XXX: Fake change to demonstrate CI issue

Python: A few more parser fixes

.bazelrc

@@ -1,5 +1,4 @@
 common --enable_platform_specific_config
-common --enable_bzlmod
 # because we use --override_module with `%workspace%`, the lock file is not stable
 common --lockfile_mode=off
 

.bazelversion

@@ -1 +1 @@
-5f5d70b6c4d2fb1a889479569107f1692239e8a7
+8.0.0rc1

.github/labeler.yml

@@ -38,6 +38,10 @@ Swift:
   - swift/**/*
   - change-notes/**/*swift*
 
+Actions:
+  - actions/**/*
+  - change-notes/**/*actions*
+
 documentation:
   - "**/*.qhelp"
   - "**/*.md"

.github/workflows/build-ripunzip.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04, macos-12, windows-2019]
+        os: [ubuntu-20.04, macos-13, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/go-tests.yml

@@ -3,6 +3,7 @@ on:
   push:
     paths:
       - "go/**"
+      - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
@@ -12,6 +13,7 @@ on:
   pull_request:
     paths:
       - "go/**"
+      - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml

.github/workflows/rust-analysis.yml

@@ -0,0 +1,69 @@
+name: "Code scanning - Rust"
+
+on:
+  push:
+    branches:
+      - main
+      - 'rc/*'
+  pull_request:
+    branches:
+      - main
+      - 'rc/*'
+    paths:
+      - '**/*.rs'
+      - '**/Cargo.toml'
+      - '.github/codeql/codeql-config.yml'
+      - '.github/workflows/rust-analysis.yml'
+  schedule:
+    - cron: '0 9 * * 1'
+
+env:
+  CODEQL_ENABLE_EXPERIMENTAL_FEATURES: "true"
+
+jobs:
+  analyze:
+    strategy:
+      matrix:
+        language: [ 'rust' ]
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: read
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Query latest nightly CodeQL bundle
+      shell: bash
+      id: codeql
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: |
+        REPO=dsp-testing/codeql-cli-nightlies
+        TAG=$(
+          gh release list -R $REPO -L1 --exclude-drafts --json tagName -q ".[] | .tagName"
+        )
+        echo "nightly_bundle=https://github.com/$REPO/releases/download/$TAG/codeql-bundle-linux64.tar.zst" \
+          | tee -a "$GITHUB_OUTPUT"
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@main
+      with:
+        tools: ${{ steps.codeql.outputs.nightly_bundle }}
+        languages: ${{ matrix.language }}
+        config: |
+          disable-default-queries: true
+          queries:
+            - uses: security-and-quality
+          paths-ignore:
+            - '/rust/ql/tests'
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@main
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@main

.github/workflows/swift.yml

@@ -44,7 +44,7 @@ jobs:
   # without waiting for the macOS build
   build-and-test-macos:
     if: github.repository_owner == 'github'
-    runs-on: macos-12-xl
+    runs-on: macos-13-xlarge
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/build-and-test
@@ -64,7 +64,7 @@ jobs:
   qltests-macos:
     if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
     needs: build-and-test-macos
-    runs-on: macos-12-xl
+    runs-on: macos-13-xlarge
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/run-ql-tests

.pre-commit-config.yaml

@@ -15,7 +15,7 @@ repos:
       - id: clang-format
 
   - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v1.6.0
+    rev: v2.0.4
     hooks:
       - id: autopep8
         files: ^misc/codegen/.*\.py

CODEOWNERS

@@ -23,7 +23,6 @@
 /ql/ @github/codeql-ql-for-ql-reviewers
 
 # Bazel (excluding BUILD.bazel files)
-WORKSPACE.bazel @github/codeql-ci-reviewers
 MODULE.bazel @github/codeql-ci-reviewers
 .bazelversion @github/codeql-ci-reviewers
 .bazelrc @github/codeql-ci-reviewers

Cargo.lock

@@ -96,12 +96,32 @@ version = "1.0.87"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "10f00e1f6e58a40e807377c75c6a7f97bf9044fab57816f2414e6f5f4499d7b8"
 
+[[package]]
+name = "argfile"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0a1cc0ba69de57db40674c66f7cf2caee3981ddef084388482c95c0e2133e5e8"
+dependencies = [
+ "fs-err",
+ "os_str_bytes",
+]
+
 [[package]]
 name = "arrayvec"
 version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
 
+[[package]]
+name = "ast-generator"
+version = "0.1.0"
+dependencies = [
+ "itertools 0.10.5",
+ "proc-macro2",
+ "quote",
+ "ungrammar",
+]
+
 [[package]]
 name = "atomic"
 version = "0.6.0"
@@ -255,7 +275,7 @@ dependencies = [
  "chalk-ir",
  "ena",
  "indexmap 2.5.0",
- "itertools",
+ "itertools 0.12.1",
  "petgraph",
  "rustc-hash",
  "tracing",
@@ -360,20 +380,27 @@ name = "codeql-rust"
 version = "0.1.0"
 dependencies = [
  "anyhow",
+ "argfile",
  "clap",
  "codeql-extractor",
  "figment",
+ "glob",
+ "itertools 0.13.0",
  "log",
  "num-traits",
  "ra_ap_base_db",
  "ra_ap_hir",
  "ra_ap_hir_def",
+ "ra_ap_hir_expand",
  "ra_ap_ide_db",
  "ra_ap_load-cargo",
+ "ra_ap_parser",
  "ra_ap_paths",
  "ra_ap_project_model",
+ "ra_ap_span",
  "ra_ap_syntax",
  "ra_ap_vfs",
+ "rust-extractor-macros",
  "serde",
  "serde_with",
  "stderrlog",
@@ -605,6 +632,7 @@ dependencies = [
  "atomic",
  "pear",
  "serde",
+ "serde_yaml",
  "uncased",
  "version_check",
 ]
@@ -643,6 +671,15 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
+[[package]]
+name = "fs-err"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88a41f105fe1d5b6b34b2055e3dc59bb79b46b48b2040b9e6c7b4b5de097aa41"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "fsevent-sys"
 version = "4.1.0"
@@ -669,6 +706,12 @@ dependencies = [
  "wasi",
 ]
 
+[[package]]
+name = "glob"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+
 [[package]]
 name = "globset"
 version = "0.4.15"
@@ -827,6 +870,15 @@ version = "1.70.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
 
+[[package]]
+name = "itertools"
+version = "0.10.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
+dependencies = [
+ "either",
+]
+
 [[package]]
 name = "itertools"
 version = "0.12.1"
@@ -836,6 +888,15 @@ dependencies = [
  "either",
 ]
 
+[[package]]
+name = "itertools"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186"
+dependencies = [
+ "either",
+]
+
 [[package]]
 name = "itoa"
 version = "1.0.11"
@@ -1064,6 +1125,15 @@ version = "11.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b410bbe7e14ab526a0e86877eb47c6996a2bd7746f027ba551028c925390e4e9"
 
+[[package]]
+name = "os_str_bytes"
+version = "7.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7ac44c994af577c799b1b4bd80dc214701e349873ad894d6cdf96f4f7526e0b9"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "overload"
 version = "0.1.1"
@@ -1303,7 +1373,7 @@ checksum = "c7c38520eb4770af561c34b908431f4e548c3282093cf3daf3c6e566d99a2937"
 dependencies = [
  "arrayvec",
  "either",
- "itertools",
+ "itertools 0.12.1",
  "ra_ap_base_db",
  "ra_ap_cfg",
  "ra_ap_hir_def",
@@ -1335,7 +1405,7 @@ dependencies = [
  "fst",
  "hashbrown 0.14.5",
  "indexmap 2.5.0",
- "itertools",
+ "itertools 0.12.1",
  "la-arena",
  "ra-ap-rustc_abi",
  "ra-ap-rustc_parse_format",
@@ -1365,7 +1435,7 @@ dependencies = [
  "cov-mark",
  "either",
  "hashbrown 0.14.5",
- "itertools",
+ "itertools 0.12.1",
  "la-arena",
  "ra_ap_base_db",
  "ra_ap_cfg",
@@ -1400,7 +1470,7 @@ dependencies = [
  "either",
  "ena",
  "indexmap 2.5.0",
- "itertools",
+ "itertools 0.12.1",
  "la-arena",
  "nohash-hasher",
  "oorandom",
@@ -1437,7 +1507,7 @@ dependencies = [
  "either",
  "fst",
  "indexmap 2.5.0",
- "itertools",
+ "itertools 0.12.1",
  "line-index",
  "memchr",
  "nohash-hasher",
@@ -1483,7 +1553,7 @@ checksum = "82e6f24b61f1ef1f3a756493d1fb7e711b69b2e4d5f4746fcb959313dfd41471"
 dependencies = [
  "anyhow",
  "crossbeam-channel",
- "itertools",
+ "itertools 0.12.1",
  "ra_ap_hir_expand",
  "ra_ap_ide_db",
  "ra_ap_intern",
@@ -1578,7 +1648,7 @@ checksum = "db83d1844c74b22c110c4b8e8f2519be2b1723964008527281a11c3398749756"
 dependencies = [
  "anyhow",
  "cargo_metadata",
- "itertools",
+ "itertools 0.12.1",
  "la-arena",
  "ra_ap_base_db",
  "ra_ap_cfg",
@@ -1602,7 +1672,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "370b302873eeafd07ccc6a714fc9395cae11e385955ccb78081093ee3b86f94e"
 dependencies = [
  "indexmap 2.5.0",
- "itertools",
+ "itertools 0.12.1",
  "lock_api",
  "oorandom",
  "parking_lot",
@@ -1649,7 +1719,7 @@ checksum = "bb63ff9d6b11b4553fc0835f16705975258905e3b1230fcf1ddbf24c46aff69d"
 dependencies = [
  "always-assert",
  "crossbeam-channel",
- "itertools",
+ "itertools 0.12.1",
  "jod-thread",
  "libc",
  "miow",
@@ -1665,7 +1735,7 @@ dependencies = [
  "cov-mark",
  "either",
  "indexmap 2.5.0",
- "itertools",
+ "itertools 0.12.1",
  "ra-ap-rustc_lexer",
  "ra_ap_parser",
  "ra_ap_stdx",
@@ -1699,7 +1769,7 @@ version = "0.0.232"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7cb72ee1901baec556f4f2ef77e287d749ac0e973f063990672d6207b076aeac"
 dependencies = [
- "itertools",
+ "itertools 0.12.1",
  "text-size",
 ]
 
@@ -1875,6 +1945,14 @@ dependencies = [
  "text-size",
 ]
 
+[[package]]
+name = "rust-extractor-macros"
+version = "0.1.0"
+dependencies = [
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "rustc-hash"
 version = "1.1.0"
@@ -1988,6 +2066,19 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "serde_yaml"
+version = "0.9.34+deprecated"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+dependencies = [
+ "indexmap 2.5.0",
+ "itoa",
+ "ryu",
+ "serde",
+ "unsafe-libyaml",
+]
+
 [[package]]
 name = "sharded-slab"
 version = "0.1.7"
@@ -2287,6 +2378,12 @@ dependencies = [
  "version_check",
 ]
 
+[[package]]
+name = "ungrammar"
+version = "1.16.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a3e5df347f0bf3ec1d670aad6ca5c6a1859cd9ea61d2113125794654ccced68f"
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.13"
@@ -2305,6 +2402,12 @@ version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "229730647fbc343e3a80e463c1db7f78f3855d3f3739bee0dda773c9a037c90a"
 
