hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 1,672 Branches 157 Tags
c20ee76826e10318f8f39c6fae901b743c2e8254
Commit Graph

7750 Commits

Author SHA1 Message Date
Mathias Vorreiter Pedersen
78642aaae2 Merge pull request #7593 from MathiasVP/fix-join-order-in-get-conversion-type 
C++: Fix join order in 'getConversionType4'
 2022-01-17 11:01:08 +00:00
Robert Marsh
5df6bcf952 C++: change note for hex format range analysis 2022-01-14 13:18:58 -05:00
Robert Marsh
9de63b2812 Merge branch 'main' into rdmarsh2/cpp/hex-format-range-analysis 
Accept test changes from query split
 2022-01-14 12:53:52 -05:00
Andrew Eisenberg
fbb5d7196f Merge branch 'main' into post-release-prep/codeql-cli-2.7.5 2022-01-14 08:23:43 -08:00
Mathias Vorreiter Pedersen
25253c7b8d C++: Don't count write operations as uses for IR dataflow. Accept test changes. 2022-01-14 13:39:57 +00:00
Mathias Vorreiter Pedersen
e8afec413a C++: Add testcase that demonstrates a FP caused by spurious flow through phi nodes in IR dataflow. 2022-01-14 13:34:27 +00:00
Mathias Vorreiter Pedersen
6d95d47467 Merge branch 'main' into fix-join-order-in-get-conversion-type 2022-01-14 09:53:17 +00:00
Mathias Vorreiter Pedersen
68385dfab5 Merge pull request #7386 from github/redsun82/cpp-overrunning-write-precision-split 
C++: split `cpp/overrunning-write` into two
 2022-01-14 09:11:39 +00:00
Anders Schack-Mulligen
0b24af901d Merge pull request #7349 from aschackmull/dataflow/state 
Dataflow: Add support for flow state
 2022-01-14 09:12:38 +01:00
Andrew Eisenberg
4ffd8c62ac Merge pull request #7579 from github/aeisenberg/changenote-upgrades-removal 
Changenotes: Add changenotes for upgrades refactoring
 2022-01-13 09:09:06 -08:00
Anders Schack-Mulligen
c44cf29992 Merge pull request #7587 from owen-mc/add-default-taint-sanitizer-guard 
Dataflow: Add default taint sanitizer guard
 2022-01-13 14:44:55 +01:00
Mathias Vorreiter Pedersen
6148af4621 C++: Fix join order in 'getConversionType4'. 2022-01-13 13:28:36 +00:00
Anders Schack-Mulligen
f7cf327e71 Dataflow: Sync 2022-01-13 13:28:43 +01:00
Paolo Tranquilli
e6763c858d C++: add bindingset to private Printf predicate 
That predicate turned out to create a lot of tuples, of which only a
minimal part was then used in the query.
 2022-01-13 11:59:48 +00:00
Paolo Tranquilli
64d15d6226 C++: fix inc.qhelp files and change notes 2022-01-13 11:59:48 +00:00
Paolo Tranquilli
7b4300e4cf C++: Apply suggestions in documentation 
Co-authored-by: Sarah Edwards <skedwards88@github.com>
 2022-01-13 11:59:48 +00:00
Paolo Tranquilli
9d49ad9f20 C++: use includes in OverrunWrite qhelp files 
Also added the relevant CERT C _and_ C++ standard references where they
were missing, and did some minor stylistic tweaks to
`OverrunWriteFloat.qhelp`.
 2022-01-13 11:59:48 +00:00
Paolo Tranquilli
c117a1e21f C++: demote VeryLikelyOverrunWrite cast results 
There were some false positives where something like

    int x;
    // ...
    sprintf(buff, "%ld", (long)x);

was considered as if the parameter had a non-trivial range analysis only
because the range of `int` is smaller than the range for `long`, without
any non-trivial range analysis actually done on `x`.

