hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
11,841 Commits 1,671 Branches 157 Tags
merge-rc/1.24
Commit Graph

3597 Commits

Author SHA1 Message Date
Mathias Vorreiter Pedersen
525a00098e C++: Address review comments 2020-03-09 22:16:05 +01:00
Dave Bartolomeo
9fae2faaeb Merge pull request #2994 from jbj/IRSanity-separate-file 
C++: Move InstructionSanity out of Instruction.qll
 2020-03-09 16:34:36 -04:00
Mathias Vorreiter Pedersen
6dee7061a0 C++: Handle constant variable accesses in SimpleRangeAnalysis.qll 2020-03-09 15:44:32 +01:00
Tom Hvitved
6a10516c1e Merge pull request #3021 from aschackmull/dataflow/partial-path-perf 
Java/C++/C#: Fix performance issue in partial paths exploration.
 2020-03-09 15:04:33 +01:00
Anders Schack-Mulligen
a2bbacf58d Java/C++/C#: Fix performance issue in partial paths exploration. 2020-03-09 11:30:59 +01:00
Anders Schack-Mulligen
f491fcd5ae Java/C++/C#: Sync. 2020-03-09 11:05:13 +01:00
Ted Reed
a425e5fb5c Reduce false positives with small heuristics 2020-03-06 23:12:16 -05:00
Jonas Jensen
0cd3eb7b7e C++: Accept test changes 
Some IR inconsistencies are "fixed" because we no longer translate
constant initializers of static locals.
 2020-03-06 20:20:47 +01:00
Jonas Jensen
cc38abd228 C++: Ignore constant static initializers 2020-03-06 15:05:28 +01:00
Jonas Jensen
02f0b89a0d C++: Test for constant static initializer 2020-03-06 15:05:28 +01:00
Jonas Jensen
a13f355a85 C++: autoformat fixup 2020-03-06 08:29:46 +01:00
Ted Reed
8e1a7fef30 CPP: Add query for CWE-273 that detects out-of-order setuid 2020-03-05 14:21:32 -05:00
Jonas Jensen
e29f517af2 C++: Move InstructionSanity out of Instruction.qll 
Having that module in `Instruction.qll` slowed down the parsing of that
file both humans and the compiler.

This commit moves the `InstructionSanity` module to `IRSanity.qll`
without making any changes to its contents apart from adding some
imports.
 2020-03-05 12:11:50 +01:00
Robert Marsh
d9d6960110 Merge pull request #2985 from MathiasVP/bounded-uncontrolled-alloc-size 
C++: Add testcase for cpp/uncontrolled-allocation-size
 2020-03-04 10:00:43 -08:00
Robert Marsh
80ec5c11b3 Merge pull request #2983 from jbj/definitionReachesRank-perf 
C++: IR: faster definitionReachesRank
 2020-03-04 09:57:06 -08:00
Mathias Vorreiter Pedersen
3973a50c9b C++: Add testcase for cpp/uncontrolled-allocation-size 2020-03-04 15:51:14 +01:00
Jonas Jensen
6b2fd17f03 C++: IR: faster definitionReachesRank 
On Wireshark with 6GB RAM, I've observed `definitionReachesRank` to be
the slowest predicate in the IR. It seems that the implementation was
slow because the optimizer failed to eliminate the common
`reachesRank - 1` subexpression. This led to context being pushed into
the `not`, which got implemented as `MATERIALIZE`. That wouldn't
normally be a disaster, but this is one of the largest predicates in the
IR SSA construction, and iteration 2 was very slow.

Before:

    (1505s) Starting to evaluate predicate SSAConstruction::DefUse::definitionReachesRank#ffff#cur_delta/4[1]@93f592 (iteration 1)
    (1535s) Tuple counts for SSAConstruction::DefUse::definitionReachesRank#ffff#cur_delta:
    130670697 ~0%     {4} r1 = SCAN project#SSAConstruction::DefUse::hasDefinitionAtRank#fffff AS I OUTPUT I.<0>, I.<1>, I.<2>, (I.<2> + 1)
    130670697 ~6%     {5} r2 = JOIN r1 WITH SSAConstruction::DefUse::exitRank#fff AS R ON FIRST 2 OUTPUT r1.<0>, r1.<1>, r1.<2>, r1.<3>, R.<2>
    130670697 ~6%     {5} r3 = SELECT r2 ON r2.<3> <= r2.<4>
    130670697 ~0%     {4} r4 = SCAN r3 OUTPUT r3.<0>, r3.<1>, r3.<2>, r3.<3>
                      return r4
    (1535s) 			 - SSAConstruction::DefUse::definitionReachesRank#ffff_delta has 130670697 rows (order for disjuncts: delta=<standard>).