+[[package]]
+name = "unsafe-libyaml"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
 [[package]]
 name = "utf8parse"
 version = "0.2.2"

Cargo.toml

@@ -6,6 +6,8 @@ members = [
     "shared/tree-sitter-extractor",
     "ruby/extractor",
     "rust/extractor",
+    "rust/extractor/macros",
+    "rust/ast-generator",
 ]
 
 [patch.crates-io]

MODULE.bazel

@@ -18,16 +18,16 @@ bazel_dep(name = "platforms", version = "0.0.10")
 bazel_dep(name = "rules_go", version = "0.50.0")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.35.0")
-bazel_dep(name = "bazel_skylib", version = "1.6.1")
+bazel_dep(name = "rules_python", version = "0.36.0")
+bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.38.0")
-bazel_dep(name = "rules_dotnet", version = "0.15.1")
+bazel_dep(name = "rules_dotnet", version = "0.16.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.50.0")
+bazel_dep(name = "rules_rust", version = "0.52.2")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 
@@ -60,6 +60,8 @@ r.from_cargo(
         "//:Cargo.toml",
         "//ruby/extractor:Cargo.toml",
         "//rust/extractor:Cargo.toml",
+        "//rust/extractor/macros:Cargo.toml",
+        "//rust/ast-generator:Cargo.toml",
         "//shared/tree-sitter-extractor:Cargo.toml",
     ],
 )
@@ -126,6 +128,7 @@ use_repo(
     "kotlin-compiler-1.9.20-Beta",
     "kotlin-compiler-2.0.0-RC1",
     "kotlin-compiler-2.0.20-Beta2",
+    "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-embeddable-1.5.0",
     "kotlin-compiler-embeddable-1.5.10",
     "kotlin-compiler-embeddable-1.5.20",
@@ -139,6 +142,7 @@ use_repo(
     "kotlin-compiler-embeddable-1.9.20-Beta",
     "kotlin-compiler-embeddable-2.0.0-RC1",
     "kotlin-compiler-embeddable-2.0.20-Beta2",
+    "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-stdlib-1.5.0",
     "kotlin-stdlib-1.5.10",
     "kotlin-stdlib-1.5.20",
@@ -152,6 +156,7 @@ use_repo(
     "kotlin-stdlib-1.9.20-Beta",
     "kotlin-stdlib-2.0.0-RC1",
     "kotlin-stdlib-2.0.20-Beta2",
+    "kotlin-stdlib-2.1.0-Beta1",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

README.md

@@ -1,5 +1,7 @@
 # CodeQL
 
+Chnage to demonstrate issue
+
 This open source repository contains the standard CodeQL libraries and queries that power [GitHub Advanced Security](https://github.com/features/security/code) and the other application security products that [GitHub](https://github.com/features/security/) makes available to its customers worldwide.
 
 ## How do I learn CodeQL and run queries?

WORKSPACE.bazel

@@ -1,2 +0,0 @@
-# please use MODULE.bazel to add dependencies
-# this empty file is required by internal repositories, don't remove it

actions/BUILD.bazel

@@ -0,0 +1,20 @@
+load("//misc/bazel:pkg.bzl", "codeql_pack")
+
+package(default_visibility = ["//visibility:public"])
+
+[
+    codeql_pack(
+        name = "-".join(parts),
+        srcs = [
+            "//actions/extractor",
+        ],
+        pack_prefix = "/".join(parts),
+    )
+    for parts in (
+        [
+            "experimental",
+            "actions",
+        ],
+        ["actions"],
+    )
+]

actions/extractor/BUILD.bazel

@@ -0,0 +1,10 @@
+load("//misc/bazel:pkg.bzl", "codeql_pkg_files", "strip_prefix")
+
+codeql_pkg_files(
+    name = "extractor",
+    srcs = [
+        "codeql-extractor.yml",
+    ] + glob(["tools/**"]),
+    strip_prefix = strip_prefix.from_pkg(),
+    visibility = ["//actions:__pkg__"],
+)

actions/extractor/codeql-extractor.yml

@@ -0,0 +1,44 @@
+name: "actions"
+aliases: []
+display_name: "GitHub Actions"
+version: 0.0.1
+column_kind: "utf16"
+unicode_newlines: true
+build_modes:
+  - none
+file_coverage_languages: []
+github_api_languages: []
+scc_languages: []
+file_types:
+  - name: workflow
+    display_name: GitHub Actions workflow files
+    extensions:
+      - .yml
+      - .yaml
+forwarded_extractor_name: javascript
+options:
+  trap:
+    title: TRAP options
+    description: Options about how the extractor handles TRAP files
+    type: object
+    visibility: 3
+    properties:
+      cache:
+        title: TRAP cache options
+        description: Options about how the extractor handles its TRAP cache
+        type: object
+        properties:
+          dir:
+            title: TRAP cache directory
+            description: The directory of the TRAP cache to use
+            type: string
+          bound:
+            title: TRAP cache bound
+            description: A soft limit (in MB) on the size of the TRAP cache
+            type: string
+            pattern: "[0-9]+"
+          write:
+            title: TRAP cache writeable
+            description: Whether to write to the TRAP cache as well as reading it
+            type: string
+            pattern: "(true|TRUE|false|FALSE)"

actions/extractor/tools/autobuild-impl.ps1

@@ -0,0 +1,40 @@
+if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
+    Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' 
+} else {
+    Write-Output 'No path filters set. Using the default filters.'
+    $DefaultPathFilters = @(
+        'exclude:**/*',
+        'include:.github/workflows/**/*.yml',
+        'include:.github/workflows/**/*.yaml',
+        'include:**/action.yml',
+        'include:**/action.yaml'
+    )
+
+    $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
+}
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
+if ($LASTEXITCODE -ne 0) {
+    throw 'Failed to resolve JavaScript extractor.'
+}
+
+Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder.
+$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
+Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
+
+&$JavaScriptAutoBuild
+if ($LASTEXITCODE -ne 0) {
+    throw "JavaScript autobuilder failed."
+}

actions/extractor/tools/autobuild.cmd

@@ -0,0 +1,3 @@
+@echo off
+rem All of the work is done in the PowerShell script
+powershell.exe %~dp0autobuild-impl.ps1

actions/extractor/tools/autobuild.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -eu
+
+DEFAULT_PATH_FILTERS=$(cat << END
+exclude:**/*
+include:.github/workflows/**/*.yml
+include:.github/workflows/**/*.yaml
+include:**/action.yml
+include:**/action.yaml
+END
+)
+
+if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
+    echo "Path filters set. Passing them through to the JavaScript extractor."
+else
+    echo "No path filters set. Using the default filters."
+    LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
+    export LGTM_INDEX_FILTERS
+fi
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
+export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
+
+echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder
+JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
+echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
+    ${JAVASCRIPT_AUTO_BUILD}

actions/ql/lib/actions.qll

@@ -0,0 +1 @@
+predicate placeholder(int x) { x = 0 }

actions/ql/lib/qlpack.yml

@@ -0,0 +1,12 @@
+name: codeql/actions-all
+version: 0.0.1-dev
+library: true
+warnOnImplicitThis: true
+dependencies:
+  codeql/util: ${workspace}
+  codeql/yaml: ${workspace}
+  codeql/controlflow: ${workspace}
+  codeql/dataflow: ${workspace}
+  codeql/javascript-all: ${workspace}
+extractor: actions
+groups: actions

actions/ql/src/Placeholder.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Placeholder Query
+ * @description Placeholder
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @precision high
+ * @id actions/placeholder
+ * @tags actions security
+ */
+
+import actions
+import javascript
+
+from File f
+select f, "Analyzed a file."

actions/ql/src/qlpack.yml

@@ -0,0 +1,8 @@
+name: codeql/actions-queries
+version: 0.0.1-dev
+library: false
+groups: [actions, queries]
+extractor: actions
+dependencies:
+  codeql/actions-all: ${workspace}
+warnOnImplicitThis: true

actions/ql/test/library-tests/.github/workflows/shell.yml

@@ -0,0 +1,23 @@
+on: push
+
+jobs:
+  job1:
+    runs-on: ubuntu-latest
+    steps:
+      - shell: pwsh
+        run: Write-Output "foo"
+  job2:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "foo"
+
+  job3:
+    runs-on: windows-latest
+    steps:
+      - shell: bash
+        run: echo "foo"
+  job4:
+    runs-on: windows-latest
+    steps:
+      - run: Write-Output "foo"
+

actions/ql/test/library-tests/Placeholder.expected

@@ -0,0 +1 @@
+| 1 |

actions/ql/test/library-tests/Placeholder.ql

@@ -0,0 +1 @@
+select 1

actions/ql/test/qlpack.yml

@@ -0,0 +1,8 @@
+name: codeql/actions-tests
+groups: [codeql, test]
+dependencies:
+  codeql/actions-all: ${workspace}
+  codeql/actions-queries: ${workspace}
+extractor: actions
+tests: .
+warnOnImplicitThis: true

actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml

@@ -0,0 +1,23 @@
+on: push
+
+jobs:
+  job1:
+    runs-on: ubuntu-latest
+    steps:
+      - shell: pwsh
+        run: Write-Output "foo"
+  job2:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "foo"
+
+  job3:
+    runs-on: windows-latest
+    steps:
+      - shell: bash
+        run: echo "foo"
+  job4:
+    runs-on: windows-latest
+    steps:
+      - run: Write-Output "foo"
+

actions/ql/test/query-tests/Placeholder/Placeholder.expected

@@ -0,0 +1 @@
+| .github/workflows/shell.yml:0:0:0:0 | .github/workflows/shell.yml | Analyzed a file. |

actions/ql/test/query-tests/Placeholder/Placeholder.qlref

@@ -0,0 +1 @@
+Placeholder.ql

config/identical-files.json

@@ -57,10 +57,6 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
   ],
-  "Model as Data Generation Java/C# - CaptureModels": [
-    "java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
-    "csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
-  ],
   "Sign Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"

cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/exprs.ql

@@ -0,0 +1,15 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_expr {
+  string toString() { none() }
+}
+
+predicate isExprRequires(Expr expr) { exists(int kind | exprs(expr, kind, _) | kind = 390) }
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if isExprRequires(expr) then kind_new = 1 else kind_new = kind
+select expr, kind_new, location

cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/upgrade.properties

@@ -0,0 +1,3 @@
+description: Add requires expr
+compatibility: partial
+exprs.rel: run exprs.qlo

cpp/downgrades/e51fad7a2436caefab0c6bd52f05e28e7cce4d92/exprs.ql

@@ -0,0 +1,17 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_expr {
+  string toString() { none() }
+}
+
+predicate isExprRequirement(Expr expr) {
+  exists(int kind | exprs(expr, kind, _) | kind = [391, 392, 393])
+}
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if isExprRequirement(expr) then kind_new = 1 else kind_new = kind
+select expr, kind_new, location

cpp/downgrades/e51fad7a2436caefab0c6bd52f05e28e7cce4d92/params.ql

@@ -0,0 +1,17 @@
+class Parameter extends @parameter {
+  string toString() { none() }
+}
+
+class ParameterizedElement extends @parameterized_element {
+  string toString() { none() }
+}
+
+class Type extends @type {
+  string toString() { none() }
+}
+
+from Parameter param, ParameterizedElement pe, int index, Type type
+where
+  params(param, pe, index, type) and
+  not pe instanceof @requires_expr
+select param, pe, index, type

cpp/downgrades/e51fad7a2436caefab0c6bd52f05e28e7cce4d92/upgrade.properties

@@ -0,0 +1,5 @@
+description: Support C++20 requires expressions
+compatibility: partial
+compound_requirement_is_noexcept.rel: delete
+exprs.rel: run exprs.qlo
+params.rel: run params.qlo