These will now be reported by `OverrunWrite` instead.
 2022-01-13 11:59:48 +00:00
Paolo Tranquilli
630982cc31 C++: auto format Printf.qll 2022-01-13 11:59:48 +00:00
Paolo Tranquilli
9f811b2439 C++: remove unused variables and fix tests 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
013216d5e6 C++: exclude widening from VeryLikelyOverrunWrite 
This also restrict what we consider "non-trivial" range analysis, as we
now require both ends to be non-trivially bounded for signed integers.
This avoids false positives stemming from a non trivial upper bound but
no meaningful lower bound, for example.
 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
aac029841a C++: doc fixes to VeryLikelyOverrunWrite 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
c8741f6475 C++: update 2021-12-14-overruning-write-split.md 
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
1e4861a944 C++: shorten VeryLikelyOverrunWrite @name 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
106400238a C++: tweak overrunning write qhelp files 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
8ac34f3db5 C++: NoSpecifiedEstimateReasonUnspecified... 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
4a85b9b0cc C++: add VeryLikelyOverrunWrite.ql to cwe-120 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
97f1a5bac0 C++: add VeryLikelyOverrunWrite.qhelp 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
10b62154a1 C++: add cpp/very-likely-overruning-write help 
Also update the help of `cpp/overruning-write`, as the case shown there
will actually not be flagged by that query any more.
 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
b979f02e5d C++: fix OverrunWrite for backward compatibility 
Rather than testing for `TypeBoundsAnalysis`, we test that the reason is
not `ValueFlowAnalysis` (which is reported by the new
`cpp/very-likely-overruning-write` query), so that if a client has
overridden `BufferWrite::getMaxData` the `NoSpecifiedEstimateReason` is
taken into account.
 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
db6214fdff C++: add change note for new overrun write query 2022-01-13 11:59:47 +00:00
Paolo Tranquilli
a0059202db C++: split cpp/overrunning-write into two 
This splits the `cpp/overruning-write` into two separate queries based
off on the reason for the estimation. If the overrun is detected based
on non-trivial range analysis, the results are now marked by the new
`cpp/very-likely-overruning-write` high precision query. If it is based
on less precise, usually type based bounds, then it will still be marked
by `cpp/overruning-write` which remains at medium precision.
 2022-01-13 11:59:47 +00:00
Andrew Eisenberg
e435a3e9c3 Changenotes: Add changenotes for upgrades refactoring 2022-01-12 11:36:31 -08:00
Robert Marsh
5031d6c4a3 Merge pull request #7566 from MathiasVP/smaller-join-in-reachesRefParameter 
C++: Smaller join in `reachesRefParameter`
 2022-01-12 10:04:35 -05:00
Owen Mansel-Chan
8e8278764b Add predicate defaultTaintSanitizerGuard for each language 
This was done manually, as these files are not synced by sync-files.py.
 2022-01-12 14:44:56 +00:00
Owen Mansel-Chan
c112980b81 Sync TaintTrackingImpl.qll 
Done automatically using sync-files.py
 2022-01-12 14:44:55 +00:00
github-actions[bot]
8a2d92badc Post-release preparation for codeql-cli-2.7.5 2022-01-12 13:28:43 +00:00
Andrew Eisenberg
07228672df Merge branch 'main' into aeisenberg/remove-upgrades 2022-01-11 11:25:27 -08:00
Mathias Vorreiter Pedersen
c45127fdd6 Merge pull request #7541 from github/rdmarsh2/dataflow-ipa-params 
C++: Use an IPA type rather than negative indexes for argument/parameter matching in data flow
 2022-01-11 16:52:13 +00:00
Mathias Vorreiter Pedersen
b3a7090068 C++: Fix join in reachesRefParameter by joining with 'getEnd' instead 
of 'getANode'.