    (1535s) Starting to evaluate predicate SSAConstruction::DefUse::definitionReachesRank#ffff#cur_delta/4[2]@866c14 (iteration 2)
    (1626s) Tuple counts for SSAConstruction::DefUse::definitionReachesRank#ffff#cur_delta:
    261341394 ~107%     {4} r1 = JOIN SSAConstruction::DefUse::definitionReachesRank#ffff#prev_delta AS L WITH SSAConstruction::DefUse::definitionReachesRank#ffff#join_rhs AS R ON FIRST 3 OUTPUT R.<0>, R.<1>, R.<2>, (1 + L.<3>)
    261341394 ~107%     {4} r2 = r1 AND NOT SSAConstruction::DefUse::definitionReachesRank#ffff#prev AS R(r1.<0>, r1.<1>, r1.<2>, r1.<3>)
    130670697 ~0%       {5} r3 = SCAN r2 OUTPUT r2.<0>, r2.<1>, (r2.<3> - 1), r2.<2>, r2.<3>
    106034590 ~1%       {4} r4 = JOIN r3 WITH project#SSAConstruction::DefUse::hasDefinitionAtRank#fffff AS R ON FIRST 3 OUTPUT r3.<0>, r3.<1>, r3.<3>, r3.<4>
    106034590           {4} r5 = MATERIALIZE r4 AS antijoin_rhs
    24636107  ~3%       {4} r6 = r2 AND NOT r5(r2.<0>, r2.<1>, r2.<2>, r2.<3>)
    24636107  ~0%       {5} r7 = JOIN r6 WITH SSAConstruction::DefUse::exitRank#fff AS R ON FIRST 2 OUTPUT r6.<0>, r6.<1>, r6.<2>, r6.<3>, R.<2>
    2749441   ~0%       {5} r8 = SELECT r7 ON r7.<3> <= r7.<4>
    2749441   ~4%       {4} r9 = SCAN r8 OUTPUT r8.<0>, r8.<1>, r8.<2>, r8.<3>
                        return r9
    (1626s) 			 - SSAConstruction::DefUse::definitionReachesRank#ffff_delta has 2749441 rows (order for disjuncts: delta=<standard>).

After:

    (12s) Tuple counts for SSAConstruction::DefUse::definitionReachesRank#ffff#cur_delta:
    130670697 ~0%     {4} r1 = SCAN project#SSAConstruction::DefUse::hasDefinitionAtRank#fffff AS I OUTPUT I.<0>, I.<1>, I.<2>, (I.<2> + 1)
                      return r1
    (12s) 			 - SSAConstruction::DefUse::definitionReachesRank#ffff_delta has 130670697 rows (order for disjuncts: delta=<standard>).
    (12s) Starting to evaluate predicate SSAConstruction::DefUse::definitionReachesRank#ffff#cur_delta/4[2]@fff64c (iteration 2)
    (34s) Tuple counts for SSAConstruction::DefUse::definitionReachesRank#ffff#cur_delta:
    108784031 ~0%     {4} r1 = SSAConstruction::DefUse::definitionReachesRank#ffff#prev_delta AS L AND NOT SSAConstruction::DefUse::exitRank#fff AS R(L.<0>, L.<1>, L.<3>)
    2749441   ~5%     {4} r2 = r1 AND NOT project#SSAConstruction::DefUse::hasDefinitionAtRank#fffff AS R(r1.<0>, r1.<1>, r1.<3>)
    2749441   ~4%     {4} r3 = SCAN r2 OUTPUT r2.<0>, r2.<1>, r2.<2>, (r2.<3> + 1)
    2749441   ~4%     {4} r4 = r3 AND NOT SSAConstruction::DefUse::definitionReachesRank#ffff#prev AS R(r3.<0>, r3.<1>, r3.<2>, r3.<3>)
                      return r4
    (34s) 			 - SSAConstruction::DefUse::definitionReachesRank#ffff_delta has 2749441 rows (order for disjuncts: delta=<standard>).