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 2.0.2
+
+### Minor Analysis Improvements
+
+* Added taint flow model for `fopen` and related functions.
+* The `SimpleRangeAnalysis` library (`semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`) now generates more precise ranges for calls to `fgetc` and `getc`.
+
+## 2.0.1
+
+No user-facing changes.
+
 ## 2.0.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/2014-10-11-requires-expressions.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added classes `RequiresExpr`, `SimpleRequirementExpr`, `TypeRequirementExpr`, `CompoundRequirementExpr`, and `NestedRequirementExpr` to represent C++20 requires expressions and the simple, type, compound, and nested requirements that can occur in `requires` expressions.

cpp/ql/lib/change-notes/2014-10-16-implicitly-declared-fns.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added the predicate `mayBeFromImplicitlyDeclaredFunction()` to the `Call` class to represent calls that may be the return value of an implicitly declared C function.
+* Added the predicate `getAnExplicitDeclarationEntry()` to the `Function` class to get a `FunctionDeclarationEntry` that is not implicit.

cpp/ql/lib/change-notes/2024-10-16-function-pointer-resolution.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The function call target resolution algorithm has been improved to resolve more calls through function pointers. As a result, dataflow queries may have more results.

cpp/ql/lib/change-notes/2024-10-16-new-api-for-call-target-resolution.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a new predicate `DataFlow::getARuntimeTarget` for getting a function that may be invoked by a `Call` expression. Unlike `Call.getTarget` this new predicate may also resolve function pointers.

cpp/ql/lib/change-notes/released/2.0.1.md

@@ -0,0 +1,3 @@
+## 2.0.1
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/2.0.2.md

@@ -0,0 +1,6 @@
+## 2.0.2
+
+### Minor Analysis Improvements
+
+* Added taint flow model for `fopen` and related functions.
+* The `SimpleRangeAnalysis` library (`semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`) now generates more precise ranges for calls to `fgetc` and `getc`.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.0.0
+lastReleaseVersion: 2.0.2

cpp/ql/lib/cpp.qll

@@ -17,6 +17,7 @@ import semmle.code.cpp.File
 import semmle.code.cpp.Linkage
 import semmle.code.cpp.Location
 import semmle.code.cpp.Compilation
+import semmle.code.cpp.Concept
 import semmle.code.cpp.Element
 import semmle.code.cpp.Namespace
 import semmle.code.cpp.Specifier

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 2.0.0
+version: 2.0.3-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Concept.qll

@@ -0,0 +1,161 @@
+/**
+ * Provides classes for working with C++ concepts.
+ */
+
+import semmle.code.cpp.exprs.Expr
+
+/**
+ * A C++ requires expression.
+ *
+ * For example, with `T` and `U` template parameters:
+ * ```cpp
+ * requires (T x, U y) { x + y; };
+ * ```
+ */
+class RequiresExpr extends Expr, @requires_expr {
+  override string toString() {
+    if exists(this.getAParameter())
+    then result = "requires(...) { ... }"
+    else result = "requires { ... }"
+  }
+
+  override string getAPrimaryQlClass() { result = "RequiresExpr" }
+
+  /**
+   * Gets a requirement in this requires expression.
+   */
+  RequirementExpr getARequirement() { result = this.getAChild() }
+
+  /**
+   * Gets the nth requirement in this requires expression.
+   */
+  RequirementExpr getRequirement(int n) { result = this.getChild(n) }
+
+  /**
+   * Gets the number of requirements in this requires expression.
+   */
+  int getNumberOfRequirements() { result = count(this.getARequirement()) }
+
+  /**
+   * Gets a parameter of this requires expression, if any.
+   */
+  Parameter getAParameter() { result.getRequiresExpr() = underlyingElement(this) }
+
+  /**
+   * Gets the the nth parameter of this requires expression.
+   */
+  Parameter getParameter(int n) {
+    result.getRequiresExpr() = underlyingElement(this) and result.getIndex() = n
+  }
+
+  /**
+   * Gets the number of parameters of this requires expression.
+   */
+  int getNumberOfParameters() { result = count(this.getAParameter()) }
+}
+
+/**
+ * A C++ requirement in a requires expression.
+ */
+class RequirementExpr extends Expr { }
+
+/**
+ * A C++ simple requirement in a requires expression.
+ *
+ * For example, if:
+ * ```cpp
+ * requires(T x, U y) { x + y; };
+ * ```
+ * with `T` and `U` template parameters, then `x + y;` is a simple requirement.
+ */
+class SimpleRequirementExpr extends RequirementExpr {
+  SimpleRequirementExpr() {
+    this.getParent() instanceof RequiresExpr and
+    not this instanceof TypeRequirementExpr and
+    not this instanceof CompoundRequirementExpr and
+    not this instanceof NestedRequirementExpr
+  }
+
+  override string getAPrimaryQlClass() { result = "SimpleRequirementExpr" }
+}
+
+/**
+ * A C++ type requirement in a requires expression.
+ *
+ * For example, if:
+ * ```cpp
+ * requires { typename T::a_field; };
+ * ```
+ * with `T` a template parameter, then `typename T::a_field;` is a type requirement.
+ */
+class TypeRequirementExpr extends RequirementExpr, TypeName {
+  TypeRequirementExpr() { this.getParent() instanceof RequiresExpr }
+
+  override string getAPrimaryQlClass() { result = "TypeRequirementExpr" }
+}
+
+/**
+ * A C++ compound requirement in a requires expression.
+ *
+ * For example, if:
+ * ```cpp
+ * requires(T x) { { x } noexcept -> std::same_as<int>; };
+ * ```
+ * with `T` a template parameter, then `{ x } noexcept -> std::same_as<int>;` is
+ * a compound requirement.
+ */
+class CompoundRequirementExpr extends RequirementExpr, @compound_requirement {
+  override string toString() {
+    if exists(this.getReturnTypeRequirement())
+    then result = "{ ... } -> ..."
+    else result = "{ ... }"
+  }
+
+  override string getAPrimaryQlClass() { result = "CompoundRequirementExpr" }
+
+  /**
+   * Gets the expression from the compound requirement.
+   */
+  Expr getExpr() { result = this.getChild(0) }
+
+  /**
+   * Gets the return type requirement from the compound requirement, if any.
+   */
+  Expr getReturnTypeRequirement() { result = this.getChild(1) }
+
+  /**
+   * Holds if the expression from the compound requirement must not be
+   * potentially throwing.
+   */
+  predicate isNoExcept() { compound_requirement_is_noexcept(underlyingElement(this)) }
+}
+
+/**
+ * A C++ nested requirement in a requires expression.
+ *
+ * For example, if:
+ * ```cpp
+ * requires { requires std::is_same<T, int>::value; };
+ * ```
+ * with `T` a template parameter, then `requires std::is_same<T, int>::value;` is
+ * a nested requirement.
+ */
+class NestedRequirementExpr extends Expr, @nested_requirement {
+  override string toString() { result = "requires ..." }
+
+  override string getAPrimaryQlClass() { result = "NestedRequirementExpr" }
+
+  /**
+   * Gets the constraint from the nested requirement.
+   */
+  Expr getConstraint() { result = this.getChild(0) }
+}
+
+/**
+ * A C++ concept id expression.
+ */
+class ConceptIdExpr extends RequirementExpr, @concept_id {
+  override string toString() { result = "concept<...>" }
+
+  override string getAPrimaryQlClass() { result = "ConceptIdExpr" }
+}

cpp/ql/lib/semmle/code/cpp/Element.qll

@@ -129,7 +129,7 @@ class Element extends ElementBase {
    * or certain kinds of `Statement`.
    */
   Element getParentScope() {
-    // result instanceof class
+    // result instanceof Class
     exists(Declaration m |
       m = this and
       result = m.getDeclaringType() and
@@ -138,31 +138,40 @@ class Element extends ElementBase {
     or
     exists(TemplateClass tc | this = tc.getATemplateArgument() and result = tc)
     or
-    // result instanceof namespace
+    // result instanceof Namespace
     exists(Namespace n | result = n and n.getADeclaration() = this)
     or
     exists(FriendDecl d, Namespace n | this = d and n.getADeclaration() = d and result = n)
     or
     exists(Namespace n | this = n and result = n.getParentNamespace())
     or
-    // result instanceof stmt
+    // result instanceof Stmt
     exists(LocalVariable v |
       this = v and
       exists(DeclStmt ds | ds.getADeclaration() = v and result = ds.getParent())
     )
     or
-    exists(Parameter p | this = p and result = p.getFunction())
+    exists(Parameter p |
+      this = p and
+      (
+        result = p.getFunction() or
+        result = p.getCatchBlock().getParent().(Handler).getParent().(TryStmt).getParent() or
+        result = p.getRequiresExpr().getEnclosingStmt().getParent()
+      )
+    )
     or
     exists(GlobalVariable g, Namespace n | this = g and n.getADeclaration() = g and result = n)
     or
+    exists(TemplateVariable tv | this = tv.getATemplateArgument() and result = tv)
+    or
     exists(EnumConstant e | this = e and result = e.getDeclaringEnum())
     or
-    // result instanceof block|function
+    // result instanceof Block|Function
     exists(BlockStmt b | this = b and blockscope(unresolveElement(b), unresolveElement(result)))
     or
     exists(TemplateFunction tf | this = tf.getATemplateArgument() and result = tf)
     or
-    // result instanceof stmt
+    // result instanceof Stmt
     exists(ControlStructure s | this = s and result = s.getParent())
     or
     using_container(unresolveElement(result), underlyingElement(this))

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -230,6 +230,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
       )
   }
 
+  /**
+   * Gets a non-implicit function declaration entry.
+   */
+  FunctionDeclarationEntry getAnExplicitDeclarationEntry() {
+    result = this.getADeclarationEntry() and
+    not result.isImplicit()
+  }
+
   private predicate declEntry(FunctionDeclarationEntry fde) {
     fun_decls(unresolveElement(fde), underlyingElement(this), _, _, _) and
     // If one .cpp file specializes a function, and another calls the
@@ -500,6 +508,17 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Gets the nearest enclosing AccessHolder.
    */
   override AccessHolder getEnclosingAccessHolder() { result = this.getDeclaringType() }
+
+  /**
+   * Holds if this function has extraction errors that create an `ErrorExpr`.
+   */
+  predicate hasErrors() {
+    exists(ErrorExpr e |
+      e.getEnclosingFunction() = this and
+      // Exclude the first allocator call argument because it is always extracted as `ErrorExpr`.
+      not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
+    )
+  }
 }
 
 pragma[noinline]
@@ -651,7 +670,8 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
 