Before:

Tuple counts for FlowVar::FlowVar::reachesRefParameter_dispred#ff/2@956ac39i after 229ms:
  24806   ~1%     {2} r1 = JOIN FlowVar::FlowVar_internal::parameterIsNonConstReference#f WITH Parameter::Parameter::getFunction_dispred#ff ON FIRST 1 OUTPUT Lhs.0 'p', Rhs.1
  56985   ~3%     {3} r2 = JOIN r1 WITH num#FlowVar::FlowVar_internal::TBlockVar#fff_12#join_rhs ON FIRST 1 OUTPUT Rhs.1 'this', Lhs.0 'p', Lhs.1
  2384489 ~4%     {4} r3 = JOIN r2 WITH FlowVar::FlowVar_internal::getAReachedBlockVarSBB#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.2, Lhs.1 'p', Lhs.0 'this'
  49457   ~0%     {2} r4 = JOIN r3 WITH SubBasicBlocks::SubBasicBlock::getANode_dispred#fb ON FIRST 2 OUTPUT Lhs.3 'this', Lhs.2 'p'
                  return r4

After:

Tuple counts for FlowVar::FlowVar::reachesRefParameter_dispred#ff/2@46f8bfn7 after 32ms:
  24806 ~1%     {2} r1 = JOIN FlowVar::FlowVar_internal::parameterIsNonConstReference#f WITH Parameter::Parameter::getFunction_dispred#ff ON FIRST 1 OUTPUT Lhs.0 'p', Rhs.1
  56985 ~1%     {3} r2 = JOIN r1 WITH num#FlowVar::FlowVar_internal::TBlockVar#fff_12#join_rhs ON FIRST 1 OUTPUT Lhs.1, Lhs.0 'p', Rhs.1 'this'
  56985 ~1%     {3} r3 = JOIN r2 WITH SubBasicBlocks::SubBasicBlock::getEnd_dispred#fb_10#join_rhs ON FIRST 1 OUTPUT Lhs.2 'this', Rhs.1, Lhs.1 'p'
  49457 ~0%     {2} r4 = JOIN r3 WITH FlowVar::FlowVar_internal::getAReachedBlockVarSBB#ff ON FIRST 2 OUTPUT Lhs.0 'this', Lhs.2 'p'
                return r4
 2022-01-11 13:48:20 +00:00
Robert Marsh
fe355a0bc9 C++: update test comments 2022-01-10 12:38:08 -05:00
Mathias Vorreiter Pedersen
2a02ce137a C++: Fix join orders in 'exprIsSubLeftOrLess'. 
Before:

Tuple counts for UnsignedDifferenceExpressionComparedZero::exprIsSubLeftOrLess#ff/2@i3#a5071w3a after 24s:
  304220    ~2%      {2} r1 = JOIN UnsignedDifferenceExpressionComparedZero::exprIsSubLeftOrLess#ff#prev_delta WITH Expr::BinaryOperation#class#f#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.0 'sub'

  190061335 ~24%     {2} r2 = JOIN r1 WITH DataFlowUtil::localFlowStep#ff ON FIRST 1 OUTPUT Lhs.1 'sub', Rhs.1 'n'

  3956      ~0%      {2} r3 = JOIN r1 WITH DataFlowUtil::localFlowStep#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1 'sub', Rhs.1 'n'

  407983    ~1%      {2} r4 = JOIN Expr::BinaryOperation#class#f#join_rhs WITH UnsignedDifferenceExpressionComparedZero::exprIsSubLeftOrLess#ff#prev ON FIRST 1 OUTPUT Rhs.1 'n', Lhs.0 'sub'
  380823    ~0%      {2} r5 = JOIN r4 WITH DataFlowUtil::TExprNode#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1 'sub', Rhs.1
  0         ~0%      {2} r6 = JOIN r5 WITH UnsignedDifferenceExpressionComparedZero::isGuarded#fff#prev_delta ON FIRST 2 OUTPUT Rhs.2, Lhs.0 'sub'
  0         ~0%      {2} r7 = JOIN r6 WITH DataFlowUtil::TExprNode#ff ON FIRST 1 OUTPUT Lhs.1 'sub', Rhs.1 'n'

  3956      ~0%      {2} r8 = r3 UNION r7
  190065291 ~24%     {2} r9 = r2 UNION r8
  ...