Note that the row counts are exactly the same before and after.
 2020-03-04 15:00:47 +01:00
Mathias Vorreiter Pedersen
bbcf0b52df Merge pull request #2941 from jbj/Overflow-stmtDominates 
C++: Avoid `iDominates*` in Overflow.qll
 2020-03-04 12:40:52 +01:00
Mathias Vorreiter Pedersen
b20afa6370 Merge pull request #2979 from jbj/GVN-noinline 
C++: pragma[noinline] on GVN charpred
 2020-03-04 12:19:27 +01:00
Jonas Jensen
60bcbf477a C++: pragma[noinline] on GVN charpred 
The charpred of class `GVN` in `ASTValueNumbering.qll` got inlined into
the member predicate `getAnInstruction` and caused a tuple explosion on
Wireshark in the query `StrncpyFlippedArgs.ql`.

I interrupted the predicate after 10 minutes and got these intermediate
tuple counts:

    (5208s) Tuple counts for ASTValueNumbering::GVN::getAnInstruction_dispred#ff:
    8754900909 ~5%          {3} r1 = JOIN ValueNumberingInternal::tvalueNumber#ff_10#join_rhs AS L WITH ValueNumberingInternal::tvalueNumber#ff_10#join_rhs AS R ON FIRST 1 OUTPUT R.<1>, L.<1>, L.<0>
    4390274632 ~150085%     {2} r2 = JOIN r1 WITH project#SSAConstruction::Cached::getInstructionUnconvertedResultExpression AS R ON FIRST 1 OUTPUT r1.<2>, r1.<1>
                            return r2

After this change, the `getAnInstruction` predicate is itself inlined,
like it should be. The new non-inlined charpred takes 2.1s and has these
tuple counts:

    (2s) Tuple counts for ASTValueNumbering::GVN#f:
    9158442  ~117%     {1} r1 = JOIN project#SSAConstruction::Cached::getInstructionUnconvertedResultExpression AS L WITH ValueNumberingInternal::tvalueNumber#ff@staged_ext AS R ON FIRST 1 OUTPUT R.<1>
                       return r1
 2020-03-04 10:34:05 +01:00
Robert Marsh
1e3419fd60 C++/C#: generate IR for funcs excluded in PrintIR 
Previously, functions excluded from PrintIR would not have IR
generated. This sometimes affected escacpe analysis of functions that
were printed.
 2020-03-03 14:34:08 -08:00
Nick Rolfe
c2db3d7984 Merge pull request #2968 from igfoo/unused_types 
C++: Update tests following extractor no longer extracting some unused types
 2020-03-03 16:03:40 +00:00
Jonas Jensen
30b43b9322 C++: Tests for variables with ambiguous types 2020-03-03 14:45:04 +01:00
Jonas Jensen
88c74b2a4b Merge pull request #2917 from MathiasVP/inexact-is-chi-for-all-aliased-memory 
C++: `isChiForAllAliasedMemory` recursion through inexact Phi operands
 2020-03-03 14:25:49 +01:00
Jonas Jensen
4f23acf080 Merge pull request #2957 from MathiasVP/dataflow-dispatch-same-num-args 
C++: Only return functions that match arguments in DataFlowDispatch::viableCallable
 2020-03-03 14:19:26 +01:00
Ian Lynagh
5b0cb10f9b C++: Update tests following extractor no longer extracting some unused types 2020-03-03 01:30:18 +00:00
Mathias Vorreiter Pedersen
0b082a4089 C++: Only do argument check for 2020-03-02 16:22:05 +01:00
Jonas Jensen
76066afe6a C++: Add getCanonicalQLClass overrides in Variable 2020-03-02 13:49:12 +01:00
Mathias Vorreiter Pedersen
9df7a7a87e Merge branch 'master' into inexact-is-chi-for-all-aliased-memory 2020-03-02 12:34:24 +01:00
Mathias Vorreiter Pedersen
20529b4436 C++/C#: Sync identical files 2020-03-02 12:15:54 +01:00
Mathias Vorreiter Pedersen
14d836ba59 C++: should only match those functions that has the same number of parameters as the call has arguments. 2020-03-02 12:15:28 +01:00
Mathias Vorreiter Pedersen
3a3aa75121 Merge pull request #2935 from jbj/MissingEnumCaseInSwitch-perf 
C++: Optimize EnumSwitch.getAMissingCase
 2020-03-02 10:32:44 +01:00
Jonas Jensen
dab6691eb0 Merge pull request #2900 from dbartol/dbartol/void-buffer 
C++: Better fix for `void` type on buffer access
 2020-03-02 09:00:15 +01:00
Jonas Jensen
ec85f9f1a1 Merge pull request #2797 from rdmarsh2/rdmarsh/cpp/malloc-alias-locations 
C++: Support dynamic memory allocations in IR alias analysis
 2020-03-02 08:49:59 +01:00
Jonas Jensen
30b5db3b7f C++: autoformat fixup 2020-03-02 08:48:54 +01:00
Jonas Jensen
bbc57878dd C++: Performance fix for large basic blocks 
The code is now quadratic in the number of statements in a basic block,
whereas before it was quadratic in the number of _control-flow nodes_ in
a basic block.
 2020-03-02 08:46:58 +01:00
Robert Marsh
28ee756c6a Merge pull request #2934 from geoffw0/add_tests 
C++: Test and typos.
 2020-02-28 15:12:32 -08:00
Geoffrey White
82191102d9 Merge pull request #2930 from jbj/getUnconverted 
C++: Add Expr.getUnconverted predicate
 2020-02-28 14:25:36 +00:00
Jonas Jensen
dfe1a7e2f0 C++: Avoid iDominates* in Overflow.qll 
The `iDominates` relation is directly on control-flow nodes, and its
transitive closure is far too large. It got compiled into a recursion
rather than `fastTC`, and I've observed that recursion to take about an
hour on a medium-size customer snapshot.