   /**
    * Holds if this declaration is an implicit function declaration, that is,
-   * where a function is used before it is declared (under older C standards).
+   * where a function is used before it is declared (under older C standards,
+   * or when there were parse errors).
    */
   predicate isImplicit() { fun_implicit(underlyingElement(this)) }
 

cpp/ql/lib/semmle/code/cpp/Parameter.qll

@@ -7,8 +7,8 @@ import semmle.code.cpp.Declaration
 private import semmle.code.cpp.internal.ResolveClass
 
 /**
- * A C/C++ function parameter or catch block parameter. For example the
- * function parameter `p` and the catch block parameter `e` in the following
+ * A C/C++ function parameter, catch block parameter, or requires expression parameter.
+ * For example the function parameter `p` and the catch block parameter `e` in the following
  * code:
  * ```
  * void myFunction(int p) {
@@ -20,8 +20,8 @@ private import semmle.code.cpp.internal.ResolveClass
  * }
  * ```
  *
- * For catch block parameters, there is a one-to-one correspondence between
- * the `Parameter` and its `ParameterDeclarationEntry`.
+ * For catch block parameters and expression , there is a one-to-one
+ * correspondence between the `Parameter` and its `VariableDeclarationEntry`.
  *
  * For function parameters, there is a one-to-many relationship between
  * `Parameter` and `ParameterDeclarationEntry`, because one function can
@@ -73,7 +73,8 @@ class Parameter extends LocalScopeVariable, @parameter {
   }
 
   private VariableDeclarationEntry getANamedDeclarationEntry() {
-    result = this.getAnEffectiveDeclarationEntry() and result.getName() != ""
+    result = this.getAnEffectiveDeclarationEntry() and
+    exists(string name | var_decls(unresolveElement(result), _, _, name, _) | name != "")
   }
 
   /**
@@ -118,6 +119,12 @@ class Parameter extends LocalScopeVariable, @parameter {
    */
   BlockStmt getCatchBlock() { params(underlyingElement(this), unresolveElement(result), _, _) }
 
+  /**
+   * Gets the requires expression to which the parameter belongs, if it is a
+   * requires expression parameter.
+   */
+  RequiresExpr getRequiresExpr() { params(underlyingElement(this), unresolveElement(result), _, _) }
+
   /**
    * Gets the zero-based index of this parameter.
    *

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -80,6 +80,10 @@ private Declaration getAnEnclosingDeclaration(Locatable ast) {
   or
   result = ast.(Parameter).getFunction()
   or
+  result = ast.(Parameter).getCatchBlock().getEnclosingFunction()
+  or
+  result = ast.(Parameter).getRequiresExpr().getEnclosingFunction()
+  or
   result = ast.(Expr).getEnclosingDeclaration()
   or
   result = ast.(Initializer).getDeclaration()
@@ -99,7 +103,10 @@ private newtype TPrintAstNode =
     stmt.getADeclarationEntry() = entry and
     shouldPrintDeclaration(stmt.getEnclosingFunction())
   } or
-  TParametersNode(Function func) { shouldPrintDeclaration(func) } or
+  TFunctionParametersNode(Function func) { shouldPrintDeclaration(func) } or
+  TRequiresExprParametersNode(RequiresExpr req) {
+    shouldPrintDeclaration(getAnEnclosingDeclaration(req))
+  } or
   TConstructorInitializersNode(Constructor ctor) {
     ctor.hasEntryPoint() and
     shouldPrintDeclaration(ctor)
@@ -303,14 +310,14 @@ class ExprNode extends AstNode {
 
   ExprNode() { expr = ast }
 
-  override AstNode getChildInternal(int childIndex) {
-    result.getAst() = expr.getChild(childIndex)
+  override PrintAstNode getChildInternal(int childIndex) {
+    result.(AstNode).getAst() = expr.getChild(childIndex)
     or
     childIndex = max(int index | exists(expr.getChild(index)) or index = 0) + 1 and
-    result.getAst() = expr.(ConditionDeclExpr).getInitializingExpr()
+    result.(AstNode).getAst() = expr.(ConditionDeclExpr).getInitializingExpr()
     or
     exists(int destructorIndex |
-      result.getAst() = expr.getImplicitDestructorCall(destructorIndex) and
+      result.(AstNode).getAst() = expr.getImplicitDestructorCall(destructorIndex) and
       childIndex = destructorIndex + max(int index | exists(expr.getChild(index)) or index = 0) + 2
     )
   }
@@ -329,7 +336,8 @@ class ExprNode extends AstNode {
   }
 
   override string getChildAccessorPredicateInternal(int childIndex) {
-    result = getChildAccessorWithoutConversions(ast, this.getChildInternal(childIndex).getAst())
+    result =
+      getChildAccessorWithoutConversions(ast, this.getChildInternal(childIndex).(AstNode).getAst())
   }
 
   /**
@@ -409,6 +417,26 @@ class StmtExprNode extends ExprNode {
   }
 }
 
+/**
+ * A node representing a `RequiresExpr`
+ */
+class RequiresExprNode extends ExprNode {
+  override RequiresExpr expr;
+
+  override PrintAstNode getChildInternal(int childIndex) {
+    result = super.getChildInternal(childIndex)
+    or
+    childIndex = -1 and
+    result.(RequiresExprParametersNode).getRequiresExpr() = expr
+  }
+
+  override string getChildAccessorPredicateInternal(int childIndex) {
+    result = super.getChildAccessorPredicateInternal(childIndex)
+    or
+    childIndex = -1 and result = "<params>"
+  }
+}
+
 /**
  * A node representing a `DeclarationEntry`.
  */
@@ -510,6 +538,22 @@ class DeclStmtNode extends StmtNode {
   }
 }
 
+/**
+ * A node representing a `Handler`.
+ */
+class HandlerNode extends ChildStmtNode {
+  Handler handler;
+
+  HandlerNode() { handler = stmt }
+
+  override BaseAstNode getChildInternal(int childIndex) {
+    result = super.getChildInternal(childIndex)
+    or
+    childIndex = -1 and
+    result.getAst() = handler.getParameter()
+  }
+}
+
 /**
  * A node representing a `Parameter`.
  */
@@ -552,10 +596,10 @@ class InitializerNode extends AstNode {
 /**
  * A node representing the parameters of a `Function`.
  */
-class ParametersNode extends PrintAstNode, TParametersNode {
+class FunctionParametersNode extends PrintAstNode, TFunctionParametersNode {
   Function func;
 
-  ParametersNode() { this = TParametersNode(func) }
+  FunctionParametersNode() { this = TFunctionParametersNode(func) }
 
   final override string toString() { result = "" }
 
@@ -576,6 +620,33 @@ class ParametersNode extends PrintAstNode, TParametersNode {
   final Function getFunction() { result = func }
 }
 
+/**
+ * A node representing the parameters of a `RequiresExpr`.
+ */
+class RequiresExprParametersNode extends PrintAstNode, TRequiresExprParametersNode {
+  RequiresExpr req;
+
+  RequiresExprParametersNode() { this = TRequiresExprParametersNode(req) }
+
+  final override string toString() { result = "" }
+
+  final override Location getLocation() { result = getRepresentativeLocation(req) }
+
+  override AstNode getChildInternal(int childIndex) {
+    result.getAst() = req.getParameter(childIndex)
+  }
+
+  override string getChildAccessorPredicateInternal(int childIndex) {
+    exists(this.getChildInternal(childIndex)) and
+    result = "getParameter(" + childIndex.toString() + ")"
+  }
+
+  /**
+   * Gets the `RequiresExpr` for which this node represents the parameters.
+   */
+  final RequiresExpr getRequiresExpr() { result = req }
+}
+
 /**
  * A node representing the initializer list of a `Constructor`.
  */
@@ -679,7 +750,7 @@ class FunctionNode extends FunctionOrGlobalOrNamespaceVariableNode {
 
   override PrintAstNode getChildInternal(int childIndex) {
     childIndex = 0 and
-    result.(ParametersNode).getFunction() = func
+    result.(FunctionParametersNode).getFunction() = func
     or
     childIndex = 1 and
     result.(ConstructorInitializersNode).getConstructor() = func
@@ -754,6 +825,8 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
     or
     s.(ConstexprIfStmt).getElse() = e and pred = "getElse()"
     or
+    s.(Handler).getParameter() = e and pred = "getParameter()"
+    or
     s.(IfStmt).getInitialization() = e and pred = "getInitialization()"
     or
     s.(IfStmt).getCondition() = e and pred = "getCondition()"
@@ -901,6 +974,11 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(CommaExpr).getRightOperand() = ele and pred = "getRightOperand()"
     or
+    expr.(CompoundRequirementExpr).getExpr() = ele and pred = "getExpr()"
+    or
+    expr.(CompoundRequirementExpr).getReturnTypeRequirement() = ele and
+    pred = "getReturnTypeRequirement()"
+    or
     expr.(ConditionDeclExpr).getVariableAccess() = ele and pred = "getVariableAccess()"
     or
     expr.(ConstructorFieldInit).getExpr() = ele and pred = "getExpr()"
@@ -921,6 +999,8 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(LambdaExpression).getInitializer() = ele and pred = "getInitializer()"
     or
+    expr.(NestedRequirementExpr).getConstraint() = ele and pred = "getConstraint()"
+    or
     expr.(NewOrNewArrayExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
     or
     expr.(NewOrNewArrayExpr).getAlignmentArgument() = ele and pred = "getAlignmentArgument()"
@@ -960,6 +1040,11 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(UnaryOperation).getOperand() = ele and pred = "getOperand()"
     or
+    exists(int n |
+      expr.(RequiresExpr).getRequirement(n) = ele and
+      pred = "getRequirement(" + n + ")"
+    )
+    or
     expr.(SizeofExprOperator).getExprOperand() = ele and pred = "getExprOperand()"
     or
     expr.(StmtExpr).getStmt() = ele and pred = "getStmt()"

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -39,8 +39,8 @@ class Type extends Locatable, @type {
 
   /**
    * Gets a specifier of this type, recursively looking through `typedef` and
-   * `decltype`. For example, in the context of `typedef const int *restrict
-   * t`, the type `volatile t` has specifiers `volatile` and `restrict` but not
+   * `decltype`. For example, in the context of `typedef const int *restrict t`,
+   * the type `volatile t` has specifiers `volatile` and `restrict` but not
    * `const` since the `const` is attached to the type being pointed to rather
    * than the pointer itself.
    */

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -241,6 +241,10 @@ class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
         name != "" and result = name
         or
         name = "" and result = this.getVariable().(LocalVariable).getName()
+        or
+        name = "" and
+        not this instanceof ParameterDeclarationEntry and
+        result = this.getVariable().(Parameter).getName()
       )
     )
   }
@@ -295,19 +299,11 @@ class ParameterDeclarationEntry extends VariableDeclarationEntry {
 
   private string getAnonymousParameterDescription() {
     not exists(this.getName()) and
-    exists(string idx |
-      idx =
-        ((this.getIndex() + 1).toString() + "th")
-            .replaceAll("1th", "1st")
-            .replaceAll("2th", "2nd")
-            .replaceAll("3th", "3rd")
-            .replaceAll("11st", "11th")
-            .replaceAll("12nd", "12th")
-            .replaceAll("13rd", "13th") and
+    exists(string anon |
+      anon = "(unnamed parameter " + this.getIndex().toString() + ")" and
       if exists(this.getCanonicalName())
-      then
-        result = "declaration of " + this.getCanonicalName() + " as anonymous " + idx + " parameter"
-      else result = "declaration of " + idx + " parameter"
+      then result = "declaration of " + this.getCanonicalName() + " as " + anon
+      else result = "declaration of " + anon
     )
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig {
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig {
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig {
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig {
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig {
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -149,6 +149,11 @@ class Call extends Expr, NameQualifiableElement, TCall {
     variableAddressEscapesTreeNonConst(va, this.getQualifier().getFullyConverted()) and
     i = -1
   }
+
+  /** Holds if this expression could be the return value of an implicitly declared function. */
+  predicate mayBeFromImplicitlyDeclaredFunction() {
+    this.getTarget().getADeclarationEntry().isImplicit()
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/internal/QualifiedName.qll

