Here, the method `Bar::foo` does not override `Foo::foo`.
Instead, it overrides only `Interface::foo`.
This means that `select any(Foo f).foo()` yields only `foo`.
Had `Bar` been defined as `extends Foo`, then `select any(Foo b)` would yield `bar`.
Here, the method ``Bar::foo`` does not override ``Foo::foo``.
Instead, it overrides only ``Interface::foo``.
This means that ``select any(Foo f).foo()`` yields ``foo``.
Had ``Bar`` been defined as ``extends Foo``, then ``select any(Foo f).foo()`` would yield ``bar``.
.. _character-types:
.. _domain-types:

25
java/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,28 @@
## 0.0.13
## 0.0.12
### Breaking Changes
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
### Deprecated APIs
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### New Features
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
### Minor Analysis Improvements
* Added new guards `IsWindowsGuard`, `IsSpecificWindowsVariant`, `IsUnixGuard`, and `IsSpecificUnixVariant` to detect OS specific guards.
* Added a new predicate `getSystemProperty` that gets all expressions that retrieve system properties from a variety of sources (eg. alternative JDK API's, Google Guava, Apache Commons, Apache IO, etc.).
* Added support for detection of SSRF via JDBC database URLs, including connections made using the standard library (`java.sql`), Hikari Connection Pool, JDBI and Spring JDBC.
* Re-removed support for `CharacterLiteral` from `CompileTimeConstantExpr.getStringValue()` to restore the convention that that predicate only applies to `String`-typed constants.
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
## 0.0.11
### New Features

4
java/ql/lib/change-notes/2022-02-07-deleted-deprecations.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

5
java/ql/lib/change-notes/2022-02-07-deprecated-acronyms.md
View File

@@ -1,5 +0,0 @@
---
category: deprecated
---
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.

4
java/ql/lib/change-notes/2022-03-11-revert-8325.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Re-removed support for `CharacterLiteral` from `CompileTimeConstantExpr.getStringValue()` to restore the convention that that predicate only applies to `String`-typed constants.

4
java/ql/lib/change-notes/2022-03-14-flow-state-barriers.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.

4
java/ql/lib/change-notes/2022-03-14-new-jdbc-ssrf-sinks.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for detection of SSRF via JDBC database URLs, including connections made using the standard library (`java.sql`), Hikari Connection Pool, JDBI and Spring JDBC.

Some files were not shown because too many files have changed in this diff Show More