After:

Tuple counts for UnsignedDifferenceExpressionComparedZero::interestingSubExpr#f/1@654e29g3 after 228ms:
  370 ~2%     {2} r1 = ComparisonOperation::RelationalOperation::getGreaterOperand_dispred#fb AND NOT Exclusions::isFromMacroDefinition#b(Lhs.1 'sub')
  370 ~0%     {2} r2 = SCAN r1 OUTPUT In.1 'sub', In.0
  370 ~3%     {3} r3 = JOIN r2 WITH Expr::Expr::getFullyConverted_dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.0 'sub'
  210 ~1%     {2} r4 = JOIN r3 WITH SimpleRangeAnalysis::SimpleRangeAnalysisCached::exprMightOverflowNegatively#f ON FIRST 1 OUTPUT Lhs.2 'sub', Lhs.1
  210 ~0%     {3} r5 = JOIN r4 WITH Expr::Expr::getFullyConverted_dispred#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.0 'sub', Rhs.1
  210 ~1%     {3} r6 = JOIN r5 WITH ComparisonOperation::RelationalOperation::getLesserOperand_dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'sub', Lhs.2
  59  ~2%     {4} r7 = JOIN r6 WITH Expr::Expr::getValue_dispred#ff ON FIRST 1 OUTPUT Lhs.1 'sub', Lhs.2, Rhs.1, toInt(Rhs.1)
  17  ~0%     {4} r8 = SELECT r7 ON In.3 = 0
  17  ~0%     {2} r9 = SCAN r8 OUTPUT In.1, In.0 'sub'
  8   ~0%     {2} r10 = JOIN r9 WITH Expr::Expr::getUnspecifiedType_dispred#bb ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'sub'
  8   ~0%     {1} r11 = JOIN r10 WITH Type::IntegralType::isUnsigned_dispred#f ON FIRST 1 OUTPUT Lhs.1 'sub'
              return r11

Tuple counts for UnsignedDifferenceExpressionComparedZero::exprIsSubLeftOrLess#ff/2@i2#61800weu after 1ms:
  8  ~0%      {2} r1 = JOIN UnsignedDifferenceExpressionComparedZero::exprIsSubLeftOrLess#ff#prev_delta WITH UnsignedDifferenceExpressionComparedZero::interestingSubExpr#f ON FIRST 1 OUTPUT Lhs.1, Lhs.0 'sub'

  0  ~0%      {2} r2 = JOIN r1 WITH DataFlowUtil::localFlowStep#ff ON FIRST 1 OUTPUT Lhs.1 'sub', Rhs.1 'n'

  1  ~0%      {2} r3 = JOIN r1 WITH DataFlowUtil::localFlowStep#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1 'sub', Rhs.1 'n'

  0  ~0%      {3} r4 = JOIN UnsignedDifferenceExpressionComparedZero::isGuarded#fff#prev_delta WITH UnsignedDifferenceExpressionComparedZero::interestingSubExpr#f ON FIRST 1 OUTPUT Lhs.1, Lhs.0 'sub', Lhs.2
  0  ~0%      {3} r5 = JOIN r4 WITH DataFlowUtil::TExprNode#ff ON FIRST 1 OUTPUT Lhs.1 'sub', Rhs.1 'n', Lhs.2
  0  ~0%      {2} r6 = JOIN r5 WITH UnsignedDifferenceExpressionComparedZero::exprIsSubLeftOrLess#ff#prev ON FIRST 2 OUTPUT Lhs.2, Lhs.0 'sub'
  0  ~0%      {2} r7 = JOIN r6 WITH DataFlowUtil::TExprNode#ff ON FIRST 1 OUTPUT Lhs.1 'sub', Rhs.1 'n'

  1  ~0%      {2} r8 = r3 UNION r7
  1  ~0%      {2} r9 = r2 UNION r8
  ...
 2022-01-10 17:28:14 +00:00
Mathias Vorreiter Pedersen
f2d6bcd767 C++: Fix join order in 'isGuarded'. 
Before:

Tuple counts for UnsignedDifferenceExpressionComparedZero::isGuarded#bff/3@ec24001m after 1.7s:
  97431    ~0%     {2} r1 = JOIN UnsignedDifferenceExpressionComparedZero::isGuarded#bff#join_rhs WITH project#BasicBlocks::Cached::basic_block_member ON FIRST 1 OUTPUT Rhs.1, Lhs.0 'sub'
  11809769 ~1%     {2} r2 = JOIN r1 WITH Guards::GuardCondition::controls_dispred#fff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1 'sub', Rhs.1
  11809769 ~0%     {4} r3 = JOIN r2 WITH project#BasicBlocks::Cached::basic_block_member ON FIRST 1 OUTPUT Lhs.1, Rhs.1, false, Lhs.0 'sub'
  629277   ~4%     {7} r4 = JOIN r3 WITH Guards::GuardCondition::ensuresLt_dispred#ffffff_045123#join_rhs ON FIRST 3 OUTPUT Lhs.3 'sub', Lhs.0, Lhs.1, false, Rhs.3 'left', Rhs.4 'right', Rhs.5
  628120   ~4%     {7} r5 = SELECT r4 ON In.6 >= 0
  628120   ~1%     {3} r6 = SCAN r5 OUTPUT In.0 'sub', In.4 'left', In.5 'right'
                    return r6

After:

Tuple counts for UnsignedDifferenceExpressionComparedZero::isGuarded#fff/3@i2#a5071x3a after 392ms:
  103763 ~0%     {2} r1 = SCAN UnsignedDifferenceExpressionComparedZero::exprIsSubLeftOrLess#ff#prev_delta OUTPUT In.0 'sub', 26
  103763 ~0%     {1} r2 = JOIN r1 WITH exprs ON FIRST 2 OUTPUT Lhs.0 'sub'
  97431  ~0%     {3} r3 = JOIN r2 WITH project#BasicBlocks::Cached::basic_block_member ON FIRST 1 OUTPUT Rhs.1, false, Lhs.0 'sub'
  629277 ~0%     {7} r4 = JOIN r3 WITH Guards::GuardCondition::ensuresLt_dispred#ffffff_450123#join_rhs ON FIRST 2 OUTPUT Lhs.2 'sub', Lhs.0, false, Rhs.2, Rhs.3 'left', Rhs.4 'right', Rhs.5
  628120 ~0%     {7} r5 = SELECT r4 ON In.6 >= 0
  628120 ~1%     {6} r6 = SCAN r5 OUTPUT In.0 'sub', In.1, In.3, In.4 'left', In.5 'right', In.6
  628120 ~1%     {6} r7 = r6 AND NOT UnsignedDifferenceExpressionComparedZero::isGuarded#fff#prev(Lhs.0 'sub', Lhs.3 'left', Lhs.4 'right')
  628120 ~0%     {5} r8 = SCAN r7 OUTPUT In.2, In.1, In.0 'sub', In.3 'left', In.4 'right'
  628120 ~1%     {3} r9 = JOIN r8 WITH Guards::GuardCondition::controls_dispred#fff ON FIRST 2 OUTPUT Lhs.2 'sub', Lhs.3 'left', Lhs.4 'right'
                  return r9
 2022-01-10 17:03:40 +00:00
Tom Hvitved
d2ebbe0819 Merge pull request #7469 from hvitved/csharp/promote-adhoc-consistency-checks 
C#: Promote existing ad-hoc consistency checks to consistency queries
 2022-01-10 11:10:25 +01:00
Mathias Vorreiter Pedersen
a5ccd6a23b Merge pull request #7521 from rdmarsh2/rdmarsh2/cpp/use-guards-in-overflow 2022-01-09 14:09:04 +00:00
Robert Marsh
67fb48fcc1 C++: use range analysis for hex format lengths 
The "new" result on line 189 is a tighter bound than was previously
established, not a newly introduced location.
 2022-01-07 16:16:22 -05:00
Robert Marsh
fa9242befe C++: Add tests for bounded hex format values 2022-01-07 16:08:53 -05:00
Robert Marsh
673399719e C++: autoformat DataFlowPrivate 2022-01-07 15:23:24 -05:00
Robert Marsh
78b8d113bb C++: PR comments on DataFlow Position 2022-01-07 14:21:56 -05:00
Robert Marsh
4322a39807 C++: fix typo in Overflow.qll abs handling 2022-01-07 14:09:47 -05:00