@@ -181,12 +181,7 @@ class VariableDeclarationEntry extends @var_decl {
   string getName() { var_decls(this, _, _, result, _) and result != "" }
 }
 
-class Parameter extends LocalScopeVariable, @parameter {
-  @functionorblock function;
-  int index;
-
-  Parameter() { params(this, function, index, _) }
-}
+class Parameter extends LocalScopeVariable, @parameter { }
 
 class GlobalOrNamespaceVariable extends Variable, @globalvariable { }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig {
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig {
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig {
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig {
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1328,7 +1328,10 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
 
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
-  call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode() and
+  (
+    call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode() or
+    call.asCallInstruction().getCallTargetOperand() = receiver.asOperand()
+  ) and
   exists(kind)
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -17,6 +17,7 @@ private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
 private import Node0ToString
+private import DataFlowDispatch as DataFlowDispatch
 import ExprNodes
 
 /**
@@ -2497,3 +2498,16 @@ class AdditionalCallTarget extends Unit {
    */
   abstract Declaration viableTarget(Call call);
 }
+
+/**
+ * Gets a function that may be called by `call`.
+ *
+ * Note that `call` may be a call to a function pointer expression.
+ */
+Function getARuntimeTarget(Call call) {
+  exists(DataFlowCall dfCall | dfCall.asCallInstruction().getUnconvertedResultExpression() = call |
+    result = DataFlowDispatch::viableCallable(dfCall).asSourceCallable()
+    or
+    result = DataFlowImplCommon::viableCallableLambda(dfCall, _).asSourceCallable()
+  )
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll

@@ -546,7 +546,7 @@ module ProductFlow {
       Flow1::PathGraph::edges(pred1, succ1, _, _) and
       exists(ReturnKindExt returnKind |
         succ1.getNode() = returnKind.getAnOutNode(call) and
-        paramReturnNode(_, pred1.asParameterReturnNode(), _, returnKind)
+        returnKind = getParamReturnPosition(_, pred1.asParameterReturnNode()).getKind()
       )
     }
 
@@ -574,7 +574,7 @@ module ProductFlow {
       Flow2::PathGraph::edges(pred2, succ2, _, _) and
       exists(ReturnKindExt returnKind |
         succ2.getNode() = returnKind.getAnOutNode(call) and
-        paramReturnNode(_, pred2.asParameterReturnNode(), _, returnKind)
+        returnKind = getParamReturnPosition(_, pred2.asParameterReturnNode()).getKind()
       )
     }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll

@@ -6,6 +6,112 @@
  * uses, however, it is better to write a query that imports `PrintIR.qll`, extends
  * `PrintIRConfiguration`, and overrides `shouldPrintDeclaration()` to select a subset of declarations
  * to dump.
+ *
+ * Anatomy of a printed IR instruction
+ *
+ * An instruction:
+ *
+ * ```
+ * # 2281|     v2281_19(void) = Call[~String]     : func:r2281_18, this:r2281_17
+ * ```
+ *
+ * The prefix `# 2281|` specifies that this instruction was generated by the C++ source code on line 2281.
+ * Scrolling up in the printed output, one will eventually find the name of the file to which the line
+ * belongs.
+ *
+ * `v2281_19(void)` is the result of the instruction. Here, `v` means this is a void result or operand (so
+ * there should be no later uses of the result; see below for other possible values). The `2281_19` is a
+ * unique ID for the result. This is usually just the line number plus a small integer suffix to make it
+ * unique within the function. The type of the result is `void`. In this case, it is `void`, because
+ * `~String` returns `void`. The type of the result is usually just the name of the appropriate C++ type,
+ * but it will sometimes be a type like `glval<int>`, which means result holds a glvalue, which at the
+ * IR level works like a pointer. In other words, in the source code the type was `int`, but it is really
+ * more like an `int*`. We see this, for example, in `x = y;`, where `x` is a glvalue.
+ *
+ * `Call` is the opcode of the instruction. Common opcodes include:
+ *
+ * * Arithmetic operations: `Add`, `Sub`, `Mul`, etc.
+ * * Memory access operations: `Load`, `Store`.
+ * * Function calls: `Call`.
+ * * Literals: `Constant`.
+ * * Variable addresses: `VariableAddress`.
+ * * Function entry points: `EnterFunction`.
+ * * Return from a function: `Return`, `ReturnVoid`. Note that the value being returned is set separately by a
+ *   `Store` to a special `#return` variable.
+ * * Stack unwinding for C++ function that throw and where the exception escapes the function: `Unwind`.
+ * * Common exit point for `Unwind` and `Return`: `ExitFunction`.
+ * * SSA-related opcodes: `Phi`, `Chi`.
+ *
+ * `[~String]` denotes additional information. The information might be present earlier in the IR, as is the case
+ * for `Call`, where it is the name of the called function. This is also the case for `Load` and `Store`, where it
+ * is the name of the variable that loaded or stored (if known). In the case of `Constant`, `FieldAddress`, and
+ * `VariableAddress`, the information between brackets does not occur earlier.
+ *
+ * `func:r2281_18` and `this:r28281_17` are the operands of the instruction. The `func:` prefix denotes the operand
+ * that holds the address of the called function. The `this:` prefix denotes the argument to the special `this`
+ * parameter of an instance member function. `r2281_18`, `r2281_17` are the unique IDs of the operands. Each of these
+ * matches the ID of a previously seen result, showing where that value came from. The `r` means that these are
+ * "register" operands (see below).
+ *
+ * Result and operand kinds:
+ *
+ * Every result and operand is one of these three kinds:
+ *
+ * * `r` "register". These operands are not stored in any particular memory location. We can think of them as
+ *   temporary values created during the evaluation of an expression. A register operand almost always has one
+ *   use, often in the same block as its definition.
+ * *  `m` "memory". These operands represents accesses to a specific memory location. The location could be a
+ *    local variable, a global variable, a field of an object, an element of an array, or any memory that we happen
+ *    to have a pointer to. These only occur as the result of a `Store`, the source operand of a `Load` or on the
+ *    SSA instructions (`Phi`, `Chi`).
+ * * `v` "void". Really just a register operand, but we mark register operands of type void with this special prefix
+ *   so we know that there is no actual value there.
+ *
+ * Branches in the IR:
+ *
+ * The IR is divided into basic blocks. At the end of each block, there are one or more edges showing the possible
+ * control flow successors of the block.
+ *
+ * ```
+ * #   44|     v44_3(void)    = ConditionalBranch : r44_2
+ * #-----|   False -> Block 4
+ * #-----|   True -> Block 3
+ * ```
+ * Here we have a block that ends with a conditional branch. The two edges show where the control flows to depending
+ * on whether the condition is true or false.
+ *
+ * SSA instructions:
+ *
+ * We use `Phi` instructions in SSA to create a single definition for a variable that might be assigned on multiple
+ * control flow paths. The `Phi` instruction merges the potential values of that variable from each predecessor edge,
+ * and the resulting definition is then used wherever that variable is accessed later on.
+ *
+ * When dealing with aliased memory, we use the `Chi` instruction to create a single definition for memory that might
+ * or might not have been updated by a store, depending on the actual address that was written to. For example, take:
+ *
+ * ```cpp
+ * int x = 5;
+ * int y = 7;
+ * int* p = condition ? &x : &y;
+ * *p = 6;
+ * return x;
+ * ```
+ *
+ * At the point where we store to `*p`, we do not know whether `p` points to `x` or `y`. Thus, we do not know whether
+ * `return x;` is going to return the value that `x` was originally initialized to (5), or whether it will return 6,
+ *  because it was overwritten by `*p = 6;`. We insert a `Chi` instruction immediately after the store to `*p`:
+ *
+ * ```
+ * r2(int)     = Constant[6]
+ * r3(int*)    = <<value of p>>
+ * m4(int)     = Store           : &r3, r2  // Stores the constant 6 to *p
+ * m5(unknown) = Chi             : total:m1, partial:m4
+ * ```
+ * The `partial:` operand represents the memory that was just stored. The `total:` operand represents the previous
+ * contents of all of the memory that `p` might have pointed to (in this case, both `x` and `y`). The result of the
+ * `Chi` represents the new contents of whatever memory the `total:` operand referred to. We usually do not know exactly
+ * which parts of that memory were overwritten, but it does model that any of that memory could have been modified, so
+ * that later instructions do not assume that the memory was unchanged.
  */
 
 private import internal.IRInternal

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -683,8 +683,13 @@ private Overlap getExtentOverlap(MemoryLocation0 def, MemoryLocation0 use) {
     def.getVirtualVariable() = use.getVirtualVariable() and
     def instanceof EntireAllocationMemoryLocation and
     (
-      // EntireAllocationMemoryLocation exactly overlaps itself.
-      use instanceof EntireAllocationMemoryLocation and
+      // EntireAllocationMemoryLocation exactly overlaps any EntireAllocationMemoryLocation for the
+      // same allocation. Checking the allocation, rather than the memory location itself, ensures
+      // that we get the right relationship between the "must" and "may" memory locations for that
+      // allocation.
+      // Note that if one of the locations is a "may" access, the overlap will be downgraded to
+      // `MustTotallyOverlap` or `MayPartialOverlap` in `getOverlap()`.
+      use.(EntireAllocationMemoryLocation).getAnAllocation() = def.getAnAllocation() and
       result instanceof MustExactlyOverlap
       or
       not use instanceof EntireAllocationMemoryLocation and