The fix is to check for dominance at the basic-block level.
 2020-02-28 10:48:23 +01:00
Geoffrey White
4ca57db553 Merge pull request #2929 from Semmle/rc/1.23 
Merge rc/1.23 into master
 2020-02-28 09:30:20 +00:00
Jonas Jensen
0be13e45f2 Merge remote-tracking branch 'upstream/master' into MissingEnumCaseInSwitch-perf 2020-02-28 09:57:29 +01:00
semmle-qlci
ec90627a64 Merge pull request #2909 from yo-h/experimental 
Approved by aschackmull, jbj, max-schaefer, tausbn
 2020-02-28 03:15:58 +00:00
Dave Bartolomeo
b0fb16c068 C++/C#: Fix formatting 2020-02-27 13:44:02 -05:00
Geoffrey White
729c310eb9 C++: More typos. 2020-02-27 15:49:59 +00:00
Jonas Jensen
d686347315 C++: Optimize EnumSwitch.getAMissingCase 
The `cpp/missing-case-in-switch` performed badly on some snapshots, to
the extent where it was as slow as the most expensive IR stages
(example: ChakraCore). This commit makes it faster, removing a
`pragma[noopt]` along the way.

The intermediate tuple counts on a customer codebase drop from 84M to
3M, while the content hash of `getAMissingCase` is the same.

Before:

    (124s) Tuple counts for Stmt::EnumSwitch::getAMissingCase#ff#antijoin_rhs:
    20867789 ~0%       {3} r1 = JOIN Stmt::SwitchStmt::getASwitchCase_dispred#ff AS L WITH Stmt::EnumSwitch::getAMissingCase#ff#shared AS R ON FIRST 1 OUTPUT L.<1>, R.<0>, R.<1>
    20122830 ~0%       {3} r2 = JOIN r1 WITH Stmt::SwitchCase::getExpr_dispred#ff AS R ON FIRST 1 OUTPUT R.<1>, r1.<1>, r1.<2>
    20122830 ~0%       {3} r3 = JOIN r2 WITH Expr::Expr::getValue_dispred#ff AS R ON FIRST 1 OUTPUT r2.<2>, r2.<1>, R.<1>
    83961918 ~0%       {4} r4 = JOIN r3 WITH Enum::EnumConstant::getInitializer_dispred#ff AS R ON FIRST 1 OUTPUT R.<1>, r3.<1>, r3.<0>, r3.<2>
    83961918 ~0%       {4} r5 = JOIN r4 WITH initialisers AS R ON FIRST 1 OUTPUT R.<2>, r4.<3>, r4.<1>, r4.<2>
    234348   ~185%     {2} r6 = JOIN r5 WITH Expr::Expr::getValue_dispred#ff AS R ON FIRST 2 OUTPUT r5.<2>, r5.<3>
                       return r6
    ...
    (124s) Tuple counts for Stmt::EnumSwitch::getAMissingCase#ff:
    663127 ~4%     {2} r1 = Stmt::EnumSwitch::getAMissingCase#ff#shared AS L AND NOT Stmt::EnumSwitch::getAMissingCase#ff#antijoin_rhs AS R(L.<0>, L.<1>)
                   return r1
    (124s) Registering Stmt::EnumSwitch::getAMissingCase#ff + [] with content 2060ff326cvhihcsvoph6k9divuv4
    (124s)  >>> Wrote relation Stmt::EnumSwitch::getAMissingCase#ff with 663127 rows and 2 columns.