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll

@@ -6,6 +6,112 @@
  * uses, however, it is better to write a query that imports `PrintIR.qll`, extends
  * `PrintIRConfiguration`, and overrides `shouldPrintDeclaration()` to select a subset of declarations
  * to dump.
+ *
+ * Anatomy of a printed IR instruction
+ *
+ * An instruction:
+ *
+ * ```
+ * # 2281|     v2281_19(void) = Call[~String]     : func:r2281_18, this:r2281_17
+ * ```
+ *
+ * The prefix `# 2281|` specifies that this instruction was generated by the C++ source code on line 2281.
+ * Scrolling up in the printed output, one will eventually find the name of the file to which the line
+ * belongs.
+ *
+ * `v2281_19(void)` is the result of the instruction. Here, `v` means this is a void result or operand (so
+ * there should be no later uses of the result; see below for other possible values). The `2281_19` is a
+ * unique ID for the result. This is usually just the line number plus a small integer suffix to make it
+ * unique within the function. The type of the result is `void`. In this case, it is `void`, because
+ * `~String` returns `void`. The type of the result is usually just the name of the appropriate C++ type,
+ * but it will sometimes be a type like `glval<int>`, which means result holds a glvalue, which at the
+ * IR level works like a pointer. In other words, in the source code the type was `int`, but it is really
+ * more like an `int*`. We see this, for example, in `x = y;`, where `x` is a glvalue.
+ *
+ * `Call` is the opcode of the instruction. Common opcodes include:
+ *
+ * * Arithmetic operations: `Add`, `Sub`, `Mul`, etc.
+ * * Memory access operations: `Load`, `Store`.
+ * * Function calls: `Call`.
+ * * Literals: `Constant`.
+ * * Variable addresses: `VariableAddress`.
+ * * Function entry points: `EnterFunction`.
+ * * Return from a function: `Return`, `ReturnVoid`. Note that the value being returned is set separately by a
+ *   `Store` to a special `#return` variable.
+ * * Stack unwinding for C++ function that throw and where the exception escapes the function: `Unwind`.
+ * * Common exit point for `Unwind` and `Return`: `ExitFunction`.
+ * * SSA-related opcodes: `Phi`, `Chi`.
+ *
+ * `[~String]` denotes additional information. The information might be present earlier in the IR, as is the case
+ * for `Call`, where it is the name of the called function. This is also the case for `Load` and `Store`, where it
+ * is the name of the variable that loaded or stored (if known). In the case of `Constant`, `FieldAddress`, and
+ * `VariableAddress`, the information between brackets does not occur earlier.
+ *
+ * `func:r2281_18` and `this:r28281_17` are the operands of the instruction. The `func:` prefix denotes the operand
+ * that holds the address of the called function. The `this:` prefix denotes the argument to the special `this`
+ * parameter of an instance member function. `r2281_18`, `r2281_17` are the unique IDs of the operands. Each of these
+ * matches the ID of a previously seen result, showing where that value came from. The `r` means that these are
+ * "register" operands (see below).
+ *
+ * Result and operand kinds:
+ *
+ * Every result and operand is one of these three kinds:
+ *
+ * * `r` "register". These operands are not stored in any particular memory location. We can think of them as
+ *   temporary values created during the evaluation of an expression. A register operand almost always has one
+ *   use, often in the same block as its definition.
+ * *  `m` "memory". These operands represents accesses to a specific memory location. The location could be a
+ *    local variable, a global variable, a field of an object, an element of an array, or any memory that we happen
+ *    to have a pointer to. These only occur as the result of a `Store`, the source operand of a `Load` or on the
+ *    SSA instructions (`Phi`, `Chi`).
+ * * `v` "void". Really just a register operand, but we mark register operands of type void with this special prefix
+ *   so we know that there is no actual value there.
+ *
+ * Branches in the IR:
+ *
+ * The IR is divided into basic blocks. At the end of each block, there are one or more edges showing the possible
+ * control flow successors of the block.
+ *
+ * ```
+ * #   44|     v44_3(void)    = ConditionalBranch : r44_2
+ * #-----|   False -> Block 4
+ * #-----|   True -> Block 3
+ * ```
+ * Here we have a block that ends with a conditional branch. The two edges show where the control flows to depending
+ * on whether the condition is true or false.
+ *
+ * SSA instructions:
+ *
+ * We use `Phi` instructions in SSA to create a single definition for a variable that might be assigned on multiple
+ * control flow paths. The `Phi` instruction merges the potential values of that variable from each predecessor edge,
+ * and the resulting definition is then used wherever that variable is accessed later on.
+ *
+ * When dealing with aliased memory, we use the `Chi` instruction to create a single definition for memory that might
+ * or might not have been updated by a store, depending on the actual address that was written to. For example, take:
+ *
+ * ```cpp
+ * int x = 5;
+ * int y = 7;
+ * int* p = condition ? &x : &y;
+ * *p = 6;
+ * return x;
+ * ```
+ *
+ * At the point where we store to `*p`, we do not know whether `p` points to `x` or `y`. Thus, we do not know whether
+ * `return x;` is going to return the value that `x` was originally initialized to (5), or whether it will return 6,
+ *  because it was overwritten by `*p = 6;`. We insert a `Chi` instruction immediately after the store to `*p`:
+ *
+ * ```
+ * r2(int)     = Constant[6]
+ * r3(int*)    = <<value of p>>
+ * m4(int)     = Store           : &r3, r2  // Stores the constant 6 to *p
+ * m5(unknown) = Chi             : total:m1, partial:m4
+ * ```
+ * The `partial:` operand represents the memory that was just stored. The `total:` operand represents the previous
+ * contents of all of the memory that `p` might have pointed to (in this case, both `x` and `y`). The result of the
+ * `Chi` represents the new contents of whatever memory the `total:` operand referred to. We usually do not know exactly
+ * which parts of that memory were overwritten, but it does model that any of that memory could have been modified, so
+ * that later instructions do not assume that the memory was unchanged.
  */
 
 private import internal.IRInternal

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll

@@ -6,6 +6,112 @@
  * uses, however, it is better to write a query that imports `PrintIR.qll`, extends
  * `PrintIRConfiguration`, and overrides `shouldPrintDeclaration()` to select a subset of declarations
  * to dump.
+ *
+ * Anatomy of a printed IR instruction
+ *
+ * An instruction:
+ *
+ * ```
+ * # 2281|     v2281_19(void) = Call[~String]     : func:r2281_18, this:r2281_17
+ * ```
+ *
+ * The prefix `# 2281|` specifies that this instruction was generated by the C++ source code on line 2281.
+ * Scrolling up in the printed output, one will eventually find the name of the file to which the line
+ * belongs.
+ *
+ * `v2281_19(void)` is the result of the instruction. Here, `v` means this is a void result or operand (so
+ * there should be no later uses of the result; see below for other possible values). The `2281_19` is a
+ * unique ID for the result. This is usually just the line number plus a small integer suffix to make it
+ * unique within the function. The type of the result is `void`. In this case, it is `void`, because
+ * `~String` returns `void`. The type of the result is usually just the name of the appropriate C++ type,
+ * but it will sometimes be a type like `glval<int>`, which means result holds a glvalue, which at the
+ * IR level works like a pointer. In other words, in the source code the type was `int`, but it is really
+ * more like an `int*`. We see this, for example, in `x = y;`, where `x` is a glvalue.
+ *
+ * `Call` is the opcode of the instruction. Common opcodes include:
+ *
+ * * Arithmetic operations: `Add`, `Sub`, `Mul`, etc.
+ * * Memory access operations: `Load`, `Store`.
+ * * Function calls: `Call`.
+ * * Literals: `Constant`.
+ * * Variable addresses: `VariableAddress`.
+ * * Function entry points: `EnterFunction`.
+ * * Return from a function: `Return`, `ReturnVoid`. Note that the value being returned is set separately by a
+ *   `Store` to a special `#return` variable.
+ * * Stack unwinding for C++ function that throw and where the exception escapes the function: `Unwind`.
+ * * Common exit point for `Unwind` and `Return`: `ExitFunction`.
+ * * SSA-related opcodes: `Phi`, `Chi`.
+ *
+ * `[~String]` denotes additional information. The information might be present earlier in the IR, as is the case
+ * for `Call`, where it is the name of the called function. This is also the case for `Load` and `Store`, where it
+ * is the name of the variable that loaded or stored (if known). In the case of `Constant`, `FieldAddress`, and
+ * `VariableAddress`, the information between brackets does not occur earlier.
+ *
+ * `func:r2281_18` and `this:r28281_17` are the operands of the instruction. The `func:` prefix denotes the operand
+ * that holds the address of the called function. The `this:` prefix denotes the argument to the special `this`
+ * parameter of an instance member function. `r2281_18`, `r2281_17` are the unique IDs of the operands. Each of these
+ * matches the ID of a previously seen result, showing where that value came from. The `r` means that these are
+ * "register" operands (see below).
+ *
+ * Result and operand kinds:
+ *
+ * Every result and operand is one of these three kinds:
+ *
+ * * `r` "register". These operands are not stored in any particular memory location. We can think of them as
+ *   temporary values created during the evaluation of an expression. A register operand almost always has one
+ *   use, often in the same block as its definition.
+ * *  `m` "memory". These operands represents accesses to a specific memory location. The location could be a
+ *    local variable, a global variable, a field of an object, an element of an array, or any memory that we happen
+ *    to have a pointer to. These only occur as the result of a `Store`, the source operand of a `Load` or on the
+ *    SSA instructions (`Phi`, `Chi`).
+ * * `v` "void". Really just a register operand, but we mark register operands of type void with this special prefix
+ *   so we know that there is no actual value there.
+ *
+ * Branches in the IR:
+ *
+ * The IR is divided into basic blocks. At the end of each block, there are one or more edges showing the possible
+ * control flow successors of the block.
+ *
+ * ```
+ * #   44|     v44_3(void)    = ConditionalBranch : r44_2
+ * #-----|   False -> Block 4
+ * #-----|   True -> Block 3
+ * ```
+ * Here we have a block that ends with a conditional branch. The two edges show where the control flows to depending
+ * on whether the condition is true or false.
+ *
+ * SSA instructions:
+ *
+ * We use `Phi` instructions in SSA to create a single definition for a variable that might be assigned on multiple
+ * control flow paths. The `Phi` instruction merges the potential values of that variable from each predecessor edge,
+ * and the resulting definition is then used wherever that variable is accessed later on.
+ *
+ * When dealing with aliased memory, we use the `Chi` instruction to create a single definition for memory that might
+ * or might not have been updated by a store, depending on the actual address that was written to. For example, take:
+ *
+ * ```cpp
+ * int x = 5;
+ * int y = 7;
+ * int* p = condition ? &x : &y;
+ * *p = 6;
+ * return x;
+ * ```
+ *
+ * At the point where we store to `*p`, we do not know whether `p` points to `x` or `y`. Thus, we do not know whether
+ * `return x;` is going to return the value that `x` was originally initialized to (5), or whether it will return 6,
+ *  because it was overwritten by `*p = 6;`. We insert a `Chi` instruction immediately after the store to `*p`:
+ *
+ * ```
+ * r2(int)     = Constant[6]
+ * r3(int*)    = <<value of p>>
+ * m4(int)     = Store           : &r3, r2  // Stores the constant 6 to *p
+ * m5(unknown) = Chi             : total:m1, partial:m4
+ * ```
+ * The `partial:` operand represents the memory that was just stored. The `total:` operand represents the previous
+ * contents of all of the memory that `p` might have pointed to (in this case, both `x` and `y`). The result of the
+ * `Chi` represents the new contents of whatever memory the `total:` operand referred to. We usually do not know exactly
+ * which parts of that memory were overwritten, but it does model that any of that memory could have been modified, so
+ * that later instructions do not assume that the memory was unchanged.
  */
 
 private import internal.IRInternal

cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll

@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
 /** The function `fopen` and friends. */
-private class Fopen extends Function, AliasFunction, SideEffectFunction {
+private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFunction {
   Fopen() {
     this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
     or
@@ -47,4 +47,22 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction {
     i = 0 and
     buffer = true
   }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      this.hasGlobalOrStdName(["fopen", "freopen"]) or
+      this.hasGlobalName(["_wfopen", "_fsopen", "_wfsopen"])
+    ) and
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    or
+    // The out parameter is a pointer to a `FILE*`.
+    this.hasGlobalOrStdName("fopen_s") and
+    input.isParameterDeref(1) and
+    output.isParameterDeref(0, 2)
+    or
+    this.hasGlobalName(["_open", "_wopen"]) and
+    input.isParameterDeref(0) and
+    output.isReturnValue()
+  }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll

@@ -91,7 +91,7 @@ private class Sprintf extends FormattingFunction, NonThrowingFunction {
   override int getFirstFormatArgumentIndex() {
     if this.hasName("__builtin___sprintf_chk")
     then result = 4
-    else result = this.getNumberOfParameters()
+    else result = super.getFirstFormatArgumentIndex()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll

@@ -42,6 +42,21 @@ private Type getAFormatterWideTypeOrDefault() {
  * A standard library function that uses a `printf`-like formatting string.
  */
 abstract class FormattingFunction extends ArrayFunction, TaintFunction {
+  int firstFormatArgumentIndex;
+
+  FormattingFunction() {
+    firstFormatArgumentIndex > 0 and
+    if this.hasDefinition()
+    then firstFormatArgumentIndex = this.getDefinition().getNumberOfParameters()
+    else
+      if this instanceof BuiltInFunction
+      then firstFormatArgumentIndex = this.getNumberOfParameters()
+      else
+        forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
+          firstFormatArgumentIndex = fde.getNumberOfParameters()
+        )
+  }
+
   /** Gets the position at which the format parameter occurs. */
   abstract int getFormatParameterIndex();
 
@@ -118,21 +133,10 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
 
   /**
    * Gets the position of the first format argument, corresponding with
-   * the first format specifier in the format string.
+   * the first format specifier in the format string. We ignore all
+   * implicit function definitions.
    */
-  int getFirstFormatArgumentIndex() {
-    result = this.getNumberOfParameters() and
-    // the formatting function either has a definition in the snapshot, or all
-    // `DeclarationEntry`s agree on the number of parameters (otherwise we don't
-    // really know the correct number)
-    (
-      this.hasDefinition()
-      or
-      forall(FunctionDeclarationEntry fde | fde = this.getADeclarationEntry() |
-        result = fde.getNumberOfParameters()
-      )
-    )
-  }
+  int getFirstFormatArgumentIndex() { result = firstFormatArgumentIndex }
 
   /**
    * Gets the position of the buffer size argument, if any.

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -192,6 +192,37 @@ private class UnsignedMulExpr extends MulExpr {
   }
 }
 
+/**
+ * Gets the value of the `EOF` macro.
+ *
+ * This is typically `"-1"`, but this is not guaranteed to be the case on all
+ * systems.
+ */
+private int getEofValue() {
+  exists(MacroInvocation mi |
+    mi.getMacroName() = "EOF" and
+    result = unique( | | mi.getExpr().getValue().toInt())
+  )
+}
+
+/** Get standard `getc` function or related variants. */
+private class Getc extends Function {
+  Getc() { this.hasGlobalOrStdOrBslName(["fgetc", "getc"]) }
+}
+
+/** A call to `getc` */
+private class CallToGetc extends FunctionCall {
+  CallToGetc() { this.getTarget() instanceof Getc }
+}
+
+/**
+ * A call to `getc` that we can analyze because we know
+ * the value of the `EOF` macro.
+ */
+private class AnalyzableCallToGetc extends CallToGetc {
+  AnalyzableCallToGetc() { exists(getEofValue()) }
+}
+
 /**
  * Holds if `expr` is effectively a multiplication of `operand` with the
  * positive constant `positive`.
@@ -287,6 +318,8 @@ private predicate analyzableExpr(Expr e) {
     or
     e instanceof RemExpr
     or
+    e instanceof AnalyzableCallToGetc
+    or
     // A conversion is analyzable, provided that its child has an arithmetic
     // type. (Sometimes the child is a reference type, and so does not get
     // any bounds.) Rather than checking whether the type of the child is
@@ -861,6 +894,14 @@ private float getLowerBoundsImpl(Expr expr) {
       )
     )
     or
+    exists(AnalyzableCallToGetc getc |
+      expr = getc and
+      // from https://en.cppreference.com/w/c/io/fgetc:
+      // On success, returns the obtained character as an unsigned char
+      // converted to an int. On failure, returns EOF.
+      result = min([typeLowerBound(any(UnsignedCharType pct)), getEofValue()])
+    )
+    or
     // If the conversion is to an arithmetic type then we just return the
     // lower bound of the child. We do not need to handle truncation and
     // overflow here, because that is done in `getTruncatedLowerBounds`.
@@ -1055,6 +1096,14 @@ private float getUpperBoundsImpl(Expr expr) {
       )
     )
     or
+    exists(AnalyzableCallToGetc getc |
+      expr = getc and
+      // from https://en.cppreference.com/w/c/io/fgetc:
+      // On success, returns the obtained character as an unsigned char
+      // converted to an int. On failure, returns EOF.
+      result = max([typeUpperBound(any(UnsignedCharType pct)), getEofValue()])
+    )
+    or
     // If the conversion is to an arithmetic type then we just return the
     // upper bound of the child. We do not need to handle truncation and
     // overflow here, because that is done in `getTruncatedUpperBounds`.

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll

@@ -160,6 +160,26 @@ private module InvalidPointerToDerefBarrier {
   }
 }
 
+/**
+ * BEWARE: This configuration uses an unrestricted sink, so accessing its full
+ * flow computation or any stages beyond the first 2 will likely diverge.
+ * Stage 1 will still be fast and we use it to restrict the subsequent sink
+ * computation.
+ */
+private module InvalidPointerReachesConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { invalidPointerToDerefSource(_, _, source) }
+
+  predicate isSink(DataFlow::Node sink) { any() }
+
+  predicate isBarrier(DataFlow::Node node) { InvalidPointerToDerefConfig::isBarrier(node) }
+
+  int fieldFlowBranchLimit() { result = invalidPointerToDereferenceFieldFlowBranchLimit() }
+}
+
+private module InvalidPointerReachesFlow = DataFlow::Global<InvalidPointerReachesConfig>;
+
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
+
 /**
  * A configuration to track flow from a pointer-arithmetic operation found
  * by `AllocToInvalidPointerConfig` to a dereference of the pointer.
@@ -173,8 +193,13 @@ private module InvalidPointerToDerefConfig implements DataFlow::StateConfigSig {
     invalidPointerToDerefSource(_, pai, source)
   }
 
-  pragma[inline]
-  predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _, _, _) }
+  predicate isSink(DataFlow::Node sink) {
+    exists(DataFlowImplCommon::NodeEx n |
+      InvalidPointerReachesFlow::Stages::Stage1::sinkNode(n, _) and
+      n.asNode() = sink and
+      isInvalidPointerDerefSink(sink, _, _, _, _)
+    )
+  }
 
   predicate isSink(DataFlow::Node sink, FlowState pai) { none() }
 

cpp/ql/lib/semmle/code/cpp/security/flowafterfree/FlowAfterFree.qll

@@ -72,7 +72,6 @@ module FlowFromFree<FlowFromFreeParamSig P> {
 
     predicate isSource(DataFlow::Node node, FlowState state) { isFree(node, _, state, _) }
 
-    pragma[inline]
     predicate isSink(DataFlow::Node sink, FlowState state) {
       exists(Expr e, DataFlow::Node source, DeallocationExpr dealloc |
         P::isSink(sink, e) and

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -534,7 +534,7 @@ static_asserts(
 #keyset[function, index, type_id]
 params(
     int id: @parameter,
-    int function: @functionorblock ref,
+    int function: @parameterized_element ref,
     int index: int ref,
     int type_id: @type ref
 );
@@ -1790,6 +1790,10 @@ case @expr.kind of
 | 387 = @istriviallyrelocatable
 | 388 = @datasizeof
 | 389 = @c11_generic
+| 390 = @requires_expr
+| 391 = @nested_requirement
+| 392 = @compound_requirement
+| 393 = @concept_id
 ;
 
 @var_args_expr = @vastartexpr
@@ -1908,6 +1912,10 @@ case @expr.kind of
             | @istriviallyrelocatable
             ;
 
+compound_requirement_is_noexcept(
+    int expr: @compound_requirement ref
+);
+
 new_allocated_type(
     unique int expr: @new_expr ref,
     int type_id: @type ref
@@ -2167,11 +2175,11 @@ stmt_decl_entry_bind(
     int decl_entry: @element ref
 );
 
-@functionorblock = @function | @stmt_block;
+@parameterized_element = @function | @stmt_block | @requires_expr;
 
 blockscope(
     unique int block: @stmt_block ref,
-    int enclosing: @functionorblock ref
+    int enclosing: @parameterized_element ref
 );
 
 @jump = @stmt_goto | @stmt_break | @stmt_continue;

cpp/ql/lib/upgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/upgrade.properties

@@ -0,0 +1,2 @@
+description: Support C++20 requires expressions
+compatibility: backwards

cpp/ql/lib/upgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add requires expressions
+compatibility: full

cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql

@@ -57,5 +57,5 @@ where
   not declarationHasSideEffects(v) and
   not exists(AsmStmt s | f = s.getEnclosingFunction()) and
   not v.getAnAttribute().getName() = "unused" and
-  not any(ErrorExpr e).getEnclosingFunction() = f // unextracted expr may use `v`
+  not f.hasErrors() // Unextracted expressions may use `v`
 select v, "Variable " + v.getName() + " is not used."

cpp/ql/src/CHANGELOG.md

@@ -1,9 +1,24 @@
+## 1.2.5
+
+### Minor Analysis Improvements
+
+* The `cpp/unclear-array-index-validation` ("Unclear validation of array index") query has been improved to reduce false positives and increase true positives.
+* Fixed false positives in the `cpp/uninitialized-local` ("Potentially uninitialized local variable") query if there are extraction errors in the function.
+* The `cpp/incorrect-string-type-conversion` query now produces fewer false positives caused by failure to detect byte arrays.
+* The `cpp/incorrect-string-type-conversion` query now produces fewer false positives caused by failure to recognize dynamic checks prior to possible dangerous widening.
+
+## 1.2.4
+
+### Minor Analysis Improvements
+
+* Fixed false positives in the `cpp/wrong-number-format-arguments` ("Too few arguments to formatting function") query when the formatting function has been declared implicitly.
+
 ## 1.2.3
 
 ### Minor Analysis Improvements
 
-* Removed false positives caused by buffer accesses in unreachable code.
-* Removed false positives caused by inconsistent type checking.
+* Removed false positives caused by buffer accesses in unreachable code
+* Removed false positives caused by inconsistent type checking
 * Add modeling of C functions that don't throw, thereby increasing the precision of the `cpp/incorrect-allocation-error-handling` ("Incorrect allocation-error handling") query. The query now produces additional true positives.
 
 ## 1.2.2

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -170,7 +170,8 @@ where
   ) and
   not arg.isAffectedByMacro() and
   not arg.isFromUninstantiatedTemplate(_) and
-  not actual.getUnspecifiedType() instanceof ErroneousType
+  not actual.getUnspecifiedType() instanceof ErroneousType and
+  not arg.(Call).mayBeFromImplicitlyDeclaredFunction()
 select arg,
   "This format specifier for type '" + expected.getName() + "' does not match the argument type '" +
     actual.getUnspecifiedType().getName() + "'."