After:

    (5s) Tuple counts for Stmt::EnumSwitch::getAMissingCase_dispred#ff#antijoin_rhs:
    746029   ~0%       {2} r1 = JOIN Stmt::EnumSwitch::getAMissingCase_dispred#ff#shared AS L WITH Enum::Enum::getAnEnumConstant_dispred#ff AS R ON FIRST 1 OUTPUT R.<1>, L.<1>
    3116197  ~2%       {3} r2 = JOIN r1 WITH Enum::EnumConstant::getInitializer_dispred#ff AS R ON FIRST 1 OUTPUT R.<1>, r1.<1>, r1.<0>
    3116197  ~0%       {3} r3 = JOIN r2 WITH initialisers AS R ON FIRST 1 OUTPUT R.<2>, r2.<1>, r2.<2>
    3116197  ~311%     {3} r4 = JOIN r3 WITH Expr::Expr::getValue_dispred#ff AS R ON FIRST 1 OUTPUT r3.<1>, R.<1>, r3.<2>
    234348   ~185%     {2} r5 = JOIN r4 WITH Stmt::EnumSwitch::matchesValue#ff AS R ON FIRST 2 OUTPUT r4.<0>, r4.<2>
                       return r5
    (5s) Registering Stmt::EnumSwitch::getAMissingCase_dispred#ff#antijoin_rhs + [] with content 173483d71508vl534mvlr1g0ehi12
    (5s)  >>> Wrote relation Stmt::EnumSwitch::getAMissingCase_dispred#ff#antijoin_rhs with 82902 rows and 2 columns.
    (5s) Starting to evaluate predicate Stmt::EnumSwitch::getAMissingCase_dispred#ff/2@ae4c0b
    (5s) Tuple counts for Stmt::EnumSwitch::getAMissingCase_dispred#ff:
    746029 ~2%     {2} r1 = JOIN Stmt::EnumSwitch::getAMissingCase_dispred#ff#shared AS L WITH Enum::Enum::getAnEnumConstant_dispred#ff AS R ON FIRST 1 OUTPUT L.<1>, R.<1>
    663127 ~4%     {2} r2 = r1 AND NOT Stmt::EnumSwitch::getAMissingCase_dispred#ff#antijoin_rhs AS R(r1.<0>, r1.<1>)
                   return r2
    (5s) Registering Stmt::EnumSwitch::getAMissingCase_dispred#ff + [] with content 2060ff326cvhihcsvoph6k9divuv4
    (5s)  >>> Wrote relation Stmt::EnumSwitch::getAMissingCase_dispred#ff with 663127 rows and 2 columns.
 2020-02-27 16:27:52 +01:00
Geoffrey White
f8a61ffc4c C++: Expand the test as described in ODASA-640. 2020-02-27 15:26:53 +00:00
Geoffrey White
0a7d9db335 C++: Add example described in ODASA-640. 2020-02-27 15:23:16 +00:00
Geoffrey White
e6d35d314d C++: Fix typo. 2020-02-27 15:23:10 +00:00
Jonas Jensen
c9e56d13f7 C++: Add Expr.getUnconverted predicate 
This gets rid of the expensive predicate
`#Cast::Conversion::getExpr_dispred#ffPlus`, I've observed to cause
memory pressure on large databases.
 2020-02-27 14:52:42 +01:00
Anders Schack-Mulligen
67d386b5ba C++/C#: Add synchronization. 2020-02-27 14:10:16 +01:00