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -29,7 +29,7 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
   override predicate isSource(Instruction source) {
     exists(Function func |
       // Rule out FPs caused by extraction errors.
-      not any(ErrorExpr e).getEnclosingFunction() = func and
+      not func.hasErrors() and
       not intentionallyReturnsStackPointer(func) and
       func = source.getEnclosingFunction()
     |

cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql

@@ -65,6 +65,7 @@ predicate isSinkImpl(Instruction sink, VariableAccess va) {
   exists(LoadInstruction load |
     va = load.getUnconvertedResultExpression() and
     not va = commonException() and
+    not va.getTarget().(LocalVariable).getFunction().hasErrors() and
     sink = load.getSourceValue()
   )
 }

cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql

@@ -24,7 +24,7 @@ predicate instructionHasVariable(VariableAddressInstruction vai, StackVariable v
   // Pointer-to-member types aren't properly handled in the dbscheme.
   not vai.getResultType() instanceof PointerToMemberType and
   // Rule out FPs caused by extraction errors.
-  not any(ErrorExpr e).getEnclosingFunction() = f
+  not f.hasErrors()
 }
 
 /**

cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql

@@ -14,102 +14,56 @@
 
 import cpp
 import semmle.code.cpp.controlflow.IRGuards
-import semmle.code.cpp.security.FlowSources
-import semmle.code.cpp.ir.dataflow.TaintTracking
-import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
+import semmle.code.cpp.security.FlowSources as FS
+import semmle.code.cpp.dataflow.new.TaintTracking
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import ImproperArrayIndexValidation::PathGraph
-import semmle.code.cpp.security.Security
 
-predicate hasUpperBound(VariableAccess offsetExpr) {
-  exists(BasicBlock controlled, StackVariable offsetVar, SsaDefinition def |
-    controlled.contains(offsetExpr) and
-    linearBoundControls(controlled, def, offsetVar) and
-    offsetExpr = def.getAUse(offsetVar)
+predicate isFlowSource(FS::FlowSource source, string sourceType) {
+  sourceType = source.getSourceType()
+}
+
+predicate guardChecks(IRGuardCondition g, Expr e, boolean branch) {
+  exists(Operand op | op.getDef().getConvertedResultExpression() = e |
+    // `op < k` is true and `k > 0`
+    g.comparesLt(op, any(int k | k > 0), true, any(BooleanValue bv | bv.getValue() = branch))
+    or
+    // `op < _ + k` is true and `k > 0`.
+    g.comparesLt(op, _, any(int k | k > 0), true, branch)
+    or
+    // op == k
+    g.comparesEq(op, _, true, any(BooleanValue bv | bv.getValue() = branch))
+    or
+    // op == _ + k
+    g.comparesEq(op, _, _, true, branch)
   )
 }
 
-pragma[noinline]
-predicate linearBoundControls(BasicBlock controlled, SsaDefinition def, StackVariable offsetVar) {
-  exists(GuardCondition guard, boolean branch |
-    guard.controls(controlled, branch) and
-    cmpWithLinearBound(guard, def.getAUse(offsetVar), Lesser(), branch)
+/**
+ * Holds if `arrayExpr` accesses an `ArrayType` with a constant size `N`, and
+ * the value of `offsetExpr` is known to be smaller than `N`.
+ */
+predicate offsetIsAlwaysInBounds(ArrayExpr arrayExpr, VariableAccess offsetExpr) {
+  exists(ArrayType arrayType |
+    arrayType = arrayExpr.getArrayBase().getUnspecifiedType() and
+    arrayType.getArraySize() > upperBound(offsetExpr.getFullyConverted())
   )
 }
 
-predicate readsVariable(LoadInstruction load, Variable var) {
-  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
-}
-
-predicate hasUpperBoundsCheck(Variable var) {
-  exists(RelationalOperation oper, VariableAccess access |
-    oper.getAnOperand() = access and
-    access.getTarget() = var and
-    // Comparing to 0 is not an upper bound check
-    not oper.getAnOperand().getValue() = "0"
-  )
-}
-
-predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
-  readsVariable(node.asInstruction(), checkedVar) and
-  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
-}
-
-predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
-
-predicate predictableInstruction(Instruction instr) {
-  instr instanceof ConstantInstruction
-  or
-  instr instanceof StringConstantInstruction
-  or
-  // This could be a conversion on a string literal
-  predictableInstruction(instr.(UnaryInstruction).getUnary())
-}
-
 module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
 
   predicate isBarrier(DataFlow::Node node) {
-    hasUpperBound(node.asExpr())
-    or
-    // These barriers are ported from `DefaultTaintTracking` because this query is quite noisy
-    // otherwise.
-    exists(Variable checkedVar |
-      readsVariable(node.asInstruction(), checkedVar) and
-      hasUpperBoundsCheck(checkedVar)
-    )
-    or
-    exists(Variable checkedVar, Operand access |
-      readsVariable(access.getDef(), checkedVar) and
-      nodeIsBarrierEqualityCandidate(node, access, checkedVar)
-    )
-    or
-    // Don't use dataflow into binary instructions if both operands are unpredictable
-    exists(BinaryInstruction iTo |
-      iTo = node.asInstruction() and
-      not predictableInstruction(iTo.getLeft()) and
-      not predictableInstruction(iTo.getRight()) and
-      // propagate taint from either the pointer or the offset, regardless of predictability
-      not iTo instanceof PointerArithmeticInstruction
-    )
-    or
-    // don't use dataflow through calls to pure functions if two or more operands
-    // are unpredictable
-    exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
-      iTo = node.asInstruction() and
-      isPureFunction(iTo.getStaticCallTarget().getName()) and
-      iFrom1 = iTo.getAnArgument() and
-      iFrom2 = iTo.getAnArgument() and
-      not predictableInstruction(iFrom1) and
-      not predictableInstruction(iFrom2) and
-      iFrom1 != iFrom2
-    )
+    node = DataFlow::BarrierGuard<guardChecks/3>::getABarrierNode()
   }
 
+  predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+
   predicate isSink(DataFlow::Node sink) {
     exists(ArrayExpr arrayExpr, VariableAccess offsetExpr |
       offsetExpr = arrayExpr.getArrayOffset() and
       sink.asExpr() = offsetExpr and
-      not hasUpperBound(offsetExpr)
+      not offsetIsAlwaysInBounds(arrayExpr, offsetExpr)
     )
   }
 }

cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql

@@ -13,23 +13,85 @@
  */
 
 import cpp
+import semmle.code.cpp.controlflow.Guards
 
 class WideCharPointerType extends PointerType {
   WideCharPointerType() { this.getBaseType() instanceof WideCharType }
 }
 
+/**
+ * Given type `t`, recurses through and returns all
+ * intermediate base types, including `t`.
+ */
+Type getABaseType(Type t) {
+  result = t
+  or
+  result = getABaseType(t.(DerivedType).getBaseType())
+  or
+  result = getABaseType(t.(TypedefType).getBaseType())
+}
+
 /**
  * A type that may also be `CharPointerType`, but that are likely used as arbitrary buffers.
  */
 class UnlikelyToBeAStringType extends Type {
   UnlikelyToBeAStringType() {
-    this.(PointerType).getBaseType().(CharType).isUnsigned() or
-    this.(PointerType).getBaseType().getName().toLowerCase().matches("%byte") or
-    this.getName().toLowerCase().matches("%byte") or
-    this.(PointerType).getBaseType().hasName("uint8_t")
+    exists(Type targ | getABaseType(this) = targ |
+      // NOTE: not using CharType isUnsigned, but rather look for any explicitly declared unsigned
+      // char types. Assuming these are used for buffers, not strings.
+      targ.(CharType).getName().toLowerCase().matches("unsigned%") or
+      targ.getName().toLowerCase().matches(["uint8_t", "%byte%"])
+    )
   }
 }
 
+// Types that can be wide depending on the UNICODE macro
+// see https://learn.microsoft.com/en-us/windows/win32/winprog/windows-data-types
+class UnicodeMacroDependentWidthType extends Type {
+  UnicodeMacroDependentWidthType() {
+    exists(Type targ | getABaseType(this) = targ |
+      targ.getName() in [
+          "LPCTSTR",
+          "LPTSTR",
+          "PCTSTR",
+          "PTSTR",
+          "TBYTE",
+          "TCHAR"
+        ]
+    )
+  }
+}
+
+class UnicodeMacro extends Macro {
+  UnicodeMacro() { this.getName().toLowerCase().matches("%unicode%") }
+}
+
+class UnicodeMacroInvocation extends MacroInvocation {
+  UnicodeMacroInvocation() { this.getMacro() instanceof UnicodeMacro }
+}
+
+/**
+ * Holds when a expression whose type is UnicodeMacroDependentWidthType and
+ * is observed to be guarded by a check involving a bitwise-and operation
+ * with a UnicodeMacroInvocation.
+ * Such expressions are assumed to be checked dynamically, i.e.,
+ * the flag would indicate if UNICODE typing is set correctly to allow
+ * or disallow a widening cast.
+ */
+predicate isLikelyDynamicallyChecked(Expr e) {
+  e.getType() instanceof UnicodeMacroDependentWidthType and
+  exists(GuardCondition gc, BitwiseAndExpr bai, UnicodeMacroInvocation umi |
+    bai.getAnOperand() = umi.getExpr()
+  |
+    // bai == 0 is false when reaching `e.getBasicBlock()`.
+    // That is, bai != 0 when reaching `e.getBasicBlock()`.
+    gc.ensuresEq(bai, 0, e.getBasicBlock(), false)
+    or
+    // bai == k and k != 0 is true when reaching `e.getBasicBlock()`.
+    gc.ensuresEq(bai, any(int k | k != 0), e.getBasicBlock(), true)
+  )
+}
+
 from Expr e1, Cast e2
 where
   e2 = e1.getConversion() and
@@ -42,7 +104,11 @@ where
   not e1.getType() instanceof UnlikelyToBeAStringType and
   // Avoid castings from 'new' expressions as typically these will be safe
   // Example: `__Type* ret = reinterpret_cast<__Type*>(New(m_pmo) char[num * sizeof(__Type)]);`
-  not exists(NewOrNewArrayExpr newExpr | newExpr.getAChild*() = e1)
+  not exists(NewOrNewArrayExpr newExpr | newExpr.getAChild*() = e1) and
+  // Avoid cases where the cast is guarded by a check to determine if
+  // unicode encoding is enabled in such a way to disallow the dangerous cast
+  // at runtime.
+  not isLikelyDynamicallyChecked(e1)
 select e1,
   "Conversion from " + e1.getType().toString() + " to " + e2.getType().toString() +
     ". Use of invalid string can lead to undefined behavior."

cpp/ql/src/change-notes/2024-10-15-wrong-type-format-argument.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Remove results from the `cpp/wrong-type-format-argument` ("Wrong type of arguments to formatting function") query if the argument is the return value of an implicitly declared function.

cpp/ql/src/change-notes/released/1.2.4.md

@@ -0,0 +1,5 @@
+## 1.2.4
+
+### Minor Analysis Improvements
+
+* Fixed false positives in the `cpp/wrong-number-format-arguments` ("Too few arguments to formatting function") query when the formatting function has been declared implicitly.